
Module 5: Running SPIRE on Kubernetes Slides

Slide walkthrough for Module 5 of Mastering SPIFFE & SPIRE: Zero Trust for Cloud Native Systems: Deploy and operate SPIRE in real Kubernetes clusters....

This slide page is the visual review companion for the full course module. Use it to recap the architecture, examples, exercises, production warnings, and takeaways after reading the lesson.

Slide Outline

  1. Running SPIRE on Kubernetes - Deploy and operate SPIRE in real Kubernetes clusters
  2. Learning Objectives - 4 outcomes for this module
  3. Why This Module Matters - This is where SPIRE becomes real. Deploying on Kubernetes is the most common production scenario, and the skills you build here are exactly what you will use every day as a platform engineer operating SPIRE
  4. Kubernetes Identity Challenges - Lesson section from the full module
  5. SPIRE Kubernetes Architecture - Lesson section from the full module
  6. Deploying SPIRE Server - Lesson section from the full module
  7. Deploying SPIRE Agent - Lesson section from the full module
  8. Automatic Workload Registration - Lesson section from the full module
  9. Retrieving SVIDs Inside Pods - Lesson section from the full module
  10. Real-World Use Cases - Production Kubernetes clusters with hundreds of services needing identity, Multi-tenant clusters where different teams own different namespaces
  11. Common Mistakes to Avoid - 5 mistakes covered
  12. Production Notes - 3 practical notes
  13. Security Risks to Watch - 3 risks covered
  14. Hands-On Labs - 4 hands-on labs
  15. Key Takeaways - 6 points to remember

Learning Objectives

  • Deploy SPIRE Server and Agent on Kubernetes
  • Configure Kubernetes workload and node attestors
  • Use SPIRE Controller Manager for automatic registration
  • Retrieve SVIDs inside pods

Why This Module Matters

This is where SPIRE becomes real. Deploying on Kubernetes is the most common production scenario, and the skills you build here — deploying, registering, debugging — are exactly what you will use every day as a platform engineer operating SPIRE.

Production Notes

  • Use the SPIRE CSI Driver to mount the Workload API socket into pods. It is cleaner than hostPath volumes and provides proper lifecycle management.
  • In production, always run SPIRE Server as a StatefulSet with persistent storage. Losing the datastore means losing all registration entries.
  • Monitor SVID rotation continuously. A stalled rotation means certificates will expire and services will fail.
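The first two notes above are easiest to see as manifests. The following is an added example, not a manifest from the course or from the SPIRE project: a SPIRE Server StatefulSet whose datastore lives on a PersistentVolumeClaim (so registration entries survive a pod restart), and a workload pod that receives the Workload API socket through the SPIRE CSI driver rather than a hostPath volume. The namespaces, image tags, storage size and socket file name are assumptions.

```yaml
# Added example (not from the course): server StatefulSet with persistent
# datastore, plus a workload pod mounting the Workload API via the CSI driver.
# Namespace names, image tags, storage size and socket name are assumptions.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: spire-server
  namespace: spire
spec:
  serviceName: spire-server
  replicas: 1
  selector:
    matchLabels:
      app: spire-server
  template:
    metadata:
      labels:
        app: spire-server
    spec:
      serviceAccountName: spire-server
      containers:
        - name: spire-server
          image: ghcr.io/spiffe/spire-server:1.9.0   # assumed tag
          args: ["-config", "/run/spire/config/server.conf"]
          volumeMounts:
            - name: spire-config
              mountPath: /run/spire/config
              readOnly: true
            - name: spire-data        # datastore and keys live here; must persist
              mountPath: /run/spire/data
      volumes:
        - name: spire-config
          configMap:
            name: spire-server
  # a PVC per replica: losing this volume means losing every registration entry
  volumeClaimTemplates:
    - metadata:
        name: spire-data
      spec:
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
            storage: 1Gi
---
apiVersion: v1
kind: Pod
metadata:
  name: demo-workload
  namespace: demo
spec:
  serviceAccountName: demo
  containers:
    - name: app
      image: example.com/demo-app:latest   # placeholder image
      env:
        # go-spiffe and most SPIFFE-aware libraries read this variable
        - name: SPIFFE_ENDPOINT_SOCKET
          value: unix:///spiffe-workload-api/spire-agent.sock
      volumeMounts:
        - name: spiffe-workload-api
          mountPath: /spiffe-workload-api
          readOnly: true
  volumes:
    # the CSI driver mounts the agent's socket directory; no hostPath and no
    # privileged pod needed, and the mount is torn down with the pod
    - name: spiffe-workload-api
      csi:
        driver: csi.spiffe.io
        readOnly: true
```

The CSI volume only appears once the agent DaemonSet and the CSI driver are running on the node the pod lands on; until then the pod stays in ContainerCreating, which is itself a useful early signal that the agent side is not healthy.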

Common Mistakes

  • Deploying SPIRE Agent as a sidecar instead of a DaemonSet
  • Forgetting to create the spire-bundle ConfigMap before starting agents
  • Using the wrong cluster name in k8s_psat attestor config
  • Not giving SPIRE Server RBAC permissions for tokenreviews
  • Setting SVID TTL too short without monitoring rotation success
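Mistakes 2, 3 and 4 all come down to a few lines of configuration that must agree with each other. The following is an added example, not the course's own manifests: the ClusterRole the server needs for k8s_psat node attestation, and server and agent configurations in which the k8s_psat cluster name is spelled identically on both sides and the k8sbundle Notifier keeps the spire-bundle ConfigMap populated for agents. The cluster name "demo-cluster", the namespace "spire" and the trust domain "example.org" are assumptions.

```yaml
# Added example (not the course's own manifests): RBAC and attestor
# configuration behind mistakes 2, 3 and 4. The cluster name "demo-cluster",
# the namespace "spire" and the trust domain "example.org" are assumptions.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: spire-server
rules:
  # k8s_psat validates each agent's projected token with a TokenReview ...
  - apiGroups: ["authentication.k8s.io"]
    resources: ["tokenreviews"]
    verbs: ["create"]
  # ... then looks up the agent pod and its node to build node selectors
  - apiGroups: [""]
    resources: ["pods", "nodes"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: spire-server
subjects:
  - {kind: ServiceAccount, name: spire-server, namespace: spire}
roleRef: {kind: ClusterRole, name: spire-server, apiGroup: rbac.authorization.k8s.io}
---
apiVersion: v1
kind: ConfigMap
metadata: {name: spire-server, namespace: spire}
data:
  server.conf: |
    server {
      bind_address = "0.0.0.0"
      bind_port    = "8081"
      trust_domain = "example.org"
      data_dir     = "/run/spire/data"
    }
    plugins {
      DataStore "sql" {
        plugin_data {
          database_type     = "sqlite3"
          connection_string = "/run/spire/data/datastore.sqlite3"
        }
      }
      NodeAttestor "k8s_psat" {
        plugin_data {
          clusters = {
            # map key must equal the agent's "cluster" value below
            "demo-cluster" = {
              service_account_allow_list = ["spire:spire-agent"]
            }
          }
        }
      }
      KeyManager "disk" {
        plugin_data { keys_path = "/run/spire/data/keys.json" }
      }
      # publishes the trust bundle into the spire-bundle ConfigMap that agents
      # read at startup (also needs a Role allowing get/patch on that ConfigMap)
      Notifier "k8sbundle" {
        plugin_data {
          namespace  = "spire"
          config_map = "spire-bundle"
        }
      }
    }
---
apiVersion: v1
kind: ConfigMap
metadata: {name: spire-agent, namespace: spire}
data:
  agent.conf: |
    agent {
      server_address    = "spire-server"
      server_port       = "8081"
      trust_domain      = "example.org"
      trust_bundle_path = "/run/spire/bundle/bundle.crt"
      socket_path       = "/run/spire/agent-sockets/spire-agent.sock"
    }
    plugins {
      NodeAttestor "k8s_psat" {
        plugin_data {
          cluster = "demo-cluster"   # must match the server-side map key
        }
      }
      KeyManager "memory" { plugin_data {} }
      WorkloadAttestor "k8s" {
        plugin_data {
          # lab shortcut; in production verify the kubelet certificate instead
          skip_kubelet_verification = true
        }
      }
    }
```

If the two cluster names differ, the server rejects the agent's attestation and the agent log shows the node attestation failing; if the tokenreviews rule is missing, the failure is reported by the server as a permission error from the API server. The `service_account_allow_list` is what stops any pod with a projected token from attesting as an agent, so keep it scoped to the agent's own service account.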

Key Takeaways

  • SPIRE Server runs as a StatefulSet, Agent as a DaemonSet
  • SPIRE Controller Manager auto-registers workloads from Kubernetes metadata
  • CSI Driver mounts the Workload API socket into pods transparently
  • SVIDs rotate automatically — applications never handle certificate renewal
  • ClusterSPIFFEID resources define SPIFFE ID templates for automatic registration
  • Debug attestation failures by checking agent logs and registration entry selectors
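The ClusterSPIFFEID takeaway is clearest with a concrete resource. The following is an added example, not from the course or the SPIRE Controller Manager project: a cluster-wide default rule that gives every pod a SPIFFE ID derived from its namespace and service account, and a narrower rule for one workload that also adds a DNS SAN. The trust domain comes from the controller manager's own configuration; the namespaces, labels and DNS name pattern are assumptions.

```yaml
# Added example (not from the course): two ClusterSPIFFEID resources for the
# SPIRE Controller Manager. Namespaces, labels and DNS names are assumptions.
apiVersion: spire.spiffe.io/v1alpha1
kind: ClusterSPIFFEID
metadata:
  name: default-by-service-account
spec:
  # one registration entry per pod, keyed on namespace and service account
  spiffeIDTemplate: "spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}"
  # exclude system namespaces so control-plane pods don't get identities by accident
  namespaceSelector:
    matchExpressions:
      - key: kubernetes.io/metadata.name
        operator: NotIn
        values: ["kube-system", "kube-public", "spire"]
---
apiVersion: spire.spiffe.io/v1alpha1
kind: ClusterSPIFFEID
metadata:
  name: payments-api
spec:
  # a narrower rule for one workload that also needs a DNS SAN
  spiffeIDTemplate: "spiffe://{{ .TrustDomain }}/payments/{{ index .PodMeta.Labels \"app\" }}"
  podSelector:
    matchLabels:
      app: payments-api
  namespaceSelector:
    matchLabels:
      kubernetes.io/metadata.name: payments
  dnsNameTemplates:
    - "{{ index .PodMeta.Labels \"app\" }}.{{ .PodMeta.Namespace }}.svc"
```

The controller manager turns each matching pod into a registration entry whose selectors pin it to the pod's node, namespace and service account (plus the pod UID), which is exactly what you inspect when a pod matches no entry: compare the entry's selectors to the pod's actual namespace and service account. A pod matched by both rules receives two entries and therefore two SVIDs, so scope overlapping rules deliberately.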

Hands-On Labs

  1. Deploying SPIRE on Kind

    Deploy a full SPIRE stack on a local Kind cluster.

    • Create a Kind cluster with 3 worker nodes
    • Deploy SPIRE Server as a StatefulSet
    • Deploy SPIRE Agent as a DaemonSet
    • Verify server-agent connectivity

    View lab files on GitHub

  2. Registering Kubernetes Workloads

    Register workloads and verify SVID issuance.

    • Deploy SPIRE Controller Manager
    • Create ClusterSPIFFEID resources
    • Deploy a demo application pod
    • Verify the pod receives an X.509-SVID

    View lab files on GitHub

  3. Automatic Identity Rotation

    Observe SVID rotation without application restart.

    • Set SVID TTL to 5 minutes for testing
    • Monitor the SVID expiration timestamp
    • Observe automatic rotation before expiry
    • Verify the application continues without interruption

    View lab files on GitHub

  4. Debugging Failed Attestation

    Troubleshoot common SPIRE deployment issues.

    • Intentionally misconfigure a workload selector
    • Observe the attestation failure in agent logs
    • Fix the registration entry
    • Verify successful attestation after the fix

    View lab files on GitHub
