
Module 4: SPIRE Architecture and Components Slides

Slide walkthrough for Module 4 of Mastering SPIFFE & SPIRE: Zero Trust for Cloud Native Systems: How SPIRE implements the SPIFFE specification in...

This slide page is the visual review companion for the full course module. Use it to recap the architecture, examples, exercises, production warnings, and takeaways after reading the lesson.

Slide Outline

  1. SPIRE Architecture and Components - How SPIRE implements the SPIFFE specification in production
  2. Learning Objectives - 4 outcomes for this module
  3. Why This Module Matters - SPIRE is the runtime engine behind workload identity. Understanding its internals — Server/Agent separation, attestation
  4. SPIRE Server - Lesson section from the full module
  5. SPIRE Agent - Lesson section from the full module
  6. Node Attestation - Lesson section from the full module
  7. Workload Attestation - Lesson section from the full module
  8. Registration Entries - Lesson section from the full module
  9. SPIRE Plugin Framework - Lesson section from the full module
  10. Deployment Models - Lesson section from the full module
  11. Real-World Use Cases - Enterprise Kubernetes identity — attesting pods via service accounts, VM workload identity — attesting bare-metal servers via cloud instance documents
  12. Common Mistakes to Avoid - 5 mistakes covered
  13. Production Notes - 3 practical notes
  14. Security Risks to Watch - 3 risks covered
  15. Hands-On Labs - 3 hands-on labs
  16. Key Takeaways - 6 points to remember

Learning Objectives

  • Understand SPIRE Server and Agent architecture
  • Learn node attestation and workload attestation
  • Configure registration entries
  • Master the SPIRE plugin framework

Why This Module Matters

SPIRE is the runtime engine behind workload identity. Understanding its internals — Server/Agent separation, attestation flows, registration entries — is the difference between following a tutorial and operating SPIRE confidently in production. When something breaks at 2 AM, you need to know WHERE to look.

Production Notes

  • Always use a shared database (PostgreSQL/MySQL) for SPIRE Server in production. SQLite does not support HA.
  • SPIRE Agent should run as a DaemonSet — one per node, not one per pod. It serves all workloads on the node via the Unix socket.
  • Use the k8s_psat node attestor for Kubernetes. It is more secure than join tokens because it leverages Kubernetes projected service account tokens.

Common Mistakes

  • Using SQLite datastore in production (use PostgreSQL for HA)
  • Not enabling debug logging during initial deployment — makes troubleshooting impossible
  • Creating overly broad registration selectors that match unintended workloads
  • Forgetting to create a registration entry before expecting a workload to get an SVID
  • Running SPIRE Agent as a sidecar instead of a DaemonSet (wastes resources, complicates management)

Key Takeaways

  • SPIRE Server is the control plane — manages registrations and signs SVIDs
  • SPIRE Agent runs on every node — exposes the Workload API to local workloads
  • Node attestation proves the Agent is on a legitimate node
  • Workload attestation proves the calling process matches a registration entry
  • Registration entries map selectors to SPIFFE IDs
  • SPIRE is plugin-based — supports multiple clouds, orchestrators, and datastores
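As an added example that is not part of the course slides or of SPIRE itself, the Python below models the two takeaways above: how a registration entry's selectors are matched against the selectors the workload attestor reports (an entry matches when all of its selectors are present, which is how SPIRE resolves entries), and a lint for the "overly broad selectors" mistake from the Common Mistakes list. The entries, selector sets, trust domain and lint heuristic are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    """A registration entry: a set of selectors mapped to a SPIFFE ID."""
    spiffe_id: str
    selectors: frozenset

def entry_matches(entry, workload_selectors):
    # SPIRE matches an entry when every selector on the entry is present
    # in the selector set the workload attestor discovered for the caller.
    return entry.selectors <= workload_selectors

def resolve(entries, workload_selectors):
    """SPIFFE IDs the calling workload would be issued SVIDs for."""
    return sorted(e.spiffe_id for e in entries if entry_matches(e, workload_selectors))

def lint_broad(entries):
    """Heuristic (an assumption of this example, not a SPIRE rule): flag
    entries with a single selector, and k8s entries that do not pin a
    service account, since those match any pod in the namespace."""
    findings = []
    for e in entries:
        types = {s.split(":", 1)[0] for s in e.selectors}
        reasons = []
        if len(e.selectors) < 2:
            reasons.append("single selector")
        if "k8s" in types and not any(s.startswith("k8s:sa:") for s in e.selectors):
            reasons.append("k8s entry without k8s:sa selector")
        if reasons:
            findings.append((e.spiffe_id, reasons))
    return findings

# Constructed sample entries (trust domain example.org is a placeholder).
ENTRIES = [
    Entry("spiffe://example.org/payments/api", frozenset({"k8s:ns:payments", "k8s:sa:api"})),
    Entry("spiffe://example.org/default-any", frozenset({"k8s:ns:default"})),
    Entry("spiffe://example.org/host/db", frozenset({"unix:uid:1001", "unix:path:/usr/bin/postgres"})),
]
# Constructed selector sets as a workload attestor might discover them.
API_POD = {"k8s:ns:payments", "k8s:sa:api", "k8s:pod-name:api-7d9f", "k8s:container-name:api"}
DEBUG_POD = {"k8s:ns:default", "k8s:sa:debug-shell", "k8s:pod-name:shell-1"}

if __name__ == "__main__":
    print(resolve(ENTRIES, API_POD))    # ['spiffe://example.org/payments/api']
    print(resolve(ENTRIES, DEBUG_POD))  # the broad entry hands an identity to an unrelated pod
    for spiffe_id, reasons in lint_broad(ENTRIES):
        print(f"broad entry {spiffe_id}: {', '.join(reasons)}")
```

Running it shows the debug pod in the default namespace receiving the broad entry's identity, which is exactly the unintended match the lint is meant to catch before the entry is created.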

Hands-On Labs

  1. Installing SPIRE from Binaries

    Install and run SPIRE Server and Agent on a local machine.

    • Download SPIRE release binaries
    • Configure SPIRE Server with SQLite datastore
    • Configure SPIRE Agent with join token attestor
    • Start the server and agent, verify they connect

    View lab files on GitHub

  2. Configuring Registration Entries

    Register workloads and assign SPIFFE IDs.

    • Create a registration entry for a demo workload
    • Verify the entry with spire-server entry show
    • Run the demo workload and confirm it receives an SVID
    • Inspect the SVID with openssl

    View lab files on GitHub

  3. Attesting Nodes and Workloads

    Observe the full attestation flow.

    • Enable debug logging on SPIRE Server and Agent
    • Restart the agent and observe node attestation logs
    • Run a workload and observe workload attestation logs
    • Intentionally fail attestation and observe the error

    View lab files on GitHub
