
SPIRE on Kubernetes: Step-by-Step Deployment Tutorial

This tutorial walks through deploying SPIRE on a Kubernetes cluster, registering workloads, and verifying that pods receive cryptographic identities. By the end, your pods will have automatically issued, short-lived X.509 certificates for mutual TLS.

Prerequisites

  • A Kubernetes cluster (Kind, Minikube, or cloud-managed)
  • kubectl configured and working
  • Basic understanding of Kubernetes pods, services, and service accounts

Architecture Overview

SPIRE runs as two components on Kubernetes: the SPIRE Server (a StatefulSet with persistent storage for the datastore) and the SPIRE Agent (a DaemonSet that runs on every node). The Agent exposes the SPIFFE Workload API via a Unix domain socket that pods access through a CSI driver or hostPath volume.

What You Will Deploy

  1. SPIRE Server as a StatefulSet with SQLite datastore
  2. SPIRE Agent as a DaemonSet with Kubernetes node attestor
  3. SPIRE Controller Manager for automatic workload registration
  4. A demo application that retrieves its SVID and establishes mTLS

Full Tutorial in Our Free Course

Module 5 of the Mastering SPIFFE & SPIRE course provides the complete hands-on tutorial with Kubernetes manifests, verification commands, and troubleshooting guides. The companion GitHub repository contains all manifests ready to apply.

How to Use This Topic

This page is a focused entry point into the larger course. Use it to understand the vocabulary, the production problem, and the first practical module to open next.

  • Read the overview to map the concept to real engineering work.
  • Follow the linked module for exercises, diagrams, and implementation details.
  • Return to the full curriculum when you need adjacent topics and a complete learning path.

Start Learning for Free

Continue with Mastering SPIFFE & SPIRE: Zero Trust for Cloud Native Systems (13 modules, 30 hands-on labs, completely free).
