Course guide

SPIRE on Kubernetes: Step-by-Step Deployment Tutorial

Deploy SPIRE Server and Agent on Kubernetes, register workloads, and secure pod-to-pod communication with mTLS. Complete hands-on tutorial with manifests.

This tutorial walks through deploying SPIRE on a Kubernetes cluster, registering workloads, and verifying that pods receive cryptographic identities. By the end, your pods will have automatically issued, short-lived X.509 certificates for mutual TLS.

Prerequisites

  • A Kubernetes cluster (Kind, Minikube, or cloud-managed)
  • kubectl configured and working
  • Basic understanding of Kubernetes pods, services, and service accounts

Architecture Overview

SPIRE runs as two components on Kubernetes: the SPIRE Server (a StatefulSet with persistent storage for the datastore) and the SPIRE Agent (a DaemonSet that runs on every node). The Agent exposes the SPIFFE Workload API via a Unix domain socket that pods access through a CSI driver or hostPath volume.
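As an added example (not a manifest from the course or the SPIRE project), the pod spec below shows the hostPath route described above: the pod mounts the Agent's socket directory read-only and tells its SPIFFE client library where the Workload API lives. The socket directory /run/spire/sockets, the socket name agent.sock, the namespace, and the image are assumptions to adjust to your Agent configuration.

```yaml
# Added example, not from the course or the SPIRE project.
# Assumptions: the SPIRE Agent DaemonSet creates its Unix domain socket at
# /run/spire/sockets/agent.sock on every node; namespace and image are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: demo-workload
  namespace: demo
spec:
  # The service account is what a Kubernetes workload attestor selector can key on
  # when the workload is registered with the SPIRE Server.
  serviceAccountName: demo-workload
  containers:
    - name: app
      image: REPLACE_WITH_DEMO_IMAGE   # placeholder for the demo application image
      env:
        # SPIFFE client libraries (for example go-spiffe) read this variable to
        # locate the Workload API endpoint.
        - name: SPIFFE_ENDPOINT_SOCKET
          value: unix:///run/spire/sockets/agent.sock
      volumeMounts:
        - name: spire-agent-socket
          mountPath: /run/spire/sockets
          readOnly: true               # the workload only connects to the socket, it never writes here
  volumes:
    - name: spire-agent-socket
      hostPath:
        path: /run/spire/sockets       # directory the Agent DaemonSet uses on each node
        type: Directory
```

hostPath volumes are rejected under the baseline and restricted Pod Security Standards, which is the main reason to prefer the CSI driver option when the cluster enforces those policies.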

What You Will Deploy

  1. SPIRE Server as a StatefulSet with SQLite datastore
  2. SPIRE Agent as a DaemonSet with Kubernetes node attestor
  3. SPIRE Controller Manager for automatic workload registration
  4. A demo application that retrieves its SVID and establishes mTLS

Full Tutorial in Our Free Course

Module 5 of the Mastering SPIFFE & SPIRE course provides the complete hands-on tutorial with Kubernetes manifests, verification commands, and troubleshooting guides. The companion GitHub repository contains all manifests ready to apply.