What is SPIRE?

SPIRE (SPIFFE Runtime Environment) is the reference implementation of the SPIFFE specification. It is a CNCF graduated project used by Bloomberg, Uber, Pinterest, and ByteDance at massive scale.

[Figure: SPIRE architecture. SPIRE Server (StatefulSet) issues identities through a SPIRE Agent (DaemonSet) on each node; Pod A, Pod B and Pod C each receive an SVID from the local Agent.]

SPIRE Architecture

  • SPIRE Server: Central control plane that manages registrations, signs SVIDs, and maintains the trust bundle. Runs as a Kubernetes StatefulSet.
  • SPIRE Agent: Runs on every node (DaemonSet). Exposes the Workload API, performs workload attestation, and caches SVIDs.
  • Controller Manager: Watches Kubernetes for pod events and auto-registers workloads.

How SPIRE Issues Identity

  1. Agent starts on a node and proves its legitimacy to the Server (node attestation)
  2. A workload calls the Workload API via Unix domain socket
  3. Agent inspects the calling process and matches it to a registration entry (workload attestation)
  4. Agent requests an SVID from the Server and returns it to the workload
  5. SVID is automatically rotated before expiry — zero manual intervention
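An added Go example, not SPIRE's own code, sketching steps 3 and 5 above: the agent-side matching that workload attestation performs (an entry applies only if every one of its selectors was discovered for the calling process) and the rotation check. The agent ID, entries and selectors are constructed; node aliases and the Server round-trip are left out.

```go
package main

import (
	"fmt"
	"time"
)

// Entry holds the registration-entry fields that drive workload attestation.
type Entry struct {
	SPIFFEID  string
	ParentID  string
	Selectors []string // "type:value", e.g. "k8s:ns:payments"
}

// MatchEntries returns the SPIFFE IDs the caller is entitled to: an entry matches
// when it is scoped to this agent and all its selectors were discovered.
func MatchEntries(agentID string, discovered []string, entries []Entry) []string {
	have := map[string]bool{}
	for _, s := range discovered {
		have[s] = true
	}
	var ids []string
	for _, e := range entries {
		if e.ParentID != agentID {
			continue
		}
		ok := true
		for _, s := range e.Selectors {
			ok = ok && have[s]
		}
		if ok {
			ids = append(ids, e.SPIFFEID)
		}
	}
	return ids
}

// NeedsRotation assumes SPIRE's default policy: renew once half the lifetime has elapsed.
func NeedsRotation(notBefore, notAfter, now time.Time) bool {
	return !now.Before(notBefore.Add(notAfter.Sub(notBefore) / 2))
}

func main() {
	agent := "spiffe://example.org/spire/agent/k8s_psat/prod/node-1" // constructed
	entries := []Entry{
		{"spiffe://example.org/ns/payments/sa/api", agent, []string{"k8s:ns:payments", "k8s:sa:api"}},
		{"spiffe://example.org/ns/payments/sa/batch", agent, []string{"k8s:ns:payments", "k8s:sa:batch"}},
	}
	fmt.Println(MatchEntries(agent, []string{"k8s:ns:payments", "k8s:sa:api", "unix:uid:1000"}, entries))
}
```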

Learn SPIRE

Deploy SPIRE on Kubernetes in our free Module 5: Running SPIRE on Kubernetes.
