Workload Attestation Methods
Workload attestation is the process of identifying a workload when it requests an SVID. Each time a workload connects to the agent's Workload API socket, the agent collects attributes about that workload from one or more configured attestors, then sends those attributes to the Trust Domain Server to determine the correct SVID.
Applying Configuration
Workload attestation is configured per-cluster using Managed Configuration, under the WorkloadAttestation section. Multiple attestors can be enabled simultaneously — the agent collects attributes from all enabled attestors on each SVID request.
Using spirlctl
spirlctl config set cluster --id <cluster-id> workload-attestation.yaml
Using Terraform
resource "spirl_cluster_config" "workload_attestation" {
  cluster_id = spirl_cluster.my_cluster.id
  sections = {
    WorkloadAttestation = <<-YAML
      section: WorkloadAttestation
      schema: v1
      spec:
        kubernetes:
          enabled: true
          includeAnnotationPrefixes:
            - "example.com/"
        linux:
          enabled: true
    YAML
  }
}
Once a configuration document passes validation and is stored, the Defakto control plane syncs it to your Trust Domain Servers automatically. No server or agent restart is required.
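Generating the WorkloadAttestation document from code, rather than editing it by hand, lets you reject a bad attestor key or a malformed annotation prefix before the control plane ever sees it. The Python below is an added example and is not part of spirlctl, Terraform, or the Defakto control plane. The section/schema/spec layout and the attestor keys (kubernetes, docker, linux, systemd) come from this page; the specific validation rules (a prefix must end in "/", at least one attestor must be enabled, includeAnnotationPrefixes only applies to kubernetes) and the small YAML emitter are assumptions made for the illustration, not the server's actual validator.

```python
"""Build and validate a WorkloadAttestation configuration document.

Added example, not part of the SPIRL/Defakto tooling. The attestor keys
and the section/schema/spec layout come from the documentation page; the
validation rules and the tiny YAML emitter are assumptions for this example.
"""
KNOWN_ATTESTORS = ("kubernetes", "docker", "linux", "systemd")


def validate_workload_attestation(doc):
    """Return a list of problems; an empty list means the document looks acceptable."""
    errors = []
    if doc.get("section") != "WorkloadAttestation":
        errors.append("section must be WorkloadAttestation")
    if doc.get("schema") != "v1":
        errors.append("schema must be v1")
    spec = doc.get("spec")
    if not isinstance(spec, dict) or not spec:
        return errors + ["spec must be a non-empty mapping"]
    enabled_count = 0
    for name, settings in spec.items():
        if name not in KNOWN_ATTESTORS:
            errors.append(f"unknown attestor {name!r}")
            continue
        if not isinstance(settings, dict) or not isinstance(settings.get("enabled"), bool):
            errors.append(f"{name}.enabled must be a boolean")
            continue
        enabled_count += settings["enabled"]
        if name != "kubernetes" and "includeAnnotationPrefixes" in settings:
            errors.append(f"includeAnnotationPrefixes is only meaningful for kubernetes, not {name}")
        for prefix in settings.get("includeAnnotationPrefixes", []):
            # Assumed rule: a prefix is matched against annotation keys, so require "<domain>/".
            if not isinstance(prefix, str) or not prefix.endswith("/") or "/" in prefix[:-1]:
                errors.append(f"annotation prefix {prefix!r} must look like 'example.com/'")
    if enabled_count == 0:
        errors.append("at least one attestor must be enabled")
    return errors


def to_yaml(value, indent=0):
    """Minimal YAML emitter for the dict/list/bool/str shapes used here (assumption, not a full YAML writer)."""
    pad = " " * indent
    if isinstance(value, dict):
        lines = []
        for key, item in value.items():
            if isinstance(item, (dict, list)):
                lines.append(f"{pad}{key}:")
                lines.append(to_yaml(item, indent + 2))
            else:
                lines.append(f"{pad}{key}: {to_yaml(item)}")
        return "\n".join(lines)
    if isinstance(value, list):
        return "\n".join(f"{pad}- {to_yaml(item)}" for item in value)
    if isinstance(value, bool):
        return "true" if value else "false"
    text = str(value)
    # Quote scalars containing characters a YAML parser could misread.
    return f'"{text}"' if "/" in text or ":" in text else text


def build_config(spec):
    """Wrap a spec in the v1 envelope, validate it, and return the YAML text to pass to spirlctl."""
    doc = {"section": "WorkloadAttestation", "schema": "v1", "spec": spec}
    errors = validate_workload_attestation(doc)
    if errors:
        raise ValueError("; ".join(errors))
    return to_yaml(doc) + "\n"


if __name__ == "__main__":
    # Constructed spec mirroring the page: Kubernetes and Linux attestors enabled.
    text = build_config({
        "kubernetes": {"enabled": True, "includeAnnotationPrefixes": ["example.com/"]},
        "linux": {"enabled": True},
    })
    print(text)  # save as workload-attestation.yaml for: spirlctl config set cluster --id <cluster-id> workload-attestation.yaml
```

Write the printed text to workload-attestation.yaml and apply it with the spirlctl command shown above; a ValueError from build_config means the document would have been rejected before reaching the control plane.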
Attribute Visibility
Collected workload attributes are available in:
- SPIFFE ID path templates
- X.509 SVID customization templates
- JWT SVID additional claims
- The Workload Attestation Extension, which can use them to make allow/deny decisions or add custom attributes
To control which attributes are sent to the Trust Domain Server, see Attribute Redaction.
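The flow these two sections describe (attestors run on each Workload API connection, their attributes are merged, a redaction step decides what reaches the Trust Domain Server, and the server then feeds the attributes into a SPIFFE ID path template or an allow/deny decision) is easier to reason about with a concrete model. The Python below is an added example, not SPIRL/Defakto code. The attestor names, the use of includeAnnotationPrefixes, and the four places attributes are consumed come from this page; the attribute key names (kubernetes.namespace, linux.uid, and so on), the dotted "{{ attestor.attribute }}" template syntax, the allowlist-style redaction, the sample deny rule and the constructed workload record are all assumptions for the illustration.

```python
"""Model of agent-side attribute collection and server-side use of the attributes.

Added example, not SPIRL/Defakto code. Attribute key names, template syntax,
redaction semantics and the sample policy are assumptions for this illustration.
"""
import re

# Constructed sample of one workload that connected to the Workload API socket.
WORKLOAD = {
    "pid": 4242,
    "uid": 1001,
    "gid": 1001,
    "exe": "/usr/local/bin/api-server",
    "pod": {
        "namespace": "payments",
        "name": "api-7d9f",
        "serviceAccount": "api",
        "annotations": {"example.com/team": "payments", "other.io/owner": "someone"},
    },
}
INCLUDE_ANNOTATION_PREFIXES = ["example.com/"]  # mirrors the page's configuration example


def kubernetes_attestor(workload):
    """Attributes from the Kubernetes API; annotations pass only under a configured prefix."""
    pod = workload["pod"]
    attrs = {
        "kubernetes.namespace": pod["namespace"],
        "kubernetes.pod": pod["name"],
        "kubernetes.serviceAccount": pod["serviceAccount"],
    }
    for key, value in pod["annotations"].items():
        if any(key.startswith(prefix) for prefix in INCLUDE_ANNOTATION_PREFIXES):
            attrs["kubernetes.annotation." + key] = value  # assumed key layout
    return attrs


def linux_attestor(workload):
    """Attributes from kernel process information for the peer on the socket."""
    return {
        "linux.uid": str(workload["uid"]),
        "linux.gid": str(workload["gid"]),
        "linux.path": workload["exe"],
    }


def collect_attributes(workload, attestors):
    """Run every enabled attestor and merge results; a key reported twice is an error, not a silent merge."""
    merged = {}
    for attestor in attestors:
        for key, value in attestor(workload).items():
            if key in merged:
                raise ValueError(f"attribute {key!r} reported by more than one attestor")
            merged[key] = value
    return merged


def redact(attrs, allowed_prefixes):
    """Keep only attributes whose key starts with an allowed prefix before sending them to the server."""
    return {k: v for k, v in attrs.items() if any(k.startswith(p) for p in allowed_prefixes)}


TEMPLATE_VAR = re.compile(r"\{\{\s*([A-Za-z0-9_./-]+)\s*\}\}")


def render_path_template(template, attrs):
    """Fill a {{ attestor.attribute }} template; a missing attribute fails closed instead of rendering blank."""
    def lookup(match):
        key = match.group(1)
        if key not in attrs:
            raise KeyError(f"template references attribute {key!r} which was not collected")
        value = attrs[key]
        if "/" in value:  # a value with '/' would add path segments the template author did not intend
            raise ValueError(f"attribute {key!r} value {value!r} is not a single path segment")
        return value
    return TEMPLATE_VAR.sub(lookup, template)


def extension_decision(attrs):
    """Sample allow/deny rule an attestation extension could apply (assumed policy, not SPIRL's)."""
    if attrs.get("linux.uid") == "0":
        return "deny"  # this sample policy refuses SVIDs to root-owned processes
    if "kubernetes.namespace" not in attrs:
        return "deny"  # require a Kubernetes identity, not just process information
    return "allow"


if __name__ == "__main__":
    attrs = collect_attributes(WORKLOAD, [kubernetes_attestor, linux_attestor])
    sent = redact(attrs, ["kubernetes.", "linux.uid"])
    print(extension_decision(sent))
    print(render_path_template("/ns/{{ kubernetes.namespace }}/sa/{{ kubernetes.serviceAccount }}", sent))
```

Two design points carry over to a real deployment: the template renderer refuses attribute values containing "/", because a workload-controlled value (an annotation, a binary path) that injects extra path segments would change which SPIFFE ID is minted; and redaction runs before anything leaves the agent, so attributes such as the executable path never reach the server unless the allowlist names them.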
Available Methods
| Method | Config key | Description |
|---|---|---|
| Kubernetes | kubernetes | Identifies workloads via the Kubernetes API |
| Docker | docker | Identifies workloads via the Docker daemon |
| Linux | linux | Identifies workloads via kernel process information |
| Linux systemd | systemd | Identifies workloads by their systemd service unit |
| Custom Extension | — | Delegate attestation to an external webhook |