Skip to content

Kubernetes Workload Identity

Work in Progress

This page is a placeholder. See Architecture for current documentation.

Overview

Kubernetes 1.35+ includes native workload identity with SPIFFE support.

Example Deployment

apiVersion: v1
kind: ServiceAccount
metadata:
  name: code-review-agent
  annotations:
    spiffe.io/identity: "spiffe://cluster.local/ns/ai-agents/sa/code-review"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: code-review-agent
spec:
  template:
    spec:
      serviceAccountName: code-review-agent
      containers:
        - name: agent
          image: acme/code-review-agent:v1
          env:
            - name: SPIFFE_ENDPOINT_SOCKET
              value: "unix:///var/run/spiffe/agent.sock"
          volumeMounts:
            - name: spiffe-workload-api
              mountPath: /var/run/spiffe
              readOnly: true
      volumes:
        - name: spiffe-workload-api
          projected:
            sources:
              - serviceAccountToken:
                  path: token
                  expirationSeconds: 3600
                  audience: spiffe://cluster.local

Reference