
SPIRE Agent Pod Setup

SPIRE (SPIFFE Runtime Environment) agent


1. What is SPIRE and Why Do You Need It?

SPIFFE & SPIRE Overview

  • SPIFFE (Secure Production Identity Framework for Everyone) (Wikipedia) is a standard for workload identity management.
  • SPIRE (SPIFFE Runtime Environment) (GitHub) is an implementation of SPIFFE, enabling automatic issuance of X.509 certificates and JWTs for services.

Why Use SPIRE?

  • πŸ” Zero Trust Security - Every workload must prove its identity before communicating.
  • πŸ”„ No Hardcoded Credentials - Workloads get short-lived identity certificates, avoiding API keys.
  • ☁️ Multi-Cloud & Hybrid Ready - Works across AWS, GCP, Azure, on-prem, and Kubernetes.

Now, let’s set it up inside a Kubernetes pod!


2. Installing SPIRE on Kubernetes

Step 1: Deploy the SPIRE Server

The SPIRE Server is the central authority: it attests agents, stores the registration entries, and signs every SVID. SPIRE's own manifests run it as a StatefulSet on a persistent volume; for a first test a single-replica Deployment with an emptyDir is enough, but the server also needs a Service so the agents can reach it by name, and a ServiceAccount (called spire-server below) for the node attestor configured in the next step. The ServiceAccount and its ClusterRoleBinding are not shown on this page; SPIRE's Kubernetes quickstart carries them.

Create a Kubernetes deployment and a Service:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: spire-server
spec:
  replicas: 1
  selector:
    matchLabels:
      app: spire-server
  template:
    metadata:
      labels:
        app: spire-server
    spec:
      serviceAccountName: spire-server   # needs RBAC for TokenReview (see below)
      containers:
      - name: spire-server
        image: ghcr.io/spiffe/spire-server:1.5.0
        args:
        - "-config"
        - "/run/spire/config/server.conf"
        ports:
        - containerPort: 8081
        volumeMounts:
        - name: spire-config
          mountPath: /run/spire/config
          readOnly: true
        - name: spire-data
          mountPath: /run/spire/data
      volumes:
      - name: spire-config
        configMap:
          name: spire-server-config
      - name: spire-data
        emptyDir: {}   # demo only: datastore and CA keys vanish with the pod
---
apiVersion: v1
kind: Service
metadata:
  name: spire-server
spec:
  selector:
    app: spire-server
  ports:
  - name: grpc
    port: 8081
    targetPort: 8081

Create the ConfigMap for SPIRE Server:

apiVersion: v1
kind: ConfigMap
metadata:
  name: spire-server-config
data:
  server.conf: |
    server {
      bind_address = "0.0.0.0"
      bind_port = "8081"
      trust_domain = "example.org"
      data_dir = "/run/spire/data"
    }
    plugins {
      DataStore "sql" {
        plugin_data {
          database_type = "sqlite3"
          connection_string = "/run/spire/data/datastore.sqlite3"
        }
      }
      NodeAttestor "k8s_psat" {
        plugin_data {
          clusters = { "demo-cluster" = { service_account_allow_list = ["default:spire-agent"] } }
        }
      }
      KeyManager "memory" { plugin_data {} }
    }

The original configuration left out several settings without which the server refuses to start: trust_domain names the SPIFFE trust domain every ID will live under, DataStore is where entries and attested agents are kept (SQLite on the data volume here), KeyManager holds the CA signing key, and NodeAttestor decides how agents prove who they are. On Kubernetes that is k8s_psat: the agent presents a projected service account token and the server validates it through the TokenReview API, so the spire-server ServiceAccount needs a ClusterRole allowing create on tokenreviews and get on pods and nodes. demo-cluster and default:spire-agent (namespace:serviceaccount) are placeholders to match your cluster. The memory key manager regenerates the CA on every restart, which invalidates every SVID; outside a demo, use the disk key manager on a persistent volume or a KMS-backed one.

Deploy the SPIRE Server:

kubectl apply -f spire-server.yaml

Verify it’s running:

kubectl get pods | grep spire-server

3. Deploying the SPIRE Agent Inside a Pod

The SPIRE Agent does not run inside every workload pod. It runs once per node as a DaemonSet, attests itself to the server with its service account token, attests each local workload that connects to its Unix socket, and hands that workload its SVIDs over the Workload API. Workload pods only need the socket directory mounted from the host.

Step 1: Deploy the SPIRE Agent

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: spire-agent
spec:
  selector:
    matchLabels:
      app: spire-agent
  template:
    metadata:
      labels:
        app: spire-agent
    spec:
      serviceAccountName: spire-agent
      hostPID: true        # the k8s workload attestor maps the socket caller's PID to a pod
      hostNetwork: true    # lets the attestor reach the local kubelet on 127.0.0.1
      dnsPolicy: ClusterFirstWithHostNet
      containers:
      - name: spire-agent
        image: ghcr.io/spiffe/spire-agent:1.5.0
        args:
        - "-config"
        - "/run/spire/config/agent.conf"
        volumeMounts:
        - name: spire-config
          mountPath: /run/spire/config
          readOnly: true
        - name: spire-agent-socket
          mountPath: /run/spire/sockets
        - name: spire-token
          mountPath: /var/run/secrets/tokens
      volumes:
      - name: spire-config
        configMap:
          name: spire-agent-config
      - name: spire-agent-socket
        hostPath:
          path: /run/spire/sockets     # workload pods mount the same host directory
          type: DirectoryOrCreate
      - name: spire-token
        projected:
          sources:
          - serviceAccountToken:
              path: spire-agent        # what k8s_psat reads; audience must match the server
              expirationSeconds: 7200
              audience: spire-server

Create the ConfigMap for SPIRE Agent:

apiVersion: v1
kind: ConfigMap
metadata:
  name: spire-agent-config
data:
  agent.conf: |
    agent {
      data_dir = "/run/spire"
      server_address = "spire-server.default.svc.cluster.local"
      server_port = 8081
      socket_path = "/run/spire/sockets/agent.sock"
      trust_domain = "example.org"
      insecure_bootstrap = true   # demo only: no trust_bundle_path, so the first server wins
    }
    plugins {
      NodeAttestor "k8s_psat" {
        plugin_data { cluster = "demo-cluster" }   # token_path defaults to /var/run/secrets/tokens/spire-agent
      }
      KeyManager "memory" { plugin_data {} }
      WorkloadAttestor "k8s" {
        plugin_data { skip_kubelet_verification = true }
      }
    }

Like the server, the agent needs RBAC that this page does not carry: the spire-agent ServiceAccount must be allowed to get pods, nodes and nodes/proxy, because the k8s workload attestor asks the kubelet which pod owns the PID that connected to the socket. insecure_bootstrap = true makes the agent trust whatever server it first reaches; it is fine for a demo, but production agents should be given the server's bundle through trust_bundle_path instead.

Deploy the SPIRE Agent:

kubectl apply -f spire-agent.yaml

Check the logs to see if the agent is running; a healthy agent reports that node attestation succeeded before it starts serving the Workload API:

kubectl logs -l app=spire-agent

4. Registering a Workload with SPIRE

Now that SPIRE Agents are running on every node, we need to register workloads: a registration entry tells the server which SPIFFE ID to issue, which agents may hand it out, and which workload selectors a caller must match.

Step 1: Register a Kubernetes Pod with SPIRE

An entry's parent ID must be the SPIFFE ID of the agent (or an alias for a group of agents) allowed to serve the identity. SPIRE treats an entry whose parent is the server ID as a node alias and matches its selectors against agents rather than workloads, so the original single command with -parentID spiffe://example.org/spire/server and a pod-label selector would never be delivered to any agent. With k8s_psat, the practical way is a node alias covering every agent attested in the cluster, then the workload entry parented to that alias. The alias ID spiffe://example.org/k8s-node/demo-cluster is a placeholder; run both commands:

kubectl exec -it $(kubectl get pods -l app=spire-server -o name) -- \
  spire-server entry create \
    -node \
    -spiffeID spiffe://example.org/k8s-node/demo-cluster \
    -selector k8s_psat:cluster:demo-cluster

kubectl exec -it $(kubectl get pods -l app=spire-server -o name) -- \
  spire-server entry create \
    -parentID spiffe://example.org/k8s-node/demo-cluster \
    -spiffeID spiffe://example.org/my-service \
    -selector k8s:ns:default \
    -selector k8s:pod-label:app:my-app

This tells SPIRE:

  • Any agent that attested through k8s_psat in demo-cluster may serve the entry (the node alias).
  • Of the pods on that node, only those in namespace default labeled app=my-app get the identity spiffe://example.org/my-service; the agent checks both selectors against what the kubelet reports for the calling pod.

A pod that matches and mounts the host's /run/spire/sockets directory can now fetch its X509-SVID from the Workload API socket; the agent keeps it short-lived and rotates it before expiry without the workload doing anything. 🔐


5. Using SPIRE with Istio for Secure Service Mesh

Istio can run on SPIRE-issued identities, but the resource below does not configure that: a PeerAuthentication policy only controls whether Envoy accepts plaintext, and it applies to whatever pods its selector matches. Wiring Istio to SPIRE is a separate install-time step (Istio's documented integration gives the sidecars the agent's Workload API socket through the SPIFFE CSI driver and registers the mesh workloads with ClusterSPIFFEID resources from the SPIRE Controller Manager).

Step 1: Enforce mTLS with a PeerAuthentication policy

apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: spire-authentication
  namespace: istio-system
spec:
  selector:
    matchLabels:
      istio: ingressgateway
  mtls:
    mode: STRICT

Apply it:

kubectl apply -f spire-authentication.yaml

With this selector, STRICT mode applies to the ingress gateway pods in istio-system only; a mesh-wide policy is a PeerAuthentication named default in the root namespace (istio-system) with no selector. Once Istio is configured to obtain its certificates from SPIRE, those mTLS connections are authenticated with SPIRE-issued SVIDs. 🚀


6. Verifying SPIRE is Working

To verify, list the registration entries on the server; entry show prints what has been registered (SPIFFE ID, parent ID, selectors), not which SVIDs have been issued:

kubectl exec -it $(kubectl get pods -l app=spire-server -o name) -- spire-server entry show

To confirm the agents actually attested, list them:

kubectl exec -it $(kubectl get pods -l app=spire-server -o name) -- spire-server agent list

Finally, check from the workload side. The agent socket is a Unix socket, so it cannot be read with cat; the test is to call the Workload API from a pod that matches the entry and mounts the host's /run/spire/sockets directory. The spire-agent binary doubles as a Workload API client, which is why the SPIRE quickstart runs the spire-agent image as its test workload:

kubectl exec -it my-app-pod -- spire-agent api fetch x509 -socketPath /run/spire/sockets/agent.sock -write /tmp

If the command prints spiffe://example.org/my-service with its certificate and bundle (and writes svid.0.pem, svid.0.key and bundle.0.pem to /tmp), SPIRE is working correctly! 🎉
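What a workload does with the identity it fetched, as an added example written for this page (it is not from the original post and not SPIRE's or go-spiffe's code): a SPIFFE-aware service verifies the peer's chain against the trust bundle and then authorizes on the SPIFFE ID in the URI SAN, never on a hostname. The issue() helper mints throwaway certificates in-process as a stand-in for what the agent hands out; the CA names, the spiffe://example.org/my-app and other-app IDs, and the allow list are assumptions. In a real pod the SVID, private key and bundle come from the Workload API socket (go-spiffe's workloadapi package in Go) instead of issue().

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// issue builds a constructed certificate (not SPIRE output): with parent nil, a self-signed
// CA standing in for the trust bundle; otherwise a leaf whose only identity is a spiffe://
// URI SAN, the shape of an X509-SVID. name is the CA's display name or the leaf's SPIFFE ID.
func issue(parent *x509.Certificate, parentKey *ecdsa.PrivateKey, name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), // short-lived; the agent rotates SVIDs
	}
	if parent == nil {
		tmpl.Subject, tmpl.IsCA, tmpl.BasicConstraintsValid = pkix.Name{CommonName: name}, true, true
		tmpl.KeyUsage, parent, parentKey = x509.KeyUsageCertSign, tmpl, key
	} else {
		id, _ := url.Parse(name)
		tmpl.URIs = []*url.URL{id}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// spiffeIDOf returns the SPIFFE ID: an X509-SVID carries exactly one URI SAN, a spiffe:// URI.
func spiffeIDOf(c *x509.Certificate) (string, error) {
	if len(c.URIs) != 1 || c.URIs[0].Scheme != "spiffe" {
		return "", fmt.Errorf("expected exactly one spiffe:// URI SAN, got %d URI SANs", len(c.URIs))
	}
	return c.URIs[0].String(), nil
}

// authorizePeer is the per-connection check of a SPIFFE-aware service: verify the peer chain
// against the trust bundle (authentication), then authorize on the SPIFFE ID. Any intermediates
// a real SVID ships in rawCerts[1:] belong in VerifyOptions.Intermediates; the certs here have none.
func authorizePeer(bundle *x509.CertPool, allowed map[string]bool, rawCerts [][]byte) (string, error) {
	if len(rawCerts) == 0 {
		return "", fmt.Errorf("peer presented no certificate")
	}
	leaf, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return "", err
	}
	opts := x509.VerifyOptions{Roots: bundle, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", fmt.Errorf("chain not trusted by bundle: %w", err)
	}
	id, err := spiffeIDOf(leaf)
	if err != nil {
		return "", err
	}
	if !allowed[id] {
		return "", fmt.Errorf("peer %s is authenticated but not authorized", id)
	}
	return id, nil
}

// spiffeTLSConfig wires authorizePeer into crypto/tls. SPIFFE has no hostnames, so Go's default
// hostname verification is replaced, not skipped: InsecureSkipVerify is only acceptable here
// because VerifyPeerCertificate does the real check on every handshake.
func spiffeTLSConfig(svid *x509.Certificate, key *ecdsa.PrivateKey, bundle *x509.CertPool, allowed map[string]bool) *tls.Config {
	return &tls.Config{
		Certificates:       []tls.Certificate{{Certificate: [][]byte{svid.Raw}, PrivateKey: key}},
		ClientAuth:         tls.RequireAnyClientCert, // as a server: demand the client's SVID
		InsecureSkipVerify: true,                     // as a client: see VerifyPeerCertificate
		MinVersion:         tls.VersionTLS12,
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			_, err := authorizePeer(bundle, allowed, raw)
			return err
		},
	}
}

// RunScenario plays three peers against my-service's allow list: my-app (registered), other-app
// (valid SVID, not registered) and an impostor presenting my-app's ID under a CA outside the bundle.
func RunScenario() []string {
	ca, caKey := issue(nil, nil, "constructed example.org CA")
	outsider, outsiderKey := issue(nil, nil, "constructed CA outside the bundle")
	bundle := x509.NewCertPool()
	bundle.AddCert(ca)
	allowed := map[string]bool{"spiffe://example.org/my-app": true}
	check := func(signer *x509.Certificate, signerKey *ecdsa.PrivateKey, id string) string {
		svid, _ := issue(signer, signerKey, id)
		got, err := authorizePeer(bundle, allowed, [][]byte{svid.Raw})
		if err != nil {
			return "rejected: " + err.Error()
		}
		return "accepted " + got
	}
	return []string{
		check(ca, caKey, "spiffe://example.org/my-app"),
		check(ca, caKey, "spiffe://example.org/other-app"),
		check(outsider, outsiderKey, "spiffe://example.org/my-app"),
	}
}

func main() { fmt.Println(RunScenario()) }
```

Run it with go run: the first peer is accepted, the second is rejected as authenticated but unauthorized, and the third as untrusted even though it claims my-app's SPIFFE ID. Two points carry over to production code: authentication (chain to bundle) and authorization (SPIFFE ID on an allow list) are separate checks that both fail closed, and InsecureSkipVerify is only defensible because VerifyPeerCertificate replaces the hostname check that SPIFFE has no use for. go-spiffe's tlsconfig package packages this pattern (tlsconfig.MTLSServerConfig with an Authorizer such as tlsconfig.AuthorizeID) and also keeps the bundle and SVID fresh as the agent rotates them.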


Final Thoughts

Setting up SPIRE inside a pod gives you strong identity security with zero trust principles.

Key Takeaways

✅ SPIRE issues workload identities dynamically.
✅ No more hardcoded API keys! 🎉
✅ Works with Istio for mTLS encryption.
✅ Enables Zero Trust Security in Kubernetes.

If you’re building secure microservices, SPIRE is a must-have! 🔥