Goal
Every pod gets a cryptographic identity. All service-to-service traffic is mutually authenticated. No more password-based service credentials.
Tasks
- Deploy SPIRE server and agent via Helm
- Register a SPIFFE ID for each service in the argus-k8s trust domain, e.g. spiffe://argus-k8s/prod/payment-service (path = environment/service)
- Issue X.509-SVIDs to each pod via the SPIRE agent's Workload API (short-lived, rotated automatically by the agent)
- Enable Cilium mutual authentication so network policies require the peer's SPIFFE identity, not just its IP
- Add the peer's SPIFFE ID to the Argus enricher context
- Test: a pod without a valid SVID cannot connect to postgres
Acceptance criteria
- All prod pods hold a valid SVID issued for the argus-k8s trust domain
- A connection from a pod without a valid SVID is blocked by Cilium (verified against postgres)
- SPIFFE ID visible in Argus incident enrichment