Skip to content
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
58 lines (43 sloc) 1.97 KB

Agent plugin: NodeAttestor "k8s_psat"

Must be used in conjunction with the server-side k8s_psat plugin

The k8s_psat plugin attests nodes running inside of Kubernetes. The agent reads and provides the signed projected service account token (PSAT) to the server. In addition to service account data, PSAT embeds the pod name and UID on its claims. This allows SPIRE to create more fine-grained attestation policies for agents.

The server-side k8s_psat plugin will generate a SPIFFE ID on behalf of the agent of the form:

spiffe://<trust domain>/spire/agent/k8s_psat/<cluster>/<node UID>

The main configuration accepts the following values:

Configuration Description Default
cluster Name of the cluster. It must correspond to a cluster configured in the server plugin.
token_path Path to the projected service account token on disk "/var/run/secrets/tokens/spire-agent"

A sample configuration with the default token path:

    NodeAttestor "k8s_psat" {
        plugin_data {
            cluster = "MyCluster"

Its k8s volume definition:

    - name: spire-agent
        - serviceAccountToken:
            path: spire-agent
            expirationSeconds: 600
            audience: spire-server

And volume mount:

    - mountPath: /var/run/secrets/tokens
      name: spire-agent

A full example of this attestor is provided in the SPIRE examples repository.


This attestor is based on two Kubernetes beta features (since k8s v1.12): TokenRequest and TokenRequestProjection. TokenRequest exposes the ability to obtain finely scoped service account tokens from the Kubernetes API Server. TokenRequestProjection facilitates the automatic creation and mounting of such a token into a container.

You can’t perform that action at this time.