Agent Configuration

The agent plays a central role in SVID issuance. This section covers how to configure each step the agent performs, from proving its own identity through to delivering credentials to workloads. For background on what agents and attestation are, see Concepts.

The agent's role in SVID issuance has three configurable stages:

Agent Attestation

When an agent starts, it authenticates to the Trust Domain Server to establish a trusted session. Defakto supports multiple attestation methods, which can be combined into policies that require one or more proofs simultaneously.

See Agent Attestation Methods for available methods, policy configuration, and the attributes each method produces.

Workload Attestation

When a workload requests an SVID, the agent collects attributes about the workload — its Kubernetes pod identity, Linux process information, or other runtime context — and sends them to the Trust Domain Server. The server uses those attributes to determine the workload's SPIFFE ID.

See Workload Attestation Methods for available attestors, configuration, and the attributes they collect.

How Attributes Accumulate

Attributes from both phases are available for use in SPIFFE ID path templates, X.509 customization, and JWT customization:

  • Agent attributes are collected once at agent startup. They reflect the agent's host identity (cloud instance metadata, TPM identity, SSH certificate, etc.).

  • Workload attributes are collected on each SVID request. They reflect the workload's runtime identity (Kubernetes pod, Linux user, systemd unit, etc.).

Both sets of attributes are sent to the Trust Domain Server by default. To limit which workload attributes are forwarded, see Attribute Redaction.
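The following is an added illustration of the accumulation model described above, not Defakto's own code or configuration format: the placeholder syntax, the attribute names, the trust domain and the redaction list are all assumptions. It shows agent attributes collected once, workload attributes collected per request with redaction applied before they are forwarded, and a path template rendered fail-closed (a missing attribute or a value containing "/" rejects the request instead of producing a malformed SPIFFE ID).

```python
import re

# Placeholders name an attribute by phase and key, e.g. {agent.region}.
# This syntax is an assumption for the illustration, not Defakto's format.
PLACEHOLDER = re.compile(r"\{(agent|workload)\.([A-Za-z0-9_]+)\}")


class Agent:
    def __init__(self, trust_domain, redact=()):
        self.trust_domain = trust_domain
        self.redact = set(redact)   # workload attribute keys never forwarded
        self.agent_attrs = {}       # filled once, at startup

    def attest_agent(self, host_facts):
        """Agent attestation: runs once; attributes describe the host."""
        self.agent_attrs = {"agent." + k: v for k, v in host_facts.items()}

    def attest_workload(self, runtime_facts):
        """Workload attestation: runs per SVID request. Redaction is applied
        here, so a redacted key never leaves the agent."""
        return {"workload." + k: v
                for k, v in runtime_facts.items() if k not in self.redact}

    def request_svid(self, runtime_facts, path_template):
        """Merge both attribute sets and render the SPIFFE ID path."""
        attrs = {**self.agent_attrs, **self.attest_workload(runtime_facts)}
        return "spiffe://" + self.trust_domain + render_path(path_template, attrs)


def render_path(template, attrs):
    """Substitute placeholders; reject anything that cannot be resolved."""
    def substitute(match):
        key = match.group(1) + "." + match.group(2)
        if key not in attrs:
            raise KeyError("attribute %r not available for this request" % key)
        value = str(attrs[key])
        # A value with "/" (or ".", "..", "") would forge or swallow path segments.
        if "/" in value or value in ("", ".", ".."):
            raise ValueError("attribute %r would corrupt the path: %r" % (key, value))
        return value

    path = PLACEHOLDER.sub(substitute, template)
    # Unmatched braces mean a placeholder the regex did not recognise.
    if "{" in path or "}" in path:
        raise ValueError("unrecognised placeholder in template: %r" % template)
    if not path.startswith("/") or "" in path[1:].split("/"):
        raise ValueError("template must yield an absolute path without empty segments")
    return path
```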