Kubernetes Workload Attestor
The Kubernetes attestor identifies workloads by querying the Kubernetes API for the pod that owns the requesting process.
Configuration
Enable the Kubernetes attestor in the WorkloadAttestation section:
```yaml
section: WorkloadAttestation
schema: v1
spec:
  kubernetes:
    enabled: true
    includeAnnotationPrefixes:
      - "example.com/"
```
| Field | Default | Description |
|---|---|---|
| kubernetes.enabled | true | Enable or disable Kubernetes attestation |
| kubernetes.includeAnnotationPrefixes | [] | Annotation key prefixes to include as attributes. Empty means no annotations are emitted. Restart required to change. |
Attributes
The following attributes are collected for workloads running in
Kubernetes-based platforms (e.g. k8s) and can be used in path
templates, JWT custom claims, and X.509 Subject customization. Some
attributes are restricted to specific surfaces — see the Notes column.
| Kubernetes Attribute | Path Template Variable | Notes |
|---|---|---|
| Pod Image Count | kubernetes.pod.image_count | Number of containers in the pod. E.g. 1 |
| Pod Init Image Count | kubernetes.pod.init_image_count | Number of init containers in the pod. E.g. 0 |
| Pod Name | kubernetes.pod.name | |
| Namespace | kubernetes.pod.namespace | |
| Pod UID | kubernetes.pod.uid | |
| Pod Node Name | kubernetes.pod.node.name | |
| Pod Owner | kubernetes.pod.owner | Owner of the pod, formatted as Type:Name. E.g. ReplicaSet:my-replicaset-5cfd45f6c9. See note below. |
| Pod Owner UID | kubernetes.pod.owner_uid | UID of the pod's owner. E.g. 316ea285-b878-4d20-a9fe-2e1c79b0f083. See note below. |
| Service Account | kubernetes.pod.service_account | |
| Pod Container Image Name | kubernetes.pod.container.<container_name>.image.name | One entry per container in the pod. Not available in path templates. |
| Pod Container Image ID | kubernetes.pod.container.<container_name>.image.id | One entry per container in the pod. Not available in path templates. |
| Pod Init Container Image Name | kubernetes.pod.init_container.<container_name>.image.name | One entry per init container in the pod. Not available in path templates. |
| Pod Init Container Image ID | kubernetes.pod.init_container.<container_name>.image.id | One entry per init container in the pod. Not available in path templates. |
| Pod Label | kubernetes.pod.label[<label_key>] | One entry per label on the pod |
| Pod Annotation | kubernetes.pod.annotation[<annotation_key>] | One entry per allowlisted annotation on the pod |
| Container Name | kubernetes.container.name | Disabled by default. See below. |
| Container Image Name | kubernetes.container.image.name | Disabled by default. See below. |
| Container Image ID | kubernetes.container.image.id | Disabled by default. See below. |
kubernetes.pod.owner and kubernetes.pod.owner_uid are derived from the pod's OwnerReferences. If there are multiple entries, the last owner in OwnerReferences is used.
Pod label and pod annotation keys containing forward slashes (/) or
dashes (-) require Trust Domain Server version 0.28.0 or newer. On
earlier versions, configuration using these keys will fail
synchronization, and the server will remain on its previous
configuration.
Pod annotations are emitted only for keys matching an allowlisted
prefix. Configure prefixes via kubernetes.includeAnnotationPrefixes
in the WorkloadAttestation managed configuration section. For
example, to expose the annotation example.com/my-annotation:
```yaml
section: WorkloadAttestation
schema: v1
spec:
  kubernetes:
    includeAnnotationPrefixes:
      - "example.com/"
```
Container attributes must be enabled by setting
includeContainerAttributes: true in the relevant platform block
(e.g. k8s, istio) of the spirl-system Helm values.
The kubernetes.container.* attributes describe the container running
the attested workload. To access attributes of other containers in the
same pod, use the kubernetes.pod.container.<container_name>.*
attributes instead.