Linux systemd Workload Attestor
The systemd attestor identifies workloads by querying the Linux systemd D-Bus API on the agent's host. When a process requests an SVID, the agent looks up its systemd unit metadata and emits it as attributes.
This attestor is separate from the Linux attestor because it collects a different category of information. The Linux attestor identifies workloads by process-level attributes (user, group, binary path), while the systemd attestor identifies workloads by the service unit managing them. Both can be enabled simultaneously — their attributes complement each other.
Configuration
Enable the systemd attestor in the WorkloadAttestation section:

```yaml
section: WorkloadAttestation
schema: v1
spec:
  systemd:
    enabled: true
```
| Field | Default | Description |
|---|---|---|
| systemd.enabled | false | Enable or disable systemd attestation |
The agent must be able to reach the system D-Bus socket (/run/dbus/system_bus_socket) to resolve systemd metadata.
Attributes
All attributes have the origin systemd.
| Attribute | Description |
|---|---|
| systemd.id | Systemd unit name (e.g., nginx.service) |
| systemd.fragment_path | Path to the unit file on disk |
| systemd.control_group | cgroup path for the unit |
| systemd.invocation_id | Unique invocation ID for this run of the unit |
Example SPIFFE ID template:

```
/systemd/{{systemd.id}}
```
systemd.invocation_id is regenerated each time the unit starts, so a policy that pins this attribute stops matching after the first restart of the unit. Use systemd.id when the policy needs a stable identity.
Workloads not managed by systemd (e.g., ad-hoc processes, containers) will not have systemd.* attributes and will not satisfy policies that require them.
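The following is an added example, not code from this page or the agent it documents. It shows how the unit properties that systemd exposes over D-Bus map onto the `systemd.*` attributes in the table above, how the SPIFFE ID template renders from them, and why a policy that pins `systemd.invocation_id` breaks across a restart while one keyed on `systemd.id` keeps matching. The `SAMPLE_UNIT_PROPS` data and the `simulate_restart` helper are constructed so the example runs offline; `lookup_unit_properties` is an assumed helper that uses the dbus-python bindings against the real `org.freedesktop.systemd1` API and is only needed on a live host. The policy format (a dict of required attribute values) is an assumption for illustration, not the agent's own policy syntax.

```python
"""Map systemd D-Bus unit properties to systemd.* attributes and evaluate policies on them."""
import os
import re

# Constructed sample: what a property lookup for a systemd-managed nginx process might return.
# InvocationID is exposed over D-Bus as a 16-byte array ("ay"), not as a string.
SAMPLE_UNIT_PROPS = {
    "Id": "nginx.service",
    "FragmentPath": "/usr/lib/systemd/system/nginx.service",
    "ControlGroup": "/system.slice/nginx.service",
    "InvocationID": bytes.fromhex("5f2c8c4e3a1b4d0f9c7e6a5b4c3d2e1f"),  # constructed value
}


def unit_props_to_attributes(props):
    """Translate raw systemd properties into the systemd.* attributes the attestor emits."""
    attrs = {
        "systemd.id": str(props["Id"]),
        "systemd.fragment_path": str(props["FragmentPath"]),
        "systemd.control_group": str(props["ControlGroup"]),
    }
    invocation = props.get("InvocationID")
    if invocation:  # empty/absent for units that are not running
        attrs["systemd.invocation_id"] = bytes(invocation).hex()
    return attrs


def render_spiffe_id(template, attrs):
    """Render a {{attribute}} template; a missing attribute is an error, not an empty string."""
    def substitute(match):
        key = match.group(1)
        if key not in attrs:
            raise KeyError(f"template references attribute {key!r} the workload does not have")
        return attrs[key]
    return re.sub(r"\{\{\s*([A-Za-z0-9_.]+)\s*\}\}", substitute, template)


def policy_matches(policy, attrs):
    """Assumed policy shape: every required attribute must be present with exactly that value."""
    return all(attrs.get(key) == value for key, value in policy.items())


def simulate_restart(props):
    """Constructed model of a unit restart: identity and paths persist, InvocationID is fresh."""
    restarted = dict(props)
    restarted["InvocationID"] = os.urandom(16)
    return restarted


def lookup_unit_properties(pid):
    """Resolve a PID to its unit properties via the system D-Bus (assumes dbus-python).

    Not exercised offline; needs /run/dbus/system_bus_socket to be reachable.
    """
    import dbus  # imported lazily so the rest of the module runs without D-Bus
    bus = dbus.SystemBus()
    manager = dbus.Interface(
        bus.get_object("org.freedesktop.systemd1", "/org/freedesktop/systemd1"),
        "org.freedesktop.systemd1.Manager",
    )
    unit_path = manager.GetUnitByPID(dbus.UInt32(pid))
    props = dbus.Interface(
        bus.get_object("org.freedesktop.systemd1", unit_path),
        "org.freedesktop.DBus.Properties",
    )
    unit_iface = "org.freedesktop.systemd1.Unit"
    result = {name: props.Get(unit_iface, name) for name in ("Id", "FragmentPath", "InvocationID")}
    # ControlGroup lives on the type-specific interface; .service units use the Service interface.
    result["ControlGroup"] = props.Get("org.freedesktop.systemd1.Service", "ControlGroup")
    return result


if __name__ == "__main__":
    before = unit_props_to_attributes(SAMPLE_UNIT_PROPS)
    after = unit_props_to_attributes(simulate_restart(SAMPLE_UNIT_PROPS))
    stable = {"systemd.id": "nginx.service"}
    fragile = dict(stable, **{"systemd.invocation_id": before["systemd.invocation_id"]})
    print("SPIFFE ID:", render_spiffe_id("/systemd/{{systemd.id}}", before))
    print("stable policy after restart:", policy_matches(stable, after))
    print("invocation-pinned policy after restart:", policy_matches(fragile, after))
```

A workload that is not managed by systemd yields no `systemd.*` attributes at all, so `policy_matches` returns False for any policy that requires them, and `render_spiffe_id` raises rather than minting an ID with an empty unit name; both behaviours are the ones a verifier wants when identity depends on these attributes.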