Default SPIFFE ID templates
SPIRL generates SPIFFE IDs for new SPIFFE Verifiable Identity Documents (SVIDs) in a platform-dependent way. For example, the default path template for Kubernetes is:
/{{cluster.name}}/ns/{{kubernetes.pod.namespace}}/sa/{{kubernetes.pod.service_account}}
Assuming a trust domain of spirl.example.com, a cluster name of
edge-global, a namespace of prod and a service account named
nginx, this expands to the following SPIFFE ID:
spiffe://spirl.example.com/edge-global/ns/prod/sa/nginx
By default, the following path templates are used, depending on the platform:
# Default Kubernetes path template
/{{cluster.name}}/ns/{{kubernetes.pod.namespace}}/sa/{{kubernetes.pod.service_account}}
# Default Istio path template
/ns/{{kubernetes.pod.namespace}}/sa/{{kubernetes.pod.service_account}}
# Default Linux path template
/{{node_group.name}}/{{linux.user.name}}
# Default developer identity path template
/users/{{email.domain}}/{{email.username}}
Customizing the path template for a new cluster
The default path templates are based on SPIFFE best practices. However, these path templates can be customized for each cluster. It is safest to do so when adding the cluster to the trust domain:
spirlctl cluster add production --trust-domain spirl.example.com \
--platform k8s \
--path-template /{{cluster.name}}/ns/{{kubernetes.pod.namespace}}/n/{{kubernetes.pod.name}}
Passing in a new path template replaces the default, and the new path template will be used to generate SPIFFE IDs.
Available Kubernetes attributes
The following attributes are available to use in path templates for
Kubernetes-based platforms (e.g. k8s).
| Kubernetes Attribute | Path Template Variable |
|---|---|
| Namespace | kubernetes.pod.namespace |
| Pod Name | kubernetes.pod.name |
| Pod UID | kubernetes.pod.uid |
| Service Account | kubernetes.pod.service_account |
To use Linux attributes in path templates, see how to install the SPIRL Agent on Debian or Ubuntu.