Register Cluster with Trust Domain Server
For Defakto Agents running in the cluster to connect to the Trust Domain Server, the cluster must first be registered with the Trust Domain Server. The examples below use Kubernetes Service Account Token attestation, the recommended method for Kubernetes-hosted agents. For other environments or attestation methods, see the Agent Attestation Methods overview.
Kubernetes Service Account Token attestation
To enable Kubernetes Service Account Token attestation, register the cluster, then apply an AgentAttestation policy with the OIDC issuer URL for the Kubernetes cluster where the Agents will run. The OIDC endpoint must be reachable from the Trust Domain Server.
For example, to retrieve the OIDC issuer URL from an AWS EKS cluster:
OIDC_ISSUER_URL=$(aws eks describe-cluster --name <cluster-name> --query "cluster.identity.oidc.issuer" --output text)
Register the cluster:
./spirlctl cluster register \
example-workload-1 --trust-domain example.com \
--platform k8s
Create an AgentAttestation policy file with the issuer URL (replace $OIDC_ISSUER_URL below with the actual value, for example by writing the file from a shell heredoc so the variable is expanded):
section: AgentAttestation
schema: v1
spec:
  policies:
    - name: k8s_policy
      requiredAttestors:
        - type: k8s_token
          config:
            issuerURL: $OIDC_ISSUER_URL
Apply it:
spirlctl config set cluster --id <cluster-id> attestation-policy.yaml
In the agent Helm values:
agent:
  auth:
    clusterId: c-xxxxxx
    attestors:
      - type: k8s_token
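The token-attestation procedure above, carried through as a shell script. This is an added example and not part of the Defakto/SPIRL documentation: it validates the issuer URL, renders the AgentAttestation policy with the URL actually substituted (a literal $OIDC_ISSUER_URL left in the YAML file would not be expanded), checks that the OIDC discovery document is reachable, and then runs the spirlctl commands from the page. The function names, the check_issuer_url rules and the RUN_REGISTRATION guard are this example's own assumptions; the policy schema and the aws/spirlctl invocations are the ones shown above.

```shell
#!/bin/sh
# Added example (not the Defakto/SPIRL project's own code): render and apply an
# AgentAttestation policy for Kubernetes Service Account Token attestation.

# check_issuer_url URL -> exit 0 if URL looks like a usable OIDC issuer, 1 otherwise.
# Discovery fetches <issuer>/.well-known/openid-configuration, so the issuer must
# be https and must not end in a slash (rules assumed here, not taken from the page).
check_issuer_url() {
  case "$1" in
    https://*/) return 1 ;;   # trailing slash would produce a double slash in the discovery URL
    https://?*) return 0 ;;
    *)          return 1 ;;   # empty, http://, or not a URL at all
  esac
}

# render_policy ISSUER_URL -> prints the AgentAttestation policy YAML on stdout,
# with the issuer URL substituted by the shell rather than left as a placeholder.
render_policy() {
  check_issuer_url "$1" || { echo "render_policy: invalid issuer URL: '$1'" >&2; return 1; }
  cat <<EOF
section: AgentAttestation
schema: v1
spec:
  policies:
    - name: k8s_policy
      requiredAttestors:
        - type: k8s_token
          config:
            issuerURL: $1
EOF
}

# prepare_policy EKS_CLUSTER_NAME -> policy YAML on stdout. Calls aws and curl.
prepare_policy() {
  issuer=$(aws eks describe-cluster --name "$1" \
             --query "cluster.identity.oidc.issuer" --output text)
  # The Trust Domain Server must be able to fetch the discovery document, so run
  # this from a host with the same network path; a private-only issuer endpoint
  # fails here instead of after the policy has been applied.
  curl -fsS "$issuer/.well-known/openid-configuration" >/dev/null
  render_policy "$issuer"
}

# End-to-end run, only when RUN_REGISTRATION=1 is set (it calls aws, curl, spirlctl).
# Usage: RUN_REGISTRATION=1 sh register.sh <eks-cluster-name> <cluster-name> <trust-domain> [<cluster-id>]
# The cluster id (c-...) is printed by the register step; pass it as the 4th
# argument to apply the policy in the same run.
if [ "${RUN_REGISTRATION:-}" = "1" ]; then
  prepare_policy "$1" > attestation-policy.yaml
  spirlctl cluster register "$2" --trust-domain "$3" --platform k8s
  if [ -n "${4:-}" ]; then
    spirlctl config set cluster --id "$4" attestation-policy.yaml
  fi
fi
```

Without RUN_REGISTRATION the script only defines the functions, so it can be sourced and render_policy used on its own to produce attestation-policy.yaml from any issuer URL, not just an EKS one.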
Cluster Version Key (CVK) attestation
The Defakto Agent can also authenticate using a key pair. The cluster is registered with the following command:
spirlctl cluster register workloads-cl-3 --trust-domain spirl.example.com --platform k8s
Here, workloads-cl-3 is the name of the cluster to register and spirl.example.com is the name of the trust domain. The command produces the following output:
Successfully registered cluster workloads-cl-3 to trust domain spirl.example.com
Cluster Version ID: cv-1r0yfu9yjy
Private Key:
-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEIMkReSwyvhVzOmfwzXzIF3vd4M+BWOZ9ppjj6EFWG8gl
-----END PRIVATE KEY-----
When using CVK authentication, you will need to provide the Cluster Version ID and Private Key to the agent Helm chart when deploying the agent in the cluster. Keep the Private Key in a secure location (for example a Kubernetes Secret or your secrets manager) and do not commit it to source control.
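The registration output above, parsed into its two parts and stored as a Kubernetes Secret rather than pasted into a values file. This is an added example, not the documentation's or the project's own tooling. The Secret name and its keys (clusterVersionId, privateKey) are this example's own choice; the agent Helm chart's actual values for CVK are not shown on this page, so wire the Secret into the chart according to the chart's documentation. The sample output is the page's own example, embedded as a constructed string.

```shell
#!/bin/sh
# Added example (not the Defakto/SPIRL project's own code): parse the CVK
# registration output and store the key material in a Kubernetes Secret.

# Constructed sample: the `spirlctl cluster register` output shown on the page.
SAMPLE_OUTPUT='Successfully registered cluster workloads-cl-3 to trust domain spirl.example.com
Cluster Version ID: cv-1r0yfu9yjy
Private Key:
-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEIMkReSwyvhVzOmfwzXzIF3vd4M+BWOZ9ppjj6EFWG8gl
-----END PRIVATE KEY-----'

# extract_cluster_version_id: stdin = register output, stdout = "cv-..." or nothing.
extract_cluster_version_id() {
  sed -n 's/^Cluster Version ID: *\(cv-[A-Za-z0-9]*\).*$/\1/p'
}

# extract_private_key: stdin = register output, stdout = the PEM block only,
# from the BEGIN line through the END line, with no other output lines mixed in.
extract_private_key() {
  sed -n '/^-----BEGIN PRIVATE KEY-----$/,/^-----END PRIVATE KEY-----$/p'
}

# store_cvk_secret SECRET_NAME NAMESPACE: reads the register output on stdin and
# creates the Secret with kubectl. Refuses to proceed if either part is missing,
# so truncated or mis-pasted output never yields a half-filled Secret.
store_cvk_secret() {
  out=$(cat)
  cv_id=$(printf '%s\n' "$out" | extract_cluster_version_id)
  key=$(printf '%s\n' "$out" | extract_private_key)
  if [ -z "$cv_id" ] || [ -z "$key" ]; then
    echo "store_cvk_secret: Cluster Version ID or Private Key not found in input" >&2
    return 1
  fi
  # Secret key names are this example's assumption, not the Helm chart's values.
  kubectl -n "$2" create secret generic "$1" \
    --from-literal=clusterVersionId="$cv_id" \
    --from-literal=privateKey="$key"
}

# Usage: pipe the registration straight into the Secret so the private key is
# never written to a values file. Runs only when RUN_REGISTRATION=1 is set.
#   RUN_REGISTRATION=1 sh cvk-secret.sh workloads-cl-3 spirl.example.com defakto-agent-cvk agent-ns
if [ "${RUN_REGISTRATION:-}" = "1" ]; then
  spirlctl cluster register "$1" --trust-domain "$2" --platform k8s \
    | store_cvk_secret "$3" "$4"
fi
```

Because store_cvk_secret reads from stdin, the same function also works on output saved earlier (`store_cvk_secret name ns < register.out`), and a Secret created this way can be rotated independently of the Helm release.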