Register Cluster with Trust Domain Server

In order for Defakto Agents running in the cluster to be able to connect to the Trust Domain Server, you need to register the cluster with the Trust Domain Server. The examples below use Kubernetes Service Account Token attestation, the recommended method for Kubernetes-hosted agents. For other environments or attestation methods, see the Agent Attestation Methods overview.

Kubernetes Service Account Token attestation

To enable Kubernetes Service Account Token attestation, register the cluster, then apply an AgentAttestation policy with the OIDC issuer URL for the Kubernetes cluster where the Agents will run. The OIDC endpoint must be reachable from the Trust Domain Server.

For example, to retrieve the OIDC issuer URL from an AWS EKS cluster:

OIDC_ISSUER_URL=$(aws eks describe-cluster --name <cluster-name> --query "cluster.identity.oidc.issuer" --output text)

Register the cluster:

spirlctl cluster register \
  example-workload-1 --trust-domain example.com \
  --platform k8s

Create an AgentAttestation policy file (attestation-policy.yaml) with the issuer URL. YAML does not expand shell variables, so write the actual value of OIDC_ISSUER_URL into the file (for example with a heredoc) rather than the literal string $OIDC_ISSUER_URL:

section: AgentAttestation
schema: v1
spec:
  policies:
    - name: k8s_policy
      requiredAttestors:
        - type: k8s_token
          config:
            issuerURL: $OIDC_ISSUER_URL

Apply it:

spirlctl config set cluster --id <cluster-id> attestation-policy.yaml

In the agent Helm values, reference the registered cluster ID and enable the k8s_token attestor:

agent:
  auth:
    clusterId: c-xxxxxx
    attestors:
      - type: k8s_token
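The steps above (look up the issuer URL, write the policy file with the real value substituted, apply it) as one script. This is an added example, not part of the page or the Defakto/SPIRL tooling; it assumes the aws and spirlctl commands exactly as shown on this page, treats CLUSTER_NAME and CLUSTER_ID as placeholders you set, and adds two checks the page only states in prose: the issuer URL must be https, and the OIDC discovery document must be reachable from the Trust Domain Server's network path.

```shell
#!/bin/sh
# Added example (not from the page): build and apply the AgentAttestation
# policy for Kubernetes Service Account Token attestation.
set -eu

# Render the policy YAML with the issuer URL written in at generation time.
# A YAML file does not expand shell variables, so the heredoc does it here.
render_attestation_policy() {
  issuer="$1"
  cat <<EOF
section: AgentAttestation
schema: v1
spec:
  policies:
    - name: k8s_policy
      requiredAttestors:
        - type: k8s_token
          config:
            issuerURL: ${issuer}
EOF
}

# OIDC discovery must run over TLS; reject anything that is not https.
validate_issuer_url() {
  case "$1" in
    https://*) return 0 ;;
    *)         return 1 ;;
  esac
}

# Fetch the discovery document. Run this from a host with the same network
# path as the Trust Domain Server, since that is where reachability matters.
check_oidc_reachable() {
  curl -fsS "${1%/}/.well-known/openid-configuration" >/dev/null
}

main() {
  # CLUSTER_NAME and CLUSTER_ID are placeholders (assumption): the EKS cluster
  # name and the id printed by "spirlctl cluster register".
  cluster_name="${CLUSTER_NAME:?set CLUSTER_NAME to the EKS cluster name}"
  cluster_id="${CLUSTER_ID:?set CLUSTER_ID to the registered cluster id}"

  issuer=$(aws eks describe-cluster --name "$cluster_name" \
             --query "cluster.identity.oidc.issuer" --output text)

  validate_issuer_url "$issuer" || {
    echo "refusing non-https issuer URL: $issuer" >&2
    exit 1
  }
  check_oidc_reachable "$issuer"

  render_attestation_policy "$issuer" > attestation-policy.yaml
  spirlctl config set cluster --id "$cluster_id" attestation-policy.yaml
}

# Only run the full flow when explicitly requested, so the helper functions
# can be sourced and inspected without side effects.
if [ "${RUN_APPLY:-0}" = "1" ]; then
  main
fi
```

Run it as `CLUSTER_NAME=my-eks CLUSTER_ID=c-xxxxxx RUN_APPLY=1 sh apply-policy.sh`; without RUN_APPLY=1 it only defines the functions.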

Cluster Version Key (CVK) attestation

The Defakto Agent can also authenticate using a key pair. The cluster is registered with the following command:

spirlctl cluster register workloads-cl-3 --trust-domain spirl.example.com --platform k8s

Here, workloads-cl-3 is the name of the cluster to register and spirl.example.com is the name of the trust domain. The command produces the following output:

Successfully registered cluster workloads-cl-3 to trust domain spirl.example.com
Cluster Version ID: cv-1r0yfu9yjy
Private Key:
-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEIMkReSwyvhVzOmfwzXzIF3vd4M+BWOZ9ppjj6EFWG8gl
-----END PRIVATE KEY-----

When using CVK authentication, provide the Cluster Version ID and Private Key to the agent Helm chart when deploying the agent in the cluster. Keep the Private Key in a secure location (such as a secrets manager or a Kubernetes Secret) and never commit it to version control.
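A way to handle the registration output without pasting the private key into a values file, as an added example that is not part of the page or the Defakto tooling: parse the Cluster Version ID and PEM block from what spirlctl prints, write the key with owner-only permissions, and load both into a Kubernetes Secret. The Secret name (defakto-agent-cvk), its keys (cluster-version-id, private-key), the NAMESPACE variable, and the assumption that the agent chart can read credentials from a Secret are all assumptions to check against your chart's values.

```shell
#!/bin/sh
# Added example (not from the page): capture CVK credentials from
# "spirlctl cluster register" output and store them as a Kubernetes Secret.
set -eu

# Print the Cluster Version ID from registration output read on stdin.
parse_cluster_version_id() {
  sed -n 's/^Cluster Version ID: *//p' | head -n 1
}

# Print the PEM block (BEGIN and END lines inclusive) from stdin.
parse_private_key() {
  sed -n '/^-----BEGIN PRIVATE KEY-----$/,/^-----END PRIVATE KEY-----$/p'
}

# Write stdin to a file that only the current user can read. The umask is
# set in a subshell so the file is created 0600 from the start rather than
# tightened after a world-readable window.
save_private_key() {
  ( umask 077; cat > "$1" )
  chmod 600 "$1"
}

# Create or update the Secret holding both values. Secret name, key names
# and NAMESPACE are assumptions, not values from the page.
store_cvk_secret() {
  cvid="$1"
  key_file="$2"
  kubectl -n "${NAMESPACE:-defakto}" create secret generic defakto-agent-cvk \
    --from-literal=cluster-version-id="$cvid" \
    --from-file=private-key="$key_file" \
    --dry-run=client -o yaml | kubectl apply -f -
}

main() {
  # Registration output is expected on stdin:
  #   spirlctl cluster register workloads-cl-3 --trust-domain spirl.example.com --platform k8s | RUN_APPLY=1 sh store-cvk.sh
  out=$(cat)
  cvid=$(printf '%s\n' "$out" | parse_cluster_version_id)
  [ -n "$cvid" ] || { echo "no Cluster Version ID found in input" >&2; exit 1; }

  key_file=$(mktemp)
  printf '%s\n' "$out" | parse_private_key | save_private_key "$key_file"
  grep -q 'BEGIN PRIVATE KEY' "$key_file" || { echo "no private key found in input" >&2; rm -f "$key_file"; exit 1; }

  store_cvk_secret "$cvid" "$key_file"
  # The key now lives only in the Secret; remove the temporary file.
  rm -f "$key_file"
}

if [ "${RUN_APPLY:-0}" = "1" ]; then
  main
fi
```

The --dry-run=client -o yaml | kubectl apply -f - form makes the step idempotent, so re-running after a fresh registration replaces the old credentials rather than failing on an existing Secret.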