
Add a Kubernetes Cluster

Before you begin

This step requires:

  • A Kubernetes cluster with cluster admin permissions
  • kubectl configured to access your cluster

If you don't have a Kubernetes cluster, you can create a local cluster using kind:

kind create cluster --name "cluster-1"

Bootstrap the cluster

Run the following command to bootstrap your cluster with Defakto:

./spirlctl cluster add "cluster-1" --trust-domain "example.com" --platform k8s \
--kube-context "$(kubectl config current-context)"

Multiple kubeconfig contexts?

If you have more than one kubeconfig context, spirlctl will prompt you to pick one interactively. Pass --kube-context <name> to skip the prompt, as shown above.

Once complete, the above step will have done the following:

  1. Registered your Kubernetes cluster with Defakto.
  2. Within your cluster, created a new namespace (spirl-system) to run the required Defakto components.
  3. Deployed the following Defakto components:
    • The admission controller, which automatically exposes the Defakto agent to your pods.
    • The CSI Driver, which facilitates injection of the SPIFFE Workload API to your workloads.
    • The Agent, which runs alongside your workloads to grant them SPIFFE SVIDs.

That’s it! Defakto is now running. Any pod you deploy with the label k8s.spirl.com/spiffe-csi: enabled will have a SPIFFE Workload API socket automatically injected, with an X.509-SVID and JWT-SVID made available. To see it in action, continue to deploy a SPIFFE demo app.

Optional: Repeat the above command with a different cluster name and kubectl context to add more Kubernetes clusters to the example.com trust domain.
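
To review which workloads will receive identities through the k8s.spirl.com/spiffe-csi: enabled label described above, the following added example (not Defakto's own code) reads pod JSON in the shape of `kubectl get pods --all-namespaces -o json` and separates pods labelled exactly `enabled` from pods that carry the label key with some other value. The sample pods are constructed, and treating any other value as "not opted in" is an assumption to confirm against the product's behaviour.

```python
import json
import sys

LABEL = "k8s.spirl.com/spiffe-csi"  # label key from the page; opt-in value is "enabled"

# Constructed sample, shaped like `kubectl get pods --all-namespaces -o json`.
SAMPLE = {
    "items": [
        {"metadata": {"name": "api-7d9f", "namespace": "shop",
                      "labels": {"app": "api", LABEL: "enabled"}},
         "spec": {"serviceAccountName": "api"}},
        {"metadata": {"name": "batch-1", "namespace": "shop",
                      "labels": {LABEL: "true"}},
         "spec": {}},
        {"metadata": {"name": "web-5c", "namespace": "default"},
         "spec": {"serviceAccountName": "web"}},
    ]
}


def spiffe_optin_report(pod_list):
    """Return pods labelled exactly `enabled` and, separately, pods that
    carry the label key with any other value (likely a typo to review).
    Each entry is (namespace, pod name, service account, label value)."""
    report = {"enabled": [], "other_value": []}
    for pod in pod_list.get("items", []):
        meta = pod.get("metadata", {})
        labels = meta.get("labels") or {}
        if LABEL not in labels:
            continue  # pod has not asked for a Workload API socket
        value = labels[LABEL]
        entry = (meta.get("namespace", "default"), meta.get("name", "?"),
                 pod.get("spec", {}).get("serviceAccountName", "default"),
                 value)
        bucket = "enabled" if value == "enabled" else "other_value"
        report[bucket].append(entry)
    return report


if __name__ == "__main__":
    # Pipe real data in, or run with no input to use the constructed sample:
    #   kubectl get pods --all-namespaces -o json | python3 this_script.py
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for bucket, pods in spiffe_optin_report(data).items():
        for ns, name, sa, value in pods:
            print(f"{bucket}\t{ns}/{name}\tserviceAccount={sa}\t{LABEL}={value}")
```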