"SPIFFE/SPIRE Workload Identity: Zero-Trust Service Identity for Cloud-Native Systems"
Shared secrets and static certificates collapse under modern cloud volatility: containers churn, nodes are replaced, and trust boundaries blur across clusters and organizations. This book is written for experienced platform, security, and infrastructure engineers who need a rigorous, implementation-ready approach to non-human identity—one that holds up under adversarial threat models, operational failure modes, and real production constraints.
You'll learn SPIFFE as an interoperable identity contract—SPIFFE IDs, trust domains, SVIDs (X.509 and JWT), bundles, and the Workload API—and how to validate, rotate, and distribute trust safely at scale. The book then dives into SPIRE as the control plane: server/agent architecture, trust chains, key hierarchies, and the lifecycle that turns attested nodes into reliable identity issuers. From there it treats the hard parts head-on: node and workload attestation, selector quality, registration entry modeling, policy-as-code workflows, federation across trust domains, and correct service-mesh integration and authorization mapping.
Prerequisites include strong Kubernetes/Linux fundamentals, PKI/TLS literacy, and comfort operating distributed systems. Throughout, you'll get decision frameworks, trade-off criteria, and production playbooks for HA, scaling, incident response, observability, and version-aware operations—so the guidance remains durable as SPIRE evolves.
