SPIRE Controller Manager Deep Dive: Mastering Kubernetes CRDs for Workload Identity

Introduction: The Missing Piece in SPIFFE/SPIRE Documentation#

After deploying SPIFFE/SPIRE on Kubernetes, you might have noticed a glaring gap in the ecosystem: comprehensive documentation for the SPIRE Controller Manager and its Custom Resource Definitions (CRDs). While the official docs provide basic examples, they barely scratch the surface of what’s possible with these powerful Kubernetes-native tools.

In this deep dive, we’ll explore every aspect of the SPIRE Controller Manager, from basic ClusterSPIFFEID resources to advanced federation patterns, templating strategies, and production-grade implementations. This is the guide I wish existed when I first started working with SPIRE CRDs.

Understanding SPIRE Controller Manager Architecture#

Before diving into CRDs, let’s understand how the SPIRE Controller Manager fits into the overall architecture:

1
graph TB
2
    subgraph "Kubernetes Control Plane"
3
        API[Kubernetes API Server]
4
        ETCD[etcd]
5
    end
6

7
    subgraph "SPIRE Control Plane"
8
        CM[SPIRE Controller Manager]
9
        SS[SPIRE Server]
10
        REG[Registration API]
11
    end
12

13
    subgraph "Custom Resources"
14
        CSID[ClusterSPIFFEID]
15
        CFTD[ClusterFederatedTrustDomain]
16
        SID[SPIFFEID<br/>deprecated]
17
    end
18

19
    subgraph "Workloads"
20
        POD1[Pod 1]
21
        POD2[Pod 2]
22
        POD3[Pod 3]
23
    end
24

25
    API --> CM
26
    CM --> SS
27
    SS --> REG
28
    CSID --> CM
29
    CFTD --> CM
30
    SID --> CM
31
    CM -.->|Creates Entries| REG
32
    REG -.->|Issues SVIDs| POD1
33
    REG -.->|Issues SVIDs| POD2
34
    REG -.->|Issues SVIDs| POD3
35

36
    style CM fill:#99ff99
37
    style CSID fill:#ffcc99
38
    style CFTD fill:#ffcc99

Key Components#

SPIRE Controller Manager: A Kubernetes controller that watches for CRD changes and reconciles them with SPIRE Server
ClusterSPIFFEID: Cluster-wide resource for registering workloads
ClusterFederatedTrustDomain: Manages federation relationships
SPIFFEID: Namespace-scoped resource (deprecated but still supported)

Installation and Setup#

First, ensure the SPIRE Controller Manager is properly installed:

1
# Check if controller manager is enabled in your Helm values
2
helm get values spire -n spire-system | grep controllerManager
3

4
# If not enabled, update your values:
5
cat <<EOF > controller-manager-values.yaml
6
spire-server:
7
  controllerManager:
8
    enabled: true
9
    resources:
10
      requests:
11
        cpu: 100m
12
        memory: 128Mi
13
      limits:
14
        cpu: 200m
15
        memory: 256Mi
16

17
    # Important: Controller Manager identity
18
    identities:
19
      clusterSPIFFEIDs:
20
        default:
21
          enabled: true
22

23
    # Configure which CRDs to install
24
    installAndUpgradeCRDs: true
25
    deleteWebhookConfigurationOnDelete: true
26

27
    # Webhook configuration for validation
28
    validatingWebhookConfiguration:
29
      enabled: true
30
EOF
31

32
# Upgrade SPIRE with controller manager enabled
33
helm upgrade spire spiffe/spire \
34
  -n spire-system \
35
  -f controller-manager-values.yaml

Verify the installation:

1
# Check CRDs are installed
2
kubectl get crd | grep spiffe
3

4
# Expected output:
5
# clusterfederatedtrustdomains.spire.spiffe.io
6
# clusterspiffeids.spire.spiffe.io
7
# spiffeids.spire.spiffe.io
8

9
# Check controller manager is running
10
kubectl get pods -n spire-system -l component=controller-manager

ClusterSPIFFEID: The Foundation of Workload Registration#

Basic ClusterSPIFFEID#

Let’s start with a simple example:

1
apiVersion: spire.spiffe.io/v1alpha1
2
kind: ClusterSPIFFEID
3
metadata:
4
  name: basic-workload
5
spec:
6
  # SPIFFE ID template - supports Go templating
7
  spiffeIDTemplate: "spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}"
8

9
  # Select pods by labels
10
  podSelector:
11
    matchLabels:
12
      app: my-app
13

14
  # Workload selectors for SPIRE agent
15
  workloadSelectorTemplates:
16
    - "k8s:ns:{{ .PodMeta.Namespace }}"
17
    - "k8s:sa:{{ .PodSpec.ServiceAccountName }}"

Advanced Templating#

The real power comes from advanced templating. Here’s what’s available:

1
apiVersion: spire.spiffe.io/v1alpha1
2
kind: ClusterSPIFFEID
3
metadata:
4
  name: advanced-templating
5
spec:
6
  # All available template variables
7
  spiffeIDTemplate: |
8
    spiffe://{{ .TrustDomain }}/
9
    region/{{ .PodMeta.Annotations.region | default "us-east-1" }}/
10
    cluster/{{ .PodMeta.Labels.cluster | default "primary" }}/
11
    ns/{{ .PodMeta.Namespace }}/
12
    sa/{{ .PodSpec.ServiceAccountName }}/
13
    pod/{{ .PodMeta.Name }}/
14
    node/{{ .PodSpec.NodeName }}
15

16
  # Complex pod selection
17
  podSelector:
18
    matchExpressions:
19
      - key: environment
20
        operator: In
21
        values: ["production", "staging"]
22
      - key: security-scan
23
        operator: NotIn
24
        values: ["failed"]
25

26
  # Namespace selection
27
  namespaceSelector:
28
    matchLabels:
29
      team: platform
30
    matchExpressions:
31
      - key: compliance
32
        operator: Exists
33

34
  # Advanced workload selectors
35
  workloadSelectorTemplates:
36
    - "k8s:ns:{{ .PodMeta.Namespace }}"
37
    - "k8s:sa:{{ .PodSpec.ServiceAccountName }}"
38
    - "k8s:pod-label:app:{{ .PodMeta.Labels.app }}"
39
    - "k8s:pod-label:version:{{ .PodMeta.Labels.version }}"
40
    {{- if .PodMeta.Labels.region }}
41
    - "k8s:pod-label:region:{{ .PodMeta.Labels.region }}"
42
    {{- end }}
43

44
  # DNS names for the certificate
45
  dnsNameTemplates:
46
    - "{{ .PodMeta.Name }}.{{ .PodMeta.Namespace }}.svc.cluster.local"
47
    - "{{ .PodMeta.Name }}.{{ .PodMeta.Namespace }}.svc"
48
    - "{{ .PodMeta.Name }}.{{ .PodMeta.Namespace }}"
49
    {{- range .PodSpec.Containers }}
50
    {{- range .Ports }}
51
    - "{{ $.PodMeta.Name }}-{{ .ContainerPort }}.{{ $.PodMeta.Namespace }}.svc.cluster.local"
52
    {{- end }}
53
    {{- end }}
54

55
  # TTL for the SVID (in seconds)
56
  ttl: 3600
57

58
  # JWT SVID TTL (optional, different from X.509)
59
  jwtSvidTTL: 300
60

61
  # Federation
62
  federatesWith:
63
    - "partner.example.com"
64
    - "cloud.example.com"
65

66
  # Admin flag - grants access to SPIRE Server API
67
  admin: false
68

69
  # Downstream flag - for nested SPIRE deployments
70
  downstream: false
71

72
  # Entry expiry time (Unix timestamp)
73
  # entryExpiry: 1735689600

Template Functions and Advanced Logic#

SPIRE Controller Manager supports Go template functions:

1
apiVersion: spire.spiffe.io/v1alpha1
2
kind: ClusterSPIFFEID
3
metadata:
4
  name: template-functions
5
spec:
6
  spiffeIDTemplate: |
7
    {{- $ns := .PodMeta.Namespace -}}
8
    {{- $sa := .PodSpec.ServiceAccountName -}}
9
    {{- if eq $ns "production" -}}
10
    spiffe://{{ .TrustDomain }}/prod/{{ $sa }}
11
    {{- else if eq $ns "staging" -}}
12
    spiffe://{{ .TrustDomain }}/staging/{{ $sa }}
13
    {{- else -}}
14
    spiffe://{{ .TrustDomain }}/dev/{{ $ns }}/{{ $sa }}
15
    {{- end -}}
16

17
  # Using default values
18
  dnsNameTemplates:
19
    - "{{ .PodMeta.Labels.service | default .PodMeta.Name }}.{{ .PodMeta.Namespace }}.svc.cluster.local"
20

21
  # String manipulation
22
  workloadSelectorTemplates:
23
    - "k8s:ns:{{ .PodMeta.Namespace }}"
24
    - "k8s:sa:{{ .PodSpec.ServiceAccountName }}"
25
    # Convert to uppercase
26
    - "k8s:env:{{ .PodMeta.Labels.environment | upper }}"
27
    # Replace characters
28
    - 'k8s:app:{{ .PodMeta.Labels.app | replace "-" "_" }}'

Real-World Use Cases#

1. Multi-Tenant SaaS Platform#

1
apiVersion: spire.spiffe.io/v1alpha1
2
kind: ClusterSPIFFEID
3
metadata:
4
  name: saas-tenant-workloads
5
spec:
6
  # Include tenant ID in SPIFFE ID
7
  spiffeIDTemplate: |
8
    spiffe://{{ .TrustDomain }}/
9
    tenant/{{ required "Missing tenant label" .PodMeta.Labels.tenant }}/
10
    service/{{ required "Missing service label" .PodMeta.Labels.service }}/
11
    version/{{ .PodMeta.Labels.version | default "v1" }}
12

13
  # Only pods with tenant label
14
  podSelector:
15
    matchExpressions:
16
      - key: tenant
17
        operator: Exists
18
      - key: service
19
        operator: Exists
20

21
  namespaceSelector:
22
    matchLabels:
23
      purpose: tenant-workloads
24

25
  workloadSelectorTemplates:
26
    - "k8s:ns:{{ .PodMeta.Namespace }}"
27
    - "k8s:sa:{{ .PodSpec.ServiceAccountName }}"
28
    - "k8s:tenant:{{ .PodMeta.Labels.tenant }}"
29
    - "k8s:service:{{ .PodMeta.Labels.service }}"
30

31
  # Tenant-specific DNS names
32
  dnsNameTemplates:
33
    - "{{ .PodMeta.Labels.service }}.{{ .PodMeta.Labels.tenant }}.{{ .PodMeta.Namespace }}.svc.cluster.local"
34
    - "{{ .PodMeta.Labels.service }}.{{ .PodMeta.Labels.tenant }}.internal"
35

36
  # Federate with customer environments
37
  federatesWith:
38
    - "customer1.example.com"
39
    - "customer2.example.com"

2. Microservices with Versioning#

1
apiVersion: spire.spiffe.io/v1alpha1
2
kind: ClusterSPIFFEID
3
metadata:
4
  name: versioned-microservices
5
spec:
6
  spiffeIDTemplate: |
7
    {{- $service := required "service label required" .PodMeta.Labels.service -}}
8
    {{- $version := required "version label required" .PodMeta.Labels.version -}}
9
    {{- $env := .PodMeta.Namespace -}}
10
    spiffe://{{ .TrustDomain }}/env/{{ $env }}/svc/{{ $service }}/{{ $version }}
11

12
  podSelector:
13
    matchExpressions:
14
      - key: service
15
        operator: Exists
16
      - key: version
17
        operator: Exists
18
      - key: canary
19
        operator: DoesNotExist  # Exclude canary deployments
20

21
  workloadSelectorTemplates:
22
    - "k8s:ns:{{ .PodMeta.Namespace }}"
23
    - "k8s:service:{{ .PodMeta.Labels.service }}"
24
    - "k8s:version:{{ .PodMeta.Labels.version }}"
25
    {{- if .PodMeta.Labels.feature }}
26
    - "k8s:feature:{{ .PodMeta.Labels.feature }}"
27
    {{- end }}
28

29
  # Version-specific DNS
30
  dnsNameTemplates:
31
    - "{{ .PodMeta.Labels.service }}-{{ .PodMeta.Labels.version }}.{{ .PodMeta.Namespace }}.svc.cluster.local"
32
    - "{{ .PodMeta.Labels.service }}.{{ .PodMeta.Namespace }}.svc.cluster.local"  # Also respond to non-versioned

3. Database Workloads with Special Permissions#

1
apiVersion: spire.spiffe.io/v1alpha1
2
kind: ClusterSPIFFEID
3
metadata:
4
  name: database-workloads
5
spec:
6
  spiffeIDTemplate: |
7
    spiffe://{{ .TrustDomain }}/db/{{ .PodMeta.Labels.database }}/{{ .PodMeta.Labels.role | default "replica" }}
8

9
  podSelector:
10
    matchLabels:
11
      component: database
12

13
  workloadSelectorTemplates:
14
    - "k8s:ns:{{ .PodMeta.Namespace }}"
15
    - "k8s:sa:{{ .PodSpec.ServiceAccountName }}"
16
    - "k8s:statefulset:{{ .PodMeta.OwnerReferences[0].Name }}"
17

18
  # Longer TTL for stable database workloads
19
  ttl: 86400 # 24 hours
20

21
  # Admin access for primary database
22
  admin: |
23
    {{- if eq (.PodMeta.Labels.role | default "replica") "primary" -}}
24
    true
25
    {{- else -}}
26
    false
27
    {{- end -}}

ClusterFederatedTrustDomain: Managing Federation#

Federation allows workloads from different trust domains to authenticate with each other:

1
apiVersion: spire.spiffe.io/v1alpha1
2
kind: ClusterFederatedTrustDomain
3
metadata:
4
  name: partner-federation
5
spec:
6
  # The trust domain to federate with
7
  trustDomain: "partner.example.com"
8

9
  # Bundle endpoint URL of the foreign trust domain
10
  bundleEndpointURL: "https://spire-bundle.partner.example.com:8443"
11

12
  # How to authenticate to the bundle endpoint
13
  bundleEndpointProfile:
14
    # Option 1: Web PKI (HTTPS)
15
    type: "https_web"
16

17
    # Option 2: SPIFFE authentication
18
    # type: "https_spiffe"
19
    # endpointSPIFFEID: "spiffe://partner.example.com/spire/server"
20

21
  # Trust domain bundle (optional - for bootstrap)
22
  # trustDomainBundle: |
23
  #   -----BEGIN CERTIFICATE-----
24
  #   ...
25
  #   -----END CERTIFICATE-----

Advanced Federation Scenarios#

Multi-Cloud Federation#

1
# AWS Federation
2
apiVersion: spire.spiffe.io/v1alpha1
3
kind: ClusterFederatedTrustDomain
4
metadata:
5
  name: aws-federation
6
spec:
7
  trustDomain: "aws.company.com"
8
  bundleEndpointURL: "https://spire.us-east-1.aws.company.com:8443"
9
  bundleEndpointProfile:
10
    type: "https_web"
11
---
12
# GCP Federation
13
apiVersion: spire.spiffe.io/v1alpha1
14
kind: ClusterFederatedTrustDomain
15
metadata:
16
  name: gcp-federation
17
spec:
18
  trustDomain: "gcp.company.com"
19
  bundleEndpointURL: "https://spire.us-central1.gcp.company.com:8443"
20
  bundleEndpointProfile:
21
    type: "https_spiffe"
22
    endpointSPIFFEID: "spiffe://gcp.company.com/spire/server"
23
---
24
# On-Premises Federation
25
apiVersion: spire.spiffe.io/v1alpha1
26
kind: ClusterFederatedTrustDomain
27
metadata:
28
  name: onprem-federation
29
spec:
30
  trustDomain: "onprem.company.com"
31
  bundleEndpointURL: "https://spire.datacenter.company.com:8443"
32
  bundleEndpointProfile:
33
    type: "https_web"

Partner Ecosystem Federation#

1
# Customer federation with bootstrap bundle
2
apiVersion: spire.spiffe.io/v1alpha1
3
kind: ClusterFederatedTrustDomain
4
metadata:
5
  name: customer-acme-federation
6
spec:
7
  trustDomain: "acme.customer.com"
8
  bundleEndpointURL: "https://spire.acme.customer.com:8443"
9
  bundleEndpointProfile:
10
    type: "https_spiffe"
11
    endpointSPIFFEID: "spiffe://acme.customer.com/spire/server"
12
  # Bootstrap bundle for initial trust
13
  trustDomainBundle: |
14
    -----BEGIN CERTIFICATE-----
15
    MIIDQTCCAimgAwIBAgIUAAAAAAAAAAAAAAAAAAAAAIwDQYJKoZIhvcNAQEL
16
    ... (customer root CA cert) ...
17
    -----END CERTIFICATE-----

Production Patterns and Best Practices#

1. Hierarchical SPIFFE ID Structure#

1
apiVersion: spire.spiffe.io/v1alpha1
2
kind: ClusterSPIFFEID
3
metadata:
4
  name: hierarchical-structure
5
spec:
6
  spiffeIDTemplate: |
7
    {{- $region := .PodMeta.Labels.region | default "global" -}}
8
    {{- $env := .PodMeta.Labels.environment | default "dev" -}}
9
    {{- $team := .PodMeta.Labels.team | default "platform" -}}
10
    {{- $service := required "service label required" .PodMeta.Labels.service -}}
11
    spiffe://{{ .TrustDomain }}/{{ $region }}/{{ $env }}/{{ $team }}/{{ $service }}

2. Canary Deployments#

1
# Separate registration for canary workloads
2
apiVersion: spire.spiffe.io/v1alpha1
3
kind: ClusterSPIFFEID
4
metadata:
5
  name: canary-workloads
6
spec:
7
  spiffeIDTemplate: |
8
    spiffe://{{ .TrustDomain }}/canary/{{ .PodMeta.Labels.service }}/{{ .PodMeta.Labels.version }}
9

10
  podSelector:
11
    matchLabels:
12
      deployment: canary
13

14
  # Shorter TTL for canary deployments
15
  ttl: 900 # 15 minutes
16

17
  # Different workload selectors for monitoring
18
  workloadSelectorTemplates:
19
    - "k8s:deployment:canary"
20
    - "k8s:service:{{ .PodMeta.Labels.service }}"
21
    - "k8s:version:{{ .PodMeta.Labels.version }}"

3. Emergency Access Patterns#

1
apiVersion: spire.spiffe.io/v1alpha1
2
kind: ClusterSPIFFEID
3
metadata:
4
  name: emergency-access
5
spec:
6
  spiffeIDTemplate: |
7
    spiffe://{{ .TrustDomain }}/emergency/{{ .PodSpec.ServiceAccountName }}
8

9
  podSelector:
10
    matchLabels:
11
      access-level: emergency
12

13
  # Very short TTL
14
  ttl: 300 # 5 minutes
15

16
  # Admin access for emergency pods
17
  admin: true
18

19
  # Specific namespace only
20
  namespaceSelector:
21
    matchNames:
22
      - emergency-access

Debugging and Troubleshooting#

Common Issues and Solutions#

1. Templates Not Rendering#

1
# Check controller manager logs
2
kubectl logs -n spire-system -l component=controller-manager
3

4
# Common template errors:
5
# - Missing required fields
6
# - Invalid template syntax
7
# - Nil pointer references
8

9
# Debug template rendering
10
kubectl get clusterspiffeid <name> -o yaml | kubectl neat

2. Workloads Not Getting Identities#

1
# Check if entries are created in SPIRE
2
kubectl exec -n spire-system spire-server-0 -c spire-server -- \
3
  /opt/spire/bin/spire-server entry list -selector k8s:ns:default
4

5
# Check pod labels match selector
6
kubectl get pod <pod-name> --show-labels
7

8
# Verify namespace labels
9
kubectl get ns <namespace> --show-labels

3. Federation Not Working#

1
# Check federation status
2
kubectl get clusterfederatedtrustdomain -o wide
3

4
# Verify bundle endpoint connectivity
5
kubectl exec -n spire-system spire-server-0 -c spire-server -- \
6
  curl -v https://<bundle-endpoint>:8443
7

8
# Check SPIRE server logs for federation errors
9
kubectl logs -n spire-system spire-server-0 -c spire-server | grep federation

Validation Webhook Issues#

The controller manager includes a validating webhook that can block invalid resources:

1
# Temporarily disable webhook for debugging
2
apiVersion: v1
3
kind: ValidatingWebhookConfiguration
4
metadata:
5
  name: spire-controller-manager-webhook
6
webhooks:
7
  - name: clusterspiffeid.spire.spiffe.io
8
    failurePolicy: Ignore # Change from Fail to Ignore

Advanced Controller Manager Configuration#

Custom Controller Settings#

1
apiVersion: v1
2
kind: ConfigMap
3
metadata:
4
  name: spire-controller-manager-config
5
  namespace: spire-system
6
data:
7
  controller-manager-config.yaml: |
8
    apiVersion: spire.spiffe.io/v1alpha1
9
    kind: ControllerManagerConfig
10

11
    # Reconciliation settings
12
    reconcileInterval: 30s
13

14
    # Leader election
15
    leaderElection:
16
      enabled: true
17
      namespace: spire-system
18

19
    # Metrics
20
    metrics:
21
      bindAddress: ":8080"
22

23
    # Health probes
24
    health:
25
      healthProbeBindAddress: ":8081"
26

27
    # Webhook settings
28
    webhook:
29
      port: 9443
30

31
    # Ignore certain namespaces
32
    ignoreNamespaces:
33
      - kube-system
34
      - kube-public
35
      - kube-node-lease

Performance Tuning#

1
# For large clusters with many ClusterSPIFFEIDs
2
apiVersion: spire.spiffe.io/v1alpha1
3
kind: ClusterSPIFFEID
4
metadata:
5
  name: performance-optimized
6
  annotations:
7
    # Reduce reconciliation frequency
8
    spiffe.io/reconcile-interval: "5m"
9
spec:
10
  # Use specific selectors to reduce watch overhead
11
  podSelector:
12
    matchLabels:
13
      spiffe-managed: "true"
14

15
  # Limit namespace scope
16
  namespaceSelector:
17
    matchExpressions:
18
      - key: name
19
        operator: NotIn
20
        values: ["kube-system", "kube-public"]

Integration with GitOps#

ArgoCD Integration#

1
# Application definition for SPIFFE IDs
2
apiVersion: argoproj.io/v1alpha1
3
kind: Application
4
metadata:
5
  name: spiffe-identities
6
  namespace: argocd
7
spec:
8
  source:
9
    repoURL: https://github.com/company/spiffe-config
10
    path: identities/
11
    targetRevision: main
12
  destination:
13
    server: https://kubernetes.default.svc
14
  syncPolicy:
15
    automated:
16
      prune: true
17
      selfHeal: true
18
    syncOptions:
19
      # Important: ServerSideApply for CRDs
20
      - ServerSideApply=true

Flux Integration#

1
apiVersion: kustomize.toolkit.fluxcd.io/v1
2
kind: Kustomization
3
metadata:
4
  name: spiffe-identities
5
  namespace: flux-system
6
spec:
7
  interval: 5m
8
  path: ./clusters/production/spiffe
9
  prune: true
10
  sourceRef:
11
    kind: GitRepository
12
    name: flux-system
13
  # Ensure CRDs are applied first
14
  dependsOn:
15
    - name: spire-crds

Security Considerations#

RBAC for ClusterSPIFFEID Management#

1
# Role for managing ClusterSPIFFEIDs
2
apiVersion: rbac.authorization.k8s.io/v1
3
kind: ClusterRole
4
metadata:
5
  name: spiffeid-manager
6
rules:
7
  - apiGroups: ["spire.spiffe.io"]
8
    resources: ["clusterspiffeids"]
9
    verbs: ["get", "list", "watch", "create", "update", "patch"]
10
  - apiGroups: ["spire.spiffe.io"]
11
    resources: ["clusterfederatedtrustdomains"]
12
    verbs: ["get", "list", "watch"]
13
---
14
# Restrict who can create admin ClusterSPIFFEIDs
15
apiVersion: rbac.authorization.k8s.io/v1
16
kind: ClusterRole
17
metadata:
18
  name: spiffeid-admin-manager
19
rules:
20
  - apiGroups: ["spire.spiffe.io"]
21
    resources: ["clusterspiffeids"]
22
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
23
    # Note: No resource-level restrictions on admin field

Policy Enforcement with OPA#

1
# policy.rego - Enforce ClusterSPIFFEID policies
2
package spiffe.clusterspiffeid
3

4
import future.keywords.contains
5
import future.keywords.if
6

7
# Deny admin ClusterSPIFFEIDs in non-admin namespaces
8
deny[msg] {
9
    input.request.kind.kind == "ClusterSPIFFEID"
10
    input.request.object.spec.admin == true
11
    not input.request.object.spec.namespaceSelector.matchNames[_] == "spire-admin"
12
    msg := "Admin ClusterSPIFFEIDs must target only spire-admin namespace"
13
}
14

15
# Enforce naming conventions
16
deny[msg] {
17
    input.request.kind.kind == "ClusterSPIFFEID"
18
    not regex.match("^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", input.request.object.metadata.name)
19
    msg := "ClusterSPIFFEID names must follow DNS subdomain format"
20
}
21

22
# Limit TTL values
23
deny[msg] {
24
    input.request.kind.kind == "ClusterSPIFFEID"
25
    input.request.object.spec.ttl > 86400  # 24 hours
26
    msg := "TTL cannot exceed 24 hours"
27
}

Monitoring and Observability#

Metrics for ClusterSPIFFEIDs#

1
# ServiceMonitor for controller manager metrics
2
apiVersion: monitoring.coreos.com/v1
3
kind: ServiceMonitor
4
metadata:
5
  name: spire-controller-manager
6
  namespace: spire-system
7
spec:
8
  selector:
9
    matchLabels:
10
      app: spire-controller-manager
11
  endpoints:
12
    - port: metrics
13
      interval: 30s
14
      path: /metrics

Useful Metrics to Track#

1
# Number of ClusterSPIFFEIDs
2
count(kube_customresource_clusterspiffeid_info)
3

4
# Failed reconciliations
5
rate(controller_runtime_reconcile_errors_total{controller="clusterspiffeid"}[5m])
6

7
# Reconciliation duration
8
histogram_quantile(0.99,
9
  rate(controller_runtime_reconcile_duration_seconds_bucket{controller="clusterspiffeid"}[5m])
10
)
11

12
# Webhook rejection rate
13
rate(controller_runtime_webhook_rejections_total[5m])

Migration Strategies#

From Manual Entry Registration to CRDs#

1
#!/bin/bash
2
# Export existing entries
3
kubectl exec -n spire-system spire-server-0 -c spire-server -- \
4
  /opt/spire/bin/spire-server entry list -format json > entries.json
5

6
# Convert to ClusterSPIFFEID format
7
cat entries.json | jq -r '.entries[] |
8
{
9
  apiVersion: "spire.spiffe.io/v1alpha1",
10
  kind: "ClusterSPIFFEID",
11
  metadata: {
12
    name: ("imported-" + .id)
13
  },
14
  spec: {
15
    spiffeIDTemplate: .spiffe_id,
16
    workloadSelectorTemplates: [.selectors[].value],
17
    ttl: .ttl
18
  }
19
}' > imported-entries.yaml

From SPIFFEID to ClusterSPIFFEID#

1
# Before: Namespace-scoped SPIFFEID
2
apiVersion: spire.spiffe.io/v1alpha1
3
kind: SPIFFEID
4
metadata:
5
  name: old-workload
6
  namespace: default
7
spec:
8
  spiffeId: "spiffe://example.org/ns/default/sa/my-service"
9
  parentId: "spiffe://example.org/node/example"
10
  selector:
11
    namespace: default
12
    serviceAccount: my-service
13
---
14
# After: Cluster-scoped ClusterSPIFFEID
15
apiVersion: spire.spiffe.io/v1alpha1
16
kind: ClusterSPIFFEID
17
metadata:
18
  name: new-workload
19
spec:
20
  spiffeIDTemplate: "spiffe://{{ .TrustDomain }}/ns/{{ .PodMeta.Namespace }}/sa/{{ .PodSpec.ServiceAccountName }}"
21
  namespaceSelector:
22
    matchNames: ["default"]
23
  podSelector:
24
    matchLabels:
25
      serviceAccount: my-service
26
  workloadSelectorTemplates:
27
    - "k8s:ns:{{ .PodMeta.Namespace }}"
28
    - "k8s:sa:{{ .PodSpec.ServiceAccountName }}"

Future-Proofing Your Implementation#

Upcoming Features and Preparation#

1
# Prepare for future features
2
apiVersion: spire.spiffe.io/v1alpha1
3
kind: ClusterSPIFFEID
4
metadata:
5
  name: future-ready
6
  annotations:
7
    # Future: Automatic rotation policies
8
    spiffe.io/rotation-policy: "auto"
9
    # Future: Priority classes
10
    spiffe.io/priority-class: "critical"
11
    # Future: Topology awareness
12
    spiffe.io/topology-key: "topology.kubernetes.io/zone"
13
spec:
14
  spiffeIDTemplate: "spiffe://{{ .TrustDomain }}/workload/{{ .PodMeta.UID }}"
15

16
  # Future: Conditional federation
17
  # federatesWithTemplate:
18
  #   - "{{ if eq .PodMeta.Labels.external \"true\" }}partner.com{{ end }}"
19

20
  # Future: Dynamic TTL based on workload
21
  # ttlTemplate: "{{ if eq .PodMeta.Labels.critical \"true\" }}3600{{ else }}7200{{ end }}"

Conclusion#

The SPIRE Controller Manager and its CRDs transform SPIFFE/SPIRE from a powerful but manual system into a truly Kubernetes-native identity platform. By mastering ClusterSPIFFEID and ClusterFederatedTrustDomain resources, you can:

✅ Automate workload registration at scale
✅ Implement complex identity hierarchies
✅ Manage multi-cloud federation declaratively
✅ Integrate with GitOps workflows
✅ Build production-grade zero-trust architectures

This deep dive has covered everything from basic usage to advanced patterns, but the real power comes from applying these concepts to your specific use cases. Start simple with basic ClusterSPIFFEID resources, then gradually add complexity as your understanding and requirements grow.

In the next post, we’ll explore how to implement end-to-end mTLS between pods using these identities, including integration with service meshes and advanced traffic policies based on SPIFFE IDs.

Additional Resources#

Found an issue or have a question? The SPIRE Controller Manager is actively developed, and the community is very responsive to feedback and feature requests.