Zero trust workload identity manager now available in tech preview
Non-human identities—also known as machine or workload identities—are becoming increasingly critical as organizations adopt cloud-native ecosystems and advanced AI workflows. For workloads spanning multiple cloud platforms, adhering to zero trust principles becomes challenging as they cross identity domains. A unified identity framework provides consistency in automating identity issuance and enforcing access control policies across diverse environments. SPIFFE/SPIRE, an open source identity issuance framework, enables organizations to implement centralized, scalable identity management on par with cloud platforms. This article will introduce the zero trust workload identity manager, an operator designed to bring SPIFFE/SPIRE capabilities to Red Hat OpenShift, empowering customers with security capabilities to manage workload identities across various cloud infrastructures.
**Solving the “bottom turtle” problem**
The Secure Production Identity Framework for Everyone (SPIFFE) and SPIRE projects, part of the Cloud Native Computing Foundation (CNCF), were born out of a vision by Kubernetes co-founder Joe Beda to standardize how software components are identified—enabling security-focused, consistent identity across distributed systems, regardless of environment or location. SPIFFE provides the framework for issuing and managing identities through cryptographically verifiable documents called SVIDs, with SPIFFE IDs embedded in X.509 certificates or JSON Web Tokens (JWTs). SPIRE, the SPIFFE Runtime Environment, implements SPIFFE for strong machine identities and addresses the ‘secret zero’ or ‘bottom turtle’ problem of establishing a foundational source of trust upon which all other identities and credentials rely.
By taking advantage of kernel-level introspection, SPIRE gathers reliable information about the calling workload without requiring it to present credentials, thereby bootstrapping trust in a security-focused and scalable manner. It issues identities using X.509 certificates and JWTs, ensuring broad compatibility with existing infrastructure. This approach eliminates the legacy model of binding workload identity to network location—a method insufficient for today’s dynamic, cloud-native ecosystems.
**Unified Identity Management Framework**
SPIFFE/SPIRE federation binds trust across different cloud topologies, such as separate clusters, datacenters or cloud providers, allowing services in those environments to communicate with enhanced security capabilities. Federation is achieved through the exchange of trust bundles, which contain the certificates and public keys needed to validate identities. SPIRE supports both static and dynamic federation configurations: static federation is configured in the spire-server.conf file, while dynamic federation uses the Trust Domain API. Additionally, a SPIRE server can serve as a SPIFFE bundle endpoint from which other SPIRE servers fetch its trust bundle. This federation capability facilitates secure communication across diverse environments without sharing secrets or private keys.
SPIRE’s OpenID Connect (OIDC) federation capability allows workloads to authenticate to external systems using short-lived OIDC credentials. This is achieved through an OIDC Discovery Provider, which exposes metadata and public keys that external services can use to verify JWT-SVIDs issued by SPIRE. By adopting this model, organizations can extend their identity trust to providers like Microsoft Entra ID, HashiCorp Vault, Red Hat build of Keycloak and other OIDC-compliant systems. This approach simplifies identity federation and enhances security by relying on short-lived, cryptographically verifiable credentials rather than static API keys or other static credentials.
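Seen from a relying party, the two paragraphs above come down to one question: which trust bundle may verify a given SVID? This added example (not the article’s or SPIRE’s own code) parses a SPIFFE ID, picks the local or federated bundle for its trust domain, and applies the subject, audience and expiry checks a JWT-SVID consumer makes after verifying the signature with keys from the OIDC Discovery Provider; bundle values and claims are constructed placeholders.

```python
"""Trust-domain checks a relying party makes before trusting a peer SVID.
Added example, not code from the article or from SPIRE. Bundle values are
constructed placeholders for the CA certificates or JWKS keys fetched from a
federated domain's bundle endpoint or OIDC discovery provider."""
import re
import time
from urllib.parse import urlsplit

_TD_RE = re.compile(r"^[a-z0-9._-]+$")      # trust domain: lowercase host, no port/userinfo
_SEG_RE = re.compile(r"^[A-Za-z0-9._-]+$")  # characters allowed in a path segment

def parse_spiffe_id(spiffe_id):
    """Return (trust_domain, path), rejecting IDs the SPIFFE ID spec does not allow."""
    u = urlsplit(spiffe_id)
    if u.scheme != "spiffe" or u.query or u.fragment:
        raise ValueError("SPIFFE ID must be spiffe://<trust-domain>/<path>")
    if not u.netloc or not _TD_RE.match(u.netloc):
        raise ValueError(f"invalid trust domain {u.netloc!r}")
    for seg in u.path.split("/")[1:]:       # an empty path names the trust domain itself
        if not _SEG_RE.match(seg) or seg in (".", ".."):
            raise ValueError(f"invalid path segment {seg!r}")
    return u.netloc, u.path

def select_bundle(peer_id, local_td, local_bundle, federated):
    """Bundle that may verify peer_id: the local one, or one obtained via federation."""
    td, _ = parse_spiffe_id(peer_id)
    if td == local_td:
        return local_bundle
    if td in federated:
        return federated[td]
    raise ValueError(f"trust domain {td!r} is not federated with {local_td!r}")

def check_jwt_svid_claims(claims, audience, local_td, federated, now=None):
    """Claim checks for a JWT-SVID whose signature was already verified with keys
    from the issuing domain's OIDC discovery provider; returns the subject ID."""
    now = time.time() if now is None else now
    td, _ = parse_spiffe_id(claims.get("sub", ""))
    if td != local_td and td not in federated:
        raise ValueError(f"subject trust domain {td!r} is not trusted")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if audience not in aud:                 # token minted for another service
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("JWT-SVID expired")
    return claims["sub"]
```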
**MFA for machine authentication**
Attestation is SPIRE’s primary differentiator. Unlike OIDC tokens or mTLS certificates, which are often issued without verifying the workload, SPIRE performs both node and workload attestation before issuing identities—strengthening multifactor authentication. Node attestation verifies the identity of the system running the SPIRE Agent using platform-specific data, such as cloud instance metadata or Kubernetes Service Account tokens. Once verified, the SPIRE server provides the agent with a signing certificate. Workload attestation then checks the identity of applications using attributes such as process or container metadata. If validated, the agent issues an identity for the workload. This layered attestation approach supports a zero trust model and security-focused service communication. With its flexible architecture, SPIRE can adapt to diverse environments, with attestation sources and selectors configured through the agent and server settings. For more information, see SPIRE concepts.
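The two attestation layers can be made concrete as the matching rule that decides which registration entries a workload receives: the attested agent fixes the parent ID, and the workload attestor’s selectors must cover every selector on the entry. This is an added example, not the article’s or SPIRE’s own code; the agent IDs, entries and pods are constructed sample data in the k8s_psat and k8s attestor naming style.

```python
"""Layered attestation, modelled: which registration entries a workload receives.
Added example, not code from the article or from SPIRE. Node attestation is
taken as already done (AGENT_ID is the constructed ID of a k8s_psat-attested
agent); selectors follow the k8s workload attestor's type:key:value form, but
the pods and entries below are constructed sample data."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    spiffe_id: str
    parent_id: str        # agent that may issue this entry
    selectors: frozenset  # all of these must be attested for the workload

TRUST_DOMAIN = "example.org"
AGENT_ID = f"spiffe://{TRUST_DOMAIN}/spire/agent/k8s_psat/demo-cluster/node-a"  # constructed
OTHER_AGENT_ID = f"spiffe://{TRUST_DOMAIN}/spire/agent/k8s_psat/demo-cluster/node-b"

ENTRIES = [
    Entry(f"spiffe://{TRUST_DOMAIN}/ns/payments/sa/api", AGENT_ID,
          frozenset({"k8s:ns:payments", "k8s:sa:api"})),
    # Issued only by node-b's agent: a pod on node-a with these selectors gets nothing.
    Entry(f"spiffe://{TRUST_DOMAIN}/ns/payments/sa/worker", OTHER_AGENT_ID,
          frozenset({"k8s:ns:payments", "k8s:sa:worker"})),
    Entry(f"spiffe://{TRUST_DOMAIN}/ns/payments/app/ledger", AGENT_ID,
          frozenset({"k8s:ns:payments", "k8s:pod-label:app:ledger"})),
]

def k8s_selectors(pod):
    """Selectors the k8s workload attestor derives from the calling container's pod (subset)."""
    sels = {f"k8s:ns:{pod['namespace']}", f"k8s:sa:{pod['service_account']}",
            f"k8s:pod-name:{pod['name']}", f"k8s:container-name:{pod['container']}"}
    sels.update(f"k8s:pod-label:{k}:{v}" for k, v in pod.get("labels", {}).items())
    return frozenset(sels)

def match_entries(entries, agent_id, workload_selectors):
    """Entries issued for this workload: parent must be the attested agent and every
    entry selector must be among the attested ones (extra attested selectors are fine)."""
    return sorted(e.spiffe_id for e in entries
                  if e.parent_id == agent_id and e.selectors <= workload_selectors)

# Constructed pods: one user workload and one platform component with no entry.
LEDGER_POD = {"namespace": "payments", "service_account": "api", "name": "ledger-7f9",
              "container": "app", "labels": {"app": "ledger"}}
MONITORING_POD = {"namespace": "openshift-monitoring", "service_account": "prometheus-k8s",
                  "name": "prometheus-k8s-0", "container": "prometheus", "labels": {}}
```

A platform pod such as MONITORING_POD receives no identity simply because no entry covers its selectors, which is the effect the controller manager’s filtering of system workloads aims for.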
**Benefits of using SPIRE on Red Hat OpenShift with Red Hat’s zero trust workload identity operator**
The zero trust workload identity manager operator delivers enterprise-grade SPIFFE/SPIRE integration for Red Hat OpenShift. Over the past year, we’ve worked closely with customers to understand their workload identity needs and deliver a solution tailored for production environments. We’ve provided in-depth insights into deploying and operating SPIRE on Red Hat OpenShift through blogs, tutorials and conferences. Recently, our talk on using SPIRE for agentic AI workloads at the Workload Identity Day Zero event during KubeCon London 2025 received positive feedback.
Zero trust workload identity manager is a Day 2 operator for Red Hat OpenShift and can be installed on existing clusters. Key capabilities include:
- Simplified installation and lifecycle management
- SPIFFE CSI Driver, enabling streamlined secret injection into workloads
- SPIRE Server with OIDC Discovery, allowing integration with OIDC-compatible services
- SPIRE Controller Manager plug-in, providing automated workload registration for user-defined applications while filtering out control plane and system workloads
- End-to-end validation on Red Hat OpenShift, supported by comprehensive documentation for installation and troubleshooting
- SPIRE Agent and Server Metrics that can be sent to Prometheus
Contact Red Hat to tailor the zero trust workload identity manager operator for your unique deployment needs and enterprise use cases and support multifactor authentication for workloads.