
Concepts

This page summarises the key concepts and API resources associated with the Cofide Connect platform. A more general overview of SPIFFE workload identity concepts can be found here.

A trust zone represents a single cluster or collection of clusters within a single trust boundary. Each trust zone is a single SPIFFE trust domain, so every SVID issued in a trust zone carries that trust domain as the root of its SPIFFE ID (spiffe://<trust-domain>/<path>), and a zone's identities are only verifiable by parties that hold the zone's trust bundle. Each trust zone will have at least one Cofide SPIRE Server deployed in at least one cluster.

A cluster is a single Kubernetes cluster onboarded onto Connect.

Attestation is the process by which a workload identity system verifies the identity of a node or workload before issuing it an SVID. Cofide SPIRE supports the full range of upstream OSS SPIRE attestation plugins and also provides improved support for TPM-based node attestation. Read more about these methods here.

Attestation happens at two levels:

  • Node attestation verifies the identity of the host or node on which the Cofide SPIRE Agent is running.
  • Workload attestation verifies the identity of a process, container, or unit of software running on an already-attested node.

Read more about node attestation and workload attestation in the SPIRE documentation.

Attestation policies map identities to workloads by specifying the attributes (selectors) a workload must be attested to carry before an identity is issued. A policy is defined once and then bound to one or more trust zones with an attestation policy binding, which allows common policy to be re-used across trust zones; a policy has no effect in a zone it is not bound to.

For more details on the types of attestation policies available in the Connect platform, see the dedicated attestation documentation.

A federation is a trust relationship between two trust zones, which allows workloads in either zone to verify SVIDs issued by the other.

This maintains multiple securely isolated trust zones (each with its own root of trust) while enabling selected workloads to communicate across them. Attestation policies are used in conjunction with federations to select which workloads are allowed to federate: a federation alone makes the remote zone's bundle available, and a policy decides which workloads may use it.
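To make the two preceding ideas concrete (a zone-agnostic policy bound to several trust zones, and a federation that is only usable by workloads whose policy permits it), here is an added, self-contained Go model. It is illustrative code written for this page, not the Cofide Connect API or the Cofide Go SDK: the `Platform`, `AttestationPolicy`, `Binding` and `Federation` types, the `FederatesWith` field, the selector names (`k8s:ns`, `k8s:sa`) and the zone names and trust domains in `samplePlatform` are all assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Illustrative model only (not the Cofide Connect API).
// TrustZone is one trust boundary backed by exactly one SPIFFE trust domain.
type TrustZone struct{ Name, TrustDomain string }

// AttestationPolicy lists the selectors a workload must have attested before an
// identity is issued, and which zones that identity may federate with.
type AttestationPolicy struct {
	Name          string
	Match         map[string]string // required selector type -> value
	Path          string            // path appended to the zone's trust domain
	FederatesWith []string          // zones whose bundles this identity may use
}

type Binding struct{ Policy, Zone string } // binds a policy to a trust zone
type Federation struct{ A, B string }      // undirected trust between two zones

type Platform struct {
	Zones       map[string]TrustZone
	Policies    map[string]AttestationPolicy
	Bindings    []Binding
	Federations []Federation
}

// matches reports whether every selector the policy requires was attested.
func matches(p AttestationPolicy, attested map[string]string) bool {
	for k, want := range p.Match {
		if got, ok := attested[k]; !ok || got != want {
			return false
		}
	}
	return true
}

// Issue returns, per matching policy bound to zone, the SPIFFE ID that would be
// minted under that zone's trust domain. The same policy yields a different ID
// in each zone it is bound to, because the trust domain differs.
func (pl Platform) Issue(zone string, attested map[string]string) (map[string]string, error) {
	z, ok := pl.Zones[zone]
	if !ok {
		return nil, fmt.Errorf("unknown trust zone %q", zone)
	}
	ids := map[string]string{}
	for _, b := range pl.Bindings {
		p, known := pl.Policies[b.Policy]
		if b.Zone == zone && known && matches(p, attested) {
			ids[p.Name] = "spiffe://" + z.TrustDomain + p.Path
		}
	}
	return ids, nil
}

func (pl Platform) federated(a, b string) bool {
	for _, f := range pl.Federations {
		if (f.A == a && f.B == b) || (f.A == b && f.B == a) {
			return true
		}
	}
	return false
}

// zoneOf maps a peer SPIFFE ID to the zone that owns its trust domain.
func (pl Platform) zoneOf(spiffeID string) (string, bool) {
	if !strings.HasPrefix(spiffeID, "spiffe://") {
		return "", false
	}
	td, _, _ := strings.Cut(strings.TrimPrefix(spiffeID, "spiffe://"), "/")
	for name, z := range pl.Zones {
		if z.TrustDomain == td {
			return name, true
		}
	}
	return "", false
}

// PeerAllowed decides whether a workload in localZone (with the given attested
// selectors) may accept peerID: the peer's zone must be federated with the local
// zone AND a matching bound policy must list that zone in FederatesWith.
func (pl Platform) PeerAllowed(localZone string, attested map[string]string, peerID string) (bool, string) {
	peerZone, ok := pl.zoneOf(peerID)
	if !ok {
		return false, "peer trust domain is not a known trust zone"
	}
	if peerZone == localZone {
		return true, "same trust zone"
	}
	if !pl.federated(localZone, peerZone) {
		return false, "no federation between " + localZone + " and " + peerZone
	}
	for _, b := range pl.Bindings {
		p, known := pl.Policies[b.Policy]
		if b.Zone != localZone || !known || !matches(p, attested) {
			continue
		}
		for _, z := range p.FederatesWith {
			if z == peerZone {
				return true, "policy " + p.Name + " federates with " + peerZone
			}
		}
	}
	return false, "no bound policy permits federation with " + peerZone
}

// samplePlatform is constructed data: two zones, one shared policy, one federation.
func samplePlatform() Platform {
	return Platform{
		Zones: map[string]TrustZone{
			"prod-eu": {"prod-eu", "prod-eu.example.internal"},
			"prod-us": {"prod-us", "prod-us.example.internal"},
		},
		Policies: map[string]AttestationPolicy{"payments-api": {
			Name:          "payments-api",
			Match:         map[string]string{"k8s:ns": "payments", "k8s:sa": "api"},
			Path:          "/ns/payments/sa/api",
			FederatesWith: []string{"prod-us"}, // only the EU side may call the US side
		}},
		Bindings:    []Binding{{"payments-api", "prod-eu"}, {"payments-api", "prod-us"}},
		Federations: []Federation{{"prod-eu", "prod-us"}},
	}
}

func main() {
	pl := samplePlatform()
	sel := map[string]string{"k8s:ns": "payments", "k8s:sa": "api"}
	ids, _ := pl.Issue("prod-eu", sel)
	fmt.Println(ids)
	fmt.Println(pl.PeerAllowed("prod-eu", sel, "spiffe://prod-us.example.internal/ns/payments/sa/api"))
	fmt.Println(pl.PeerAllowed("prod-us", sel, "spiffe://prod-eu.example.internal/ns/payments/sa/api"))
}
```

The asymmetry in the sample is deliberate: the federation between the two zones exists in both directions, but because the one bound policy only lists `prod-us` under `FederatesWith`, a `prod-us` workload is still refused a `prod-eu` peer. That is the "policies select which workloads are allowed to federate" point from the text; a real deployment enforces it at the SVID/bundle level rather than with a string check like this.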

A federated service simplifies connectivity between workloads in different trust zones, making it easier to securely discover and communicate with a service in a remote trust zone. Combined with a federation, the Cofide Agent provides discovery of, and mutually authenticated connectivity to, the remote service; this is currently available via xDS (Envoy) and the Cofide Go SDK.

For more details on the types of attestation available in the Cofide Connect workload identity platform, see the attestation page. Alternatively, to start putting these workload identity concepts into practice using an existing Connect deployment, see the workload onboarding section.