
Quickstart

Onboarding workloads to the Cofide Connect platform happens in a few logically distinct stages. This guide will walk through these stages for a new Connect user.

Connect uses Attestation Policy and Attestation Policy Binding resources to determine which identity to issue to each workload.

Create a simple static attestation policy with:

cofidectl attestation-policy add static \
--parent-id-path cluster/my-workload-cluster/spire/agents \
--spiffe-id-path cluster/my-workload-cluster/foo/bar \
--selectors k8s:ns:foo \
--name my-first-policy

and then bind it to a trust zone with:

cofidectl attestation-policy-binding add \
--trust-zone my-first-trust-zone \
--attestation-policy my-first-policy

Once the binding is in place, any workload running in namespace foo of my-workload-cluster (matched by the selector k8s:ns:foo) is issued the SPIFFE ID spiffe://example.com/cluster/my-workload-cluster/foo/bar. For the full list of available Kubernetes workload selectors, see the official SPIRE plugin docs.
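The two steps above, parameterised as an added example that is not part of the Cofide docs: it checks the selector shape, previews the SPIFFE ID a workload will receive, and only prints the cofidectl commands rather than running them. The trust domain example.com is assumed.

```shell
# Added example (not from the Cofide docs): pre-flight helpers for onboarding
# one Kubernetes workload with cofidectl. Assumes trust domain "example.com".
set -eu

# Compose the SPIFFE ID produced by a trust domain and a --spiffe-id-path
# (the path is given without a leading slash, as in the cofidectl flags).
spiffe_id_for() {
  printf 'spiffe://%s/%s\n' "$1" "${2#/}"
}

# Accept selectors of the form k8s:<key>:<value> with non-empty key and value;
# anything else (wrong prefix, missing parts) is rejected with status 1.
check_k8s_selector() {
  case "$1" in
    k8s:?*:?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the two cofidectl commands for one workload without executing them.
# $1 cluster  $2 namespace  $3 workload path  $4 policy name  $5 trust zone
onboard_commands() {
  cluster=$1 ns=$2 workload=$3 policy=$4 tz=$5
  check_k8s_selector "k8s:ns:$ns" || { echo "invalid selector k8s:ns:$ns" >&2; return 1; }
  printf 'cofidectl attestation-policy add static --parent-id-path cluster/%s/spire/agents --spiffe-id-path cluster/%s/%s --selectors k8s:ns:%s --name %s\n' \
    "$cluster" "$cluster" "$workload" "$ns" "$policy"
  printf 'cofidectl attestation-policy-binding add --trust-zone %s --attestation-policy %s\n' \
    "$tz" "$policy"
}

# Dry run with the quickstart values; pipe the output to sh to apply it once
# cofidectl is configured against your Connect instance.
onboard_commands my-workload-cluster foo foo/bar my-first-policy my-first-trust-zone
echo "workload will receive: $(spiffe_id_for example.com cluster/my-workload-cluster/foo/bar)"
```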

If workloads in this trust zone need to validate certificates from workloads in another trust zone, see Federation.

For more information on the types of attestation policies available in Connect, see the dedicated Attestation documentation.

Once one or more attestation policies map workload selectors to SPIFFE IDs, you can start securing workloads with modern identity primitives using the supported zero-trust workload credentials and communication patterns.