v1.10.4 Latest
SPIFFE Overview Concepts Community Presentations Get Involved
SPIRE About Concepts Use Cases Comparisons Case Studies
Try Quickstart for Linux and MacOS X Quickstart for Kubernetes Quickstart for Docker Compose
Plan Scaling SPIRE Extending
Deploy Getting SPIRE Install Server Install Agent Configuring Registering workloads Working with SVIDs SPIFFE Library Usage Examples SPIRE Agent Configuration Reference SPIRE Server Configuration Reference SPIRE Telemetry Configuration
Maintain Upgrade/Downgrade SPIRE
Helm Charts Hardened About Installation Upgrading Service Selection Recommendations
Exposing Services Identifiers Namespaces
Advanced Federation Local Mirrors
Integrate SPIRE Securing Microservices Using Envoy with SPIRE SPIRE with Envoy and X.509-SVIDs SPIRE with Envoy and JWT-SVIDs Spire with OPA + Envoy + X.509-SVIDs Spire with OPA + Envoy + JWT-SVIDs
SVID Authentication AWS OIDC Authentication Vault Integration Example
SPIRE Architecture Nested SPIRE Example SPIRE Federation Example

Recommendations

Recommended Configuration

Enable Recommendations

In a production deployment there are a series of recommendations we have. By enabling the recommendations, you can easily get all of them applied to your deployment. If there are particular recommmendations you do not wish to use, you can still set those recommendations to false to disable them.

your-values.yaml snippet:

global:
  spire:
    recommendations:
      enabled: true

Individual Recommentations

Name Value
Namespace Layout global.spire.recommendations.namespaceLayout
Namespace Pod Security Standards global.spire.recommendations.namespacePSS
PriorityClassName global.spire.recommendations.priorityClassName
Prometheus global.spire.recommendations.prometheus
Strict Mode global.spire.recommendations.strictMode
Security Contexts global.spire.recommendations.securityContexts

Namespace Layout

Option global.spire.recommendations.namespaceLayout causes the services to be deployed across the two recommended namespaces for the services:

Namespace Type Namespace Value Default Value Purpose
Server global.spire.namespaces.server.name spire-server Services that should have restricted Kubernetes privileges
System global.spire.namespaces.system.name spire-system Services needing Kubernetes privileges
Service Name Namespace Type
SPIRE Server Server
SPIFFE OIDC Discovery Provider Server
SPIFFE CSI Driver System
SPIRE Agent System

Namespace Pod Security Standards

Option global.spire.recommendations.namespacePSS sets the chart to set the recommended Kubernetes Pod Security Standard labels when namespaces are created with the chart via any of the namespace flags as described in the namespace documentation

On creation, the following Namespaces are assigned their Pod Security Standard:

Namespace Type Pod Security Standard
Server Restricted
System Privileged

Priority Class Name

Option global.spire.recommendations.priorityClassName sets the Kubernetes Priority Class Names so that if there is resource contention on the cluster the SPIRE Services will have a very high priority. SPIRE malfunctioning can cuase other important workloads to malfunction too so we prevent that from happening.

Prometheus

Option global.spire.recommendations.prometheus enables prometheus style exporters to be exposed out of the relevant pods. This enables Prometheus or other compatable services to gather metrics from the various services.

Strict Mode

Option global.spire.recommendations.strictMode adds additional checks on the configuration to help ensure your configuration is production ready. These are settings that are recommended as part of the install instructions.

Security Contexts

Option global.spire.recommendations.securityContexts sets the Kubernetes pod securityContext and container securityContext to settings that meet the required Kubernetes Pod Security Standards as well as addition settings that tighten security as much as the maintainers know how.