SPIFFE identity documents (SVID)¶
A SPIFFE Verifiable Identity Document (SVID) is a document that encodes a SPIFFE ID, providing a cryptographically verifiable identity for a workload within a security domain^[400-devops-07-monitoring-and-observability-k8s-istio-samples-security-spire-readme.md#L6-L8].
In a Kubernetes context, the SVID takes the form of an X.509 certificate^[400-devops-07-monitoring-and-observability-k8s-istio-samples-security-spire-readme.md#L60-L62]. This certificate functions as the identity document for a specific service instance, i.e. a Pod^[400-devops-07-monitoring-and-observability-k8s-istio-samples-security-spire-readme.md#L60-L62].
Verification¶
To confirm the validity of a workload's identity, the SVID (specifically its certificate chain) can be inspected to identify the issuer^[400-devops-07-monitoring-and-observability-k8s-istio-samples-security-spire-readme.md#L53-L55]. For example, when SPIRE is used as a Certificate Authority (CA) with Istio, the issued SVID will list SPIRE as the organization (O) in the certificate's subject field^[400-devops-07-monitoring-and-observability-k8s-istio-samples-security-spire-readme.md#L60-L62].
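The inspection described above, as an added example that is not code from the page or from the SPIRE/Istio projects: it parses a PEM-encoded X.509-SVID with the Go standard library, extracts the SPIFFE ID from the certificate's URI SAN (the X.509-SVID profile requires exactly one spiffe:// URI), and reports whether the subject's O field names SPIRE. The sample certificate is self-signed and constructed in the block purely for demonstration; the SPIFFE ID `spiffe://cluster.local/ns/default/sa/httpbin` and the helper names (`InspectSVID`, `IssuedBySPIRE`, `MakeSampleSVID`) are assumptions, not identifiers from the page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// SVIDInfo holds the fields a verifier cares about in an X.509-SVID.
type SVIDInfo struct {
	SPIFFEID     string    // the single spiffe:// URI SAN
	Organization []string  // Subject O values (SPIRE writes "SPIRE" here)
	Issuer       string    // Issuer DN, used to locate the signing CA
	NotAfter     time.Time // SVIDs are short-lived, so expiry matters
}

// InspectSVID parses a PEM-encoded certificate and extracts its SPIFFE ID.
// Exactly one URI SAN with scheme "spiffe" is accepted; anything else is
// rejected rather than guessed at.
func InspectSVID(pemBytes []byte) (*SVIDInfo, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no PEM CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("parse certificate: %w", err)
	}
	var ids []string
	for _, u := range cert.URIs {
		if strings.EqualFold(u.Scheme, "spiffe") {
			ids = append(ids, u.String())
		}
	}
	if len(ids) != 1 {
		return nil, fmt.Errorf("expected exactly one spiffe:// URI SAN, found %d", len(ids))
	}
	return &SVIDInfo{
		SPIFFEID:     ids[0],
		Organization: cert.Subject.Organization,
		Issuer:       cert.Issuer.String(),
		NotAfter:     cert.NotAfter,
	}, nil
}

// IssuedBySPIRE reports whether the subject's O field names SPIRE, the
// marker the page describes for SVIDs minted by SPIRE acting as Istio's CA.
func IssuedBySPIRE(info *SVIDInfo) bool {
	for _, o := range info.Organization {
		if o == "SPIRE" {
			return true
		}
	}
	return false
}

// MakeSampleSVID builds a constructed, self-signed certificate shaped like an
// X.509-SVID, for demonstration only (a real SVID is signed by the SPIRE CA).
// An empty spiffeID yields a certificate with no URI SAN at all.
func MakeSampleSVID(spiffeID string, orgs []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Organization: orgs, Country: []string{"US"}},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour), // short lifetime, like a real SVID
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if spiffeID != "" {
		u, err := url.Parse(spiffeID)
		if err != nil {
			return nil, err
		}
		tmpl.URIs = []*url.URL{u}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// Constructed SPIFFE ID in the shape Istio uses for a Kubernetes service account.
	pemCert, err := MakeSampleSVID("spiffe://cluster.local/ns/default/sa/httpbin", []string{"SPIRE"})
	if err != nil {
		panic(err)
	}
	info, err := InspectSVID(pemCert)
	if err != nil {
		panic(err)
	}
	fmt.Printf("SPIFFE ID: %s\nSubject O: %v\nIssuer: %s\nIssued by SPIRE: %t\n",
		info.SPIFFEID, info.Organization, info.Issuer, IssuedBySPIRE(info))
}
```

The O field is only a hint about who issued the document: a certificate anyone can mint can carry `O=SPIRE` too, as the self-signed sample shows. A verifier that actually trusts the identity must also validate the chain against the trust domain's CA bundle (for example with `x509.Certificate.Verify` and the SPIRE bundle as roots) and check that the SVID has not expired.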
Related Concepts¶
Sources¶
^[400-devops-07-monitoring-and-observability-k8s-istio-samples-security-spire-readme.md]