# WorkloadIdentity
WorkloadIdentity is the core resource in Riptides. It defines a cryptographic identity for a workload, determining its SPIFFE ID, how the workload is matched on a host, what TLS policy applies, and which other identities it is allowed to communicate with.
- API Group: `core.riptides.io`
- Version: `v1alpha1`
- Kind: `WorkloadIdentity`
- Plural: `workloadidentitys`
## workloadID

| Type | string |
|---|---|
| Required | Yes |

A hierarchical identifier for this workload. Combined with the trust domain, it forms the workload's SPIFFE ID:

```
spiffe://<trustDomain>/<workloadID>
```

For example, a workloadID of `myapp/backend/api` in the trust domain `example.com` produces the SPIFFE ID `spiffe://example.com/myapp/backend/api`.
## scope

| Type | object |
|---|---|
| Required | Yes |

Determines which daemon or daemon group this identity is scoped to. Exactly one of the following must be set:

- `daemon.id` (string) — Scope to a single daemon by its ID.
- `daemonGroup.id` (string) — Scope to a daemon group by its ID. All daemons in the group will serve this identity.
## selectors

| Type | array of selector objects |
|---|---|
| Required | Yes |

Selectors define the criteria a daemon uses to match a running process to this identity. Each selector object contains key-value pairs that must all match for the workload to be identified (AND). Multiple selector objects in the array are evaluated with OR logic (any match is sufficient).

Common selector keys:

| Key | Description |
|---|---|
| `k8s:label:<label-name>` | Kubernetes pod label value. |
| `k8s:pod:namespace` | Kubernetes pod namespace. |
| `k8s:container:name` | Kubernetes container name within the pod. |
| `process:name` | Name of the running process binary. |
| `process:cmdline` | Command line string prefix of the process. |
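
The matching rule above (all keys of one selector object must match, any object in the array is enough, `process:cmdline` is a prefix match) is shown below as an added example; this is not Riptides code, and the daemon's actual matcher may differ in detail. The selector sets are copied from the two examples on this page; the observed process attributes are constructed, and the flat `k8s:...` / `process:...` attribute map is an assumed representation of what the daemon sees.

```python
from typing import List, Mapping


def key_matches(key: str, want: str, observed: Mapping[str, str]) -> bool:
    """Match one selector key/value against the attributes observed for a process.

    `observed` is a flat map keyed like the selector keys on this page
    (k8s:label:<name>, k8s:pod:namespace, k8s:container:name, process:name,
    process:cmdline). process:cmdline is a prefix match, as the page states;
    every other key is compared exactly.
    """
    got = observed.get(key)
    if got is None:
        return False
    if key == "process:cmdline":
        return got.startswith(want)
    return got == want


def selector_matches(selector: Mapping[str, str], observed: Mapping[str, str]) -> bool:
    """All keys in one selector object must match (AND)."""
    return all(key_matches(k, v, observed) for k, v in selector.items())


def identity_matches(selectors: List[Mapping[str, str]], observed: Mapping[str, str]) -> bool:
    """Any selector object in the array is sufficient (OR)."""
    return any(selector_matches(s, observed) for s in selectors)


def matching_identities(identities: Mapping[str, List[Mapping[str, str]]],
                        observed: Mapping[str, str]) -> List[str]:
    """Names of every identity whose selectors match the observed process.

    More than one name means the identities overlap: the process could be
    issued an SVID for the wrong identity, so overlaps are worth reviewing.
    """
    return sorted(name for name, sels in identities.items() if identity_matches(sels, observed))


# Selector arrays copied from the cartservice and support-assistant examples on this page.
CART_SELECTORS = [{
    "k8s:label:app": "cartservice",
    "k8s:pod:namespace": "myapp",
    "process:name": "cartservice",
}]
ASSISTANT_SELECTORS = [{
    "k8s:label:app": "support-assistant",
    "k8s:pod:namespace": "support-assistant",
    "process:cmdline": "next-server (v",
}]
IDENTITIES = {"cartservice": CART_SELECTORS, "support-assistant": ASSISTANT_SELECTORS}

# Constructed observations of running processes (not from the page).
CART_POD = {
    "k8s:label:app": "cartservice",
    "k8s:pod:namespace": "myapp",
    "k8s:container:name": "server",
    "process:name": "cartservice",
    "process:cmdline": "cartservice --port 7070",
}
# Same label and binary name, but in another namespace: the namespace key in the
# selector is what stops a pod elsewhere from being identified as cartservice.
IMPOSTOR_POD = dict(CART_POD, **{"k8s:pod:namespace": "tenant-b"})
ASSISTANT_POD = {
    "k8s:label:app": "support-assistant",
    "k8s:pod:namespace": "support-assistant",
    "process:name": "node",
    "process:cmdline": "next-server (v14.2.0)",   # constructed; matches the page's prefix
}

if __name__ == "__main__":
    for label, obs in (("cart", CART_POD), ("impostor", IMPOSTOR_POD), ("assistant", ASSISTANT_POD)):
        print(label, "->", matching_identities(IDENTITIES, obs))
```

Running the block prints which identity each constructed process resolves to; the impostor pod resolves to none, which is the behaviour to confirm whenever a selector set omits `k8s:pod:namespace`.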
## svid

| Type | object |
|---|---|
| Required | No |

Configures the SVID (SPIFFE Verifiable Identity Document) issued to this workload.

- `x509` — X.509 SVID settings.
  - `dnsNames` (array of string) — Additional DNS SANs to include in the certificate.
  - `ttl` (string, pattern `^\d+s$`) — Time-to-live for the X.509 certificate (e.g., `3600s`).
- `jwt` — JWT SVID settings.
  - `ttl` (string, pattern `^\d+s$`) — Time-to-live for JWT SVIDs (e.g., `300s`).
## connection

| Type | object |
|---|---|
| Required | No |

Default connection policy for this workload's inbound traffic.

- `tls.mode` (string) — TLS mode. Valid options:
  - `SIMPLE` — Server-side TLS only (workload presents its certificate; client is not verified).
  - `MUTUAL` — Mutual TLS (both sides present and verify certificates).
  - `PERMISSIVE` — Accept both plaintext and mTLS connections. Useful during migration.
- `tls.intercept` (boolean, nullable) — When `true`, the Riptides kernel module transparently intercepts connections to upgrade them to TLS.
- `tls.skipVerification` (boolean, nullable) — When `true`, skip peer certificate verification (not recommended for production).
## allowedSPIFFEIDs

| Type | object |
|---|---|
| Required | No |

Defines the default set of SPIFFE IDs this workload is authorized to communicate with.

- `inbound` (array of string) — SPIFFE IDs allowed to connect to this workload.
- `outbound` (array of string) — SPIFFE IDs this workload is allowed to connect to.
## ingress

| Type | array of ingress rule objects |
|---|---|
| Required | No |

Per-port inbound connection policies. Each entry overrides the default `connection` and `allowedSPIFFEIDs` for a specific listening port.

- `port` (integer, required) — The listening port number.
- `connection` (object) — Connection settings for this port (same schema as top-level `connection`).
- `allowedSPIFFEIDs` (array of string) — SPIFFE IDs permitted on this port.
- `svid` (object) — Per-port SVID overrides (same schema as top-level `svid`).
- `workloadID` (string) — Optional workload ID override for this ingress port.
## egress

| Type | array of egress rule objects |
|---|---|
| Required | No |

Egress rules define how this workload connects to downstream services. Each rule targets one or more services (matched by label selectors) and can override the default connection policy, allowed SPIFFE IDs, SVID settings, and workload ID on a per-service basis.

- `selectors` (array of selector objects, required) — Label selectors that match against Service labels to identify the target services.
- `connection` (object) — TLS/connection settings for outbound connections to matched services.
- `allowedSPIFFEIDs` (array of string) — SPIFFE IDs of the expected remote peers.
- `svid` (object) — Per-egress SVID overrides.
- `workloadID` (string) — Optional workload ID override for this egress rule.
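
The connection, allowedSPIFFEIDs, ingress and egress sections together describe a layered policy: top-level defaults, overridden per listening port by ingress rules and per target service by egress rules. The resolver below is an added example of that layering, not Riptides code, run against the page's own control-center example. Two points are assumptions rather than statements from the page: a field an ingress or egress rule leaves unset falls back to the top-level default, and egress selectors use the same AND-within-object, OR-across-array semantics as workload selectors. The admission rule in `peer_accepted` follows the mode descriptions above, with an empty allow list treated as admitting no identified peer.

```python
from typing import Any, Dict, List, Mapping, Optional


def _tls_mode(connection: Optional[Dict[str, Any]]) -> Optional[str]:
    return ((connection or {}).get("tls") or {}).get("mode")


def _default_allowed(spec: Dict[str, Any], direction: str) -> List[str]:
    return list((spec.get("allowedSPIFFEIDs") or {}).get(direction) or [])


def inbound_policy(spec: Dict[str, Any], port: int) -> Dict[str, Any]:
    """Effective policy for a connection arriving on `port`.

    The ingress rule for that port overrides the top-level defaults. A field the
    rule leaves unset falls back to the default (an assumption; the page only
    says the entry overrides the defaults for its port).
    """
    policy = {"source": "default",
              "mode": _tls_mode(spec.get("connection")),
              "allowed": _default_allowed(spec, "inbound")}
    for rule in spec.get("ingress") or []:
        if rule.get("port") == port:
            policy["source"] = f"ingress[port={port}]"
            if "connection" in rule:
                policy["mode"] = _tls_mode(rule["connection"])
            if "allowedSPIFFEIDs" in rule:
                policy["allowed"] = list(rule["allowedSPIFFEIDs"])
            break
    return policy


def peer_accepted(policy: Dict[str, Any], peer_spiffe_id: Optional[str]) -> bool:
    """Admission decision for one inbound connection.

    `peer_spiffe_id` is None when the client presented no certificate (plaintext
    or server-only TLS). MUTUAL requires a verified identity; SIMPLE and
    PERMISSIVE admit unidentified clients, per the mode descriptions on this page.
    An identified peer must be on the allow list; an empty list admits no
    identified peer (a strict default chosen here, not stated on the page).
    """
    if peer_spiffe_id is None:
        return policy["mode"] != "MUTUAL"
    return peer_spiffe_id in policy["allowed"]


def egress_policy(spec: Dict[str, Any], service_labels: Mapping[str, str]) -> Dict[str, Any]:
    """Effective policy for connecting to a Service carrying `service_labels`.

    The first egress rule with a matching selector wins. Selector objects are
    treated like workload selectors (all keys must match; any object in the
    array suffices), which is an assumption for egress. Unset fields and
    unmatched services fall back to the top-level connection and outbound list.
    """
    for i, rule in enumerate(spec.get("egress") or []):
        if any(all(service_labels.get(k) == v for k, v in sel.items())
               for sel in rule.get("selectors") or []):
            return {"source": f"egress[{i}]",
                    "mode": _tls_mode(rule["connection"]) if "connection" in rule
                            else _tls_mode(spec.get("connection")),
                    "allowed": list(rule["allowedSPIFFEIDs"]) if "allowedSPIFFEIDs" in rule
                               else _default_allowed(spec, "outbound")}
    return {"source": "default",
            "mode": _tls_mode(spec.get("connection")),
            "allowed": _default_allowed(spec, "outbound")}


# The control-center example from this page, as a Python dict.
CONTROL_CENTER = {
    "workloadID": "platform/control-center",
    "scope": {"daemonGroup": {"id": "riptides/daemongroup/prod-us-east-1/infra"}},
    "selectors": [{"k8s:container:name": "control-center",
                   "k8s:label:app.kubernetes.io/component": "control-center",
                   "process:name": "java"}],
    "connection": {"tls": {"mode": "PERMISSIVE"}},
    "ingress": [
        {"port": 9021, "connection": {"tls": {"mode": "PERMISSIVE"}}},
        {"port": 8080, "connection": {"tls": {"mode": "MUTUAL"}},
         "allowedSPIFFEIDs": ["spiffe://example.com/platform/control-center"]},
    ],
    "egress": [
        {"allowedSPIFFEIDs": ["spiffe://example.com/platform/kafka-broker"],
         "connection": {"tls": {"mode": "PERMISSIVE"}},
         "selectors": [{"app": "kafka-cluster-encrypted-listeners"}]},
        {"connection": {"tls": {"mode": "SIMPLE"}},
         "selectors": [{"app": "external-analytics"}]},
    ],
    "allowedSPIFFEIDs": {"inbound": ["spiffe://example.com/platform/control-center/health-check"]},
}

if __name__ == "__main__":
    for port in (8080, 9021, 5555):
        print(port, inbound_policy(CONTROL_CENTER, port))
    for labels in ({"app": "kafka-cluster-encrypted-listeners"}, {"app": "external-analytics"}, {"app": "other"}):
        print(labels, egress_policy(CONTROL_CENTER, labels))
```

Resolving port 9021 shows the part of the example worth noticing: the rule sets only the TLS mode, so (under the fallback assumption) the allow list it inherits is the top-level inbound list, and a port with no ingress rule at all gets the `PERMISSIVE` default. Writing the effective policy out per port in this way is a quick way to review what a resource actually grants.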
## Status

WorkloadIdentity resources do not expose a status subresource. The daemon resolves the identity assignment based on scope and selectors and reports operational state through other system resources.
## Examples

### Basic workload identity with mTLS

A simple workload identity for a backend service, scoped to a daemon group, with permissive TLS and inbound/outbound access control:

```yaml
apiVersion: core.riptides.io/v1alpha1
kind: WorkloadIdentity
metadata:
  name: cartservice
  namespace: riptides-system
spec:
  workloadID: myapp/app/cartservice
  scope:
    daemonGroup:
      id: riptides/daemongroup/prod-us-east-1/workers
  selectors:
    - k8s:label:app: cartservice
      k8s:pod:namespace: myapp
      process:name: cartservice
  connection:
    tls:
      mode: PERMISSIVE
  allowedSPIFFEIDs:
    inbound:
      - spiffe://example.com/myapp/app/frontend
      - spiffe://example.com/myapp/app/checkoutservice
    outbound:
      - spiffe://example.com/myapp/app/redis-cart
```

### Workload with TLS intercept for credential injection

A workload that connects to external APIs with transparent TLS interception. Credential injection is configured in the associated CredentialBinding resources.

```yaml
apiVersion: core.riptides.io/v1alpha1
kind: WorkloadIdentity
metadata:
  name: support-assistant
  namespace: riptides-system
spec:
  workloadID: support-assistant/app/assistant-api
  scope:
    daemonGroup:
      id: riptides/daemongroup/prod-us-east-1/workers
  selectors:
    - k8s:label:app: support-assistant
      k8s:pod:namespace: support-assistant
      process:cmdline: next-server (v
  connection:
    tls:
      mode: PERMISSIVE
      intercept: true
```

### Workload with per-port ingress rules

A workload that exposes multiple ports with different TLS policies per port:

```yaml
apiVersion: core.riptides.io/v1alpha1
kind: WorkloadIdentity
metadata:
  name: control-center
  namespace: riptides-system
spec:
  workloadID: platform/control-center
  scope:
    daemonGroup:
      id: riptides/daemongroup/prod-us-east-1/infra
  selectors:
    - k8s:container:name: control-center
      k8s:label:app.kubernetes.io/component: control-center
      process:name: java
  connection:
    tls:
      mode: PERMISSIVE
  ingress:
    - port: 9021
      connection:
        tls:
          mode: PERMISSIVE
    - port: 8080
      connection:
        tls:
          mode: MUTUAL
      allowedSPIFFEIDs:
        - spiffe://example.com/platform/control-center
  egress:
    - allowedSPIFFEIDs:
        - spiffe://example.com/platform/kafka-broker
      connection:
        tls:
          mode: PERMISSIVE
      selectors:
        - app: kafka-cluster-encrypted-listeners
    - connection:
        tls:
          mode: SIMPLE
      selectors:
        - app: external-analytics
  allowedSPIFFEIDs:
    inbound:
      - spiffe://example.com/platform/control-center/health-check
```

## Related Resources
- CredentialBinding — Bind credentials to this workload for injection using `CredentialBinding.propagation.injection` selectors.
- CredentialSource — Define where credentials come from.
- Service — Define the services that egress selectors match against.
- API Reference Overview