Ensure the SPIRE agent is running on the workload's host and the Workload API socket (default: /tmp/spire-agent/public/api.sock) is accessible to the workload process
Use the SPIFFE/SPIRE go-spiffe library (or the equivalent for your language) to connect to the Workload API socket and call FetchX509SVID or FetchX509Context (the latter also returns the trust bundle), or use the streaming watcher interface
The agent attests the workload by inspecting its process attributes (PID, UID, Kubernetes labels, etc.) and matching them against registered entries; no credential is needed from the workload itself
Implement a watcher (via the go-spiffe X509Source or BundleSource) that automatically receives updated SVIDs before expiry — do not poll; use the streaming gRPC API
Use the received X.509-SVID and trust bundle to configure a TLS listener or dialer for mTLS connections; the go-spiffe library provides helper functions to build tls.Config
Test attestation by running the workload under the selector conditions (correct namespace, service account, UID) and confirming SVIDs are delivered; test failure cases with incorrect selectors
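The procedure above in code, as an added example that is not SPIRE's or go-spiffe's own: it uses only the Go standard library to show what go-spiffe's X509Source and tlsconfig helpers do on your behalf. The mint function (an in-memory CA) stands in for the SPIRE server, the atomic.Pointer slot stands in for the watcher delivering renewed SVIDs, and the trust domain example.org, the SPIFFE IDs and every function name are assumptions of the example. Run it and the server-side verifier accepts the fresh SVID and rejects the one that was left to expire.

```go
// Added example (not SPIRE's or go-spiffe's code); see the lead-in for what it assumes.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/url"
	"sync/atomic"
	"time"
)

// mint stands in for the SPIRE server: with a nil parent it self-signs a CA,
// otherwise it issues an X.509-SVID whose only URI SAN is spiffeID.
func mint(parent *tls.Certificate, spiffeID string, ttl time.Duration) (*tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(ttl)}
	signerCert, signerKey := tmpl, any(key)
	if parent != nil {
		id, err := url.Parse(spiffeID)
		if err != nil {
			return nil, err
		}
		tmpl.URIs, signerCert, signerKey = []*url.URL{id}, parent.Leaf, parent.PrivateKey
	} else {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// verifySPIFFEPeer replaces hostname verification: the chain must validate against the
// bundle (so an expired SVID fails here) and the leaf's URI SAN must equal expectedID.
// The bundle is a single CA in this example; a real verifier also loads rawCerts[1:] as intermediates.
func verifySPIFFEPeer(bundle *x509.CertPool, expectedID string) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return fmt.Errorf("peer presented no certificate")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return err
		}
		if _, err := leaf.Verify(x509.VerifyOptions{Roots: bundle, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
			return err
		}
		if len(leaf.URIs) != 1 || leaf.URIs[0].String() != expectedID {
			return fmt.Errorf("peer SPIFFE ID %v, want %s", leaf.URIs, expectedID)
		}
		return nil
	}
}

// mtlsConfig works as listener or dialer config. Every handshake reads the SVID last stored
// in src (the watcher's hand-off slot), so rotation never needs a new config; InsecureSkipVerify
// only skips Go's hostname path, and the SPIFFE checks in VerifyPeerCertificate still run.
func mtlsConfig(src *atomic.Pointer[tls.Certificate], bundle *x509.CertPool, expectedPeer string) *tls.Config {
	current := func() (*tls.Certificate, error) {
		if c := src.Load(); c != nil {
			return c, nil
		}
		return nil, fmt.Errorf("no SVID received from the Workload API yet")
	}
	return &tls.Config{
		GetCertificate:        func(*tls.ClientHelloInfo) (*tls.Certificate, error) { return current() },
		GetClientCertificate:  func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return current() },
		ClientAuth:            tls.RequireAnyClientCert,
		InsecureSkipVerify:    true,
		VerifyPeerCertificate: verifySPIFFEPeer(bundle, expectedPeer),
	}
}

func main() {
	ca, err := mint(nil, "", time.Hour)
	if err != nil {
		panic(err)
	}
	bundle := x509.NewCertPool()
	bundle.AddCert(ca.Leaf)
	var clientSVID atomic.Pointer[tls.Certificate]
	serverCfg := mtlsConfig(new(atomic.Pointer[tls.Certificate]), bundle, "spiffe://example.org/client")
	clientCfg := mtlsConfig(&clientSVID, bundle, "spiffe://example.org/server")
	for _, ttl := range []time.Duration{time.Minute, -time.Second} { // a fresh SVID, then a stale one
		svid, _ := mint(ca, "spiffe://example.org/client", ttl)
		clientSVID.Store(svid) // in real code this is the watcher's job
		presented, _ := clientCfg.GetClientCertificate(nil)
		fmt.Printf("ttl %v: %v\n", ttl, serverCfg.VerifyPeerCertificate(presented.Certificate, nil))
	}
}
```

In a real workload the two things this example fakes are exactly what go-spiffe provides: workloadapi.NewX509Source keeps the current SVID and bundle updated from the agent's stream, and tlsconfig.MTLSServerConfig / tlsconfig.MTLSClientConfig build the equivalent tls.Config, with an Authorizer such as tlsconfig.AuthorizeID taking the place of the expectedPeer string used here.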
Known gotchas
The Workload API socket must not be world-writable; protect it with filesystem permissions so only authorized workload processes can connect
Workload attestation is re-evaluated on each SVID renewal; if the workload's process attributes change (e.g., pod restart with different service account), attestation may fail — ensure registration entries stay current
Short SVID TTLs (e.g., minutes) mean the watcher pattern is essential; applications that cache SVIDs without renewal will fail when the certificate expires