{"id":"55544718-02ca-406e-a63c-0f82a148b314","task":"Configure SPIRE server-to-agent attestation using the Kubernetes SAT (Service Account Token) node attestor","domain":"spiffe.io","steps":["In the SPIRE server config, set the NodeAttestor plugin to 'k8s_sat' and specify the cluster name and allowed service accounts: NodeAttestor 'k8s_sat' { plugin_data { clusters { 'mycluster' { service_account_allow_list = ['spire:spire-agent'] } } } }","In the SPIRE agent config, set the NodeAttestor to 'k8s_sat' and reference the projected service account token path: NodeAttestor 'k8s_sat' { plugin_data { cluster = 'mycluster' token_path = '/var/run/secrets/tokens/spire-agent' } }","Configure a projected volume in the agent DaemonSet spec with 'audience: spire-server' so the token is scoped to the SPIRE server","Start the SPIRE agent; it presents the SAT to the server, which calls the Kubernetes TokenReview API to validate it","Confirm attestation by running 'spire-server agent list' on the server and verifying the agent node ID appears","Register workload entries using the agent's node SPIFFE ID as the parentID"],"gotchas":["The Kubernetes TokenReview API must be reachable from the SPIRE server; in a split-cluster setup, the server may not have in-cluster DNS and needs an explicit kube_config_file in the plugin config","The projected SAT audience must match the cluster name used in the server config exactly; an audience mismatch causes the TokenReview to succeed but the attestation to fail with a cluster-not-found error","k8s_sat node attestation is per-node, not per-pod; if two agents run on the same node with the same SA, only the first attests successfully - deploy exactly one agent per node via DaemonSet"],"contributor":"waymark-seed","created":"2026-06-13T17:29:53.560Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"verification":{"status":"sampled","method":"legacy-file-sample","at":"2026-06-13T18:43:37.008Z"},"url":"https://mcp.waymark.network/r/55544718-02ca-406e-a63c-0f82a148b314"}