Linkerd enforces authorization policies using SPIFFE/SPIRE workload identities for secure service access
Linkerd leverages SPIFFE/SPIRE to establish and enforce workload identities for both Kubernetes and non-Kubernetes services. By integrating with SPIRE, Linkerd proxies obtain SPIFFE Verifiable Identity Documents (SVIDs), which are then used as the basis for Linkerd's mutual TLS (mTLS) and fine-grained authorization policies, ensuring secure and identity-aware access control for services within and beyond the mesh.
Linked Evidence
Linkerd 2.15 ships native SPIFFE/SPIRE integration, allowing proxies outside Kubernetes to obtain SPIFFE-compliant identities from SPIRE and participate in Linkerd's mTLS mesh and authorization policies.
Source: Announcing Linkerd 2.15 | Linkerd

Linkerd proxies on external machines can be configured to obtain their TLS certificates directly from SPIRE instead of from Linkerd's in-cluster identity service, using SPIFFE-compatible SVIDs so that mTLS and Linkerd authorization policies apply uniformly to both Kubernetes and non-Kubernetes workloads.
Source: Adding non-Kubernetes workloads to your mesh | Linkerd

Linkerd adopts SPIFFE/SPIRE as its external workload identity mechanism because SPIFFE gives a standard format for machine identity and SPIRE issues SVIDs for arbitrary workloads on arbitrary machines, enabling Linkerd's mTLS and authorization policies to span both Kubernetes and non-Kubernetes services.
Source: Mesh expansion and SPIFFE support arriving in the upcoming Linkerd 2.15 | Linkerd
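As an added illustration (not Linkerd's or SPIRE's own code), the Python model below shows the two steps the evidence above implies for an SVID-driven authorization decision: validating the SPIFFE ID carried in a peer's SVID, then matching it against an identity allowlist scoped to the mesh's trust domain. The function names and the "/*" path-prefix wildcard form are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed example: a simplified model of SVID-based authorization.
# Not Linkerd's own code. The proxy would read the SPIFFE ID from the
# peer's SVID URI SAN after mTLS succeeds; here IDs are plain strings.
_TRUST_DOMAIN_RE = re.compile(r"^[a-z0-9._-]+$")
_PATH_SEGMENT_RE = re.compile(r"^[A-Za-z0-9._-]+$")

@dataclass(frozen=True)
class SpiffeId:
    trust_domain: str
    path: str  # leading slash, e.g. "/vm/web"

def parse_spiffe_id(uri: str) -> SpiffeId:
    """Parse a SPIFFE ID, rejecting wrong scheme, bad trust domain,
    empty or relative ("." / "..") path segments and disallowed
    characters, so a malformed SAN never reaches policy evaluation."""
    scheme, sep, rest = uri.partition("://")
    if scheme != "spiffe" or not sep:
        raise ValueError(f"not a spiffe URI: {uri!r}")
    trust_domain, slash, path = rest.partition("/")
    if not _TRUST_DOMAIN_RE.match(trust_domain):
        raise ValueError(f"invalid trust domain in {uri!r}")
    if not slash or not path:
        raise ValueError(f"missing workload path in {uri!r}")
    for seg in path.split("/"):
        if seg in (".", "..") or not _PATH_SEGMENT_RE.match(seg):
            raise ValueError(f"bad path segment {seg!r} in {uri!r}")
    return SpiffeId(trust_domain, "/" + path)

def is_authorized(peer_uri: str, allowed: list[str], trust_domain: str) -> bool:
    """Return True if the authenticated peer may reach the server.
    `allowed` lists SPIFFE IDs; an entry ending in "/*" (an assumed
    wildcard form) admits any workload under that path prefix. Peers
    from another trust domain are refused, since only the mesh's own
    root of trust is honoured."""
    try:
        peer = parse_spiffe_id(peer_uri)
    except ValueError:
        return False  # fail closed on anything malformed
    if peer.trust_domain != trust_domain:
        return False
    for entry in allowed:
        if entry.endswith("/*") and peer_uri.startswith(entry[:-1]):
            return True  # prefix keeps "/" so "/vm/" != "/vms/"
        if entry == peer_uri:
            return True
    return False
```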