RFC-WORKLOAD-IDENTITY-0001: Workload Identity Architecture

RFC-WORKLOAD-IDENTITY-0001                                   Standards Track
Category: Standards Track                          Workload Identity Architecture
Version: 1.0.0                                              February 2026


Document Metadata

Field        Value
-----------  ------------------------------
RFC Number   RFC-WORKLOAD-IDENTITY-0001
Title        Workload Identity Architecture
Status       Draft
Category     Standards Track
Created      2026-02-11
Updated      2026-02-11
Version      1.0.0
Author       Platform Engineering Team
Requires     RFC-IAM-0001, RFC-SECOPS-0001

Abstract

This RFC defines the architecture for non-human identity management across all workloads in the platform. It establishes patterns for authenticating and authorizing machines, services, CI/CD pipelines, GitOps operators, Kubernetes controllers, and AI agents. The architecture builds on SPIFFE/SPIRE as the primary identity framework, integrates with HashiCorp Vault for secret access, leverages Teleport Machine ID for infrastructure automation, and uses a service mesh (Linkerd) for network-layer identity enforcement.

This RFC complements RFC-IAM-0001 (human identity) and RFC-PAM-0001 (privileged access), sharing the same trust foundation (Azure AD as authorization ceiling) and credential authority (Vault) while implementing distinct access patterns appropriate for non-human principals.


Scope

In Scope

Concern                            Description
---------------------------------  -----------------------------------------------------
Kubernetes workload identity       Pod/container identity via service accounts and SPIFFE
Service-to-service authentication  mTLS, SPIFFE SVIDs
CI/CD pipeline identity            GitHub Actions OIDC, GitLab CI, Tekton
GitOps operator identity           ArgoCD, Flux, Kargo automation tokens
Kubernetes operator identity       Controller service accounts
CronJob/scheduled task identity    Batch workload authentication
AI agent identity                  LLM-based automation, delegation chains
Machine identity (VMs)             Teleport Machine ID for non-K8s hosts
Cross-cluster identity federation  SPIFFE federation, trust domains

Out of Scope

Concern                                     Addressed By
------------------------------------------  ---------------------------------
Human identity and authentication           RFC-IAM-0001
Human privileged access (SSH, DB, kubectl)  RFC-PAM-0001
Secret storage and lifecycle management     RFC-SECOPS-0001
Network-level security policies             RFC-TENANT-SECURITY (planned)
Developer portal self-service               RFC-DEVELOPER-PLATFORM (planned)

Relationship to Other RFCs

Normative Dependencies

RFC-IAM-0001: Federated Identity and Access Management Architecture

  • Provides human identity foundation
  • Defines authorization ceiling concept
  • Establishes Keycloak as identity broker

RFC-SECOPS-0001: GitOps-Native, Vault-First Secret Management Architecture

  • Defines Vault as credential authority
  • Establishes ESO distribution patterns
  • Provides secret lifecycle management

Integration Points

RFC-PAM-0001: Privileged Access Management Architecture

  • Shares Teleport infrastructure (Machine ID)
  • Uses same Vault credential engines
  • Follows complementary access patterns

Future RFCs

RFC                     Relationship
----------------------  ----------------------------------------------------
RFC-DEVELOPER-PLATFORM  May provide self-service for workload identity
RFC-TENANT-SECURITY     Network-level controls complement workload identity

Table of Contents

Core Sections

  1. Introduction

    • Background and motivation
    • Current state analysis
    • Problem statement
  2. Requirements

    • Design goals and non-goals
    • Architectural invariants
    • Success criteria
  3. Architecture

    • Identity hierarchy
    • Trust boundaries
    • Authority domains
    • Integration patterns
  4. Components

    • Component taxonomy
    • SPIRE architecture
    • Vault integration
    • Teleport Machine ID
    • Service mesh integration

Workload Categories

  1. Kubernetes Workloads

    • ServiceAccount patterns
    • SPIRE agent deployment
    • Vault Kubernetes auth
  2. CI/CD Identity

    • OIDC federation patterns
    • GitHub Actions integration
    • Tekton pipeline identity
  3. GitOps Identity

    • ArgoCD identity model
    • Flux workload identity
    • Automation token management
  4. Operator Identity

    • Kubernetes operator patterns
    • Controller service accounts
    • CronJob identity
  5. AI Agent Identity

    • Agent identity challenges
    • Delegation patterns
    • Sub-agent chains
  6. Machine Identity

    • Teleport Machine ID
    • tbot deployment
    • VM attestation

Cross-Cutting Concerns

  1. Service Mesh Integration

    • Linkerd identity model
    • mTLS configuration
    • Authorization policies
  2. Federation

    • Cross-cluster identity
    • SPIFFE federation
    • Multi-cloud identity

Supporting Sections

  1. Rationale

    • Why SPIFFE/SPIRE
    • Alternatives considered
    • Trade-off analysis
  2. Evolution

    • Future considerations
    • AI agent evolution
    • Standards evolution

Appendices


Reading Paths

Platform Engineers

Recommended reading order for platform engineers implementing this architecture:

  1. Introduction - Understand the problem space
  2. Requirements - Learn the invariants
  3. Architecture - Grasp the overall design
  4. Components - Understand component responsibilities
  5. Kubernetes Workloads - Core implementation
  6. Service Mesh Integration - Network identity

Security Engineers

Recommended reading order for security review:

  1. Requirements - Understand invariants and constraints
  2. Architecture - Trust boundaries and authority domains
  3. AI Agent Identity - Delegation chain security
  4. Federation - Cross-boundary trust
  5. Rationale - Understand design decisions

DevOps/SRE Teams

Recommended reading order for operations teams:

  1. CI/CD Identity - Pipeline identity patterns
  2. GitOps Identity - Operator identity
  3. Machine Identity - VM identity
  4. Operator Identity - Controller patterns

Application Developers

Recommended reading order for application developers:

  1. Kubernetes Workloads - How workloads get identity
  2. Service Mesh Integration - mTLS for services
  3. Appendix A: Glossary - Terminology reference

Key Concepts

Identity Hierarchy

┌─────────────────────────────────────────────────────────────────┐
│                    ENTERPRISE IDENTITY CEILING                   │
│                         (Azure AD / Entra ID)                    │
└─────────────────────────────────────────────────────────────────┘
                                  │
                    ┌─────────────┴─────────────┐
                    ▼                           ▼
    ┌───────────────────────────┐   ┌───────────────────────────┐
    │     HUMAN IDENTITY        │   │    WORKLOAD IDENTITY      │
    │      (RFC-IAM-0001)       │   │  (RFC-WORKLOAD-IDENTITY)  │
    │                           │   │                           │
    │  Keycloak ← Azure AD      │   │  SPIRE ← Cloud Providers  │
    │         ↓                 │   │         ↓                 │
    │  Platform Applications    │   │  Service-to-Service       │
    │  (Harbor, Backstage...)   │   │  (mTLS, Vault access)     │
    └───────────────────────────┘   └───────────────────────────┘
                    │                           │
                    └─────────────┬─────────────┘
                                  ▼
                    ┌───────────────────────────┐
                    │   PRIVILEGED ACCESS       │
                    │     (RFC-PAM-0001)        │
                    │                           │
                    │  Human → Teleport → Infra │
                    │  Machine → Teleport → Infra │
                    └───────────────────────────┘

Workload Categories

Category                 Example                    Identity Method
-----------------------  -------------------------  -------------------------------
Kubernetes Applications  Web services, APIs         SPIFFE SVID + Vault K8s Auth
CI/CD Pipelines          GitHub Actions, Tekton     OIDC Federation
GitOps Operators         ArgoCD, Flux               ServiceAccount + Vault K8s Auth
Kubernetes Operators     Custom controllers         ServiceAccount + RBAC
CronJobs                 Scheduled tasks            ServiceAccount + Vault K8s Auth
AI Agents                LLM automation             Delegation tokens (RFC 8693)
VMs/Machines             Infrastructure automation  Teleport Machine ID (tbot)

Document Conventions

Requirement Level Keywords

This document uses requirement level keywords as defined in [RFC2119] and [RFC8174]:

Keyword     Meaning
----------  -----------------------------------
MUST        Absolute requirement
MUST NOT    Absolute prohibition
SHOULD      Recommended but not required
SHOULD NOT  Not recommended but not prohibited
MAY         Optional

Invariant References

Invariants are referenced as INV-X where X is the invariant number. See Section 2 for complete invariant definitions.

ADR References

Architecture Decision Records are referenced as ADR-WI-XXX. See Appendix A for the ADR index.


Version History

Version  Date        Changes
-------  ----------  ---------------
1.0.0    2026-02-11  Initial release
