As modern applications expand across multiple clusters, clouds, and hybrid regions, traditional security mechanisms, such as long lived secrets, static certificates, or cloud provider specific identity and access management, struggle to keep up with the scale, velocity, and ephemeral nature of microservices. Red Hat’s zero trust workload identity manager is designed to resolve this by dynamically issuing temporary, cryptographically attested identities to workloads at runtime. This enables your applications to systematically prove what they are, not just where they run.

Zero trust workload identity manager version 1.1 is now generally available, delivering universal  runtime-attested identities for workloads across your cloud native deployment fleet.

Production scaling with upstream SPIFFE and SPIRE

Built on the trusted foundation of the upstream SPIRE project, which is the reference implementation of the Secure Production Identity Framework for Everyone (SPIFFE) standard, zero trust workload identity manager abstracts complex configurations into an automated, enterprise-ready Day 2 operator.

If you're looking to scale your deployments and operate safely in high-traffic production environments, this solution offers a unified identity plane that bridges your container environments. By tying identity directly to continuous runtime attestation, the platform reduces reliance on static secrets and manual certificate management. While the upstream SPIFFE and SPIRE projects support both virtual machines and containers, we deliver these capabilities natively for containers within your Red Hat OpenShift environments. This targeted footprint allows platform teams to maximize container security and performance while leveraging our operator securely in high scale production environments.

What's new in zero trust workload identity manager operator 1.1

What's new in zero trust workload identity manager operator 1.1

The release of zero trust workload identity manager operator 1.1 brings critical new features designed to help enterprises scale their production zero trust architectures.

Native SPIFFE Helper integration and modes

Adopting zero trust can be challenging when working with legacy applications or workloads that cannot interact directly with the SPIRE Workload API. Zero trust workload identity manager operator 1.1 introduces formal support for the SPIFFE Helper, a powerful utility designed to bridge this gap. Running alongside your workload, the SPIFFE Helper automatically fetches cryptographic identity credentials and keys, saving them to a shared volume. It supports multiple operational modes to monitor credential lifetimes, automatically rotate credentials, and signal or hot reload your application when credentials update, ensuring zero downtime without rewriting application source code.

Multi-cluster service mesh integration

While protecting communication within a single cluster is a solid starting point, production architectures demand security-focused cross boundary communication. Zero trust workload identity manager operator 1.1 features integration with Red Hat OpenShift Service Mesh based on Istio, extending cryptographic trust across multi-cluster environments. By facilitating automated server to server SPIRE federation, the operator allows distinct service meshes across disparate clusters, regions, or clouds to recognize and validate each other's identities. This enables seamless, strict mutual TLS across cluster boundaries, allowing distributed applications to communicate based on continuously attested cryptographic identities rather than vulnerable network placement or IP based firewalls.

Customizable enterprise SPIRE plug-ins and custom PKI integration

Production environments are rarely "one size fits all". To satisfy complex corporate compliance and integrate smoothly with existing security infrastructure, zero trust workload identity manager operator 1.1 introduces configuration support to enable cert manager and Vault plug-ins for UpstreamAuthority. This specific functionality enables an organization to bring its own PKI. With these plug-ins, the identity plane hooks directly into your established enterprise certificate management systems, allowing Red Hat OpenShift to issue cryptographically attested workload identities rooted entirely in your existing corporate trust chain.

Broadening access with expanded OpenShift entitlements

Previously packaged exclusively with Red Hat OpenShift Platform Plus, the zero trust workload identity manager operator is now also available to customers with standard Red Hat OpenShift Container Platform entitlements. This confirms that whether you are running a core OpenShift cluster or a comprehensive multi-cluster platform, you have immediate access to production ready, SPIFFE and SPIRE workload identity management.

Additionally, we're releasing an end to end example workflow with Open Policy Agent and OpenShift Service Mesh in the near future to help you fully implement these advanced security patterns.

Agentic AI and the imperative for strong identity

The technical enhancements in zero trust workload identity manager operator 1.1 arrive at a critical moment as enterprises actively deploy agentic AI. As autonomous AI agents operate side by side with humans, often possessing equal standing in decision making, orchestration, and action, the stakes for auditability and traceability are higher than ever. Today, almost all agent platforms and harnesses are using SPIFFE and SPIRE for workload identity based on zero-trust principles.

By attesting AI workloads at runtime and issuing verifiable identities to AI agents, zero trust workload identity manager ensures accountability for every action. This allows organizations to maintain traceability across complex, multistep workflows and apply consistent policies that enforce the same zero trust principles across both human and AI workloads.

Get started today

Ready to eliminate static secrets and scale your production zero trust security architecture? 

  • You can explore the updated Red Hat OpenShift documentation to view implementation guides for the SPIFFE Helper, multi-cluster service mesh integration, and custom plug-in configurations. 
  • Install the operator directly from your Red Hat OpenShift OperatorHub console using your standard Red Hat OpenShift Container Platform or Red Hat OpenShift Platform Plus entitlements.

Product trial

Red Hat OpenShift Container Platform | Product Trial

A consistent hybrid cloud foundation for building and scaling containerized applications.

About the authors

Anjali Telang is a Principal Product Manager for Security and Identity in OpenShift at RedHat. She is a security and cloud enthusiast with over 16 years of experience in cloud, security and networking. Prior to leading Identity and Access Product Management (IAM) in RedHat OpenShift, she worked on Identity and Access Management in VMWare Tanzu and has held various product and engineering roles at RedHat, VMware and NetApp

UI_Icon-Red_Hat-Close-A-Black-RGB

Browse by channel

automation icon

Automation

The latest on IT automation for tech, teams, and environments

AI icon

Artificial intelligence

Updates on the platforms that free customers to run AI workloads anywhere

open hybrid cloud icon

Open hybrid cloud

Explore how we build a more flexible future with hybrid cloud

security icon

Security

The latest on how we reduce risks across environments and technologies

edge icon

Edge computing

Updates on the platforms that simplify operations at the edge

Infrastructure icon

Infrastructure

The latest on the world’s leading enterprise Linux platform

application development icon

Applications

Inside our solutions to the toughest application challenges

Virtualization icon

Virtualization

The future of enterprise virtualization for your workloads on-premise or across clouds