As modern applications expand across multiple clusters, clouds, and hybrid regions, traditional security mechanisms, such as long lived secrets, static certificates, or cloud provider specific identity and access management, struggle to keep up with the scale, velocity, and ephemeral nature of microservices. Red Hat’s zero trust workload identity manager is designed to resolve this by dynamically issuing temporary, cryptographically attested identities to workloads at runtime. This enables your applications to systematically prove what they are, not just where they run.
Zero trust workload identity manager version 1.1 is now generally available, delivering universal runtime-attested identities for workloads across your cloud native deployment fleet.
Production scaling with upstream SPIFFE and SPIRE
Built on the trusted foundation of the upstream SPIRE project, which is the reference implementation of the Secure Production Identity Framework for Everyone (SPIFFE) standard, zero trust workload identity manager abstracts complex configurations into an automated, enterprise-ready Day 2 operator.
If you're looking to scale your deployments and operate safely in high-traffic production environments, this solution offers a unified identity plane that bridges your container environments. By tying identity directly to continuous runtime attestation, the platform reduces reliance on static secrets and manual certificate management. While the upstream SPIFFE and SPIRE projects support both virtual machines and containers, we deliver these capabilities natively for containers within your Red Hat OpenShift environments. This targeted footprint allows platform teams to maximize container security and performance while leveraging our operator securely in high scale production environments.
What's new in zero trust workload identity manager operator 1.1
The release of zero trust workload identity manager operator 1.1 brings critical new features designed to help enterprises scale their production zero trust architectures.
Native SPIFFE Helper integration and modes
Adopting zero trust can be challenging when working with legacy applications or workloads that cannot interact directly with the SPIRE Workload API. Zero trust workload identity manager operator 1.1 introduces formal support for the SPIFFE Helper, a powerful utility designed to bridge this gap. Running alongside your workload, the SPIFFE Helper automatically fetches cryptographic identity credentials and keys, saving them to a shared volume. It supports multiple operational modes to monitor credential lifetimes, automatically rotate credentials, and signal or hot reload your application when credentials update, ensuring zero downtime without rewriting application source code.
Multi-cluster service mesh integration
While protecting communication within a single cluster is a solid starting point, production architectures demand security-focused cross boundary communication. Zero trust workload identity manager operator 1.1 features integration with Red Hat OpenShift Service Mesh based on Istio, extending cryptographic trust across multi-cluster environments. By facilitating automated server to server SPIRE federation, the operator allows distinct service meshes across disparate clusters, regions, or clouds to recognize and validate each other's identities. This enables seamless, strict mutual TLS across cluster boundaries, allowing distributed applications to communicate based on continuously attested cryptographic identities rather than vulnerable network placement or IP based firewalls.
Customizable enterprise SPIRE plug-ins and custom PKI integration
Production environments are rarely "one size fits all". To satisfy complex corporate compliance and integrate smoothly with existing security infrastructure, zero trust workload identity manager operator 1.1 introduces configuration support to enable cert manager and Vault plug-ins for UpstreamAuthority. This specific functionality enables an organization to bring its own PKI. With these plug-ins, the identity plane hooks directly into your established enterprise certificate management systems, allowing Red Hat OpenShift to issue cryptographically attested workload identities rooted entirely in your existing corporate trust chain.
Broadening access with expanded OpenShift entitlements
Previously packaged exclusively with Red Hat OpenShift Platform Plus, the zero trust workload identity manager operator is now also available to customers with standard Red Hat OpenShift Container Platform entitlements. This confirms that whether you are running a core OpenShift cluster or a comprehensive multi-cluster platform, you have immediate access to production ready, SPIFFE and SPIRE workload identity management.
Additionally, we're releasing an end to end example workflow with Open Policy Agent and OpenShift Service Mesh in the near future to help you fully implement these advanced security patterns.
Agentic AI and the imperative for strong identity
The technical enhancements in zero trust workload identity manager operator 1.1 arrive at a critical moment as enterprises actively deploy agentic AI. As autonomous AI agents operate side by side with humans, often possessing equal standing in decision making, orchestration, and action, the stakes for auditability and traceability are higher than ever. Today, almost all agent platforms and harnesses are using SPIFFE and SPIRE for workload identity based on zero-trust principles.
By attesting AI workloads at runtime and issuing verifiable identities to AI agents, zero trust workload identity manager ensures accountability for every action. This allows organizations to maintain traceability across complex, multistep workflows and apply consistent policies that enforce the same zero trust principles across both human and AI workloads.
Get started today
Ready to eliminate static secrets and scale your production zero trust security architecture?
- You can explore the updated Red Hat OpenShift documentation to view implementation guides for the SPIFFE Helper, multi-cluster service mesh integration, and custom plug-in configurations.
- Install the operator directly from your Red Hat OpenShift OperatorHub console using your standard Red Hat OpenShift Container Platform or Red Hat OpenShift Platform Plus entitlements.
Product trial
Red Hat OpenShift Container Platform | Product Trial
About the authors
Anjali Telang is a Principal Product Manager for Security and Identity in OpenShift at RedHat. She is a security and cloud enthusiast with over 16 years of experience in cloud, security and networking. Prior to leading Identity and Access Product Management (IAM) in RedHat OpenShift, she worked on Identity and Access Management in VMWare Tanzu and has held various product and engineering roles at RedHat, VMware and NetApp
More like this
Can't patch fast enough? Zero trust as a last line of defense
The path to zero trust: Bridging the gap between AI development and OpSec
Browse by channel
Automation
The latest on IT automation for tech, teams, and environments
Artificial intelligence
Updates on the platforms that free customers to run AI workloads anywhere
Open hybrid cloud
Explore how we build a more flexible future with hybrid cloud
Security
The latest on how we reduce risks across environments and technologies
Edge computing
Updates on the platforms that simplify operations at the edge
Infrastructure
The latest on the world’s leading enterprise Linux platform
Applications
Inside our solutions to the toughest application challenges
Virtualization
The future of enterprise virtualization for your workloads on-premise or across clouds