Zero trust workload identity manager generally available on Red Hat OpenShift

We’re excited to announce the general availability of zero trust workload identity manager, a Red Hat solution that delivers universal, runtime-attested identities for workloads in your cloud-native deployments.

Modern applications run across multiple clusters, clouds, and regions, and traditional identity mechanisms—long-lived secrets, static certificates, or provider-specific Identity and Access Management (IAM)—struggle to keep up. Zero trust workload identity manager solves this by issuing ephemeral, cryptographically attested identities to workloads at runtime. This enables your applications to prove what they are, not just where they run.

This universal workload identity model is foundational to building zero trust architectures:

• No workload is trusted by default.
• Every identity is issued only after successful attestation of the workload.
• Identities are automatically rotated and stored in a security-focused manner.
• Applications communicate securely across organizational, cluster, and cloud boundaries.

Based on upstream SPIRE

Zero trust workload identity manager is based on the upstream SPIRE project, the reference implementation of the SPIFFE standard for workload identity. SPIRE provides the control plane for attestation, identity issuance, rotation, and security-focused storage - enabling workloads to receive short-lived, verifiable identities that integrate into your existing infrastructure.

SPIFFE/SPIRE supports multiple workload form factors, including both virtual machines (VMs) and containers, and zero trust workload identity manager can provide consistent identity management across heterogeneous environments.

By building on SPIRE, Red Hat extends trusted, open source technology with enterprise-ready capabilities such as multicluster federation, bring-your-own database support, and flexible configuration options.

What zero trust workload identity manager delivers

Alt Text: Image showing flow of identity from development to production.

With general availability, zero trust workload identity manager brings together all the capabilities from technology preview and expands them with new enterprise-ready features, making it a comprehensive solution for workload identity in Red Hat OpenShift and beyond.

Core capabilities include:

• Runtime workload identity issuance, powered by SPIRE, so every VM or container receives a security-focused, short-lived identity.
   
• Federation across environments with support for both OpenID Connect (OIDC) federation as well as SPIRE server↔SPIRE server federation that helps enable multicluster, hybrid, and multicloud workloads to authenticate consistently.
   
• Secretless authentication with Vault integration, allowing workloads to obtain credentials using their SPIFFE ID instead of static secrets.
   
• Bring Your Own Database (BYODB) support, giving organizations the flexibility to use their own PostgreSQL instance for compliance, resilience, and operational consistency.
   
• Flexible configuration options, supporting both simplified automation and advanced customization for security-conscious environments.
   
• End-to-end attestation workflows that connect application identity to your existing security stack—policy engines, service meshes, and CI/CD systems.
   
• Secure and Validated APIs to embed workload identity into pipelines and application communication patterns.

Agentic AI and the need for strong identity

As agentic AI becomes part of enterprise systems, workloads and humans often operate side by side - with equal standing in decision-making, orchestration, and action. This raises the stakes for auditability and traceability.

Zero trust workload identity manager, powered by SPIRE, provides a foundation for securing agentic AI workloads with the same rigor as human-driven processes. By attesting workloads and issuing verifiable identities to AI agents at runtime, organizations can:

• Ensure accountability for every action, whether initiated by a human or an AI system.
• Maintain traceability across complex, multistep workflows where AI agents interact with infrastructure and services.
• Apply consistent policies that don’t distinguish between “human” and “AI” workloads but enforce the same zero trust principles across both.

Why it matters

By unifying these capabilities, zero trust workload identity manager provides a single, consistent way to establish trust across your entire application landscape. Organizations adopting it can:

• Safeguard onboard workloads across Kubernetes clusters, hybrid cloud environments, and geographic regions.
• Reduce reliance on static secrets and manual certificate management.
• Build applications that trust each other based on continuously attested, short-lived identities rather than network placement.

The zero trust workload identity solution is available with Red Hat OpenShift Platform Plus, making it easier to adopt universal workload identity as part of a comprehensive platform for building, securing, and scaling applications - covering both VMs and containers across your environment.

Looking ahead

General availability is just the beginning. We are working on deeper integrations with service meshes, observability platforms, and workflows so that universal workload identity is not an add-on but a default part of your cloud-native architecture. And as enterprises adopt agentic AI, zero trust workload identity manager will help ensure that identity, trust, and accountability remain at the center of security-focused innovation. This comprehensive solution extends its benefits to both VMs and containers, providing consistent identity management across your entire infrastructure. Find out more here.