{"id":1644,"date":"2023-10-05T12:22:12","date_gmt":"2023-10-05T12:22:12","guid":{"rendered":"https:\/\/imesh.ai\/blog\/?p=1644"},"modified":"2024-01-18T14:36:48","modified_gmt":"2024-01-18T14:36:48","slug":"istio-spire-workload-identity","status":"publish","type":"post","link":"https:\/\/imesh.ai\/blog\/istio-spire-workload-identity\/","title":{"rendered":"How to Integrate Istio and SPIRE for Secure Workload Identity"},"content":{"rendered":"\n<p><a href=\"https:\/\/imesh.ai\/blog\/what-is-istio\/\">Istio<\/a> provides strong identities for workloads running in the mesh by default.&nbsp;<\/p>\n\n\n\n<p>Istio control plane (<em>istiod<\/em>) and Istio agents (that run on each pod, within the <a href=\"https:\/\/imesh.ai\/blog\/what-is-envoy-proxy\/\">Envoy proxy<\/a> container) work together to sign, distribute, and rotate X.509 certificates to workloads (see Fig.A).<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"960\" height=\"540\" src=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/Istio-certificate-and-identity-mechanism.png\" alt=\"Istio certificate and identity mechanism\" class=\"wp-image-1645\" srcset=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/Istio-certificate-and-identity-mechanism.png 960w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/Istio-certificate-and-identity-mechanism-300x169.png 300w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/Istio-certificate-and-identity-mechanism-768x432.png 768w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/Istio-certificate-and-identity-mechanism-400x225.png 400w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/Istio-certificate-and-identity-mechanism-800x450.png 800w\" sizes=\"(max-width: 960px) 100vw, 960px\" \/><\/figure>\n<\/div>\n\n\n<p class=\"has-text-align-center\">Fig. 
A &#8211; Istio certificate and identity mechanism<\/p>\n\n\n\n<p>When Istio has such a robust <a href=\"https:\/\/istio.io\/latest\/docs\/concepts\/security\/#pki\">certificate and identity mechanism<\/a>, why should DevSecOps folks look into Istio-SPIRE integration?<\/p>\n\n\n\n<p>Let us see why, and then I will show you a simple demo where two workloads authenticate each other using SPIFFE IDs.<\/p>\n\n\n\n<p>But before proceeding, please read the introduction to SPIFFE and SPIRE if you are new or would like to refresh your understanding: <a href=\"https:\/\/imesh.ai\/blog\/spiffe-spire\/\">SPIFFE\/SPIRE: An Introduction<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Why Istio-SPIRE makes sense for Kubernetes workloads<\/h2>\n\n\n\n<p><a href=\"https:\/\/github.com\/spiffe\/spire\">SPIRE<\/a> is a production-ready implementation of the SPIFFE standards that provides identity for workloads deployed in a heterogeneous environment. <strong>Using a dedicated identity mechanism like SPIRE with Istio gives the advantage of flexibility, scalability, and added granularity for defense in depth.<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>While Istio primarily uses attributes based on Kubernetes metadata, like namespace, service account, and labels, the scope of SPIRE\u2019s workload authentication extends beyond them. Using SPIRE, DevSecOps can set granular identity based on the following attributes and more:<br>\n<ul class=\"wp-block-list\">\n<li>Node characteristics \u2013 host machine, hardware<\/li>\n\n\n\n<li>Environment metadata \u2013 cloud provider, region, network configs<\/li>\n\n\n\n<li>Vendor-specific labels \u2013 instance type or instance ID in AWS<br><\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>SPIRE provides workload identity regardless of where the workload is deployed. 
It can easily and securely authenticate a VM workload to the services in the mesh by deploying Istio sidecar and SPIRE agent in the VM.<br><\/li>\n\n\n\n<li>SPIRE allows federation between trust domains. For example, let us say you have a few clusters with a different <em>trustDomain<\/em> value per cluster. When you want to securely authenticate workloads from clusters with different <em>trustDomain <\/em>values, Istio root CA might fail to issue certs. Here DevSecOps can use Istio-SPIRE, as SPIRE can establish trust and federate communication between trust domains using trust bundles.<\/li>\n<\/ul>\n\n\n\n<p>When you have SPIRE agents and server running in the mesh, this is how the certificate and private key distribution flow would look like:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" width=\"960\" height=\"540\" src=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/Istio-spire-certificate-and-private-key-flow.png\" alt=\"Istio-spire certificate and private key flow\" class=\"wp-image-1646\" srcset=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/Istio-spire-certificate-and-private-key-flow.png 960w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/Istio-spire-certificate-and-private-key-flow-300x169.png 300w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/Istio-spire-certificate-and-private-key-flow-768x432.png 768w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/Istio-spire-certificate-and-private-key-flow-400x225.png 400w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/Istio-spire-certificate-and-private-key-flow-800x450.png 800w\" sizes=\"(max-width: 960px) 100vw, 960px\" \/><\/figure>\n<\/div>\n\n\n<p class=\"has-text-align-center\">Istio-SPIRE certificate and private key distribution flow<\/p>\n\n\n\n<p>Note that the SPIRE agent runs on each node as a daemon. 
The SPIRE server can be in the same node or a different one, or in a different cluster altogether.<\/p>\n\n\n\n<p>Now let us see how to implement SPIRE with Istio and use SPIRE control manager to issue identities for workloads in the mesh.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Istio-SPIRE: Prerequisites<\/h2>\n\n\n\n<p>There are two ways to register workloads in a SPIRE server: <a href=\"https:\/\/istio.io\/latest\/docs\/ops\/integrations\/spire\/#option-2-configuration-for-manual-workload-registration-with-spire\">manual<\/a> and <a href=\"https:\/\/istio.io\/latest\/docs\/ops\/integrations\/spire\/#option-1-configuration-for-workload-registration-with-the-spire-controller-manager\">automatic<\/a>.&nbsp;<\/p>\n\n\n\n<p>I\u2019m using the automatic method where I deploy the <a href=\"https:\/\/github.com\/spiffe\/spire-controller-manager\">SPIRE control manager<\/a> along with the SPIRE server, which automatically registers new entries for each new pod that matches the selector defined in a <a href=\"https:\/\/github.com\/spiffe\/spire-controller-manager\/blob\/main\/docs\/clusterspiffeid-crd.md\"><em>ClusterSPIFFEID<\/em><\/a> custom resource.<\/p>\n\n\n\n<p>I\u2019m using a single cluster, 2-node setup locally, with a service deployed in each node. 
This is how it would look like in the end:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" width=\"960\" height=\"540\" src=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/spire-server-and-agents-in-Kubernetes-cluster.png\" alt=\"spire server and agents in Kubernetes cluster\" class=\"wp-image-1647\" srcset=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/spire-server-and-agents-in-Kubernetes-cluster.png 960w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/spire-server-and-agents-in-Kubernetes-cluster-300x169.png 300w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/spire-server-and-agents-in-Kubernetes-cluster-768x432.png 768w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/spire-server-and-agents-in-Kubernetes-cluster-400x225.png 400w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/spire-server-and-agents-in-Kubernetes-cluster-800x450.png 800w\" sizes=\"(max-width: 960px) 100vw, 960px\" \/><\/figure>\n<\/div>\n\n\n<p>To carry out this demo, all you need are Istioctl and Kubectl command-line tools. You can see the YAMLs used for the demo <a href=\"https:\/\/github.com\/imesh-ai\/webinar\/commit\/3f66810cd6bb22acee4e4bbc56b73a57b8802dd6\">here<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Steps to integrate SPIRE with Istio<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"#install-spire\">Step #1: Install SPIRE to Kubernetes<\/a><\/li>\n\n\n\n<li><a href=\"#apply-cluster\">Step #2: Apply <em>ClusterSPIFFEID <\/em>to generate certificates for workloads<\/a><\/li>\n\n\n\n<li><a href=\"#install-custom-istio\">Step #3: Install custom Istio<\/a><\/li>\n\n\n\n<li><a href=\"#deploy-workloads\">Step #4: Deploy workloads into Istio-enabled namespace<\/a><\/li>\n\n\n\n<li><a href=\"#commnication-pods\">Step #5: Initiate communication between pods<\/a><\/li>\n<\/ul>\n\n\n\n<p>Before you begin, make sure that Istio is not installed in your cluster. 
The SPIRE server has to be deployed in the cluster before Istio so that the <a href=\"https:\/\/imesh.ai\/blog\/how-to-use-istio-ingress-gateway-as-application-load-balancer-alb\/\">Istio ingress gateway<\/a> can get its certificate from the SPIRE server. Check step #3 for more details.<\/p>\n\n\n\n<p>Watch the following video to see the demo in action:<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<iframe title=\"Configuring Istio and SPIRE for Secure Workload Identity | SPIRE | IMESH | Demo\" width=\"1130\" height=\"636\" src=\"https:\/\/www.youtube.com\/embed\/kcr-VaXRe0k?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" allowfullscreen><\/iframe>\n<\/div><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading install-spire\" id=\"install-spire\">Step #1: Install SPIRE to Kubernetes&nbsp;<\/h3>\n\n\n\n<p>Apply <a href=\"https:\/\/github.com\/imesh-ai\/webinar\/commit\/3f66810cd6bb22acee4e4bbc56b73a57b8802dd6#diff-e2e62cb7af13dcd2945c10f553481d0a6fad2e0b2eec838e101ff641b18d4f90\"><em>spire-quickstart.yaml<\/em><\/a><em> <\/em>to install SPIRE. The configuration has everything you need to install SPIRE. It includes definitions for the namespace, SPIRE server and agent, cluster role configurations, webhooks to validate the cluster, and the SPIRE control manager.<\/p>\n\n\n\n<p>The configuration comes by default with Istio and you can find it at <em>\/istio-(your_version)\/samples\/security\/spire<\/em>. Apply it to install SPIRE in your cluster:<\/p>\n\n\n\n<pre class=\"wp-block-code has-white-color has-black-background-color has-text-color has-background\"><code>kubectl apply -f spire-quickstart.yaml<\/code><\/pre>\n\n\n\n<p>As mentioned above, I\u2019m using a 2-node setup locally. 
That means a SPIRE agent on each node and a SPIRE server they talk to. You can see the deployments in <em>spire <\/em>namespace using the following command:<\/p>\n\n\n\n<pre class=\"wp-block-code has-white-color has-black-background-color has-text-color has-background\"><code>kubectl get all -n spire<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1003\" height=\"133\" src=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/spire-deployments.png\" alt=\"Spire Deployment\" class=\"wp-image-1649\" srcset=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/spire-deployments.png 1003w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/spire-deployments-300x40.png 300w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/spire-deployments-768x102.png 768w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/spire-deployments-400x53.png 400w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/spire-deployments-800x106.png 800w\" sizes=\"(max-width: 1003px) 100vw, 1003px\" \/><\/figure>\n\n\n\n<p>The SPIRE agent pods house <em>spire-agent<\/em>, <a href=\"https:\/\/github.com\/spiffe\/spiffe-csi\"><em>spiffe-csi-driver<\/em><\/a>, and <em>node-driver-registrar <\/em>containers, while the SPIRE server pod has <em>spire-server<\/em> and <em>spire-control-manager <\/em>in it.<\/p>\n\n\n\n<h3 class=\"wp-block-heading apply-cluster\" id=\"apply-cluster\">Step #2: Apply <em>ClusterSPIFFEID<\/em> to generate certificates for workloads<\/h3>\n\n\n\n<p>Apply <a href=\"https:\/\/github.com\/imesh-ai\/webinar\/commit\/3f66810cd6bb22acee4e4bbc56b73a57b8802dd6#diff-aed36f5d8621520cf2a0af865a08c95399a30c0475e9d2870d8c008081289a51\"><em>cluster-spiffe-id.yaml<\/em><\/a><em> <\/em>(given below) to generate certificates for workloads by the SPIRE control manager.<\/p>\n\n\n\n<pre class=\"wp-block-code has-white-color has-black-background-color has-text-color 
has-background\"><code>apiVersion: spire.spiffe.io\/v1alpha1\nkind: ClusterSPIFFEID\nmetadata:\n  name: spiffe-id\nspec:\n  spiffeIDTemplate: \"spiffe:\/\/{{ .TrustDomain }}\/ns\/{{ .PodMeta.Namespace }}\/sa\/{{ .PodSpec.ServiceAccountName }}\"\n  podSelector:\n    matchLabels:\n      spiffe.io\/spire-managed-identity: \"true\"<\/code><\/pre>\n\n\n\n<p>The YAML defines a pod selector: whenever a pod carries the label <em>spiffe.io\/spire-managed-identity: &#8220;true&#8221;<\/em>, the SPIRE control manager provides a SPIFFE ID for that workload. You can also set a custom <em>spiffeIDTemplate<\/em>. I\u2019ve used the default one here. Apply the YAML:<\/p>\n\n\n\n<pre class=\"wp-block-code has-white-color has-black-background-color has-text-color has-background\"><code>kubectl apply -f cluster-spiffe-id.yaml<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading install-custom-istio\" id=\"install-custom-istio\">Step #3: Install custom Istio<\/h3>\n\n\n\n<p>Since we want Istio Ingress Gateway to get certificates from the SPIRE control manager, we add the label <em>spiffe.io\/spire-managed-identity: &#8220;true&#8221;<\/em>, used in the above step, to <em>ingressGateways <\/em>in <a href=\"https:\/\/github.com\/imesh-ai\/webinar\/commit\/3f66810cd6bb22acee4e4bbc56b73a57b8802dd6#diff-d524c9178036544c3c27215e9e0ce5cb9ca5949ac46d676518b1b5233909a599\"><em>custom-istio.yaml<\/em><\/a>. 
I\u2019m using <em>istioctl <\/em>to deploy <em>custom-istio.yaml<\/em>:<\/p>\n\n\n\n<pre class=\"wp-block-code has-white-color has-black-background-color has-text-color has-background\"><code>istioctl install --skip-confirmation -f custom-istio.yaml<\/code><\/pre>\n\n\n\n<p>To verify if Istio Ingress Gateway is registered with SPIRE, <em>exec <\/em>into the SPIRE server container inside the SPIRE server pod and check the entries:<\/p>\n\n\n\n<pre class=\"wp-block-code has-white-color has-black-background-color has-text-color has-background\"><code>kubectl exec -t spire-server-d456d6b54-q9b5g -n spire -c spire-server -- .\/bin\/spire-server entry show<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"164\" src=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/istio-ingress-gateway-entry-in-spire-server-1024x164.png\" alt=\"istio ingress gateway entry in spire server\" class=\"wp-image-1650\" srcset=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/istio-ingress-gateway-entry-in-spire-server-1024x164.png 1024w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/istio-ingress-gateway-entry-in-spire-server-300x48.png 300w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/istio-ingress-gateway-entry-in-spire-server-768x123.png 768w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/istio-ingress-gateway-entry-in-spire-server-400x64.png 400w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/istio-ingress-gateway-entry-in-spire-server-800x128.png 800w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/istio-ingress-gateway-entry-in-spire-server-1160x186.png 1160w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/istio-ingress-gateway-entry-in-spire-server.png 1221w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>You can see the <em>istio-ingressgateway-service-account <\/em>entry in the SPIRE server and its 
SPIFFE ID.<\/p>\n\n\n\n<h3 class=\"wp-block-heading deploy-workloads\" id=\"deploy-workloads\">Step #4: Deploy workloads into Istio-enabled namespace<\/h3>\n\n\n\n<p>I\u2019m deploying two services, <em>echoserver-service <\/em>and <em>sleep<\/em>, into istio-injection enabled <em>ns1 <\/em>namespace. 
I have labeled both services with the <em>ClusterSPIFFEID<\/em> match label, as I did in step #3, so that the SPIRE control manager generates a workload identity for them.<\/p>\n\n\n\n<p>Also, I have annotated both services with <em>inject.istio.io\/templates: &#8220;sidecar, spire&#8221; <\/em>since they need the <a href=\"https:\/\/github.com\/spiffe\/spiffe-csi\">SPIFFE CSI<\/a> driver volume to access the socket of the SPIRE agent on the node they are deployed to. The SPIRE injection template is defined in <a href=\"https:\/\/github.com\/imesh-ai\/webinar\/commit\/3f66810cd6bb22acee4e4bbc56b73a57b8802dd6#diff-d524c9178036544c3c27215e9e0ce5cb9ca5949ac46d676518b1b5233909a599\"><em>custom-istio.yaml<\/em><\/a>.<\/p>\n\n\n\n<p><strong>Note:<\/strong> The SPIRE agent uses the SPIFFE CSI driver to inject a Unix domain socket into the pods so that the Envoy proxy can fetch identities from SPIRE. You can also add the CSI driver volume to the workloads directly instead of annotating the services. But annotating as I showed above is the easier way to get started.<\/p>\n\n\n\n<p>Let us deploy <a href=\"https:\/\/github.com\/imesh-ai\/webinar\/commit\/3f66810cd6bb22acee4e4bbc56b73a57b8802dd6#diff-a0703643d7df8dbd9fc4a75b9630cd38d422087e99f17d574aef0a759ccd3a8f\"><em>workload.yaml<\/em><\/a><em> <\/em>that contains the above configurations:<\/p>\n\n\n\n<pre class=\"wp-block-code has-white-color has-black-background-color has-text-color has-background\"><code>kubectl apply -f workload.yaml<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"851\" height=\"92\" src=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/workloads-running-successfully.png\" alt=\"workloads running successfully\" class=\"wp-image-1651\" srcset=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/workloads-running-successfully.png 851w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/workloads-running-successfully-300x32.png 300w, 
https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/workloads-running-successfully-768x83.png 768w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/workloads-running-successfully-400x43.png 400w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/workloads-running-successfully-800x86.png 800w\" sizes=\"(max-width: 851px) 100vw, 851px\" \/><\/figure>\n\n\n\n<p>We can see that workloads are running fine. Now let us verify whether the workloads have received SPIFFE IDs like we verified Istio Ingress Gateway in step #3. Run:<\/p>\n\n\n\n<pre class=\"wp-block-code has-white-color has-black-background-color has-text-color has-background\"><code>kubectl exec -t spire-server-d456d6b54-q9b5g -n spire -c spire-server -- .\/bin\/spire-server entry show<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"430\" src=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/spire-server-registry-with-3-entries-1024x430.png\" alt=\"spire server registry with 3 entries\" class=\"wp-image-1652\" srcset=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/spire-server-registry-with-3-entries-1024x430.png 1024w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/spire-server-registry-with-3-entries-300x126.png 300w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/spire-server-registry-with-3-entries-768x322.png 768w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/spire-server-registry-with-3-entries-400x168.png 400w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/spire-server-registry-with-3-entries-800x336.png 800w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/spire-server-registry-with-3-entries-1160x487.png 1160w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/spire-server-registry-with-3-entries.png 1303w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>You can see there are three entries for Istio 
Ingress Gateway, Echo service, and Sleep service, respectively, in the SPIRE server registry.<\/p>\n\n\n\n<h3 class=\"wp-block-heading commnication-pods\" id=\"commnication-pods\">Step #5: Initiate communication between pods and verify SPIRE authentication<\/h3>\n\n\n\n<p>Use the following command to <em>exec <\/em>into the <em>sleep <\/em>pod and <em>curl<\/em> <em>echoserver-service<\/em>:<\/p>\n\n\n\n<pre class=\"wp-block-code has-white-color has-black-background-color has-text-color has-background\"><code>kubectl exec deploy\/sleep-depl-ns1 -n ns1 -- curl -s http:\/\/echoserver-service-ns1.ns1.svc.cluster.local<\/code><\/pre>\n\n\n\n<p>If the connection is successful, among other information, it will return Envoy cluster details and the client certificate, which is a SPIFFE ID followed by a hash (see the image below).<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"271\" src=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/envoy-cluster-details-and-client-spiffe-id-1024x271.png\" alt=\"envoy cluster details and client spiffe id\" class=\"wp-image-1653\" srcset=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/envoy-cluster-details-and-client-spiffe-id-1024x271.png 1024w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/envoy-cluster-details-and-client-spiffe-id-300x79.png 300w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/envoy-cluster-details-and-client-spiffe-id-768x203.png 768w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/envoy-cluster-details-and-client-spiffe-id-400x106.png 400w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/envoy-cluster-details-and-client-spiffe-id-800x212.png 800w, https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/envoy-cluster-details-and-client-spiffe-id-1160x307.png 1160w, 
https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/envoy-cluster-details-and-client-spiffe-id.png 1325w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n\n\n<h2 class=\"wp-block-heading\">Zero trust networks with Istio-SPIRE integration<\/h2>\n\n\n\n<p>SPIRE lays the foundation for <a href=\"https:\/\/imesh.ai\/blog\/zero-trust-network-for-microservices-with-istio\/\">zero trust networks<\/a> by issuing and attesting identity for workloads. Istio-SPIRE integration makes SPIRE the identity provider for services running in the mesh. It gives flexibility for DevSecOps folks, allowing them to set identities based on granular attributes and federation of trust domains.<\/p>\n\n\n\n<p>Try it out to see how it works. <a href=\"https:\/\/imesh.ai\/talk-to-an-istio-expert.html\">Talk to one of our Istio experts<\/a> if you need help with configuring Istio-SPIRE enterprise-wide, or any help with Istio in general for that matter.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Istio provides strong identities for workloads running in the mesh by default.&nbsp;<span class=\"excerpt-more\"><\/span><\/p>\n","protected":false},"author":9,"featured_media":1654,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[32,36],"tags":[106,53,89,69],"class_list":["post-1644","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-istio-service-mesh","category-security","tag-authentication","tag-istio","tag-microservices","tag-security"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>How to Integrate Istio and SPIRE for Secure Workload Identity<\/title>\n<meta name=\"description\" content=\"Learn how to issue and attest identity certificates from SPIRE to Istio sidecars for Kubernetes workloads.\" \/>\n<meta name=\"robots\" content=\"index, follow, 
max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/imesh.ai\/blog\/istio-spire-workload-identity\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How to Integrate Istio and SPIRE for Secure Workload Identity\" \/>\n<meta property=\"og:description\" content=\"Learn how to issue and attest identity certificates from SPIRE to Istio sidecars for Kubernetes workloads.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/imesh.ai\/blog\/istio-spire-workload-identity\/\" \/>\n<meta property=\"og:site_name\" content=\"IMESH\" \/>\n<meta property=\"article:published_time\" content=\"2023-10-05T12:22:12+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-01-18T14:36:48+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/How-to-Integrate-Istio-and-SPIRE-for-Secure-Workload-Identity.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1280\" \/>\n\t<meta property=\"og:image:height\" content=\"720\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Md Azmal\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Md Azmal\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/imesh.ai\/blog\/istio-spire-workload-identity\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/imesh.ai\/blog\/istio-spire-workload-identity\/\"},\"author\":{\"name\":\"Md Azmal\",\"@id\":\"https:\/\/imesh.ai\/blog\/#\/schema\/person\/fdb37d3095697308d103c83ffdf37f10\"},\"headline\":\"How to Integrate Istio and SPIRE for Secure Workload Identity\",\"datePublished\":\"2023-10-05T12:22:12+00:00\",\"dateModified\":\"2024-01-18T14:36:48+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/imesh.ai\/blog\/istio-spire-workload-identity\/\"},\"wordCount\":1243,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/imesh.ai\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/imesh.ai\/blog\/istio-spire-workload-identity\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/How-to-Integrate-Istio-and-SPIRE-for-Secure-Workload-Identity.png\",\"keywords\":[\"authentication\",\"istio\",\"microservices\",\"security\"],\"articleSection\":[\"Istio service mesh\",\"Security\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/imesh.ai\/blog\/istio-spire-workload-identity\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/imesh.ai\/blog\/istio-spire-workload-identity\/\",\"url\":\"https:\/\/imesh.ai\/blog\/istio-spire-workload-identity\/\",\"name\":\"How to Integrate Istio and SPIRE for Secure Workload 
Identity\",\"isPartOf\":{\"@id\":\"https:\/\/imesh.ai\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/imesh.ai\/blog\/istio-spire-workload-identity\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/imesh.ai\/blog\/istio-spire-workload-identity\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/How-to-Integrate-Istio-and-SPIRE-for-Secure-Workload-Identity.png\",\"datePublished\":\"2023-10-05T12:22:12+00:00\",\"dateModified\":\"2024-01-18T14:36:48+00:00\",\"description\":\"Learn how to issue and attest identity certificates from SPIRE to Istio sidecars for Kubernetes workloads.\",\"breadcrumb\":{\"@id\":\"https:\/\/imesh.ai\/blog\/istio-spire-workload-identity\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/imesh.ai\/blog\/istio-spire-workload-identity\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/imesh.ai\/blog\/istio-spire-workload-identity\/#primaryimage\",\"url\":\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/How-to-Integrate-Istio-and-SPIRE-for-Secure-Workload-Identity.png\",\"contentUrl\":\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/How-to-Integrate-Istio-and-SPIRE-for-Secure-Workload-Identity.png\",\"width\":1280,\"height\":720,\"caption\":\"How to Integrate Istio and SPIRE for Secure Workload Identity\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/imesh.ai\/blog\/istio-spire-workload-identity\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/imesh.ai\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"How to Integrate Istio and SPIRE for Secure Workload Identity\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/imesh.ai\/blog\/#website\",\"url\":\"https:\/\/imesh.ai\/blog\/\",\"name\":\"IMESH 
Blog\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/imesh.ai\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/imesh.ai\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/imesh.ai\/blog\/#organization\",\"name\":\"IMESH\",\"url\":\"https:\/\/imesh.ai\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/imesh.ai\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/IMESH-LOGO-scaled.jpg\",\"contentUrl\":\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/IMESH-LOGO-scaled.jpg\",\"width\":2560,\"height\":1665,\"caption\":\"IMESH\"},\"image\":{\"@id\":\"https:\/\/imesh.ai\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/imeshai\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/imesh.ai\/blog\/#\/schema\/person\/fdb37d3095697308d103c83ffdf37f10\",\"name\":\"Md Azmal\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/imesh.ai\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/1563300189291-150x150.jpg\",\"contentUrl\":\"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/1563300189291-150x150.jpg\",\"caption\":\"Md Azmal\"},\"description\":\"Azmal is one of the founding engineers at IMESH, who focuses on boosting enterprise performance and security using Istio and Envoy. He's a versatile full-stack developer skilled in building scalable and performant applications in the cloud. 
Azmal's interest in cybersecurity and networking has led him to work on various research projects in network security.\",\"sameAs\":[\"https:\/\/imesh.ai\",\"https:\/\/www.linkedin.com\/in\/md-azmal-570308160\"],\"url\":\"https:\/\/imesh.ai\/blog\/author\/azmal-mdimesh-ai\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How to Integrate Istio and SPIRE for Secure Workload Identity","description":"Learn how to issue and attest identity certificates from SPIRE to Istio sidecars for Kubernetes workloads.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/imesh.ai\/blog\/istio-spire-workload-identity\/","og_locale":"en_US","og_type":"article","og_title":"How to Integrate Istio and SPIRE for Secure Workload Identity","og_description":"Learn how to issue and attest identity certificates from SPIRE to Istio sidecars for Kubernetes workloads.","og_url":"https:\/\/imesh.ai\/blog\/istio-spire-workload-identity\/","og_site_name":"IMESH","article_published_time":"2023-10-05T12:22:12+00:00","article_modified_time":"2024-01-18T14:36:48+00:00","og_image":[{"width":1280,"height":720,"url":"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/How-to-Integrate-Istio-and-SPIRE-for-Secure-Workload-Identity.png","type":"image\/png"}],"author":"Md Azmal","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Md Azmal","Est. 
reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/imesh.ai\/blog\/istio-spire-workload-identity\/#article","isPartOf":{"@id":"https:\/\/imesh.ai\/blog\/istio-spire-workload-identity\/"},"author":{"name":"Md Azmal","@id":"https:\/\/imesh.ai\/blog\/#\/schema\/person\/fdb37d3095697308d103c83ffdf37f10"},"headline":"How to Integrate Istio and SPIRE for Secure Workload Identity","datePublished":"2023-10-05T12:22:12+00:00","dateModified":"2024-01-18T14:36:48+00:00","mainEntityOfPage":{"@id":"https:\/\/imesh.ai\/blog\/istio-spire-workload-identity\/"},"wordCount":1243,"commentCount":0,"publisher":{"@id":"https:\/\/imesh.ai\/blog\/#organization"},"image":{"@id":"https:\/\/imesh.ai\/blog\/istio-spire-workload-identity\/#primaryimage"},"thumbnailUrl":"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/How-to-Integrate-Istio-and-SPIRE-for-Secure-Workload-Identity.png","keywords":["authentication","istio","microservices","security"],"articleSection":["Istio service mesh","Security"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/imesh.ai\/blog\/istio-spire-workload-identity\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/imesh.ai\/blog\/istio-spire-workload-identity\/","url":"https:\/\/imesh.ai\/blog\/istio-spire-workload-identity\/","name":"How to Integrate Istio and SPIRE for Secure Workload Identity","isPartOf":{"@id":"https:\/\/imesh.ai\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/imesh.ai\/blog\/istio-spire-workload-identity\/#primaryimage"},"image":{"@id":"https:\/\/imesh.ai\/blog\/istio-spire-workload-identity\/#primaryimage"},"thumbnailUrl":"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/How-to-Integrate-Istio-and-SPIRE-for-Secure-Workload-Identity.png","datePublished":"2023-10-05T12:22:12+00:00","dateModified":"2024-01-18T14:36:48+00:00","description":"Learn how to issue and attest identity certificates from SPIRE to 
Istio sidecars for Kubernetes workloads.","breadcrumb":{"@id":"https:\/\/imesh.ai\/blog\/istio-spire-workload-identity\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/imesh.ai\/blog\/istio-spire-workload-identity\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/imesh.ai\/blog\/istio-spire-workload-identity\/#primaryimage","url":"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/How-to-Integrate-Istio-and-SPIRE-for-Secure-Workload-Identity.png","contentUrl":"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/How-to-Integrate-Istio-and-SPIRE-for-Secure-Workload-Identity.png","width":1280,"height":720,"caption":"How to Integrate Istio and SPIRE for Secure Workload Identity"},{"@type":"BreadcrumbList","@id":"https:\/\/imesh.ai\/blog\/istio-spire-workload-identity\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/imesh.ai\/blog\/"},{"@type":"ListItem","position":2,"name":"How to Integrate Istio and SPIRE for Secure Workload Identity"}]},{"@type":"WebSite","@id":"https:\/\/imesh.ai\/blog\/#website","url":"https:\/\/imesh.ai\/blog\/","name":"IMESH 
Blog","description":"","publisher":{"@id":"https:\/\/imesh.ai\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/imesh.ai\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/imesh.ai\/blog\/#organization","name":"IMESH","url":"https:\/\/imesh.ai\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/imesh.ai\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/IMESH-LOGO-scaled.jpg","contentUrl":"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/IMESH-LOGO-scaled.jpg","width":2560,"height":1665,"caption":"IMESH"},"image":{"@id":"https:\/\/imesh.ai\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.linkedin.com\/company\/imeshai"]},{"@type":"Person","@id":"https:\/\/imesh.ai\/blog\/#\/schema\/person\/fdb37d3095697308d103c83ffdf37f10","name":"Md Azmal","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/imesh.ai\/blog\/#\/schema\/person\/image\/","url":"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/1563300189291-150x150.jpg","contentUrl":"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/03\/1563300189291-150x150.jpg","caption":"Md Azmal"},"description":"Azmal is one of the founding engineers at IMESH, who focuses on boosting enterprise performance and security using Istio and Envoy. He's a versatile full-stack developer skilled in building scalable and performant applications in the cloud. 
Azmal's interest in cybersecurity and networking has led him to work on various research projects in network security.","sameAs":["https:\/\/imesh.ai","https:\/\/www.linkedin.com\/in\/md-azmal-570308160"],"url":"https:\/\/imesh.ai\/blog\/author\/azmal-mdimesh-ai\/"}]}},"jetpack_featured_media_url":"https:\/\/imesh.ai\/blog\/wp-content\/uploads\/2023\/10\/How-to-Integrate-Istio-and-SPIRE-for-Secure-Workload-Identity.png","_links":{"self":[{"href":"https:\/\/imesh.ai\/blog\/wp-json\/wp\/v2\/posts\/1644","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/imesh.ai\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/imesh.ai\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/imesh.ai\/blog\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/imesh.ai\/blog\/wp-json\/wp\/v2\/comments?post=1644"}],"version-history":[{"count":7,"href":"https:\/\/imesh.ai\/blog\/wp-json\/wp\/v2\/posts\/1644\/revisions"}],"predecessor-version":[{"id":1875,"href":"https:\/\/imesh.ai\/blog\/wp-json\/wp\/v2\/posts\/1644\/revisions\/1875"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/imesh.ai\/blog\/wp-json\/wp\/v2\/media\/1654"}],"wp:attachment":[{"href":"https:\/\/imesh.ai\/blog\/wp-json\/wp\/v2\/media?parent=1644"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/imesh.ai\/blog\/wp-json\/wp\/v2\/categories?post=1644"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/imesh.ai\/blog\/wp-json\/wp\/v2\/tags?post=1644"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}