Workload attestation fails in k8s/quickstart #75

@donaldh

Description

I followed the K8S quickstart guide https://spiffe.io/docs/latest/try/getting-started-k8s/ but the final step failed:

$ kubectl exec -it $(kubectl get pods -o=jsonpath='{.items[0].metadata.name}' \
   -l app=client)  -- /bin/sh
/opt/spire # /opt/spire/bin/spire-agent api fetch -socketPath /run/spire/sockets/agent.sock
rpc error: code = PermissionDenied desc = no identity issued

From the spire-agent logs it seems like there are only unix selectors available but the registration entry uses k8s selectors:

time="2022-04-22T09:14:17Z" level=debug msg="PID attested to have selectors" pid=5532 selectors="[type:\"unix\" value:\"uid:0\" type:\"unix\" value:\"user:root\" type:\"unix\" value:\"gid:0\" type:\"unix\" value:\"group:root\" type:\"unix\" value:\"supplementary_gid:1\" type:\"unix\" value:\"supplementary_group:bin\" type:\"unix\" value:\"supplementary_gid:2\" type:\"unix\" value:\"supplementary_group:daemon\" type:\"unix\" value:\"supplementary_gid:3\" type:\"unix\" value:\"supplementary_group:sys\" type:\"unix\" value:\"supplementary_gid:4\" type:\"unix\" value:\"supplementary_group:adm\" type:\"unix\" value:\"supplementary_gid:6\" type:\"unix\" value:\"supplementary_group:disk\" type:\"unix\" value:\"supplementary_gid:10\" type:\"unix\" value:\"supplementary_group:wheel\" type:\"unix\" value:\"supplementary_gid:11\" type:\"unix\" value:\"supplementary_group:floppy\" type:\"unix\" value:\"supplementary_gid:20\" type:\"unix\" value:\"supplementary_group:dialout\" type:\"unix\" value:\"supplementary_gid:26\" type:\"unix\" value:\"supplementary_group:tape\" type:\"unix\" value:\"supplementary_gid:27\" type:\"unix\" value:\"supplementary_group:video\"]" subsystem_name=workload_attestor
time="2022-04-22T09:14:17Z" level=error msg="No identity issued" method=FetchX509SVID pid=5532 registered=false service=WorkloadAPI subsystem_name=endpoints
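One way to turn these two log lines into a diagnosis, as an added example that is not part of the issue or of SPIRE itself: parse the selectors out of the workload_attestor debug line and check them against a registration entry the way the agent does (an entry matches only when every one of its selectors is among the attested ones). The agent log line below is a constructed, shortened copy of the one above, and the k8s entry selectors are assumed placeholders in the shape the quickstart creates; the issue does not quote the real entry.

```python
import re
from typing import Dict, Set, Tuple

# Constructed sample, shortened from the workload_attestor debug line in the issue.
AGENT_LOG = (
    'time="2022-04-22T09:14:17Z" level=debug msg="PID attested to have selectors" '
    'pid=5532 selectors="[type:\\"unix\\" value:\\"uid:0\\" type:\\"unix\\" value:\\"user:root\\" '
    'type:\\"unix\\" value:\\"gid:0\\"]" subsystem_name=workload_attestor'
)

# Assumed registration entry (placeholders): namespace + service account selectors
# as the k8s quickstart registers them. Not copied from the issue.
ENTRY_SELECTORS: Set[str] = {"k8s:ns:default", "k8s:sa:default"}

# The agent escapes quotes inside the selectors field, so match the literal \" sequences.
_SELECTOR_RE = re.compile(r'type:\\"([^"\\]+)\\" value:\\"([^"\\]+)\\"')
_PID_RE = re.compile(r"\bpid=(\d+)\b")


def parse_attested_selectors(log_line: str) -> Tuple[int, Set[str]]:
    """Return (pid, {"type:value", ...}) from a 'PID attested to have selectors' line."""
    if "PID attested to have selectors" not in log_line:
        raise ValueError("not a workload_attestor selector line")
    m = _PID_RE.search(log_line)
    if m is None:
        raise ValueError("no pid field in log line")
    selectors = {f"{t}:{v}" for t, v in _SELECTOR_RE.findall(log_line)}
    return int(m.group(1)), selectors


def entry_matches(entry_selectors: Set[str], attested: Set[str]) -> bool:
    """SPIRE issues an entry's SVID only if all entry selectors are among the attested ones."""
    return entry_selectors <= attested


def diagnose(log_line: str, entry_selectors: Set[str]) -> Dict[str, object]:
    """Explain why an entry did or did not match, including which attestor types never ran."""
    pid, attested = parse_attested_selectors(log_line)
    missing = entry_selectors - attested
    attested_types = {s.split(":", 1)[0] for s in attested}
    required_types = {s.split(":", 1)[0] for s in entry_selectors}
    return {
        "pid": pid,
        "matches": entry_matches(entry_selectors, attested),
        "missing_selectors": sorted(missing),
        # A required type with zero attested selectors means that attestor plugin
        # produced nothing for this workload (here: k8s), not a value mismatch.
        "attestor_types_missing": sorted(required_types - attested_types),
    }


if __name__ == "__main__":
    print(diagnose(AGENT_LOG, ENTRY_SELECTORS))
```

An empty `attestor_types_missing` with non-empty `missing_selectors` points at wrong entry values; a non-empty `attestor_types_missing`, as here, points at the agent not running or not succeeding with that attestor.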
