Service-to-service AuthN/AuthZ

Maintainer requirement: Router → Workload Manager authn/authz. This demo shows the two recommended approaches: ServiceAccount TokenReview + SubjectAccessReview or SPIFFE/SPIRE mTLS.

Why this matters in AgentCube
  • Workload Manager must verify the Router’s identity (avoid spoofed internal callers).
  • Workload Manager must authorize the Router to create sandboxes in the requested namespace.
  • SPIFFE/SPIRE reduces reliance on long-lived shared secrets and enables mTLS by default.
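
The TokenReview + SubjectAccessReview approach, seen from the Workload Manager's side, as an added Go example (not AgentCube code). It assumes the TokenReview request set spec.audiences; the audience, namespaces, ServiceAccount name and API group are constructed placeholders, and the two API round trips are replaced by sample JSON statuses.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of TokenReview .status; JSON keys match field names case-insensitively.
type trStatus struct {
	Authenticated bool
	Audiences     []string
	User          struct{ Username string; Groups []string }
}

// Subset of authorization.k8s.io/v1 SubjectAccessReview .spec.
type sarSpec struct {
	User   string            `json:"user"`
	Groups []string          `json:"groups"`
	Attrs  map[string]string `json:"resourceAttributes"`
}

// authenticate validates the TokenReview status and builds the SAR spec for ns.
func authenticate(status []byte, wantAud, ns string) (*sarSpec, error) {
	var st trStatus
	if err := json.Unmarshal(status, &st); err != nil {
		return nil, err
	}
	audOK := false
	for _, a := range st.Audiences {
		audOK = audOK || a == wantAud
	}
	if !st.Authenticated || !audOK { // reject tokens minted for another audience
		return nil, fmt.Errorf("token not authenticated for audience %q", wantAud)
	}
	return &sarSpec{User: st.User.Username, Groups: st.User.Groups, Attrs: map[string]string{
		"namespace": ns, "verb": "create", "resource": "sandboxes",
		"group": "PLACEHOLDER.example"}}, nil // API group: placeholder, not from the page
}

// authorized reads a SubjectAccessReview .status; an explicit deny always wins.
func authorized(status []byte) bool {
	var st struct{ Allowed, Denied bool }
	return json.Unmarshal(status, &st) == nil && st.Allowed && !st.Denied
}

func main() { // constructed sample statuses, not captured from a cluster
	tr := `{"authenticated":true,"audiences":["workload-manager"],"user":{"username":"system:serviceaccount:agentcube:router"}}`
	spec, err := authenticate([]byte(tr), "workload-manager", "team-a")
	fmt.Println(spec, err, authorized([]byte(`{"allowed":true}`)))
}
```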