CONCEPT Cited by 1 source
Workload identity
A workload identity is a stable, fine-grained identifier naming the logical unit of software running on a host: typically more specific than "this instance" (an EC2 instance or VM) and as specific as "this container" or "this service". Workload identities are the canonical resolution target for concepts/ip-attribution: any packet or flow observed on a host should be attributable to the workload identity that owns it.
Provisioning
Two canonical shapes appear in Netflix's architecture:
- EC2-instance path. A boot-time provisioning service (Metatron at Netflix) issues an identity certificate per instance; the identity is readable from local disk by any process running on the instance, so its granularity is the instance, not the individual process.
- Container path. A per-host daemon (IPManAgent) writes `IP → workload-ID` (and `(IP, port) → workload-ID` for shared-IP scenarios) into an eBPF map when each container starts; kernel-resident observers can then resolve the workload owning a socket without a userspace round-trip (patterns/ebpf-map-for-local-attribution).
Why this matters
Workload identities turn "who is at this IP?" from a topology question into a fact that is queryable at capture time. Local workload identity resolution is the load-bearing move that makes accurate heartbeat-based ownership possible: every flow emerges pre-tagged with the local identity, so downstream attribution never has to reconstruct it after the fact.
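The container-path lookup (Provisioning, above) and the "pre-tagged flow" idea in this section are easiest to see in code. The following is an added example, not code from the Netflix post, IPMan or FlowExporter. It models the two eBPF maps as fixed-size userspace arrays so it runs without a kernel, and the key layouts, the string workload IDs, the sample host state and every function name are assumptions made for illustration. What it shows is the resolution order a kernel-resident observer needs: the most specific key, `(IP, port)`, wins for containers that share a host IP, the IP-only entry is the fallback for containers with a dedicated IP, and a flow is tagged with the result at the moment it is captured.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the two eBPF hash maps the page describes:
 * one keyed by IP only, one keyed by (IP, port) for shared-IP scenarios.
 * Plain arrays replace BPF_MAP_TYPE_HASH so this runs in userspace; the
 * key layouts are assumptions, not IPMan's actual map definitions. */
#define MAX_ENTRIES 16
#define WID_LEN 32
#define IPV4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                          ((uint32_t)(c) << 8) | (uint32_t)(d))

struct ip_entry      { int used; uint32_t ip; char wid[WID_LEN]; };
struct ip_port_entry { int used; uint32_t ip; uint16_t port; char wid[WID_LEN]; };

static struct ip_entry      ip_map[MAX_ENTRIES];
static struct ip_port_entry ip_port_map[MAX_ENTRIES];

static void copy_wid(char *dst, const char *src) {
    strncpy(dst, src, WID_LEN - 1);
    dst[WID_LEN - 1] = '\0';
}

/* Agent side: at container start, publish IP -> workload-ID (upsert). */
int map_put_ip(uint32_t ip, const char *wid) {
    int free_slot = -1;
    for (int i = 0; i < MAX_ENTRIES; i++) {
        if (ip_map[i].used && ip_map[i].ip == ip) { copy_wid(ip_map[i].wid, wid); return 0; }
        if (!ip_map[i].used && free_slot < 0) free_slot = i;
    }
    if (free_slot < 0) return -1;               /* map full */
    ip_map[free_slot].used = 1;
    ip_map[free_slot].ip = ip;
    copy_wid(ip_map[free_slot].wid, wid);
    return 0;
}

/* Agent side: for a container sharing a host IP, publish (IP, port) -> workload-ID. */
int map_put_ip_port(uint32_t ip, uint16_t port, const char *wid) {
    int free_slot = -1;
    for (int i = 0; i < MAX_ENTRIES; i++) {
        if (ip_port_map[i].used && ip_port_map[i].ip == ip && ip_port_map[i].port == port) {
            copy_wid(ip_port_map[i].wid, wid);
            return 0;
        }
        if (!ip_port_map[i].used && free_slot < 0) free_slot = i;
    }
    if (free_slot < 0) return -1;
    ip_port_map[free_slot].used = 1;
    ip_port_map[free_slot].ip = ip;
    ip_port_map[free_slot].port = port;
    copy_wid(ip_port_map[free_slot].wid, wid);
    return 0;
}

/* Observer side: resolve the local workload owning a socket.
 * Most specific key first, IP-only fallback second, NULL if unknown. */
const char *resolve_local_workload(uint32_t ip, uint16_t port) {
    for (int i = 0; i < MAX_ENTRIES; i++)
        if (ip_port_map[i].used && ip_port_map[i].ip == ip && ip_port_map[i].port == port)
            return ip_port_map[i].wid;
    for (int i = 0; i < MAX_ENTRIES; i++)
        if (ip_map[i].used && ip_map[i].ip == ip)
            return ip_map[i].wid;
    return NULL;
}

/* A locally originated flow, tagged with its owner at capture time. */
struct flow_record {
    uint32_t src_ip; uint16_t src_port;
    uint32_t dst_ip; uint16_t dst_port;
    char local_wid[WID_LEN];
};

/* Returns 1 if the flow could be attributed, 0 if it is tagged "unknown". */
int tag_flow(struct flow_record *f) {
    const char *wid = resolve_local_workload(f->src_ip, f->src_port);
    copy_wid(f->local_wid, wid ? wid : "unknown");
    return wid != NULL;
}

/* Constructed sample host state (not taken from the Netflix post). */
void load_sample_host(void) {
    map_put_ip(IPV4(10, 0, 0, 5), "svc-a");           /* dedicated-IP container */
    map_put_ip_port(IPV4(10, 0, 0, 9), 8080, "svc-b"); /* two containers sharing 10.0.0.9 */
    map_put_ip_port(IPV4(10, 0, 0, 9), 9090, "svc-c");
}

int main(void) {
    load_sample_host();
    struct flow_record flows[] = {
        { IPV4(10, 0, 0, 5), 51000, IPV4(10, 0, 1, 1), 443, "" },
        { IPV4(10, 0, 0, 9), 9090,  IPV4(10, 0, 1, 2), 443, "" },
        { IPV4(10, 0, 0, 9), 7777,  IPV4(10, 0, 1, 3), 443, "" }, /* no entry: unknown */
    };
    for (size_t i = 0; i < sizeof flows / sizeof flows[0]; i++) {
        tag_flow(&flows[i]);
        printf("src %u.%u.%u.%u:%u -> local workload %s\n",
               flows[i].src_ip >> 24, (flows[i].src_ip >> 16) & 0xff,
               (flows[i].src_ip >> 8) & 0xff, flows[i].src_ip & 0xff,
               flows[i].src_port, flows[i].local_wid);
    }
    return 0;
}
```

The third sample flow is the case a practitioner should watch for: a shared-IP host with no `(IP, port)` entry for that port yields no owner, and the record is tagged "unknown" rather than silently attributed to the wrong container. In a real deployment the agent also has to remove entries when a container stops, or a recycled IP will resolve to a stale identity.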
Adjacent but distinct
Workload identity as used here ≠ concepts/workload-identity in the IAM / SPIFFE sense, which concerns authenticating a workload to other services. The Netflix post uses the term for the attribution side: who owns the packet, not who is allowed to send it. Both problems can draw on the same substrate (the Metatron cert on the EC2 path), but the consumer surfaces are different.
Seen in
- sources/2025-04-08-netflix-how-netflix-accurately-attributes-ebpf-flow-logs — canonical instance; names Metatron certs (EC2 path) and IPMan's eBPF map (container path) as the two substrates from which FlowExporter resolves the local workload identity at flow-capture time.