Tags: kubernetes, google-kubernetes-engine, spiffe, spiffe-spire

Can the SPIFFE/SPIRE server be installed on any GKE node?


Can the SPIFFE/SPIRE server be installed on any GKE node? If yes, one node out of the other nodes in the cluster will have both the server and an agent installed. Is it also required to have an agent running on the node that is running the SPIRE server?

Please explain.


Solution

  • As per a comment received on the SPIRE Slack:

    On GKE (and other hosted k8s) you only get worker nodes, so there's no way to deploy to the master anyway. But in the end, there are pluses (potential security) and minuses (scalability) to running SPIRE server on the master. In practice it's probably less likely than likely, but it's a fair debate. Typically, you would deploy SPIRE server as a StatefulSet to some number of nodes consistent with scalability and availability goals, and deploy SPIRE agent as a DaemonSet where it's going to run on every node in the cluster. Unless you are doing some very specific targeted deployments via the k8s scheduler, such as separate node pools or subsets of nodes scheduled via label selectors for very specific use-cases (where you won't run any SPIFFE workloads), that's the way I'd approach it - put SPIRE agent on all nodes so it's available for all workloads.
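As an added check (not from the original thread or the SPIRE project), the script below verifies the placement described above: that the agent DaemonSet actually covers every node, including whichever node the server StatefulSet landed on. It parses output in the shape of `kubectl get pods -A -o json`; the pod labels `app=spire-server` / `app=spire-agent`, the node names and the sample data are all constructed assumptions.

```python
"""Check that every node (including any node running a spire-server pod)
also has a spire-agent pod scheduled. Input mirrors the shape of
`kubectl get pods -A -o json`; all sample data here is constructed."""
import json

# Constructed sample: three worker nodes. The server StatefulSet landed on
# node-a, and the agent DaemonSet is missing from node-c (for example because
# of an untolerated taint), which is exactly the gap a defender wants flagged.
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"name": "spire-server-0", "namespace": "spire",
                  "labels": {"app": "spire-server"}},
     "spec": {"nodeName": "node-a"}},
    {"metadata": {"name": "spire-agent-x1", "namespace": "spire",
                  "labels": {"app": "spire-agent"}},
     "spec": {"nodeName": "node-a"}},
    {"metadata": {"name": "spire-agent-x2", "namespace": "spire",
                  "labels": {"app": "spire-agent"}},
     "spec": {"nodeName": "node-b"}},
    {"metadata": {"name": "web-7f9", "namespace": "default",
                  "labels": {"app": "web"}},
     "spec": {"nodeName": "node-c"}},
]})
NODES = ["node-a", "node-b", "node-c"]  # constructed; use `kubectl get nodes`


def nodes_with_label(pods_json: str, app_label: str) -> set:
    """Return the set of nodes hosting at least one pod labelled app=<app_label>."""
    items = json.loads(pods_json)["items"]
    return {p["spec"]["nodeName"] for p in items
            if p["metadata"].get("labels", {}).get("app") == app_label
            and p["spec"].get("nodeName")}  # pending pods have no nodeName yet


def agent_coverage(pods_json: str, nodes: list) -> dict:
    """Report nodes lacking an agent, and server nodes lacking one in particular."""
    agent_nodes = nodes_with_label(pods_json, "spire-agent")
    server_nodes = nodes_with_label(pods_json, "spire-server")
    return {
        "nodes_without_agent": sorted(set(nodes) - agent_nodes),
        "server_nodes_without_agent": sorted(server_nodes - agent_nodes),
    }


if __name__ == "__main__":
    print(json.dumps(agent_coverage(SAMPLE_PODS, NODES), indent=2))
```

A non-empty `nodes_without_agent` means workloads scheduled there have no local Workload API to attest against, regardless of where the server runs.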