Introduction

Kleym connects Gateway API Inference Extension resources to SPIFFE workload identity for Kubernetes.

The in-cluster kleym-operator watches inference intent from resources such as InferenceObjective and InferencePool, then compiles that intent into deterministic SPIFFE identities and materializes them as SPIRE Controller Manager ClusterSPIFFEID resources. The companion kleym CLI is a read-only inspection tool for the rendered identity state.

Overview

  • primary input: InferencePool; optional objective subject: InferenceObjective
  • primary output: deterministic ClusterSPIFFEID resources
  • identity modes: PoolOnly and PerObjective
  • safety model: namespace and service account selectors are always present; unsafe or ambiguous state is refused
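
To make the overview concrete, here is an added Go sketch of the compile step described above. It is illustration written for this page, not kleym's own code: the `PoolIntent` shape, the SPIFFE ID path layout (`/ns/<ns>/pool/<pool>[/objective/<obj>]`), the entry naming and the sample input are all assumptions. What it does show is the three properties the page commits to: output is deterministic (objectives are sorted, names derive only from inputs), every rendered entry carries both a `k8s:ns:` and a `k8s:sa:` workload selector, and an unsafe or ambiguous binding (missing service account, no objectives in PerObjective mode, duplicate objective names) is refused rather than partially rendered.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Mode is one of the two identity modes named on this page.
type Mode string

const (
	PoolOnly     Mode = "PoolOnly"
	PerObjective Mode = "PerObjective"
)

// PoolIntent is an assumed, flattened view of an InferencePool and the
// InferenceObjective names bound to it. Field names are illustration only
// and are not the GAIE or kleym API.
type PoolIntent struct {
	Namespace      string
	Name           string
	ServiceAccount string
	Objectives     []string
}

// Entry holds the subset of a ClusterSPIFFEID spec this example renders.
type Entry struct {
	Name                      string
	SPIFFEIDTemplate          string
	WorkloadSelectorTemplates []string
}

// ErrUnsafe is returned whenever the binding is unsafe or ambiguous;
// nothing is rendered in that case.
var ErrUnsafe = errors.New("refusing to render: unsafe or ambiguous binding")

// Compile turns pool intent into deterministic entries. The SPIFFE ID path
// layout used here is an assumption of this example, not a documented format.
func Compile(trustDomain string, in PoolIntent, mode Mode) ([]Entry, error) {
	// Safety model: an entry is never emitted without both selectors.
	if in.Namespace == "" || in.Name == "" || in.ServiceAccount == "" {
		return nil, fmt.Errorf("%w: pool %q needs namespace, name and service account", ErrUnsafe, in.Name)
	}
	selectors := []string{"k8s:ns:" + in.Namespace, "k8s:sa:" + in.ServiceAccount}
	base := fmt.Sprintf("spiffe://%s/ns/%s/pool/%s", trustDomain, in.Namespace, in.Name)

	switch mode {
	case PoolOnly:
		return []Entry{{
			Name:                      fmt.Sprintf("%s-%s-pool", in.Namespace, in.Name),
			SPIFFEIDTemplate:          base,
			WorkloadSelectorTemplates: selectors,
		}}, nil
	case PerObjective:
		if len(in.Objectives) == 0 {
			return nil, fmt.Errorf("%w: PerObjective mode with no objectives", ErrUnsafe)
		}
		// Sort a copy so output never depends on watch or list order.
		names := append([]string(nil), in.Objectives...)
		sort.Strings(names)
		var out []Entry
		for i, obj := range names {
			if obj == "" || (i > 0 && names[i-1] == obj) {
				return nil, fmt.Errorf("%w: duplicate or empty objective %q", ErrUnsafe, obj)
			}
			out = append(out, Entry{
				Name:                      fmt.Sprintf("%s-%s-objective-%s", in.Namespace, in.Name, obj),
				SPIFFEIDTemplate:          base + "/objective/" + obj,
				WorkloadSelectorTemplates: append([]string(nil), selectors...),
			})
		}
		return out, nil
	default:
		return nil, fmt.Errorf("%w: unknown identity mode %q", ErrUnsafe, mode)
	}
}

// Manifest renders an Entry as a ClusterSPIFFEID manifest. Only the fields
// used above are emitted; a real spec also carries namespaceSelector and
// podSelector, which this example omits.
func Manifest(e Entry) string {
	var b strings.Builder
	fmt.Fprintf(&b, "apiVersion: spire.spiffe.io/v1alpha1\nkind: ClusterSPIFFEID\nmetadata:\n  name: %s\nspec:\n  spiffeIDTemplate: %s\n  workloadSelectorTemplates:\n", e.Name, e.SPIFFEIDTemplate)
	for _, s := range e.WorkloadSelectorTemplates {
		fmt.Fprintf(&b, "    - %q\n", s)
	}
	return b.String()
}

func main() {
	// Constructed sample input, not taken from a real cluster.
	in := PoolIntent{Namespace: "inference", Name: "llama-pool", ServiceAccount: "llama-sa",
		Objectives: []string{"latency-sensitive", "batch"}}
	entries, err := Compile("example.org", in, PerObjective)
	if err != nil {
		fmt.Println(err)
		return
	}
	for _, e := range entries {
		fmt.Print(Manifest(e), "---\n")
	}
}
```

Running it prints two manifests, `batch` before `latency-sensitive` regardless of the order the objectives were listed in; dropping `ServiceAccount` from the input yields `ErrUnsafe` and no output at all, which is the refusal behaviour the safety model bullet describes.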

Documentation Map

Operator docs

  • Install: local run, deployment, GitOps install, metrics, and validation commands
  • Concepts: GAIE inputs, identity modes, container discrimination, and selector safety
  • Architecture: end-to-end reconcile flow from binding intent to SPIRE registration resources
  • Demo: reference binding-to-ClusterSPIFFEID walkthrough
  • Examples: concrete manifests and expected reconciliation outcomes
  • Reference: API fields, conditions, managed resources, dependencies, and compatibility (including GAIE compatibility)
  • Troubleshooting: binding conditions, missing CRDs, and collision triage
  • Design: controller design notes and downstream handoff patterns

CLI docs

  • CLI: read-only inspection usage, results, report shape, findings, and exit codes

Reference and specs

  • Operator Spec: authoritative operator behavior and API contract
  • CLI Spec: authoritative read-only inspection CLI contract
  • Contributing: workflow, validation, and repository conventions
