// Product / QHx Attestor

The machine proves before it participates.

QHx Attestor verifies node evidence before identity is issued, and that trusted node identity becomes the basis for workload identity.

// Why posture matters

Claims need measurements.

Before a node or workload receives identity, QHx can require evidence that the platform is permitted to join the cluster.

  • Two-phase model: node attestation establishes trust in the platform; workload attestation identifies the process running on it.
  • Multiple attestation strategies: TPM with PCR policy where hardware-rooted assurance is required. Projected Service Account Tokens where the orchestrator is the right authority. Cloud instance identity documents in AWS, GCP, and Azure. Join tokens where none of those are available.
  • Policy-bound admission: identity is issued only when attestation data satisfies configured policy.
  • Parent-child identity: workload identities are linked to the node identity on which they run.

An unmeasured platform cannot ground a workload identity.
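The two-phase, policy-bound flow above, as an added illustration (not QHx Attestor's own code): a measured-boot event log is replayed into TPM-style PCR values, node identity is issued only when the PCRs match the configured policy, and workload identity can only be derived from an issued node identity. The event names, PCR indices and identity formats are constructed sample values.

```python
import hashlib
from typing import Dict, List, Optional

# Constructed golden event log for one node type, as an operator might
# configure it for PCR policy (sample values, not real firmware hashes).
GOLDEN_EVENTS: Dict[int, List[bytes]] = {
    0: [b"firmware-v1.2", b"bootloader-v3"],
    7: [b"secure-boot-enabled"],
}


def extend_pcr(current: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: PCR_new = SHA256(PCR_old || SHA256(measurement))."""
    return hashlib.sha256(current + hashlib.sha256(measurement).digest()).digest()


def replay_event_log(events: Dict[int, List[bytes]]) -> Dict[int, str]:
    """Replay a measured-boot event log into final PCR values (hex digests)."""
    pcrs: Dict[int, str] = {}
    for index, measurements in events.items():
        value = bytes(32)  # PCRs start zeroed at platform reset
        for m in measurements:
            value = extend_pcr(value, m)
        pcrs[index] = value.hex()
    return pcrs


def attest_node(node_name: str, reported: Dict[int, str],
                policy: Dict[int, str]) -> Optional[str]:
    """Phase one: issue a node identity only if every policy PCR matches.
    A PCR missing from the evidence is treated as a mismatch."""
    for index, expected in policy.items():
        if reported.get(index) != expected:
            return None  # admission denied: evidence does not satisfy policy
    return f"node:{node_name}"  # constructed identity format


def attest_workload(node_identity: Optional[str], workload: str) -> Optional[str]:
    """Phase two: workload identity is a child of an issued node identity."""
    if node_identity is None:
        return None  # an unmeasured platform cannot ground a workload identity
    return f"{node_identity}/workload:{workload}"


# Policy is the set of PCR values the golden log is expected to produce.
POLICY = replay_event_log(GOLDEN_EVENTS)

if __name__ == "__main__":
    good = attest_node("n1", replay_event_log(GOLDEN_EVENTS), POLICY)
    tampered = {0: [b"firmware-v1.2", b"bootloader-evil"], 7: GOLDEN_EVENTS[7]}
    bad = attest_node("n2", replay_event_log(tampered), POLICY)
    print(attest_workload(good, "api"), attest_workload(bad, "api"))
```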