diff --git a/.yamllint.yml b/.yamllint.yml index b2e6be5df558..e06b900f0e2c 100644 --- a/.yamllint.yml +++ b/.yamllint.yml @@ -10,5 +10,6 @@ rules: # 80 chars should be enough, but don't fail if a line is longer line-length: disable indentation: disable + braces: disable ignore: scripts/aws/aws-k8s-cni.yaml diff --git a/README.md b/README.md index 6e044b994a6c..b677a5af03b9 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,7 @@ This repository provides kubernetes yaml deployments and markdown examples for N * [Basic examples](./examples/basic) * [Interdomain and floating interdomain examples](./examples/interdomain) * [Features examples](./examples/features) + * [NSM+Istio example](./examples/nsm+istio) * [OPA example](./examples/features/opa) * [IPv6 examples](./examples/features/ipv6) * [DNS Example](./examples/features/dns) diff --git a/examples/nsm+istio/.gitignore b/examples/nsm+istio/.gitignore new file mode 100644 index 000000000000..bc946ca4e91d --- /dev/null +++ b/examples/nsm+istio/.gitignore @@ -0,0 +1,2 @@ +!**/kustomization.yaml +!**/patch-*.yaml \ No newline at end of file diff --git a/examples/nsm+istio/README-KIND.md b/examples/nsm+istio/README-KIND.md new file mode 100644 index 000000000000..98f9d943c0df --- /dev/null +++ b/examples/nsm+istio/README-KIND.md 
@@ -0,0 +1,316 @@ +# NSM + Istio interdomain example over kind clusters + +## Setup Clusters + +### KIND +Setup + +```bash +go install sigs.k8s.io/kind@v0.13.0 + +kind create cluster --config kind-cluster-config.yaml --name cluster-1 +kind create cluster --config kind-cluster-config.yaml --name cluster-2 + + +kind get kubeconfig --name cluster-1 > /tmp/config1 +kind get kubeconfig --name cluster-2 > /tmp/config2 + +export KUBECONFIG1=/tmp/config1 +export KUBECONFIG2=/tmp/config2 +``` + + +#### Kind Load balancer + +Make sure that CIDR is fine for your kind clusters + +```bash +kubectl --kubeconfig=$KUBECONFIG1 apply -f https://raw.githubusercontent.com/metallb/metallb/v0.10.2/manifests/namespace.yaml +kubectl --kubeconfig=$KUBECONFIG1 create secret generic -n metallb-system memberlist --from-literal=secretkey="$(openssl rand -base64 128)" +kubectl --kubeconfig=$KUBECONFIG1 apply -f https://raw.githubusercontent.com/metallb/metallb/v0.10.2/manifests/metallb.yaml +cat > metallb-config.yaml < metallb-config.yaml < configmap.yaml < configmap.yaml <.*" +``` +**Expected output** is `Simple Bookstore App` + + +Port forward and check connectivity from NSM+Istio by yourself! +```bash +kubectl --kubeconfig=$KUBECONFIG1 port-forward deploy/productpage-v1 9080:9080 +``` + +**Note:** +You should correctly see the page without errors. + +Also, you should see different backend handlers for your requests: +If `reviews-v1` handles your query then you will not see reviews. +If `reviews-v2` handles your query then you will see black starts. +If `reviews-v3` handles your query then you will see red starts. +Otherwise you will see an error message. + + +Now we're simulating that someting went wrong and ratings-v1 from the istio cluster is down. 
+```bash +kubectl --kubeconfig=$KUBECONFIG2 delete deploy ratings-v1 +``` + + +Port forward and check that you see errors: +```bash +kubectl --kubeconfig=$KUBECONFIG1 port-forward deploy/productpage-v1 9080:9080 +``` + +Now lets start ratings on cluster1: +```bash +kubectl --kubeconfig=$KUBECONFIG1 apply -f ratings/ratings.yaml +``` + +Port forward and check that you dont errors: +```bash +kubectl --kubeconfig=$KUBECONFIG2 port-forward deploy/productpage-v1 9080:9080 +``` + +Congratulations! +You have made a interdomain connection between GKE, AWS via NSM + Istio! + +## Cleanup + + +```bash +WH=$(kubectl --kubeconfig=$KUBECONFIG1 get pods -l app=admission-webhook-k8s -n nsm-system --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}') +kubectl --kubeconfig=$KUBECONFIG1 delete mutatingwebhookconfiguration ${WH} + +WH=$(kubectl --kubeconfig=$KUBECONFIG2 get pods -l app=admission-webhook-k8s -n nsm-system --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}') +kubectl --kubeconfig=$KUBECONFIG2 delete mutatingwebhookconfiguration ${WH} + +kubectl --kubeconfig=$KUBECONFIG1 delete -k ./nsm/cluster1 +kubectl --kubeconfig=$KUBECONFIG2 delete -k ./nsm/cluster2 + +kubectl --kubeconfig=$KUBECONFIG2 delete crd spiffeids.spiffeid.spiffe.io +kubectl --kubeconfig=$KUBECONFIG2 delete ns spire + +kubectl --kubeconfig=$KUBECONFIG1 delete crd spiffeids.spiffeid.spiffe.io +kubectl --kubeconfig=$KUBECONFIG1 delete ns spire + + +gcloud container clusters delete "cluster-nsm" +eksctl delete cluster --name "cluster-istio" +``` \ No newline at end of file diff --git a/examples/nsm+istio/README.md b/examples/nsm+istio/README.md new file mode 100644 index 000000000000..55899770d8d8 --- /dev/null +++ b/examples/nsm+istio/README.md 
@@ -0,0 +1,304 @@ +# NSM + Istio interdomain example over GKE + AWS + +## Setup Clusters + +### AWS + +Install `eksctl` +```bash +/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)" +brew tap weaveworks/tap +brew install weaveworks/tap/eksctl +brew upgrade eksctl && brew link --overwrite eksctl + +eksctl version +``` + +Create AWS clusters +```bash +export AWS_REGION=us-east-2 +export AWS_ACCESS_KEY_ID=*** +export AWS_SECRET_ACCESS_KEY=*** + +eksctl create cluster \ +--name cluster-istio \ +--version 1.22 \ +--nodegroup-name cluster-istio-workers \ +--node-type t2.xlarge \ +--nodes 2 + +``` + +### GKE + +Install `gcloud` via https://cloud.google.com/sdk/docs/install + +Create a cluster +```bash +gcloud container clusters create "cluster-nsm" --machine-type="n1-standard-2" --num-nodes="2" +``` + +Replace `kube-dns` to `coredns` backend for GKE cluster +```bash +git clone https://github.com/coredns/deployment.git; \ +./deployment/kubernetes/deploy.sh | kubectl apply -f -; \ +kubectl scale --replicas=0 deployment/kube-dns-autoscaler --namespace=kube-system; \ +kubectl scale --replicas=0 deployment/kube-dns --namespace=kube-system; \ +rm -rf deployment; +``` + +### Prepare contexts + +```bash +kubect config get-contexts + +export CONTEXT1=*** +export CONTEXT2=*** +``` + + +## DNS + +Expose dns service for first cluster +```bash +kubectl --context=$CONTEXT1 expose service kube-dns -n kube-system --port=53 --target-port=53 --protocol=TCP --name=exposed-kube-dns --type=LoadBalancer +``` + +Wait for assigning IP address (note: you should see IP address in logs. 
If you dont see repeat this): +```bash +kubectl --context=$CONTEXT1 get services exposed-kube-dns -n kube-system -o go-template='{{index (index (index (index .status "loadBalancer") "ingress") 0) "ip"}}' +ip1=$(kubectl --context=$CONTEXT1 get services exposed-kube-dns -n kube-system -o go-template='{{index (index (index (index .status "loadBalancer") "ingress") 0) "ip"}}') +if [[ $ip1 == *"no value"* ]]; then + ip1=$(kubectl --context=$CONTEXT1 get services exposed-kube-dns -n kube-system -o go-template='{{index (index (index (index .status "loadBalancer") "ingress") 0) "hostname"}}') + ip1=$(dig +short $ip1 | head -1) +fi +echo Selected externalIP: $ip1 for cluster1 +``` + +Expose dns service for the second cluster: +```bash +kubectl --context=$CONTEXT2 expose service kube-dns -n kube-system --port=53 --target-port=53 --protocol=TCP --name=exposed-kube-dns --type=LoadBalancer +``` + +Wait for assigning IP address (note: you should see IP address in logs. If you dont see repeat this): +```bash +kubectl --context=$CONTEXT2 get services exposed-kube-dns -n kube-system -o go-template='{{index (index (index (index .status "loadBalancer") "ingress") 0) "ip"}}' +ip2=$(kubectl --context=$CONTEXT2 get services exposed-kube-dns -n kube-system -o go-template='{{index (index (index (index .status "loadBalancer") "ingress") 0) "ip"}}') +if [[ $ip2 == *"no value"* ]]; then + ip2=$(kubectl --context=$CONTEXT2 get services exposed-kube-dns -n kube-system -o go-template='{{index (index (index (index .status "loadBalancer") "ingress") 0) "hostname"}}') + ip2=$(dig +short $ip2 | head -1) +fi +echo Selected externalIP: $ip2 for cluster2 +``` + +Add DNS forwarding from cluster1 to cluster2: +```bash +cat > configmap.yaml < configmap.yaml <.*" +``` +**Expected output** is `Simple Bookstore App` + + +Port forward and check connectivity from NSM+Istio by yourself! 
+```bash +kubectl --context=$CONTEXT1 port-forward deploy/productpage-v1 9080:9080 +``` + +**Note:** +You should correctly see the page without errors. + +Also, you should see different backend handlers for your requests: +If `reviews-v1` handles your query then you will not see reviews. +If `reviews-v2` handles your query then you will see black starts. +If `reviews-v3` handles your query then you will see red starts. +Otherwise you will see an error message. + + +Now we're simulating that someting went wrong and ratings-v1 from the istio cluster is down. +```bash +kubectl --context=$CONTEXT2 delete deploy ratings-v1 +``` + + +Port forward and check that you see errors: +```bash +kubectl --context=$CONTEXT1 port-forward deploy/productpage-v1 9080:9080 +``` + +Now lets start ratings on cluster1: +```bash +kubectl --context=$CONTEXT1 apply -f ratings/ratings.yaml +``` + +Port forward and check that you dont errors: +```bash +kubectl --context=$CONTEXT2 port-forward deploy/productpage-v1 9080:9080 +``` + +Congratulations! +You have made a interdomain connection between GKE, AWS via NSM + Istio! 
+ +## Cleanup + + +```bash +WH=$(kubectl --context=$CONTEXT1 get pods -l app=admission-webhook-k8s -n nsm-system --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}') +kubectl --context=$CONTEXT1 delete mutatingwebhookconfiguration ${WH} + +WH=$(kubectl --context=$CONTEXT2 get pods -l app=admission-webhook-k8s -n nsm-system --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}') +kubectl --context=$CONTEXT2 delete mutatingwebhookconfiguration ${WH} + +kubectl --context=$CONTEXT1 delete -k ./nsm/cluster1 +kubectl --context=$CONTEXT2 delete -k ./nsm/cluster2 + +kubectl --context=$CONTEXT2 delete crd spiffeids.spiffeid.spiffe.io +kubectl --context=$CONTEXT2 delete ns spire + +kubectl --context=$CONTEXT1 delete crd spiffeids.spiffeid.spiffe.io +kubectl --context=$CONTEXT1 delete ns spire + + +gcloud container clusters delete "cluster-nsm" +eksctl delete cluster --name "cluster-istio" +``` \ No newline at end of file diff --git a/examples/nsm+istio/kind-cluster-config.yaml b/examples/nsm+istio/kind-cluster-config.yaml new file mode 100644 index 000000000000..f57c67e5b02b --- /dev/null +++ b/examples/nsm+istio/kind-cluster-config.yaml @@ -0,0 +1,6 @@ +--- +kind: Cluster +apiVersion: kind.x-k8s.io/v1alpha4 +nodes: + - role: control-plane + - role: worker diff --git a/examples/nsm+istio/networkservice.yaml b/examples/nsm+istio/networkservice.yaml new file mode 100644 index 000000000000..32450f877125 --- /dev/null +++ b/examples/nsm+istio/networkservice.yaml @@ -0,0 +1,18 @@ +--- +apiVersion: networkservicemesh.io/v1 +kind: NetworkService +metadata: + name: autoscale-istio-proxy + namespace: nsm-system +spec: + payload: IP + matches: + - source_selector: + fallthrough: true + routes: + - destination_selector: + podName: "{{ .podName }}" + - source_selector: + routes: + - destination_selector: + any: "true" 
diff --git a/examples/nsm+istio/nse-auto-scale/kustomization.yaml b/examples/nsm+istio/nse-auto-scale/kustomization.yaml new file mode 100644 index 000000000000..12f80f9b8329 --- /dev/null +++ b/examples/nsm+istio/nse-auto-scale/kustomization.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +bases: +- https://github.com/networkservicemesh/deployments-k8s/apps/nse-supplier-k8s?ref=36c45f669924a7fc2f070a9b5cb78951eedf272f + +patchesStrategicMerge: +- patch-supplier.yaml + +configMapGenerator: + - name: supplier-pod-template-configmap + files: + - pod-template.yaml + +generatorOptions: + disableNameSuffixHash: true diff --git a/examples/nsm+istio/nse-auto-scale/patch-supplier.yaml b/examples/nsm+istio/nse-auto-scale/patch-supplier.yaml new file mode 100644 index 000000000000..214740f36e69 --- /dev/null +++ b/examples/nsm+istio/nse-auto-scale/patch-supplier.yaml @@ -0,0 +1,32 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nse-supplier-k8s +spec: + template: + metadata: + labels: + sidecar.istio.io/inject: "false" + spec: + containers: + - name: nse-supplier + env: + - name: NSM_SERVICE_NAME + value: autoscale-istio-proxy + - name: NSM_LABELS + value: any:true + - name: NSM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NSM_POD_DESCRIPTION_FILE + value: /run/supplier/pod-template.yaml + volumeMounts: + - name: pod-file + mountPath: /run/supplier + readOnly: true + volumes: + - name: pod-file + configMap: + name: supplier-pod-template-configmap diff --git a/examples/nsm+istio/nse-auto-scale/pod-template.yaml b/examples/nsm+istio/nse-auto-scale/pod-template.yaml new file mode 100644 index 000000000000..c43077c69f07 --- /dev/null +++ b/examples/nsm+istio/nse-auto-scale/pod-template.yaml 
@@ -0,0 +1,56 @@ +--- +apiVersion: apps/v1 +kind: Pod +metadata: + name: proxy-{{ index .Labels "podName" }} + labels: + app: {{ index .Labels "app" }} + "spiffe.io/spiffe-id": "true" + sidecar.istio.io/inject: "true" +spec: + restartPolicy: Never + containers: + - name: nse + image: ghcr.io/networkservicemesh/ci/cmd-nse-istio-proxy:60c6f90 + imagePullPolicy: IfNotPresent + env: + - name: SPIFFE_ENDPOINT_SOCKET + value: unix:///run/spire/sockets/agent.sock + - name: NSM_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAME + value: {{ index .Labels "podName" }} + - name: NSM_CONNECT_TO + value: unix:///var/lib/networkservicemesh/nsm.io.sock + - name: NSM_CIDR_PREFIX + value: 172.16.1.2/31 + - name: NSM_SERVICE_NAMES + value: autoscale-istio-proxy + - name: NSM_LABELS + value: app:{{ index .Labels "app" }} + - name: NSM_IDLE_TIMEOUT + value: 240s + - name: NSM_LOG_LEVEL + value: TRACE + volumeMounts: + - name: spire-agent-socket + mountPath: /run/spire/sockets + readOnly: true + - name: nsm-socket + mountPath: /var/lib/networkservicemesh + readOnly: true + resources: + limits: + memory: 40Mi + cpu: 150m + volumes: + - name: spire-agent-socket + hostPath: + path: /run/spire/sockets + type: Directory + - name: nsm-socket + hostPath: + path: /var/lib/networkservicemesh + type: DirectoryOrCreate diff --git a/examples/nsm+istio/nsm/cluster1/kustomization.yaml b/examples/nsm+istio/nsm/cluster1/kustomization.yaml new file mode 100644 index 000000000000..a5ee48d3dccd --- /dev/null +++ b/examples/nsm+istio/nsm/cluster1/kustomization.yaml 
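Review bot: `apiVersion: apps/v1` is paired with `kind: Pod` at the top of pod-template.yaml, but Pod lives in the core API group, so the header should read `apiVersion: v1`. If nse-supplier only consumes the rendered `.metadata` and `.spec` this is presumably ignored, but anyone who applies or validates the template as a manifest will get an error, and the mismatch is easy to fix now. Separately, `NSM_LOG_LEVEL` is set to `TRACE` on a pod that is created per-workload by the supplier; a comment such as `# TRACE is for the example walkthrough; lower it for real deployments` would make clear that this is a demo setting rather than the intended default.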
@@ -0,0 +1,21 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +namespace: nsm-system + +bases: +- https://github.com/networkservicemesh/deployments-k8s/apps/nsmgr?ref=v1.3.1 +- https://github.com/networkservicemesh/deployments-k8s/apps/forwarder-vpp?ref=36c45f669924a7fc2f070a9b5cb78951eedf272f +- https://github.com/networkservicemesh/deployments-k8s/apps/registry-k8s?ref=v1.3.1 +- https://github.com/networkservicemesh/deployments-k8s/apps/registry-proxy-dns?ref=v1.3.1 +- https://github.com/networkservicemesh/deployments-k8s/apps/nsmgr-proxy?ref=v1.3.1 +- https://github.com/networkservicemesh/deployments-k8s/apps/admission-webhook-k8s?ref=36c45f669924a7fc2f070a9b5cb78951eedf272f + +resources: + - namespace.yaml + +patchesStrategicMerge: +- patch-nsmgr-proxy.yaml +- patch-registry-proxy-dns.yaml +- patch-registry.yaml diff --git a/examples/nsm+istio/nsm/cluster1/namespace.yaml b/examples/nsm+istio/nsm/cluster1/namespace.yaml new file mode 100644 index 000000000000..e952c71a0b30 --- /dev/null +++ b/examples/nsm+istio/nsm/cluster1/namespace.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: nsm-system diff --git a/examples/nsm+istio/nsm/cluster1/patch-nsmgr-proxy.yaml b/examples/nsm+istio/nsm/cluster1/patch-nsmgr-proxy.yaml new file mode 100644 index 000000000000..9fb07692f30f --- /dev/null +++ b/examples/nsm+istio/nsm/cluster1/patch-nsmgr-proxy.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nsmgr-proxy +spec: + template: + metadata: + annotations: + spiffe.io/federatesWith: nsm.cluster2 diff --git a/examples/nsm+istio/nsm/cluster1/patch-registry-proxy-dns.yaml b/examples/nsm+istio/nsm/cluster1/patch-registry-proxy-dns.yaml new file mode 100644 index 000000000000..182decd8a73d --- /dev/null +++ b/examples/nsm+istio/nsm/cluster1/patch-registry-proxy-dns.yaml 
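Review bot: The bases in nsm/cluster1/kustomization.yaml mix `ref=v1.3.1` for nsmgr, registry-k8s, registry-proxy-dns and nsmgr-proxy with `ref=36c45f669924a7fc2f070a9b5cb78951eedf272f` for forwarder-vpp and admission-webhook-k8s, so each cluster runs release-tagged control-plane components next to a forwarder and webhook built from an unreleased commit. If that commit is needed for something not yet in v1.3.1, a comment above those two lines recording why, e.g. `# forwarder-vpp and admission-webhook-k8s pinned to <commit> for <reason>, not yet in v1.3.1`, would keep a later cleanup from "fixing" the pin back to the tag; otherwise all six bases should share one ref. The same split appears in nsm/cluster2/kustomization.yaml.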
@@ -0,0 +1,10 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: registry-proxy +spec: + template: + metadata: + annotations: + spiffe.io/federatesWith: nsm.cluster2 diff --git a/examples/nsm+istio/nsm/cluster1/patch-registry.yaml b/examples/nsm+istio/nsm/cluster1/patch-registry.yaml new file mode 100644 index 000000000000..e53f70e7786b --- /dev/null +++ b/examples/nsm+istio/nsm/cluster1/patch-registry.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: registry-k8s +spec: + template: + metadata: + annotations: + spiffe.io/federatesWith: nsm.cluster2 diff --git a/examples/nsm+istio/nsm/cluster2/kustomization.yaml b/examples/nsm+istio/nsm/cluster2/kustomization.yaml new file mode 100644 index 000000000000..3e31ea7a303c --- /dev/null +++ b/examples/nsm+istio/nsm/cluster2/kustomization.yaml @@ -0,0 +1,21 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +namespace: nsm-system + +bases: +- https://github.com/networkservicemesh/deployments-k8s/apps/nsmgr?ref=v1.3.1 +- https://github.com/networkservicemesh/deployments-k8s/apps/forwarder-vpp?ref=36c45f669924a7fc2f070a9b5cb78951eedf272f +- https://github.com/networkservicemesh/deployments-k8s/apps/registry-k8s?ref=v1.3.1 +- https://github.com/networkservicemesh/deployments-k8s/apps/registry-proxy-dns?ref=v1.3.1 +- https://github.com/networkservicemesh/deployments-k8s/apps/nsmgr-proxy?ref=v1.3.1 +- https://github.com/networkservicemesh/deployments-k8s/apps/admission-webhook-k8s?ref=36c45f669924a7fc2f070a9b5cb78951eedf272f + +patchesStrategicMerge: +- patch-nsmgr-proxy.yaml +- patch-registry-proxy-dns.yaml +- patch-registry.yaml + +resources: + - namespace.yaml diff --git a/examples/nsm+istio/nsm/cluster2/namespace.yaml b/examples/nsm+istio/nsm/cluster2/namespace.yaml new file mode 100644 index 000000000000..e952c71a0b30 --- /dev/null +++ b/examples/nsm+istio/nsm/cluster2/namespace.yaml 
@@ -0,0 +1,5 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: nsm-system diff --git a/examples/nsm+istio/nsm/cluster2/patch-nsmgr-proxy.yaml b/examples/nsm+istio/nsm/cluster2/patch-nsmgr-proxy.yaml new file mode 100644 index 000000000000..e0e5104dd5f7 --- /dev/null +++ b/examples/nsm+istio/nsm/cluster2/patch-nsmgr-proxy.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nsmgr-proxy +spec: + template: + metadata: + annotations: + spiffe.io/federatesWith: nsm.cluster1 diff --git a/examples/nsm+istio/nsm/cluster2/patch-registry-proxy-dns.yaml b/examples/nsm+istio/nsm/cluster2/patch-registry-proxy-dns.yaml new file mode 100644 index 000000000000..9ae00b6e0476 --- /dev/null +++ b/examples/nsm+istio/nsm/cluster2/patch-registry-proxy-dns.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: registry-proxy +spec: + template: + metadata: + annotations: + spiffe.io/federatesWith: nsm.cluster1 diff --git a/examples/nsm+istio/nsm/cluster2/patch-registry.yaml b/examples/nsm+istio/nsm/cluster2/patch-registry.yaml new file mode 100644 index 000000000000..2f1468c93b80 --- /dev/null +++ b/examples/nsm+istio/nsm/cluster2/patch-registry.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: registry-k8s +spec: + template: + metadata: + annotations: + spiffe.io/federatesWith: nsm.cluster1 diff --git a/examples/nsm+istio/productpage/productpage.yaml b/examples/nsm+istio/productpage/productpage.yaml new file mode 100644 index 000000000000..8f8a4e45ad08 --- /dev/null +++ b/examples/nsm+istio/productpage/productpage.yaml 
@@ -0,0 +1,36 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: productpage-v1 + labels: + app: productpage + version: v1 +spec: + replicas: 1 + selector: + matchLabels: + app: productpage + version: v1 + template: + metadata: + labels: + app: productpage + version: v1 + annotations: + networkservicemesh.io: kernel://autoscale-istio-proxy@my.cluster2/nsm-1?app=productpage + spec: + containers: + - name: productpage + image: docker.io/istio/examples-bookinfo-productpage-v1:1.16.2 + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9080 + volumeMounts: + - name: tmp + mountPath: /tmp + securityContext: + runAsUser: 1000 + volumes: + - name: tmp + emptyDir: {} diff --git a/examples/nsm+istio/ratings/ratings.yaml b/examples/nsm+istio/ratings/ratings.yaml new file mode 100644 index 000000000000..4f184444db4f --- /dev/null +++ b/examples/nsm+istio/ratings/ratings.yaml @@ -0,0 +1,30 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ratings-v1 + labels: + app: ratings + version: v1 +spec: + replicas: 1 + selector: + matchLabels: + app: ratings + version: v1 + template: + metadata: + labels: + app: ratings + version: v1 + annotations: + networkservicemesh.io: kernel://autoscale-istio-proxy@my.cluster2/nsm-1?app=ratings + spec: + containers: + - name: ratings + image: docker.io/istio/examples-bookinfo-ratings-v1:1.16.2 + imagePullPolicy: IfNotPresent + ports: + - containerPort: 9080 + securityContext: + runAsUser: 1000 diff --git a/examples/nsm+istio/spire/cluster1/agent.conf b/examples/nsm+istio/spire/cluster1/agent.conf new file mode 100644 index 000000000000..f16559085b72 --- /dev/null +++ b/examples/nsm+istio/spire/cluster1/agent.conf 
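Review bot: The container `securityContext` in productpage.yaml sets only `runAsUser: 1000`; adding `runAsNonRoot: true` and `allowPrivilegeEscalation: false` under it makes the non-root intent enforced by the kubelet rather than implied by the numeric UID, and costs nothing for this workload. The image is referenced by the mutable tag `docker.io/istio/examples-bookinfo-productpage-v1:1.16.2`; since the rest of this change pins NSM bases by tag or commit, pinning the image by digest (or noting in a comment why a tag is acceptable for the example) would keep the supply-chain posture consistent. ratings/ratings.yaml has the same two points.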
@@ -0,0 +1,32 @@ +agent { + data_dir = "/run/spire" + log_level = "DEBUG" + server_address = "spire-server" + server_port = "8081" + socket_path = "/run/spire/sockets/agent.sock" + trust_bundle_path = "/run/spire/bundle/bundle.crt" + trust_domain = "nsm.cluster1" +} + +plugins { + NodeAttestor "k8s_psat" { + plugin_data { + # NOTE: Change this to your cluster name + cluster = "nsm.cluster1" + } + } + KeyManager "memory" { + plugin_data {} + } + WorkloadAttestor "k8s" { + plugin_data { + # Defaults to the secure kubelet port by default. + # Minikube does not have a cert in the cluster CA bundle that + # can authenticate the kubelet cert, so skip validation. + skip_kubelet_verification = true + } + } + WorkloadAttestor "unix" { + plugin_data {} + } +} \ No newline at end of file diff --git a/examples/nsm+istio/spire/cluster1/k8s-workload-registrar.conf b/examples/nsm+istio/spire/cluster1/k8s-workload-registrar.conf new file mode 100644 index 000000000000..620eb39e29bc --- /dev/null +++ b/examples/nsm+istio/spire/cluster1/k8s-workload-registrar.conf @@ -0,0 +1,11 @@ +log_level = "debug" +agent_socket_path = "/run/spire/sockets/agent.sock" +server_socket_path = "/tmp/spire-server/private/api.sock" +cluster = "nsm.cluster1" +trust_domain = "nsm.cluster1" +pod_controller = true +add_svc_dns_names = true +mode = "crd" +webhook_enabled = true +identity_template = "ns/{{.Pod.Namespace}}/pod/{{.Pod.Name}}" +identity_template_label = "spiffe.io/spiffe-id" \ No newline at end of file diff --git a/examples/nsm+istio/spire/cluster1/kustomization.yaml b/examples/nsm+istio/spire/cluster1/kustomization.yaml new file mode 100644 index 000000000000..1b7264f37b3a --- /dev/null +++ b/examples/nsm+istio/spire/cluster1/kustomization.yaml 
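Review bot: `skip_kubelet_verification = true` in the `WorkloadAttestor "k8s"` block of spire/cluster1/agent.conf is carried over with the upstream comment that justifies it for Minikube, yet this example targets GKE, EKS and kind, so the comment no longer explains why the agent skips verifying the kubelet's serving certificate during workload attestation. Either drop the setting where the target cluster's CA can validate the kubelet, or replace the two Minikube lines with the reason that actually applies here, e.g. `# TODO(review): confirm whether the kubelet serving cert is verifiable on GKE/EKS/kind; keep this only where it is not`. spire/cluster2/agent.conf repeats the same block and comment.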
@@ -0,0 +1,26 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +namespace: spire + +configMapGenerator: +- name: spire-server + behavior: merge + namespace: spire + files: + - server.conf +- name: spire-agent + behavior: merge + namespace: spire + files: + - agent.conf +- name: k8s-workload-registrar + behavior: merge + namespace: spire + files: + - k8s-workload-registrar.conf + + +bases: +- https://github.com/networkservicemesh/deployments-k8s/examples/spire?ref=v1.3.1 diff --git a/examples/nsm+istio/spire/cluster1/server.conf b/examples/nsm+istio/spire/cluster1/server.conf new file mode 100644 index 000000000000..1b6b70570972 --- /dev/null +++ b/examples/nsm+istio/spire/cluster1/server.conf @@ -0,0 +1,58 @@ +server { + bind_address = "0.0.0.0" + bind_port = "8081" + trust_domain = "nsm.cluster1" + data_dir = "/run/spire/data" + log_level = "DEBUG" + #AWS requires the use of RSA. EC cryptography is not supported + ca_key_type = "rsa-2048" + default_svid_ttl = "24h" + ca_subject = { + country = ["US"], + organization = ["SPIFFE"], + common_name = "", + } + federation { + bundle_endpoint { + address = "0.0.0.0" + port = 8443 + } + federates_with "nsm.cluster2" { + bundle_endpoint_url = "https://spire-server.spire.my.cluster2:8443" + bundle_endpoint_profile "https_spiffe" { + endpoint_spiffe_id = "spiffe://nsm.cluster2/spire/server" + } + } + } +} + +plugins { + DataStore "sql" { + plugin_data { + database_type = "sqlite3" + connection_string = "/run/spire/data/datastore.sqlite3" + } + } + NodeAttestor "k8s_psat" { + plugin_data { + clusters = { + # NOTE: Change this to your cluster name + "nsm.cluster1" = { + use_token_review_api_validation = true + service_account_allow_list = ["spire:spire-agent"] + } + } + } + } + + KeyManager "disk" { + plugin_data { + keys_path = "/run/spire/data/keys.json" + } + } + Notifier "k8sbundle" { + plugin_data { + webhook_label = "spiffe.io/webhook" + } + } +} \ No newline at end of file 
diff --git a/examples/nsm+istio/spire/cluster2/agent.conf b/examples/nsm+istio/spire/cluster2/agent.conf new file mode 100644 index 000000000000..9408ea99577d --- /dev/null +++ b/examples/nsm+istio/spire/cluster2/agent.conf @@ -0,0 +1,32 @@ +agent { + data_dir = "/run/spire" + log_level = "DEBUG" + server_address = "spire-server" + server_port = "8081" + socket_path = "/run/spire/sockets/agent.sock" + trust_bundle_path = "/run/spire/bundle/bundle.crt" + trust_domain = "nsm.cluster2" +} + +plugins { + NodeAttestor "k8s_psat" { + plugin_data { + # NOTE: Change this to your cluster name + cluster = "nsm.cluster2" + } + } + KeyManager "memory" { + plugin_data {} + } + WorkloadAttestor "k8s" { + plugin_data { + # Defaults to the secure kubelet port by default. + # Minikube does not have a cert in the cluster CA bundle that + # can authenticate the kubelet cert, so skip validation. + skip_kubelet_verification = true + } + } + WorkloadAttestor "unix" { + plugin_data {} + } +} \ No newline at end of file diff --git a/examples/nsm+istio/spire/cluster2/k8s-workload-registrar.conf b/examples/nsm+istio/spire/cluster2/k8s-workload-registrar.conf new file mode 100644 index 000000000000..7bfadcd15c63 --- /dev/null +++ b/examples/nsm+istio/spire/cluster2/k8s-workload-registrar.conf @@ -0,0 +1,11 @@ +log_level = "debug" +agent_socket_path = "/run/spire/sockets/agent.sock" +server_socket_path = "/tmp/spire-server/private/api.sock" +cluster = "nsm.cluster2" +trust_domain = "nsm.cluster2" +pod_controller = true +add_svc_dns_names = true +mode = "crd" +webhook_enabled = true +identity_template = "ns/{{.Pod.Namespace}}/pod/{{.Pod.Name}}" +identity_template_label = "spiffe.io/spiffe-id" \ No newline at end of file diff --git a/examples/nsm+istio/spire/cluster2/kustomization.yaml b/examples/nsm+istio/spire/cluster2/kustomization.yaml new file mode 100644 index 000000000000..5dc3696e0c8a --- /dev/null +++ b/examples/nsm+istio/spire/cluster2/kustomization.yaml 
@@ -0,0 +1,25 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +namespace: spire + +configMapGenerator: +- name: spire-server + behavior: merge + namespace: spire + files: + - server.conf +- name: spire-agent + behavior: merge + namespace: spire + files: + - agent.conf +- name: k8s-workload-registrar + behavior: merge + namespace: spire + files: + - k8s-workload-registrar.conf + +bases: +- https://github.com/networkservicemesh/deployments-k8s/examples/spire?ref=v1.3.1 diff --git a/examples/nsm+istio/spire/cluster2/server.conf b/examples/nsm+istio/spire/cluster2/server.conf new file mode 100644 index 000000000000..f8570910e0d1 --- /dev/null +++ b/examples/nsm+istio/spire/cluster2/server.conf @@ -0,0 +1,58 @@ +server { + bind_address = "0.0.0.0" + bind_port = "8081" + trust_domain = "nsm.cluster2" + data_dir = "/run/spire/data" + log_level = "DEBUG" + #AWS requires the use of RSA. EC cryptography is not supported + ca_key_type = "rsa-2048" + default_svid_ttl = "24h" + ca_subject = { + country = ["US"], + organization = ["SPIFFE"], + common_name = "", + } + federation { + bundle_endpoint { + address = "0.0.0.0" + port = 8443 + } + federates_with "nsm.cluster1" { + bundle_endpoint_url = "https://spire-server.spire.my.cluster1:8443" + bundle_endpoint_profile "https_spiffe" { + endpoint_spiffe_id = "spiffe://nsm.cluster1/spire/server" + } + } + } +} + +plugins { + DataStore "sql" { + plugin_data { + database_type = "sqlite3" + connection_string = "/run/spire/data/datastore.sqlite3" + } + } + NodeAttestor "k8s_psat" { + plugin_data { + clusters = { + # NOTE: Change this to your cluster name + "nsm.cluster2" = { + use_token_review_api_validation = true + service_account_allow_list = ["spire:spire-agent"] + } + } + } + } + + KeyManager "disk" { + plugin_data { + keys_path = "/run/spire/data/keys.json" + } + } + Notifier "k8sbundle" { + plugin_data { + webhook_label = "spiffe.io/webhook" + } + } +} \ No newline at end of file