diff --git a/pkg/agent/endpoints/peertracker.go b/pkg/agent/endpoints/peertracker.go
index ebc35406e7..4a354e3e4d 100644
--- a/pkg/agent/endpoints/peertracker.go
+++ b/pkg/agent/endpoints/peertracker.go
@@ -31,7 +31,7 @@ func (a PeerTrackerAttestor) Attest(ctx context.Context) ([]*common.Selector, er
 // Ensure that the original caller is still alive so that we know we didn't
 // attest some other process that happened to be assigned the original PID
- if err := watcher.IsAlive(); err != nil {
+ if err := watcher.IsAlive(meta); err != nil {
 return nil, status.Errorf(codes.Unauthenticated, "could not verify existence of the original caller: %v", err)
 }
diff --git a/pkg/agent/endpoints/peertracker_test.go b/pkg/agent/endpoints/peertracker_test.go
index f72dd07885..3b41fa034a 100644
--- a/pkg/agent/endpoints/peertracker_test.go
+++ b/pkg/agent/endpoints/peertracker_test.go
@@ -56,7 +56,7 @@ type FakeWatcher bool
 func (w FakeWatcher) Close() {}
- func (w FakeWatcher) IsAlive() error {
+ func (w FakeWatcher) IsAlive(meta map[string]string) error {
 if !w {
 return errors.New("dead")
 }
diff --git a/pkg/agent/endpoints/sdsv2/handler_test.go b/pkg/agent/endpoints/sdsv2/handler_test.go
index b289205e13..f189c11926 100644
--- a/pkg/agent/endpoints/sdsv2/handler_test.go
+++ b/pkg/agent/endpoints/sdsv2/handler_test.go
@@ -642,6 +642,6 @@ type FakeWatcher struct{}
 func (w FakeWatcher) Close() {}
- func (w FakeWatcher) IsAlive() error { return nil }
+ func (w FakeWatcher) IsAlive(meta map[string]string) error { return nil }
 func (w FakeWatcher) PID() int32 { return 123 }
diff --git a/pkg/agent/endpoints/sdsv3/handler_test.go b/pkg/agent/endpoints/sdsv3/handler_test.go
index 4b49414f31..0136c44e1b 100644
--- a/pkg/agent/endpoints/sdsv3/handler_test.go
+++ b/pkg/agent/endpoints/sdsv3/handler_test.go
@@ -1407,7 +1407,7 @@ type FakeWatcher struct{}
 func (w FakeWatcher) Close() {}
- func (w FakeWatcher) IsAlive() error { return nil }
+ func (w FakeWatcher) IsAlive(meta map[string]string) error { return nil }
 func (w FakeWatcher) PID() int32 { return 123 }
diff --git a/pkg/common/peertracker/peertracker.go b/pkg/common/peertracker/peertracker.go
index 505b734fde..72c40a91d1 100644
--- a/pkg/common/peertracker/peertracker.go
+++ b/pkg/common/peertracker/peertracker.go
@@ -28,7 +28,7 @@ type PeerTracker interface {
 type Watcher interface {
 Close()
- IsAlive() error
+ IsAlive(meta map[string]string) error
 PID() int32
 }
diff --git a/pkg/common/peertracker/peertracker_test.go b/pkg/common/peertracker/peertracker_test.go
index c6d826d9fe..8810510b9d 100644
--- a/pkg/common/peertracker/peertracker_test.go
+++ b/pkg/common/peertracker/peertracker_test.go
@@ -104,12 +104,12 @@ func TestExitDetection(t *testing.T) {
 require.True(t, ok)
 // We're connected to ourselves - we should be alive!
- require.NoError(t, conn.Info.Watcher.IsAlive())
+ require.NoError(t, conn.Info.Watcher.IsAlive(make(map[string]string)))
 // Should return an error once we're no longer tracking
 peer.disconnect()
 conn.Close()
- require.EqualError(t, conn.Info.Watcher.IsAlive(), "caller is no longer being watched")
+ require.EqualError(t, conn.Info.Watcher.IsAlive(make(map[string]string)), "caller is no longer being watched")
 // Start a forking child and allow it to exit while the grandchild holds the socket
 peer.connectFromForkingChild(t, test.addr, test.childPath, doneCh)
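Review bot: The Watcher interface's new `IsAlive(meta map[string]string) error` carries no doc comment, and nothing in the interface hunk says what `meta` is, who supplies it, or that the Linux implementation in this same diff treats a nil map differently from a non-nil one. Add a comment above the method along the lines of `// IsAlive reports whether the original caller is still alive; meta carries caller metadata and the platform implementations document how it affects the liveness checks.` and state explicitly whether callers may pass nil. The fakes in the sdsv2, sdsv3 and agent tests ignore the parameter, which is fine for fakes, but none of the tests in this diff passes nil, so the nil versus non-nil distinction is not exercised anywhere visible here.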
@@ -132,7 +132,7 @@ func TestExitDetection(t *testing.T) {
 // Call to IsAlive should now return an error
 switch runtime.GOOS {
 case "darwin":
- require.EqualError(t, conn.Info.Watcher.IsAlive(), "caller exit detected via kevent notification")
+ require.EqualError(t, conn.Info.Watcher.IsAlive(make(map[string]string)), "caller exit detected via kevent notification")
 require.Len(t, test.logHook.Entries, 2)
 firstEntry := test.logHook.Entries[0]
 require.Equal(t, logrus.WarnLevel, firstEntry.Level)
@@ -141,7 +141,7 @@ func TestExitDetection(t *testing.T) {
 require.Equal(t, logrus.WarnLevel, secondEntry.Level)
 require.Equal(t, "Caller exit detected via kevent notification", secondEntry.Message)
 case "linux":
- require.EqualError(t, conn.Info.Watcher.IsAlive(), "caller exit suspected due to failed readdirent")
+ require.EqualError(t, conn.Info.Watcher.IsAlive(make(map[string]string)), "caller exit suspected due to failed readdirent")
 require.Len(t, test.logHook.Entries, 2)
 firstEntry := test.logHook.Entries[0]
 require.Equal(t, logrus.WarnLevel, firstEntry.Level)
@@ -151,7 +151,7 @@ func TestExitDetection(t *testing.T) {
 require.Equal(t, "Caller exit suspected due to failed readdirent", secondEntry.Message)
 require.Equal(t, syscall.ENOENT, secondEntry.Data["error"])
 case "windows":
- require.EqualError(t, conn.Info.Watcher.IsAlive(), "caller exit detected: exit code: 0")
+ require.EqualError(t, conn.Info.Watcher.IsAlive(make(map[string]string)), "caller exit detected: exit code: 0")
 require.Len(t, test.logHook.Entries, 2)
 firstEntry := test.logHook.Entries[0]
 require.Equal(t, logrus.WarnLevel, firstEntry.Level)
@@ -177,7 +177,7 @@ func TestExitDetection(t *testing.T) {
 // the tracker has been closed
 test.listener.Close()
 test.listener = nil
- require.EqualError(t, conn.Info.Watcher.IsAlive(), "caller is no longer being watched")
+ require.EqualError(t, conn.Info.Watcher.IsAlive(make(map[string]string)), "caller is no longer being watched")
 }
 func newFakePeer(t *testing.T) *fakePeer {
diff --git a/pkg/common/peertracker/tracker_linux.go b/pkg/common/peertracker/tracker_linux.go
index 35502e1020..ef394dd45f 100644
--- a/pkg/common/peertracker/tracker_linux.go
+++ b/pkg/common/peertracker/tracker_linux.go
@@ -99,7 +99,8 @@ func (l *linuxWatcher) Close() {
 l.procfd = -1
 }
- func (l *linuxWatcher) IsAlive() error {
+ func (l *linuxWatcher) IsAlive(meta map[string]string) error {
+ l.meta = meta
 l.mtx.Lock()
 defer l.mtx.Unlock()
@@ -152,14 +153,14 @@ func (l *linuxWatcher) IsAlive() error {
 l.log.WithError(err).Warn("Caller exit suspected due to failed proc stat")
 return errors.New("caller exit suspected due to failed proc stat")
 }
- if stat.Uid != l.uid {
+ if stat.Uid != l.uid && meta == nil {
 l.log.WithFields(logrus.Fields{
 telemetry.ExpectUID: l.uid,
 telemetry.ReceivedUID: stat.Uid,
 }).Warn("New process detected: process uid does not match original caller")
 return fmt.Errorf("new process detected: process uid %v does not match original caller %v", stat.Uid, l.uid)
 }
- if stat.Gid != l.gid {
+ if stat.Gid != l.gid && meta == nil {
 l.log.WithFields(logrus.Fields{
 telemetry.ExpectGID: l.gid,
 telemetry.ReceivedGID: stat.Gid,
diff --git a/pkg/server/api/middleware/audit.go b/pkg/server/api/middleware/audit.go
index a8127452a3..b12bff34f5 100644
--- a/pkg/server/api/middleware/audit.go
+++ b/pkg/server/api/middleware/audit.go
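Review bot: The added `&& meta == nil` on the uid and gid comparisons in tracker_linux.go switches off the PID-reuse protection for any caller that passes a non-nil map, and both call sites in this diff (`fieldsFromTracker` in audit.go and `TestExitDetection`) pass `make(map[string]string)`, which is non-nil, so those paths no longer reject a process whose uid or gid differs from the original caller; the agent attestor in peertracker.go passes a `meta` whose origin is outside its hunk, so I cannot tell whether it is ever nil. Unless there is a documented reason a metadata-bearing caller is allowed to change identity, the comparisons should stay `if stat.Uid != l.uid {` and `if stat.Gid != l.gid {` regardless of `meta`. The new `l.meta = meta` is written before `l.mtx.Lock()`, so if IsAlive can be invoked concurrently on one watcher this is an unsynchronized write to shared state; move the assignment below `defer l.mtx.Unlock()`. The stored `l.meta` is not read anywhere in these hunks, and neither the `meta` field declaration nor the non-Linux Watcher implementations appear in this diff, so I cannot confirm they were updated. The body of IsAlive continues outside both hunks.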
@@ -74,7 +74,7 @@ func fieldsFromTracker(ctx context.Context) (logrus.Fields, error) {
 fields[telemetry.CallerPath] = addr
 }
- if err := watcher.IsAlive(); err != nil {
+ if err := watcher.IsAlive(make(map[string]string)); err != nil {
 return nil, status.Errorf(codes.Internal, "peertracker fails: %v", err)
 }
 return fields, nil
diff --git a/spire-k8s-sat-plugin b/spire-k8s-sat-plugin
index 19273aeedf..70eb392710 160000
--- a/spire-k8s-sat-plugin
+++ b/spire-k8s-sat-plugin
@@ -1 +1 @@
-Subproject commit 19273aeedf350aa44c2b19820c9e39713502833b
+Subproject commit 70eb3927102568cc68a23552ce2e246b35a3609c
diff --git a/spire-k8s-secret-plugin b/spire-k8s-secret-plugin
index 903739da91..1452373d30 160000
--- a/spire-k8s-secret-plugin
+++ b/spire-k8s-secret-plugin
@@ -1 +1 @@
-Subproject commit 903739da91cf419de86e0600ba111f686cb5a95f
+Subproject commit 1452373d30e69ac5d4b7dc7c8f7aec19d8bfb5e4