Enterprise-wide machine identity management is vital for organizations of any size to guarantee the confidentiality and integrity of communication between machines. Malicious attackers can easily take advantage of compromised machine identities to steal sensitive data or masquerade as a legitimate machine that your network will inadvertently trust.
Jetstack previously donated the cert-manager project to the Cloud Native Computing Foundation® (CNCF®), allowing developers to quickly and securely manage all machine identities and secure applications. Jetstack is now proudly expanding cloud agnostic certificate management solutions to enterprises big and small.
Last week's quarterly CNCF End User Technology Radar offered a new insight into how enterprise end users are adopting security tools related to certificate management. The report especially highlighted the rise of cert-manager - a CNCF Sandbox project - as one of the most highly adopted. This pointed to interesting behaviors in the way enterprises no longer solely rely on Cloud Service Providers to automatically manage certain cloud security elements. Among the findings of this report, certificate management was called out as being particularly relevant. Certificate management in general is “top of mind” for many enterprises, hence the importance of cert-manager as a proven and well-established solution to easily automate TLS certificates was a strong highlight.
cert-manager is a highly popular open source project, first created by Jetstack and now part of the CNCF Sandbox, which has grown to become the de facto solution for managing X.509 certificates in Kubernetes. Secrets management is of course inherently needed for storing public and private keys for TLS certificates. cert-manager uses the native Kubernetes secrets resource and is more generally used for automating machine identity management for workloads.
The survey showed that certificate management is increasingly important for Kubernetes end users and there is great interest in cloud agnostic solutions. This finding in particular signals a shift in how enterprises choose to consume cloud security services. It is also interesting to note the rise in multi-cloud patterns and solutions being adopted by enterprises which can explain why cloud-agnostic tools like cert-manager are becoming popular. This adoption is driven by increased usage of Kubernetes in enterprises with large estates of legacy applications and a need to support hybrid and multi-cloud infrastructure. Given this interest in multi-cloud, it is inevitable that usage of service meshes will also increase and cert-manager, with its support for Istio and Open Service Mesh, with more to come, is perfectly placed to provide a cloud agnostic, cross-cluster certificate management solution.
cert-manager adoption is centered on X.509 certificates being used to automate machine identity management for Kubernetes workloads. It builds in native support for certificates and certificate authorities, integrating with a range of popular public and private providers. Platform and operations teams can rely on cert-manager to automatically issue and renew certificates. This capability is primarily used to secure ingress resources, with public CAs such as Let’s Encrypt, but there is now increasing interest to use cert-manager to secure workload identities with mesh and mesh-like systems. All this delivers a level of certainty and security for development and platform teams. cert-manager’s growth is down to its demonstrable appeal as a consistent, reliable and agnostic solution for machine identity automation.
Enterprises are increasingly comfortable with solutions which can be properly evaluated and are backed up with a strong community of contributors and users from across the ecosystem. The cert-manager community has grown to over 275 contributors since its first commit back in 2017, including a team at Jetstack who support the development full-time, together with individual maintainers and CNCF end users.
Ingress protection is of course vital, but in parallel enterprises see cert-manager as a compelling choice to easily automate certificate management to secure intra-pod traffic and control workload security and access for internal traffic; easily integrating enterprise CAs to issue private certificates; control workloads to operate across different cloud providers; operating Istio service mesh so that control plane communication across the mesh is automated using mTLS.
Enterprises that are committing more resources to scale their Kubernetes infrastructure across multiple cloud providers evidently are not looking solely to the Cloud Service Providers to support their need for certificate management. The survey suggests cert-manager is firmly established as the solution of choice to meet many large enterprises’ need for Kubernetes certificate management - this is great to see for a CNCF sponsored project. The general factor which explains the increased adoption of cert-manager is it aligns with enterprises' plans for expanding infrastructure. cert-manager has shown it is a great fit for the many use cases in which automated certificates are needed. As enterprises transform their infrastructure with Kubernetes and build out a multi-cloud strategy, we’re delighted that a cloud native, CNCF-backed project, is meeting their needs.