Scale Machine Identity Management with Kubernetes Policy [Nirmata]

We know that DevOps and engineering teams are moving fast to innovate, test, and deploy. We also know that the open-source solution cert-manager is the industry standard for securely managing machine identities with Kubernetes. Deploying and configuring cert-manager consistently at scale—that’s a challenge that many large organizations have faced.

Nirmata is a unified management plane for Kubernetes clusters and workloads built for enterprise DevOps teams. We enable self-service cluster provisioning, provide visibility, health, metrics, and alerts, ensure compliance via workload policies, and streamline application deployments across clusters. Given these capabilities, we felt uniquely capable of solving the challenge of scaling Kubernetes consistently. And now, we can extend those benefits through Machine Identity Management Development Fund sponsorship, which will allow the Nirmata DevSecOps Platform to add support for cert-manager. Read on to learn how.

Deploying cert-manager as an add-on

The open-source solution cert-manager, created and maintained by the Venafi company Jetstack, is now available in the default-addon-catalog on the Nirmata Platform. The catalog application for cert-manager uses the public GitHub repository for cert-manager add-on.

Since cert-manager is already in the catalog, it is now available to be deployed as an add-on to any cluster. Developers can select cert-manager when creating a cluster type, so cert-manager is easily deployed to any cluster created with that cluster type. For users of the Nirmata platform, this gives platform teams a fast way to deploy cert-manager since it will be important to ensure cert-manager is running in all clusters.

Automatic upgrades for cert-manager

Any catalog application that is deployed using a Git repository is automatically upgraded whenever a new commit is made to the git repository or if a new branch is selected in the Git settings for the application. This process can be used to upgrade cert-manager when it is deployed on multiple clusters at the same time.

Creating cluster issuers

Once cert-manager is deployed to a cluster, you can easily use the primary functions of cert-manager to create cluster issues. The following cluster issues can be created for machine identities:

• Self-Signed certificates
• CA certificates
• Vault secrets
• Venafi machine identities

You can follow the instructions to create any type of cluster issue. Some cluster issuers require a secret prior to creating the cluster issue. Secrets can be created directly from the cluster Issuers panel using the Create Secret menu. This secret will be created in the cert-manager namespace.

cert-manager Policies

Developers can also use cert-manager to create issuers instead of using the cluster issuer. While this is a powerful capability, the cluster administrator may want to restrict the creation of certificates to their own domain or create certificates with a single DNS name entry. This can be done using policies. Clusters that are deployed using the Nirmata platform always include the Kyverno policy engine. Sample policies for cert-manager can be found here.

Summary

Nirmata DevSecOps Platform now automates the lifecycle management for certificates in Kubernetes clusters by integrating with cert-manager. In addition to deploying and managing cert-manager, you can also create cluster issuers to automatically generate certificates and deploy Kyverno policies to ensure that the generated certificates are compliant with the company requirements.

The Nirmata and cert-manager integration is now available! Visit Nirmata on the Venafi Marketplace for more information. You can also explore Nirmata for free at: https://try.nirmata.io

This blog features solutions from the ever-growing Venafi Ecosystem, where industry leaders are building and collaborating to protect more machine identities across organizations like yours. Learn more about how the Venafi Technology Network is evolving above and beyond just technical integrations.

Related Posts

• Open Source Makes Machine Identities on Kubernetes Accessible for All
• [How-To Guide] PKI Pain Relief and Crypto Agility in a Kubernetes World
• Kubernetes Certificate Security: What You Need to Know