Scale Machine Identity Management with Kubernetes Policy [Nirmata]

October 14, 2021 | Ritesh Patel, Nirmata

We know that DevOps and engineering teams are moving fast to innovate, test, and deploy. We also know that the open-source solution cert-manager is the industry standard for securely managing machine identities with Kubernetes. Deploying and configuring cert-manager consistently at scale—that’s a challenge that many large organizations have faced.

Nirmata is a unified management plane for Kubernetes clusters and workloads built for enterprise DevOps teams. We enable self-service cluster provisioning, provide visibility, health, metrics, and alerts, ensure compliance via workload policies, and streamline application deployments across clusters. Given these capabilities, we felt uniquely capable of solving the challenge of scaling Kubernetes consistently. And now, we can extend those benefits through Machine Identity Management Development Fund sponsorship, which will allow the Nirmata DevSecOps Platform to add support for cert-manager. Read on to learn how.

Deploying cert-manager as an add-on

The open-source solution cert-manager, created and maintained by the Venafi company Jetstack, is now available in the default add-on catalog on the Nirmata Platform. The catalog application for cert-manager uses the public GitHub repository for the cert-manager add-on.

Since cert-manager is already in the catalog, it is now available to be deployed as an add-on to any cluster. Developers can select cert-manager when creating a cluster type, so cert-manager is easily deployed to any cluster created with that cluster type. For users of the Nirmata platform, this gives platform teams a fast way to deploy cert-manager since it will be important to ensure cert-manager is running in all clusters.

Automatic upgrades for cert-manager

Any catalog application that is deployed from a Git repository is automatically upgraded whenever a new commit is made to that repository or a new branch is selected in the Git settings for the application. This process can be used to upgrade cert-manager on multiple clusters at the same time.

Creating cluster issuers

Once cert-manager is deployed to a cluster, you can easily use the primary functions of cert-manager to create cluster issuers. The following cluster issuers can be created for machine identities:

  • Self-Signed certificates
  • CA certificates
  • Vault secrets
  • Venafi machine identities

You can follow the instructions to create any type of cluster issuer. Some cluster issuers require a secret prior to creating the cluster issuer. Secrets can be created directly from the Cluster Issuers panel using the Create Secret menu. This secret will be created in the cert-manager namespace.

cert-manager Policies

Developers can also use cert-manager to create namespaced issuers instead of using the cluster issuer. While this is a powerful capability, the cluster administrator may want to restrict the creation of certificates to the organization's own domain, or to certificates with a single DNS name entry. This can be done using policies. Clusters that are deployed using the Nirmata platform always include the Kyverno policy engine. Sample policies for cert-manager can be found here.
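As an added illustration of the kind of policy described above (written for this page, not one of Nirmata's sample policies), the following Kyverno ClusterPolicy rejects any cert-manager Certificate that requests a name outside the company domain or more than one DNS name. The domain example.com stands in for the organization's own domain.

```yaml
# Added example policy; example.com stands in for the organization's own domain.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-certificate-dns-names
spec:
  # Enforce blocks non-compliant Certificates at admission time; Audit would only report them.
  validationFailureAction: Enforce
  background: true
  rules:
    # Rule 1: every requested DNS name (and the commonName, if set) must be under example.com.
    - name: names-in-company-domain
      match:
        any:
          - resources:
              kinds:
                - cert-manager.io/v1/Certificate
      validate:
        message: "Certificate DNS names and commonName must be within example.com."
        pattern:
          spec:
            # A single-element pattern array is applied to every element of spec.dnsNames.
            dnsNames:
              - "*.example.com"
            # The =(field) anchor makes the check apply only when the field is present.
            =(commonName): "*.example.com"
    # Rule 2: exactly one DNS name per Certificate (no multi-name SAN lists).
    - name: single-dns-name
      match:
        any:
          - resources:
              kinds:
                - cert-manager.io/v1/Certificate
      validate:
        message: "Certificates must request exactly one DNS name."
        deny:
          conditions:
            any:
              # A missing dnsNames list is treated as empty so length() always evaluates.
              - key: "{{ length(request.object.spec.dnsNames || `[]`) }}"
                operator: NotEquals
                value: 1
```

Certificate is the resource developers normally create; a CertificateRequest created directly is not checked by this policy, so access to that kind should be limited by RBAC as well.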


The Nirmata DevSecOps Platform now automates certificate lifecycle management in Kubernetes clusters by integrating with cert-manager. In addition to deploying and managing cert-manager, you can also create cluster issuers to automatically generate certificates and deploy Kyverno policies to ensure that the generated certificates comply with the company's requirements.

The Nirmata and cert-manager integration is now available! Visit Nirmata on the Venafi Marketplace for more information. You can also explore Nirmata for free at:

This blog features solutions from the ever-growing Venafi Ecosystem, where industry leaders are building and collaborating to protect more machine identities across organizations like yours. Learn more about how the Venafi Technology Network is evolving above and beyond just technical integrations.
