Do You Know How Many cert-manager Instances Your Developers are Using? Are They All Using the Latest Stable Version?

July 27, 2022 | Anastasios Arampatzis

If you’re running Kubernetes or OpenShift, you likely have cert-manager spun up to handle the load of installing, deploying and renewing the certificates within your clusters. And we have Jetstack to thank for that. However, you’ll need to do more to bridge the gaps it leaves.

  • How do you manage deployment of cert-manager instances when new releases come out?
  • How do you view every identity issued from every instance in every cluster?
  • And how do you manage all platforms on which your Kubernetes clusters could be running?

To answer those questions, Jetstack has partnered with Venafi to create Jetstack Secure, a solution that fills in the gaps and provides singular control over any certificate, instance or cluster across any Kubernetes platform. Here’s how it works.

What gaps does basic cert-manager leave behind?
Cert-manager instances ensure certificates are updated – but what updates the instances? First, let’s review what cert-manager is meant to do:
  • Automate certificate issuance and renewal, protecting Ingress with TLS
  • Work with public and private Certificate Authorities (Let’s Encrypt, HashiCorp Vault, Venafi and others)
  • Issue the certificates that secure pod-to-pod (mTLS) communication
  • Provide certificates for web-facing and internal workloads
  • Offer cloud-native protection with open-source add-ons for additional security
  • Make sure certificates are valid and up to date

While cert-manager is an effective, general-purpose certificate management controller for Kubernetes, it has no built-in oversight of its own version: nothing in a cluster tells you whether the instance running there is the latest stable release. You can’t just set it and forget it; the instances themselves need to be upgraded with every new release. And when your clusters run on a multitude of Kubernetes platforms, in the cloud through a CSP or in a virtual environment running OpenShift, how do you ensure the rollout actually reaches every instance? Do you even know where all the instances are?

While powerful and effective at deploying and updating the certificates themselves, there are overall management functions cert-manager is not equipped to do:
  • Cert-manager will not update its own instances to the most recent version. Your team has to deploy each new release to every cert-manager instance, across whatever platforms your Kubernetes clusters reside on. An upgrade is also more than a new image tag: releases ship updated CustomResourceDefinitions and RBAC, so each instance must be upgraded with the release’s manifests or Helm chart.
  • It does not give you visibility into every machine identity (certificate) issued by every instance in every cluster. If you want the full picture, you must hunt down the parts and piece them together.
  • Even if you could get a configuration management database (CMDB) to do the hard work of discovering disparate security resources across your enterprise, the most it will do is provide the data in a report, leaving time-consuming analysis to your team.
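A baseline check for the first two gaps, added here as an example and not code from the original post or from Jetstack or Venafi: it walks every kubeconfig context, reads the controller image tag from the cert-manager Deployment, and flags clusters that are missing cert-manager, run an image whose tag cannot be parsed, or sit behind a pinned target release. The namespace and Deployment name (`cert-manager`, the default install), the pinned `TARGET`, and the four sample clusters are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post or from Jetstack/Venafi.
# Inventory the cert-manager controller version in every kubeconfig context
# and flag clusters that are missing cert-manager or behind a pinned release.
set -eu

# Release every cluster is expected to run. Assumption: pinned by hand from
# the cert-manager release list rather than resolved to "latest" at run time.
TARGET="v1.9.1"

# Print the semver tag of an image reference, or nothing if it has no
# v<major>.<minor>.<patch> tag (untagged, digest-only or pre-release images).
#   quay.io/jetstack/cert-manager-controller:v1.9.1@sha256:... -> v1.9.1
image_tag() {
  t=${1%%@*}       # drop a trailing @sha256:<digest>
  t=${t##*:}       # keep what follows the last colon (the tag)
  if printf '%s\n' "$t" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'; then
    printf '%s\n' "$t"
  fi
}

# Return 0 if version $1 is strictly older than version $2 (numeric fields).
version_lt() {
  a=${1#v}; b=${2#v}
  set -- $(printf '%s %s' "$a" "$b" | tr '.' ' ')   # $1-$3 = a, $4-$6 = b
  [ "$1" -lt "$4" ] && return 0
  [ "$1" -gt "$4" ] && return 1
  [ "$2" -lt "$5" ] && return 0
  [ "$2" -gt "$5" ] && return 1
  [ "$3" -lt "$6" ]
}

# Real collector: one "<context> <image>" line per cluster. Assumes the default
# install location (namespace cert-manager, Deployment cert-manager).
collect_versions() {
  for ctx in $(kubectl config get-contexts -o name); do
    img=$(kubectl --context "$ctx" -n cert-manager get deploy cert-manager \
      -o jsonpath='{.spec.template.spec.containers[0].image}' 2>/dev/null || true)
    printf '%s %s\n' "$ctx" "${img:-none}"
  done
}

# Read "<context> <image>" lines on stdin, print one status line per cluster,
# and return 1 if any cluster is missing, unrecognised or behind TARGET.
report_versions() {
  rc=0
  while read -r ctx img; do
    tag=$(image_tag "$img")
    if [ "$img" = "none" ]; then
      status="MISSING"; rc=1
    elif [ -z "$tag" ]; then
      status="UNKNOWN tag in $img"; rc=1
    elif version_lt "$tag" "$TARGET"; then
      status="OUTDATED $tag (target $TARGET)"; rc=1
    else
      status="OK $tag"
    fi
    printf '%s\t%s\n' "$ctx" "$status"
  done
  return "$rc"
}

# Constructed sample standing in for collect_versions output (not real
# clusters): one current, one lagging, one with an unparseable image, one
# with no cert-manager at all. In real use run: collect_versions | report_versions
SAMPLE='prod-eks quay.io/jetstack/cert-manager-controller:v1.9.1
staging-aks quay.io/jetstack/cert-manager-controller:v1.7.2
dev-openshift registry.example.com:5000/cert-manager-controller
legacy-kind none'

printf '%s\n' "$SAMPLE" | report_versions || echo "some clusters need attention"
```

The same per-context loop, with the Deployment lookup swapped for `kubectl --context "$ctx" get certificates.cert-manager.io -A`, gives a first, unaggregated inventory of the Certificate resources each instance manages, which is the second gap listed above; it still leaves you to join the per-cluster results by hand, and it only sees clusters whose credentials are already in your kubeconfig.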

Cert-manager is only half of the Kubernetes security puzzle. Jetstack Secure now provides the other half.

How does Jetstack Secure help?

If cert-manager provides Kubernetes the certificates it needs, Jetstack Secure provides the certificate management. Jetstack and Venafi worked together to create a cloud-native solution that provides control of X.509 configuration across Kubernetes and OpenShift clusters. No more deploying cert-manager instances across multiple platforms and losing track of them. No more being in the dark about which ones are running the latest stable version, manually investigating numerous instances to find the answer, or ignoring the question altogether.

With Jetstack Secure, you’re able to see critical information like certificate origins, the CA that issued them, their compliance with your corporate policy, and why you may have failed a policy check. With this platform-agnostic solution, you can gain visibility of all deployed certificates in whatever cluster they may be, all from a single control panel. Jetstack Secure provides the way to aggregate, audit and manage machine identities deployed within Kubernetes, and complements, enhances and contextualizes the work of cert-manager.

Use Jetstack Secure to:

  • Avoid certificate misconfigurations.
  • Know if any cert-manager deployed in any cluster isn’t running the latest version and needs to be upgraded.
  • See new clusters on the dashboard as soon as they are onboarded into Jetstack Secure, wherever they are running.

In short, a full, live inventory of all cert-manager instances, whether they are running the latest stable version, and what machine identities they provision within your Kubernetes environment. Cert-manager is only as good as the visibility you have into your ecosystem because losing track of any machine identity puts your whole Kubernetes or OpenShift workload at risk.

About the author

Anastasios Arampatzis

Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years of experience in evaluating cybersecurity and managing IT projects. He works as an informatics instructor at AKMI Educational Institute, while his interests include exploring the human side of cybersecurity.
