Using Kubernetes discovery
CyberArk Trust Protection Foundation™'s Kubernetes discovery feature provides an easy and convenient way to monitor TLS certificates used on clusters managed by the Certificate Manager for Kubernetes module of Certificate Manager - SaaS. Certificates used on traditional devices and on Kubernetes clusters both gain operational status visibility, and policy control can be enforced across all Kubernetes clusters.
With the Kubernetes discovery feature, administrators can create a new discovery job that imports certificates from all Kubernetes clusters registered to Certificate Manager - SaaS. Once discovered, certificates are placed in containers (similar to policy folders) under the corresponding clusters and namespaces. As an administrator you can apply policies to each container, cluster, or namespace.
Non-compliant certificates can be found on the certificate inventory page in TLS Protect, which provides a way to filter them by a particular cluster, namespace, or container. Certificates that are used on Kubernetes clusters and are issued by CyberArk Trust Protection Foundation are associated with the corresponding cluster and namespace objects. This allows administrators to see where those certificates are used and which Kubernetes services are at risk.
Kubernetes discovery jobs need network access to Certificate Manager - SaaS to discover certificates within Kubernetes environments. To ensure CyberArk Trust Protection Foundation™ can reach Certificate Manager - SaaS, customers need to add the following endpoints to their network allowlist.
Certificate Manager - SaaS endpoints:
- EU Region: api.venafi.eu
- US Region: api.venafi.cloud

Required access:
- Port: TCP 443
- Protocol: HTTPS
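The check below is an added example for verifying the allowlist requirement above from the host that will run discovery jobs; it is not part of the product or of this documentation. It uses only the Python standard library, takes the region-to-endpoint mapping and port from the list above, and leaves certificate verification enabled so that a TLS-intercepting proxy or a mistyped allowlist entry shows up as a failure instead of being silently accepted. The function names and the result dictionary layout are assumptions of this example.

```python
import socket
import ssl

# Region -> endpoint mapping and port as listed in the documentation above.
CERTIFICATE_MANAGER_ENDPOINTS = {
    "EU": "api.venafi.eu",
    "US": "api.venafi.cloud",
}
PORT = 443


def check_endpoint(host, port=PORT, timeout=5.0):
    """Test TCP reachability and a verified TLS handshake to host:port.

    Returns a dict with keys: host, port, reachable, tls_ok, tls_version, error.
    `reachable` is True once the TCP connection succeeds; `tls_ok` is True only
    if the handshake completes with the default (verifying) SSL context, so an
    interception proxy presenting an untrusted certificate is reported as an error.
    (Function name and result layout are assumptions of this example.)
    """
    result = {
        "host": host,
        "port": port,
        "reachable": False,
        "tls_ok": False,
        "tls_version": None,
        "error": None,
    }
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["reachable"] = True
            ctx = ssl.create_default_context()  # verifies chain and hostname
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result["tls_ok"] = True
                result["tls_version"] = tls.version()
    except OSError as exc:  # covers gaierror, timeout, refused, and ssl.SSLError
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


def check_all(endpoints=CERTIFICATE_MANAGER_ENDPOINTS, timeout=5.0):
    """Run check_endpoint against every configured region; returns a list of results."""
    return [dict(region=region, **check_endpoint(host, PORT, timeout))
            for region, host in endpoints.items()]


def failures(results):
    """Return the hosts whose TLS check did not succeed, for use in an allowlist review."""
    return [r["host"] for r in results if not r["tls_ok"]]


if __name__ == "__main__":
    for r in check_all():
        status = "OK" if r["tls_ok"] else "FAIL"
        detail = r["tls_version"] if r["tls_ok"] else r["error"]
        print(f'{status:4} {r["region"]:2} {r["host"]}:{r["port"]} {detail}')
```

Run it once from the discovery host before creating the job; a result that is reachable but not tls_ok usually points at a proxy or inspection device rewriting the TLS session, while an unreachable result with a timeout or "Name or service not known" error points at the allowlist or DNS.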