Using Kubernetes discovery
Venafi Trust Protection Platform™'s Kubernetes discovery feature provides an easy and convenient way to monitor TLS certificates used on clusters managed by the Venafi TLS Protect for Kubernetes module of the Venafi Control Plane. Certificates used on traditional devices and on Kubernetes clusters gain operational status visibility, and enforceable policy control extends to all Kubernetes clusters.
With the Kubernetes discovery feature, administrators will be able to create a new discovery job which imports certificates from all Kubernetes clusters registered to Venafi Control Plane. Once discovered, certificates are placed in containers (similar to policy folders) in corresponding clusters and namespaces. As an administrator you can apply policies to each container, cluster, or a namespace.
Non-compliant certificates can be found on the certificate inventory page in TLS Protect, which provides a way to filter them by a particular cluster, namespace, or container. Certificates that are used on Kubernetes clusters and are issued by Venafi Trust Protection Platform are associated with the corresponding cluster and namespace objects. This allows administrators to see where they are used and which Kubernetes services are at risk.
Kubernetes discovery jobs need network access to Venafi Control Plane to discover certificates within Kubernetes environments. To ensure Venafi Trust Protection Platform™ can reach Venafi Control Plane, customers need to add the following endpoints to their network allowlist.
Venafi Control Plane Endpoints:
- EU Region: api.venafi.eu
- US Region: api.venafi.cloud
Required Access
- Port: TCP 443
- Protocol: HTTPS
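To confirm the allowlist change before scheduling a discovery job, the following PowerShell check, run on the Trust Protection Platform server, tests TCP 443 reachability and a TLS handshake against both endpoints listed above; it is an added example, not part of the Venafi documentation, and assumes the server has outbound DNS resolution (trim the list to your tenant's region).

```powershell
# Added example (not from the Venafi documentation): verify from the Trust Protection Platform
# server that the Venafi Control Plane endpoints are reachable on TCP 443 and complete a TLS
# handshake, so a Kubernetes discovery job does not fail on a missing allowlist entry.
$endpoints = @('api.venafi.eu', 'api.venafi.cloud')   # regions listed on this page
$port = 443

foreach ($endpoint in $endpoints) {
    # Step 1: TCP reachability (catches firewall / allowlist blocks)
    $tcp = Test-NetConnection -ComputerName $endpoint -Port $port -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        Write-Warning "$endpoint : TCP $port blocked - add it to the outbound allowlist"
        continue
    }

    # Step 2: TLS handshake (catches intercepting proxies presenting an untrusted certificate)
    try {
        $client = [System.Net.Sockets.TcpClient]::new($endpoint, $port)
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream())
        $ssl.AuthenticateAsClient($endpoint)   # throws if the chain is not trusted by this host
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        Write-Output ("{0}: OK ({1}), subject {2}, expires {3}" -f `
            $endpoint, $ssl.SslProtocol, $cert.Subject, $cert.NotAfter)
        $ssl.Dispose()
        $client.Dispose()
    } catch {
        Write-Warning "$endpoint : TLS handshake failed - $($_.Exception.Message)"
    }
}
```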