
Viewing Kubernetes cluster information

The Kubernetes Clusters page provides access to a wealth of information on the Kubernetes clusters connected to Venafi Control Plane, including certificate details.

Prerequisites

To view cluster information, you must have already connected one or more clusters to Venafi Control Plane. For more information on connecting Kubernetes clusters to Venafi Control Plane, see Connect a Kubernetes cluster.

Kubernetes Clusters Summary panel

The Summary panel at the top of the Kubernetes Clusters page provides information on the health of clusters, certificates in the inventory, and ingress health. It also shows data on the number of certificates found in clusters, how many certificates in the inventory are not managed by cert-manager, and the number of non-Venafi cert-manager issuers.

The Summary panel contains the following widgets:

  • Clusters with Unhealthy Connection

    This widget displays the number of unhealthy clusters broken down by type:

    • Cluster with lost connection: The count of clusters that have lost their connection to Venafi Control Plane.
    • Cluster not checked in: The count of clusters that are not checked in.
  • Unique Certificates Found in Clusters

    This widget displays the number of unique certificates found within Kubernetes clusters, categorized by their validity period. It ensures accurate counting by considering each certificate only once, regardless of its presence in multiple clusters or locations.

    • Total Certificates: The total count of unique certificates discovered across all validity categories.
    • Long-lived Certificates: Certificates valid for 90 days or longer.
    • Short-lived Certificates: Certificates valid for 7 days or longer, but less than 90 days.
    • Ultra Short-lived Certificates: Certificates valid for less than 7 days.
  • Unhealthy Certificates in Inventory

    This widget displays the number of certificates in Venafi's certificate inventory that were found on Kubernetes clusters, categorized by their health status.

    • Total Certificates: The total count of certificates in inventory regardless of their health status.
    • Healthy Certificates: The count of certificates in inventory in a healthy state.
    • Expired Certificates: The count of expired certificates in inventory.
    • Certificates Not Managed by cert-manager: The count of certificates in inventory not managed by cert-manager.
  • Certificates in Inventory Not Managed by cert-manager

    This widget displays the breakdown of certificates in Venafi's certificate inventory that were found on Kubernetes clusters. Only certificates that meet the discovery rules are added to Venafi's certificate inventory. These rules are:

    • Certificates used on TLS endpoints are always added.
    • Other certificates are only added if they have a validity period of more than 7 days.

    This breakdown shows the total number of certificates added to Venafi's certificate inventory, compared to those not managed by cert-manager.

    • Total Certificates: The total count of unique certificates discovered and added to Venafi's certificate inventory.
    • Managed by cert-manager: The count of certificates managed by cert-manager.
    • Not managed by cert-manager: The count of certificates not managed by cert-manager.
  • Unhealthy Ingresses

    This widget provides a breakdown of Kubernetes ingresses categorized by the health of the certificates they use for TLS termination.

    • Total Ingresses: This shows the total number of ingresses, regardless of the health status of the certificates they use.

    • Healthy Ingresses: This indicates the number of ingresses currently using a healthy certificate.

    • Ingresses with expired certificates: This represents the number of ingresses using expired certificates that require renewal action.

    • Ingresses with certificates expiring in 7 days or less: This shows the number of ingresses using certificates expiring in 7 days or less, requiring renewal action.

  • Non-Venafi cert-manager Issuers

    This widget provides an overview of cert-manager issuers configured on your Kubernetes clusters, categorized by type. Issuer kind is also indicated in brackets, and can be either cluster-wide or namespaced.

    • Total Issuers: Displays the total number of cert-manager issuers, regardless of their specific type or kind.

    • Venafi issuers: Organizations using Venafi issuers benefit from automated certificate issuance that follows pre-defined corporate issuance policies, ensuring certificate compliance.

      • Venafi Enhanced Issuer: The Venafi Enhanced Issuer integrates with the Venafi Control Plane and plays a crucial role in automating certificate management within Kubernetes clusters. It has rich functionalities and is supported by Venafi.

      • Venafi Firefly: Firefly is a high performing, lightweight micro-service for issuing machine identities quickly. Firefly fits well within globally distributed application architectures, and provides high-speed/high-volume certificate issuance capacity with enterprise trust and policy enforcement. Firefly is managed by TLS Protect Cloud and is part of the Venafi Control Plane.

    • Non-Venafi issuers: Issuers in this category require manual review as Venafi does not enforce issuance policies for them.

      • Open-Source Issuer for Venafi: While the open-source issuer integrates with Venafi, it's a community-developed project with limited functionality and support. For enhanced features and security, Venafi recommends using the Venafi Enhanced Issuer.

      • ACME issuer: The ACME issuer in cert-manager allows organizations to obtain certificates from a Certificate Authority (CA), such as Let's Encrypt, using the ACME protocol.

      • Self Signed issuer: Issues certificates signed by the issuer itself, useful for development environments but not recommended for production.

      • CA Issuer: For testing purposes, cert-manager offers a CA issuer. This issuer type is not recommended for production environments due to the complexity of managing certificate rotation, trust store distribution, and disaster recovery.

      • Other third-party issuers: Cert-manager allows integration with issuers developed by external vendors. While this offers flexibility, thoroughly evaluate these issuers before deploying them in a production environment.
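
The validity categories and discovery rules described for the widgets above, worked as an added Python example (not Venafi's code) that shows why the Unique Certificates Found total and the inventory total can differ. The record fields, the sample data, and the reading of "validity period" as not_after minus not_before are assumptions of this example.

```python
from datetime import datetime, timedelta

# Constructed sample records; field names are assumptions of this example.
T0 = datetime(2024, 1, 1)

def cert(fp, days, tls_endpoint, cert_manager):
    return {"fingerprint": fp, "not_before": T0,
            "not_after": T0 + timedelta(days=days),
            "tls_endpoint": tls_endpoint, "cert_manager": cert_manager}

SAMPLE = [
    cert("aa", 365, True, False),  # long-lived, used on a TLS endpoint
    cert("aa", 365, True, False),  # same certificate seen in a second cluster
    cert("bb", 90, False, True),   # exactly 90 days: long-lived
    cert("cc", 30, False, True),   # short-lived
    cert("dd", 7, False, False),   # exactly 7 days: short-lived, but not "more than 7 days"
    cert("ee", 1, True, True),     # ultra short-lived, but on a TLS endpoint
    cert("ff", 1, False, True),    # ultra short-lived, not on an endpoint
]

def unique(certs):
    """Count each certificate once, keyed by fingerprint."""
    return list({c["fingerprint"]: c for c in certs}.values())

def validity_category(c):
    """Assumption: validity period = not_after - not_before."""
    validity = c["not_after"] - c["not_before"]
    if validity >= timedelta(days=90):
        return "long-lived"
    if validity >= timedelta(days=7):
        return "short-lived"
    return "ultra-short-lived"

def in_inventory(c):
    """Discovery rules: TLS endpoint certs always; others only if validity > 7 days."""
    return c["tls_endpoint"] or (c["not_after"] - c["not_before"]) > timedelta(days=7)

def summarize(certs):
    found = unique(certs)
    by_category = {}
    for c in found:
        key = validity_category(c)
        by_category[key] = by_category.get(key, 0) + 1
    inventory = [c for c in found if in_inventory(c)]
    unmanaged = [c["fingerprint"] for c in inventory if not c["cert_manager"]]
    return {"total_found": len(found), "by_category": by_category,
            "total_inventory": len(inventory), "not_managed": unmanaged}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

In the sample, certificate "dd" is counted as short-lived among the certificates found, yet it never reaches the inventory, so it does not appear in the not-managed count even though cert-manager does not manage it.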

To view Kubernetes cluster information

  1. Sign in to Venafi Control Plane.
  2. Click Installations > Kubernetes Clusters.
  3. Click the Name of the cluster whose details you want to view. Cluster information is displayed within a panel located on the right side of your screen.
  4. Click the View Certificates link below the main title in the information panel to see information on the certificates installed on the cluster.

    The Certificates page appears listing all the certificates installed on the cluster.

  5. Click the Certificate Name of any certificate you want more information on. Details on the chosen certificate appear on a panel on the right of your screen.