Reference: Kubernetes Clusters page

The Kubernetes Clusters page lists clusters you have connected to Venafi Control Plane in two sections: summary information about all clusters and a list of individual clusters. You can view details such as cluster status, certificates, and last check-in date.

Summary panel

The Summary panel displays metrics for your Kubernetes clusters, including connection health, unique certificates, and unhealthy certificates. It also shows the number of certificates not managed by cert-manager, unhealthy ingresses, and any non-Venafi issuers.

Item: Description

Clusters with Unhealthy Connection: The number of clusters with an unhealthy connection to Venafi Control Plane, broken down by type.
  • Total Clusters: Total number of clusters.
  • Healthy Clusters: Total number of healthy clusters.
  • Clusters Not Checked In: Clusters not checked in.
  • Cluster with Lost Connection: Clusters that have lost their connection to the Venafi Control Plane.

Unique Certificates Found in Clusters: The number of unique certificates by validity period. Each certificate counts only once, even if found in multiple locations.
  • Total Certificates: Total unique certificates discovered across all validity categories.
  • Long-lived Certificates: Certificates valid for 90 days or longer.
  • Short-lived Certificates: Certificates valid for 7 to 89 days.
  • Ultra Short-lived Certificates: Certificates valid for less than 7 days.

Unhealthy Certificates in Inventory: The number of certificates in the inventory, broken down by health status. Only certificates meeting the discovery rules are added. For example, certificates used on TLS endpoints are always added, but others are only added if valid for more than 7 days.
  • Total Certificates: Total number of certificates in inventory.
  • Healthy Certificates: Number of healthy certificates.
  • Expired Certificates: Number of expired certificates.
  • Expiring in 7 Days or Less: Number of certificates expiring in less than 7 days.

Certificates in Inventory Not Managed by cert-manager: The number of certificates in the inventory, broken down by whether cert-manager manages them.
  • Total Certificates: Total number of certificates in inventory.
  • Managed by cert-manager: Number of certificates managed by cert-manager.
  • Not managed by cert-manager: Number of certificates not managed by cert-manager.

Unhealthy Ingresses: The number of Kubernetes ingresses, broken down by the health of the certificates they use for TLS termination.
  • Total Ingresses: Total number of ingresses.
  • Healthy Ingresses: Number of ingresses with a healthy certificate.
  • Ingresses with expired certificates: Number of ingresses using expired certificates.
  • Ingresses with certificates expiring in 7 days or less: Number of ingresses with certificates expiring in 7 days or less.

Non-CyberArk Issuers: The number of Total Issuers and a list of these by type. Cluster issuers operate cluster-wide, while Namespaced issuers are scoped to a namespace. All issuers are managed by cert-manager.
For example, the following issuers may appear:
  • CA Issuer (Cluster): Certificate Authority (CA) issuer for testing purposes. Not recommended for production due to the complexity of managing certificate rotation, trust store distribution, and disaster recovery.
  • Self Signed Issuer (Cluster): Issues certificates signed by the issuer itself. Useful for development environments, but not recommended for production.
  • ACME (Namespaced): Issuer for CAs such as Let's Encrypt, which use the ACME protocol.
  • Open-Source Issuer for CyberArk Certificate Manager (Namespaced): Community-developed issuer that integrates with CyberArk, but has limited functionality and support.
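
To cross-check the "Unique Certificates Found in Clusters" and "Unhealthy Certificates in Inventory" counts against your own certificate data, the following added example (not product code) applies the thresholds listed above to a list of findings. The record fields, the deduplication by fingerprint, and the reading of "valid for" as the notBefore-to-notAfter period are assumptions, and the sample findings are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

WEEK = timedelta(days=7)

def validity_bucket(cert):
    """Bucket by total validity period, using the thresholds on this page."""
    period = cert["not_after"] - cert["not_before"]
    if period >= timedelta(days=90):
        return "long_lived"
    return "short_lived" if period >= WEEK else "ultra_short_lived"

def health(cert, now):
    """Health status relative to `now`, matching the inventory breakdown."""
    if cert["not_after"] <= now:
        return "expired"
    return "expiring_7_days_or_less" if cert["not_after"] - now <= WEEK else "healthy"

def summarize(findings, now):
    """Return (unique-certificate counts, inventory health counts)."""
    unique = {}
    for f in findings:  # a certificate found in several places counts once
        cert = unique.setdefault(f["fingerprint"], dict(f))
        cert["tls_endpoint"] = cert["tls_endpoint"] or f["tls_endpoint"]
    found, inventory = Counter(), Counter()
    for cert in unique.values():
        found[validity_bucket(cert)] += 1
        # Assumed reading of the discovery rule: TLS endpoint certificates
        # always enter the inventory, others only if valid for more than 7 days.
        if cert["tls_endpoint"] or cert["not_after"] - cert["not_before"] > WEEK:
            inventory[health(cert, now)] += 1
    return dict(found), dict(inventory)

def _f(fp, not_before, not_after, tls):
    utc = lambda s: datetime.fromisoformat(s).replace(tzinfo=timezone.utc)
    return {"fingerprint": fp, "not_before": utc(not_before),
            "not_after": utc(not_after), "tls_endpoint": tls}

# Constructed sample findings (not real data); "aa" appears in two locations.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
FINDINGS = [
    _f("aa", "2024-01-01", "2025-01-01", False),  # long-lived, healthy
    _f("aa", "2024-01-01", "2025-01-01", True),   # same certificate on an ingress
    _f("bb", "2024-05-01", "2024-06-05", False),  # short-lived, expires in 4 days
    _f("cc", "2024-05-30", "2024-06-02", False),  # ultra short-lived, not in inventory
    _f("dd", "2024-05-20", "2024-05-25", True),   # ultra short-lived TLS cert, expired
]

if __name__ == "__main__":
    print(summarize(FINDINGS, NOW))
```
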