Skip to content

CSI driver

CSI driver enables issuing secretless X.509 certificates for pods using cert-manager.

cert-manager CSI driver is a Container Storage Interface (CSI) driver that facilitates mTLS of Pods running inside your cluster using cert-manager. It ensures that the private key and corresponding signed certificate are unique to each Pod and are stored on disk to the node that the Pod is scheduled to. The life cycle of the certificate key pair matches that of the Pod meaning that they will be created at Pod creation, and destroyed during termination. This driver also handles renewal on live certificates on the fly.

A CSI driver is a storage plugin that is deployed into your Kubernetes cluster that can honor volume requests specified on Pods, just like those enabled by default such as the Secret, ConfigMap, or hostPath volume drivers. In the case of the cert-manager CSI driver, it makes use of the ephemeral volume type. An ephemeral volume means that the volume is created and destroyed as the Pod is created and terminated, as well as specifying the volume attributes, without the need of a persistent volume. This permits not only having unique certificates and keys per Pod, where the private key never leaves the hosts node, but that the desired certificate for that Pod template can be defined in line with the deployment spec.


Use of the CSI driver is mostly intended for supporting PKI in your cluster and facilitating mTLS. As such, using a private Certificate Authority through Venafi Enhanced Issuer or other issuers is the recommended deployment strategy. It is not recommended to use public Certificate Authorities, such as Let's Encrypt, which enforce strict rate limits on the number of certificates that can be issued for a single domain. Certificate key pairs from CSI driver are designed to be short-lived and can be created and destroyed at any time during normal operation.