Skip to content

CSI driver

CSI driver enables issuing secretless X.509 certificates for pods using cert-manager.

cert-manager CSI driver is a Container Storage Interface (CSI) driver that facilitates mTLS of Pods running inside your cluster using cert-manager. It ensures that the private key and corresponding signed certificate are unique to each Pod and are stored on disk to the node that the Pod is scheduled to. The life cycle of the certificate key pair matches that of the Pod meaning that they will be created at Pod creation, and destroyed during termination. This driver also handles renewal on live certificates on the fly.

A CSI driver is a storage plugin that is deployed into your Kubernetes cluster that can honor volume requests specified on Pods, just like those enabled by default such as the Secret, ConfigMap, or hostPath volume drivers. In the case of the cert-manager CSI driver, it makes use of the ephemeral volume type. An ephemeral volume means that the volume is created and destroyed as the Pod is created and terminated, as well as specifying the volume attributes, without the need of a persistent volume. This permits not only having unique certificates and keys per Pod, where the private key never leaves the hosts node, but that the desired certificate for that Pod template can be defined in line with the deployment spec.


Use of the CSI driver is mostly intended for supporting a PKI of your cluster and facilitating mTLS, and as such, a private Certificate Authority thought Venafi Enhanced Issuer or other issuers. It is not recommended to use public Certificate Authorities, for example Let's Encrypt, which hold strict rate limits on the number of certificates that can be issued for a single domain. Like Pods, these certificate key pairs are designed to be non-immutable and can be created and destroyed at any time during normal operation.