
Configuring the Venafi for Kubernetes Agent

The Venafi Kubernetes Agent monitors various Kubernetes resources and offers the flexibility to exclude them as needed. It ensures that no sensitive information is transmitted to Venafi Control Plane for evaluation.

Please be aware that the resource requirements for running the agent within a Kubernetes cluster may vary depending on the number of resources present in the cluster.

Certificate identification

The agent extracts certificate information from the following resources:

  • Certificate - A custom resource provided by a cert-manager instance that represents a single X.509 certificate.
  • CertificateRequest - A custom Kubernetes resource deployed by cert-manager. In certain cases, such as with istio-csr, this resource is used to store certificate data.
  • Secret - A native Kubernetes resource for secrets. This is where cert-manager typically stores X.509 certificates. The agent evaluates all Secrets, not only those of type "kubernetes.io/tls", and treats any Secret whose data contains both the tls.crt and tls.key fields as holding a certificate.

By default, the agent collects information about pods and pod controller resources to identify where the certificate resources are being used, as well as other metadata for the platform.

For information on how to filter the resources, see the configuration section below.

Ingress identification

The agent identifies entry points to your workloads from the following resources:

  • Ingress - The native Kubernetes Ingress resource describes named routes to your Kubernetes services including the X.509 certificates they use to secure communication. Venafi Control Plane provides information on the security of these routes based on the certificates they use.
  • Route - The Red Hat OpenShift alternative to Ingress resources. These work in a similar fashion to native ingresses in that they specify routes and the X.509 certificates they use.

Issuer identification

By default, the agent supports all native cert-manager issuers, as well as the following external issuers:

As external cert-manager issuers come with their unique resource definitions, it's necessary to individually add support for them. If you are using an external issuer that is not yet supported, please reach out to Venafi for assistance.

Configuration

You configure the agent using a single YAML file that describes the resources you permit it to monitor. When you add your cluster to the Venafi Control Plane, it already includes all the recommended resources to watch. If you want to exclude any of these, simply remove those lines of configuration from the YAML configuration file.

This configuration is important for handling different Kubernetes distributions. For example, the Route resource is the alternative to the Ingress resource within a Red Hat OpenShift cluster.

Note

Removing monitoring of certain resources could limit your access to the complete range of features offered by Venafi Control Plane.

See the following example configuration file:

server: https://api.venafi.cloud/
venafi-cloud:
  uploader_id: "no"
  upload_path: "/v1/tlspk/upload/clusterdata"
data-gatherers:
  # gather resources for cert-manager package
  - kind: "k8s-dynamic"
    name: "k8s/certificates"
    config:
      resource-type:
        group: cert-manager.io
        version: v1
        resource: certificates

Each element in the data-gatherers list provides some additional configuration values:

  • config.kubeconfig - Allows you to monitor resources in an external cluster. The agent is not limited to the cluster it runs in: it can run outside a cluster and authenticate to it with a kubeconfig file.
  • include-namespaces & exclude-namespaces - These values allow you to filter the namespaces that the agent monitors. By default, the agent watches resources in all namespaces within the cluster.

See the following examples that use these values:

data-gatherers:
  # include only the 'prod' namespace from another cluster
  - kind: "k8s-dynamic"
    name: "k8s/secrets"
    config:
      resource-type:
        version: v1
        resource: secrets
    include-namespaces:
      - prod
  # exclude the kube-system namespace
  - kind: "k8s-dynamic"
    name: "k8s/certificates"
    config:
      resource-type:
        group: cert-manager.io
        version: v1
        resource: certificates
    exclude-namespaces:
      - kube-system
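The following Python script is an added example, not the agent's own code, that ties together two behaviours described on this page: the namespace filtering a data-gatherer applies through include-namespaces and exclude-namespaces, and the way the Certificate identification section says Secrets are evaluated (any type, as long as both tls.crt and tls.key are present). The gatherer entry, cluster namespace list and Secret objects are all constructed inline as the parsed form of the YAML shown above. The precedence rule when both include and exclude lists are set (include first, then exclude) is this example's own assumption, as the page does not state one; the PEM bodies are constructed placeholders rather than real X.509 certificates, so the script only strips the PEM armour and fingerprints the inner bytes instead of parsing them. The security-relevant point it demonstrates is that the record built for upload carries only metadata and a certificate fingerprint, never the tls.key material.

```python
import base64
import hashlib
from typing import Dict, Iterable, List

# Constructed parsed form of one data-gatherers entry (what the YAML above
# would load to). Keys follow the page's configuration examples.
GATHERER = {
    "kind": "k8s-dynamic",
    "name": "k8s/secrets",
    "config": {"resource-type": {"version": "v1", "resource": "secrets"}},
    "include-namespaces": ["prod", "staging"],
    "exclude-namespaces": ["kube-system"],
}

# Constructed list of namespaces present in the cluster.
CLUSTER_NAMESPACES = ["default", "prod", "staging", "dev", "kube-system"]


def _b64(raw: bytes) -> str:
    """Encode bytes the way Secret data fields are stored (base64)."""
    return base64.b64encode(raw).decode()


def _fake_pem(seed: bytes) -> str:
    """Constructed stand-in for a tls.crt value: PEM armour around arbitrary
    bytes. A real tls.crt carries DER-encoded X.509, which is not parsed here."""
    body = base64.b64encode(seed).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def _secret(namespace: str, name: str, type_: str, data: Dict[str, str]) -> Dict:
    return {"metadata": {"namespace": namespace, "name": name}, "type": type_, "data": data}


# Constructed Secret objects covering the cases the page describes.
SECRETS = [
    # kubernetes.io/tls with both fields: reported
    _secret("prod", "web-tls", "kubernetes.io/tls",
            {"tls.crt": _b64(_fake_pem(b"prod-web").encode()), "tls.key": _b64(b"PLACEHOLDER-KEY")}),
    # Opaque type but both fields present: still reported (type is not the criterion)
    _secret("prod", "istio-bundle", "Opaque",
            {"tls.crt": _b64(_fake_pem(b"istio").encode()), "tls.key": _b64(b"PLACEHOLDER-KEY"),
             "ca.crt": _b64(_fake_pem(b"istio-ca").encode())}),
    # tls.crt without tls.key: not treated as a certificate Secret
    _secret("prod", "cert-only", "kubernetes.io/tls",
            {"tls.crt": _b64(_fake_pem(b"cert-only").encode())}),
    # Excluded namespace: never inspected
    _secret("kube-system", "ks-tls", "kubernetes.io/tls",
            {"tls.crt": _b64(_fake_pem(b"ks").encode()), "tls.key": _b64(b"PLACEHOLDER-KEY")}),
    # Namespace not in the include list: never inspected
    _secret("dev", "dev-tls", "kubernetes.io/tls",
            {"tls.crt": _b64(_fake_pem(b"dev").encode()), "tls.key": _b64(b"PLACEHOLDER-KEY")}),
]


def watched_namespaces(gatherer: Dict, cluster_namespaces: Iterable[str]) -> List[str]:
    """Namespaces this gatherer watches. No include list means every namespace
    in the cluster; an include list restricts to those; the exclude list is then
    removed. The ordering when both are set is this example's assumption."""
    selected = set(cluster_namespaces)
    include = gatherer.get("include-namespaces")
    if include:
        selected &= set(include)
    selected -= set(gatherer.get("exclude-namespaces") or [])
    return sorted(selected)


def is_certificate_secret(secret: Dict) -> bool:
    """Page rule: both tls.crt and tls.key present, regardless of Secret type."""
    data = secret.get("data") or {}
    return "tls.crt" in data and "tls.key" in data


def pem_to_der(pem: str) -> bytes:
    """Strip the armour of the first PEM block and return its decoded bytes."""
    lines = [line.strip() for line in pem.splitlines()]
    body = [line for line in lines if line and not line.startswith("-----")]
    if "-----BEGIN CERTIFICATE-----" not in lines:
        raise ValueError("tls.crt does not contain a PEM certificate block")
    return base64.b64decode("".join(body))


def certificate_record(secret: Dict) -> Dict[str, str]:
    """Build the metadata-only record for a Secret: tls.key is never read."""
    pem = base64.b64decode(secret["data"]["tls.crt"]).decode()
    der = pem_to_der(pem)
    return {
        "namespace": secret["metadata"]["namespace"],
        "name": secret["metadata"]["name"],
        "type": secret["type"],
        "fingerprint_sha256": hashlib.sha256(der).hexdigest(),
    }


def gather_certificates(gatherer: Dict, cluster_namespaces: Iterable[str],
                        secrets: Iterable[Dict]) -> List[Dict[str, str]]:
    """Apply the gatherer's namespace filter, then report certificate Secrets."""
    allowed = set(watched_namespaces(gatherer, cluster_namespaces))
    records = []
    for secret in secrets:
        if secret["metadata"]["namespace"] not in allowed:
            continue
        if not is_certificate_secret(secret):
            continue
        records.append(certificate_record(secret))
    return records


if __name__ == "__main__":
    print("watched namespaces:", watched_namespaces(GATHERER, CLUSTER_NAMESPACES))
    for record in gather_certificates(GATHERER, CLUSTER_NAMESPACES, SECRETS):
        print(record)
```

Running the script reports web-tls and istio-bundle only: cert-only lacks tls.key, ks-tls sits in an excluded namespace, and dev-tls is outside the include list. Each record contains the Secret's namespace, name, type and a SHA-256 fingerprint of the certificate bytes, which is the kind of data a practitioner can safely let leave the cluster; the private key field is never decoded.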