Visibility

After installing cert-orchestrator on the designated cluster and enabling the certificate discovery feature, AppViewX builds an inventory of the Kubernetes certificates found across all your connected Kubernetes clusters. This centralized view lets you manage every certificate proactively (for example, renewing it before it expires) instead of discovering it only when something breaks.

Managing Certificate Groups for Kubernetes Clusters

When the Discovery Feature Gate is enabled with the Auto Create Certificate Groups option (enabled by default), the platform automatically organizes certificates by Kubernetes cluster and namespace. Grouping certificates under this structured hierarchy keeps the inventory organized and lets access control follow the same cluster and namespace boundaries that exist in Kubernetes.

Cluster-Based Grouping:
  • The platform creates a certificate group for each discovered Kubernetes cluster.

Namespace-Based Grouping:
  • Within each cluster group, namespace-specific certificate groups are automatically created.

  • These namespace groups act as child groups under their respective Kubernetes cluster group.

Parent Group for Kubernetes Certificates:
  • All Kubernetes-related certificate groups are mapped under a Parent Group called "Kube Plus Group".

  • This ensures clear segregation between Kubernetes certificates and other certificates.

Key Benefits

Automatic Organization – No need for manual certificate group creation; Kubernetes certificates are automatically structured.

Fine-Grained Access Control – Admins can assign permissions at the cluster and namespace levels, ensuring secure access management.

Simplified Certificate Management – Certificates are categorized in a logical structure, making them easier to locate and manage.

Certificate Endpoint View – Understanding Where Certificates Are Used

Inventory View: The Certificate Endpoint View feature lets users identify where a certificate is used within a Kubernetes environment. By enabling Kube Attributes in the inventory view, users can see detailed information about the certificate's usage across clusters, namespaces, and Kubernetes objects (for example, the Secret that holds it and the Ingress that references it). This helps with troubleshooting, auditing, and managing certificates effectively.

Holistic View

The certificate details and connector actions can be viewed by clicking the common name of the certificate in the certificate inventory. The connector name identifies the kind of Kubernetes object the certificate was discovered in:
  • For certificates found in Kubernetes Secrets, the connector name starts with the prefix "Secret".

  • For certificates discovered through Routes, the connector name starts with the prefix "Route".

  • For certificates discovered from ConfigMap objects, the connector name starts with the prefix "configmap".

The Certificate Inventory, where certificates discovered from Kubernetes clusters are managed, is further classified into:
  1. Ingress certificates - Certificates that are used by Ingress controllers.

  2. Infrastructure certificates - Certificates discovered from Kubernetes control plane components.

  3. Service Mesh - Certificates enrolled from AppViewX for Service Mesh for mTLS authentication.

  4. Others - Certificates that do not fit any of the three classifications above are classified as Others.

Note: To see all certificates across all categories, use the "All" option.
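The following is an added example, not AppViewX or cert-orchestrator code, that models offline what the discovery feature described above produces: it fingerprints each certificate found in a Secret or ConfigMap, names the connector with the "Secret" / "configmap" prefixes, maps the certificate to the Ingress objects that reference it (the Certificate Endpoint View), classifies it as Ingress or Others, and nests it under the Kube Plus Group / cluster / namespace hierarchy. All cluster objects are constructed inline, the PEM bodies are placeholder bytes rather than real X.509 DER, and the connector name format "<prefix>/<cluster>/<namespace>/<name>" and the group path layout are assumptions for illustration; the product's exact strings are not documented on this page.

```python
"""Offline model of Kubernetes certificate discovery: fingerprint each
certificate, name its connector, map it to the objects that use it, and
place it in the cluster/namespace group hierarchy. Example code; all
objects below are constructed, not pulled from a live cluster."""
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_fingerprint(pem: str) -> str:
    """SHA-256 over the DER body of the first PEM certificate block.
    Placeholder DER bytes are used in this example; a real tool would also
    parse the certificate (e.g. with the cryptography library) for CN/expiry."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def fake_pem(seed: str) -> str:
    """Constructed stand-in for tls.crt; the body is not a real X.509 DER."""
    body = base64.b64encode(seed.encode().ljust(64, b"\0")).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def k8s_secret(ns, name, pem):
    # Kubernetes stores Secret data values base64-encoded.
    return {"kind": "Secret", "type": "kubernetes.io/tls",
            "metadata": {"namespace": ns, "name": name},
            "data": {"tls.crt": base64.b64encode(pem.encode()).decode()}}


def k8s_configmap(ns, name, pem):
    # ConfigMap data values are plain text.
    return {"kind": "ConfigMap", "metadata": {"namespace": ns, "name": name},
            "data": {"ca.crt": pem}}


def k8s_ingress(ns, name, secret_names):
    return {"kind": "Ingress", "metadata": {"namespace": ns, "name": name},
            "spec": {"tls": [{"secretName": s} for s in secret_names]}}


# Constructed sample: two clusters; the same internal CA appears in both.
CLUSTERS = {
    "prod-east": [
        k8s_secret("shop", "shop-tls", fake_pem("shop.example.com")),
        k8s_ingress("shop", "shop-web", ["shop-tls"]),
        k8s_configmap("kube-system", "cluster-ca", fake_pem("internal-ca")),
    ],
    "prod-west": [
        k8s_secret("api", "api-tls", fake_pem("api.example.com")),
        k8s_configmap("kube-system", "cluster-ca", fake_pem("internal-ca")),
    ],
}


def discover(clusters):
    """Return {fingerprint: record}: one record per distinct certificate,
    listing every connector that holds it and every Ingress that uses it."""
    inventory = {}
    secret_index = {}  # (cluster, namespace, secret name) -> fingerprint
    for cluster, objects in clusters.items():
        for obj in objects:
            ns, name = obj["metadata"]["namespace"], obj["metadata"]["name"]
            if obj["kind"] == "Secret" and obj.get("type") == "kubernetes.io/tls":
                pem = base64.b64decode(obj["data"]["tls.crt"]).decode()
                prefix = "Secret"
            elif obj["kind"] == "ConfigMap" and "ca.crt" in obj["data"]:
                pem = obj["data"]["ca.crt"]
                prefix = "configmap"
            else:
                continue
            fp = pem_fingerprint(pem)
            rec = inventory.setdefault(fp, {"groups": set(), "connectors": [], "used_by": []})
            rec["groups"].add(f"Kube Plus Group/{cluster}/{ns}")
            # Assumed connector format: <prefix>/<cluster>/<namespace>/<object name>.
            rec["connectors"].append(f"{prefix}/{cluster}/{ns}/{name}")
            if prefix == "Secret":
                secret_index[(cluster, ns, name)] = fp
    # Second pass: Ingress -> Secret references give the endpoint view.
    for cluster, objects in clusters.items():
        for obj in objects:
            if obj["kind"] != "Ingress":
                continue
            ns, name = obj["metadata"]["namespace"], obj["metadata"]["name"]
            for tls in obj["spec"].get("tls", []):
                fp = secret_index.get((cluster, ns, tls["secretName"]))
                if fp:  # a dangling secretName is a misconfiguration, not an endpoint
                    inventory[fp]["used_by"].append(f"Ingress/{cluster}/{ns}/{name}")
    for rec in inventory.values():
        # Only the Ingress rule is derivable from these objects; control-plane
        # and service-mesh classification needs data not modelled here.
        rec["category"] = "Ingress" if rec["used_by"] else "Others"
    return inventory


def group_tree(inventory):
    """Nest fingerprints under Kube Plus Group -> cluster -> namespace."""
    tree = {}
    for fp, rec in inventory.items():
        for path in rec["groups"]:
            parent, cluster, ns = path.split("/")
            tree.setdefault(parent, {}).setdefault(cluster, {}).setdefault(ns, []).append(fp)
    return tree


if __name__ == "__main__":
    inv = discover(CLUSTERS)
    for fp, rec in inv.items():
        print(fp[:16], rec["category"], rec["connectors"], rec["used_by"])
    print(group_tree(inv))
```

Two points worth noticing in the output: the internal CA is one inventory entry with two connectors, because discovery deduplicates by fingerprint rather than by object, and it lands in two cluster groups; and the shop certificate is the only one classified as Ingress, since only it is referenced from an Ingress spec.tls entry. The Infrastructure and Service Mesh categories on the page require knowledge of control-plane components and mesh enrollment that plain Secret/ConfigMap/Ingress objects do not carry, so this model leaves them out rather than guessing.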