Creating a new Kubernetes Discovery job
When configuring Kubernetes discovery jobs, you will first need to create a Venafi TLS Protect for Kubernetes service account.
To create a new Kubernetes Discovery job
-
From the TLS Protect menu bar, click Configuration > Jobs.
(Optional) To filter the Jobs list by one or more specific job types, use the Job Type filter. See Filtering the Jobs list by job type.
-
Click + Create New Job to start the Create New Job wizard.
-
On the Create New Job page, select Kubernetes Discovery, and then click Start.
- Under Job Details, in the Name field of the New Kubernetes Discovery Job page, type a name for your new Kubernetes Discovery job.
-
(Optional) In the Description field, type a description that describes the purpose for your new job.
A strong description can be useful in helping other administrators better understand the purpose of your new object (such as certificates, jobs, credentials, devices, trust stores, etc.), or to remind yourself later why you created it.
-
(Optional) In the Contacts field, begin typing the name a user name to specify one or more contacts for your new job.
To add multiple contact names, press Enter after finding each name.
-
(Conditional) If you do not have an existing Venafi TLS Protect for Kubernetes Service Account Credential, begin by clicking create a Service Account link. The Venafi TLS Protect for Kubernetes Login/Sign Up page will open in a new window.
-
Log In or Sign Up for a Venafi TLS Protect for Kubernetes account.
-
Select Organization > Manage > Service Accounts.
-
Click the CREATE SERVICE ACCOUNT button.
-
Enter service account name and click Create.
-
Using the copy icon, copy the User Id and User Secret. These credentials will be used when creating a new user credential for the Kubernetes Discovery job.
-
Return to the Trust Protection Platform New Kubernetes Discovery Job page and click Create New Credential.
-
Enter the details for the new user credential using the credentials from the service account you created in the User Name and Password fields.
-
Click Create.
-
-
Next, configure the job settings.
-
Indicate from which Kubernetes cluster you want to discover certificates. If you will only be discovering from selected clusters, use the controls to move the clusters into the Selected clusters box.
-
Select if you want to ignore certificates from inactive clusters.
Clusters are considered inactive when they do not report data to Venafi TLS Protect for Kubernetes, but they are still registered. -
Select if you want to include expired certificates.
-
Specify the minimum validity of the certificates which you want to discover.
-
Using the drop-down box select a folder where the discovered clusters and certificates should be placed.
-
In the Retirement section, select how the system should handle deleted Kubernetes clusters.
Clusters are considered deleted when removed from Venafi TLS Protect for Kubernetes. Based on your selection, the following details apply:-
Delete - When clusters are deleted from Venafi TLS Protect for Kubernetes, they will be removed from the Venafi Trust Protection Platform Inventory and their related certificates will be deleted if they are not associated with other applications, Kubernetes clusters, or namespaces. If there are certificates associated with another Kubernetes cluster or application, they are automatically moved into a new Kubernetes policy folder labeled Associated Certificates (automatically moved) under the same organization.
-
Move - When clusters are deleted from Venafi TLS Protect for Kubernetes, they will be moved to a new location. If their related certificates are associated to another application, Kubernetes cluster, or namespace, they will be moved to Associated Certificates (automatically moved). Otherwise, they will be moved to Archived.
-
-
Next, select how the system should handle deleted certificates.
-
Retire - When certificates are deleted from the Kubernetes cluster, certificates monitoring is disabled if the certificates are not in use by another application, Kubernetes cluster, or namespace. Certificates that are in use by another cluster or application are automatically moved to a new Kubernetes policy folder labeled Associated Certificates (automatically moved) and are not retired.
-
Revoke - When certificates are deleted from the Kubernetes cluster, and they are issued by Venafi, a revocation is requested if the certificates are not in use by another application, Kubernetes cluster, or namespace. Certificates that are in use by another cluster or application are automatically moved to a new Kubernetes policy folder labeled Associated Certificates (automatically moved) and revocation is not requested.
-
Specify certificate revocation for a number of days. In the event that a certificate is deleted from the Kubernetes cluster, it will not be immediately revoked for a specified period of time, but rather will be kept in a monitoring state during that time. This intentional delay is to allow time for any dependent systems or applications to be updated and avoid disruption. After the specified period of time, the certificate would then be revoked if it has not been reissued or renewed.
-
-
Delete - When certificates are deleted from the Kubernetes cluster, they are removed from the inventory if the certificates are not in use by another application, Kubernetes cluster, or namespace. Certificates that are in use by another cluster or application are automatically moved to a new Kubernetes policy folder labeled Associated Certificates (automatically moved).
-
Move - When certificates are deleted from the Kubernetes cluster, they are moved to the specified location if the certificates are not in use by another application, Kubernetes cluster, or namespace. Certificates that are in use by another cluster or application are automatically moved to a new Kubernetes policy folder labeled Associated Certificates (automatically moved).
-
-
Click Next.
-
-
Finally, select the frequency of when you would like the job to run.
- Click Create Job.