[TOOLS] 3 min read · OraCore Editors

LinkedIn deepens Kubernetes security with cert-manager

LinkedIn built a workload-identity framework for Kubernetes that automates cert issuance, policy checks, and mTLS across large clusters.


LinkedIn built a Kubernetes identity system that automates certificate issuance and workload attestation.

LinkedIn detailed a new Kubernetes security framework that ties each workload to a verifiable identity, using automated certificate issuance, attestation, and policy checks across its infrastructure. The system is designed to cut identity spoofing risk while reducing manual credential work for developers.

Publication date: May 22
Read time: 8 min
Scale cited: thousands of nodes
Scale cited: hundreds of thousands of pods per cluster

What changed

The company extended cert-manager to issue, rotate, and delete certificates for Kubernetes workloads, with a CSI driver that mounts certificates into containers while keeping private keys on the node: the key is generated where the pod runs and written into the pod's volume, so it never has to be stored as a Kubernetes Secret. LinkedIn says that setup lowers exfiltration risk and lets identity follow the workload through its lifecycle.

LinkedIn split the rollout into two paths: a “Fully Managed” mode for most services and a “Self Serve” mode for manually deployed or external systems. A custom component called Lipki-Controller handles CertificateRequest approval and issuance after checking each request against an internal Identity Registry.

  • Workloads get a digital credential when created.
  • A `spiffe: enabled` label triggers webhook-based injection.
  • The CSI driver creates CertificateRequest objects for each workload.
  • Lipki-Controller attests identity before signing certificates.
  • Kyverno policies limit who can request certificates.
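The attestation step in the list above, written out as an added Go example rather than LinkedIn's Lipki-Controller code (whose internals the post does not show): a CSR arriving in a CertificateRequest is checked for a valid self-signature, restricted to a single SPIFFE URI SAN, and compared with the identity an in-memory registry assigns to the requesting namespace and service account. The registry shape, the `namespace/serviceaccount` key, the trust domain `example.internal`, and the `NewCSR` helper are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"errors"
	"fmt"
	"net/url"
)

// IdentityRegistry maps a workload, keyed "namespace/serviceaccount", to the one
// SPIFFE ID it may be issued. Hypothetical stand-in for the internal registry
// the post describes; a real one would be backed by a service or a CRD.
type IdentityRegistry map[string]string

// RequestContext is what an approver knows about a CertificateRequest besides
// the CSR bytes: the requester identity the API server recorded on the object.
type RequestContext struct {
	Namespace      string
	ServiceAccount string
	CSR            []byte // DER-encoded PKCS#10 request
}

// Approve decides whether the CSR may be signed. It checks proof of possession,
// allows nothing but a single URI SAN, and requires that URI to equal the
// identity the registry assigns to the requester. The CSR's own claim is never
// trusted by itself: the registry, not the requester, names the identity.
func Approve(reg IdentityRegistry, rc RequestContext) (string, error) {
	csr, err := x509.ParseCertificateRequest(rc.CSR)
	if err != nil {
		return "", fmt.Errorf("malformed CSR: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return "", fmt.Errorf("CSR not signed by its own key: %w", err)
	}
	if len(csr.DNSNames)+len(csr.IPAddresses)+len(csr.EmailAddresses) > 0 || csr.Subject.CommonName != "" {
		return "", errors.New("only a URI SAN is permitted in an SVID request")
	}
	if len(csr.URIs) != 1 {
		return "", fmt.Errorf("expected exactly one URI SAN, got %d", len(csr.URIs))
	}
	want, ok := reg[rc.Namespace+"/"+rc.ServiceAccount]
	if !ok {
		return "", fmt.Errorf("workload %s/%s is not registered", rc.Namespace, rc.ServiceAccount)
	}
	if got := csr.URIs[0].String(); got != want {
		return "", fmt.Errorf("identity mismatch: CSR asks for %s, registry allows %s", got, want)
	}
	return want, nil
}

// NewCSR builds a DER CSR for spiffeID with a fresh P-256 key, standing in for
// what the CSI driver generates on the node (the private key stays with the caller).
func NewCSR(spiffeID string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	u, err := url.Parse(spiffeID)
	if err != nil {
		return nil, err
	}
	return x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{URIs: []*url.URL{u}}, key)
}

func main() {
	// Constructed registry and requests; the trust domain example.internal is assumed.
	reg := IdentityRegistry{"payments/api": "spiffe://example.internal/ns/payments/sa/api"}
	legit, _ := NewCSR("spiffe://example.internal/ns/payments/sa/api")
	spoof, _ := NewCSR("spiffe://example.internal/ns/billing/sa/ledger")
	for _, rc := range []RequestContext{{"payments", "api", legit}, {"payments", "api", spoof}} {
		id, err := Approve(reg, rc)
		fmt.Printf("approved=%q err=%v\n", id, err)
	}
}
```

Two gates are at work in the setup the post describes: admission policy (Kyverno, in LinkedIn's case) limits who may create CertificateRequest objects at all, and the approver above decides which identity a permitted requester may actually obtain. In a real controller the namespace and service account would be taken from the requester identity cert-manager's webhook records on the CertificateRequest (spec.username and spec.groups), never from the CSR body, because the whole point is that a pod cannot name its own identity.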

LinkedIn also wired in SPIFFE-style identity, mutual TLS, and internal authentication libraries for Java, Go, and Rust. Those libraries hide most credential handling from application teams and support hot-reloadable TLS contexts in some Java frameworks, so renewed certs can be picked up without restarts.
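The hot-reload behaviour described above, shown as an added Go example rather than code from LinkedIn's Java, Go, or Rust libraries: the tls.Config GetCertificate and GetClientCertificate callbacks fetch the pair from the CSI mount on every handshake, the files are re-read only when tls.crt's modification time changes, and a half-written or corrupt renewal leaves the last good pair in service. The mount layout (tls.crt and tls.key in one directory) and the self-signed writer that stands in for the driver's renewal are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"sync"
	"time"
)

// ReloadingCert hands out the cert/key pair under a CSI mount directory and
// re-reads it when tls.crt's mtime changes, so a renewal written by the driver
// is used on the next handshake without a restart. Assumed layout: <dir>/tls.crt, <dir>/tls.key.
type ReloadingCert struct {
	certPath, keyPath string
	mu                sync.Mutex
	cert              *tls.Certificate
	loaded            time.Time // mtime of tls.crt at the last successful load
}

func NewReloadingCert(dir string) *ReloadingCert {
	return &ReloadingCert{certPath: filepath.Join(dir, "tls.crt"), keyPath: filepath.Join(dir, "tls.key")}
}

// Current returns the cached pair, reloading if tls.crt changed on disk. If the new
// files do not parse (half-written renewal, key/cert mismatch) the last good pair
// keeps being served and the reload is retried on the next call.
func (r *ReloadingCert) Current() (*tls.Certificate, error) {
	r.mu.Lock()
	defer r.mu.Unlock()
	st, err := os.Stat(r.certPath)
	if err == nil && !(r.cert != nil && st.ModTime().Equal(r.loaded)) {
		var c tls.Certificate
		if c, err = tls.LoadX509KeyPair(r.certPath, r.keyPath); err == nil {
			r.cert, r.loaded = &c, st.ModTime()
		}
	}
	if r.cert != nil {
		return r.cert, nil // cached, freshly loaded, or last good pair after a failed reload
	}
	return nil, err
}

// TLSConfig wires the reloader into both sides of an mTLS connection; the callbacks
// run per handshake, so a renewed certificate is picked up automatically.
func (r *ReloadingCert) TLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion:           tls.VersionTLS13,
		GetCertificate:       func(*tls.ClientHelloInfo) (*tls.Certificate, error) { return r.Current() },
		GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return r.Current() },
	}
}

// ServedSerial reports the serial of the certificate currently handed to handshakes.
func (r *ReloadingCert) ServedSerial() (int64, error) {
	c, err := r.Current()
	if err != nil {
		return 0, err
	}
	leaf, err := x509.ParseCertificate(c.Certificate[0])
	if err != nil {
		return 0, err
	}
	return leaf.SerialNumber.Int64(), nil
}

// WriteSelfSigned writes a fresh self-signed pair with the given serial into dir, key
// first and certificate last so a reader never pairs a new cert with an old key.
// Constructed test data standing in for a renewal by the driver, not a real SVID.
func WriteSelfSigned(dir string, serial int64) error {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial),
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	kd, _ := x509.MarshalECPrivateKey(key) // cannot fail for a key generated just above
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: kd})
	if err := os.WriteFile(filepath.Join(dir, "tls.key"), keyPEM, 0o600); err != nil {
		return err
	}
	return os.WriteFile(filepath.Join(dir, "tls.crt"), pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), 0o644)
}

func main() {
	dir, _ := os.MkdirTemp("", "svid")
	defer os.RemoveAll(dir)
	_ = WriteSelfSigned(dir, 1)
	r := NewReloadingCert(dir)
	before, _ := r.ServedSerial()
	time.Sleep(50 * time.Millisecond) // let the mtime tick before "renewing"
	_ = WriteSelfSigned(dir, 2)
	after, _ := r.ServedSerial()
	fmt.Println("serial before renewal:", before, "after:", after)
}
```

The write order matters in practice: if the driver wrote tls.crt before tls.key, a reader could load the new certificate with the old key and fail the pair check, which is exactly why Current keeps serving the previous pair on any load error instead of failing handshakes. Frameworks without a per-handshake callback need a watcher that rebuilds the TLS context on file change; the effect is the same, renewed certificates are live without a process restart.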

Why it matters

For platform teams, the main gain is less toil. Security defaults move into the deployment path, so developers do not have to handcraft certificates or manage identity plumbing for every service, job, or database connection.

For operators, the bigger issue is scale. LinkedIn said the system has to work across multi-cluster jobs, deployment churn, and very large pod counts, which means certificate tooling must stay fast even when workloads are starting, stopping, and moving across clusters.

The architecture also shows how open-source components can be pushed into enterprise-grade identity systems when paired with internal attestation, policy enforcement, and observability. That mix is likely to matter for any company running large Kubernetes estates and trying to standardize trust without slowing delivery.

The takeaway: Kubernetes security is shifting from static secrets to workload identity, and LinkedIn is treating certificate automation as core infrastructure rather than a side tool.