[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"article-linkedin-kubernetes-security-cert-manager-framework-en":3,"article-related-linkedin-kubernetes-security-cert-manager-framework-en":30,"series-tools-575a28e5-32ca-4c6c-adef-1558718e2761":82},{"id":4,"slug":5,"title":6,"content":7,"summary":8,"source":9,"source_url":10,"author":11,"image_url":12,"cover_image":12,"category":13,"language":14,"translated_content":11,"related_article_id":15,"keywords":16,"key_takeaways":22,"views":26,"created_at":27,"published_at":28,"topic_cluster_id":29},"575a28e5-32ca-4c6c-adef-1558718e2761","linkedin-kubernetes-security-cert-manager-framework-en","LinkedIn deepens Kubernetes security with cert-manager","\u003Cp data-speakable=\"summary\">LinkedIn built a Kubernetes identity system that automates certificate issuance and workload attestation.\u003C\u002Fp>\u003Cp>LinkedIn detailed a new Kubernetes security framework that ties each workload to a verifiable identity, using automated certificate issuance, attestation, and policy checks across its infrastructure. 
The system is designed to cut identity spoofing risk while reducing manual credential work for developers.\u003C\u002Fp>\u003Ctable>\u003Cthead>\u003Ctr>\u003Cth>Item\u003C\u002Fth>\u003Cth>Value\u003C\u002Fth>\u003C\u002Ftr>\u003C\u002Fthead>\u003Ctbody>\u003Ctr>\u003Ctd>Publication date\u003C\u002Ftd>\u003Ctd>May 22\u003C\u002Ftd>\u003C\u002Ftr>\u003Ctr>\u003Ctd>Read time\u003C\u002Ftd>\u003Ctd>8 min\u003C\u002Ftd>\u003C\u002Ftr>\u003Ctr>\u003Ctd>Scale cited\u003C\u002Ftd>\u003Ctd>Thousands of nodes\u003C\u002Ftd>\u003C\u002Ftr>\u003Ctr>\u003Ctd>Scale cited\u003C\u002Ftd>\u003Ctd>Hundreds of thousands of pods per cluster\u003C\u002Ftd>\u003C\u002Ftr>\u003C\u002Ftbody>\u003C\u002Ftable>\u003Ch2>What changed\u003C\u002Fh2>\u003Cp>The company extended \u003Ca href=\"https:\u002F\u002Fcert-manager.io\u002F\" target=\"_blank\" rel=\"noopener\">cert-manager\u003C\u002Fa> to issue, rotate, and delete certificates for Kubernetes workloads, with a CSI driver that mounts certs into containers while keeping private keys on the node. LinkedIn says that setup lowers exfiltration risk and lets identity follow the workload through its lifecycle.\u003C\u002Fp>\n\u003Cfigure class=\"my-6\">\u003Cimg src=\"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1779592549275-atz7.png\" alt=\"LinkedIn deepens Kubernetes security with cert-manager\" class=\"rounded-xl w-full\" loading=\"lazy\" \u002F>\u003C\u002Ffigure>\n\u003Cp>LinkedIn split the rollout into two paths: a “Fully Managed” mode for most services and a “Self Serve” mode for manually deployed or external systems. 
A custom component called Lipki-Controller handles CertificateRequest approval and issuance after checking each request against an internal Identity Registry.\u003C\u002Fp>\u003Cul>\u003Cli>Workloads get a digital credential when created.\u003C\u002Fli>\u003Cli>A `spiffe: enabled` label triggers webhook-based injection.\u003C\u002Fli>\u003Cli>The CSI driver creates CertificateRequest objects for each workload.\u003C\u002Fli>\u003Cli>Lipki-Controller attests identity before signing certificates.\u003C\u002Fli>\u003Cli>\u003Ca href=\"https:\u002F\u002Fkyverno.io\u002F\" target=\"_blank\" rel=\"noopener\">Kyverno\u003C\u002Fa> policies limit who can request certificates.\u003C\u002Fli>\u003C\u002Ful>\u003Cp>LinkedIn also wired in \u003Ca href=\"https:\u002F\u002Fspiffe.io\u002F\" target=\"_blank\" rel=\"noopener\">SPIFFE\u003C\u002Fa>-style identity, mutual TLS, and internal authentication libraries for Java, Go, and \u003Ca href=\"\u002Ftag\u002Frust\">Rust\u003C\u002Fa>. Those libraries hide most credential handling from application teams and support hot-reloadable TLS contexts in some Java frameworks, so renewed certs can be picked up without restarts.\u003C\u002Fp>\u003Ch2>Why it matters\u003C\u002Fh2>\u003Cp>For platform teams, the main gain is less toil. Security defaults move into the deployment path, so developers do not have to handcraft certificates or manage identity plumbing for every service, job, or database connection.\u003C\u002Fp>\n\u003Cfigure class=\"my-6\">\u003Cimg src=\"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1779592550462-mx7m.png\" alt=\"LinkedIn deepens Kubernetes security with cert-manager\" class=\"rounded-xl w-full\" loading=\"lazy\" \u002F>\u003C\u002Ffigure>\n\u003Cp>For operators, the bigger issue is scale. 
LinkedIn said the system has to work across multi-cluster jobs, deployment churn, and very large pod counts, which means certificate tooling must stay fast even when workloads are starting, stopping, and moving across clusters.\u003C\u002Fp>\u003Cp>The architecture also shows how open-source components can be pushed into enterprise-grade identity systems when paired with internal attestation, policy enforcement, and observability. That mix is likely to matter for any company running large Kubernetes estates and trying to standardize trust without slowing delivery.\u003C\u002Fp>\u003Cp>The takeaway: Kubernetes security is shifting from static secrets to workload identity, and LinkedIn is treating certificate automation as core infrastructure rather than a side tool.\u003C\u002Fp>","LinkedIn built a workload-identity framework for Kubernetes that automates cert issuance, policy checks, and mTLS across large clusters.","www.startuphub.ai","https:\u002F\u002Fwww.startuphub.ai\u002Fai-news\u002Ftech\u002F2026\u002Fkubernetes-security-goes-deep",null,"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1779592549275-atz7.png","tools","en","74973ee4-a982-4625-9223-74758ccd909b",[17,18,19,20,21],"Kubernetes","cert-manager","workload identity","Kyverno","mTLS",[23,24,25],"LinkedIn automated Kubernetes workload identity with cert-manager and internal attestation.","Kyverno policies and an Identity Registry add guardrails around certificate issuance.","The design aims to reduce developer toil while handling very large multi-cluster 
scale.",5,"2026-05-24T03:15:28.251252+00:00","2026-05-24T03:15:28.244+00:00","e1ede1db-0a41-4013-a2f8-bc8f8d36f725",{"tags":31,"relatedLang":41,"relatedPosts":45},[32,34,36,38,39],{"name":21,"slug":33},"mtls",{"name":17,"slug":35},"kubernetes",{"name":19,"slug":37},"workload-identity",{"name":18,"slug":18},{"name":20,"slug":40},"kyverno",{"id":15,"slug":42,"title":43,"language":44},"linkedin-kubernetes-security-cert-manager-framework-zh","LinkedIn 強化 Kubernetes 身分安全","zh",[46,52,58,64,70,76],{"id":47,"slug":48,"title":49,"cover_image":50,"image_url":50,"created_at":51,"category":13},"6c73d853-b09f-4d14-ab64-549e19726135","cursors-latest-update-ide-workflow-tools-en","Cursor’s latest update proves IDEs must become workflow tools","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1781491673281-ub6v.png","2026-06-15T02:47:20.88317+00:00",{"id":53,"slug":54,"title":55,"cover_image":56,"image_url":56,"created_at":57,"category":13},"33220b48-098e-4417-90f2-681787bbb128","cursor-bugbot-before-push-not-pr-en","Cursor’s Bugbot belongs before the push, not in the PR","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1781490763751-pnh5.png","2026-06-15T02:32:16.801116+00:00",{"id":59,"slug":60,"title":61,"cover_image":62,"image_url":62,"created_at":63,"category":13},"6997fa46-16f8-48bd-80dc-fe20f08815a2","prompt-engineering-writing-skill-not-magic-trick-en","Prompt engineering is a writing skill, not a magic trick","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1781470978720-rxo2.png","2026-06-14T21:02:28.362525+00:00",{"id":65,"slug":66,"title":67,"cover_image":68,"image_url":68,"created_at":69,"category":13},"50c2cc6b-fdf4-425a-aa80-05be0dee9815","open-notebook-turns-notebooklm-into-open-source-en","Open-Notebook turns NotebookLM into open 
source","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1781450301942-cx4t.png","2026-06-14T15:17:50.526134+00:00",{"id":71,"slug":72,"title":73,"cover_image":74,"image_url":74,"created_at":75,"category":13},"1871beaf-fb67-4bc8-bffc-0b2cca267767","gpu-mag-list-turns-gpu-tests-into-workflow-en","GPU Mag’s list turns GPU tests into a workflow","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1781440408229-5thl.png","2026-06-14T12:33:00.989747+00:00",{"id":77,"slug":78,"title":79,"cover_image":80,"image_url":80,"created_at":81,"category":13},"aad700b5-14b0-4350-83d9-33610b119087","openai-pricing-turns-token-math-into-budgets-en","OpenAI pricing turns token math into budgets","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1781436806476-wy8s.png","2026-06-14T11:32:54.284793+00:00",[83,88,93,98,103,108,113,118,123,128],{"id":84,"slug":85,"title":86,"created_at":87},"8008f1a9-7a00-4bad-88c9-3eedc9c6b4b1","surepath-ai-mcp-policy-controls-en","SurePath AI's New MCP Policy Controls Enhance AI Security","2026-03-26T01:26:52.222015+00:00",{"id":89,"slug":90,"title":91,"created_at":92},"27e39a8f-b65d-4f7b-a875-859e2b210156","mcp-standard-ai-tools-2026-en","MCP Standard in 2026: Integrating AI Tools","2026-03-26T01:27:43.127519+00:00",{"id":94,"slug":95,"title":96,"created_at":97},"165f9a19-c92d-46ba-b3f0-7125f662921d","rag-2026-transforming-enterprise-ai-en","How RAG in 2026 is Transforming Enterprise AI","2026-03-26T01:28:11.485236+00:00",{"id":99,"slug":100,"title":101,"created_at":102},"6a2a8e6e-b956-49d8-be12-cc47bdc132b2","mastering-ai-prompts-2026-guide-en","Mastering AI Prompts: A 2026 Guide for 
Developers","2026-03-26T01:29:07.835148+00:00",{"id":104,"slug":105,"title":106,"created_at":107},"3ab2c67e-4664-4c67-a013-687a2f605814","garry-tan-open-sources-claude-code-toolkit-en","Garry Tan Open-Sources a Claude Code Toolkit","2026-03-26T08:26:20.245934+00:00",{"id":109,"slug":110,"title":111,"created_at":112},"66a7cbf8-7e76-41d4-9bbf-eaca9761bf69","github-ai-projects-to-watch-in-2026-en","20 GitHub AI Projects to Watch in 2026","2026-03-26T08:28:09.752027+00:00",{"id":114,"slug":115,"title":116,"created_at":117},"9f332fda-eace-448a-a292-2283951eee71","practical-github-guide-learning-ml-2026-en","A Practical GitHub Guide to Learning ML in 2026","2026-03-27T01:16:50.125678+00:00",{"id":119,"slug":120,"title":121,"created_at":122},"1b1f637d-0f4d-42bd-974b-07b53829144d","aiml-2026-student-ai-ml-lab-repo-review-en","AIML-2026 Is a Bare-Bones Student Lab Repo","2026-03-27T01:21:51.661231+00:00",{"id":124,"slug":125,"title":126,"created_at":127},"6d1bf3f6-e191-4d30-b55b-8a0722fa6afe","ai-trending-github-repos-and-research-feeds-en","AI Trending Tracks Repos and Research Feeds","2026-03-27T01:31:35.709532+00:00",{"id":129,"slug":130,"title":131,"created_at":132},"010539a1-4c3a-4bd3-937a-26616422ee0d","awesome-ai-for-science-research-tools-map-en","Awesome AI for Science Is Becoming a Real Research Map","2026-03-27T01:46:50.89513+00:00"]