[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"article-linkedin-kubernetes-security-cert-manager-framework-zh":3,"article-related-linkedin-kubernetes-security-cert-manager-framework-zh":30,"series-tools-74973ee4-a982-4625-9223-74758ccd909b":81},{"id":4,"slug":5,"title":6,"content":7,"summary":8,"source":9,"source_url":10,"author":11,"image_url":12,"cover_image":12,"category":13,"language":14,"translated_content":11,"related_article_id":15,"keywords":16,"key_takeaways":22,"views":26,"created_at":27,"published_at":28,"topic_cluster_id":29},"74973ee4-a982-4625-9223-74758ccd909b","linkedin-kubernetes-security-cert-manager-framework-zh","LinkedIn hardens Kubernetes identity security",
"\u003Cp data-speakable=\"summary\">LinkedIn built a Kubernetes identity system on cert-manager that lets workloads obtain certificates and authenticate automatically.\u003C\u002Fp>\u003Cp>LinkedIn published this Kubernetes security framework on May 22. Its core idea is to bind every workload to a verifiable identity. The system automatically issues, rotates and deletes certificates, and also performs attestation and policy checks, with the goal of reducing identity spoofing and the cost of handling certificates by hand.\u003C\u002Fp>\u003Ctable>\u003Cthead>\u003Ctr>\u003Cth>Item\u003C\u002Fth>\u003Cth>Value\u003C\u002Fth>\u003C\u002Ftr>\u003C\u002Fthead>\u003Ctbody>\u003Ctr>\u003Ctd>Published\u003C\u002Ftd>\u003Ctd>May 22\u003C\u002Ftd>\u003C\u002Ftr>\u003Ctr>\u003Ctd>Reading time\u003C\u002Ftd>\u003Ctd>8 min\u003C\u002Ftd>\u003C\u002Ftr>\u003Ctr>\u003Ctd>Scale\u003C\u002Ftd>\u003Ctd>Thousands of nodes\u003C\u002Ftd>\u003C\u002Ftr>\u003Ctr>\u003Ctd>Pod scale\u003C\u002Ftd>\u003Ctd>Hundreds of thousands of pods per cluster\u003C\u002Ftd>\u003C\u002Ftr>\u003C\u002Ftbody>\u003C\u002Ftable>\u003Ch2>What happened\u003C\u002Fh2>\u003Cp>LinkedIn took \u003Ca href=\"https:\u002F\u002Fcert-manager.io\u002F\" target=\"_blank\" rel=\"noopener\">cert-manager\u003C\u002Fa> a step further: instead of only issuing certificates, it now handles the entire certificate lifecycle of Kubernetes workloads. The company also added a CSI driver that mounts certificates into containers while keeping the private keys on the node, reducing the risk of key leakage.\u003C\u002Fp>\n\u003Cfigure class=\"my-6\">\u003Cimg src=\"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1779592546862-fcv4.png\" alt=\"LinkedIn hardens Kubernetes identity security\" class=\"rounded-xl w-full\" loading=\"lazy\" \u002F>\u003C\u002Ffigure>\n\u003Cp>The design splits into two paths: Fully Managed, for most services, and Self Serve, for manually deployed or external systems. The former gives the platform team centralized control; the latter preserves flexibility so that every exception is not forced through the same pipeline.\u003C\u002Fp>\u003Cul>\u003Cli>A workload receives a digital certificate as soon as it is created.\u003C\u002Fli>\u003Cli>Adding the `spiffe: enabled` label triggers a webhook that injects the certificate automatically.\u003C\u002Fli>\u003Cli>The CSI driver creates a CertificateRequest for each workload.\u003C\u002Fli>\u003Cli>Lipki-Controller first checks the internal Identity Registry, then decides whether to issue.\u003C\u002Fli>\u003Cli>\u003Ca href=\"https:\u002F\u002Fkyverno.io\u002F\" target=\"_blank\" rel=\"noopener\">Kyverno\u003C\u002Fa> rules restrict who may request certificates.\u003C\u002Fli>\u003C\u002Ful>\u003Cp>LinkedIn also wired together \u003Ca href=\"https:\u002F\u002Fspiffe.io\u002F\" target=\"_blank\" rel=\"noopener\">SPIFFE\u003C\u002Fa>-style identities, mutual TLS, and its internal auth libraries for Java, Go and Rust. For application teams, most certificate details are hidden in the infrastructure layer, and some Java frameworks can hot-reload the TLS context, so certificate rotation does not require a service restart.\u003C\u002Fp>\u003Ch2>Why it matters\u003C\u002Fh2>\u003Cp>For developers, the most direct effect is touching certificates less and writing less identity glue code. When secure defaults are built into the deployment pipeline, teams no longer have to hand-craft certificate and authentication logic for every service, job or database connection.\u003C\u002Fp>\n\u003Cfigure class=\"my-6\">\u003Cimg src=\"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1779592552114-bjog.png\" alt=\"LinkedIn hardens Kubernetes identity security\" class=\"rounded-xl w-full\" loading=\"lazy\" \u002F>\u003C\u002Ffigure>\n\u003Cp>For platform and operations teams, the real pressure is scale. LinkedIn runs thousands of nodes and hundreds of thousands of pods per cluster, and must also support multi-cluster jobs and frequent scheduling, which means the certificate system cannot merely \"work\": it has to keep latency low and state consistent under high churn.\u003C\u002Fp>\u003Cp>This also reflects a shift in Kubernetes security: static secrets are gradually giving way to workload identity. When attestation, a policy engine and observability come in together, open-source components can be assembled into an enterprise-grade trust layer, but only if the process is sufficiently automated; otherwise security just becomes another layer of operational burden.\u003C\u002Fp>\u003Cp>LinkedIn's signal is clear: in large Kubernetes environments, certificate automation is no longer an add-on but infrastructure itself. Only one question remains: is your team still managing secrets by hand, or has it already made identity part of the platform?\u003C\u002Fp>",
"LinkedIn published a Kubernetes identity security architecture that combines cert-manager, SPIFFE and an internal verification flow to issue and rotate certificates automatically, reducing certificate leakage and manual operations burden.","www.startuphub.ai","https:\u002F\u002Fwww.startuphub.ai\u002Fai-news\u002Ftech\u002F2026\u002Fkubernetes-security-goes-deep",null,"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1779592546862-fcv4.png","tools","zh","575a28e5-32ca-4c6c-adef-1558718e2761",[17,18,19,20,21],"Kubernetes","cert-manager","SPIFFE","workload identity","零信任",[23,24,25],"LinkedIn extended cert-manager into a workload identity system covering issuance, rotation and deletion.","The architecture combines a CSI driver, SPIFFE, Kyverno and internal attestation to reduce the risk of certificate leakage.","In very large Kubernetes environments, certificate automation is becoming a core platform capability.",7,"2026-05-24T03:15:27.379233+00:00","2026-05-24T03:15:27.318+00:00","c3c88dd2-a940-438a-b359-0e5a24562273",
{"tags":31,"relatedLang":40,"relatedPosts":44},[32,34,36,37,39],{"name":17,"slug":33},"kubernetes",{"name":20,"slug":35},"workload-identity",{"name":18,"slug":18},{"name":19,"slug":38},"spiffe",{"name":21,"slug":21},{"id":15,"slug":41,"title":42,"language":43},"linkedin-kubernetes-security-cert-manager-framework-en","LinkedIn deepens Kubernetes security with cert-manager","en",[45,51,57,63,69,75],{"id":46,"slug":47,"title":48,"cover_image":49,"image_url":49,"created_at":50,"category":13},"5656a6ab-9e07-41be-9cea-3440fb8846e2","nvidia-lg-ai-collaboration-playbook-zh","Nvidia and LG turn AI collaboration into a template","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1781056994999-8eng.png","2026-06-10T02:02:46.590133+00:00",{"id":52,"slug":53,"title":54,"cover_image":55,"image_url":55,"created_at":56,"category":13},"e48be66d-d7de-419e-b5fd-805f0784ef15","ollama-best-free-ai-path-2026-zh","Ollama is the free AI path that actually works for real work in 2026","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1781056077878-11pc.png","2026-06-10T01:47:24.632993+00:00",{"id":58,"slug":59,"title":60,"cover_image":61,"image_url":61,"created_at":62,"category":13},"9b53427c-8c2a-4960-a773-f14d4528caae","awesome-production-ml-turns-chaos-into-stack-zh","This MLOps list breaks the chaos down into a stack","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1781055220958-dmar.png","2026-06-10T01:33:14.850634+00:00",{"id":64,"slug":65,"title":66,"cover_image":67,"image_url":67,"created_at":68,"category":13},"d5af1522-28aa-4cfb-8779-1ecf168bc0b5","bentoml-turns-model-serving-into-python-apis-zh","BentoML turns model serving into Python APIs","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1781054310299-c1gm.png","2026-06-10T01:17:56.193093+00:00",{"id":70,"slug":71,"title":72,"cover_image":73,"image_url":73,"created_at":74,"category":13},"63d8b456-ad6b-475e-86e9-d4677ca226aa","magenta-realtime-2-score-inside-daw-zh","Magenta RealTime 2 lets you rework a score live inside your DAW","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1781046204038-8tox.png","2026-06-09T23:02:55.9651+00:00",{"id":76,"slug":77,"title":78,"cover_image":79,"image_url":79,"created_at":80,"category":13},"f60261ff-a42e-4cfb-9f90-97785e633289","open-source-ai-tools-beat-claude-paid-tiers-zh","Open-source AI tools already beat Claude's paid tiers on value","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1781045266035-on7t.png","2026-06-09T22:47:20.195939+00:00",
[82,87,92,97,102,107,112,117,122,127],{"id":83,"slug":84,"title":85,"created_at":86},"855cd52f-6fab-46cc-a7c1-42195e8a0de4","surepath-real-time-mcp-policy-controls-zh","SurePath launches real-time MCP policy controls","2026-03-26T07:57:40.77233+00:00",{"id":88,"slug":89,"title":90,"created_at":91},"9b19ab54-edef-4dbd-9ce4-a51e4bae4ebb","mcp-in-2026-the-ai-tool-layer-teams-use-zh","MCP in 2026: the AI tool layer teams actually use","2026-03-26T08:01:46.589694+00:00",{"id":93,"slug":94,"title":95,"created_at":96},"af9c46c3-7a28-410b-9f04-32b3de30a68c","prompting-in-2026-what-actually-works-zh","Prompt engineering in 2026: what actually works","2026-03-26T08:08:12.453028+00:00",{"id":98,"slug":99,"title":100,"created_at":101},"05553086-6ed0-4758-81fd-6cab24b575e0","garry-tan-open-sources-claude-code-toolkit-zh","Garry Tan open-sources a Claude Code toolkit","2026-03-26T08:26:20.068737+00:00",{"id":103,"slug":104,"title":105,"created_at":106},"042a73a2-18a2-433d-9e8f-9802b9559aac","github-ai-projects-to-watch-in-2026-zh","20 GitHub AI projects to watch in 2026","2026-03-26T08:28:09.619964+00:00",{"id":108,"slug":109,"title":110,"created_at":111},"a5f94120-ac0d-4483-9a8b-63590071ac6a","claude-code-vs-cursor-2026-zh","Claude Code vs Cursor, an in-depth comparison: 202…","2026-03-26T13:27:14.279193+00:00",{"id":113,"slug":114,"title":115,"created_at":116},"0975afa1-e0c7-4130-a20d-d890eaed995e","practical-github-guide-learning-ml-2026-zh","A practical GitHub guide to getting started with machine learning in 2026","2026-03-27T01:16:49.712576+00:00",{"id":118,"slug":119,"title":120,"created_at":121},"bfdb467a-290f-4a80-b3a9-6f081afb6dff","aiml-2026-student-ai-ml-lab-repo-review-zh","AIML-2026: a student lab repo that reads like a syllabus","2026-03-27T01:21:51.467798+00:00",{"id":123,"slug":124,"title":125,"created_at":126},"80cabc3e-09fc-4ff5-8f07-b8d68f5ae545","ai-trending-github-repos-and-research-feeds-zh","AI Trending: AI resources collected into a single table","2026-03-27T01:31:35.262183+00:00",{"id":128,"slug":129,"title":130,"created_at":131},"3ce6e6e2-bac5-463e-9f8d-45caabcc61f7","awesome-ai-for-science-research-tools-map-zh","The AI-for-science tool list is starting to look like a map","2026-03-27T01:46:50.521945+00:00"]