Kubernetes Components in Next-Gen Trust Security

Next-Gen Trust Security supports Kubernetes components that manage certificates and machine identities in your clusters. Monitor the health, version, and configuration of installed components from the Kubernetes Clusters page.
Note: For installation and configuration steps and release notes, see the NGTS developer documentation site, which focuses on developer and DevOps tasks.

Component Details

If installed in your cluster, most components appear in the details drawer, where you can check their health, configuration, and current version.
The following table lists all Kubernetes components that you can use with Next-Gen Trust Security.

| Component | Description |
| --- | --- |
| Approver Policy | A cert-manager approver that approves or denies certificate requests based on policies defined in your cluster. |
| cert-manager | Adds certificates and issuers as resource types in your clusters. Can request certificates from CAs configured in Next-Gen Trust Security or manage them independently. |
| Connection resource | A custom resource that manages authentication between components in your cluster and Next-Gen Trust Security using Built-in Accounts. Does not appear on the Components tab. |
| CSI Driver | A Container Storage Interface (CSI) driver that provisions X.509 certificate key pairs to pods using cert-manager. Private keys and signed certificates are stored on the node and match the pod's lifecycle. |
| CSI Driver for SPIFFE | A CSI driver that provisions SPIFFE Verifiable Identity Documents (SVIDs) as X.509 certificate key pairs to pods using cert-manager. |
| Discovery Agent | Connects your clusters to Next-Gen Trust Security and continuously gathers certificate, ingress, and other machine identity data for display in the Next-Gen Trust Security user interface. |
| Distributed Issuer | A lightweight certificate issuer that operates in Kubernetes, OpenShift, and other cloud-native environments to deliver X.509 certificates over gRPC or REST. |
| Enterprise Issuer | A cert-manager issuer that allows your clusters to request certificates from CAs managed in Next-Gen Trust Security, following centrally managed policies. |
| Istio CSR | An alternative to Istio's built-in CA server that delegates certificate signing to cert-manager, allowing Istio workloads to use any cert-manager-supported issuer. |
| OpenShift Routes for cert-manager | Automatically provisions and renews certificates for OpenShift routes from any cert-manager issuer based on your route annotations. Does not appear on the Components tab. |
| Trust Manager | A Kubernetes operator that combines trusted X.509 certificates from various sources into bundles and distributes them as ConfigMaps across your cluster. Does not appear on the Components tab. |