diff --git a/content/operate/_index.md b/content/operate/_index.md index 00e10da784..88ed416974 100644 --- a/content/operate/_index.md +++ b/content/operate/_index.md @@ -45,9 +45,9 @@ hideListLinks: true | | {{}} Redis Cloud | {{}} Redis Software | {{}} Redis Open Source |
Redis for
Kubernetes | |:-----------|:--------------|:-----------|:--------------|:--------------| | Transport Layer Security (TLS) | [TLS]({{}}) | [TLS]({{}}) | [TLS]({{< relref "/operate/oss_and_stack/management/security/encryption" >}}) | [REDB tlsMode]({{}}) | -| Role-based access control (RBAC) | [Role-based access control]({{}}) | [Access control]({{}}) | [Access control list]({{< relref "/operate/oss_and_stack/management/security/acl" >}}) | [REC credentials]({{}}) | -| Lightweight Directory Access Protocol (LDAP) | | [LDAP authentication]({{}}) | | [Enable LDAP]({{}}) | +| Role-based access control (RBAC) | [Role-based access control]({{}}) | [Access control]({{}}) | [Access control list]({{< relref "/operate/oss_and_stack/management/security/acl" >}}) | [REC credentials]({{}}) | +| Lightweight Directory Access Protocol (LDAP) | | [LDAP authentication]({{}}) | | [Enable LDAP]({{}}) | | Single sign-on (SSO) | [SAML SSO]({{< relref "/operate/rc/security/access-control/saml-sso" >}}) | | | | -| Self-signed certificates | | [Certificates]({{}}) | [Certificate configuration]({{< relref "/operate/oss_and_stack/management/security/encryption#certificate-configuration" >}}) | [REC certificates]({{}}) | -| Internode encryption | [Encryption at rest]({{< relref "/operate/rc/security/encryption-at-rest" >}}) | [Internode encryption]({{}}) | | [Enable internode encryption]({{}}) | +| Self-signed certificates | | [Certificates]({{}}) | [Certificate configuration]({{< relref "/operate/oss_and_stack/management/security/encryption#certificate-configuration" >}}) | [REC certificates]({{}}) | +| Internode encryption | [Encryption at rest]({{< relref "/operate/rc/security/encryption-at-rest" >}}) | [Internode encryption]({{}}) | | [Enable internode encryption]({{}}) | | Auditing | | [Audit events]({{}}) | [Keyspace notifications]({{< relref "/develop/pubsub/keyspace-notifications" >}}) | | 
diff --git a/content/operate/kubernetes/_index.md b/content/operate/kubernetes/_index.md index d387bafb00..ffb2408e2c 100644 --- a/content/operate/kubernetes/_index.md +++ b/content/operate/kubernetes/_index.md @@ -67,10 +67,10 @@ Set up globally distributed [Active-Active databases]({{< relref "/operate/kuber Manage [secure connections]({{< relref "/operate/kubernetes/security" >}}) and access control for your Redis Enterprise deployment. -- [Manage REC credentials]({{< relref "/operate/kubernetes/security/manage-rec-credentials" >}}) -- [Manage REC certificates]({{< relref "/operate/kubernetes/security/manage-rec-certificates" >}}) -- [Internode encryption]({{< relref "/operate/kubernetes/security/internode-encryption" >}}) -- [LDAP authentication]({{< relref "/operate/kubernetes/security/ldap" >}}) +- [Manage REC credentials]({{< relref "/operate/kubernetes/security/authentication/manage-rec-credentials" >}}) +- [Manage REC certificates]({{< relref "/operate/kubernetes/security/certificates/manage-rec-certificates" >}}) +- [Internode encryption]({{< relref "/operate/kubernetes/security/certificates/internode-encryption" >}}) +- [LDAP authentication]({{< relref "/operate/kubernetes/security/authentication/ldap" >}}) ## Reference diff --git a/content/operate/kubernetes/active-active/_index.md b/content/operate/kubernetes/active-active/_index.md index d271fd34f0..8507cdd046 100644 --- a/content/operate/kubernetes/active-active/_index.md +++ b/content/operate/kubernetes/active-active/_index.md 
@@ -72,7 +72,7 @@ For examples, see the [YAML examples]({{< relref "/operate/kubernetes/reference/ The operator automates Active-Active certificate updates. When you update the proxy or syncer certificate secret on a participating cluster's REC, the operator detects the change and propagates the new certificate to the other participating clusters. -For details, see [Manage REC certificates]({{< relref "/operate/kubernetes/security/manage-rec-certificates" >}}) and [cert-manager integration]({{< relref "/operate/kubernetes/security/cert-manager" >}}). +For details, see [Manage REC certificates]({{< relref "/operate/kubernetes/security/certificates/manage-rec-certificates" >}}) and [cert-manager integration]({{< relref "/operate/kubernetes/security/certificates/cert-manager" >}}). ### Limitations diff --git a/content/operate/kubernetes/active-active/create-aa-crdb-cli.md b/content/operate/kubernetes/active-active/create-aa-crdb-cli.md index bf6c86d8d6..32d1cb1379 100644 --- a/content/operate/kubernetes/active-active/create-aa-crdb-cli.md +++ b/content/operate/kubernetes/active-active/create-aa-crdb-cli.md @@ -69,7 +69,7 @@ You'll need to create DNS aliases to resolve your API hostname ``, - Description: Combined with database name to create the Active-Active database hostname - Format: string - Example value: `-cluster.ijk.example.com` -- [**REC admin credentials**]({{< relref "/operate/kubernetes/security/manage-rec-credentials" >}}) ` `: +- [**REC admin credentials**]({{< relref "/operate/kubernetes/security/authentication/manage-rec-credentials" >}}) ` `: - Description: Admin username and password for the REC stored in a secret - Format: string - Example value: username: `user@example.com`, password: `something` diff --git a/content/operate/kubernetes/architecture/_index.md b/content/operate/kubernetes/architecture/_index.md index d92a0d1040..7443e0432b 100644 --- a/content/operate/kubernetes/architecture/_index.md 
+++ b/content/operate/kubernetes/architecture/_index.md @@ -84,25 +84,25 @@ See the [RedisEnterpriseDatabase (REDB) API Reference]({{}}) and [internode encryption]({{}}) using the [RedisEnterpriseCluster (REC)](#redisenterprisecluster-rec) spec. +Redis Enterprise for Kubernetes uses [secrets](https://kubernetes.io/docs/concepts/configuration/secret/) to manage your cluster credentials, cluster certificates, and client certificates. You can configure [LDAP]({{}}) and [internode encryption]({{}}) using the [RedisEnterpriseCluster (REC)](#redisenterprisecluster-rec) spec. ### REC credentials Redis Enterprise for Kubernetes uses the [RedisEnterpriseCluster (REC)]({{}}) [custom resource](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) to create a Redis Enterprise cluster. During creation it generates random credentials for the operator to use. The credentials are saved in a Kubernetes (K8s) [secret](https://kubernetes.io/docs/concepts/configuration/secret/). The secret name defaults to the name of the cluster. -See [Manage REC credentials]({{}}) for more details. +See [Manage REC credentials]({{}}) for more details. ### REC certificates By default, Redis Enterprise Software for Kubernetes generates TLS certificates for the cluster during creation. These self-signed certificates are generated on the first node of each Redis Enterprise cluster (REC) and are copied to all other nodes in the cluster. -See [Manage REC certificates]({{}}) for more details. +See [Manage REC certificates]({{}}) for more details. ### Client certificates For each client certificate you want to use, you need to create a [Kubernetes secret](https://kubernetes.io/docs/concepts/configuration/secret/) to hold it. You can then reference that secret in your [Redis Enterprise database (REDB)](#redisenterprisedatabase-redb) custom resource. -See [Add client certificates]({{}}) for more details. +See [Add client certificates]({{}}) for more details. ## Storage 
diff --git a/content/operate/kubernetes/release-notes/8-0-6-releases/8-0-6-8-december2025.md b/content/operate/kubernetes/release-notes/8-0-6-releases/8-0-6-8-december2025.md index 28d266c67e..b386151d70 100644 --- a/content/operate/kubernetes/release-notes/8-0-6-releases/8-0-6-8-december2025.md +++ b/content/operate/kubernetes/release-notes/8-0-6-releases/8-0-6-8-december2025.md @@ -27,7 +27,7 @@ API support has been added for the following features: - REAADB alerts - User-defined modules - Redis Software [8.0.6-54]({{< relref "/operate/rs/release-notes/rs-8-0-releases/rs-8-0-6-54/" >}}) -- User-defined certificates for [internode encryption]({{< relref "/operate/kubernetes/security/internode-encryption" >}}) +- User-defined certificates for [internode encryption]({{< relref "/operate/kubernetes/security/certificates/internode-encryption" >}}) - SAML 2.0 single sign-on (SSO) authentication - Redis Flex diff --git a/content/operate/kubernetes/security/_index.md b/content/operate/kubernetes/security/_index.md index a04831b1ed..f9c0ef8acc 100644 --- a/content/operate/kubernetes/security/_index.md +++ b/content/operate/kubernetes/security/_index.md 
@@ -5,40 +5,30 @@ categories: - docs - operate - kubernetes -description: Configure security settings for Redis Enterprise clusters and databases on Kubernetes. +description: Configure security settings for Redis Software clusters and databases on Kubernetes. hideListLinks: true linkTitle: Security weight: 50 --- -Configure security settings for your Redis Enterprise deployment on Kubernetes. Redis Enterprise for Kubernetes provides comprehensive security features including TLS encryption, authentication, access control, and certificate management. +Configure security settings for Redis for Kubernetes. Security covers access control, cluster credentials, external identity providers, TLS certificates and encryption, and external secret management. -## Credentials and authentication +## Access control -Manage cluster credentials and authentication settings: +- [Access control]({{< relref "/operate/kubernetes/security/access-control" >}}) — manage Redis Software users, roles, ACLs, and role bindings as Kubernetes custom resources. -- [Manage REC credentials]({{< relref "/operate/kubernetes/security/manage-rec-credentials" >}}) - Configure and manage Redis Enterprise cluster credentials -- [Configuration secrets]({{< relref "/operate/kubernetes/security/configuration-secrets" >}}) - Store Redis Enterprise configuration items in Kubernetes Secrets for automatic updates and secure management -- [LDAP authentication]({{< relref "/operate/kubernetes/security/ldap" >}}) - Integrate with LDAP for centralized authentication -- [SSO authentication]({{< relref "/operate/kubernetes/security/sso" >}}) - Enable SAML-based single sign-on for Cluster Manager UI access +## Authentication -## Certificates and encryption +- [Authentication]({{< relref "/operate/kubernetes/security/authentication" >}}) — manage cluster credentials, LDAP, SAML SSO, and configuration secrets. 
-Configure TLS certificates and encryption for secure communications: +## Certificates and encryption -- [Manage REC certificates]({{< relref "/operate/kubernetes/security/manage-rec-certificates" >}}) - Configure cluster certificates for TLS encryption -- [cert-manager integration]({{< relref "/operate/kubernetes/security/cert-manager" >}}) - Automate TLS certificate management with cert-manager -- [Add client certificates]({{< relref "/operate/kubernetes/security/add-client-certificates" >}}) - Set up client certificate authentication for databases -- [Internode encryption]({{< relref "/operate/kubernetes/security/internode-encryption" >}}) - Enable encryption between cluster nodes and configure custom certificates +- [Certificates and encryption]({{< relref "/operate/kubernetes/security/certificates" >}}) — provision TLS certificates, integrate cert-manager, add client certificates, and enable internode encryption. ## Secret management -Configure external secret management systems: - -- [HashiCorp Vault integration]({{< relref "/operate/kubernetes/security/vault" >}}) - Configure HashiCorp Vault as the centralized secret management system for Redis Enterprise for Kubernetes +- [HashiCorp Vault integration]({{< relref "/operate/kubernetes/security/vault" >}}) — use HashiCorp Vault as the centralized secret store for Redis for Kubernetes. ## Resource management -Configure security-related resource settings: - -- [Allow resource adjustment]({{< relref "/operate/kubernetes/security/allow-resource-adjustment" >}}) - Enable automatic adjustment of system resources for security compliance +- [Allow resource adjustment]({{< relref "/operate/kubernetes/security/allow-resource-adjustment" >}}) — enable automatic adjustment of system resources for security compliance. diff --git a/content/operate/kubernetes/security/access-control/_index.md b/content/operate/kubernetes/security/access-control/_index.md new file mode 100644 index 0000000000..7ade2e840a --- /dev/null 
+++ b/content/operate/kubernetes/security/access-control/_index.md 
@@ -0,0 +1,72 @@ +--- +Title: Access control +alwaysopen: false +categories: +- docs +- operate +- kubernetes +description: Manage Redis Software users, roles, ACLs, and role bindings on Kubernetes with custom resources. +hideListLinks: true +linkTitle: Access control +weight: 20 +--- + +Access control lets you manage Redis Software users, roles, ACLs, and role bindings as Kubernetes custom resources. The operator reconciles each resource into the corresponding Redis Software object, so you can use GitOps workflows and Kubernetes Secrets instead of working only through the Redis Software REST API or Cluster Manager UI. + +## How access control works on Redis for Kubernetes + +You declare these `app.redislabs.com/v1alpha1` custom resources: + +| Resource | Purpose | +|---|---| +| `RedisEnterpriseUser` | A Redis Software user, with credentials in a Kubernetes Secret. | +| `RedisEnterpriseACL` | A Redis ACL rule, mapped to a Redis Software ACL object. | +| `RedisEnterpriseDatabaseRole` | A database-scoped role (management role and optional ACL) applied to selected REDBs. | +| `RedisEnterpriseDatabaseRoleBinding` | Assigns a `RedisEnterpriseDatabaseRole` to a user. | +| `RedisEnterpriseClusterRole` | A cluster-scoped role (management role and optional ACL) applied across all REDBs. | +| `RedisEnterpriseClusterRoleBinding` | Assigns a `RedisEnterpriseClusterRole` to a user. | + +When you apply one of these resources, the operator: + +1. Validates the spec. +2. Creates or updates the matching object in Redis Software. +3. Reports the resolved Redis Software UID and other state in the resource's `status`. +4. Emits Kubernetes events on reconciliation problems. + +## What's the same as Redis Software + +The underlying Redis Software behavior is unchanged. 
For concepts and reference details, see the existing Redis Software docs: + +- [Cluster-scoped role definitions]({{< relref "/operate/rs/security/access-control/create-cluster-roles" >}}) — what `Admin`, `ClusterMember`, `ClusterViewer`, and `UserManager` grant. +- [Database-scoped role definitions]({{< relref "/operate/rs/security/access-control/create-db-roles" >}}) — what `DBMember` and `DBViewer` grant. +- [Combined cluster and database roles]({{< relref "/operate/rs/security/access-control/create-combined-roles" >}}) — when a role grants both planes. +- [Redis ACL syntax]({{< relref "/operate/rs/security/access-control/redis-acl-overview" >}}) — rule format for `RedisEnterpriseACL` resources. +- [Login lockout and unlock]({{< relref "/operate/rs/security/access-control/manage-users/login-lockout" >}}) — how locked users are recovered. +- [Password complexity rules]({{< relref "/operate/rs/security/access-control/manage-passwords/password-complexity-rules" >}}) and [password expiration]({{< relref "/operate/rs/security/access-control/manage-passwords/password-expiration" >}}) — applied by Redis Software regardless of how the password is delivered. +- [Default user]({{< relref "/operate/rs/security/access-control/manage-users/default-user" >}}) — the built-in cluster admin account. + +## What's different on Kubernetes + +- **Resources are declarative.** You define users, roles, ACLs, and bindings in YAML and let the operator apply them. The Cluster Manager UI and REST API still work but are no longer the source of truth. +- **Role assignment uses separate Binding resources.** In Redis Software, you assign roles by editing the user. On Kubernetes, `RedisEnterpriseUser.spec` has no role references. You create `RedisEnterpriseDatabaseRoleBinding` or `RedisEnterpriseClusterRoleBinding` resources instead. +- **Passwords live in Kubernetes Secrets.** Each `RedisEnterpriseUser` references one or more Secrets. 
A `Rotatable` mode supports two Secrets at once for zero-downtime rotation. The operator marks Kubernetes Secrets immutable to prevent in-place edits. +- **A user with no binding still gets a role.** The operator assigns the Redis Software `none` role, which grants no permissions, so every user has at least one role. Permissions take effect only after you add a binding. + +## Known limitations + +- Access control resources are reconciled only in the operator namespace. Password Secrets must live in the same namespace, and database scopes resolve to REDBs in that namespace. +- A `RedisEnterpriseClusterRole` grants access cluster-wide, including to REDBs represented by resources in other namespaces. The access flows through Redis Software, not through explicit REDB references. +- A role can reference at most one `RedisEnterpriseACL`. To apply different ACLs to different databases, create separate roles. + +## In this section + +- [Manage users]({{< relref "/operate/kubernetes/security/access-control/manage-users" >}}) — create `RedisEnterpriseUser` resources, rotate passwords, recover from lockouts. +- [Manage roles]({{< relref "/operate/kubernetes/security/access-control/manage-roles" >}}) — create database and cluster roles with the right scope and management permissions. +- [Manage ACLs]({{< relref "/operate/kubernetes/security/access-control/manage-acls" >}}) — create and update `RedisEnterpriseACL` resources used by roles. +- [Manage role bindings]({{< relref "/operate/kubernetes/security/access-control/manage-bindings" >}}) — assign roles to users with `RedisEnterpriseDatabaseRoleBinding` and `RedisEnterpriseClusterRoleBinding`. +- [Migrate from REDB rolesPermissions]({{< relref "/operate/kubernetes/security/access-control/migrate-rolespermissions" >}}) — move from the deprecated `RedisEnterpriseDatabase.spec.rolesPermissions` field to the new CRD model. 
+ +## Related topics + +- [Redis for Kubernetes operator API reference]({{< relref "/operate/kubernetes/reference/api" >}}) — field-by-field specification for every CRD in the `app.redislabs.com/v1alpha1` group. +- [Redis databases (REDB)]({{< relref "/operate/kubernetes/re-databases" >}}) — the resources that role scopes resolve against. diff --git a/content/operate/kubernetes/security/allow-resource-adjustment.md b/content/operate/kubernetes/security/allow-resource-adjustment.md index b3be0f7800..472c746b76 100644 --- a/content/operate/kubernetes/security/allow-resource-adjustment.md +++ b/content/operate/kubernetes/security/allow-resource-adjustment.md @@ -6,7 +6,7 @@ categories: description: Enable automatic system resource adjustments for Redis Enterprise to increase file descriptor limits. linkTitle: Auto resource adjustment title: Allow automatic resource adjustment -weight: 98 +weight: 50 --- Redis Enterprise for Kubernetes 7.22.0-6 introduces the ability to run with automatic resource adjustment disabled, which drops all capabilities from the Redis Enterprise container and sets `allowPrivilegeEscalation` to `false`. All other security-related settings remain the same as in automatic resource adjustment enabled. Automatic resource adjustment disabled is the default for installations and upgrades of the Redis Enterprise operator for versions 7.22.0-6 and later. diff --git a/content/operate/kubernetes/security/authentication/_index.md b/content/operate/kubernetes/security/authentication/_index.md new file mode 100644 index 0000000000..613935757e --- /dev/null +++ b/content/operate/kubernetes/security/authentication/_index.md 
@@ -0,0 +1,45 @@ +--- +Title: Authentication +alwaysopen: false +categories: +- docs +- operate +- kubernetes +description: Manage Redis Software cluster credentials, LDAP, SSO, and configuration secrets on Kubernetes. +hideListLinks: true +linkTitle: Authentication +weight: 10 +--- + +Authentication covers cluster credentials, external identity providers (LDAP and SAML SSO), and configuration secrets. The operator generates the initial cluster admin credentials, applies LDAP and SSO settings from the `RedisEnterpriseCluster` spec, and reads configuration values from Kubernetes Secrets you can update without a cluster restart. + +## How authentication works on Redis for Kubernetes + +- **Cluster credentials** are auto-generated at install and stored in a Kubernetes Secret named after the REC resource. Retrieve and update them with `kubectl`. +- **LDAP** is configured on the `RedisEnterpriseCluster` spec. The operator applies the configuration through the Redis Software REST API. +- **SAML SSO** is enabled on the REC spec. The operator configures the identity provider connection in Redis Software. +- **Configuration secrets** let you store sensitive configuration items in Kubernetes Secrets that the operator references. Updates to the Secret reconcile automatically. + +## What's the same as Redis Software + +The underlying Redis Software behavior is unchanged. For concepts and reference details, see the existing Redis Software docs: + +- [LDAP authentication overview]({{< relref "/operate/rs/security/access-control/ldap" >}}) — server requirements, supported attributes, and the LDAP model. +- [Enable role-based LDAP]({{< relref "/operate/rs/security/access-control/ldap/enable-role-based-ldap" >}}) — concepts behind role-based LDAP. +- [Map LDAP groups to roles]({{< relref "/operate/rs/security/access-control/ldap/map-ldap-groups-to-roles" >}}) — group-to-role mapping rules. 
+- [SAML single sign-on]({{< relref "/operate/rs/security/access-control/saml-sso" >}}) — identity provider requirements and SAML attribute mappings. +- [Default user]({{< relref "/operate/rs/security/access-control/manage-users/default-user" >}}) — what the bootstrap admin account is for. + +## What's different on Kubernetes + +- **Initial credentials are auto-generated.** You don't choose them at install; you retrieve them from the credentials Secret after the REC is up. +- **Change credentials by updating the Kubernetes Secret**, not by editing the user in the Cluster Manager UI. +- **LDAP and SSO configuration is part of the REC spec.** The operator applies it through the Redis Software REST API, so the configuration is source-controlled. +- **Sensitive values live in Kubernetes Secrets** (or HashiCorp Vault) instead of in Redis Software configuration files. + +## In this section + +- [Manage REC credentials]({{< relref "/operate/kubernetes/security/authentication/manage-rec-credentials" >}}) — retrieve and update the cluster admin credentials Secret. +- [Configuration secrets]({{< relref "/operate/kubernetes/security/authentication/configuration-secrets" >}}) — store config items in Kubernetes Secrets and reconcile updates automatically. +- [LDAP authentication]({{< relref "/operate/kubernetes/security/authentication/ldap" >}}) — configure LDAP for Cluster Manager and database access. +- [SSO authentication]({{< relref "/operate/kubernetes/security/authentication/sso" >}}) — configure SAML single sign-on for the Cluster Manager UI. diff --git a/content/operate/kubernetes/security/configuration-secrets.md b/content/operate/kubernetes/security/authentication/configuration-secrets.md similarity index 92% rename from content/operate/kubernetes/security/configuration-secrets.md rename to content/operate/kubernetes/security/authentication/configuration-secrets.md index aa432b10bb..6efa72a6e5 100644 --- a/content/operate/kubernetes/security/configuration-secrets.md 
+++ b/content/operate/kubernetes/security/authentication/configuration-secrets.md @@ -3,10 +3,11 @@ categories: - docs - operate - kubernetes +aliases: [/operate/kubernetes/security/configuration-secrets/] description: Store Redis Enterprise configuration items in Kubernetes Secrets for automatic updates and secure management. linkTitle: Configuration secrets title: Store configuration in Kubernetes Secrets -weight: 96 +weight: 20 --- You can store Redis Enterprise configuration items in Kubernetes Secrets for automatic updates and secure management. When you update these Secrets, the operator immediately reads the changes and propagates them to the Redis Enterprise Cluster (REC). @@ -70,7 +71,7 @@ You can customize the credential secret name during cluster creation using the ` The `clusterCredentialSecretName` field cannot be changed after cluster creation. {{}} -For detailed instructions, see [Customize the credential secret name]({{< relref "/operate/kubernetes/security/manage-rec-credentials#customize-the-credential-secret-name" >}}). +For detailed instructions, see [Customize the credential secret name]({{< relref "/operate/kubernetes/security/authentication/manage-rec-credentials#customize-the-credential-secret-name" >}}). ## TLS certificate configuration @@ -84,7 +85,7 @@ You can store TLS certificates in Kubernetes Secrets to secure communication bet kubectl -n create secret generic client-cert-secret --from-file=cert= ``` -2. Add the secret to your REDB using the `clientAuthenticationCertificates` property. See [Add client certificates]({{< relref "/operate/kubernetes/security/add-client-certificates" >}}) for details. +2. Add the secret to your REDB using the `clientAuthenticationCertificates` property. See [Add client certificates]({{< relref "/operate/kubernetes/security/certificates/add-client-certificates" >}}) for details. ### Service certificates 
@@ -115,7 +116,7 @@ kubectl create secret generic dp-internode-cert \ --from-literal=name=dp_internode_encryption ``` -Reference these secrets in your REC specification under `spec.certificates`. See [Internode encryption]({{< relref "/operate/kubernetes/security/internode-encryption" >}}) for complete configuration details. +Reference these secrets in your REC specification under `spec.certificates`. See [Internode encryption]({{< relref "/operate/kubernetes/security/certificates/internode-encryption" >}}) for complete configuration details. ## Secrets and PEM files in Redis Enterprise pods @@ -150,7 +151,7 @@ Field names vary by deployment. ## See also -- [Manage REC credentials]({{< relref "/operate/kubernetes/security/manage-rec-credentials" >}}) -- [Manage REC certificates]({{< relref "/operate/kubernetes/security/manage-rec-certificates" >}}) -- [Add client certificates]({{< relref "/operate/kubernetes/security/add-client-certificates" >}}) +- [Manage REC credentials]({{< relref "/operate/kubernetes/security/authentication/manage-rec-credentials" >}}) +- [Manage REC certificates]({{< relref "/operate/kubernetes/security/certificates/manage-rec-certificates" >}}) +- [Add client certificates]({{< relref "/operate/kubernetes/security/certificates/add-client-certificates" >}}) - [Redis Enterprise Cluster API reference]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api" >}}) diff --git a/content/operate/kubernetes/security/ldap.md b/content/operate/kubernetes/security/authentication/ldap.md similarity index 99% rename from content/operate/kubernetes/security/ldap.md rename to content/operate/kubernetes/security/authentication/ldap.md index e839618640..e106befad6 100644 --- a/content/operate/kubernetes/security/ldap.md +++ b/content/operate/kubernetes/security/authentication/ldap.md 
@@ -5,9 +5,10 @@ categories: - docs - operate - kubernetes +aliases: [/operate/kubernetes/security/ldap/] description: Enable LDAP authentication for Redis Enterprise for Kubernetes. linkTitle: Enable LDAP -weight: 95 +weight: 30 --- ## LDAP support for Redis Enterprise Software diff --git a/content/operate/kubernetes/security/manage-rec-credentials.md b/content/operate/kubernetes/security/authentication/manage-rec-credentials.md similarity index 98% rename from content/operate/kubernetes/security/manage-rec-credentials.md rename to content/operate/kubernetes/security/authentication/manage-rec-credentials.md index 6af331b9be..9924ede82b 100644 --- a/content/operate/kubernetes/security/manage-rec-credentials.md +++ b/content/operate/kubernetes/security/authentication/manage-rec-credentials.md @@ -5,8 +5,9 @@ categories: - docs - operate - kubernetes +aliases: [/operate/kubernetes/security/manage-rec-credentials/] linkTitle: Manage REC credentials -weight: 93 +weight: 10 --- Redis Enterprise for Kubernetes uses a custom resource called [`RedisEnterpriseCluster`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api" >}}) to create a Redis Enterprise cluster (REC). During creation, it generates random credentials for the operator to use. The credentials are saved in a Kubernetes (K8s) [secret](https://kubernetes.io/docs/concepts/configuration/secret/). The secret name defaults to the cluster name and is specified by the `clusterCredentialSecretName` field in the REC specification. diff --git a/content/operate/kubernetes/security/sso.md b/content/operate/kubernetes/security/authentication/sso.md similarity index 99% rename from content/operate/kubernetes/security/sso.md rename to content/operate/kubernetes/security/authentication/sso.md index 87f1b94cb7..81538dc629 100644 --- a/content/operate/kubernetes/security/sso.md +++ b/content/operate/kubernetes/security/authentication/sso.md 
@@ -5,9 +5,10 @@ categories: - docs - operate - kubernetes +aliases: [/operate/kubernetes/security/sso/] description: Enable SAML-based SSO authentication for Redis Enterprise for Kubernetes. linkTitle: Enable SSO -weight: 94 +weight: 40 --- diff --git a/content/operate/kubernetes/security/certificates/_index.md b/content/operate/kubernetes/security/certificates/_index.md new file mode 100644 index 0000000000..f698cce5f6 --- /dev/null +++ b/content/operate/kubernetes/security/certificates/_index.md 
@@ -0,0 +1,48 @@ +--- +Title: Certificates and encryption +alwaysopen: false +categories: +- docs +- operate +- kubernetes +description: Manage TLS certificates, client certificates, and internode encryption for Redis Software on Kubernetes. +hideListLinks: true +linkTitle: Certificates and encryption +weight: 30 +--- + +Certificates and encryption use Kubernetes Secrets and cert-manager integration to provision, distribute, and rotate the TLS certificates that Redis Software relies on. The operator distributes referenced certificates across every cluster node. + +## How certificates work on Redis for Kubernetes + +- **Cluster certificates** live in Kubernetes Secrets that the `RedisEnterpriseCluster` spec references. The operator distributes them to every cluster node. +- **cert-manager** can issue and rotate certificates automatically. +- **Client certificates** live in a Secret that the database references for mutual TLS authentication. +- **Internode encryption** is configured on the REC spec. The operator places the certificates on each node. + +## What's the same as Redis Software + +The underlying certificate roles, requirements, and TLS behavior are unchanged. For concepts and reference details, see the existing Redis Software docs: + +- [Certificate roles and types]({{< relref "/operate/rs/security/certificates" >}}) — which certificate is used for what. +- [Create certificates]({{< relref "/operate/rs/security/certificates/create-certificates" >}}) — certificate requirements (SAN, CN, validity). +- [Update certificates]({{< relref "/operate/rs/security/certificates/updating-certificates" >}}) — rotation considerations on Redis Software. +- [Monitor certificates]({{< relref "/operate/rs/security/certificates/monitor-certificates" >}}) — certificate expiration alerts. +- [Client certificate authentication]({{< relref "/operate/rs/security/certificates/certificate-based-authentication" >}}) — how the cluster validates client certificates. 
+- [TLS protocols]({{< relref "/operate/rs/security/encryption/tls/tls-protocols" >}}) and [ciphers]({{< relref "/operate/rs/security/encryption/tls/ciphers" >}}) — protocol and cipher selection. +- [Enable TLS]({{< relref "/operate/rs/security/encryption/tls/enable-tls" >}}) — TLS for management, replication, and client connections. +- [Internode encryption]({{< relref "/operate/rs/security/encryption/internode-encryption" >}}) — purpose and scope. +- [PEM encryption]({{< relref "/operate/rs/security/encryption/pem-encryption" >}}) — encrypted private keys. + +## What's different on Kubernetes + +- **Certificates live in Kubernetes Secrets**, not in `/etc/opt/redislabs/`. The REC spec references them by name. +- **cert-manager can issue and rotate certificates automatically**, replacing manual rotation steps. +- **The operator distributes certificates across cluster nodes**; you don't copy files between nodes yourself. + +## In this section + +- [Manage REC certificates]({{< relref "/operate/kubernetes/security/certificates/manage-rec-certificates" >}}) — configure cluster TLS certificates. +- [cert-manager integration]({{< relref "/operate/kubernetes/security/certificates/cert-manager" >}}) — automate certificate issuance and rotation with cert-manager. +- [Add client certificates]({{< relref "/operate/kubernetes/security/certificates/add-client-certificates" >}}) — enable client certificate authentication for databases. +- [Internode encryption]({{< relref "/operate/kubernetes/security/certificates/internode-encryption" >}}) — enable encryption between cluster nodes. diff --git a/content/operate/kubernetes/security/add-client-certificates.md b/content/operate/kubernetes/security/certificates/add-client-certificates.md similarity index 93% rename from content/operate/kubernetes/security/add-client-certificates.md rename to content/operate/kubernetes/security/certificates/add-client-certificates.md index 3fe87b1828..082095a87b 100644 
--- a/content/operate/kubernetes/security/add-client-certificates.md +++ b/content/operate/kubernetes/security/certificates/add-client-certificates.md @@ -3,10 +3,11 @@ categories: - docs - operate - kubernetes +aliases: [/operate/kubernetes/security/add-client-certificates/] description: Add client certificates to your REDB custom resource. linkTitle: Add client certificates title: Add client certificates -weight: 95 +weight: 30 --- For each client certificate you want to use with your database, you need to create a Kubernetes secret to hold it. You can then reference that secret in your Redis Enterprise database (REDB) custom resource spec. diff --git a/content/operate/kubernetes/security/cert-manager.md b/content/operate/kubernetes/security/certificates/cert-manager.md similarity index 98% rename from content/operate/kubernetes/security/cert-manager.md rename to content/operate/kubernetes/security/certificates/cert-manager.md index 562d68e7fc..5cc3503781 100644 --- a/content/operate/kubernetes/security/cert-manager.md +++ b/content/operate/kubernetes/security/certificates/cert-manager.md @@ -5,9 +5,10 @@ categories: - docs - operate - kubernetes +aliases: [/operate/kubernetes/security/cert-manager/] description: Automate TLS certificate management for Redis for Kubernetes using cert-manager. linkTitle: cert-manager -weight: 89 +weight: 20 --- [cert-manager](https://cert-manager.io/) is a Kubernetes add-on that automates the management and issuance of TLS certificates. The Redis operator integrates with cert-manager, so you can use automatically managed certificates for: @@ -173,7 +174,7 @@ spec: port: 636 ``` -For more details on LDAP configuration, see [Enable LDAP authentication]({{< relref "/operate/kubernetes/security/ldap" >}}). +For more details on LDAP configuration, see [Enable LDAP authentication]({{< relref "/operate/kubernetes/security/authentication/ldap" >}}). ## Active-Active databases with automatic certificate sync 
@@ -371,7 +372,7 @@ If you encounter certificate chain validation errors: ## See also - [cert-manager documentation](https://cert-manager.io/docs/) -- [Manage REC certificates]({{< relref "/operate/kubernetes/security/manage-rec-certificates" >}}) +- [Manage REC certificates]({{< relref "/operate/kubernetes/security/certificates/manage-rec-certificates" >}}) - [RedisEnterpriseCluster API reference]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api" >}}) - [RedisEnterpriseDatabase API reference]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_database_api" >}}) - [HashiCorp Vault integration]({{< relref "/operate/kubernetes/security/vault" >}}) diff --git a/content/operate/kubernetes/security/internode-encryption.md b/content/operate/kubernetes/security/certificates/internode-encryption.md similarity index 94% rename from content/operate/kubernetes/security/internode-encryption.md rename to content/operate/kubernetes/security/certificates/internode-encryption.md index ffe28eea28..a72dfb07bc 100644 --- a/content/operate/kubernetes/security/internode-encryption.md +++ b/content/operate/kubernetes/security/certificates/internode-encryption.md @@ -4,9 +4,10 @@ categories: - docs - operate - kubernetes +aliases: [/operate/kubernetes/security/internode-encryption/] description: Enable encryption for communication between REC nodes and configure custom certificates. linkTitle: Internode encryption -weight: 99 +weight: 40 --- Internode encryption provides added security by encrypting communication between nodes in your Redis Enterprise cluster (REC). 
@@ -130,6 +131,6 @@ When you remove a certificate secret reference from the REC specification, the o ## More info -- [Manage REC certificates]({{< relref "/operate/kubernetes/security/manage-rec-certificates" >}}) - General certificate management for Redis Enterprise clusters -- [Configuration secrets]({{< relref "/operate/kubernetes/security/configuration-secrets" >}}) - Best practices for storing configuration in Kubernetes secrets +- [Manage REC certificates]({{< relref "/operate/kubernetes/security/certificates/manage-rec-certificates" >}}) - General certificate management for Redis Enterprise clusters +- [Configuration secrets]({{< relref "/operate/kubernetes/security/authentication/configuration-secrets" >}}) - Best practices for storing configuration in Kubernetes secrets - [Internode encryption for Redis Enterprise Software]({{< relref "/operate/rs/security/encryption/internode-encryption.md" >}}) - Detailed information about how internode encryption works diff --git a/content/operate/kubernetes/security/manage-rec-certificates.md b/content/operate/kubernetes/security/certificates/manage-rec-certificates.md similarity index 94% rename from content/operate/kubernetes/security/manage-rec-certificates.md rename to content/operate/kubernetes/security/certificates/manage-rec-certificates.md index c51a2b1508..c6a5fbd2e1 100644 --- a/content/operate/kubernetes/security/manage-rec-certificates.md +++ b/content/operate/kubernetes/security/certificates/manage-rec-certificates.md @@ -5,9 +5,10 @@ categories: - docs - operate - kubernetes +aliases: [/operate/kubernetes/security/manage-rec-certificates/] description: Install your own certificates to replace the self-signed certificates used by a Redis Enterprise cluster on Kubernetes. linkTitle: Manage REC certificates -weight: 94 +weight: 10 --- Redis Software for Kubernetes generates self-signed TLS certificates for each new cluster. You can replace any of those certificates with your own. 
@@ -21,7 +22,7 @@ For the list of certificates and what each one encrypts, see the [certificates t ## Method 1: Manage certificates with the REC custom resource -This is the Kubernetes-native method. The operator detects changes to a referenced secret and rotates the certificate without manual intervention. You can create the secret manually, or have [cert-manager]({{< relref "/operate/kubernetes/security/cert-manager" >}}) issue and renew it automatically. +This is the Kubernetes-native method. The operator detects changes to a referenced secret and rotates the certificate without manual intervention. You can create the secret manually, or have [cert-manager]({{< relref "/operate/kubernetes/security/certificates/cert-manager" >}}) issue and renew it automatically. ### Supported certificates @@ -65,7 +66,7 @@ The operator accepts several key names for the certificate and private key, so y {{}}On Redis Software for Kubernetes versions older than 8.0.18, also include `--from-literal=name=` in the `kubectl create secret` command, where `` is the value from the **Certificate name in Redis Software** column in the [supported certificates](#supported-certificates) table.{{}} -For internode encryption certificates, see [Internode encryption]({{< relref "/operate/kubernetes/security/internode-encryption" >}}) for the full setup, which covers enabling internode encryption alongside the certificate configuration. +For internode encryption certificates, see [Internode encryption]({{< relref "/operate/kubernetes/security/certificates/internode-encryption" >}}) for the full setup, which covers enabling internode encryption alongside the certificate configuration. ### Step 2: Reference the secret in the REC custom resource 
@@ -116,7 +117,7 @@ After the update, verify the rotation as described in [Step 3](#step-3-verify-th The operator automates certificate updates for [Active-Active]({{< relref "/operate/kubernetes/active-active" >}}) databases. When you update the proxy or syncer certificate secret referenced by the REC, the operator detects the change and propagates the new certificate to all participating clusters. -This automation applies whether you manage the secret directly or with [cert-manager]({{< relref "/operate/kubernetes/security/cert-manager#active-active-databases-with-automatic-certificate-sync" >}}). +This automation applies whether you manage the secret directly or with [cert-manager]({{< relref "/operate/kubernetes/security/certificates/cert-manager#active-active-databases-with-automatic-certificate-sync" >}}). ## More info diff --git a/content/operate/kubernetes/security/vault.md b/content/operate/kubernetes/security/vault.md index 70bfbff9f1..08531d61cd 100644 --- a/content/operate/kubernetes/security/vault.md +++ b/content/operate/kubernetes/security/vault.md @@ -7,7 +7,7 @@ categories: - kubernetes description: Configure HashiCorp Vault as the centralized secret management system for Redis Enterprise for Kubernetes. linkTitle: HashiCorp Vault integration -weight: 97 +weight: 40 --- You can configure HashiCorp Vault as the centralized secret management system for the Redis Enterprise Kubernetes operator, replacing the default Kubernetes secrets. This integration provides enhanced security, centralized secret management, and advanced features like secret rotation and audit logging. 
@@ -22,18 +22,18 @@ When Vault integration is enabled, all secrets referenced in Redis Enterprise cu | **Cluster secrets** | | | | | | [Cluster credentials]({{< relref "/operate/kubernetes/deployment/quick-start" >}}) | [`clusterCredentialSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#redisenterprisespec" >}}) | Authentication credentials for cluster access | | | [License]({{< relref "/operate/kubernetes/deployment/quick-start#install-the-license" >}}) | [`licenseSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#redisenterprisespec" >}}) | Redis Enterprise license key | -| | [API certificate]({{< relref "/operate/kubernetes/security/manage-rec-certificates" >}}) | [`apiCertificateSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#redisenterprisespec" >}}) | TLS certificate for API server | -| | [Cluster manager certificate]({{< relref "/operate/kubernetes/security/manage-rec-certificates" >}}) | [`cmCertificateSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#redisenterprisespec" >}}) | TLS certificate for cluster manager | +| | [API certificate]({{< relref "/operate/kubernetes/security/certificates/manage-rec-certificates" >}}) | [`apiCertificateSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#redisenterprisespec" >}}) | TLS certificate for API server | +| | [Cluster manager certificate]({{< relref "/operate/kubernetes/security/certificates/manage-rec-certificates" >}}) | [`cmCertificateSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#redisenterprisespec" >}}) | TLS certificate for cluster manager | | | [Metrics exporter certificate]({{< relref "/operate/kubernetes/re-clusters/connect-prometheus-operator" >}}) | [`metricsExporterCertificateSecretName`]({{< relref 
"/operate/kubernetes/reference/api/redis_enterprise_cluster_api#redisenterprisespec" >}}) | TLS certificate for metrics exporter | -| | [Proxy certificate]({{< relref "/operate/kubernetes/security/manage-rec-certificates" >}}) | [`proxyCertificateSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#redisenterprisespec" >}}) | TLS certificate for proxy | +| | [Proxy certificate]({{< relref "/operate/kubernetes/security/certificates/manage-rec-certificates" >}}) | [`proxyCertificateSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#redisenterprisespec" >}}) | TLS certificate for proxy | | | [Syncer certificate]({{< relref "/operate/kubernetes/active-active" >}}) | [`syncerCertificateSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#redisenterprisespec" >}}) | TLS certificate for Active-Active syncer | -| | [LDAP client certificate]({{< relref "/operate/kubernetes/security/ldap" >}}) | [`ldapClientCertificateSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#redisenterprisespec" >}}) | TLS certificate for LDAP client authentication | -| | [LDAP bind credentials]({{< relref "/operate/kubernetes/security/ldap" >}}) | [`bindCredentialsSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#specldap" >}}) | Credentials for authenticating to the LDAP server | -| | [CPINE certificate]({{< relref "/operate/kubernetes/security/manage-rec-certificates" >}}) | [`cpInternodeEncryptionCertificateSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#speccertificates" >}}) | TLS certificate for Control Plane Internode Encryption (CPINE) | -| | [DPINE certificate]({{< relref "/operate/kubernetes/security/manage-rec-certificates" >}}) | [`dpInternodeEncryptionCertificateSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#speccertificates" 
>}}) | TLS certificate for Data Plane Internode Encryption (DPINE) | -| | [SSO service certificate]({{< relref "/operate/kubernetes/security/sso" >}}) | [`ssoServiceCertificateSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#speccertificates" >}}) | Service Provider (SP) certificate for SAML SSO | -| | [SSO issuer certificate]({{< relref "/operate/kubernetes/security/sso" >}}) | [`ssoIssuerCertificateSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#speccertificates" >}}) | Identity Provider (IdP) public certificate for SAML SSO | -| | [SSO IdP metadata]({{< relref "/operate/kubernetes/security/sso" >}}) | [`idpMetadataSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#specssosaml" >}}) | SAML Identity Provider metadata XML | +| | [LDAP client certificate]({{< relref "/operate/kubernetes/security/authentication/ldap" >}}) | [`ldapClientCertificateSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#redisenterprisespec" >}}) | TLS certificate for LDAP client authentication | +| | [LDAP bind credentials]({{< relref "/operate/kubernetes/security/authentication/ldap" >}}) | [`bindCredentialsSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#specldap" >}}) | Credentials for authenticating to the LDAP server | +| | [CPINE certificate]({{< relref "/operate/kubernetes/security/certificates/manage-rec-certificates" >}}) | [`cpInternodeEncryptionCertificateSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#speccertificates" >}}) | TLS certificate for Control Plane Internode Encryption (CPINE) | +| | [DPINE certificate]({{< relref "/operate/kubernetes/security/certificates/manage-rec-certificates" >}}) | [`dpInternodeEncryptionCertificateSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#speccertificates" >}}) | TLS 
certificate for Data Plane Internode Encryption (DPINE) | +| | [SSO service certificate]({{< relref "/operate/kubernetes/security/authentication/sso" >}}) | [`ssoServiceCertificateSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#speccertificates" >}}) | Service Provider (SP) certificate for SAML SSO | +| | [SSO issuer certificate]({{< relref "/operate/kubernetes/security/authentication/sso" >}}) | [`ssoIssuerCertificateSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#speccertificates" >}}) | Identity Provider (IdP) public certificate for SAML SSO | +| | [SSO IdP metadata]({{< relref "/operate/kubernetes/security/authentication/sso" >}}) | [`idpMetadataSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#specssosaml" >}}) | SAML Identity Provider metadata XML | | | [User-defined module credentials]({{< relref "/operate/kubernetes/re-databases/modules" >}}) | [`credentialsSecret`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_cluster_api#specuserdefinedmodulessourcehttps" >}}) | Credentials for downloading user-defined modules from authenticated repositories | | **Database secrets** | | | | | | [Database passwords]({{< relref "/operate/kubernetes/networking/database-connectivity/#credentials-and-secrets-management" >}}) | Various | Passwords for Redis databases | 
@@ -44,7 +44,7 @@ When Vault integration is enabled, all secrets referenced in Redis Enterprise cu | | [Swift backup credentials]({{< relref "/operate/kubernetes/re-databases" >}}) | [`swiftSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_database_api#redisenterprisedbspec" >}}) | Swift storage credentials for database backups | | | [Azure Blob backup credentials]({{< relref "/operate/kubernetes/re-databases" >}}) | [`absSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_database_api#redisenterprisedbspec" >}}) | Azure Blob storage credentials for database backups | | | [Google Cloud backup credentials]({{< relref "/operate/kubernetes/re-databases" >}}) | [`gcsSecretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_database_api#redisenterprisedbspec" >}}) | Google Cloud storage credentials for database backups | -| | [Client authentication certificates]({{< relref "/operate/kubernetes/security/add-client-certificates" >}}) | Various | TLS client certificates for authentication | +| | [Client authentication certificates]({{< relref "/operate/kubernetes/security/certificates/add-client-certificates" >}}) | Various | TLS client certificates for authentication | | **Other secrets** | | | | | | [Remote cluster secrets]({{< relref "/operate/kubernetes/active-active" >}}) | [`secretName`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_remote_cluster_api#redisenterpriseremoteclusterspec" >}}) | Credentials for Redis Enterprise Remote Cluster (RERC) configurations | | | [Active-Active database secrets]({{< relref "/operate/kubernetes/active-active" >}}) | [`globalConfigurations`]({{< relref "/operate/kubernetes/reference/api/redis_enterprise_active_active_database_api#redisenterpriseactiveactivedatabasespec" >}}) | All secret names specified in REAADB global configurations |
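Review bot: In the new `content/operate/kubernetes/security/certificates/_index.md`, the "What's different on Kubernetes" list says certificates live in Kubernetes Secrets with no qualification, yet `vault.md` in this same patch describes Vault integration as replacing the default Kubernetes secrets and lists `apiCertificateSecretName`, `proxyCertificateSecretName` and both internode encryption certificate fields among the secrets it covers. Add one sentence to the overview, with a relref to `/operate/kubernetes/security/vault`, saying where certificate material is stored when Vault is enabled. The statement that the operator distributes certificates to every node also appears three times in this file (intro paragraph, first bullet of "How certificates work", last bullet of "What's different"); keeping it in the intro and one list would be enough.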
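Review bot: The `cert-manager.md` hunk at `@@ -173,7 +174,7 @@` retargets the LDAP link to `/operate/kubernetes/security/authentication/ldap`, and the `internode-encryption.md` and `vault.md` hunks do the same for `authentication/configuration-secrets` and `authentication/sso`, but only the SSO page's `aliases:` entry is visible in this part of the patch. Every certificate page moved here gains an alias for its old URL; confirm the ldap and configuration-secrets pages carry `aliases: [/operate/kubernetes/security/ldap/]` and `aliases: [/operate/kubernetes/security/configuration-secrets/]` as well, so existing bookmarks and external links to the security pages keep resolving.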
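Review bot: In the `internode-encryption.md` hunk at `@@ -130,6 +131,6 @@`, the last "More info" bullet still uses `relref "/operate/rs/security/encryption/internode-encryption.md"` with a `.md` suffix, while every other relref in the patch, including the link to the same page in the new `_index.md`, omits it. Since the two bullets above it are being rewritten anyway, drop the suffix here so the link style is consistent across the section.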