In the dynamic world of containers, providing the secrets a containerized workload needs without slowing down development is hard. Typical problems include:
- Secrets are easily exposed (baked into images, passed as plain environment variables, or written to disk)
- No runtime authentication of the calling container, so there is no assurance that the requester really is the application container it claims to be
- No segregation of duties, either between different application containers or between the application secrets and the container platform administrator
- No audit trail of who retrieved which secret and when
- No rotation of secrets
The integration between Kubernetes and CyberArk Conjur Enterprise simplifies secrets management for containers and strengthens container security in a seamless and native way. Organizations running Kubernetes can use Conjur Enterprise to secure, manage and rotate secrets and other credentials: Conjur authenticates the calling pod and then securely delivers the secrets it stores to the application containers running in Kubernetes, so secrets are never exposed to third parties. The Conjur integration enhances security for Kubernetes environments by providing:
- End-to-end encryption of secrets through mutual TLS (Transport Layer Security) using SPIFFE-compliant resource identifiers.
- Robust authentication and authorization incorporating Conjur policy, signed certificates, and an internal Kubernetes authenticator.
- Separation of duties and other policies by letting Kubernetes security teams control container access while development teams define application requirements.
- Scalability and performance advantages of the Conjur master-follower architecture. Followers handle read-only requests for client containers and allow the cluster to scale-out easily through the addition of more followers.
- High availability, since multiple followers run inside the Kubernetes cluster, so secrets remain available from a local cache even when the network connection to the master is degraded.
- Secret rotation, centralized auditing, and all other advantages of Conjur Enterprise.
Most importantly, developers can meet these security requirements without changing their application code by using Summon, an open source tool that fetches the secrets an application needs and makes them available to it in memory only. REST APIs and SDKs are also available to support other flows and use cases.
Conjur was designed with developers in mind, so that they can focus on building software rather than on the plumbing of security. For example, security policies are written and managed as code (YAML files), so they can be checked into version control and reused across Development, Testing and Production environments.
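The following Conjur policy is an added example written for this page; it is not code from the original post or from CyberArk's integration materials. It shows the separation of duties described above: the security team owns the first file (the Kubernetes authenticator and the workload identity, pinned to a namespace, service account and sidecar container), while the development team owns the second file (the application's secrets and who may read them). The authenticator id `prod-cluster`, the policy ids `k8s-apps` and `payments`, the namespace and service account names, and the `authn-k8s/*` annotation names are assumptions for illustration and should be checked against the integration reference materials. The two files are shown here separated by a YAML `---` document marker; in practice each team loads its own file into its own policy branch.

```yaml
# --- File 1: owned and loaded by the security/platform team (root branch) ---
# Defines the Kubernetes authenticator service and which identities may use it.
- !policy
  id: conjur/authn-k8s/prod-cluster        # assumed authenticator service id
  body:
  - !webservice                            # the authn-k8s endpoint itself

  # Members of this layer are allowed to authenticate through the authenticator.
  - !layer

  - !permit
    role: !layer
    privileges: [ read, authenticate ]
    resource: !webservice

# Workload identities. The host is bound to a Kubernetes namespace, a service
# account and the name of the authenticator sidecar; a pod that does not match
# all three cannot log in as this host, whatever it claims to be.
- !policy
  id: k8s-apps                             # assumed policy id
  body:
  - !host
    id: payments/api
    annotations:
      authn-k8s/namespace: payments                      # assumed namespace
      authn-k8s/service-account: payments-api            # assumed service account
      authn-k8s/authentication-container-name: authenticator

  # Only the security team can add a host to the authenticator's layer.
  - !grant
    role: !layer conjur/authn-k8s/prod-cluster
    member: !host payments/api

---
# --- File 2: owned and loaded by the payments development team (its own branch) ---
# Declares the secrets the application needs and grants the workload identity
# read access. The team cannot change how that identity is authenticated.
- !policy
  id: payments                             # assumed policy id
  body:
  - !variable db/password
  - !variable api/gateway-key

  - !permit
    role: !host /k8s-apps/payments/api     # absolute id of the security-team host
    privileges: [ read, execute ]          # execute = fetch the secret value
    resource: !variable db/password

  - !permit
    role: !host /k8s-apps/payments/api
    privileges: [ read, execute ]
    resource: !variable api/gateway-key
```

The point of the split is that a developer who can edit the `payments` branch can add variables and grant access to them, but cannot mint a new workload identity or loosen the namespace and service-account binding; that requires a change in the security team's branch, which shows up in version control and in Conjur's audit log.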
No “Security Islands”: Credential Management across the Enterprise
A further advantage of CyberArk solutions is true end-to-end, policy-based secrets and credential management across the whole enterprise. CyberArk is widely deployed by enterprises across the globe. The integration between CyberArk Conjur Enterprise and the CyberArk Enterprise Password Vault lets secrets and credentials managed in the Vault be replicated automatically into Conjur and delivered to containers running in Kubernetes. Organizations can thus centrally manage access to credentials and secrets across on-premises, hybrid and cloud-native environments, including Kubernetes containers and other DevOps tools. Conjur can also be used as a standalone solution and integrated with the Vault if and when the enterprise is ready.
How It Works – Kubernetes and Conjur
The deployment scripts deploy a Conjur cluster into its own Kubernetes namespace (a project, in OpenShift terms); Kubernetes 1.5 or later is required. Application workloads are deployed in separate namespaces and obtain access to Conjur through an authenticated login orchestrated by an authentication sidecar container running in each application pod. For additional details refer to the integration reference materials.
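As an added example of the sidecar pattern just described (this manifest is not from the original post or from CyberArk's deployment scripts), the Deployment below runs an authenticator sidecar next to the application container. The sidecar logs in to the Conjur follower as the workload identity, and hands the resulting access token to the application through a memory-backed volume that never touches the node's disk. The image name, the environment variable names used by the sidecar and by the application's Conjur client (`CONTAINER_MODE`, `CONJUR_AUTHN_URL`, `CONJUR_AUTHN_LOGIN`, `CONJUR_AUTHN_TOKEN_FILE`, and so on), the follower service address, the account name `myorg` and the host id `k8s-apps/payments/api` are assumptions for illustration and should be verified against the integration reference materials; the Kubernetes fields themselves are standard.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: payments-api
  namespace: payments                      # must match the host's authn-k8s/namespace binding
spec:
  replicas: 1
  selector:
    matchLabels: { app: payments-api }
  template:
    metadata:
      labels: { app: payments-api }
    spec:
      serviceAccountName: payments-api     # must match the host's service-account binding
      containers:
      # Authenticator sidecar: authenticates this pod to Conjur and refreshes the token.
      - name: authenticator                # must match authn-k8s/authentication-container-name
        image: cyberark/conjur-authn-k8s-client   # assumed image name
        env:
        - { name: CONTAINER_MODE,       value: sidecar }
        - { name: CONJUR_ACCOUNT,       value: myorg }                       # assumed
        - { name: CONJUR_APPLIANCE_URL, value: https://conjur-follower.conjur.svc.cluster.local }
        - { name: CONJUR_AUTHN_URL,     value: https://conjur-follower.conjur.svc.cluster.local/authn-k8s/prod-cluster }
        - { name: CONJUR_AUTHN_LOGIN,   value: host/k8s-apps/payments/api }  # the Conjur host identity
        - name: CONJUR_SSL_CERTIFICATE           # pin the follower's CA, never trust blindly
          valueFrom:
            configMapKeyRef: { name: conjur-cert, key: ssl-certificate }
        # Pod facts the authenticator presents; Conjur checks them against the host's annotations.
        - name: MY_POD_NAME
          valueFrom: { fieldRef: { fieldPath: metadata.name } }
        - name: MY_POD_NAMESPACE
          valueFrom: { fieldRef: { fieldPath: metadata.namespace } }
        - name: MY_POD_IP
          valueFrom: { fieldRef: { fieldPath: status.podIP } }
        volumeMounts:
        - { name: conjur-access-token, mountPath: /run/conjur }

      # Application container: reads the token and fetches secrets via Summon or an SDK.
      - name: app
        image: myorg/payments-api:1.0            # assumed image name
        env:
        - { name: CONJUR_ACCOUNT,          value: myorg }
        - { name: CONJUR_APPLIANCE_URL,    value: https://conjur-follower.conjur.svc.cluster.local }
        - { name: CONJUR_AUTHN_TOKEN_FILE, value: /run/conjur/access-token }
        - name: CONJUR_SSL_CERTIFICATE
          valueFrom:
            configMapKeyRef: { name: conjur-cert, key: ssl-certificate }
        volumeMounts:
        - { name: conjur-access-token, mountPath: /run/conjur, readOnly: true }

      volumes:
      # tmpfs-backed: the short-lived access token is shared between the two
      # containers in memory only and disappears with the pod.
      - name: conjur-access-token
        emptyDir:
          medium: Memory
```

Two things worth checking in any real deployment of this pattern: the application container mounts the token volume read-only, so a compromised application cannot tamper with the sidecar's token file, and the follower's CA certificate is pinned explicitly rather than relying on whatever the container image happens to trust.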
Conjur Open Source Also Available
CyberArk Conjur Open Source is freely available to download on GitHub or Conjur.org. With Conjur Open Source, you can also join the CyberArk Commons to communicate directly with our engineers to ask questions and provide product feedback.
Thank you for reading!