Deploy Conjur - Kubernetes/OpenShift Integration

This topic describes how to deploy the Conjur - Kubernetes/OpenShift integration.

Kubernetes RBAC Permissions

The service account used to deploy your application must be bound to a ClusterRole with the following permissions:

Permissions | On... | To...
--- | --- | ---
[get, list] | Pods | Enable Conjur to validate pod metadata
[create, get] | Pods Exec | Enable Conjur to inject the client certificate needed for mutual TLS into the application pod.
[get, list] | Kubernetes or OpenShift resource type (deployment, service account) used to define an identity in Conjur policy for your application to authenticate with Conjur. For details, see Application Identity in OpenShift/Kubernetes. | Enable Conjur to validate that the pod should be allowed to identify as the specified resource type before injecting a client certificate.

Create a role binding for the ClusterRole

The Conjur deployment scripts create a ClusterRole for granting permissions to the Conjur server. You need to add role bindings to grant appropriate privileges to the Conjur server.


The role bindings must be added into each namespace where you intend to deploy applications that use the Kubernetes Authenticator to authenticate to Conjur.

The required role binding configuration for a namespace looks as follows:

# role-binding.yml
---
kind: RoleBinding
# Change the following to match your K8s version
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: <CONJUR_SERVER_AUTHN_ROLE_BINDING_NAME>
  namespace: <APP_NAMESPACE>
subjects:
- kind: ServiceAccount
  name: <SERVICE_ACCOUNT_NAME>
  namespace: <CONJUR_SERVER_NAMESPACE>
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: <CLUSTER_ROLE_NAME>

Attribute | Description
--- | ---
CONJUR_SERVER_NAMESPACE | The namespace where the Conjur Server runs.
APP_NAMESPACE | The namespace of the application that needs to be authenticated.

For example:

# role-binding.yml
---
kind: RoleBinding
# Change the following to match your K8s version
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: conjur-server-authn-role-binding
  namespace: my-app-namespace
subjects:
- kind: ServiceAccount
  name: conjur-cluster
  namespace: conjur-server
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: my-cluster-role

Using the role binding template above, create the role binding as follows:

$ kubectl apply -f role-binding.yml
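As an added least-privilege check that is not part of the Conjur documentation or project code: a Python audit that compares a ClusterRole manifest (already parsed into a dict, e.g. from `kubectl get clusterrole -o json`) against the permission table above and reports verbs that are missing or broader than the authenticator needs. The `deployments` identity resource and the two sample manifests are constructed assumptions.

```python
from typing import Dict, List, Set, Tuple

# Verbs the authenticator needs on each resource, from the permissions table above;
# "Pods Exec" is the pods/exec subresource in RBAC terms. The resource used for
# application identity (deployments, serviceaccounts, ...) is passed in by the caller.
BASE_REQUIRED: Dict[str, Set[str]] = {
    "pods": {"get", "list"},
    "pods/exec": {"create", "get"},
}


def _granted_verbs(rules: List[dict]) -> Dict[str, Set[str]]:
    """Flatten ClusterRole rules into {resource: verbs}; '*' is kept literally."""
    granted: Dict[str, Set[str]] = {}
    for rule in rules:
        for resource in rule.get("resources", []):
            granted.setdefault(resource, set()).update(rule.get("verbs", []))
    return granted


def audit_cluster_role(cluster_role: dict,
                       identity_resources: List[str]) -> Tuple[List[str], List[str]]:
    """Return (missing, excessive) as 'resource:verb'; a '*' wildcard or any verb
    the table does not call for counts as excessive (least privilege)."""
    required = {res: set(verbs) for res, verbs in BASE_REQUIRED.items()}
    for resource in identity_resources:
        required[resource] = {"get", "list"}
    granted = _granted_verbs(cluster_role.get("rules", []))
    missing = [f"{res}:{verb}" for res, verbs in required.items()
               for verb in sorted(verbs)
               if not granted.get(res, set()) & {verb, "*"}]
    excessive = [f"{res}:{verb}" for res, verbs in granted.items()
                 for verb in sorted(verbs)
                 if verb == "*" or verb not in required.get(res, set())]
    return missing, excessive


# Constructed sample ClusterRoles (not from the page): one minimal, one over-broad.
MINIMAL_ROLE = {"kind": "ClusterRole", "rules": [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create", "get"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list"]},
]}
BROAD_ROLE = {"kind": "ClusterRole", "rules": [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "delete"]},
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["*"]},
]}
```

Run `audit_cluster_role(role, ["deployments"])` on the role you bind above: an empty result means the ClusterRole matches the table exactly, while `pods:delete` or `pods/exec:*` in the excessive list is a sign to trim it before applying the role binding.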

1. Install and configure Open Source Conjur. See instructions on our GitHub page.

2. Configure applications in the Kubernetes cluster to access secrets in Conjur. See Deploy Applications.