Deploy Conjur

This topic describes how to deploy the Conjur - Kubernetes/OpenShift integration.

Kubernetes RBAC Permissions

The service account used to deploy your application must be bound to a ClusterRole with the following permissions:




[get, list]


Enable Conjur to validate pod metadata

[create, get]



Enable Conjur to inject the client certificate needed for mutual TLS into the application pod.

[get, list]

Kubernetes or OpenShift resource type (deployment, service account) used to define an identity in Conjur policy for your application to authenticate with Conjur.

For details, see Application Identity in OpenShift/Kubernetes.

Enable Conjur to validate that the pod should be allowed to identify as the specified resource type before injecting a client certificate.

Create a role binding for the ClusterRole

The follower deployment scripts create a ClusterRole for granting permissions to the Conjur server.

You need to add the role bindings to grant appropriate privileges to the Conjur server. The role bindings must be added into each namespace where you intend to deploy applications that use the K8s Authenticator to authenticate to Conjur.

The required role binding configuration for a namespace looks as follows:

# role-binding.yml
kind: RoleBinding
# Change the following to match your K8s version
name: application-conjur-authenticator-role-binding-<Conjur  namespace>
namespace: <Application namespace>
- kind: ServiceAccount
  name: conjur-cluster
  namespace: <Conjur  namespace>
kind: ClusterRole



Conjur follower namespace

The namespace where Conjur runs.

Application namespace

The namespace of the application that needs to be authenticated.

Using the role binding template above, create the role binding as follows:

$ kubectl apply -f role-binding.yml

Deploy Conjur Open Source

Use one of the following methods to deploy a Conjur open source environment: