Deploy Conjur

This topic describes how to deploy Conjur for Kubernetes, OpenShift, and GKE.

Kubernetes RBAC Permissions

The service account used to deploy your application must be bound to a ClusterRole with the following permissions:

| Permissions | On... | To... |
| --- | --- | --- |
| [get, list] | Pods | Enable Conjur to validate pod metadata. |
| [create, get] | Pods Exec | Enable Conjur to inject the client certificate needed for mutual TLS into the application pod. |
| [get, list] | Kubernetes or OpenShift resource type (deployment, service account) used to define an identity in Conjur policy for your application to authenticate with Conjur. For details, see Machine Identity. | Enable Conjur to validate that the pod should be allowed to identify as the specified resource type before injecting a client certificate. |

For details, see Create a role binding for the Conjur cluster role.
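The following added example (not part of the Conjur documentation) audits a ClusterRole, exported as JSON, against the permissions table above and reports both missing grants and grants beyond what the table lists. The role name, the sample rules, the mapping of "Pods Exec" to the `pods/exec` subresource, and the choice of deployments and service accounts as the identity resource types are assumptions made for illustration.

```python
import json

# Required grants, taken from the permissions table above. Assumptions: "Pods Exec"
# is the core-group "pods/exec" subresource, and the identity resource types are
# serviceaccounts (core group) and deployments ("apps" group).
REQUIRED = {
    ("", "pods"): {"get", "list"},
    ("", "pods/exec"): {"create", "get"},
    ("", "serviceaccounts"): {"get", "list"},
    ("apps", "deployments"): {"get", "list"},
}

# Constructed sample in the shape of `kubectl get clusterrole <name> -o json`.
SAMPLE = json.loads("""
{"kind": "ClusterRole", "metadata": {"name": "example-authenticator"},
 "rules": [
  {"apiGroups": [""], "resources": ["pods", "serviceaccounts"], "verbs": ["get", "list"]},
  {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
  {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list"]},
  {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}
 ]}
""")

def granted(role):
    """Flatten the role's rules into {(apiGroup, resource): set_of_verbs}."""
    grants = {}
    for rule in role.get("rules", []):
        for group in rule.get("apiGroups", []):
            for res in rule.get("resources", []):
                grants.setdefault((group, res), set()).update(rule.get("verbs", []))
    return grants

def covers(grants, group, res, verb):
    """True if some rule grants the verb, directly or through a "*" wildcard."""
    return any(g in (group, "*") and r in (res, "*") and {verb, "*"} & verbs
               for (g, r), verbs in grants.items())

def audit(role):
    """Return (missing, excess) as sorted (apiGroup, resource, verb) tuples."""
    grants = granted(role)
    missing = sorted((g, r, v) for (g, r), vs in REQUIRED.items()
                     for v in vs if not covers(grants, g, r, v))
    excess = sorted((g, r, v) for (g, r), vs in grants.items()
                    for v in vs if v not in REQUIRED.get((g, r), set()))
    return missing, excess

if __name__ == "__main__":
    print(audit(SAMPLE))
```

For the constructed sample, the audit reports that `get` on `pods/exec` is missing and that `get` on `secrets` is an extra grant worth removing. Partial wildcards such as `pods/*` are not expanded; only a bare `*` is treated as a wildcard.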

Deploy Conjur Open Source

Use one of the following methods to deploy a Conjur open source environment:

 