Secrets Provider for Kubernetes - Init Container

This topic describes how to set up the CyberArk Secrets Provider for Kubernetes as an init container, cyberark-secrets-provider-for-k8s, to populate Kubernetes Secrets with secrets stored in Conjur.

As an init container, the Secrets Provider for Kubernetes is deployed in the same pod as the application container, and serves only that application.

How the Secrets Provider init container works

  1. The cyberark-secrets-provider-for-k8s init container starts and authenticates to the Conjur server using the Kubernetes Authenticator (authn-k8s).

  2. The cyberark-secrets-provider-for-k8s init container reads all Kubernetes Secrets required by the pod.

  3. For each mapped Kubernetes secret, the cyberark-secrets-provider-for-k8s init container:

    1. Retrieves Conjur secrets

    2. Updates the Kubernetes secret with the Conjur secret value

  4. The cyberark-secrets-provider-for-k8s init container runs to completion.

  5. Your application container starts and consumes the Kubernetes Secrets.

Set up Secrets Provider as an init container

This section describes how to set up the Secrets Provider for Kubernetes as an init container.

Troubleshooting

This section describes how to troubleshoot common Secrets Provider for Kubernetes issues.

Enable logs

To enable logs, add the debug parameter to the application deployment manifest. For details, see Enable debug logs.

Display logs

To display the Secrets Provider for Kubernetes logs:

Common issues and resolutions

The table below describes common issues and their resolution:

Issue: CONTAINER_MODE variable is set with an invalid value
Error code: CSPFK007E
Resolution: Check that the CONTAINER_MODE variable is defined as either init or application.

Issue: The Service Account doesn't have permissions to fetch Kubernetes secrets data
Error code: CSPFK020E
Resolution: Check that the Service Account assigned to the pod has get permissions on the secrets resource.
For details, see Create and bind a role to the application service account.

Issue: The Service Account doesn't have permissions to update Kubernetes secrets data
Error code: CSPFK022E
Resolution: Check that the Service Account assigned to the pod has update permissions on the secrets resource.
For details, see Create and bind a role to the application service account.

Issue: CyberArk Secrets Provider for Kubernetes is unable to authenticate
Error code: CSPFK010E
Resolution: First, check that you provided the correct host name in the manifest for the init container that authenticates to Conjur. For details, see CONJUR_AUTHN_LOGIN.
Second, validate that you assigned the correct permissions to the authn-k8s service.

Issue: Kubernetes Secrets resources that are defined in the K8S_SECRETS environment variable are not defined in Kubernetes
Error code: CSPFK020E
Resolution: Check that all Kubernetes Secrets resources defined for the K8S_SECRETS environment variable exist in Kubernetes.
For details, see Map Conjur variables to Kubernetes Secrets.

Issue: Conjur secrets are not accessible
Error code: CSPFK034E
Resolution: Check that all Conjur variable paths defined in the conjur-map data entry can be retrieved by the Conjur host identity.
For details, see Define the application as a Conjur host in policy.

Issue: Client application failed because of invalid or non-existent Kubernetes secrets data
Error code: No error is raised by the cyberark-secrets-provider-for-k8s init container
Resolution: Check that the secrets-provider-for-k8s image is configured as an init container.
For details, see Create and bind a role to the application service account.

Issue: Kubernetes Secrets resources defined in the K8S_SECRETS environment variable are not properly configured
Error code: CSPFK028E
Resolution: Check that all Kubernetes Secrets resources defined in the K8S_SECRETS environment variable are configured with a conjur-map data entry.
For details, see Map Conjur variables to Kubernetes Secrets.
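As an added example, not taken from the CyberArk documentation, the following minimal manifest set ties together the pieces the table above checks: a Secret carrying the conjur-map entry, a Role and RoleBinding that grant get and update on secrets, and a pod whose init container sets CONTAINER_MODE, K8S_SECRETS and CONJUR_AUTHN_LOGIN. The namespace app-ns, service account app-sa, the Conjur host and variable paths, the image tags and the Conjur connection variables named in the trailing comment are assumptions, not values from this page.

```yaml
# Added example, not from the CyberArk docs. Placeholders: namespace app-ns, service account
# app-sa, the Conjur host/variable paths and the image tags.
apiVersion: v1
kind: Secret
metadata: {name: db-credentials, namespace: app-ns}
type: Opaque
stringData:
  conjur-map: |          # Kubernetes key -> Conjur variable path (missing map: CSPFK028E)
    password: secrets/app/db-password
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata: {name: secrets-access, namespace: app-ns}
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "update"]   # no get: CSPFK020E, no update: CSPFK022E
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata: {name: secrets-access-binding, namespace: app-ns}
subjects:
  - {kind: ServiceAccount, name: app-sa, namespace: app-ns}
roleRef: {kind: Role, name: secrets-access, apiGroup: rbac.authorization.k8s.io}
---
apiVersion: v1
kind: Pod
metadata: {name: app, namespace: app-ns}
spec:
  serviceAccountName: app-sa
  initContainers:
    - name: cyberark-secrets-provider-for-k8s
      image: cyberark/secrets-provider-for-k8s:TAG   # placeholder tag
      env:
        - name: CONTAINER_MODE
          value: init                 # anything but init/application: CSPFK007E
        - name: K8S_SECRETS
          value: db-credentials       # Secret must exist in this namespace: CSPFK020E
        - name: CONJUR_AUTHN_LOGIN
          value: host/conjur/authn-k8s/dev-cluster/apps/app-ns/app-sa   # wrong host: CSPFK010E
        # Conjur connection settings (CONJUR_APPLIANCE_URL, CONJUR_AUTHN_URL, CONJUR_ACCOUNT,
        # CONJUR_SSL_CERTIFICATE) are also required by the provider; omitted here for brevity.
  containers:
    - name: app
      image: app:TAG                  # placeholder application image
      env:
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef: {name: db-credentials, key: password}
```

Because the init container must finish before the application container starts, the application only ever reads the Secret after the password key has been populated from Conjur.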