Kubernetes Authenticator

The OpenShift and Kubernetes integration enables applications running in Kubernetes to authenticate with Conjur using the Kubernetes authenticator.

For solution details, see Kubernetes, OpenShift, and GKE .

Authentication Flow

There are two parts to the OpenShift/Kubernetes integration.

  • The authn-k8s, a Conjur plugin, exposes additional endpoints in Conjur that knows how to authenticate OpenShift or Kubernetes resources.

  • The authenticator client, either the Conjur sidecar or the CyberArk Secrets Provider for Kubernetes runs in the application's pod and facilitates communication with the authn-k8s plugin. For details, see

  • The integration uses certificate-based mutual TLS to authenticate the application and provide a Conjur access token to the application pod. This access token can then be used by the application to retrieve secrets from Conjur.


Access to the OpenShift/Kubernetes integration is controlled by a Conjur policy, which must define:

  • Variables to store a Conjur's CA cert and key

  • A webservice that represents the OpenShift/Kubernetes integration

  • Host identities that the application will use to authenticate

  • Permit statements that whitelist the host identities to the webservice

For solution details, see Kubernetes, OpenShift, and GKE .