Kubernetes Authenticator

The OpenShift and Kubernetes integration enables applications running in Kubernetes to authenticate with Conjur using the Kubernetes Authenticator.

For solution details, see OpenShift, Kubernetes.

Authentication Flow

There are two parts to the OpenShift/Kubernetes integration.

  • The authn-k8s Conjur plugin exposes additional endpoints in Conjur that know how to authenticate OpenShift or Kubernetes resources.

  • The Kubernetes Authenticator Client or the CyberArk Secrets Provider for Kubernetes runs in the cluster and handles communication with the authn-k8s plugin.

  • The integration uses certificate-based mutual TLS to authenticate the application and provide a Conjur access token to the application pod. This access token can then be used by the application to retrieve secrets from Conjur.

Configuration

Access to the OpenShift/Kubernetes integration is controlled by a Conjur policy, which must define:

  • Variables to store the Conjur CA certificate and key

  • A webservice that represents the OpenShift/Kubernetes integration

  • Host identities that the application will use to authenticate

  • Permit statements that allowlist the host identities to the webservice

For solution details, see OpenShift, Kubernetes.
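The following Conjur policy is an added example (not taken from this page) that defines each of the four items listed above for an authenticator with the assumed service ID dev-cluster; the namespace, service account, container and host names are placeholders.

```yaml
# Added example policy for an authn-k8s authenticator.
# "dev-cluster", "app-namespace", "app-sa", "authenticator" and "my-app"
# are assumed placeholder values.
- !policy
  id: conjur/authn-k8s/dev-cluster
  body:
    # The webservice that represents the OpenShift/Kubernetes integration
    - !webservice

    # Variables that store the CA certificate and key used for mutual TLS
    - !policy
      id: ca
      body:
        - !variable cert
        - !variable key

    # Group of host identities allowed to use this authenticator
    - !group apps

    # Permit statement that allowlists the group to the webservice
    - !permit
      resource: !webservice
      privilege: [ read, authenticate ]
      role: !group apps

# Host identity for the application pod. The annotations bind the identity
# to a namespace, service account and authenticator container, so a pod
# that does not match all three cannot authenticate as this host.
- !policy
  id: apps
  body:
    - !host
      id: my-app
      annotations:
        authn-k8s/namespace: app-namespace
        authn-k8s/service-account: app-sa
        authn-k8s/authentication-container-name: authenticator

    # Add the host to the authenticator's allowlisted group
    - !grant
      role: !group conjur/authn-k8s/dev-cluster/apps
      member: !host my-app
```

Secrets the application needs still require separate permit statements granting the host read and execute on the relevant variables; the policy above only controls who may authenticate.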

Troubleshooting

This section provides troubleshooting for the Kubernetes Authenticator.

Common issues and resolutions

The table below describes common issues and their resolution:

Issue: Conjur server failed to perform a handshake with the Kubernetes API server
Error code: CONJ00071E
Resolution: Verify that the service account used to deploy your application is bound to a Role that has "[create, get]" permissions on "pods/exec". For more information, see Kubernetes RBAC Permissions.

Issue: Kubernetes API server failed to place the Conjur client certificate into the authenticator container
Error code: CONJ00072E
Resolution: Retrieve the Kubernetes Authenticator Client container logs and search for the error code 'CAKC055'. This indicates the error that occurred in the process.