Deploy Followers for Kubernetes

This topic describes how to deploy DAP Followers in a Kubernetes environment.

Prerequisites

The following prerequisites are assumed:

  • A DAP Docker image is accessible to the Kubernetes cluster. Use the same image (same version) as the one used to deploy the DAP Master. The scripts execute a local docker push to a remote registry. That registry must be accessible to the Kubernetes cluster.

  • You can log in to the Kubernetes cluster as a user with permissions to: 

    • Deploy applications
    • Create service accounts, roles and role bindings, namespaces, and secrets
    • Pull and push docker images
    • Exec into containers
  • You have all of the necessary utilities installed on your local machine to interact with your cluster: for example docker, kubectl (or oc on OpenShift), jq, and file management tools.

Deployment workflow

  1. Configure DAP for auto-enrollment of Followers
  2. Deploy Followers to Kubernetes

Configure DAP for auto-enrollment of Followers

In this section, you configure the Master so that newly installed Followers enroll and connect to it automatically. This is what lets the Follower count scale up without manual intervention on the Master.

 

This process uses a seed service for auto enrolling the Followers.

The seed service does not support server key encryption.

If your environment has server key encryption enabled, contact your CyberArk support representative for an alternative solution for auto-enrolling the Followers.

  1. Create a policy that registers a Kubernetes (K8s) Authenticator, a Seed service, and a deployment host:

     
    # kubernetes-followers.yml
    # =================================================
    # == Enroll a new Kubernetes authentication service
    # =================================================
    - !policy
      id: conjur/authn-k8s/<authenticator name>
      body:
      # Runtime configuration variables required by the authenticator.
      # Variables prefixed with `kubernetes/*` are only required when
      # running outside of Kubernetes. Variables prefixed with `ca/*`
      # are always required.
      - !variable kubernetes/service-account-token
      - !variable kubernetes/ca-cert
      - !variable kubernetes/api-url
      - !variable ca/key
      - !variable ca/cert
      # This webservice represents the K8s authenticator
      - !webservice
      # The `apps` policy defines K8s resources that 
      # can be authenticated.
      - !policy
        id: apps
        body:
        # All application roles that are run in K8s must have
        # membership in the `apps` layer
        - !layer
        # `authenticated-resources` is an array of hosts that map to
        # resources in K8s
        - &authenticated-resources
          # this host will authenticate with Conjur to fetch the Follower seed
          - !host
            id: seed-fetcher-app
            annotations:
              authn-k8s/namespace: <dap follower namespace>
              authn-k8s/service-account: conjur-cluster
              authn-k8s/authentication-container-name: authenticator
        - !grant
          role: !layer
          members: *authenticated-resources
      # Members of `apps` are allowed to authenticate
      - !permit
        role: !layer apps
        privilege: [ authenticate ]
        resource: !webservice
    # =================================================
    # == Register the Seed Service
    # =================================================
    - !policy
      id: conjur/seed-generation
      body:
      # This webservice represents the Seed service API
      - !webservice
      # Hosts that generate seeds become members of the
      # `consumers` layer.
      - !layer consumers
      # Authorize `consumers` to request seeds
      - !permit
        role: !layer consumers
        privilege: [ "execute" ]
        resource: !webservice
    # =================================================
    # == Grant entitlements
    # =================================================
    # Give followers permission to consume seeds
    - !grant
      role: !layer conjur/seed-generation/consumers
      member: !host conjur/authn-k8s/<authenticator name>/apps/seed-fetcher-app

    Attribute                 Description
    authenticator name        The logical name of the authenticator. Example: staging
    dap follower namespace    The namespace where the Followers run. Example: dap

  2. Load the above policy into the root policy:

     
    $ conjur policy load root kubernetes-followers.yml
  3. Save the following manifest locally:

     
    # conjur-role.yml
    ---
    apiVersion: v1
    kind: Namespace
    metadata:
      name: <dap follower namespace>
      labels:
        name: <dap follower namespace>
    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: conjur-cluster
      namespace: <dap follower namespace>

    Attribute                 Description
    dap follower namespace    The namespace defined in the policy created above. Example: dap

  4. Using the manifest, create the new namespace and service account for Followers:

     
    $ kubectl apply -f conjur-role.yml
  5. The Master runs outside Kubernetes, so to authenticate Follower pods it needs a service account token and the Kubernetes API CA certificate; both are stored in the token Secret that Kubernetes creates for the service account from the previous step. The Master also needs the URL of the Kubernetes API.

    1. Retrieve the name of the Secret that stores the service account token:

       
      $ TOKEN_SECRET_NAME="$(kubectl get secrets -n <dap follower namespace> \
          | grep 'conjur.*service-account-token' \
          | head -n1 \
          | awk '{print $1}')"

      Check that TOKEN_SECRET_NAME is not empty before continuing. Clusters that do not auto-create token Secrets for service accounts (the default from Kubernetes 1.24 on) return nothing here; in that case create a Secret of type kubernetes.io/service-account-token annotated with the conjur-cluster service account name, then re-run the command.
    2. Using the retrieved name, store the CA certificate in DAP:

       
      $ conjur variable values add \
          conjur/authn-k8s/<authenticator name>/kubernetes/ca-cert \
          "$(kubectl get secret -n <dap follower namespace> $TOKEN_SECRET_NAME -o json \
            | jq -r '.data["ca.crt"]' \
            | base64 --decode)"
    3. Using the retrieved name, store the service account token in DAP:

       
      $ conjur variable values add \
          conjur/authn-k8s/<authenticator name>/kubernetes/service-account-token \
          "$(kubectl get secret -n <dap follower namespace> $TOKEN_SECRET_NAME -o json \
            | jq -r .data.token \
            | base64 --decode)"
    4. Finally, retrieve and store the URL of the Kubernetes API:

       
      $ conjur variable values add \
          conjur/authn-k8s/<authenticator name>/kubernetes/api-url \
          "$(kubectl config view --minify -o json \
            | jq -r '.clusters[0].cluster.server')"
  6. On the host running the Master container:

    1. Initialize the Conjur CA for the Kubernetes Authenticator:

       
      $ docker exec <dap master container name> \
          chpst -u conjur conjur-plugin-service possum \
            rake authn_k8s:ca_init["conjur/authn-k8s/<authenticator name>"]
    2. Add the Kubernetes Authenticator to the DAP authenticators and restart the Conjur service so the setting takes effect:

       
      $ docker exec <dap master container name> bash -c \
          'echo CONJUR_AUTHENTICATORS=\"authn,authn-k8s/<authenticator name>\" >> \
            /opt/conjur/etc/conjur.conf && \
              sv restart conjur'

      If conjur.conf already contains a CONJUR_AUTHENTICATORS line (for example, because another authenticator was enabled earlier), edit that line to include authn-k8s/<authenticator name> instead of appending a second one; the list must name every authenticator that should stay enabled.
  7. Continue with the next section: Deploy Followers to Kubernetes.
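The three values stored in step 5 are easy to get subtly wrong (a token for the wrong service account, a CA certificate left base64-encoded, an API URL with a trailing slash), and a bad value only shows up later as a failed Follower enrollment. The following pre-flight checks are an added example, not part of the CyberArk documentation or the kubernetes-conjur-deploy scripts. It assumes only POSIX sh, awk, sed, grep and base64 --decode; the sample token it builds is constructed for offline use and its signature segment is a placeholder.

```shell
#!/bin/sh
# Added example: pre-flight checks on the authn-k8s values from step 5.
# Not part of the CyberArk scripts. Assumes POSIX sh, awk, sed, grep, base64.

# Decode a base64url string (JWT segments are unpadded base64url).
b64url_decode() {
  s=$(printf '%s' "$1" | sed 'y/-_/+\//')
  case $(( ${#s} % 4 )) in
    2) s="$s==" ;;
    3) s="$s=" ;;
  esac
  printf '%s' "$s" | base64 --decode
}

# Encode stdin as unpadded base64url (used only to build the sample token).
b64url_encode() {
  base64 | tr -d '\n=' | sed 'y/+\//-_/'
}

# A service-account token is a JWT whose payload names its subject as
# system:serviceaccount:<namespace>:<service account>. Return 0 when the
# token has three segments and the subject is the expected identity, i.e.
# the token really belongs to conjur-cluster in the Follower namespace.
check_sa_token() {
  tok=$1; ns=$2; sa=$3
  [ "$(printf '%s' "$tok" | awk -F. '{print NF}')" = 3 ] || return 1
  payload=$(b64url_decode "$(printf '%s' "$tok" | cut -d. -f2)") || return 1
  printf '%s' "$payload" | grep -qF "\"sub\":\"system:serviceaccount:$ns:$sa\""
}

# The ca-cert variable must hold PEM text, not the base64 form that
# `kubectl get secret -o json` returns: a forgotten `base64 --decode`
# leaves the authenticator unable to verify the API server's certificate.
check_ca_cert() {
  [ "$(printf '%s\n' "$1" | head -n1)" = "-----BEGIN CERTIFICATE-----" ] || return 1
  printf '%s\n' "$1" | grep -q '^-----END CERTIFICATE-----$'
}

# api-url must be https (the authenticator verifies it against ca-cert)
# and carry no trailing slash, since API paths are appended to it.
check_api_url() {
  case $1 in
    https://*/) return 1 ;;
    https://?*) return 0 ;;
    *)          return 1 ;;
  esac
}

# Constructed sample token (NOT a real credential). The signature segment is
# a placeholder; verifying signatures is the API server's job, not ours.
make_sample_token() {
  hdr=$(printf '{"alg":"RS256","kid":"sample"}' | b64url_encode)
  pay=$(printf '{"iss":"kubernetes/serviceaccount","sub":"system:serviceaccount:%s:%s"}' \
        "$1" "$2" | b64url_encode)
  printf '%s.%s.%s' "$hdr" "$pay" "bm90LWEtcmVhbC1zaWduYXR1cmU"
}

# Against a live cluster, feed the same values step 5 stores in DAP, e.g.:
#   tok=$(kubectl get secret -n "$NS" "$TOKEN_SECRET_NAME" -o json \
#         | jq -r .data.token | base64 --decode)
#   check_sa_token "$tok" "$NS" conjur-cluster || echo "wrong service account" >&2
```

Run the checks on the decoded values before the conjur variable values add commands; each function returns non-zero on the first inconsistency it finds, so they fit directly in a `|| exit 1` guard.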

Deploy Followers to Kubernetes

When you deploy a Follower, it uses the configuration above to connect to the Master.

To deploy a Follower to Kubernetes:

  1. Clone the cyberark/kubernetes-conjur-deploy repository from git:

     
    $ git clone https://github.com/cyberark/kubernetes-conjur-deploy.git
  2. Set the environment variables as described in https://github.com/cyberark/kubernetes-conjur-deploy/blob/master/bootstrap.env.

    For example:

     
    export CONJUR_VERSION=5
    export CONJUR_APPLIANCE_IMAGE=cyberark/conjur-appliance:10.9
    export CONJUR_APPLIANCE_URL=https://conjur.myorg.com
    export CONJUR_ACCOUNT=myorg
    
    export FOLLOWER_SEED="$CONJUR_APPLIANCE_URL/configuration/$CONJUR_ACCOUNT/seed/follower"
    
    export CONJUR_NAMESPACE_NAME=dap-follower
    export AUTHENTICATOR_ID=staging
    export CONJUR_FOLLOWER_COUNT=2
    
    export CONJUR_AUTHN_LOGIN=host/conjur/authn-k8s/$AUTHENTICATOR_ID/apps/seed-fetcher-app
    
    export PLATFORM=openshift
    export OSHIFT_CLUSTER_ADMIN_USERNAME=cluster-admin
    export OSHIFT_CONJUR_ADMIN_USERNAME=cluster-admin
    export DOCKER_REGISTRY_PATH=openshift.myorg.com
     

    Also add the line export STOP_RUNNING_ENV="false"; it is required and is not shown in the example above.

  3. From the repository root, run the start script:

     
    $ cd kubernetes-conjur-deploy; ./start

    The script:

    • Creates the required namespace
    • Ensures that a proper DAP image is available
    • Deploys and configures the Follower in the target cluster
    • Deploys a readiness probe to monitor Follower health
 

For more information, see the Kubernetes-Conjur Deployment Readme.
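The environment variables above must agree with each other and with the policy loaded in the previous section: FOLLOWER_SEED is derived from CONJUR_APPLIANCE_URL and CONJUR_ACCOUNT, and CONJUR_AUTHN_LOGIN must name the seed-fetcher host exactly as the policy defines it under conjur/authn-k8s/<authenticator name>/apps. The following check is an added example, not part of kubernetes-conjur-deploy; it assumes the variable names from bootstrap.env as shown above and the host id seed-fetcher-app from the policy, and needs only POSIX sh.

```shell
#!/bin/sh
# Added example (not part of kubernetes-conjur-deploy): verify that the
# exported bootstrap variables are set and consistent before running ./start.

# Return 0 when every required variable is set and consistent; print each
# problem found to stderr and return 1 otherwise.
check_follower_env() {
  rc=0
  for v in CONJUR_APPLIANCE_IMAGE CONJUR_APPLIANCE_URL CONJUR_ACCOUNT \
           FOLLOWER_SEED CONJUR_NAMESPACE_NAME AUTHENTICATOR_ID \
           CONJUR_FOLLOWER_COUNT CONJUR_AUTHN_LOGIN STOP_RUNNING_ENV; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then echo "$v is not set" >&2; rc=1; fi
  done
  [ "$rc" -eq 0 ] || return 1

  # The seed URL must be the Master's Follower seed endpoint for this account.
  want_seed="$CONJUR_APPLIANCE_URL/configuration/$CONJUR_ACCOUNT/seed/follower"
  if [ "$FOLLOWER_SEED" != "$want_seed" ]; then
    echo "FOLLOWER_SEED is $FOLLOWER_SEED, expected $want_seed" >&2; rc=1
  fi

  # The login must match the host declared in the policy; any other
  # AUTHENTICATOR_ID or host id is not a member of the apps layer and is
  # therefore denied 'authenticate' on the authn-k8s webservice.
  want_login="host/conjur/authn-k8s/$AUTHENTICATOR_ID/apps/seed-fetcher-app"
  if [ "$CONJUR_AUTHN_LOGIN" != "$want_login" ]; then
    echo "CONJUR_AUTHN_LOGIN is $CONJUR_AUTHN_LOGIN, expected $want_login" >&2; rc=1
  fi

  # Follower count must be a positive integer.
  case $CONJUR_FOLLOWER_COUNT in
    *[!0-9]*|0) echo "CONJUR_FOLLOWER_COUNT must be a positive integer" >&2; rc=1 ;;
  esac

  # The scripts require STOP_RUNNING_ENV to be the literal string "false".
  if [ "$STOP_RUNNING_ENV" != "false" ]; then
    echo "STOP_RUNNING_ENV must be \"false\"" >&2; rc=1
  fi

  return "$rc"
}
```

Source bootstrap.env, then run check_follower_env before ./start; a non-zero exit lists every mismatch at once rather than stopping at the first.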

Conjur cluster role

You need to add the role bindings to the ClusterRole for granting permissions to the Follower. For details, see Create a role binding for the ClusterRole.

 

For more information about the required Follower permissions, see Kubernetes RBAC Permissions.

Follower health check

The deployment scripts implement a readiness probe to monitor Follower health as follows:

 
readinessProbe:
  httpGet:
    path: /health
    port: 443
    scheme: HTTPS
  initialDelaySeconds: 15
  timeoutSeconds: 1

This probe runs automatically. While it fails, the kubelet marks the pod not Ready and removes it from the Service endpoints, so no traffic is routed to an unhealthy Follower; a readiness probe does not restart the container, and a pod that never passes it simply never receives traffic.