OpenShift, Kubernetes, and GKE

Overview

Integration with Kubernetes or OpenShift lets you securely pass secrets stored in DAP to applications running in Red Hat OpenShift, Google Kubernetes Engine (GKE), or other Kubernetes implementations. When your environment is configured to integrate with DAP, secrets are delivered directly from DAP to the application and are never exposed to third parties along the way.

The DAP integration provides the following features for your Kubernetes or OpenShift environment:

  • End-to-end encryption of secrets through mutual TLS.

  • Robust authentication and authorization incorporating DAP policy, signed certificates, and an internal Kubernetes authenticator.

  • Separation of duties through DAP policy: security teams control which containers may access which secrets, while development teams define what their applications require.

  • Easy deployment of applications across environments and pods.

  • Secret rotation and centralized auditing.

  • Scalability and performance advantages of the DAP Master-Follower architecture. Followers serve read-only requests (such as secret retrieval and authentication) from clients; scale out by adding more Followers.

 
  • Unless otherwise noted, all references to Kubernetes apply to native Kubernetes as well as the OpenShift and GKE implementations of Kubernetes.
  • All references to Kubernetes namespaces intentionally include the OpenShift concept of a Project.
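The separation of duties listed above is expressed in DAP policy. The following is an added illustration, not policy from this page or from the product documentation: the security team owns the authenticator layer and the workload identity, and the development team owns the layer that declares the application's secrets. All ids (dev-cluster, myapp, frontend, myapp-prod, frontend-sa, db/password, developers) are hypothetical, and the authn-k8s/* host annotations are the assumed convention for binding a host to a namespace and service account.

```yaml
# Added example: layered DAP policy for the Kubernetes authenticator.
# All ids are hypothetical; annotation keys are assumed conventions.

# --- Owned by the security team: the Kubernetes authenticator endpoint,
#     the CA material it uses for mutual TLS, and the layer of workloads
#     permitted to authenticate through it.
- !policy
  id: conjur/authn-k8s/dev-cluster      # hypothetical authenticator service id
  body:
    - !webservice

    - !policy
      id: ca
      body:
        - !variable cert                # CA certificate for client certs (mTLS)
        - !variable key                 # CA private key

    - !layer apps                       # workloads allowed to use this authenticator

    - !permit
      role: !layer apps
      privileges: [ read, authenticate ]
      resource: !webservice

# --- Owned by the security team: the workload identity. The host is bound to
#     a specific namespace and service account (assumed annotation convention),
#     so only pods running as that identity can authenticate as it.
- !policy
  id: myapp
  body:
    - !group developers                 # development team, owns the secrets layer below

    - !host
      id: frontend
      annotations:
        authn-k8s/namespace: myapp-prod
        authn-k8s/service-account: frontend-sa
        authn-k8s/authentication-container-name: authenticator

# Enrol the workload identity in the authenticator's permitted layer.
- !grant
  role: !layer conjur/authn-k8s/dev-cluster/apps
  member: !host myapp/frontend

# --- Owned by the development team: the secrets the application needs
#     and the read permission for its own identity. The team can change
#     this layer without being able to touch the authenticator policy.
- !policy
  id: myapp/secrets
  owner: !group myapp/developers
  body:
    - !variable db/password

    - !permit
      role: !host /myapp/frontend
      privileges: [ read, execute ]
      resource: !variable db/password
```

The point to check when reviewing such policy is the scope of each permit: the workload host should be granted `read` and `execute` only on the variables it needs, and the `authenticate` privilege on the webservice should be reached only through layer membership that the security team controls.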

Requirements

Access to one of the following:

  • OpenShift environment (3.9 - 3.11; 4.x - 4.3.3) with an internal Docker registry

  • GKE cluster:

    • Version 1.9 or later is required for easy installation with Google Cloud Marketplace; version 1.10 is recommended
    • Version 1.5 or later is supported with Helm installation

  • Other Kubernetes environment (version 1.5 or later)

The following prerequisites are also necessary:

  • A license for a DAP HA cluster with a Master and at least two Standbys

  • An environment outside of Kubernetes for hosting the DAP HA cluster (the Master and Standbys do not run inside the Kubernetes cluster)

  • DAP licensing for at least two Followers

  • The latest conjur-appliance Docker image, obtained from your DAP support representative

In this section: