Kubernetes Authenticator

The OpenShift and Kubernetes integration enables applications running in Kubernetes to authenticate with DAP using the Kubernetes authenticator.

For solution details, see OpenShift, Kubernetes, and GKE.

Authentication Flow

There are two parts to the OpenShift/Kubernetes integration.

  • authn-k8s, a DAP plugin, exposes additional endpoints in DAP that know how to authenticate OpenShift or Kubernetes resources.

  • The authenticator client, either the Kubernetes Authenticator Client or the CyberArk Secrets Provider for Kubernetes, runs in the application's pod and handles communication with the authn-k8s plugin.

  • The integration uses certificate-based mutual TLS to authenticate the application and provide a DAP access token to the application pod. This access token can then be used by the application to retrieve secrets from DAP.

Configuration

Access to the OpenShift/Kubernetes integration is controlled by a DAP policy, which must define:

  • Variables to store the DAP CA certificate and key

  • A webservice that represents the OpenShift/Kubernetes integration

  • Host identities that the application will use to authenticate

  • Permit statements that allowlist the host identities to the webservice
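The policy below is an added example, not taken from the page or from CyberArk's own documentation; it shows how the four required elements fit together in DAP policy YAML. The service id `my-cluster`, namespace `my-app-ns`, service account `my-app-sa`, host `my-app` and group `apps` are assumed names.

```yaml
# Added example: DAP policy for one Kubernetes authenticator instance.
# All ids, namespaces and service-account names below are assumptions.
- !policy
  id: conjur/authn-k8s/my-cluster
  body:
    # 1. The webservice that represents the OpenShift/Kubernetes integration
    - !webservice

    # 2. Variables holding the DAP CA certificate and key; authn-k8s uses
    #    them to issue the client certificate for the mutual-TLS handshake
    - !policy
      id: ca
      body:
        - !variable cert
        - !variable key

    # 3. Host identity the application pod authenticates as. The
    #    annotations bind the identity to a namespace and service account,
    #    so a pod outside that scope cannot use this host.
    - !host
      id: my-app
      annotations:
        authn-k8s/namespace: my-app-ns
        authn-k8s/service-account: my-app-sa
        authn-k8s/authentication-container-name: authenticator

    # Collect application identities in a group so permits stay small
    - !group apps
    - !grant
      role: !group apps
      member: !host my-app

    # 4. Permit statement allowlisting the group on the webservice;
    #    without "authenticate" the pod's request is rejected
    - !permit
      resource: !webservice
      privilege: [ read, authenticate ]
      role: !group apps
```

After loading the policy, the `ca/cert` and `ca/key` variables still need values set before any pod can authenticate.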