Set up workloads (JWT-based authentication)
The following sections describe how to prepare the Kubernetes cluster with a Golden ConfigMap which contains Conjur connection credentials.
You then prepare the application namespace for application deployment.
Both of these tasks are achieved using Helm charts.
To perform these tasks, you need Kubernetes cluster admin permissions.
Supported workload setup methods
The following methods are supported for connecting to targets such as databases or web services.
|
Method |
Description |
Benefit |
|---|---|---|
| Kubernetes Authenticator Client |
Use to authenticate the Pod to Conjur. Use the API |
Generic method to connect to targets. You can use this method for any target system. |
|
Use an init container/sidecar or an application container to dynamically populate Kubernetes Secrets with the secrets from Conjur that are required by the application Pod. |
Use secrets stored and managed in the CyberArk Vault using Conjur to consume them as Kubernetes Secrets leveraging PAM security while seamlessly deploying Kubernetes containers. |
Before you start
-
Make sure you have Kubernetes admin permissions on a Kubernetes cluster (version 1.21 or later)
-
Make sure you have access to the Kubernetes namespace for your workload, for example,
test-app-namespace -
Make sure that Helm is installed and that you have access to the Helm charts for preparing namespaces in Kubernetes:
Method
Location
Helm charts Add the Helm chart repo to all Helm charts.
$
helm repo add cyberark https://cyberark.github.io/helm-charts helm repo update -
Make sure you have the Conjur CLI
-
Make sure you have access to a running
-
Make sure that a JWT Authenticator has been configured and
The examples in the following sections follow on from the example JWT Authenticator configuration described in JWT-based Kubernetes authentication.
-
Collect the following information from the Conjur admin:
JWT Authenticator
The name of the configured and
Example:
authn-jwt/dev-clusterConjur account
The account name used when deploying Conjur
Example:
myorgConjur URL
-
If you deployed the Follower outside of Kubernetes, this is the Follower load balancer URL.
Example:
https://follower-lb.example.com -
If you are deploying the Follower inside Kubernetes, this is the intended Conjur service URL within the Kubernetes cluster, in the following format:
https://<follower-service-account>.<follower-namespace>.svc.cluster.localExample:
https://conjur-follower.cyberark-conjur.svc.cluster.local
Conjur certificate file
The full path to the Conjur certificate file
Example:
path/to/conjur.pem -
-
Make sure the Kubernetes cluster can connect to Conjur. This can be achieved by retrieving Conjur's endpoint CA. Retrieve the Conjur endpoint CA in PEM format and save it to a file.
If you do not have a file containing the Conjur certificate, you can retrieve the Conjur certificate and save it to a file, for example, conjur.pem, with the command:
openssl s_client -connect {{CONJUR_MASTER_HOSTNAME}}:443 \ -showcerts </dev/null 2> /dev/null | \ awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/ {print $0}' \ > "conjur.pem"
Prepare the Kubernetes cluster and Golden ConfigMap
In this section you install the cluster preparation Helm chart which creates a Golden ConfigMap, conjur-configmap, in the cyberark-conjur-jwt namespace in your cluster. The Golden ConfigMap contains Conjur connection details that can be used by all the supported workload setup methods.
Run the helm install command below, replacing:
-
Conjur connection details
-
JWT Authenticator endpoint name, for example
dev-cluster
helm install "cluster-prep" cyberark/conjur-config-cluster-prep -n "cyberark-conjur-jwt" \
--create-namespace \
--set conjur.account="<CONJUR_ACCOUNT>" \
--set conjur.applianceUrl="<CONJUR_URL>" \
--set conjur.certificateBase64=$(cat <CA_FILE_PATH> | base64) \
--set authnK8s.authenticatorID="<AUTHN_JWT_ENDPOINT>" \
--set authnK8s.clusterRole.create=false \
--set authnK8s.serviceAccount.create=falsePrepare the application namespace
In this section you prepare your application namespace and service account so that the workload can communicate with Conjur and retrieve secrets.
Once prepared, the application namespace contains the following resources:
|
Resource |
Description |
|---|---|
|
Conjur connection ConfigMap |
Contains references to Conjur credentials, taken from the Golden ConfigMap created in Prepare the Kubernetes cluster and Golden ConfigMap. |
|
Authenticator RoleBinding |
Grants permissions to the Conjur authenticator service account for the authenticator cluster role. This provides a list of Kubernetes API access permissions which are required to validate workload identities. |
You prepare the application namespace using the namespace preparation Helm chart.
For clarity and consistency, in this task we prepare the test-app-namespace and create the test-app-sa service account, and we use these throughout the examples in the workload setup sections that follow.
-
Run
helm installcommand, replacing the parameters where relevant. The following command prepares thetest-app-namespacenamespace:helm install namespace-prep cyberark/conjur-config-namespace-prep \ --create-namespace \ --namespace test-app-namespace \ --set conjurConfigMap.authnMethod="authn-jwt" \ --set authnK8s.goldenConfigMap="conjur-configmap" \ --set authnK8s.namespace="cyberark-conjur-jwt" \ --set authnRoleBinding.create="false" -
Create a Kubernetes service account for the workload. The following command creates the
test-app-saservice account intest-app-namespace:kubectl create serviceaccount test-app-sa -n test-app-namespaceWhen multiple workloads are running in the same namespace and each workload needs access to different secrets, a dedicated service account should be created for each workload and its workload identity in Conjur.
Each service account should be mapped into its relevant application Pod, and should be projected to the relevant application container.
Set up your workloads using one of the methods described in Supported workload setup methods.
