App owner: Set up workloads in Kubernetes
This section describes how to set up your workloads in Kubernetes so that they can retrieve secrets from Conjur.
For a comparison of the available methods for authenticating Kubernetes workloads to Conjur, see Authentication methods: certificate-based vs JWT-based.
Secret retrieval methods for Kubernetes workloads
Kubernetes workloads can use the following methods to retrieve secrets:
| Secrets retrieved from | Method | Description |
|---|---|---|
| Kubernetes secrets or shared volume file | Secrets Provider for Kubernetes | The Secrets Provider for Kubernetes populates Kubernetes Secrets or a shared volume file with secrets stored and managed in Conjur. For more information, see CyberArk Secrets Provider for Kubernetes. |
| Environment variables | Kubernetes Authenticator Client | Using Conjur client libraries |
| | | Using the Conjur REST API. The workload can use the access token provided by the authenticator to retrieve secrets from the Conjur REST API. |
| | | Using Summon, a CyberArk Conjur Open Source tool used to retrieve secrets from Conjur and push values into environment variables or a volume mount. On application startup, Summon waits for the sidecar to provide an access token for authentication with Conjur. |
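
The REST API method in the table, sketched as an added example (not code from the CyberArk documentation). It assumes the authenticator writes the access token to `/run/conjur/access-token`; the appliance URL, account name, variable ID and CA file path are placeholders for your deployment.

```python
import base64
import json
import ssl
import urllib.parse
import urllib.request

# Assumed values for illustration; replace with your deployment's settings.
TOKEN_FILE = "/run/conjur/access-token"            # shared volume path (assumption)
APPLIANCE_URL = "https://conjur.example.internal"  # placeholder
ACCOUNT = "myaccount"                              # placeholder


def build_secret_request(token_json, appliance_url, account, variable_id):
    """Build the GET request that retrieves one variable with a raw access token."""
    # Fail early on an empty or partially written token file.
    json.loads(token_json)
    # Conjur expects the JSON token base64-encoded inside the Authorization header.
    encoded = base64.b64encode(token_json).decode("ascii")
    # Variable IDs usually contain slashes, which must be URL-encoded in the path.
    path = "/secrets/{}/variable/{}".format(
        urllib.parse.quote(account, safe=""),
        urllib.parse.quote(variable_id, safe=""),
    )
    req = urllib.request.Request(appliance_url.rstrip("/") + path, method="GET")
    req.add_header("Authorization", 'Token token="{}"'.format(encoded))
    return req


def fetch_secret(variable_id, ca_file):
    """Retrieve a secret value; ca_file is the Conjur CA certificate (placeholder path)."""
    # Re-read the token on every call: it is short-lived and the sidecar
    # rewrites the file, so a token cached in memory will go stale.
    with open(TOKEN_FILE, "rb") as fh:
        token = fh.read().strip()
    # Verify the Conjur server certificate against the expected CA only.
    ctx = ssl.create_default_context(cafile=ca_file)
    req = build_secret_request(token, APPLIANCE_URL, ACCOUNT, variable_id)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read()
```

Keep the returned value in memory only; writing it to logs or to disk removes the benefit of retrieving it at run time.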