App owner: Set up workloads in Kubernetes

This section describes how to set up your workloads in Kubernetes so that they can retrieve secrets from Conjur.

For a comparison of the available methods for authenticating Kubernetes workloads to Conjur, see Authentication methods: certificate-based vs JWT-based

Secret retrieval methods for Kubernetes workloads

Kubernetes workloads can use the following methods to retrieve secrets:

Secrets retrieved from



Kubernetes secrets or share volume file

Secrets Provider for Kubernetes

The Secrets Provider for Kubernetes populates Kubernetes Secrets or a shared volume file with secrets stored and managed in Conjur. For more information, see CyberArk Secrets Provider for Kubernetes.

Environment variables

Kubernetes Authenticator Client

Using Conjur client libraries

Using the Conjur REST API

The workload can use the access token provided by the authenticator to retrieve secrets from the Conjur REST API. For more information, see Authenticate using REST APIs.

Using Summon, CyberArk Conjur Open Source tool used to retrieve secrets from Conjur and push values into environment variables or a volume mount. On application startup, Summon waits for the sidecar to provide an access token for authentication with Conjur.