OpenShift/Kubernetes

Integrating Conjur with a supported Kubernetes-based platform, such as Red Hat OpenShift, GKE, or EKS, lets applications running on that platform retrieve secrets stored in Conjur securely, without the secrets ever being exposed to third parties.


Supported Kubernetes-based environments

| Vendor                                    | Cert-based                 | JWT-based     |
|-------------------------------------------|----------------------------|---------------|
| OpenShift                                 | v4.11-4.13                 | v4.11-4.13    |
| Google Kubernetes Engine (GKE)            | All GKE supported versions | 1.26, 1.27    |
| Other Kubernetes environments (EKS, AKS)  | 1.26, 1.27                 | 1.26, 1.27    |
| Rancher                                   | 2.x                        | Not supported |

The Rancher row in the preceding table refers to the ability of a Kubernetes Authenticator to scope host access to a Rancher project, which is a group of namespaces. Both cert-based and JWT-based Kubernetes Authenticators can scope host access to a single namespace in a Rancher-managed cluster, but only cert-based Kubernetes Authenticators can scope host access to a whole project (a group of namespaces).

What does the integration provide?

The Conjur - Kubernetes integration provides the following:

  • End-to-end encryption of secrets through mutual TLS (certificate-based authentication only)

  • Robust authentication and authorization incorporating security policy, signed certificates (certificate-based authentication only), and native Conjur authenticators:

    • Kubernetes Authenticator for certificate-based authentication

    • JWT Authenticator for JWT-based authentication

  • Security policy provides separation of duties, letting your security teams control container access while development teams define application requirements

  • Deployment of applications across environments and Pods

  • Secret rotation and centralized auditing

  • Scalability and performance advantages of the Conjur Leader-Follower architecture: Followers serve read-only requests from clients, and capacity scales up automatically through auto-enrollment of additional Followers as needed
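The following Conjur policy ties the authenticator and separation-of-duties bullets above to the namespace-scoping note under the support table: a security team loads the authenticator webservice, an application team declares its workload identity, and the host is scoped to one namespace through claim-matching annotations. This is an added example, not policy from this page or from CyberArk; the service ID `dev-cluster`, namespace `app-namespace`, service account `app-sa`, policy branches `jwt-apps`, `k8s-apps` and `app-secrets`, and the secret `db-password` are assumed names, and the cert-based webservice policy `conjur/authn-k8s/dev-cluster` with its `apps` group is assumed to be loaded already.

```yaml
# Added example: assumed names throughout (dev-cluster, app-namespace, app-sa,
# jwt-apps, k8s-apps, app-secrets, db-password). Not CyberArk's own policy.

# 1. JWT Authenticator webservice (owned by the security team). Variable
#    values such as the issuer JWKS are loaded later via CLI/API, never here.
- !policy
  id: conjur/authn-jwt/dev-cluster
  body:
    - !webservice
    - !variable public-keys          # JWKS of the cluster's SA token issuer
    - !variable issuer               # e.g. the cluster's OIDC issuer URL
    - !variable audience
    - !variable token-app-property   # claim used as the host ID, here "sub"
    - !variable identity-path        # policy prefix for those host IDs, "jwt-apps"

    - !group consumers               # hosts allowed to authenticate
    - !permit
      role: !group consumers
      privilege: [ read, authenticate ]
      resource: !webservice

# 2. Application identity (owned by the application team). The host ID must
#    equal the token's "sub" claim, system:serviceaccount:<namespace>:<sa>, and
#    every authn-jwt/<service-id>/<claim> annotation must match the presented
#    token. The namespace annotation is what scopes this host to one namespace.
- !policy
  id: jwt-apps
  body:
    - !host
      id: system:serviceaccount:app-namespace:app-sa
      annotations:
        authn-jwt/dev-cluster/kubernetes.io/namespace: app-namespace
        authn-jwt/dev-cluster/kubernetes.io/serviceaccount/name: app-sa

    - !grant
      role: !group conjur/authn-jwt/dev-cluster/consumers
      member: !host system:serviceaccount:app-namespace:app-sa

# 3. Cert-based (authn-k8s) counterpart: the same namespace + service account
#    scope, expressed as authn-k8s annotations. Assumes the webservice policy
#    conjur/authn-k8s/dev-cluster and its "apps" group already exist.
- !policy
  id: k8s-apps
  body:
    - !host
      id: app-sa
      annotations:
        authn-k8s/namespace: app-namespace
        authn-k8s/service-account: app-sa
        authn-k8s/authentication-container-name: authenticator

    - !grant
      role: !group conjur/authn-k8s/dev-cluster/apps
      member: !host app-sa

# 4. Least privilege on the secret: only these two hosts may read it. A host
#    that authenticates from any other namespace never reaches this permit.
- !policy
  id: app-secrets
  body:
    - !variable db-password
    - !permit
      role: !host /jwt-apps/system:serviceaccount:app-namespace:app-sa
      privilege: [ read, execute ]
      resource: !variable db-password
    - !permit
      role: !host /k8s-apps/app-sa
      privilege: [ read, execute ]
      resource: !variable db-password
```

Loading the four policies under separate branches is the separation of duties the page describes: the authenticator branch is owned by security, the `jwt-apps` and `k8s-apps` branches by the application teams. Removing the `kubernetes.io/namespace` annotation would let a token from any namespace whose `sub` claim happens to match authenticate, so keep it on every JWT host; the cert-based authenticator instead validates the namespace during certificate issuance, which is why it can also scope to a Rancher project while the JWT authenticator cannot.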