
Securing Kubernetes Secrets With Conjur


Secrets management is one of the important aspects of securing your Kubernetes cluster. Out of the box, Kubernetes stores Secrets base64-encoded, which is encoding rather than encryption and is not enough on its own. You have to implement a number of security best practices on top to prevent possible security breaches; encrypting etcd at rest and restricting access with RBAC are two examples. Using a secrets management solution like CyberArk Conjur not only secures secrets for Kubernetes but also provides other benefits, as we will see in this post.

CyberArk Conjur is a secrets manager. It helps you manage secrets in Kubernetes as well as across applications, tools, and clouds. It offers Role-Based Access Control (RBAC) with an audit trail, so each stored secret can be tracked easily. It encrypts secrets at rest with AES-256-GCM and in transit using mTLS. Additionally, you can manage access to each secret and rotate secrets automatically.

In this post, we will see how to install Conjur OSS on Kubernetes. We will go through a basic set of Conjur policies and load them into Conjur. We will also see how to run an application in Kubernetes that consumes secrets from Conjur according to the defined policies.

You may already be familiar with the way Kubernetes spec files are written in YAML. To understand and define Conjur policies, however, you also need a few more YAML concepts, namely tags, anchors, and aliases. The Conjur website has a quick refresher on these; alternatively, you can go through the full YAML documentation.

The easiest way to install Conjur on a Kubernetes cluster is with the Helm chart. Let's first create a custom values file for the chart. The dataKey is used to encrypt the secrets in the database, and ssl.altNames will be used for the SSL configuration of the Conjur service that the Helm chart creates. Install Conjur OSS on the cluster with the following commands.
The VERSION declared above is the Conjur Helm chart release version. As of writing this post, the latest Conjur OSS Helm chart version is 2.0.3; refer to the Conjur Helm chart releases for the latest chart available.

Once the Helm chart is installed, it creates an admin user with an API key. You will need this key for the initial load of the Conjur policies, secrets, etc., and also in "break-glass" scenarios, so store it in a safe place. You can fetch it using the commands below. Then verify the installation.

Conjur policies define objects in its database in a tree structure. Examples of objects defined in policies are users, roles, secrets, and applications. Policies also define the rules for role-based access control. While the Conjur documentation describes policy best practices, we will use one of the Conjur demo repositories to define our policies.
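To show how the YAML tags, anchors, and aliases mentioned above appear in a real Conjur policy, here is a small policy added as an example for this post; it is not the demo repository's policy, and the ids (myapp-admins, myapp, frontend, db/username, db/password) are hypothetical.

```yaml
# Added example policy, not from the Conjur demo repository; all ids are hypothetical.
# YAML tags such as !group, !policy, !variable, !layer, !host, !grant and !permit
# name Conjur object types. The anchor &app-secrets marks a list of variables
# and the alias *app-secrets reuses that same list in the RBAC rule below.
- !group myapp-admins

- !policy
  id: myapp
  # The group owns the policy and can therefore manage everything in it.
  owner: !group myapp-admins
  body:
    # Secrets the application needs. Values are set separately after loading;
    # the policy only declares that these variables exist.
    - &app-secrets
      - !variable db/username
      - !variable db/password

    # A layer is a role that groups workload identities (hosts).
    # With no id, the layer takes the enclosing policy's id (myapp).
    - !layer

    # The identity the application workload authenticates as.
    - !host frontend

    # Make the host a member of the layer so it inherits the layer's privileges.
    - !grant
      role: !layer
      member: !host frontend

    # RBAC rule: layer members may read metadata of and fetch (execute) the secrets.
    - !permit
      role: !layer
      privileges: [ read, execute ]
      resources: *app-secrets
```

Granting privileges to the layer rather than to the host directly means additional workloads can be added with another !grant, without touching the !permit rule; every fetch of db/password by the host then appears in Conjur's audit trail.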
