Managing Secrets in OpenShift Containers with CyberArk Conjur and the CyberArk Vault

Introduction

The integration between OpenShift and CyberArk Conjur Enterprise simplifies secrets management, strengthens container security and gives organizations the flexibility to more securely deploy enterprise applications at scale. Now organizations using OpenShift can leverage Conjur Enterprise to secure, manage and rotate secrets and other credentials, by securely passing secrets stored in Conjur to applications running in OpenShift. CyberArk Conjur ensures secrets are never exposed to third parties. The Conjur integration enhances security for OpenShift environments by providing:

  • End-to-end encryption of secrets through mutual TLS (Transport Layer Security).
  • Robust authentication and authorization incorporating Conjur policy, signed certificates, and an internal Kubernetes authenticator.
  • Separation of duties and other policies by letting OpenShift security teams control container access while development teams define application requirements.
  • Easy deployment of applications across environments and pods.
  • Scalability and performance advantages of the Conjur master-follower architecture. As Followers provide read-only activity for client containers and applications, scale-out is easy by simply adding more followers.
  • Secret rotation, centralized auditing, and all other advantages of Enterprise Conjur.
    Most importantly, developers are able to easily meet security requirements by using APIs and code to secure secrets and access credentials without impacting velocity. Conjur was designed specifically for developers with the goal of letting developers focus on development without them needing to worry about security. For examples, security policies can be written and managed as-code, enabling security policies to be more easily established and managed.

CyberArk Conjur

CyberArk Conjur Enterprise is an enterprise-class secrets management solution designed to meet the needs of high velocity, dynamic DevOps environments, and CI/CD pipelines. Like other CyberArk solutions, Conjur Enterprise is security focused and incorporates robust security principals including machine identity, least privilege, role-based access control, policy as code, as well as segregation of duties for both human and non-human users (e.g., containers, micro-services, scripts, and machines).

True End to End Credential Management Across The Enterprise

An additional advantage of using CyberArk solutions is that enterprises have the ability for true end-to-end, policy-based secrets and credential management across their entire enterprise. CyberArk is widely deployed by enterprises across the globe, including over half of the Fortune 100, and is recognized as the #1 provider in privileged access security. So, importantly, with the integration between CyberArk Conjur Enterprise and Red Hat OpenShift, the CyberArk Enterprise Password Vault enables secrets and credential managed by the CyberArk Vault to be automatically replicated into OpenShift. Organizations can now consistently manage access credentials and secrets across on-premises, hybrid and native cloud environments, as well as for OpenShift and other DevOps tools. Of course, Conjur can also be used as a standalone solution that can be integrated if and when the enterprise is ready.

How It Works – OpenShift and Conjur

The deployment scripts deploy a Conjur cluster in an OpenShift project (OpenShift 3.3 or later). User applications are then deployed in different projects, which get access to Conjur through authenticated login orchestrated by an authentication sidecar. For additional details refer to the integration reference materials.

Getting Started with Conjur Enterprise and OpenShift

The CyberArk Conjur OpenShift Integration is available now. To learn more view the OpenShift Commons Briefing: CyberArk Conjur Secrets Management demo and webinar, contact sales, or visit CyberArk.com/Conjur. You can also have a demo at Red Hat Summit – booth#932.

Conjur Open Source Also Available

CyberArk Conjur Open Source is freely available and available for trial or download on GitHub or Conjur.org and with Conjur Open Source, you can also join the Conjur Slack to communicate directly with our engineers to ask questions and provide product feedback.

Categories
OpenShift Ecosystem
Tags