Does the CyberArk offers a robust solution for applications in a Kubernetes environment that requires updating secrets in the Kubernetes secrets resource? With CyberArk Conjur, organizations can seamlessly manage secrets within their Kubernetes clusters, eliminating the need to retrieve secrets from the DAP token in the mount point (Kubernetes authenticator using sidecar).
have you tried this ?
Hi Piyush - Yes, I tried, but I noticed that after password rotation, it is not retrieving the latest secrets. It appears that the cyberark-secrets-provider-for-k8s is functioning as an init container and is not dynamically fetching the secrets.
In the Kubernetes authenticator client, the sidecar offers dynamic fetching of secrets; but, it operates based on token-based retrieval of secrets.
Yes you are right. Did you tried with a Cron Job to fetch secret periodically?
Job with name: secrets-provider
use service account
load the container image - …/secrets-provider-for-k8s…
mapping with config map
The only way to get the secrets updated through secrets-for-k8s is to schedule to fetch the secrets through a cron-job. Dont forget in case of batch retrievals, everytime all the secret values will be wiped and recreated in the namespace.
Hi @phanimngr -
Secrets Provider needs to run as a sidecar in order to continually monitor and update secrets. Rotating K8s secrets is fully supported as of v1.4.1. Check out this documentation in the Secrets Provider GitHub repo that details secret rotation. Important takeaways:
- Convert Secrets Provider from an
initContainerto a standard
conjur.org/container-modeannotation to value
- Enable secret rotation by setting
conjur.org/secrets-refresh-enabledannotation to value
By default, Secrets Provider will check for updated secret values every 5 minutes, but this can be customized with the
Here is an example of a K8s manifest that deploys Secrets Provider as a sidecar that can rotate secrets stored as K8s secrets.
hey there, we just added some features to the secrets provider, you can find it on:
The CyberArk one would fail, if a secret cannot be fetched, also our version supports a full sync and regex expression. We also built a docker image for an easy start.