Not able to load policy in my conjur server

Hello,

I am trying to set up Conjur with the Kubernetes authenticator. I have my Conjur cluster running on conjur-demo.myorg.com, which is accessible externally and which I set up using the following command:

helm install conjur-cluster cyberark/conjur-oss \
    --set ssl.hostname=conjur-demo.myorg.com \
    --set dataKey="$(docker run --rm cyberark/conjur data-key generate)" \
    --set authenticators="authn\,authn-k8s/dev" \
    --set account.create=true \
    --set service.external.enabled=true \
    --namespace conjur

I have created a default account and an admin user and I am able to log in to my cluster using the Conjur CLI. As a next step I want to load the policies into the cluster. The policies are taken from the tutorial here: Secure Kubernetes Secrets | Conjur
When I try to upload the policies I am getting an error:

conjur policy load root policy_for_human_users.yml
error: No such file or directory @ rb_sysopen - policy_for_human_users.yml

Even when given the absolute file path I am getting the same error.
File permissions on the yaml file are:

ls -l | grep human
-rw-r--r--  1 agawali  staff    631 Mar 31 14:41 policy_for_human_users.yml

How can I load policies in the server?
After I set up the Kubernetes authenticator, how can I create a secret and access it in the application pod without using Secretless?

Hi @agawali,

Thanks (again) for trying out Conjur OSS! Let’s see if we can get your policy loaded into Conjur.

From your description, it sounds like you’re following along with the Secretless Broker on Kubernetes quick-start guide?

If so, then I think what you might want to try is to add a /root/ file path prefix in front of your YAML policy file:

conjur policy load root /root/policy_for_human_users.yml

(That uses the absolute path for where your YAML file should appear inside the Conjur CLI container.)

Some background: In Step 8, where you defined a conjur alias:

alias conjur='docker run --rm -it --add-host conjur.demo.com:$SERVICE_IP -v $(pwd):/root cyberark/conjur-cli:5 '

That alias uses a volume mount (-v) to mount your current directory to /root. So whatever you have in your current directory on your local host (including the YAML policy file) should show up in the /root directory. I’m not sure off the top of my head which directory is the working directory for that container, so using an absolute path might do the trick.

Regarding using the Kubernetes authenticator without using secretless, you’ll have to set up an application Pod that uses a Conjur authenticator client sidecar or init container (along with your application container) inside the application Pod. The clients that you can use include:

There are some examples here: GitHub - conjurdemos/kubernetes-conjur-demo: Demo application for Conjur Kubernetes integration

However, I think the quickest way to set something up locally with “a push of a button” would be to run the Conjur OSS application demo script that uses a local Kubernetes-in-Docker (KinD) cluster: conjur-oss-helm-chart/examples/kubernetes-in-docker at master · cyberark/conjur-oss-helm-chart · GitHub

There’s a walk-through tutorial in this blog: Securing Secrets in Kubernetes | Conjur

This would require you to install KinD, kubectl, and Helm, but that’s pretty simple. After that, it would be:

git clone https://github.com/cyberark/conjur-oss-helm-chart
cd conjur-oss-helm-chart/examples/kubernetes-in-docker
./start

That should set up a bunch of instances of applications with different authenticator clients.

Please let me know how this works out for you.

Cheers,
-Dane
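
The path problem in this thread comes from the CLI running inside a container: the Ruby CLI opens whatever path it is given relative to the container's own filesystem, so a host absolute path (or a relative path resolved against the container's working directory) fails with "No such file or directory @ rb_sysopen" even though the file is visible on the host. The shell functions below are an added example, not code from this thread or from the Conjur project: `container_path` rewrites a host path to the path the container sees given the alias's bind mount of `$(pwd)` at `/root`, refusing files that do not exist on the host or that sit outside the mounted directory, and `conjur_policy_load` wraps the same `docker run` line as the alias but adds Docker's `-w /root` working-directory flag so relative paths also resolve against the mount. `SERVICE_IP`, the `conjur.demo.com` host alias and the `cyberark/conjur-cli:5` image are taken from the alias quoted above; the `CONJUR_DOCKER` variable and the function names are assumptions introduced here.

```shell
#!/bin/sh
# Added example (not from the thread or from CyberArk): map a policy file on
# the host to the path the containerised `conjur` CLI will actually open.
#
# The alias in the thread mounts the host's current directory at /root inside
# the cyberark/conjur-cli:5 container. Only files under that directory are
# visible to the CLI, and only under the /root prefix.

# container_path HOST_PATH MOUNT_SRC MOUNT_DST
#   Prints the in-container path for HOST_PATH given a bind mount of
#   MOUNT_SRC (host directory) at MOUNT_DST (container directory).
#   Fails if the file does not exist on the host or lies outside MOUNT_SRC.
container_path() {
  host_path=$1
  mount_src=$2
  mount_dst=$3

  # Strip leading "./" segments so "./x.yml" and "x.yml" map the same way.
  while [ "${host_path#./}" != "$host_path" ]; do
    host_path=${host_path#./}
  done

  # Make the path absolute on the host (".." segments are left as-is).
  case $host_path in
    /*) abs=$host_path ;;
    *)  abs=$(pwd)/$host_path ;;
  esac

  if [ ! -f "$abs" ]; then
    printf 'error: %s does not exist on the host\n' "$abs" >&2
    return 1
  fi

  # Only paths under the mount source are visible inside the container.
  case $abs in
    "$mount_src"/*)
      printf '%s/%s\n' "$mount_dst" "${abs#"$mount_src"/}"
      ;;
    *)
      printf 'error: %s is outside %s, so the CLI container cannot see it\n' \
        "$abs" "$mount_src" >&2
      return 1
      ;;
  esac
}

# conjur_policy_load BRANCH HOST_FILE
#   Runs the CLI the way the thread's alias does, but (a) rewrites HOST_FILE to
#   the path the container sees and (b) passes -w /root so that a relative
#   path typed at the prompt resolves against the mounted directory as well.
#   Assumes SERVICE_IP is exported as in the quick-start. Set CONJUR_DOCKER=echo
#   (an assumption of this example) to print the command instead of running it.
conjur_policy_load() {
  branch=$1
  host_file=$2
  in_container=$(container_path "$host_file" "$(pwd)" /root) || return 1
  "${CONJUR_DOCKER:-docker}" run --rm -it \
    --add-host "conjur.demo.com:${SERVICE_IP:?SERVICE_IP is not set}" \
    -v "$(pwd):/root" -w /root \
    cyberark/conjur-cli:5 \
    policy load "$branch" "$in_container"
}
```

From the directory that holds the policy file, `conjur_policy_load root policy_for_human_users.yml` hands the CLI `/root/policy_for_human_users.yml`; a file kept elsewhere on the host is rejected with a message naming the mount instead of the CLI's generic rb_sysopen error, which is the quickest way to tell a real permission or typo problem from a container-visibility one.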
