Red Hat OpenShift is one of the most popular and powerful enterprise container orchestration platforms. All container orchestration solutions let you manage secrets in some way. While Red Hat OpenShift comes more security-minded default settings than other platforms like Kubernetes—on which OpenShift is built, the OpenShift integration with CyberArk Conjur provides a robust enterprise level centralized secrets management solution.
Conjur Secrets Manager Enterprise provides robust secrets management capabilities such as rotation, RBAC, auditing, centralized management, and machine identity. This is essential to securing your applications and containerized workloads. This solution provides security for your most critical assets and company data by controlling access to secrets like passwords, SSH Keys, Certificates, API Keys, credentials, and other secrets.
The good news is that it just got even easier to deploy Conjur followers on OpenShift with our new officially certified Red Hat OpenShift Operator. Wondering what an operator is? An Operator is an easier way to pack, deploy and manage Kubernetes-native applications.
The OpenShift Conjur Enterprise Operator deploys a Conjur Follower, which is a replica of the Conjur Master. The Follower is used to scale out Conjur services within an OpenShift cluster.
The Conjur Follower for OpenShift is deployed using the Conjur Operator for OpenShift, which relies on the Red Hat OLM.
To deploy the operator, visit the secrets management OpenShift Operator page in the Red Hat catalog.
Best Practices for Secret Management
While the default secrets management options for OpenShift are a great start, keep in mind the following best practices while dealing with secrets:
- Use the least-privilege principle: hand out only the exact permissions required. Share secrets only with containers that need them.
- Don’t commit your plaintext secrets to source code.
- Don’t store your secrets in the clear.
- Never transmit a secret on an insecure connection. Use TLS.
- Regularly rotate your secrets. Even if the risk of leaking a secret is minimized, automatic rotation of a secret ensures it will only be usable for a short time.
Conjur secures secrets for applications to use, but with the Secretless Broker feature, Conjur can also completely abstract secrets from the application development process, improving app development speed and security.
When your application wants to reach a password-protected database, it proxies through the sidecar container, which is available on the pod’s local network. The secret is thus known only to the Secretless Broker, removing any risk from leaking the secret through the application. The sidecar container securely communicates with CyberArk Conjur using strong encryption and multi-factor authentication.
All of this eliminates the Secret Zero problem, and makes it much easier to get your applications to interact with your secrets management solution.
To learn more check out our new OpenShift operator page.
John Walsh has served the realm as a lord security developer, product manager and open source community manager for more than 15 years, working on cybersecurity products such as Conjur, LDAP, Firewall, JAVA Cyptography, SSH, and PrivX. He has a wife, two kids, and a small patch of land in the greater Boston area, which makes him ineligible to take the black and join the Knight’s Watch, but he’s still an experienced cybersecurity professional and developer.