New Open Source Offerings Simplify Securing Kubernetes

November 12, 2019 Chris Smith


Kubernetes Open Source

In advance of the upcoming KubeCon 2019 (CyberArk booth S55), the flagship event for all things Kubernetes and Cloud Native Computing Foundation, CyberArk is adding several new Kubernetes offerings to its open source portfolio to improve the security of application containers within Kubernetes clusters running enterprise workloads.

Secrets Can Be Pushed to Native Kubernetes Secrets Store

CyberArk’s out-of-the-box integration with Kubernetes Secrets strengthens the security of the native Kubernetes secrets mechanism by enabling CyberArk to centrally manage secrets without requiring any changes to code or further involvement of developers. The integration is available for Conjur Open Source and CyberArk Application Access Manager.

A challenge with the native secret stores of  various tools and platforms used in development and production environments is that not only are credential management, rotation, audit and other similar processes limited and inconsistent, the ability to securely share secrets across tools is also limited.

Too often this results in islands of security with poorly and inconsistently secured secrets, sometimes with the same secret stored in multiple tools. The CyberArk integration with Kubernetes enables organizations to use CyberArk to centrally manage Kubernetes secrets alongside secrets used by other leading tools and platforms, including Jenkins, Ansible, OpenShift and more.

For organizations using Conjur Open Source to manage application secrets and other credentials, secrets are pushed to the native Kubernetes secrets store based on Conjur policies. Conjur’s management of Kubernetes is completely transparent to developers since no changes are required. The application code simply accesses the secrets in the Kubernetes secrets store exactly as it did before.

Similarly, for CyberArk enterprise customers, secrets are also pushed to the native Kubernetes secrets store – this time using Application Access Manager and based on policy.  Additionally, organizations can consistently and centrally manage secrets and credentials used by both non-human identities as well as human users, including securing interactive access to Kubernetes and other tool management consoles.

For additional information read up on CyberArk Secrets Provider for Kubernetes Secrets.

SDK Simplifies Development of Secure Kubernetes Applications

Secretless Broker, launched earlier this year, simplifies how containerized applications running in Kubernetes securely access databases, HTTPS based web applications and servers. The new SDK enables developers to write new service connectors to extend the range of databases and other external resources accessed by applications using CyberArk’s Secretless Broker capability.

With Secretless Broker, when an application needs to securely access a resource, the app simply makes a local connection request to Secretless Broker. Secretless Broker then automatically authenticates the app, fetches the required credentials from the CyberArk vault and establishes a connection to the database or other resource. With Secretless Broker, the application no longer has access to credentials, preventing them from being accidentally leaked or exposed by the application and reducing the attack surface.

This approach offers two major simplifications for developers. First, it eliminates the need for the developer to write API calls to fetch the access credential or secret from Kubernetes secrets (or any other secrets store), and second it removes the need for the application to directly handle secrets.

Secretless Broker provides development teams deploying applications in Red Hat OpenShift and Kubernetes environments with a simplified option for applications to securely access MySQL and PostgresSQL databases. The SDK enables developers to add support for additional databases and resources.

Secretless Broker is an open source project that is integrated with Conjur Open Source and offered as a fully supported feature of the Application Access Manager Dynamic Access Provider. The open source version is available from Conjur.

For additional information join the discussion on SDK.

 Improved Capabilities for Native Vaults

The integration with the Kubernetes native secrets capability, together with the previously announced integration with Ansible Tower, is part of CyberArk’s push to give developers transparent access to powerful capabilities that improve the security and ease-of-use of native secret stores with leading developer tools and platforms, including improving security capabilities such as secrets rotation based on policy and providing centralized secrets management, which removes  the burden of securing and managing secrets scattered across multiple tools and platforms from the shoulders of developers.

Additionally, enterprise versions of these integrations add improved secrets management capabilities, including enterprise class policy-based rotation, audit and other management capabilities as well as enterprise class scalability and availability.

Join the Conversation on the CyberArk Commons

If you’re interested in Kubernetes and open source, you can also join the conversation on the CyberArk Commons CommunitySecretless Broker, Conjur and other open source projects are a part of the CyberArk Commons Community, an open community dedicated to developers, engineers, cybersecurity researchers and other technically minded people. To discuss Kubernetes, Secretless Broker, Conjur, CyberArk Threat Research, join me on the CyberArk Commons discussion forum.



Previous Article
Three Cybersecurity Lessons Learned in the 2010s
Three Cybersecurity Lessons Learned in the 2010s

Big cybersecurity lessons from the past decade include eliminating security silos, using AI more effectivel...

Next Article
Simple Rules for Smart IAM Solutions. – Part 3: Making Sense of Data, Risk Detection and Intelligently Leveraging It
Simple Rules for Smart IAM Solutions. – Part 3: Making Sense of Data, Risk Detection and Intelligently Leveraging It

In part 3 of this series on Simple Rules for Smart IAM Solutions, we will examine the most efficient ways i...