OPENSHIFT-CONJUR
WEBINAR
JUNE 27, 2018
May 2018
TODAY’S PRESENTERS:
JASON DOBIES
Partner Technical Marketing Engineer
OpenShift Ecosystem
Red Hat
NAAMA SCHWARTZBLAT
Application Identity Manager
Senior Product Manager
CyberArk
JOE GARCIA
Global Corporate Solutions Engineer
CyberArk
WHAT ARE CONTAINERS?
● Sandboxed application processes
on a shared Linux OS kernel
● Simpler, lighter, and denser than
virtual machines
● Portable across different
environments
● Package my application and all of
its dependencies
● Deploy to any environment in
seconds and enable CI/CD
● Easily access and share
containerized components
INFRASTRUCTURE APPLICATIONS
It Depends Who You Ask
DEVOPS WITH CONTAINERS
Diagram: source repository → CI/CD engine → dev container images → container images repository → deployment targets (physical, virtual, private cloud, public cloud); libraries repositories feed the build. The two following slides repeat the pipeline with the step between the image repository and the deployment targets marked "?".
CONTAINERS AREN’T ENOUGH
Scheduling
Decide where to deploy containers
Lifecycle and Health
Keep containers running despite failures
Discovery
Find other containers on the network
Monitoring
Visibility into running containers
Security
Control who can do what
Scaling
Scale containers up and down
Persistence
Survive data beyond container lifecycle
Aggregation
Compose apps from multiple containers
KUBERNETES
Kubernetes is an open-source system for automating deployment, operations, and scaling of containerized applications across multiple hosts.
DEVOPS WITH CONTAINERS AND KUBERNETES
Diagram: the container pipeline from the earlier slide, with Kubernetes filling the "?" gap between images and deployment targets.
Kubernetes alone is not enough; each successive slide adds one more layer on top of it:
• Not enough… need networking (NETWORK)
• Not enough… need an image registry (IMAGE REGISTRY)
• Not enough… need metrics and logging (METRICS AND LOGGING)
• Not enough… need complex deployments and upgrades (DEPLOYMENT AUTOMATION)
• Not enough… need application lifecycle and management (APP LIFECYCLE MGMT)
• Not enough… need application services (databases, messaging, etc.) (APPLICATION SERVICES)
• Not enough… need a self-service portal (SELF-SERVICE)
DEVOPS WITH OPENSHIFT
Diagram: the same stack of layers, labelled OPENSHIFT.
Confidential and Proprietary. © CyberArk Software Ltd. All rights reserved.
#1 Leader in Privileged Account Security
Securing Privilege at more than 50% of the Fortune 100
More than 3,800 customers globally
CYBERARK SOLUTION PORTFOLIO
CYBERARK CONJUR
CyberArk Conjur is a DevOps and cloud security solution
• Addresses the unique secrets management and privileged access security challenges of the DevOps pipeline
• Native integration with cloud management, PaaS/containerized platforms and DevOps orchestration solutions
• Focused on security – supports Separation of Duties
• Designed for developers – Open Source accessible, well documented, fully supported
Conjur Offers Multiple Interfaces To Address Wide Enterprise Needs
Diagram: the personas Business Owner, Security Owner, Developers, Operations/DevOps and Auditor, each with the interface Conjur offers them:
• Dashboards for reporting full audit
• "Everything as code": Community Edition and APIs designed to be easy for developers to use
• CLI and multiple native integrations with the "New IT Department" tools
• Dashboards for central security management
CENTRAL MANAGEMENT - NO “SECURITY ISLANDS”
• Central view and control of Privileged Account Security
• Enterprise-wide solution for on-premise, hybrid and cloud-only organizations
• Leverage the CyberArk Vault and existing investments
• Highest levels of Security, Recoverability, and Auditability
• Central Policy Manager – to manage and rotate secrets
• Bring other CyberArk solutions like Privileged Session Manager, Application Identity Manager, and On-Demand Privilege Manager to the DevOps environment
Diagram: "Islands of Security"
Extend the #1 solution in Privileged Account Security to the DevOps, cloud and container world
INTEGRATION GOALS
• Securely provide secrets to applications running in the PaaS
• Ease of use - seamlessly integrate into the PaaS environment
• Strong authentication of the calling container/pod based on its properties
• Leverage the Kubernetes APIs to verify the application container's identity
• Segregation of duties between application developers and operations, as well as between different projects
• Central audit
• Secret rotation
Diagram: server → host operating system → PaaS engine → containers (APP1 and APP2, each with its own bins/libs), with Conjur alongside.
INTEGRATION COMPONENTS
• Conjur Master – managed secrets repository. Supports full read/write operations such as permission checks, as well as management of policies, secrets and all Conjur services.
• Conjur Follower – read-only replica of the Master. Distributed across data centers and geographies to serve application read requests locally and to take load off the Master. Scales horizontally: each additional follower adds read capacity. Includes the K8S/OpenShift authenticator.
• Summon – Open Source component, used to control the application process as well as to push the secrets into the pod's environment variables.
• Conjur-authn-client – CyberArk container, run as a sidecar or init container, responsible for the login process of the pod against the authenticator.
Diagram: an application pod (init container running Conjur-authn-client, Summon and the app container, sharing a storage volume) talks to a Conjur Follower (and authenticator) pod; behind it sit the Conjur Master pod and its Master Standby pods.
ROBUST AND SCALABLE DEPLOYMENT WITHIN OPENSHIFT
Diagram: an Application Project holds the application pods (each with an init container, Conjur-authn-client, Summon, a shared volume and the app container); a Conjur Project holds several Conjur Follower pods behind a load balancer, with the Conjur Master and its Standby behind the followers. The layout appears twice on the slide.
OPENSHIFT – CONJUR DETAILED FLOW
1. Create a policy for each pod/application
2. Load the policy into the Conjur Master
3. When the pod starts, Conjur-authn-client comes up and creates a CSR
4. Conjur-authn-client calls the Follower with the pod details and the CSR
5. The Follower verifies that the pod exists via the Kubernetes API
6. If it exists, the Follower signs the request and writes the result out of band to the Conjur-authn-client
7. Conjur-authn-client calls the Follower; the Follower authenticates it against the Conjur policies and returns an encrypted token
8. Conjur-authn-client decrypts the token and writes it to the pod's shared memory
9. Summon uses the token to fetch the secrets from Conjur and writes the retrieved secrets to environment variables.
Diagram: Application Project (pod with init container running Conjur-authn-client, Summon, the app container and a shared volume) and Conjur Project (Conjur Master, Conjur Follower pods with the authenticator, behind a load balancer).
App policy:
- !policy
  id: allowed_apps
  annotations:
    description: Apps and services in cluster.
  body:
    - !layer
    - &apps
      - !host [namespace]/service_account/[sa-name]
    - !grant
      role: !layer
      members: *apps
Diagram: Summon, the app container and the shared volume inside the application pod.
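The detailed flow above and the allowed_apps policy, modelled end to end as an added Python example (this is not CyberArk's code). The Kubernetes API, the CSR/certificate and the encrypted token are replaced by constructed stand-ins (an in-memory pod table and an HMAC-signed expiring token) so the checks run offline; FAKE_K8S_PODS, follower_authenticate, fetch_secret, summon_env, the pod names and the variable shop/db/password are all assumptions. What it shows is the two gates the slides describe: in step 5 the pod's real namespace and service account must match the host identity it claims, and in steps 7 and 9 that host must be declared in policy and, through the layer, granted read on the variable before Summon can resolve it into an environment variable.

```python
"""Offline model of the OpenShift-Conjur flow (detailed flow steps 4-9 and the
allowed_apps policy). Added illustration, not CyberArk's code: the Kubernetes
API, the CSR/certificate and the encrypted token are constructed stand-ins."""
import hashlib
import hmac
import json
import os
import time

# Constructed stand-in for what the Follower reads from the Kubernetes API
# (step 5): pod name -> the namespace and service account it really runs under.
FAKE_K8S_PODS = {
    "orders-7c9d": {"namespace": "shop", "service_account": "orders-sa"},
    "batch-1f2a": {"namespace": "analytics", "service_account": "batch-sa"},
}

# Conjur policy in the shape of the slide's allowed_apps policy: hosts are named
# [namespace]/service_account/[sa-name], the layer allowed_apps collects them,
# and the layer (not individual hosts) is granted read on variables.
POLICY = {
    "hosts": {"shop/service_account/orders-sa"},
    "layer_members": {"allowed_apps": {"shop/service_account/orders-sa"}},
    "variable_permissions": {"shop/db/password": {"allowed_apps"}},
}
SECRET_STORE = {"shop/db/password": "constructed-example-password"}  # constructed value

FOLLOWER_KEY = os.urandom(32)  # stand-in for the Follower's signing/encryption key
TOKEN_TTL = 8 * 60             # Conjur access tokens are short-lived (8 minutes)


class AuthnError(Exception):
    """Raised when the Follower or Summon refuses a request."""


def _sign(payload):
    body = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(FOLLOWER_KEY, body, hashlib.sha256).hexdigest()


def follower_authenticate(host_id, pod_name, csr_pubkey, now=None):
    """Steps 4-7: a pod claiming `host_id` presents its pod details and CSR."""
    now = time.time() if now is None else now
    # The claimed identity must have the policy's shape namespace/service_account/name.
    parts = host_id.split("/")
    if len(parts) != 3 or parts[1] != "service_account":
        raise AuthnError("malformed host id")
    namespace, _, sa_name = parts
    # Step 5: the pod must really exist in that namespace under that service
    # account, so a pod cannot borrow another project's identity.
    pod = FAKE_K8S_PODS.get(pod_name)
    if pod is None or (pod["namespace"], pod["service_account"]) != (namespace, sa_name):
        raise AuthnError("pod does not match the claimed identity")
    # Step 7: the host must have been loaded into Conjur policy.
    if host_id not in POLICY["hosts"]:
        raise AuthnError("host is not declared in policy")
    # Steps 6-7 collapsed: issue a signed, expiring token bound to the CSR key
    # (stand-in for the signed certificate plus the encrypted token).
    payload = {"host": host_id, "key": csr_pubkey, "exp": now + TOKEN_TTL}
    return {"payload": payload, "sig": _sign(payload)}


def fetch_secret(token, variable_id, now=None):
    """Step 9: Summon presents the token to read one Conjur variable."""
    now = time.time() if now is None else now
    if not hmac.compare_digest(_sign(token["payload"]), token["sig"]):
        raise AuthnError("token signature does not verify")
    if token["payload"]["exp"] < now:
        raise AuthnError("token expired")
    host = token["payload"]["host"]
    layers = {name for name, members in POLICY["layer_members"].items() if host in members}
    if not layers & POLICY["variable_permissions"].get(variable_id, set()):
        raise AuthnError(f"{host} may not read {variable_id}")
    return SECRET_STORE[variable_id]


def summon_env(token, secrets_yml):
    """Resolve a Summon-style mapping {ENV_NAME: conjur_variable} to env vars."""
    return {env_name: fetch_secret(token, var) for env_name, var in secrets_yml.items()}


def is_rejected(fn, *args, **kwargs):
    """True if the call raises AuthnError; handy for checking negative cases."""
    try:
        fn(*args, **kwargs)
    except AuthnError:
        return True
    return False


if __name__ == "__main__":
    token = follower_authenticate("shop/service_account/orders-sa", "orders-7c9d", "csr-key-A")
    print(summon_env(token, {"DB_PASSWORD": "shop/db/password"}))
    # A pod in another namespace claiming the orders identity, and a real pod
    # whose host was never loaded into policy, are both refused.
    print(is_rejected(follower_authenticate, "shop/service_account/orders-sa", "batch-1f2a", "b"))
    print(is_rejected(follower_authenticate, "analytics/service_account/batch-sa", "batch-1f2a", "b"))
```

The negative cases are the ones worth keeping in mind when loading policy: a host declared with the wrong namespace or service account name never authenticates, and a host that authenticates but is left out of the layer still cannot read the variable, since the grant is on the layer rather than the host.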
BENEFITS
✓ Simple, context-free, secure method for retrieving credentials in containers
✓ End-to-end encryption of secrets through mutual TLS (Transport Layer Security) using SPIFFE-compliant resource identifiers
✓ Robust authentication and authorization incorporating Conjur policy, signed certificates, and internal Kubernetes APIs
✓ Conjur Follower running inside OpenShift
✓ Elastic, can scale out
✓ High availability through multiple followers running inside OpenShift, which also keeps a local cache of secrets available if the network degrades
✓ Segregation of Duty between applications
✓ SoD also between the OpenShift security operator and the development teams, using Conjur policy
✓ Credentials are not exposed to any 3rd party and reside only in memory
✓ Full central audit trail
✓ UI for auditors
IT’S EASY TO GET STARTED
• Try CyberArk Conjur Open Source at www.conjur.org
• Request a DevOps Workshop
• Ask for a DevOps Security Assessment
• Read our DevOps Security Blog at www.conjur.org/blog
THANK YOU

Centralize and Simplify Secrets Management for Red Hat OpenShift Container Environments with the CyberArk Conjur Enterprise Integration