Closed izgeri closed 3 years ago
I created some applications on a GKE cluster using a modified version of the conjurdemos/kubernetes-conjur-demo scripts, and reviewed the Conjur documentation re. authn-k8s.
Conjur OSS Helm Chart Documentation: Chart Value account MUST Match the Conjur Account That You Expect to Create
This needs to be documented!!! Let's say you deploy a Conjur OSS server, using either an explicit setting for the chart value account or the default value of "default". If you later create a Conjur account on this server, then you will need to either:
- create that Conjur account with a name that matches the chart value account, or
- set the chart value account to match the Conjur account value.
Failing to do this will cause Kubernetes authn-k8s authentication to fail.
Perhaps a better alternative would be to add an option for the Conjur OSS Helm chart to create an account as a post-install hook.
Conjur Documentation Should Use "identity" Instead of "host" in Some Places
This line: The following are the Kubernetes resources that you can define as hosts: should be: The following are the Kubernetes resources that you can define as authentication identities:
This line: We recommend using this option as a transition, and move towards using the Kubernetes Deployment and StatefulSet resources as hosts. Should be: We recommend using this option as a transition, and move towards using the Kubernetes Deployment and StatefulSet resources as authentication identities.
This line: Define Kubernetes Resources as Conjur hosts Should be: Define Kubernetes Resources as Conjur Identities
Inconsistent Use of ClusterRole vs Role
I believe Role (which is namespace scoped) is preferred?
Secretless Getting Started Doc Uses Old Style
Should this be changed to be consistent with the other examples that use the application name as the host?
A service account host is defined here: https://docs.secretless.io/Latest/en/Content/Get%20Started/using-dap.htm#EnabletheKubernetesauthenticatorforyourapplication

```yaml
- !host
  id: APP_NAMESPACE/service_account/APP_SERVICE_ACCOUNT
  annotations:
    kubernetes/authentication-container-name: secretless
    kubernetes: "true"

# grant membership to the conjur/authn-k8s/AUTHENTICATOR_NAME/apps layer
- !grant
  role: !layer
  member: !host APP_NAMESPACE/service_account/APP_SERVICE_ACCOUNT
```
The corresponding CONJUR_AUTHN_LOGIN is defined here: https://docs.secretless.io/Latest/en/Content/Get%20Started/using-dap.htm#AddSecretlesstoyourappdeploymentmanifest

```yaml
- name: CONJUR_AUTHN_LOGIN
  value: "host/conjur/authn-k8s/AUTHENTICATOR_NAME/apps/APP_NAMESPACE/service_account/APP_SERVICE_ACCOUNT"
```
Conjur OSS Helm Chart Documentation Should Provide Examples Showing authn-k8s Authentication
Conjur OSS Helm Chart Documentation Needs to Show How to Enable Debug Mode
Troubleshooting Wiki Needs to Include a Step-by-Step Guide to Debugging authn-k8s
There is an issue filed already: https://app.zenhub.com/workspaces/community-and-integrations-team-5e28ab8f700a191286d5abe0/issues/cyberark/conjur-docs/958
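The two failure modes raised in this issue (a Helm chart `account` value that does not match the Conjur account the app uses, and a CONJUR_AUTHN_LOGIN that does not line up with the policy branch and host id) can be caught before a pod ever calls the authenticator. The following is an added example, not code from this issue, from Conjur or from Secretless: a small pre-flight check that derives the login string from a policy host, compares it and the account against the app's environment, and tells an old-style host id (namespace/resource type/name) apart from an annotation-based application-name identity. The resource-type list, the annotation keys (`authn-k8s/...` and the older `kubernetes/...` spelling used in the Secretless snippet quoted above), the default container name and all sample values are assumptions for illustration.

```python
"""Pre-flight check for a Conjur authn-k8s application identity.

Added example, not code from the issue, from Conjur or from Secretless. It
encodes the two mismatches the issue describes: the Helm chart value
`account` must equal the Conjur account the app authenticates against
(CONJUR_ACCOUNT), and CONJUR_AUTHN_LOGIN must be exactly
"host/<policy branch>/<host id>". It also tells old-style host ids
("<namespace>/<resource type>/<name>") apart from annotation-based
(application-name) identities. The resource-type list, the annotation keys
and every sample value below are assumptions for illustration.
"""
from dataclasses import dataclass, field

# Assumed: resource types an old-style host id may name in its middle segment.
OLD_STYLE_RESOURCE_TYPES = {
    "namespace", "service_account", "pod", "deployment",
    "stateful_set", "deployment_config",
}
# Assumed annotation keys; "kubernetes/..." is the older spelling the
# Secretless doc quoted above uses, "authn-k8s/..." the newer one.
CONTAINER_ANNOTATIONS = (
    "authn-k8s/authentication-container-name",
    "kubernetes/authentication-container-name",
)
DEFAULT_AUTHN_CONTAINER = "authenticator"  # assumed default


@dataclass
class PolicyHost:
    """A !host as loaded into Conjur: the policy branch it is defined under,
    its id within that branch, and its annotations."""
    branch: str
    host_id: str
    annotations: dict = field(default_factory=dict)


def expected_authn_login(host):
    """The CONJUR_AUTHN_LOGIN an app must present for this host."""
    return f"host/{host.branch}/{host.host_id}"


def classify_identity(host):
    """Return ("old-style", namespace, resource_type, name) when the host id
    itself names the Kubernetes resource, or ("annotation", namespace,
    authentication_container) when the identity comes from annotations.
    Raises ValueError when neither form applies."""
    parts = host.host_id.split("/")
    if len(parts) == 3 and parts[1] in OLD_STYLE_RESOURCE_TYPES:
        return ("old-style", parts[0], parts[1], parts[2])
    namespace = host.annotations.get("authn-k8s/namespace")
    if namespace is None:
        raise ValueError(
            f"host {host.host_id!r} is neither an old-style id nor annotated "
            "with authn-k8s/namespace; authn-k8s cannot map it to a pod")
    container = next(
        (host.annotations[k] for k in CONTAINER_ANNOTATIONS if k in host.annotations),
        DEFAULT_AUTHN_CONTAINER)
    return ("annotation", namespace, container)


def preflight(helm_account, app_env, host):
    """Compare the chart's `account` value and the app's env vars against the
    policy host. Returns a list of findings; an empty list means they agree."""
    findings = []
    app_account = app_env.get("CONJUR_ACCOUNT")
    if app_account != helm_account:
        findings.append(
            f"account mismatch: chart value account={helm_account!r} but the app "
            f"uses CONJUR_ACCOUNT={app_account!r}; authn-k8s will fail")
    want = expected_authn_login(host)
    got = app_env.get("CONJUR_AUTHN_LOGIN")
    if got != want:
        findings.append(f"login mismatch: expected {want!r}, got {got!r}")
    try:
        classify_identity(host)
    except ValueError as exc:
        findings.append(str(exc))
    return findings


# Constructed sample inputs mirroring the Secretless snippet quoted above.
OLD_STYLE_HOST = PolicyHost(
    branch="conjur/authn-k8s/AUTHENTICATOR_NAME/apps",
    host_id="APP_NAMESPACE/service_account/APP_SERVICE_ACCOUNT",
    annotations={"kubernetes/authentication-container-name": "secretless",
                 "kubernetes": "true"},
)
# The application-name style the issue recommends instead (assumed shape).
APP_NAME_HOST = PolicyHost(
    branch="conjur/authn-k8s/AUTHENTICATOR_NAME/apps",
    host_id="test-app",
    annotations={"authn-k8s/namespace": "APP_NAMESPACE",
                 "authn-k8s/service-account": "APP_SERVICE_ACCOUNT",
                 "authn-k8s/authentication-container-name": "secretless"},
)

if __name__ == "__main__":
    env = {"CONJUR_ACCOUNT": "myConjurAccount",
           "CONJUR_AUTHN_LOGIN": expected_authn_login(OLD_STYLE_HOST)}
    print(preflight("myConjurAccount", env, OLD_STYLE_HOST))  # []
    print(preflight("default", env, OLD_STYLE_HOST))          # one account-mismatch finding
    print(classify_identity(APP_NAME_HOST))
```

Run it with the account you actually created on the server as `helm_account` (or the chart default "default" if you never overrode it) and the env block from your app manifest; a non-empty finding list is the mismatch that otherwise only shows up as a failed authn-k8s login.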
@diverdane were follow-up issues filed for all of these items and put in the epic #74? If that's the case, then I think this issue can be closed now
More details TBA
We would like to perform XA using the draft updated documentation (link TBA) for Kubernetes authentication to run through the end-to-end experience of using Conjur OSS with Kubernetes-deployed applications.