Integrate Kubernetes secrets-agent with Password Safe

Overview

The Kubernetes (K8S) secrets-agent integration for Password Safe enables the injection of secrets from Password Safe into K8S pods.

Pods can be configured to retrieve secrets from Password Safe before being applied to their primary application. The application consuming the secrets does not need to have any knowledge of Password Safe to use the secret at run time.

Permissions for access to secrets in Password Safe can be granted to specific accounts within BeyondInsight.

This secrets-agent version only works with Password Safe version 23.1.0 and later releases.

Applications can opt in to Password Safe secret retrieval by adding the secrets-agent to their Kubernetes manifests as an initContainer, or a sidecar container. The secrets-agent retrieves secrets and makes them available to the target consumer without requiring that the consumer be aware of Password Safe.

To support this feature, your BeyondInsight instance must be configured with an API registration.

At run time, secrets are retrieved from Password Safe by Kubernetes pods, pictured in the figure below:

Workflow diagram showing how secrets are retrieved from Password Safe by Kubernetes pods.

  1. On startup, the initContainer authenticates to Password Safe.
  2. Secrets-agent retrieves secrets from Password Safe and writes them to a shared volume.
  3. The end-user application reads the secrets from the shared volume.

 

Requirements

For an application to opt in to Password Safe secret retrieval, each of the following must be in place:

  1. A Password Safe API registration must be configured.
  2. The pod's secrets-agent must have access to its target secrets in Password Safe using an API key and a user account.
  3. The application's manifest must add the secrets-agent container and a Shared Volume.

Workflow for the integration

Configure steps 1 through 11 in BeyondInsight, and then modify the target application's manifest (step 12).

Once the configuration is complete, see secrets-agent usage for adding environment variables to your K8s yaml file.

You can use existing group, user, access policy, managed system, and managed account, and then modify as required for the configuration in BeyondInsight, if desired.

  1. Configure API Registration.
    • A user password is not required for the API registration.
  2. Create a Secrets Safe group.
  3. Add the API registration to the Secrets Safe group.
  4. Add the Secrets Safe feature to the Secrets Safe group.
  5. Add the All Managed Accounts Smart Group to the Secrets Safe group.
  6. Create a user in BeyondInsight and add it to the Secrets Safe group.
  7. Create an access policy that has the View Password Auto Approve option set.
  8. Add the access policy to the All Managed Accounts Smart Group role, and ensure that both requestor and approver are set.
  9. Create a managed system.
  10. Create a managed account associated with the managed system.
  11. Configure the managed account with the API Enabled and Max Concurrent Requests Unlimited options selected.
  12. Modify the target application's manifest to include the resources that retrieve secrets and write them to the pod filesystem.