Integrating PAM360 with Kubernetes for Secrets Management

Kubernetes (K8s) - Kubernetes is an open-source platform that automates the deployment, scaling, and management of containerized applications. Containers are a lightweight way to run applications, and Kubernetes manages them with ease by handling tasks such as load balancing and rolling updates.

Kubernetes Secrets - Kubernetes Secrets provide a secure way to store sensitive information, such as passwords, tokens, SSL certificates, and keys, within a Kubernetes cluster.

Kubernetes manages these Secrets so that users can handle the sensitive information their applications require. With this integration, PAM360 can manage Kubernetes TLS secrets, including rotating and updating them based on expiry and necessity.

Note: The term TLS Secret mentioned in this document represents the SSL certificates stored in the Kubernetes cluster.

Refer to the sections that follow to learn more about Kubernetes integration with PAM360:

  1. Benefits of Kubernetes Integration with PAM360
  2. Configuring Kubernetes in PAM360
  3. Managing TLS Secrets via PAM360
  4. Limitations

1. Benefits of Kubernetes Integration with PAM360 for Secrets Management

  • Collaborate on the management of Kubernetes TLS secrets in your enterprise
  • Fetch TLS secrets from Kubernetes clusters and manage them in PAM360
  • Manage TLS secrets from multiple Kubernetes clusters, including updating and rotating them

2. Configuring Kubernetes in PAM360

To begin the configuration process, you must first download the YAML file from the PAM360 interface. This configuration file contains the resource definitions that must be applied to the master node of the Kubernetes server. To download the YAML file, do the steps that follow:

  1. Navigate to Certificates >> Certificates >> Kubernetes >> Manage.
  2. On the page that appears, click Download YAML File to proceed.

Once you have downloaded the YAML file, move it to the server where Kubernetes is running. To do so:

  1. Make sure that the Kubernetes server is started and running.
  2. Apply the YAML configuration file to the Kubernetes server with the following command: "kubectl apply -f <filename.yaml>".
  3. This command creates a new token for authenticating the communication between PAM360 and the master node.
  4. Now, fetch the token from the Kubernetes server with the following command: "kubectl describe secret pam-api-auth-secret".
  5. The token value is shown in the output of this command. Copy or save this token value to configure the Kubernetes integration in PAM360.
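As an added example (not part of the PAM360 documentation), the following Python snippet pulls the token out of the describe output, decodes its claims to confirm which service account it represents before the token is pasted into PAM360, and flags a Server URL that is not HTTPS. The describe output and the token are constructed, and the service-account name "pam-api-auth" is an assumption.

```python
import base64
import json
import re
from urllib.parse import urlparse

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed service-account token: real ones are RS256 JWTs signed by the API
# server; the signature here is dummy bytes, so only the claims are meaningful.
# The service-account name "pam-api-auth" is assumed (the page names only the secret).
_CLAIMS = {
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/service-account.name": "pam-api-auth",
}
SAMPLE_TOKEN = ".".join([
    _b64url(b'{"alg":"RS256","typ":"JWT"}'),
    _b64url(json.dumps(_CLAIMS).encode()),
    _b64url(b"\x00" * 32),
])

# Constructed, trimmed `kubectl describe secret pam-api-auth-secret` output.
DESCRIBE_OUTPUT = f"""\
Name:         pam-api-auth-secret
Namespace:    default
Type:  kubernetes.io/service-account-token
ca.crt:     1099 bytes
token:      {SAMPLE_TOKEN}
"""

def extract_token(describe_output: str) -> str:
    """Pull the token value out of `kubectl describe secret` text."""
    match = re.search(r"^token:\s+(\S+)\s*$", describe_output, re.MULTILINE)
    if not match:
        raise ValueError("no token field in describe output")
    return match.group(1)

def token_identity(token: str) -> dict:
    """Decode the JWT claims (signature is not checked here; the API server does that)."""
    payload = token.split(".")[1]
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return {"namespace": claims.get("kubernetes.io/serviceaccount/namespace"),
            "service_account": claims.get("kubernetes.io/serviceaccount/service-account.name")}

def server_url_warnings(url: str) -> list:
    # A bearer token sent over plain HTTP crosses the network unencrypted.
    parts = urlparse(url)
    warnings = [] if parts.scheme == "https" else [f"scheme {parts.scheme!r}: token sent unencrypted"]
    if not parts.hostname:
        warnings.append("no host in Server URL")
    return warnings
```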

Now, open the PAM360 console and do the steps that follow to add the Kubernetes clusters available in the Kubernetes server into PAM360:

  1. Navigate to Certificates >> Certificates >> Kubernetes >> Manage.
  2. On the page that appears, click Add.
  3. In the pop-up that opens, enter a Credential Name, Server URL, and Token.
    1. Credential Name - Enter the name of your choice to identify the respective Kubernetes Clusters. E.g., Kub Cluster 1
    2. Server URL - The URL where the Kubernetes server is running. E.g., http://20.XX.XX.XXX:8383
    3. Token - Enter here the token generated from the Kubernetes server.
  4. Now, click Check Server. This operation will validate the establishment of communication between the Kubernetes server and PAM360.
  5. Click Save to complete the integration process. You can save the details only if the Kubernetes server is reachable from PAM360.
  6. You can also delete an added Kubernetes credential using the Delete option as required.
  Note: The term Kubernetes credential in this document represents a Kubernetes cluster added into PAM360 from the Kubernetes server.

3. Managing TLS Secrets via PAM360

Once you have added the Kubernetes credential into PAM360, you can perform four main operations with the added Kubernetes credential to manage the TLS secrets.

3.1 Fetch TLS Secrets from Kubernetes Credential

To fetch all the TLS secrets available in a Kubernetes credential into PAM360, follow these steps:

  1. Navigate to Certificates >> Certificates >> Kubernetes and click Fetch TLS Secrets.
  2. In the pop-up that opens, select the required credential from where the TLS secrets are to be fetched and click Import.
  3. All TLS secrets available in the selected Kubernetes credential are now fetched along with their details: Credential Name (Kubernetes cluster name), Common Name, Namespace, Created Time, and Expiry Date.

3.2 Update TLS Secrets from PAM360

If a TLS secret in a Kubernetes credential has expired or is about to expire, you can update it using the Update option in the Kubernetes window. To update a TLS secret, do the steps that follow:

  1. Select the TLS secret that has to be updated and click Update.
  2. On the page that opens, select the Kubernetes credential in which the secret is to be replaced with the new TLS secret.
  Note: An update performed in the PAM360 repository automatically updates the TLS secret in the respective Kubernetes credential (cluster).
  3. If you have an SSL certificate available in your PAM360 Kubernetes repository:
    1. Click Existing Certificate in the Update Secret window.
    2. Select the respective SSL certificate from the available list.
    3. Click Update to update the TLS secret.
  4. Using the New Certificate option, you can also create a new certificate with either the Self Signed or the Certificate Request method.
  5. If you want to create a new self-signed certificate as your TLS secret:
    1. Click Self Signed in the Update Secret window.
    2. Enter the required fields such as Common Name, Key Algorithm, Key Size, Keystore Type, Validity Type, Validity, and Store Password, and click Update.
    3. You can also open the advanced options and enable the necessary Key Usage and Extended Key Usage fields as per your TLS secret requirements.
  6. If you want to create a new certificate as your TLS secret signed by the Kubernetes cluster Certificate Authority (CA), follow the steps below:
    1. Click Certificate Request in the Update Secret window.
    2. Enter the required fields such as Common Name, Key Algorithm, Key Size, Keystore Type, Validity Type, Validity, and Store Password.
    3. In the Issuer field, select the Kubernetes cluster CA that is to sign the certificate, based on your Key Usage requirement.
    4. Now, click Update to obtain the new certificate through the created request.

3.3 Delete TLS Secrets from PAM360

Select the respective TLS secrets and click Delete to remove them from the stored Kubernetes credential in PAM360. To add the TLS secrets back, fetch them again as described in section 3.1. Please note that the Delete operation removes the secret only from the PAM360 repository and not from the Kubernetes cluster. We recommend that you delete the TLS secret manually in the Kubernetes cluster if required.

3.4 Sync TLS Secrets

If new secrets are added to the Kubernetes cluster, you must perform a manual fetch operation to keep the Kubernetes cluster and PAM360 in sync. This operation retrieves all secrets that were added after the previous fetch operation in PAM360.

4. Limitations

  1. PAM360 retrieves TLS secrets from the Kubernetes cluster only when a fetch is performed. It does not detect TLS secrets that were added to or removed from the Kubernetes server after the fetch. To keep the Kubernetes cluster and the PAM360 repository in sync, perform a manual fetch as and when required.
  2. PAM360 does not have a built-in feature to sync with the Kubernetes server automatically at scheduled intervals.
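To see what the manual fetch in section 3.4 will and will not reconcile, here is an added Python example (not PAM360's own code) that compares a constructed `kubectl get secrets -A -o json` listing against a constructed PAM360 inventory keyed by namespace/name. Secrets present in the cluster but not in PAM360 are picked up by the next fetch; secrets still listed in PAM360 but gone from the cluster are the stale entries that limitation 1 says you must remove by hand.

```python
import json

# Constructed `kubectl get secrets -A -o json` output, trimmed to the fields used.
CLUSTER_SECRETS_JSON = json.dumps({"items": [
    {"metadata": {"name": "web-tls", "namespace": "prod"}, "type": "kubernetes.io/tls"},
    {"metadata": {"name": "api-tls", "namespace": "prod"}, "type": "kubernetes.io/tls"},
    {"metadata": {"name": "db-creds", "namespace": "prod"}, "type": "Opaque"},
]})

# Constructed PAM360 inventory as it stood after the last fetch (namespace/name).
PAM360_INVENTORY = {"prod/web-tls", "prod/old-tls"}

def tls_secret_keys(secrets_json: str) -> set:
    """Return namespace/name for every TLS-type secret in the cluster listing.
    Only kubernetes.io/tls secrets are in scope for PAM360, so Opaque ones are skipped."""
    items = json.loads(secrets_json)["items"]
    return {f"{i['metadata']['namespace']}/{i['metadata']['name']}"
            for i in items if i.get("type") == "kubernetes.io/tls"}

def drift(cluster: set, pam360: set) -> dict:
    """Secrets the next manual fetch will add, and secrets PAM360 still lists
    although they no longer exist in the cluster (PAM360 cannot detect these;
    delete them from the PAM360 repository by hand)."""
    return {"fetch_will_add": sorted(cluster - pam360),
            "stale_in_pam360": sorted(pam360 - cluster)}

if __name__ == "__main__":
    print(drift(tls_secret_keys(CLUSTER_SECRETS_JSON), PAM360_INVENTORY))
```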