@infamousjoeg
Last active March 1, 2022 22:13
Conjur Authn-K8s - Initial Config Manifest
```yaml
---
apiVersion: v1
kind: Namespace
metadata:
  name: cyberark-conjur
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: authn-k8s-sa
  namespace: cyberark-conjur
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: conjur-authenticator
rules:
- apiGroups: [""]
  resources: ["pods", "serviceaccounts"]
  verbs: ["get", "list"]
- apiGroups: ["extensions"]
  resources: ["deployments", "replicasets"]
  verbs: ["get", "list"]
- apiGroups: ["apps"]
  resources: ["deployments", "statefulsets", "replicasets"]
  verbs: ["get", "list"]
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create", "get"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: conjur-authenticator
subjects:
- kind: ServiceAccount
  name: authn-k8s-sa
  namespace: cyberark-conjur
roleRef:
  kind: ClusterRole
  name: conjur-authenticator
  apiGroup: rbac.authorization.k8s.io
```
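The ClusterRole above is bound cluster-wide, so it is worth knowing exactly what it grants before applying it. The following added example (not part of the gist) transcribes its rules as data and answers "can this service account do X?" questions offline with Kubernetes RBAC matching semantics; the HIGH_RISK set is this example's own choice of grants a reviewer should expect to see justified.

```python
"""Offline review of the conjur-authenticator ClusterRole (added example)."""

# Transcribed from the ClusterRole in the manifest above.
RULES = [
    {"apiGroups": [""], "resources": ["pods", "serviceaccounts"], "verbs": ["get", "list"]},
    {"apiGroups": ["extensions"], "resources": ["deployments", "replicasets"], "verbs": ["get", "list"]},
    {"apiGroups": ["apps"], "resources": ["deployments", "statefulsets", "replicasets"], "verbs": ["get", "list"]},
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create", "get"]},
]

# Grants that go beyond read-only access. Chosen for this example:
# pods/exec create lets the holder run commands inside any pod in the cluster,
# and secrets get/list would expose every Secret object.
HIGH_RISK = {
    ("", "pods/exec", "create"),
    ("", "secrets", "get"),
    ("", "secrets", "list"),
}


def _matches(allowed, value):
    # RBAC treats "*" as a wildcard in apiGroups, resources and verbs.
    return any(a == "*" or a == value for a in allowed)


def can_i(rules, api_group, resource, verb):
    """True if any rule permits `verb` on `resource` in `api_group`.

    A subresource such as "pods/exec" only matches a rule that names it
    explicitly (or uses "*"); a rule for "pods" does not cover it.
    """
    return any(
        _matches(r["apiGroups"], api_group)
        and _matches(r["resources"], resource)
        and _matches(r["verbs"], verb)
        for r in rules
    )


def review(rules):
    """Return the sorted HIGH_RISK (group, resource, verb) triples the role grants."""
    return sorted(t for t in HIGH_RISK if can_i(rules, *t))


if __name__ == "__main__":
    for group, resource, verb in review(RULES):
        print(f"high-risk grant: {verb} {resource} (apiGroup '{group}')")
```

Running it against the manifest's rules reports only `create pods/exec`, confirming the role is read-only apart from the exec permission the authenticator needs.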
@infamousjoeg (Author)
After applying, the secret variables for authn-k8s need to be populated:

```sh
# service-account-token
kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep kops-admin | awk '{print $1}')

# ca-cert (base64 -D is the macOS/BSD flag; GNU coreutils spells it base64 -d)
kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.certificate-authority-data}' | base64 -D

# api-url
kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.server}'
```