CyberArk Kubernetes components that connect to other services
CyberArk Kubernetes components may need to connect to your internal services such as Certificate Manager - Self-Hosted or HashiCorp Vault. To establish a secure HTTPS connection, it is critical that the certificates used by any service integrated with CyberArk Kubernetes components are trusted by those components. In many cases, these internal services use certificates issued by private CAs. In such instances, you will need to configure a custom CA bundle to ensure that the CyberArk Kubernetes components can trust your private CAs.
CyberArk Kubernetes components may also need to connect to HTTPS services on the Internet, such as the Venafi Control Plane or public CAs for certificate issuance. These connections are usually automatically trusted by the CyberArk Kubernetes components unless your Kubernetes clusters are configured to use some form of egress traffic control that terminates TLS connections using a private CA. Egress traffic control can be an HTTP proxy or a transparent proxy. In such cases, you will need to configure a custom CA bundle to connect to your internal HTTP or transparent proxy.
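The trust failure described in the two paragraphs above can be reproduced offline with OpenSSL: a certificate issued by a private CA is rejected by the default trust store and accepted once the CA bundle is supplied. This is an added example, not CyberArk's code; the CA name, host name and function names are constructed, and it assumes the `openssl` CLI is installed.

```shell
#!/bin/sh
# Added example. The CA name, host name and file paths are constructed.
set -eu

# Create a throwaway private CA and a leaf certificate it signs, in directory $1.
make_demo_pki() {
    dir=$1
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Private CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/ca.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
        -subj "/CN=vault.internal.example" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/leaf.pem" 2>/dev/null
}

# Exit 0 if certificate $1 verifies; $2 (optional) is a PEM bundle of extra trusted CAs.
cert_is_trusted() {
    if [ -n "${2:-}" ]; then
        openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
    else
        openssl verify "$1" >/dev/null 2>&1
    fi
}

# Live variant, not exercised by the demo: does host:port $1 verify against bundle $2?
endpoint_is_trusted() {
    openssl s_client -connect "$1" -servername "${1%%:*}" -CAfile "$2" \
        -verify_return_error </dev/null >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d)
    make_demo_pki "$d"
    cert_is_trusted "$d/leaf.pem" && echo "default store: trusted" || echo "default store: rejected"
    cert_is_trusted "$d/leaf.pem" "$d/ca.pem" && echo "custom bundle: trusted" || echo "custom bundle: rejected"
    rm -rf "$d"
}
demo
```

Running `endpoint_is_trusted` from a host on the same egress path as the cluster confirms that a bundle covers the chain actually presented, including one re-signed by a proxy.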
The following table lists those CyberArk Kubernetes components that currently require access to an external internet service, or an internal service:
Component | Uses external internet service | Uses internal service |
---|---|---|
Enterprise Approver Policy | Yes (Venafi Control Plane) | No |
cert-manager | Yes (external CAs such as Let's Encrypt) | Yes (Certificate Manager - Self-Hosted, HashiCorp Vault) |
Enterprise Issuer for CyberArk Certificate Manager | Yes (Venafi Control Plane) | No |
Discovery Agent | Yes (Venafi Control Plane) | No |
For deployments that use transparent proxies or HTTP proxies to control egress traffic, a CA bundle must be configured for services connecting to CyberArk services.
Follow the links below for instructions on configuring CyberArk Kubernetes components to use custom CA bundles:
- Installing Enterprise Approver Policy using Helm
- Installing Enterprise Approver Policy using the CLI tool for CyberArk Certificate Manager
- Installing cert-manager using Helm
- Installing cert-manager using the CLI tool for CyberArk Certificate Manager
- Installing Enterprise Issuer for CyberArk Certificate Manager using Helm
- Installing Enterprise Issuer for CyberArk Certificate Manager using the CLI tool for CyberArk Certificate Manager
- Installing Discovery Agent using Helm
- Installing Discovery Agent using the CLI tool for CyberArk Certificate Manager