CyberArk Kubernetes components that connect to other services

CyberArk Kubernetes components may need to connect to your internal services such as Certificate Manager - Self-Hosted or HashiCorp Vault. To establish a secure HTTPS connection, it is critical that the certificates used by any service integrated with CyberArk Kubernetes components are trusted by those components. In many cases, these internal services use certificates issued by private CAs. In such instances, you will need to configure a custom CA bundle to ensure that the CyberArk Kubernetes components can trust your private CAs.

CyberArk Kubernetes components may also need to connect to HTTPS services on the Internet, such as the Venafi Control Plane or public CAs for certificate issuance. These connections are usually automatically trusted by the CyberArk Kubernetes components unless your Kubernetes clusters are configured to use some form of egress traffic control that terminates TLS connections using a private CA. Egress traffic control can be an HTTP proxy or a transparent proxy. In such cases, you will need to configure a custom CA bundle to connect to your internal HTTP or transparent proxy.

The following table lists those CyberArk Kubernetes components that currently require access to an external internet service, or an internal service:

| Component | Uses external internet service | Uses internal service |
|---|---|---|
| Enterprise Approver Policy | Yes (Venafi Control Plane) | No |
| cert-manager | Yes (external CAs such as Let's Encrypt) | Yes (Certificate Manager - Self-Hosted, HashiCorp Vault) |
| Enterprise Issuer for CyberArk Certificate Manager | Yes (Venafi Control Plane) | No |
| Discovery Agent | Yes (Venafi Control Plane) | No |

For deployments that control egress traffic with a transparent proxy or an HTTP proxy, you must configure a CA bundle for the components that connect to CyberArk services, because the proxy re-issues the TLS certificates those components see.
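The following Go program is an added illustration of the trust problem described above; it is not CyberArk code and does not reproduce how any CyberArk component loads its CA bundle. It constructs a private root CA and a server certificate issued by it (standing in for an internal Vault server or a TLS-terminating proxy), then performs the same chain and hostname verification a TLS client does, first against the system trust store only and then against a custom CA bundle. The hostnames and CA name are constructed, and the "wrong bundle" case shows the unknown-authority error that appears when the bundle handed to a component does not contain the CA actually in use.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issueCert signs tmpl with parentKey; when parent is nil the certificate is self-signed.
func issueCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildPrivateChain creates a constructed private root CA and a server certificate it issued
// for serverName. The CA is returned as a PEM bundle (the form in which an operator supplies a
// custom CA bundle); the leaf stands in for what an internal service or proxy would present.
func BuildPrivateChain(serverName string) (caBundlePEM []byte, leaf *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Private Root CA"}, // constructed
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	ca, err := issueCert(caTmpl, nil, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: serverName},
		DNSNames:     []string{serverName},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err = issueCert(leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caBundlePEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw})
	return caBundlePEM, leaf, nil
}

// VerifyAgainstBundle runs the chain and hostname checks a TLS client performs. A nil bundle
// means "system trust store only", which is what a component has before a custom CA bundle
// is configured; a private CA is never in that store, so verification fails.
func VerifyAgainstBundle(leaf *x509.Certificate, bundlePEM []byte, serverName string) error {
	var roots *x509.CertPool // nil tells Verify to use the system roots
	if bundlePEM != nil {
		roots = x509.NewCertPool()
		if !roots.AppendCertsFromPEM(bundlePEM) {
			return errors.New("no certificates could be parsed from the CA bundle")
		}
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   serverName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsUnknownAuthority reports whether err is the "certificate signed by unknown authority"
// failure, the usual symptom of a missing or wrong CA bundle.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	const host = "vault.internal.example" // constructed hostname
	bundle, leaf, err := BuildPrivateChain(host)
	if err != nil {
		panic(err)
	}
	fmt.Println("system roots only:     ", VerifyAgainstBundle(leaf, nil, host))
	fmt.Println("with private CA bundle:", VerifyAgainstBundle(leaf, bundle, host))
}
```

The first verification fails and the second succeeds, which is exactly the difference a correctly mounted CA bundle makes. Two details carry over to production: the bundle must contain the CA that really signs the certificates the component sees (behind a TLS-terminating proxy that is the proxy's CA, not the upstream service's), and the hostname the component connects to must match a name on the certificate, since a bundle does not relax that check.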

Follow the links below for instructions on configuring CyberArk Kubernetes components to use custom CA bundles: