Using AAPM Agent on Kubernetes and OpenShift Platforms
Kron PAM eliminates hardcoded credentials in Kubernetes and OpenShift environments using two different methods: Password Service and Sidecar Container Method.
- Password Service Method
  - Kron PAM's Password Service provides dynamic and on-demand credential retrieval.
  - Applications request credentials directly from the Password Service via secure API calls.
  - This method ensures that secrets are securely retrieved at runtime and are never statically stored within the application.
- Sidecar Container Method
  - The AAPM Agent and Sidecar Container are deployed as separate containers within the same pod.
  - The AAPM Agent retrieves passwords, keys, and certificates from Kron PAM.
  - The AAPM Agent and Sidecar Container communicate over a secure channel to transfer secrets securely.
  - The Sidecar Container injects the retrieved secrets into the application environment.
  - Applications access the credentials via environment variables or volume-mounted files.
Descriptions of the Kubernetes Fields
| Field | Description |
|---|---|
| Pods | Pods are the smallest deployable units of computing that can be created and managed in Kubernetes. |
| AAPM Agent Pod | The AAPM Agent pod is responsible for communicating with Kron PAM and receiving the secrets, which are updated at regular intervals. |
| AAPM Agent Password Service | The Password Service is used to retrieve the password from the agent cache through the service URL, based on the RESTful API request sent by the application. |
| AAPM Agent Sidecar | The AAPM Agent sidecar runs alongside the K8s application continuously. It requests the secret from the AAPM Agent and writes it to the keystore, enabling the application to retrieve it. |
| Namespace | A namespace helps to separate a cluster into logical units. It can help to granularly organize, allocate, manage, and secure cluster resources. |
| Shared Volume | A shared volume is used to provide the secret to the application. |
The AAPM Agent is a Java-based application. Running it on an operating system requires the appropriate JDK to be installed, and the installation and usage steps depend on the operating system. The AAPM Agent operates on the core AAPM module.
On container orchestration platforms, the AAPM Agent service runs as an Agent Pod linked to the AAPM module and tailored to the platform. The AAPM Agent Pod is deployed in the AAPM Agent namespace; nothing needs to be installed in the namespaces where the applications run.
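As an added illustration (not taken from Kron's documentation), a minimal Pod manifest for the Sidecar Container Method described above: the sidecar writes the retrieved secret into a memory-backed shared volume, and the application reads it from a read-only mount in its own namespace. The pod, namespace, image and secret file names are placeholders; the sidecar's own configuration (agent address, which secrets to fetch) follows the vendor's documentation and is not shown here.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: payments-app            # placeholder application name
  namespace: payments           # the application's namespace, not the AAPM Agent namespace
spec:
  securityContext:
    runAsNonRoot: true          # neither container needs root
  volumes:
    # tmpfs-backed shared volume: the secret lives in memory and never touches node disk
    - name: aapm-secrets
      emptyDir:
        medium: Memory
  containers:
    - name: app
      image: registry.example.com/payments-app:1.0       # placeholder image
      env:
        # the application opens this file when it needs the credential,
        # re-reading it each time so a rotated secret is picked up
        - name: DB_PASSWORD_FILE
          value: /run/secrets/aapm/db-password           # placeholder file name
      volumeMounts:
        - name: aapm-secrets
          mountPath: /run/secrets/aapm
          readOnly: true        # the application can read but never modify the secret
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
    - name: aapm-sidecar
      image: registry.example.com/aapm-sidecar:1.0       # placeholder; use the vendor-supplied image
      # sidecar configuration (AAPM Agent address, secret selection) per vendor docs
      volumeMounts:
        - name: aapm-secrets
          mountPath: /run/secrets/aapm                   # the sidecar writes the secret here
      securityContext:
        allowPrivilegeEscalation: false
```

Only the sidecar mounts the volume writable; the application container and its root filesystem stay read-only, so a compromised application cannot tamper with the secret file or persist anything to disk.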