Q1
A financial services company is designing a multi-site Conjur DAP architecture for disaster recovery. They have a primary data center (DC1) and a secondary data center (DC2). The requirement is that if DC1 fails completely, DC2 must be able to continue serving secrets without manual intervention. The cluster spans both data centers. What is the minimum number of nodes required, and how should they be distributed to ensure automatic failover and maintain quorum if DC1 is lost?
Q2
An administrator deployed the Conjur Kubernetes Authenticator. Pods in the `prod-apps` namespace are failing to authenticate, and the authenticator logs show `401 Unauthorized` errors. The policy correctly defines the host identity `host/prod-apps/deployment/my-app`. The pod's ServiceAccount is also correctly defined and assigned. Which of the following is the most likely cause for this authentication failure?
Q3 (Multiple answers)
A DevOps team is structuring their Conjur policies for a microservices application. They want to grant a specific service, `billing-api`, read and execute permissions on a database password. They also want to allow members of the `db-admins` group to update the password. Which of the following policy statements are required to achieve this configuration? (Select TWO)
Q4
A rapidly growing e-commerce company is migrating its entire platform to Google Kubernetes Engine (GKE). Their security team has mandated the use of CyberArk Conjur for all secrets management. The platform consists of dozens of microservices, each with its own database credentials, API keys, and certificates. The DevOps team uses a GitOps workflow with ArgoCD to manage all Kubernetes manifests. The current challenge is integrating Conjur into this GitOps model. The secrets must be available to the application containers as files mounted to a specific path (e.g., `/etc/secrets`), and the process must be fully automated without storing any Conjur-related credentials in Git. The security team also requires that secret rotation in Conjur is reflected in the running pods within 5 minutes without requiring a pod restart. The DevOps team is evaluating two primary methods for secret injection: the 'Summon-in-Init' pattern and the 'Secrets Provider for K8s' sidecar pattern. Which solution best meets all the company's requirements?
Q5
When writing a Conjur policy, you need to define a group of administrators who can manage other users. What policy record type should be used to create this group? `- !______ db-admins`
Q6
True or False: When using the Vault Conjur Synchronizer, secrets are synchronized from the Vault to Conjur in near real-time, but updates made directly in Conjur are NOT synchronized back to the Vault.
Q7
During the installation of a Conjur Follower, the process fails. Review of the logs shows 'Failed to authenticate to master: SSL certificate validation failed'. The administrator has already imported the Master's certificate into the Follower's trust store using `evoke ca import`. What is the most likely remaining cause of this issue?
Q8
A security architect is designing a Conjur policy and needs to prevent a powerful role from being granted to any new members accidentally. The architect wants to ensure that the membership of the `global-admins` group can never be changed after it is initially defined. Which policy record should be used to achieve this?
Q9
A developer is using Summon to provide a secret to a shell script. The `secrets.yml` file contains the following entry: `DB_PASSWORD: !var staging/mysql/password`. The script is executed with the command `summon ./start-app.sh`. Inside `start-app.sh`, how would the developer access the value of the secret?
Q10
A security audit reveals that a Conjur policy loaded in 'append' mode has inadvertently granted excessive permissions over time. The administrator needs to reset the permissions for the `production/database` policy branch to a known, clean state defined in a file named `prod-db-reset.yml`. Which command should be used to achieve this?