Ensuring the security of your OpenShift cluster is crucial to protect your applications and data. Implementing a least privilege access model is essential to limit the damage that can be caused by a compromised user account.
This can be achieved by assigning specific roles to users, such as the Cluster Administrator role, which grants the ability to manage the entire cluster. By limiting access to only the necessary permissions, you can prevent unauthorized changes to your cluster.
Regularly updating and patching your OpenShift cluster is also vital to prevent known vulnerabilities from being exploited. This includes keeping your Docker images and Kubernetes components up to date.
OpenShift provides a robust set of security features, including network policies, which can be used to control traffic between pods. This can be particularly useful in multi-tenant environments where isolation is key.
Security Considerations
Red Hat OpenShift provides default security policies and hardening out-of-the-box, giving enterprises a head start in securing container deployments.
The platform's certified ecosystem products, such as Sysdig and Twistlock, can expand the security capabilities of OpenShift clusters.
Securing etcd, a distributed key-value store used by Kubernetes and OpenShift, is crucial to ensure the integrity and confidentiality of the data stored within it.
Encryption for etcd data is essential, and can be achieved by enabling encryption for both data in transit and data at rest, using TLS for communication between etcd members and other components.
Limiting access to the etcd API through authentication and role-based access control (RBAC) ensures that only authorized components can interact with etcd and perform specific actions based on their assigned roles.
Regular backups of etcd data are necessary to protect against data loss or corruption, and it's essential to test the backup and recovery process to ensure a quick restoration of the etcd cluster in case of a failure or disaster.
Here are some key security considerations for etcd:
- Encryption: Enable encryption for data in transit and at rest, using TLS for communication.
- Access control: Limit access to the etcd API through authentication and RBAC.
- Backup and recovery: Regularly create backups and test the recovery process.
Architecture and Design
In OpenShift, architecture and design are crucial for ensuring security.
OpenShift's built-in security features, such as role-based access control, allow administrators to restrict access to sensitive resources.
This approach helps prevent unauthorized users from accessing critical areas of the platform, reducing the attack surface.
The use of network policies in OpenShift allows administrators to define rules for incoming and outgoing traffic, further enhancing security.
By implementing these measures, organizations can create a secure environment for their applications and data.
Reference Architectures
When designing a container security architecture, it's essential to start with a solid reference architecture. The NIST SP 800-190 container application security guide is a great starting point, published by the National Institute of Standards and Technology (NIST).
This guide provides a framework for building a secure container architecture, which can be used as a foundation for your own design. The 5 pillars of the NIST SP 800-190 reference architecture are a key part of this framework.
The 5 pillars are a crucial component of the NIST SP 800-190 reference architecture, and they provide a comprehensive approach to container security. They are also reflected in the features of Red Hat OpenShift and Quay.
By understanding these pillars and how they relate to Red Hat OpenShift and Quay, you can build a more secure container architecture that meets your organization's needs.
Central Architecture
Central architecture can be a complex beast, often consisting of multiple security appliances that form a significant security stack. This central security architecture can be a kludge of devices, but it provides a centralized point for security enforcement.
Each component within the application doesn't need to worry about carrying out security checks, as they occur centrally for them. This can be a huge relief, especially for developers who don't want to deal with security protocols.
However, having a central security stack doesn't mean individual components are off the hook. They still need to be concerned with security individually, especially when it comes to accepting external connections.
Host OS
When choosing a container host OS, security should be your top priority. Ideally, the container host OS should be secure, minimal, immutable, and easy to manage and keep up to date.
A good example of a container-focused OS is Red Hat Core OS, which is immutable, read-only, and lockdown minimal. This makes it a great base for Red Hat OpenShift 4. Red Hat Core OS is a great choice because it's designed specifically for container deployment.
With Red Hat Core OS, you get an additional layer of security thanks to SELinux, which is turned on by default. This provides an extra layer of protection for your host OS.
To further limit a container's access to the host's Linux kernel, you can use Seccomp, a sandboxing facility in the Linux kernel. Custom Seccomp profiles can be defined to filter out undesirable system calls within containers.
Here are the key features of a secure container host OS:
- Secure: Protects against common security threats
- Minimal: Reduces the attack surface by minimizing the number of components
- Immutable: Ensures that the OS remains unchanged and unmodified
- Easy to manage and keep up to date: Simplifies maintenance and updates
Istio/Service Mesh
Istio/Service Mesh is a platform framework that allows operators to successfully and efficiently run a distributed microservice architecture.
It provides a uniform way to secure, connect and monitor microservices, with core features including traffic management, security, and observability.
Using Istio with Kubernetes increases benefits, including secure pod-to-pod or service-to-service communication at the network and application layers.
Istio's policy enforcement component can be extended and customized to integrate with existing solutions for ACLs, logging, monitoring, quotas, auditing, and more.
Authorization and Access Control
Authorization and Access Control is a crucial aspect of OpenShift security. It involves managing user identities, permissions, and secure communication channels to ensure that only authorized users have access to sensitive resources.
OpenShift has a built-in authorization system called Role-Based Access Control (RBAC), which allows administrators to define and manage user permissions at a granular level. This includes defining roles, assigning permissions, and controlling access to various resources.
To understand cluster access, it's essential to know that it refers to authenticating and authorizing users or entities to interact with an OpenShift cluster. This involves managing user identities, permissions, and secure communication channels.
OpenShift supports integration with various identity management solutions, such as LDAP, GitHub, and GitLab, to provide a centralized identity and access management backend.
Here are some ways to control access via OAuth:
- Authentication to API control access is archived getting a secured token for authentication via OAuth servers, which comes inbuilt in OpenShift master machine.
- As an administrator, you have the capability to modify the configuration of OAuth server configuration.
OpenShift also provides a secure-by-default option, which enhances security by forbidding running containers as root and limiting access to protected functions.
Here are the default security context constraints in OpenShift:
To request access to protected functions, a pod must specify those permissions in the security context field of the pod manifest. The manifest also specifies the service account that should be able to grant this access.
OpenShift also allows administrators to create custom roles with specific rules for users or groups that need more granular access control. This can be done by creating a new role with the necessary rules and then binding it to the user or group.
Resource Protection
Resource Protection is crucial in OpenShift security. It's essential to protect compute, memory, and storage resources during an attack to prevent starving all container pods of their required resources.
Cryptocurrency mining exploits are a prime example of this, where attackers run resource-intensive operations on hijacked hosts. This can have devastating effects on the cluster.
Cluster administrators can use quotas and limit ranges to set constraints and limit the number of objects or computing resources used in each project. This helps manage and allocate resources across all projects and ensures no project uses more than is suitable for the cluster size.
Protecting Resources
Protecting resources is crucial to prevent attacks from starving container pods of their required resources. This can happen during cryptocurrency mining exploits where attackers run resource-intensive operations on hijacked hosts.
Using quotas and limit ranges, cluster administrators can set constraints to limit the number of objects or amounts of computing resources used in each project. This helps manage and allocate resources across all projects.
Resource-intensive operations can have a significant impact on a cluster's performance. To prevent this, cluster administrators can set quotas and limit ranges to ensure that no project uses more than its fair share of resources.
Here are some best practices for setting quotas and limit ranges:
By setting quotas and limit ranges, cluster administrators can ensure that resources are used efficiently and that no project dominates the cluster's resources. This helps maintain a healthy and balanced cluster environment.
Remove
Removing unnecessary resources is crucial for effective resource protection. This includes isolating pods from other projects in OpenShift to prevent communication between them.
To achieve this, network namespaces are used, giving each pod its own IP and port range for network traffic.
This isolation prevents pods from interfering with each other.
In OpenShift, containers run with minimum resources and privileges needed to function effectively, known as Least Privilege.
This prevents containers from unduly interfering with the host or other containers.
Here are the key methods to control access to resources in OpenShift:
- Controlling access via oAuth
- Via self-service web console
- By Certificates of platform
Networking and Firewalls
Cloud native firewalls provide similar functionality to traditional firewalls but run natively in a Kubernetes cluster, offering extra filtering and monitoring over network policies.
These firewalls can be used to secure external connectivity and protect against threats like SQL injection and cross-site scripting (XSS). A web access firewall (WAF) can be used to protect against such threats.
Next-generation cloud-native firewalls are a great option for securing external connectivity, especially in a Kubernetes cluster.
Here are some key features of cloud-native firewalls:
- Extra filtering and monitoring over network policies
- Securing external connectivity
- Protecting against threats like SQL injection and cross-site scripting (XSS)
Pod Connectivity
Pod connectivity is crucial to secure as much as external connectivity to the containers. Inter-pod connectivity can be a vulnerability if not properly secured.
Pods are non-isolated by default on vanilla Kubernetes, accepting traffic from any source. This means that if one pod is compromised, attackers can easily move to adjacent containers.
You can control inter-pod communication with network policies, having fine-grained control over the ports and pods they communicate with. Network policies can select specific pods and restrict their connections.
OpenShift 4 multitenant mode provides project-level isolation for pods and services. This means that pods from different projects can't send or receive packets from pods and services of a different project.
Isolation can be disabled for a project, allowing it to send network traffic to all pods and services in the entire cluster and receive network traffic from those pods and services.
Cloud Native Firewalls
Cloud native firewalls are a game-changer for Kubernetes clusters. They provide similar functionality to traditional firewalls, but run natively within the cluster.
These firewalls offer extra filtering and monitoring capabilities beyond the network policies discussed earlier. This is especially useful for securing access to your Kubernetes cluster.
In a typical enterprise setup, cloud native firewalls can be used to protect against threats such as SQL injection and cross-site scripting (XSS). They can also limit access rates for application endpoints hosted in the Kubernetes cluster.
Here are some key benefits of cloud native firewalls:
- Extra filtering and monitoring capabilities
- Protection against threats such as SQL injection and cross-site scripting (XSS)
- Limit access rates for application endpoints
Overall, cloud native firewalls are an essential component of a comprehensive security strategy for Kubernetes clusters.
Authentication and Authorization
OpenShift supports integration with various identity management solutions, such as FreeIPA/Identity Management, Active Directory, GitHub, Gitlab, OpenStack Keystone, and OpenID.
Authentication in OpenShift refers to the process of validating one's identity, whereas authorization determines roles and permissions for a user. Users aren't created in OpenShift but are provided by an external entity, like an LDAP server or GitHub.
OpenShift has built-in OAuth server and supports integration with multiple identity providers, including Keystone, LDAP, GitHub, GitLab, Google, and OpenID Connect.
OAuth is used to control access to the API, and a secured token is obtained for authentication via OAuth servers, which comes inbuilt in the OpenShift master machine.
To authenticate users, OpenShift recommends integrating with OAuth or LDAP provider for an enterprise identity and access management backend.
Here are some of the identity providers supported by OpenShift:
- Keystone
- LDAP
- GitHub
- GitLab
- GitHub Enterprise (new with 3.11)
- OpenID Connect
- Security Support Provider
- Interface (SSPI) to support SSO
- Flows on Windows (Kerberos)
RBAC (Role-Based Access Control) in OpenShift is built around the concepts of rules, roles, and role bindings. Rules define actions allowed on specific resources, roles are collections of rules, and role bindings associate users or groups with roles.
OpenShift allows administrators to define and manage user permissions at a granular level using RBAC, which is a crucial component of OpenShift security.
Frequently Asked Questions
What is TLS in OpenShift?
TLS in OpenShift refers to Transport Layer Security, a protocol used to secure data transmission between components. It's based on Mozilla's recommended configurations to ensure secure communication.
Sources
- https://www.stigviewer.com/stig/red_hat_openshift_container_platform_4.12/
- https://www.wwt.com/article/securing-container-infrastructure-red-hat-openshift
- https://www.tigera.io/learn/guides/kubernetes-security/openshift-security/
- https://www.tutorialspoint.com/openshift/openshift_security.htm
- https://network-insight.net/2022/05/11/openshift-security-best-practices/
Featured Images: pexels.com