Containers and tools like Red Hat OpenShift let enterprises automate many aspects of application deployment, with significant business benefits. But it is easy to forget to automate the security aspects of containers as well. OpenShift ships with many built-in features for security automation, but don't stop there: automating run-time security for OpenShift deployments is just as critical for preventing damaging exploits and attacks.
By now you may realize that container deployments are just as vulnerable to attacks and exploits from hackers and insiders as traditional environments, which makes OpenShift security automation a critical component of every deployment. For an excellent overview of Kubernetes security, see this post. Security needs to be built into every phase of the CI/CD container deployment life cycle, not bolted on at the end.
Here is an overview of the Red Hat OpenShift platform and products, along with advice for locking down systems before containers are deployed to production. In this video, Andrew Toth from Red Hat outlines typical threats and the security measures that protect container deployments, and covers the built-in security features of OpenShift and Kubernetes. Glen Kosaka from NeuVector then presents OpenShift security automation using advanced Kubernetes container security features to improve visibility and protection in production.
In addition to the core container firewall features discussed in the video, NeuVector integrates with the Red Hat OpenShift platform to make it easier for security and DevOps teams to automate OpenShift security. Here are some of the integration points between NeuVector and OpenShift.
Image Vulnerability Scanning – Enforcement by OpenShift
NeuVector, through its Jenkins plug-in, scans images during the build process and tags them based on the vulnerabilities discovered. OpenShift can control the deployment of containers based on those tags, so containers with a given vulnerability profile or status are either allowed or prevented from being deployed.
NeuVector can also scan the images in local OpenShift registries for vulnerabilities. Any image pushed to a registry is scanned automatically, and scanning can be configured to cover only selected directories if desired.
Role-Based Access Controls
NeuVector automatically reads the RBAC configuration in OpenShift and allows those users and roles to be mapped onto the NeuVector product, so access to the NeuVector console and API is controlled in the same seamless way. For example, developers who can access the Guest project in OpenShift can be granted read-only access to see Guest network connections and security events in NeuVector, while cluster admins can be granted access to all projects in NeuVector in order to review and set security policy for them.
Run-Time Security Policy
NeuVector supports automated creation of policy rules that isolate application network traffic and restrict each container to its allowed processes. These rules can be created programmatically through the NeuVector REST API and integrated into the OpenShift deployment pipeline, so a workload's run-time policy is applied in the same step that deploys it. NeuVector supports using OpenShift project names (namespaces), labels, and other identifiers as part of the policy rule set.
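The following is an added example, not NeuVector's or Red Hat's code, of what such a pipeline step looks like in practice: it derives network and process rules for a workload from its OpenShift project name and labels and submits them over REST. The Deployment, the allowed peers and the allowed processes are constructed sample data; the `/v1/policy` path and the JSON rule shape are placeholders for illustration and are not NeuVector's actual API schema. The security point it makes is that every selector must be scoped to a namespace, since a bare label such as `app=api` would otherwise match a same-named pod in any project.

```python
"""Derive run-time policy rules from an OpenShift Deployment and submit them.

Added example for this article (not NeuVector's or Red Hat's code). The REST
path and JSON shape below are assumed placeholders, not a real product API.
"""
import json
import urllib.request

# Constructed sample input: the Deployment a pipeline is about to roll out.
DEPLOYMENT = {
    "metadata": {
        "name": "web",
        "namespace": "guest",  # OpenShift project name
        "labels": {"app": "web", "tier": "frontend"},
    },
}

# Constructed: what the pipeline knows the workload legitimately needs.
ALLOWED_PEERS = [
    {"namespace": "guest", "labels": {"app": "api"}, "ports": ["tcp/8080"]},
]
ALLOWED_PROCESSES = [
    {"name": "nginx", "path": "/usr/sbin/nginx"},
]


def selector(namespace, labels):
    """Build a namespace-scoped selector string. Labels are sorted so the
    output is stable across pipeline runs, which matters when policy is
    kept as code and diffed."""
    if not namespace:
        raise ValueError("selector must be scoped to a namespace")
    parts = [f"namespace={namespace}"]
    parts += [f"{key}={labels[key]}" for key in sorted(labels)]
    return ",".join(parts)


def workload_selector(deployment):
    meta = deployment["metadata"]
    return selector(meta["namespace"], meta.get("labels", {}))


def network_rules(deployment, peers):
    """Allow-list connections from the workload to each named peer, then deny
    everything else. A peer without a namespace is rejected rather than
    silently becoming a cluster-wide match."""
    src = workload_selector(deployment)
    rules = []
    for peer in peers:
        dst = selector(peer.get("namespace"), peer.get("labels", {}))
        rules.append({"from": src, "to": dst,
                      "ports": sorted(peer["ports"]), "action": "allow"})
    rules.append({"from": src, "to": "any", "ports": ["any"], "action": "deny"})
    return rules


def process_rules(deployment, processes):
    """Allow only the listed executables inside the workload's containers;
    anything else that starts is a violation."""
    group = workload_selector(deployment)
    allowed = [{"name": p["name"], "path": p["path"]} for p in processes]
    return [{"group": group, "allow": allowed, "default": "deny"}]


def policy_bundle(deployment, peers, processes):
    return {
        "workload": deployment["metadata"]["name"],
        "network": network_rules(deployment, peers),
        "process": process_rules(deployment, processes),
    }


def submit(bundle, base_url, token):
    """POST the bundle to the policy API (placeholder path). The bearer token
    should come from a pipeline secret, never from the repository."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/v1/policy",  # assumed endpoint
        data=json.dumps(bundle).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # Print the rules a pipeline would submit; call submit(...) to send them.
    print(json.dumps(policy_bundle(DEPLOYMENT, ALLOWED_PEERS, ALLOWED_PROCESSES),
                     indent=2))
```

In a pipeline the deployment manifest would be read from the repository and the peer and process lists kept beside it, so the rules are reviewed in the same pull request as the code they protect; the trailing deny rules are what turn the allow-list into isolation rather than a set of hints.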
OpenShift Security Automation In Practice
There are many built-in security features in the Red Hat OpenShift platform, and many of them can be automated as part of the CI/CD process. NeuVector extends these features and integrates with OpenShift to automate run-time security as seamlessly as possible.