Today NeuVector demonstrated its ‘tech-preview’ implementation of important draft security benchmarks for the Red Hat OpenShift Platform. These benchmarks, drafted by the Red Hat OpenShift team and inspired by the CIS Benchmarks for Kubernetes, provide an important and much needed set of security auditing checks for the deployment of OpenShift.
The benchmarks, similar to the ones for Kubernetes, evaluate the configuration of the master node components such as the critical api-server or etcd control plane containers, worker node components such as the kubelet, and other orchestrator, host, and container configurations to provide a Pass or Warning status for each check, as well as an overall benchmark score. If appropriate, remediation advice is provided for each check.
NeuVector automatically runs the appropriate master or worker node benchmarks on every OpenShift node in the cluster, displaying the results as shown below.
The results of the OpenShift benchmarks include Profile and Scored entries, which help admins to assess how critical each benchmark is. For example, a Level 1 profile is used for basic security hygiene, while Level 2 profiles are considered more advanced, for defense in depth. The Scored column indicates whether that benchmark’s results will be used in the calculation of the overall security score.
These OpenShift benchmarks are also summarized in the NeuVector Vulnerability and Compliance Explorer tool to help security admins evaluate, track, and report on compliance benchmarks and vulnerabilities.
Admins can also create automated responses for the OpenShift benchmarks by creating Response Rules.
These can trigger automated webhook alerts or even container quarantines. For example, if a new master node joins the cluster and the apiserver 1.1.1 benchmark fails, an automated webhook alert can be sent to a Slack channel or an IT security case can be opened.
Watch the on-demand webinar with an overview of Red Hat OpenShift security by Dave Meurer, Global Solutions Architect at Red Hat, and see a short demo of the new OpenShift benchmarks running in NeuVector below.
NeuVector is pleased to partner with the Red Hat OpenShift team to implement the automated running of these draft ‘CIS inspired’ benchmarks, and we will continue to work with Red Hat and the Center for Internet Security community as these benchmarks move to an officially approved status.
Please contact us if you’d like to schedule a private demo today.