Securing A Multitenant Kubernetes Cluster - Red Hat


Securing A Multitenant Kubernetes Cluster
Victoria, BC
Kirsten Newcomer, Senior Principal Product Manager

CONTAINERS ARE THE NEW WAY TO DELIVER APPLICATIONS
[Diagram: a virtual machine stack (hardware, hypervisor, guest OS, apps) beside a container stack (hardware, container host kernel, containers each carrying an app and its OS dependencies).]
VMs virtualize the hardware; containers virtualize the process.
CONTAINER DEPLOYMENTS ARE INCREASING

KUBERNETES IS THE NEW WAY OF AUTOMATING APPLICATION RESILIENCY
- Auto scale
- Health checks
- Networking (CNI) & routing
- Platform HA
- Application HA

OPENSHIFT IS KUBERNETES FOR THE ENTERPRISE
Kubernetes release -> 1-3 months of hardening -> OpenShift release:
- Security fixes
- 100s of defect and performance fixes
- 200 validated integrations
- Middleware integrations (container images, storage, networking, cloud services, etc.)
- 9 year enterprise lifecycle management
- Certified Kubernetes

OPENSHIFT HELPS YOU DELIVER APPLICATIONS FASTER
Cloud-native applications, AI & machine learning, blockchain, Internet of Things, innovation culture.
CONTAINERS, KUBERNETES, MICROSERVICES & DEVOPS ARE KEY INGREDIENTS

RED HAT OPENSHIFT BUSINESS VALUE
- 531% 5-year ROI
- 66% faster development lifecycle
- 36% more applications per year
- 8 months payback period
- 1.29M average annual benefits per 100 developers
Source: The Business Value of Red Hat OpenShift, IDC #US41845816, October (link truncated in the transcription: ...ss-Value-of-Red-Hat-OpenShift)

OPENSHIFT IS ENTERPRISE KUBERNETES
BUSINESS CRITICAL APPLICATIONS RUN ON OPENSHIFT
"Red Hat OpenShift allows us to go to market faster. We can move microservices and applications on OpenShift in a few seconds. That's the impact this has on our business." -- Luis Uguina, Chief Digital Officer, Macquarie Bank
- Digital-first bank, reshaping the Australian banking market
- Rethinking their mobile customer experience
- Using RHEL, OpenShift and JBoss Fuse
- More than 60 business critical applications on OpenShift
"This new model is helping us hire and retain top talent."
View the Macquarie Bank keynote

RED HAT PARTNER OROCK ACHIEVES FEDRAMP MODERATE ATO
RESTON, Va., July 23, 2019 /PRNewswire/ -- ORock Technologies, Inc. today announced that it received authorization from the Federal Risk and Authorization Management Program (FedRAMP) to offer Red Hat OpenShift Container Platform within its FedRAMP Moderate ...
(source link truncated in the transcription: .../ws/2019-07-23/)

SECURING A MULTI-TENANT CLUSTER
Requires security throughout the stack and the IT lifecycle:
- DESIGN: identify security requirements & governance models
- BUILD: built-in from the start; not bolted-on
- RUN: deploy to trusted platforms with enhanced security capabilities
- MANAGE: automate systems for security & compliance
- ADAPT: revise, update, remediate as the landscape changes
Security policy, process & procedures span the whole lifecycle.

DEVSECOPS THROUGH THE ADOPTION OF CONTAINERS
"We created Dev and Ops and Security user stories and tackled them together."
"I can break builds if security and compliance rules aren't followed."
"We're empowering the developers and ideally empowering them straight ..."
Federal 2017 - The Journey to DevSecOps

OPENSHIFT ENABLES MULTI-TENANCY
Layers and lifecycle:
1. Host OS
2. Container platform
3. Network
4. Containerized applications

1. HOST OS CONTAINER MULTI-TENANCY
Container security starts with Linux security.
- Security in the RHEL host applies to the container: it protects not only the host, but containers from each other
- RHEL CoreOS provides a minimized attack surface
- Common Criteria certification, including the container framework
- SELinux and kernel namespaces are the one-two punch no one can beat
[Diagram: the Linux container host (kernel) underneath the Kubernetes kubelet and the containers; each container (app plus its Linux O/S dependencies) is confined by kernel namespaces, cgroups, seccomp and SELinux (sVirt), with identity and audit/logs provided by the host.]

IMMUTABLE OPERATING SYSTEM
Red Hat Enterprise Linux CoreOS is versioned with OpenShift:
- Only what's needed to run containers
- Immutable image-based deployments & updates
- Read-only & locked down
- Managed by Kubernetes Operators
Red Hat Enterprise Linux CoreOS is managed by the cluster. The operating system is operated as part of the cluster, with the config for components managed by the Machine Config Operator:
- CRI-O config
- Kubelet config
- Authorized registries
- SSH config
The control plane runs on RHEL CoreOS; worker nodes can run RHEL CoreOS or RHEL.
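As an added example of the "authorized registries" item above (this manifest is not from the slides), the cluster-scoped Image config resource is where an administrator restricts which registries nodes may pull from; the Machine Config Operator renders it into every node's registries.conf. The registry hostnames ending in example.internal are assumptions for illustration.

```yaml
# Added example: restrict image sources cluster-wide (OpenShift 4).
apiVersion: config.openshift.io/v1
kind: Image
metadata:
  name: cluster
spec:
  registrySources:
    # allowedRegistries and blockedRegistries are mutually exclusive.
    # With an allow list, pulls from anything not listed are refused by CRI-O.
    allowedRegistries:
      - quay.io                       # OpenShift release payload images
      - registry.redhat.io
      - registry.access.redhat.com
      - image-registry.openshift-image-registry.svc:5000   # the cluster's internal registry
      - quay.example.internal         # assumed: the organisation's private Quay
    # Plain-HTTP pulls only from an explicitly named test registry (assumed name).
    insecureRegistries:
      - registry.test.example.internal:5000
```

The allow list must keep the registries the platform itself pulls from (the release payload registry and the internal registry), otherwise cluster updates and builds fail at the pull step; verify with `oc debug node/<node> -- chroot /host cat /etc/containers/registries.conf` after the Machine Config Operator has rolled the change out.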

2. THE CONTAINER PLATFORM
OpenShift security & multitenancy features include:
- Host & runtime security
- Identity and access management
- Project namespaces
- Integrated & extensible secrets management
- Logging, monitoring, metrics
[Diagram: master and worker nodes; Red Hat OpenShift services (registry, monitoring, DNS, SDN, tuned, logging), Kubernetes services (etcd, service CA) and infrastructure services beside user workloads, over compute, network and storage.]

RUNTIME SECURITY POLICIES
SCC (Security Context Constraints)
- Allow administrators to control permissions for pods
- The restricted SCC is granted to all authenticated users
- By default, no containers can run as root
- An admin can grant access to the privileged SCC
- Custom SCCs can be created
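An added example of a custom SCC (not from the slides): instead of handing a workload the privileged SCC because it needs to bind port 443, derive a constraint from restricted that permits exactly one Linux capability, and grant it to a single service account through RBAC. The SCC name, the project payment-prod and the service account edge-proxy are assumptions.

```yaml
# Added example: least-privilege custom SCC plus the RBAC that grants it.
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: restricted-bind-service       # assumed name
allowPrivilegedContainer: false
allowPrivilegeEscalation: false
allowHostNetwork: false
allowHostPID: false
allowHostIPC: false
allowHostPorts: false
allowHostDirVolumePlugin: false
readOnlyRootFilesystem: true          # writable paths must come from volumes
allowedCapabilities:
  - NET_BIND_SERVICE                  # the one extra thing this workload needs
defaultAddCapabilities: []
requiredDropCapabilities:
  - ALL                               # everything else is dropped; the pod re-adds NET_BIND_SERVICE explicitly
runAsUser:
  type: MustRunAsRange                # UID comes from the project's annotation, never 0
seLinuxContext:
  type: MustRunAs                     # MCS label comes from the project's annotation
fsGroup:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - projected
  - secret
users: []                             # grant via RBAC below, not by listing users here
groups: []
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: use-scc-restricted-bind-service
rules:
  - apiGroups: ["security.openshift.io"]
    resources: ["securitycontextconstraints"]
    resourceNames: ["restricted-bind-service"]
    verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: edge-proxy-scc
  namespace: payment-prod             # assumed project
subjects:
  - kind: ServiceAccount
    name: edge-proxy                  # assumed service account
    namespace: payment-prod
roleRef:
  kind: ClusterRole
  name: use-scc-restricted-bind-service
  apiGroup: rbac.authorization.k8s.io
```

Admission tries the SCCs available to the pod's service account in order and picks the first one the pod validates against, so pods from edge-proxy that do not request NET_BIND_SERVICE in their container securityContext still land on restricted; only a pod that adds the capability falls through to this SCC. Check which SCC a running pod was admitted under with `oc get pod <name> -o jsonpath='{.metadata.annotations.openshift\.io/scc}'`.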

IDENTITY AND ACCESS MANAGEMENT
OpenShift includes an OAuth server, which does three things:
- Identifies the person requesting a token, using a configured identity provider
- Determines a mapping from that identity to an OpenShift user
- Issues an OAuth access token which authenticates that user to the API
Supported identity providers include:
- Keystone
- LDAP
- GitHub
- GitLab
- GitHub Enterprise (new with 3.11)
- Google
- OpenID Connect
- Security Support Provider Interface (SSPI) to support SSO flows on Windows (Kerberos)
See: Managing Users and Groups in OpenShift; Configuring Identity Providers
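The three steps above map onto fields of the cluster OAuth resource in OpenShift 4. The following LDAP identity-provider configuration is an added example, not from the slides; the directory hostname, base DN, bind DN and the names of the Secret and ConfigMap are assumptions.

```yaml
# Added example: OAuth server configured with one LDAP identity provider.
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
    - name: corp-ldap                 # assumed; becomes the prefix of the identity name
      # Step 2, identity -> user mapping. "claim" lets the first identity that
      # presents a user name own it; a different provider presenting the same
      # name later is refused instead of silently sharing the account.
      mappingMethod: claim
      type: LDAP
      ldap:
        # Step 1, who is asking: bind as the user found by this search.
        url: "ldaps://ldap.example.com/ou=people,dc=example,dc=com?uid?sub?(objectClass=inetOrgPerson)"
        bindDN: "cn=openshift-bind,ou=service,dc=example,dc=com"
        bindPassword:
          name: ldap-bind-password    # Secret in openshift-config, key bindPassword
        ca:
          name: ldap-ca               # ConfigMap in openshift-config, key ca.crt
        insecure: false               # refuse to fall back to cleartext LDAP
        attributes:
          id: [dn]                    # stable identifier, survives a uid rename
          preferredUsername: [uid]
          name: [cn]
          email: [mail]
  # Step 3, the issued token: shorten its life from the 24 h default.
  tokenConfig:
    accessTokenMaxAgeSeconds: 28800
```

After applying it, watch the OAuth server roll out (`oc get pods -n openshift-authentication`) and test a login with an account that is not cluster-admin; with mappingMethod claim, a user who first logged in through a previously configured provider under the same name will be refused until an administrator reconciles the identities.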

PROJECTS ISOLATE APPLICATIONS
across teams, groups and departments
[Diagram: separate projects such as PAYMENT DEV, PAYMENT PROD, CATALOG and INVENTORY, each holding its own pods and containers.]

RESTRICT ACCESS BY NEED TO KNOW
Role based authorization (RBAC)
- Project scope & cluster scope available
- Matches request attributes (verb, object, etc.)
- If no roles match, the request is denied (deny by default)
- Operator- and user-level roles are defined by default
- Custom roles are supported
For more information see: Managing RBAC in OpenShift
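An added example of a project-scoped custom role (not from the slides) that gives a support team read access to pods and their logs in the payment-prod project from the earlier slide, and nothing else; the role name and the group name payment-support are assumptions.

```yaml
# Added example: least-privilege Role and RoleBinding in one project.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: support-readonly        # assumed name
  namespace: payment-prod       # project name from the slides' example
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch"]
# No rule mentions secrets, pods/exec or pods/portforward, so those requests
# match nothing and fall through to the deny-by-default path.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: payment-support
  namespace: payment-prod
subjects:
  - kind: Group
    name: payment-support       # assumed group, synced from the identity provider
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role                    # a Role binding never grants anything outside this project
  name: support-readonly
  apiGroup: rbac.authorization.k8s.io
```

Verify the boundary before handing it over: `oc auth can-i get pods/log -n payment-prod --as=alice --as-group=payment-support` should answer yes, while `oc auth can-i get secrets -n payment-prod --as=alice --as-group=payment-support` and the same question against another project should answer no.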

SECRETS MANAGEMENT
- Platform secrets are stored in etcd
- Application secrets can be stored in etcd or an external vault
- Secrets are made available as environment variables or volume mounts
- Passwords and credentials, SSH keys, certificates
- Interaction with external systems (e.g. vaults)
- Encrypted in transit and at rest* (in OpenShift 4, encryption of secrets at rest in etcd is opt-in and must be enabled by the cluster administrator)
- Never rest on the nodes
[Diagram: secrets held in the distributed store on the master and delivered to containers on the node.]
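Two added manifests (not from the slides) that turn the bullets above into configuration: the cluster-scoped APIServer resource that switches on encryption of Secrets and ConfigMaps in etcd, and a pod that consumes a secret as a read-only volume rather than as environment variables. The secret name db-credentials, the image and the project are assumptions.

```yaml
# Added example 1: opt in to encryption at rest for etcd-stored secrets (OpenShift 4).
apiVersion: config.openshift.io/v1
kind: APIServer
metadata:
  name: cluster
spec:
  encryption:
    type: aescbc        # existing objects are re-encrypted in the background
---
# Added example 2: deliver a secret to a pod as a tmpfs-backed, read-only file.
apiVersion: v1
kind: Pod
metadata:
  name: payment-api
  namespace: payment-prod                 # assumed project
spec:
  automountServiceAccountToken: false     # the SA token is itself a secret; skip it unless the pod talks to the API
  containers:
    - name: app
      image: quay.example.internal/payments/payment-api:1.4   # assumed image
      volumeMounts:
        - name: db-creds
          mountPath: /run/secrets/db
          readOnly: true
  volumes:
    - name: db-creds
      secret:
        secretName: db-credentials        # assumed secret with keys username/password
        defaultMode: 0400                 # readable only by the container's UID
```

A file mount is preferred over env variables because environment is inherited by every child process, shows up in crash dumps and in `oc rsh`-style troubleshooting sessions, and cannot be rotated without restarting the pod, whereas the kubelet refreshes mounted secret files in place. Progress of the at-rest encryption can be followed with `oc get openshiftapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.reason}{"\n"}{.message}{"\n"}'`.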

CLUSTER CERTIFICATE MANAGEMENT
- Certificates are used to provide secure connections to the master and nodes, the ingress controller and registry, and etcd
- Certificate rotation is automated
- Configure external endpoints to use custom certificates (for example, the console, registry and ingress)
See: Requesting and Installing Let's Encrypt Certificates for OpenShift 4
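An added example (not from the slides) of pointing the two externally visible endpoints at custom certificates in OpenShift 4: the default ingress controller, which serves every Route, and the API server's external hostname. The secret names and the hostname api.cluster.example.com are assumptions; the secrets are created from PEM files with `oc create secret tls <name> --cert=fullchain.pem --key=privkey.pem -n <namespace>`.

```yaml
# Added example: custom serving certificates for ingress and the external API endpoint.
apiVersion: operator.openshift.io/v1
kind: IngressController
metadata:
  name: default
  namespace: openshift-ingress-operator
spec:
  defaultCertificate:
    name: apps-wildcard-tls     # assumed kubernetes.io/tls Secret in the openshift-ingress namespace
---
apiVersion: config.openshift.io/v1
kind: APIServer
metadata:
  name: cluster
spec:
  servingCerts:
    namedCertificates:
      - names:
          - api.cluster.example.com        # assumed external API hostname only
        servingCertificate:
          name: api-server-tls             # assumed kubernetes.io/tls Secret in openshift-config
```

Keep the internal names (api-int and the service hostnames) out of namedCertificates: those remain on the automatically rotated cluster-issued certificates, and a manually issued certificate there would stop being rotated for you.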

CLUSTER MONITORING
- Cluster monitoring is installed by default
- Exposes resource metrics for Horizontal Pod Autoscaling (HPA) by default
- HPA based on custom metrics is tech preview
- No manual etcd monitoring configuration anymore
- New screens for managing alerts & silences
- More metrics available for troubleshooting purposes (e.g. HAProxy)
- Configuration via ConfigMaps and Secrets

CLUSTER LOG MANAGEMENT
Install the Elasticsearch and Cluster Logging Operators from OperatorHub.
- The EFK stack aggregates logs for hosts and applications:
  - Elasticsearch: a search and analytics engine to store logs
  - Fluentd: gathers logs and sends them to Elasticsearch
  - Kibana: a web UI for Elasticsearch
- Access control: cluster administrators can view all logs; users can only view logs for their projects
- Central audit policy configuration
- Ability to send logs elsewhere: external Elasticsearch, Splunk, etc.

Configured via a CRD (the slide's manifest, re-indented; the transcription is cut off after "curation:"):

```yaml
apiVersion: "logging.openshift.io/v1"
kind: "ClusterLogging"
metadata:
  name: "instance"
  namespace: "openshift-logging"
spec:
  managementState: "Managed"
  logStore:
    type: "elasticsearch"
    elasticsearch:
      nodeCount: 3
      resources:            # sizing as shown on the slide; production Elasticsearch needs far more memory
        limits:
          cpu: 800m
          memory: 1Gi
        requests:
          cpu: 800m
          memory: 1Gi
      storage:
        storageClassName: gp2
        size: 100G
      redundancyPolicy: "SingleRedundancy"
  visualization:
    type: "kibana"
    kibana:
      replicas: 1
  curation:
```
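For the "send logs elsewhere" and "audit policy" bullets, an added example (not from the slides) using the ClusterLogForwarder resource that later OpenShift Logging releases ship as the GA forwarding API; it is not the tech-preview mechanism contemporary with these slides. The external Elasticsearch URL and the secret name are assumptions.

```yaml
# Added example: ship API-server audit logs to an external SIEM store the
# cluster's own tenants cannot reach, keep app/infra logs in the internal store.
apiVersion: logging.openshift.io/v1
kind: ClusterLogForwarder
metadata:
  name: instance
  namespace: openshift-logging
spec:
  outputs:
    - name: soc-elasticsearch
      type: elasticsearch
      url: https://es.soc.example.internal:9200     # assumed
      secret:
        name: soc-es-tls          # assumed Secret in openshift-logging holding tls.crt, tls.key, ca-bundle.crt
  pipelines:
    - name: audit-offcluster
      inputRefs: [audit]          # node auditd, kube-apiserver and openshift-apiserver audit logs
      outputRefs: [soc-elasticsearch]
    - name: app-and-infra
      inputRefs: [application, infrastructure]
      outputRefs: [default]       # the Elasticsearch instance defined in the ClusterLogging CR
```

The audit input is the one worth forwarding first: audit records are not stored in the internal log store unless a pipeline routes them there, and keeping them off-cluster means a compromised cluster-admin credential cannot delete the evidence of how it was used.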

3. NETWORK MULTI-TENANCY
Fine grained control with NetworkPolicy
- Enabled by default in OpenShift 4
[Diagram: Project A and Project B, each with several pods; a purple pod in Project A listens on 8080 and another pod listens on 5432.]
Example policies:
- Allow all traffic inside the project
- Allow traffic from green to gray
- Allow traffic to purple on 8080

The slide's manifest for the last policy, with the deprecated extensions/v1beta1 API replaced by networking.k8s.io/v1 (the policy name was garbled in the transcription and is reconstructed):

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-to-purple-8080    # name reconstructed
spec:
  podSelector:
    matchLabels:
      color: purple
  ingress:
    - ports:
        - protocol: TCP         # protocol names are case-sensitive: TCP, not tcp
          port: 8080
```
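The other two example policies, as an added example (not from the slides) that also shows the two pieces a default-deny posture needs in practice. It assumes gray pods live in project-a, green pods live in project-b, and project-b carries the namespace label tenant=project-b.

```yaml
# Added example: deny by default, then allow exactly what the slide lists.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: project-a
spec:
  podSelector: {}               # every pod in the project
  policyTypes: [Ingress]        # no ingress rules listed, so nothing is allowed in
---
# "Allow all traffic inside the project"
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: project-a
spec:
  podSelector: {}
  ingress:
    - from:
        - podSelector: {}       # any pod in this namespace; other namespaces stay blocked
---
# "Allow traffic from green to gray", with green living in another project
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-green-to-gray
  namespace: project-a
spec:
  podSelector:
    matchLabels:
      color: gray
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              tenant: project-b     # assumed namespace label
          podSelector:
            matchLabels:
              color: green          # both selectors in one entry: green pods in project-b only
---
# Without this, default-deny also cuts off the router, and every Route in the project breaks.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-openshift-ingress
  namespace: project-a
spec:
  podSelector: {}
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              network.openshift.io/policy-group: ingress   # label OpenShift 4 puts on the openshift-ingress namespace
```

Policies are additive: a connection is allowed if any policy selecting the destination pod allows it, so a tenant who can create NetworkPolicy objects in their own project can only open their own pods, never another project's. Test from a pod in project-b with `oc rsh` and a simple TCP connect to a gray pod's IP, then repeat from a pod that is not green and confirm it times out.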

MULTI-TENANT INGRESS & EGRESS CONTROL
- Application pods run on one OpenShift cluster, microsegmented with network security policies.
- Infra nodes in each zone run ingress and egress pods for specific zones. An egress firewall limits the external addresses accessed.
- If required, physical isolation of pods to specific nodes is possible with node selectors, but that can reduce worker node density.
- There may be cases where a single-tenant cluster is preferred.
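An added example (not from the slides) of the two controls named above on the OpenShift SDN: an egress firewall that pins a project to a short list of destinations, and a project-level node selector that confines the project's pods to dedicated nodes. The CIDR, the partner hostname and the node label zone=payments are assumptions.

```yaml
# Added example: egress firewall for one project (OpenShift SDN; on OVN-Kubernetes
# the equivalent resource is EgressFirewall in the k8s.ovn.org/v1 group).
apiVersion: network.openshift.io/v1
kind: EgressNetworkPolicy
metadata:
  name: default                 # only one EgressNetworkPolicy is allowed per project
  namespace: payment-prod
spec:
  egress:                       # rules are evaluated top to bottom; first match wins
    - type: Allow
      to:
        cidrSelector: 10.20.0.0/16            # assumed: internal payment gateway range
    - type: Allow
      to:
        dnsName: api.partner.example.com      # assumed; resolved periodically by the SDN
    - type: Deny
      to:
        cidrSelector: 0.0.0.0/0               # everything else, including the public internet
---
# Added example: keep every pod of the project on nodes labelled zone=payments.
apiVersion: v1
kind: Namespace
metadata:
  name: payment-prod
  annotations:
    openshift.io/node-selector: "zone=payments"   # assumed node label, merged into each pod at admission
```

The egress firewall does not apply to traffic that stays inside the cluster network, so it complements rather than replaces NetworkPolicy. The project node selector is enforced by the admission plugin: a tenant can narrow it with a pod-level nodeSelector but cannot contradict it, so it is a stronger isolation boundary than a selector a developer puts in their own Deployment.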

OPENSHIFT MULTUS
Optionally separate control plane and data plane
Multus enables multiple networks and adds new functionality to existing networking. The Multus CNI "meta plugin" for Kubernetes enables one to create multiple network interfaces per pod, and assign a CNI plugin to each interface created.
- 3.x capability: one OpenShift SDN CNI interface (eth0) per pod
- 4.x capability: OpenShift SDN remains the default plugin on eth0; additional CNI plug-ins with new functionality attach further interfaces (net0, ...)
  1. Create pod annotation(s) to call out a list of intended network attachments,
  2. each pointing to CNI network configurations packed inside CRD objects.
New, optional secondary plug-ins: macvlan, host-device, ipam (dhcp)
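The two-step flow above, as an added example (not from the slides): a NetworkAttachmentDefinition CRD object carrying a macvlan CNI configuration, and a pod whose annotation asks Multus for it. The host interface ens5, the project, the image and the static address are assumptions; a DHCP IPAM block would replace the static one but needs the DHCP shim daemon running on the nodes.

```yaml
# Added example: secondary data-plane interface via Multus.
apiVersion: k8s.cni.cncf.io/v1
kind: NetworkAttachmentDefinition
metadata:
  name: data-plane-macvlan
  namespace: payment-prod                  # assumed project; NADs are namespaced
spec:
  config: |
    {
      "cniVersion": "0.3.1",
      "type": "macvlan",
      "master": "ens5",                    # assumed host NIC on the data-plane VLAN
      "mode": "bridge",
      "ipam": {
        "type": "static",
        "addresses": [ { "address": "192.0.2.10/24" } ]
      }
    }
---
apiVersion: v1
kind: Pod
metadata:
  name: packet-processor
  namespace: payment-prod
  annotations:
    k8s.v1.cni.cncf.io/networks: data-plane-macvlan   # step 1: list of attachments, comma-separated
spec:
  containers:
    - name: app
      image: quay.example.internal/payments/packet-processor:1.4   # assumed
```

Traffic on the resulting net0 bypasses the OpenShift SDN entirely, so NetworkPolicy and the egress firewall do not see it: treat the ability to create NetworkAttachmentDefinition objects (resource network-attachment-definitions in the k8s.cni.cncf.io group) as an administrator privilege in RBAC, and in OpenShift 4 prefer defining attachments centrally through the Cluster Network Operator's additionalNetworks list rather than letting tenants author them.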

4. SECURING CONTAINERIZED APPLICATIONS
Secure and automate the content lifecycle
- Trust is temporal; rebuild and redeploy as t...
[Diagram: CI builds images into a private registry; ImageStream events carry content metadata to CD.]
- Track updates & simplify management with ImageStreams
- Use image change triggers to automatically rebuild custom images with updated (patched) external images
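An added example (not from the slides) of the ImageStream and trigger mechanism described above: an ImageStream that re-imports a base image on a schedule, and a BuildConfig whose ImageChange trigger rebuilds the application image whenever that base image tag moves. The git URL, the project and the image names are assumptions.

```yaml
# Added example: automatic rebuild when the external base image is patched.
apiVersion: image.openshift.io/v1
kind: ImageStream
metadata:
  name: ubi
  namespace: payment-dev                  # assumed project
spec:
  tags:
    - name: "8"
      from:
        kind: DockerImage
        name: registry.access.redhat.com/ubi8/ubi:latest
      importPolicy:
        scheduled: true                   # re-import periodically; a new digest fires the trigger below
      referencePolicy:
        type: Local                       # consumers pull through the internal registry, not upstream
---
apiVersion: build.openshift.io/v1
kind: BuildConfig
metadata:
  name: payment-api
  namespace: payment-dev
spec:
  source:
    type: Git
    git:
      uri: https://git.example.internal/payments/payment-api.git   # assumed
  strategy:
    type: Docker
    dockerStrategy:
      from:
        kind: ImageStreamTag
        name: ubi:8                       # FROM is resolved to the tracked tag, not a floating upstream tag
  output:
    to:
      kind: ImageStreamTag
      name: payment-api:latest
  triggers:
    - type: ImageChange
      imageChange: {}                     # rebuild when ubi:8 resolves to a new digest
    - type: ConfigChange
```

A DeploymentConfig ImageChange trigger on payment-api:latest completes the loop by rolling out the rebuilt image; the place to put a gate is between those two steps, for example a registry scan (Clair in Quay, next slide) that must pass before the tag the deployment watches is updated.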

RED HAT QUAY
Enterprise container registry
- Offered as self-managed and as-a-service
- Vulnerability scanning (Clair)
- Geographic replication
- Build image triggers
- Image rollback with Time Machine

CI/CD MUST INCLUDE SECURITY GATES
- Integrate security testing into your build / CI process
- Use automated policies to flag builds with issues
- Sign your custom images
[Diagram: OpenShift CI/CD pipeline (Jenkins): image build & deploy -> code quality -> vulnerability scan -> promote to test -> integration test -> promote to UAT -> QA/UAT -> promote to prod.]
Example scanning and quality tools: SonarQube, Atomic Scan, Fortify, Aqua Security, Black Duck, Clair, Sonatype, Twistlock

RED HAT SERVICE MESH
Key features:
- A dedicated network for service-to-service communications
- Observability and distributed tracing
- Policy-driven security
- Routing rules & chaos engineering
- Powerful visualization & monitoring
- Will be available via OperatorHub
- Working on multi-tenancy for GA (e.g. Kiali to use OpenShift RBAC)
Generally available in July

COMPREHENSIVE CONTAINER SECURITY
- CONTROL: container content, CI/CD pipeline, application security, container registry, operators
- DEFEND: container host multi-tenancy, container platform, network isolation, storage, audit & logging, service mesh, infrastructure
- EXTEND: security ecosystem

THE BROAD SECURITY ECOSYSTEM

Next Steps
Thank you for coming.
- Speak with a Red Hat expert here at Security Symposium
- Look for the slides in a "Thank You" email from us in the next few days
- Stay up to date with Red Hat at redhat.com/security
- Visit redhat.com/events to find out about workshops and other events like this one coming to your area
Feedback or questions? infrastructure@redhat.com

Security SymposiumThank you to our partner

REGULATORY COMPLIANCE WITH OPENSHIFT
- Red Hat contracted with Coalfire to provide a PCI-DSS technical controls product applicability guide (PCI-DSS 3.2) and reference architecture (PCI-DSS 3.2.1) for OpenShift
- Guides also available for ISO 27001 and FISMA (NIST)
- OpenShift Hardening Guide for 3.10 & 3.11; OpenShift 4 guide planned for Fall 2019

OPERATORS SIMPLIFY MANAGEMENT OF COMPLEX APPLICATIONS ON KUBERNETES
Operator categories: DevOps, APM, data services, database, Operator SDK, security, storage, and many more to come.

[Table residue from the certified Operators slide; attributes listed: containerized, cloud storage ready, container storage ready, replicated, backup, automated updates, enhanced observability, customization, local development, fully open source, any Kubernetes, certified on OpenShift.]

EVERYTHING RUNS IN PODS IN OPENSHIFT 4
Container image -> container -> pod, managed with operators, enabling day 2 config and automated updates.

BUILD OPERATORS FOR YOUR APPS
Operator SDK; use OLM to manage your application lifecycle
- Helm SDK: build operators from a Helm chart, without any coding
- Ansible SDK: build operators from Ansible playbooks and APBs
- Go SDK: build advanced operators for full lifecycle management

ATTACHED STORAGE
Secure storage by using:
- SELinux access controls
- Secure mounts
- Supplemental group IDs for shared storage
[Diagram: master and worker nodes with Red Hat OpenShift services, Kubernetes services, infrastructure services and user workloads over compute, network and storage.]
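An added example (not from the slides) of the pod-level settings behind those three bullets: fsGroup for a volume whose driver manages ownership, a supplemental group for a shared NFS export that does not, and a container that gives up every capability and its writable root. The GIDs, image, project and claim name are assumptions.

```yaml
# Added example: storage access controls expressed in the pod's securityContext.
apiVersion: v1
kind: Pod
metadata:
  name: report-writer
  namespace: inventory                    # assumed project
spec:
  securityContext:
    fsGroup: 5555                         # volume made group-owned by 5555 on mount (block/file drivers that support it)
    supplementalGroups: [6000]            # assumed GID that owns the NFS export; added to the process's group list
    seLinuxOptions:
      level: "s0:c123,c456"               # assumed MCS label; normally left to the SCC to fill in from the project
  containers:
    - name: app
      image: quay.example.internal/inventory/report-writer:2.1   # assumed
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true      # the only writable location is the mounted volume
        capabilities:
          drop: [ALL]
      volumeMounts:
        - name: reports
          mountPath: /data
  volumes:
    - name: reports
      persistentVolumeClaim:
        claimName: reports-pvc            # assumed
```

Under the restricted SCC, fsGroup must fall inside the range the project was allotted (see the openshift.io/sa.scc.supplemental-groups annotation on the namespace) and the SELinux level is assigned from the project's openshift.io/sa.scc.mcs annotation; the explicit values above therefore require an SCC that allows them (for example fsGroup and seLinuxContext of type RunAsAny), which is the trade-off to make deliberately for workloads that share storage with systems outside the cluster. The MCS label is what keeps two tenants' pods from reading each other's volumes even when both run on the same node.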

