Automating Container Security With Red Hat OpenShift
Want to learn more about how you can automate container security with Red Hat's OpenShift? Check out this post to learn more.
As enterprises increasingly benefit from Red Hat OpenShift and containers to achieve automation in their application deployments, it’s important to concurrently introduce automated container security. The OpenShift platform itself includes a number of very capable built-in security automation features that should absolutely be employed. But, given the critical nature of automating run-time security to safeguard against exploits and attacks, many organizations and use cases will also want to make use of advanced Kubernetes container security features that offer deeper visibility and safeguards to production environments. The fact is that container deployments are every bit as prone to hacking attempts and insider threats as traditional environments are. And, security measures must be implemented to protect the entire span of the CI/CD container deployment lifecycle throughout the build, ship, and run-time phases.
Containerized environments come with relatively unique security challenges, including keeping track of all pods and containers as they come up or go down within (and across) nodes. These pods generate a tremendous amount of east-west network traffic, and it is traffic that is particularly difficult to gain visibility into (and therefore a challenge to ensure that connections aren’t playing an active role in exploits or attacks). At the same time, many enterprises are using open-source software, with vulnerabilities continually being discovered. Due to the dynamic nature of containerized environments, manual security methods cannot hope to keep up, making automated security rules a must.
Traditional security tools, such as host security and web application firewalls (WAFs), are also effectively blind to container traffic and don’t offer much protection against container attacks. OpenShift and Kubernetes are at risk from numerous types of vulnerabilities at run-time that require detection at Layer 7 (looking into the packets and protocols to provide verification) or within the pod and host processes. To meet these needs, NeuVector has built a container firewall that is a container itself and, therefore, can be automatically deployed and updated with OpenShift just like an application container and fits into the CI/CD process. When deployed to each OpenShift worker node, the NeuVector tool can inspect container traffic, find running containers, and build a whitelist of vetted traffic to protect those containers. This includes automated threat detection for common attacks and exploits, and Layer 7 network-based application isolation.
NeuVector integrates with the Red Hat OpenShift platform to simplify the implementation of these advanced and automated security features for OpenShift. This also incorporates several specific and useful features, including:
Image Vulnerability Scanning, Enabling Enforcement Through OpenShift
Using a Jenkins plug-in, the NeuVector tool provides the ability to scan images in the build process and then assign tags where any vulnerabilities are detected. OpenShift has the capability of controlling container deployments based on these tags. Therefore, OpenShift is able to recognize and prevent the deployment of vulnerable containers while allowing safe ones to deploy, with NeuVector’s scanning and tags supplying the signal it acts on.
Automated Local Registry Image Scanning
When an image is pushed to local OpenShift registries, NeuVector performs automatic scanning to determine if those images include any vulnerabilities. These scans may be customized to meet certain preferences, such as only checking specifically-selected directories.
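To make the scan-tag-gate flow described in the two sections above concrete, here is an added Python illustration. It is not NeuVector's or OpenShift's code: the scan-report shape, the tag names `vulnerable` and `scanned-clean`, the image names and the CVE-style identifiers are constructed placeholders. It restricts findings to selected directories (the "only check specific directories" option), tags each image from its worst finding, and then has the deployment step refuse anything tagged vulnerable or never scanned.

```python
"""Vulnerability-scan tagging and deployment gating, illustrated.

Added example, not NeuVector's or OpenShift's code. The scan-report shape,
the tag names, the image names and the CVE-style identifiers are constructed
placeholders standing in for a real scanner's output and registry tags.
"""
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed scan reports: image -> findings (path = where the package sits in the image).
SAMPLE_REPORTS = {
    "registry.local/shop/api:1.4.2": [
        {"id": "CVE-0000-0001", "severity": "high", "package": "openssl",
         "path": "/usr/lib/libssl.so.1.1"},
        {"id": "CVE-0000-0002", "severity": "medium", "package": "zlib",
         "path": "/app/vendor/zlib"},
    ],
    "registry.local/shop/web:2.0.0": [
        {"id": "CVE-0000-0003", "severity": "low", "package": "curl",
         "path": "/usr/bin/curl"},
    ],
    "registry.local/shop/worker:0.9.0": [],
}


@dataclass
class ScanPolicy:
    """Which findings block a deployment, and which directories the scan covers."""
    block_at: str = "high"   # findings at or above this severity block the deploy
    scan_paths: tuple = ()   # empty = scan everything; otherwise only these directories


def filter_by_paths(findings, scan_paths):
    """Keep only findings located under one of the selected directories."""
    if not scan_paths:
        return list(findings)
    prefixes = tuple(p.rstrip("/") + "/" for p in scan_paths)
    return [f for f in findings if f["path"].startswith(prefixes)]


def summarize(findings):
    """Count findings per severity level."""
    counts = {s: 0 for s in SEVERITY_RANK}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


def assign_tag(findings, policy):
    """Tag 'vulnerable' if any finding reaches the blocking severity, else 'scanned-clean'."""
    worst = max((SEVERITY_RANK[f["severity"]] for f in findings), default=0)
    return "vulnerable" if worst >= SEVERITY_RANK[policy.block_at] else "scanned-clean"


def admit(image, tag):
    """Deployment-time gate: only images explicitly tagged clean may run."""
    if tag == "scanned-clean":
        return True, f"{image}: admitted"
    if tag == "vulnerable":
        return False, f"{image}: blocked, tagged vulnerable"
    return False, f"{image}: blocked, image was never scanned"


def run_pipeline(reports, policy):
    """Scan -> tag -> admission for every image; returns a per-image result dict."""
    results = {}
    for image, findings in reports.items():
        relevant = filter_by_paths(findings, policy.scan_paths)
        tag = assign_tag(relevant, policy)
        admitted, reason = admit(image, tag)
        results[image] = {"tag": tag, "counts": summarize(relevant),
                          "admitted": admitted, "reason": reason}
    return results


if __name__ == "__main__":
    for image, r in run_pipeline(SAMPLE_REPORTS, ScanPolicy()).items():
        print(f"{r['tag']:<14} {r['reason']}")
```

The default-deny branch in `admit` is the point worth copying: an image with no tag at all is refused, so an image that skipped the scanning stage cannot slip through as if it were clean. Narrowing `scan_paths` changes the verdict for the `api` image, which shows why directory-scoped scanning should be a deliberate choice rather than a default.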
Role-Based Access Controls (RBACs)
RBACs that are configured within OpenShift will be automatically read and mapped into NeuVector. Existing users and their roles and permissions can be utilized to easily govern access to NeuVector’s console and API. In this way, access can be set and limited, matching the scope required to equip particular users with NeuVector’s visibility into network connections and security events as needed. For instance, developers with access to a project might be given read-only access to this visibility, while cluster admins are given access to every project within NeuVector so that they can properly manage and review security policies.
Run-Time Security Policy Rules
With NeuVector, policy rules that effectively isolate application network traffic and container processes can be automatically created. Using the NeuVector REST API, rules can be set programmatically and integrated with the OpenShift deployment pipeline. NeuVector policy rule sets can also make use of OpenShift identifiers, such as project names (namespaces), labels, and more.
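The whitelist idea from earlier on the page (learn vetted traffic, then flag everything else) and the rule keys named here (namespace and labels) are combined in this added Python illustration. It is not NeuVector's rule format or API: the rule schema, the namespaces, labels, ports and connection records are constructed stand-ins. Rules are derived from a baseline of vetted connections, and live traffic is then audited against them with a default-deny verdict.

```python
"""Whitelist-style run-time network rules keyed by OpenShift namespace and labels.

Added example, not NeuVector's rule format or API. The rule schema, the
namespaces, labels, ports and the connection records are constructed stand-ins
for what a container firewall would learn from and inspect.
"""


def workload(namespace, app):
    """Constructed identity of a pod: its namespace and its labels."""
    return {"namespace": namespace, "labels": {"app": app}}


# Constructed baseline: connections observed during a vetted test run.
BASELINE = [
    {"src": workload("shop", "web"), "dst": workload("shop", "api"),
     "port": 8080, "proto": "tcp"},
    {"src": workload("shop", "api"), "dst": workload("shop-db", "postgres"),
     "port": 5432, "proto": "tcp"},
]

# Constructed live traffic: the two vetted flows plus two that were never whitelisted.
LIVE = BASELINE + [
    {"src": workload("shop", "web"), "dst": workload("shop-db", "postgres"),
     "port": 5432, "proto": "tcp"},
    {"src": workload("shop", "web"), "dst": workload("shop", "api"),
     "port": 22, "proto": "tcp"},
]


def learn_rules(baseline):
    """Build one whitelist rule per (source, destination) workload pair from the baseline."""
    by_pair = {}
    for c in baseline:
        key = (c["src"]["namespace"], c["src"]["labels"]["app"],
               c["dst"]["namespace"], c["dst"]["labels"]["app"])
        by_pair.setdefault(key, set()).add((c["port"], c["proto"]))
    return [
        {"from": {"namespace": s_ns, "labels": {"app": s_app}},
         "to": {"namespace": d_ns, "labels": {"app": d_app}},
         "ports": ports}
        for (s_ns, s_app, d_ns, d_app), ports in by_pair.items()
    ]


def selector_matches(selector, wl):
    """A selector matches when its namespace (if set) and every listed label agree."""
    if selector.get("namespace") and selector["namespace"] != wl["namespace"]:
        return False
    return all(wl["labels"].get(k) == v for k, v in selector.get("labels", {}).items())


def verdict(conn, rules):
    """Default deny: allowed only if some rule covers the pair on that port/protocol."""
    for rule in rules:
        if (selector_matches(rule["from"], conn["src"])
                and selector_matches(rule["to"], conn["dst"])
                and (conn["port"], conn["proto"]) in rule["ports"]):
            return "allow"
    return "deny"


def audit(connections, rules):
    """Return the connections that violate the whitelist, for alerting or blocking."""
    return [c for c in connections if verdict(c, rules) == "deny"]


def describe(conn):
    """Human-readable form of a connection for an alert line."""
    return (f"{conn['src']['namespace']}/{conn['src']['labels']['app']} -> "
            f"{conn['dst']['namespace']}/{conn['dst']['labels']['app']}"
            f":{conn['port']}/{conn['proto']}")


if __name__ == "__main__":
    rules = learn_rules(BASELINE)
    for c in audit(LIVE, rules):
        print("violation:", describe(c))
```

Two properties matter for run-time isolation here: rules are expressed in terms of workload identity (namespace plus labels) rather than pod IP addresses, so they survive pods being rescheduled, and a connection between two otherwise-allowed workloads on an unexpected port (the `22/tcp` flow) is still reported, because the whitelist is per port and protocol, not per pair.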
By integrating NeuVector with OpenShift, the built-in security features offered by the OpenShift platform can be extended to seamlessly automate run-time security as well, thus achieving effective safeguards across the full lifecycle of container-based deployments.