Securing Red Hat OpenShift Containerized Applications At Enterprise Scale
1 like328 views
The document outlines a webinar discussing Red Hat's enterprise solutions and their integration with CyberArk for DevOps security, emphasizing the need for secure management of secrets in development workflows. It highlights Red Hat's extensive product portfolio, hybrid cloud capabilities, and the growing market adoption of OpenShift, along with the challenges developers face in incorporating security. The presentation also covers various labs and workshops that showcase secrets management techniques and CyberArk's resources for enhancing security within development environments.
Securing Red Hat OpenShift Containerized Applications At Enterprise Scale
- 1. Red Hat/CyberArk webinar Jody Hunt Director, DevOps Security CyberArk Vijay Arungurikai Senior Solutions Architect Embedded & ISV Partners, Red Hat
- 2. F16625-200131 The world’s leading provider of open source enterprise IT solutions 2 *Red Hat client data and Fortune 500 list, October 2019. Note: Currency in U.S. dollars. MORE THAN 90%of the FORTUNE 500 RED HAT use PRODUCTS & SOLUTIONS* ~13,815 EMPLOYEES 105+ OFFICES 40+ COUNTRIES THE FIRST $3 OPEN SOURCE COMPANY IN THE WORLD BILLION
- 3. From communities to enterprise 3
- 4. 44 Red Hat Enterprise Linux Red Hat Virtualization Red Hat OpenStack Platform Red Hat Ceph Storage Infrastructure Software Container Platform Red Hat OpenShift Container Platform Developer Tools Automation & Management Red Hat Ansible Automation Platform Red Hat Satellite Red Hat Insights Red Hat CloudForms Middleware & Integration Red Hat Fuse Red Hat Decision Manager Red Hat Process Automation Manager Application & Business processes Red Hat JBoss EAP Red Hat AMQ Red Hat 3Scale API Mgmt Red Hat OpenShift Application Runtimes Red Hat CodeReady Workspace Services Red Hat Learning Subscription Red Hat Certification Red Hat Consulting Red Hat OPEN Innovation Labs Product Portfolio
- 5. NEW INSTALLER PLATFORMS STORAGE AUTOMATION CLOUD-NATIVE DEV TOOLS RHV IPI Azure & OpenStack UPI DNS forwarding Kubernetes 1.17 OpenShift Serverless is GA Helm 3 support is GA OpenShift Pipelines is TP Developer Console gains monitoring & Helm features CSI topology support CSI Volume snapshot, restore, clone (Tech Preview) iSCSI PVs for internal registry Auto image pruning in registry OpenShift 4.4 5
- 6. 6 Developer Productivity Cluster Services Automated Ops ⠇Over-The-Air Updates ⠇Monitoring ⠇Registry ⠇Networking ⠇Router ⠇KubeVirt ⠇OLM ⠇Helm Kubernetes Developer CLI ⠇VS Code extensions ⠇IDE Plugins Code Ready Workspaces CodeReady Containers Service Mesh ⠇Serverless Builds ⠇CI/CD Pipelines Full Stack Logging Chargeback Databases ⠇Languages Runtimes ⠇Integration Business Automation 100+ ISV Services Platform Services Application Services Developer Services Physical Virtual Private cloud Public cloud OpenShift Kubernetes Engine Build Cloud-Native AppsManage Workloads Multi-cluster Management Discovery ⠇Policy ⠇Compliance ⠇Configuration ⠇Workloads Advanced Cluster Management OpenShift Container Platform Managed cloud (Azure, AWS, IBM, Red Hat) Red Hat Enterprise Linux & RHEL CoreOS OpenShift Container Platform
- 7. Automated operations A consistent container application platform Multi-tenant Network traffic control Over-the-air updates Bare metal, VMware vSphere, Red Hat Virtualization, Red Hat OpenStack Platform, Amazon Web Services, Microsoft Azure, Google, IBM Cloud Pluggable architecture Monitoring & chargeback Secure by default FROM YOUR DATACENTER TO THE CLOUD 7
- 8. OpenShift enables developer productivity SPRING & JAVA™ EE MICROSERVICES FUNCTIONS LANGUAGES DATABASES APPLICATION SERVICES LINUX WINDOWS* * coming soon CODE BUILD TEST DEPLOY MONITORREVIEW Self-service provisioning Automated build & deploy CI/CD pipelines Consistent environments Configuration management App logs & metrics 8
- 9. Full Stack Automation (IPI) Pre-existing Infrastructure (UPI) Bare Metal 4.4 Supported Providers IBM Power Systems * * Note: Planned for an upcoming 4.3.z release on April 30th * Denotes new addition in OCP 4.4 9
- 10. OpenShift offers the broadest set of hybrid cloud services Red Hat OpenShift Dedicated Managed By Red Hat or Customer Managed or Customer Managed Red Hat OpenShift Dedicated Managed By Red Hat or Customer Managed Red Hat OpenShift on IBM Cloud or Customer Managed (UPI) Customer Managed On-premises Azure Red Hat OpenShift Jointly Managed & Supported Jointly Engineered 10
- 11. 11 Red Hat OpenShift has seen 70%+ market expansion Red Hat OpenShift customers ● Supported on every major cloud: AWS, Azure, GCP, IBM, AliCloud ● Broadest hybrid cloud market adoption ● 100s of ISVs supporting operators ● Expanded AI/ML focus ● 1st to market with service mesh ● 1st to market with serverless ● New CodeReady developer experience ● New security, encryption enhancements ● Integrated IBM Portfolio via CloudPaks ● ...and much more 1700+ FY 2015 FY 2016 FY 2017 FY 2018 FY 2019 FY 2020 500 0 1000 1500 2000
- 12. 12 A broad ecosystem of workloads Operator-backed services allow for a SaaS experience on your own infrastructure Relational DBs NoSQL DBs Storage Messaging Security Monitoring AI/ML Big Data DevOps
- 13. Operator SDK 13 Enabling everybody to write Operators Support for Helm 3 Build Operators from Helm v2 and v3 charts Ansible collections Ansible Operator supports k8s module collection Custom metrics Every Operator supports custom metric endpoints Generate Packaging Operator Metadata (CSV) for OLM gets generated Kubernetes Compatibility Keep in sync with new Kubernetes releases Scorecard v2 Enable testing your Operator in a pipeline
- 14. Do your applications use privileged credentials? Secrets management for Red Hat OCP Jody Hunt, DevOps SME 14
- 15. EVERYBODY WANTS A SECURE DEVOPS FLOW, BUT…
- 16. SHIFTING SECURITY LEFT INTO DEVELOPMENT WORKFLOWS 16 Developers DevOps Security Empower Security Team • Highlight the app & tool risk • Leverage single platform – human/non-human solution serves all • Security focus • Manage security budget Enable Developer/DevOps • Easy to use (consume secrets) • Prebuilt integrations • Open source and Secretless Free developers from security burden • Compliance, audit requests, human creds • Security budget Plan Code Create Test Release Deploy Operate
- 17. THE PROBLEM WE’RE SOLVING There are lots of places to store secrets. But: • Platform solutions only work for those platforms • Tool solutions lack security • Most not enterprise ready • Hard to share best-practices • SoD not enforced • GRC reporting is impossible Islands of Security Hiera DatabagsVault IAM / KMS IAM / KMS Home Grown Solutions SecretsSecrets IAM / KMS
- 18. THE VISION WE’RE DELIVERING ON Enterprise-Spanning Service delivered by IT Security IaaSOn-Prem Infrastructure and Apps (*NIX, Windows, zOS) DevOps ToolsPaaS Security Solutions IT Mgt Software App Servers and Custom Apps RPA PAS Consistently enforce privilege security policies for both human users and non-human identities
- 19. CENTRAL AUDIT, SECURITY POLICY, SECRETS ROTATION Application Access Manager Consistent, Unified Enterprise-Wide Privileged Access Security Program CyberArk Vault Multi-Persona UI Security Admin Developer /DevOps Admin Threat Detection and Analytics Credential Providers – Static Apps Agent-based Credential Rotation /Policy Driven Monitoring and Audit Secrets Management – Dynamic Agentless
- 20. Dynamic Access Provider (Conjur Open Source) OCP4 Lab Architecture Linux Host (Azure) Windows Hosts (my Mac) CyberArk Enterprise Password Vault Synchronizer OCP4 Cluster (AWS) User Namespaces Lab App Authen -ticator cybrlab Namespace ServiceService
- 21. SECRETS ACCESS WORKFLOW Authenticate Access Token Requestor Application Access Manager Dynamic Access Provider Targe t Access per Policy Retrieve secrets Use secrets Access Token expires after 8 mins Audited activity
- 22. • Lab 1: • Authenticator runs as a Sidecar • App pulls DB creds with REST API • App connects to DB • Lab 2: Secrets Injection • Leverages Summon component • Authenticator runs as an Init container • Summon pulls DB creds & calls app w/ creds in env vars • App connects to DB • Lab 3: K8s Secrets • Authenticator runs as an Init Container • K8s secret manifest names DB cred names • Authenticator retrieves DB creds & dynamically patches K8s secret w/ DB cred values • App connects to DB • Lab 4: Secretless Broker • Authenticator runs as a Sidecar Container listening on DB port • App attempts to connect to DB on local port • Authenticator retrieves DB creds, connects to DB, proxies connection for app • App connects to DB CYBERARK OCP4 LABS
- 23. THE SECRETS LIFECYCLE TODAY Secrets Storage Secrets Delivery Application s
- 24. • Monthly DevOps Workshops (Virtual) • “CyberArk DevOps Workshop” • July 16th , 1pm Eastern • https://www.cyberark.com/devops-workshops • CyberArk Red Hat Integrations • www.cyberark.com/redhat • RedHat Ecosystem for CyberArk • access.redhat.com/containers/#/vendor/cyberark • CyberArk AAM documentation • docs.cyberark.com • lower right is Dynamic Access Provider • Conjur Open Source Resources • Open Source Secrets Management conjur.org • Blog conjur.org/blog • Developer Community cyberarkcommons.org • Secretless Broker: conjur.org/Secretless • Enterprise Resources • Application Access Manager • DevOps Security EXPLORE SECRETS MANAGEMENT AND DEVOPS SECURITY : 24
- 25. linkedin.com/company/red-hat youtube.com/user/RedHatVideos facebook.com/redhatinc twitter.com/RedHat Red Hat is the world’s leading provider of enterprise open source software solutions. Award-winning support, training, and consulting services make Red Hat a trusted adviser to the Fortune 500. Thank you