CONTAINERS AND SECURITY: A MATCH MADE IN CYBERSPACE Ted Brunell Chief Architect, DoD Programs Principal Solutions Architect [email protected] @DoDCloudGuy

CONTAINERS AND SECURITY: A MATCH MADE IN CYBERSPACE · containers while maintaining the built-in security features of Red Hat Enterprise Linux. A stable, reliable host environment


Page 1

CONTAINERS AND SECURITY: A MATCH MADE IN CYBERSPACE

Ted Brunell
Chief Architect, DoD Programs
Principal Solutions Architect
[email protected]
@DoDCloudGuy

Page 2

"The views expressed in this presentation are those of the author(s) and do not necessarily reflect the official policy or position of the Air Force, the Department of Defense, or the U.S. Government."

Page 3

CONTAINERS CHANGE HOW WE DEVELOP, DEPLOY AND MANAGE APPLICATIONS

INFRASTRUCTURE

● Application processes on a shared kernel

● Simpler, lighter, and denser than VMs

● Portable across different environments

APPLICATIONS

● Package apps with all dependencies

● Deploy to any environment in seconds

● Easily accessed and shared

Page 4

THEY ALSO CHANGE HOW WE SECURE OUR WORKLOADS

Page 5

AUTOMATED & INTEGRATED SECURITY

CONTROL (Application Security): Container Content, Container Registry, CI/CD Pipeline, Deployment Policies

DEFEND (Infrastructure): Container Host, Multi-tenancy, Container Platform, Network Isolation, Storage, Audit & Logging, API Management

EXTEND: Security Ecosystem

Page 6

CONTROL: Secure the Pipeline & the Applications

Container Content

Container Registry

CI/CD Pipeline

Deployment Policies

Page 7

IT STARTS WITH TRUSTED SOURCES

Page 8

CONTAINER HEALTH CHECKS

https://access.redhat.com/containers/

Page 9

SECURE CONTAINER LIFECYCLE

[Diagram: the DEVELOPER commits to a GIT SERVER; the CI/CD PIPELINE (JENKINS) performs IMAGE BUILD & DEPLOY using the TRUSTED IMAGE REGISTRY and the ARTIFACT REPOSITORY; images are promoted through DEV, TEST and UAT on the NON-PROD KUBERNETES CLUSTER (PROMOTE TO TEST, PROMOTE TO UAT) and, after the RELEASE MANAGER's "GO LIVE?" decision, PROMOTED TO PROD on the PROD KUBERNETES CLUSTER]

Page 10

AUTOMATING DEVOPS AND DEPLOYMENT POLICIES

[Diagram: PLAN, CREATE, BUILD, TEST, SECURE, DEPLOY, OPERATE, MONITOR, SCALE, ADAPT]

Page 11

DESIGN FOR SEPARATION OF CONCERNS

[Diagram: three layered images, each layer owned by a different team]

CORE IMAGE: IT Operations

MIDDLEWARE (on top of the CORE IMAGE): Architects

APPLICATION (on top of MIDDLEWARE and the CORE IMAGE): Application Developers

Page 12

DEFEND: Secure the Infrastructure

Container Host

Multi-tenancy

Container Platform

Network Isolation

Storage

Audit & Logging

API Management

Page 13

THE OS MATTERS: CONTAINER HOST & MULTI-TENANCY

RED HAT ENTERPRISE LINUX ATOMIC HOST

Minimized host environment tuned for running Linux containers while maintaining the built-in security features of Red Hat Enterprise Linux.

A stable, reliable host environment with built-in security features that allow you to isolate containers from other containers and from the kernel.

RED HAT ENTERPRISE LINUX: THE FOUNDATION FOR SECURE, SCALABLE CONTAINERS

SELinux, kernel namespaces, cgroups, seccomp, capabilities
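The kernel features named on this slide (capabilities, seccomp, kernel namespaces) can be verified per process from /proc rather than taken on trust. The following Python script is an added example, not code from the deck or from Red Hat: it decodes the CapEff capability mask into capability names, reports the seccomp mode and no_new_privs flag, and compares a process's namespace inodes with those of PID 1 to spot a container that shares a host namespace. The two sample status texts and the watch-list of risky capabilities are constructed for the example; audit_pid() reads the real files on a Linux host.

```python
"""Audit the kernel isolation a process actually runs with, from /proc.

Added example, not from the slide deck: reads the per-process fields that the
host features on this slide expose (capabilities, seccomp, kernel namespaces)
and reports what a container process has kept.  Sample input is constructed;
on a Linux host, audit_pid() reads the real files.
"""
import os

# Capability names by bit position, from linux/capability.h
# (CAP_CHOWN = 0 ... CAP_CHECKPOINT_RESTORE = 40).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Constructed watch-list for this example: capabilities that let a container
# process reach the host kernel, host devices or other processes.
RISKY_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_PTRACE",
              "CAP_SYS_RAWIO", "CAP_NET_ADMIN", "CAP_DAC_READ_SEARCH"}

SECCOMP_MODES = {"0": "disabled", "1": "strict", "2": "filter"}


def parse_status(text):
    """Turn the key:value lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def decode_caps(hex_mask):
    """Expand a capability bitmask such as CapEff into capability names."""
    mask = int(hex_mask, 16)
    return [CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}"
            for bit in range(mask.bit_length()) if mask >> bit & 1]


def audit_status(text):
    """Summarise the isolation state and list the findings a reviewer would flag."""
    fields = parse_status(text)
    caps = decode_caps(fields.get("CapEff", "0"))
    findings = []
    risky = sorted(set(caps) & RISKY_CAPS)
    if risky:
        findings.append("holds host-level capabilities: " + ", ".join(risky))
    if fields.get("Seccomp") not in ("1", "2"):
        findings.append("no seccomp filter in effect")
    if fields.get("NoNewPrivs") != "1":
        findings.append("no_new_privs not set (setuid binaries can regain privileges)")
    uid = fields.get("Uid", "").split()
    if uid and uid[0] == "0":
        findings.append("runs as uid 0 inside the container")
    return {"name": fields.get("Name", "?"), "caps": caps,
            "seccomp": SECCOMP_MODES.get(fields.get("Seccomp"), "unknown"),
            "findings": findings}


def shared_namespaces(pid, reference_pid=1):
    """Namespace types the process shares with reference_pid (compared by inode).

    A container sharing pid, net or mnt with the host's init is not isolated
    the way the slide's "kernel namespaces" line assumes.
    """
    shared = []
    for ns in ("mnt", "pid", "net", "ipc", "uts", "user"):
        try:
            own = os.readlink(f"/proc/{pid}/ns/{ns}")
            ref = os.readlink(f"/proc/{reference_pid}/ns/{ns}")
        except OSError:  # unreadable (other user's process) or no /proc
            continue
        if own == ref:
            shared.append(ns)
    return shared


def audit_pid(pid):
    """Audit a live process on a Linux host."""
    with open(f"/proc/{pid}/status", encoding="utf-8") as fh:
        report = audit_status(fh.read())
    report["shared_with_pid1"] = shared_namespaces(pid)
    return report


# Constructed sample: non-root process with the common default capability set
# (the 14 capabilities in mask a80425fb) under a seccomp filter.
SAMPLE_CONFINED = ("Name:\tnginx\nPid:\t4242\nUid:\t1000\t1000\t1000\t1000\n"
                   "CapEff:\t00000000a80425fb\nNoNewPrivs:\t1\nSeccomp:\t2\n")
# Constructed sample: privileged container process, all 41 capabilities, no seccomp.
SAMPLE_PRIVILEGED = ("Name:\tagent\nPid:\t4243\nUid:\t0\t0\t0\t0\n"
                     "CapEff:\t000001ffffffffff\nNoNewPrivs:\t0\nSeccomp:\t0\n")

if __name__ == "__main__":
    for sample in (SAMPLE_CONFINED, SAMPLE_PRIVILEGED):
        print(audit_status(sample))
    if os.path.isdir("/proc"):
        print(audit_pid(os.getpid()))
```

Run it inside a container with the PID of the application process to confirm that a restricted capability set, a seccomp filter and a non-zero UID are in effect; an empty findings list for the confined sample and four findings for the privileged one show the difference the slide's host features make.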

Page 14

SECURING THE CONTAINER PLATFORM

● Role-based Access Controls with LDAP and OAuth integration

● Secure communication

● Platform multi-tenant security

● Integrated & extensible secrets management

● Logging, Monitoring, Metrics

● Consistency across multiple infrastructures

[Diagram: a RED HAT ENTERPRISE LINUX MASTER (API/AUTHENTICATION, DATA STORE, SCHEDULER, HEALTH/SCALING) managing RHEL NODES that run containers, with PERSISTENT STORAGE and a REGISTRY, on PHYSICAL, VIRTUAL, PRIVATE, PUBLIC or HYBRID infrastructure]

Page 15

SECRETS MANAGEMENT

● Secure mechanism for holding sensitive data, e.g.

○ Passwords and credentials

○ SSH Keys

○ Certificates

● Secrets are made available as

○ Environment variables

○ Volume mounts

○ Interaction with external systems

● Encrypted in transit and at rest

● Never rest on the nodes

[Diagram: the MASTER keeps secrets in a Distributed Store and delivers them to Containers on the NODE]

Page 16

LOGGING and AUDITING

● Aggregate logs for hosts and applications

● Access control

○ Cluster administrators can view all logs

○ Users can view logs for their projects

● Ability to send logs elsewhere

○ External Elasticsearch, Splunk, etc.

Page 17

CONTAINER METRICS

Page 18

NETWORK DEFENSE

● Multi-tenant Network Support

○ Project-level network isolation

○ Multicast support

○ Egress network policies

● Network Policy

○ Granular policy-based isolation

[Diagram: PODs on two NODES, grouped into PROJECT A, PROJECT B, PROJECT C and the DEFAULT NAMESPACE]

Page 19

NETWORK POLICY: FINE GRAINED ISOLATION

[Diagram: PROJECT A and PROJECT B with four PODs each; ports 8080 and 5432 are marked on the pods the policies refer to]

Example Policies

● Allow all traffic inside the project

● Allow traffic from green to gray

● Allow traffic to purple on 8080

apiVersion: extensions/v1beta1
kind: NetworkPolicy
metadata:
  name: allow-to-purple-on-8080
spec:
  podSelector:
    matchLabels:
      color: purple
  ingress:
  - ports:
    - protocol: TCP   # protocol values are case-sensitive: TCP, UDP or SCTP
      port: 8080
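To show what the three example policies actually permit once they are applied together, here is an added Python model of NetworkPolicy ingress evaluation (not from the deck, and not Kubernetes code); the policies are written as dicts with the same shape as the YAML. Pod names, the project names project-a and project-b and the kubernetes.io/metadata.name project labels are constructed for the example; apiVersion is networking.k8s.io/v1, the API group that replaced the slide's extensions/v1beta1.

```python
"""Evaluate NetworkPolicy ingress rules against a toy set of pods.

Added example, not from the deck: the slide's three example policies are
written as dicts shaped like the YAML, and ingress_allowed() answers
"can src reach dst on this port?" the way the policy controller does.
Pod and project names are constructed.
"""
from dataclasses import dataclass


@dataclass
class Pod:
    name: str
    project: str  # Kubernetes namespace; OpenShift calls it a project
    labels: dict


def selector_matches(selector, labels):
    """A missing or empty selector ({}) matches everything; matchLabels must all hold."""
    wanted = (selector or {}).get("matchLabels", {})
    return all(labels.get(key) == value for key, value in wanted.items())


def peer_matches(peer, policy_project, src, projects):
    """One entry of a rule's 'from' list."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is not None:
        # namespaceSelector alone: any pod in matching projects;
        # combined with podSelector: both must hold
        return (selector_matches(ns_sel, projects[src.project])
                and (pod_sel is None or selector_matches(pod_sel, src.labels)))
    # podSelector alone is scoped to the policy's own project
    return src.project == policy_project and selector_matches(pod_sel, src.labels)


def rule_allows(rule, policy_project, src, projects, port, protocol):
    peers = rule.get("from")
    if peers and not any(peer_matches(p, policy_project, src, projects) for p in peers):
        return False  # non-empty 'from' restricts sources; absent/empty means any source
    ports = rule.get("ports")
    if ports and not any(p.get("port") == port and p.get("protocol", "TCP") == protocol
                         for p in ports):
        return False  # non-empty 'ports' restricts ports; absent/empty means all ports
    return True


def ingress_allowed(policies, projects, src, dst, port, protocol="TCP"):
    """True if src -> dst:port is permitted.  A pod selected by no policy in its
    project is not isolated and accepts everything."""
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == dst.project
                 and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                 and selector_matches(p["spec"]["podSelector"], dst.labels)]
    if not selecting:
        return True
    return any(rule_allows(rule, dst.project, src, projects, port, protocol)
               for pol in selecting for rule in pol["spec"].get("ingress", []))


def policy(namespace, name, pod_selector, ingress):
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": namespace},
            "spec": {"podSelector": pod_selector, "ingress": ingress}}


# The slide's three example policies, applied to project-a (constructed name).
POLICIES = [
    policy("project-a", "allow-same-project", {}, [{"from": [{"podSelector": {}}]}]),
    policy("project-a", "allow-green-to-gray", {"matchLabels": {"color": "gray"}},
           [{"from": [{"podSelector": {"matchLabels": {"color": "green"}}}]}]),
    policy("project-a", "allow-to-purple-on-8080", {"matchLabels": {"color": "purple"}},
           [{"ports": [{"protocol": "TCP", "port": 8080}]}]),
]
PROJECTS = {"project-a": {"kubernetes.io/metadata.name": "project-a"},
            "project-b": {"kubernetes.io/metadata.name": "project-b"}}
PODS = {
    "green-a": Pod("green-a", "project-a", {"color": "green"}),
    "gray-a": Pod("gray-a", "project-a", {"color": "gray"}),
    "purple-a": Pod("purple-a", "project-a", {"color": "purple"}),
    "blue-b": Pod("blue-b", "project-b", {"color": "blue"}),
}
FLOWS = [("green-a", "gray-a", 5432), ("blue-b", "gray-a", 5432),
         ("blue-b", "purple-a", 8080), ("blue-b", "purple-a", 5432),
         ("green-a", "blue-b", 8080)]


def evaluate_flows(flows=FLOWS):
    """Map (src, dst, port) -> allowed for each constructed flow."""
    return {f: ingress_allowed(POLICIES, PROJECTS, PODS[f[0]], PODS[f[1]], f[2])
            for f in flows}


if __name__ == "__main__":
    for (src, dst, port), ok in evaluate_flows().items():
        print(f"{src} -> {dst}:{port}: {'ALLOW' if ok else 'DENY'}")
```

The evaluation makes visible a point the slide's wording hides: allow-to-purple-on-8080 has no from clause, so it admits port 8080 from any project (blue-b in project-b reaches purple-a). If the intent is project-internal traffic only, the rule needs a from entry with a podSelector or namespaceSelector. Likewise a pod in a project with no policy at all (project-b here) accepts everything; isolation begins only once some policy selects the pod, which is why a default-deny policy per project is the usual starting point.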

Page 20

ATTACHED STORAGE

Secure storage by using

● SELinux Mandatory Access Controls

● Secure mounts

● Supplemental group IDs for shared storage

[Diagram: the same platform diagram as page 14, with PERSISTENT STORAGE attached to the RHEL NODES]

Page 21

API MANAGEMENT

● Authentication and authorization

● LDAP integration

● End-point access controls

● Rate limiting

Page 22

EXTEND: Leverage the Ecosystem

Page 23

THE SECURITY ECOSYSTEM

For enhanced security, or to meet existing policies, integrate with enterprise security tools, such as

● Identity and Access Management / Privileged Access Management

● External Certificate Authorities

● External Vaults / Key Management solutions

● External Hardware Security Modules (HSM)

● Filesystem encryption tools

● Container content scanners & vulnerability management tools

● Container runtime analysis tools

● Security Information and Event Monitoring (SIEM)

Page 24

[Partner logos: Sysdig, NGINX, Cisco Contiv, Aporeto, Sonatype, Black Duck, Tremolo, Tigera, Twistlock]

Page 25

LOOKING INTO THE NOT SO DISTANT FUTURE

Page 26

CONTAINER CHALLENGES: Enterprise Build, Pipeline and Runtime concerns

● Supply chain needs further security policy services

● Microservices have special networking and governance needs

● Build and runtime tools and services need decoupling

Page 27

ATTESTATION OF SECURITY POLICY

Grafeas (Scribe) and Kritis (Judge)

[Diagram: the CI/CD Pipeline stages Build, Test, Scan, Analysis and QA record into Grafeas (Metadata, Attestation, Findings); Kritis applies Deploy Time Policy before Production]

“Bob can start a build but Alice must certify for production”

“I only want to run scanned code that has been QA certified”

“Do I have any running jobs that are affected by this new vulnerability”

“I want to see a full compliance summary of all deployed components”
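The scribe/judge split on this slide is easiest to see in code. The following Python is an added example, not from the deck and not the Grafeas or Kritis APIs: a minimal store records signed attestations and vulnerability findings about an image digest, and an admission function admits a deployment only when the digest carries valid attestations from every authority the target environment requires, which is the "Bob can start a build but Alice must certify for production" policy in miniature. HMAC keys stand in for the PGP/PKIX keys the real projects use; the authority names, keys, registry name and the CVE id are constructed placeholders.

```python
"""Deploy-time admission on signed attestations, in the Grafeas/Kritis style.

Added example, not from the deck and not the Grafeas or Kritis APIs: a
"scribe" (AttestationStore) records signed attestations and findings about an
image digest; a "judge" (admit) allows a deployment only when every
attestation the environment's policy requires is present and verifies under
the named authority's key.  HMAC keys stand in for real signing keys; all
names, keys and the CVE id are constructed placeholders.
"""
import hashlib
import hmac
import json


def canonical(digest, authority, kind):
    """Deterministic bytes to sign: the same fields, always in the same order."""
    return json.dumps({"digest": digest, "authority": authority, "kind": kind},
                      sort_keys=True).encode()


class AttestationStore:
    """The scribe: append-only notes about image digests."""

    def __init__(self):
        self.attestations = []
        self.findings = []  # (digest, vulnerability id)

    def attest(self, digest, authority, key, kind):
        sig = hmac.new(key, canonical(digest, authority, kind), hashlib.sha256).hexdigest()
        self.attestations.append({"digest": digest, "authority": authority,
                                  "kind": kind, "signature": sig})

    def record_finding(self, digest, vuln_id):
        self.findings.append((digest, vuln_id))

    def notes_for(self, digest):
        return [n for n in self.attestations if n["digest"] == digest]


def verify(note, key):
    """Recompute the signature under the authority's key; constant-time compare."""
    expected = hmac.new(key, canonical(note["digest"], note["authority"], note["kind"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, note["signature"])


# Deploy-time policy: attestation kind -> authority whose signature is required.
POLICY = {
    "dev": {},                                                      # Bob can start a build
    "production": {"build-passed": "bob", "qa-certified": "alice"},  # Alice must certify
}


def admit(store, keys, policy, environment, image_ref, digest):
    """The judge: returns (allowed, reasons).  Requires a digest-pinned image
    reference and each attestation the policy lists, signed by the named authority."""
    reasons = []
    if not image_ref.endswith("@" + digest):
        reasons.append("image must be referenced by its digest, not a mutable tag")
    notes = store.notes_for(digest)
    for kind, authority in policy[environment].items():
        if not any(n["kind"] == kind and n["authority"] == authority
                   and verify(n, keys[authority]) for n in notes):
            reasons.append(f"missing or invalid '{kind}' attestation from {authority}")
    return (not reasons, reasons)


def affected_workloads(store, running, vuln_id):
    """'Do I have any running jobs affected by this new vulnerability?'"""
    bad = {d for d, v in store.findings if v == vuln_id}
    return sorted(name for name, digest in running.items() if digest in bad)


def run_scenario():
    """Walk one image through the slide's policy questions; returns the outcomes."""
    keys = {"bob": b"constructed-bob-key", "alice": b"constructed-alice-key"}
    digest = "sha256:" + hashlib.sha256(b"constructed image contents").hexdigest()
    ref = "registry.example/app@" + digest
    store, out = AttestationStore(), {}
    store.attest(digest, "bob", keys["bob"], "build-passed")
    out["dev_after_build"] = admit(store, keys, POLICY, "dev", ref, digest)[0]
    out["prod_after_build"] = admit(store, keys, POLICY, "production", ref, digest)[0]
    store.attest(digest, "bob", keys["bob"], "qa-certified")  # Bob cannot certify QA himself
    out["prod_bob_self_certified"] = admit(store, keys, POLICY, "production", ref, digest)[0]
    forged = {"digest": digest, "authority": "alice", "kind": "qa-certified",  # Alice's name, Bob's key
              "signature": hmac.new(keys["bob"], canonical(digest, "alice", "qa-certified"),
                                    hashlib.sha256).hexdigest()}
    store.attestations.append(forged)
    out["prod_forged_alice"] = admit(store, keys, POLICY, "production", ref, digest)[0]
    store.attest(digest, "alice", keys["alice"], "qa-certified")
    out["prod_after_qa"] = admit(store, keys, POLICY, "production", ref, digest)[0]
    out["prod_by_tag"] = admit(store, keys, POLICY, "production",
                               "registry.example/app:latest", digest)[0]
    store.record_finding(digest, "CVE-PLACEHOLDER-0001")
    running = {"web-prod": digest, "batch-dev": "sha256:" + "0" * 64}
    out["affected"] = affected_workloads(store, running, "CVE-PLACEHOLDER-0001")
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Two design points carry over to the real tools: attestations are bound to the image digest, not a tag, so the judge refuses tag-only references that could be re-pointed after certification; and the policy names the authority per attestation kind, so neither Bob signing the QA attestation himself nor a note claiming Alice's name under the wrong key is accepted.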

Page 28

ISTIO AND MICROSERVICES: Connect, manage, and secure microservices.

● Collaborative effort between Red Hat, Google Cloud and IBM

○ Sidecar container with the features and functions for creating and managing microservices

○ Monitoring

○ Tracing

○ Circuit breakers

○ Routing

○ Load balancing

○ Fault injection

○ Retries

○ Timeouts

○ Mirroring

○ Access control

○ Rate limiting

○ ...And more

v1.0 ANNOUNCED 07/31/2018!

Page 29

OCI BASED INNOVATION

● OCI-compliant, daemon-less tool for building/modifying OCI/Docker images.

● Enables fine-grain control over the commands and content of each image layer

● Container host utils. can optionally be leveraged as part of the build

● Can use a Dockerfile

● Shares the underlying image and storage components with CRI-O

● A lightweight, OCI-compliant container runtime designed for Kubernetes

● Runs any OCI / Docker container from any OCI / Docker registry

● Focus on stability and life cycle with the platform

● Improve container security & performance at scale

Page 30

BRINGING IT ALL TOGETHER

[Diagram: Self-Service on top; EXISTING AUTOMATION TOOLSETS (SCM (GIT), CI/CD); CONTROL Application Security, DEFEND Infrastructure and EXTEND around the platform; SERVICE LAYER, ROUTING LAYER, PERSISTENT STORAGE and REGISTRY; Red Hat Enterprise Linux Container Runtime & Packaging; a RED HAT ENTERPRISE LINUX MASTER (API/AUTHENTICATION, DATA STORE, SCHEDULER, HEALTH/SCALING) with RHEL NODES running containers on PHYSICAL, VIRTUAL, PRIVATE, PUBLIC or HYBRID infrastructure]

Page 31

THANK YOU