From YouTube: Security with Red Hat OpenShift for DevSecOps
Description
Red Hat's Jim Garrett demonstrates implementing Multi-Layer Container and Kubernetes Security with Red Hat OpenShift for an Automated DevSecOps environment.
Learn more at https://www.redhat.com/en/topics/devops/why-choose-red-hat-for-devsecops
In today's discussion, I'd like to talk about the topic of including security in the development and operations process, something known as DevSecOps, something I'd like to think of as the marriage between development, security and operations. With the implementation of DevSecOps, the goal is to prevent security challenges early rather than later. To facilitate this, security tools are included directly in the build process, and the end result is that the delivery process is able to perform security auditing from the start and not jeopardize the release schedule of the project.
We have Red Hat Advanced Cluster Security, which is going to be used to scan, check and then deploy the image. And then on the far right, you see we also have OpenShift GitOps, which is going to be based off of Argo CD, and this is going to be used to deploy an image in preparation for penetration testing. And then, finally, after we perform our penetration testing, we use a tool called Gatling, which is used to execute performance tests against the deployed image.
If we look at the development pipeline, you can see the exact steps that have been defined, which mimic the information that I showed on the previous slide. For example, the first thing that we do is we get a copy of our source code, and then simultaneously we can do our unit tests and a dependency report.
However, what we would really like to see is how a development team is going to use the pipeline. Typically, the way a development team works is when a new file is added to the source code repository, or maybe you change an existing file, it can be set up to automatically kick off a build. Now, one thing I'll mention is this build pipeline again. This is done using Tekton, and when this pipeline is generated, the end result is it creates a container inside of OpenShift, which physically runs this pipeline.
It says "el webhook", and if we actually go and look inside of our source code repository, in this case, which is called Gogs, you can see that I have a project set up with some source code. And if I click on the settings of this project, you can see one of the items that's displayed is something called Webhooks, and if I click on Webhooks, this is a URL to the actual webhook container.
You can see that it's going to perform a checkout of this Spring PetClinic source code, and eventually this exits. Now again, if we go back to the details, you can see that it's completed, and now it's simultaneously running these unit tests and dependency checks, and basically it's going to run throughout this entire pipeline.
Now that the pipeline is finished running, we can see that the pipeline has actually failed, and it's in this step called image check. Prior to looking at that, let's take a look at these other steps that were performed. For example, we can click on each individual step and look at the log file information that comes from it. We've already seen the step where it sources, or clones, the source code.
Once the unit test is finished, you can see at the very end of the unit test that it's going to build a JAR file from all of the artifacts that make up this particular application. In the release stage, the JAR file that's created actually gets uploaded to the Nexus repository, and this repository is what's going to be used to store this image and the artifacts that go along with it.
However, you can see that the image check step has failed, and there are several violations that have occurred when it physically looks at the image that's been created. You can see that the first set of violations convey that there are some CVEs that have a severity that's high enough that it's going to cause this to fail. For example, a severe CVSS 7.5, something found in the component jackson-databind, or something found in the Tomcat web server that's being used.
Again, when we click on the image scan log, we can see a list of all of the vulnerabilities that it has found inside of this container, some of which are severe, some of which are not. And then at the very bottom, it conveniently conveys a link to our Advanced Cluster Security, or ACS, module, which we can actually go into and view, using the web browser, all of these different vulnerabilities.
So when I copy and paste that link into the browser, this is what it takes me to: again, the Advanced Cluster Security and, specifically, the Vulnerability Management tab for this container. And at a high level, we can see all of the information about this container. For example, what's the risk priority?
What are the number of critical versus important versus moderate versus low CVEs that are brought up? And it actually allows us to drill down into the components that it has analyzed. So take, for example, one of the components which it says is fixable: the Tomcat web server that's contained inside of the container. And again, if we drill down into the Tomcat web server, we'll see, first of all, that the version of Tomcat is 9.0.31.
The first thing I'm going to do is I'm going to fix the creation of the container image, and I'm going to fix it so that it no longer installs these two packages. The way that I do that is the task. The pipeline task which is used to take your code and lay it on top of an image is called source-to-image.
So I recreate that task, and if I go back into OpenShift, you'll see that the task is now back in there. So that's step one. If we want to take a look at that particular YAML file and exactly what it does, we can scroll down, and we can see that in this YAML file it's removing those packages that are in question now.
So in this case I have four CVEs, and I'll show you how I do the first one. Then I'll show you how to disable it, and we can do the second one, third one, fourth one as well. So to disable the CVEs, we go back into our Advanced Cluster Security, and I want to look at the Vulnerability Management tab. Specifically, I want to view all of the detected vulnerabilities, and basically I want to search for, let's say, the first one: CVE-2020-25649.
So we go back in here and let's do a search for that CVE, and it's really simple to disable it. All we do is, let's say, we want to disable it for a day or a week, or you can even disable it indefinitely if you want. Now, of course, eventually you would want to fix it, but for now we're just going to make it simple and we're going to disable it. So, boom, there. Now it's disabled; let's go back and get the next one.
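The image check gate that failed the pipeline and the per-CVE deferral shown in the ACS console, as an added illustrative example (not Red Hat ACS code and not from the video): a small policy gate that fails the build on any finding at or above a CVSS threshold unless that CVE carries an unexpired deferral for a day, a week or indefinitely. The 7.0 threshold, the `defer`/`image_check` helpers, the findings and the `CVE-EXAMPLE-*` ids are assumptions and constructed sample data.

```python
# Illustrative image-check gate modelled on the ACS step in the demo (not
# Red Hat ACS code): fail the build on findings at or above a CVSS threshold
# unless the CVE carries an unexpired deferral (a day, a week or indefinite).
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class Finding:
    cve: str
    component: str
    version: str
    cvss: float
    fixable: bool

@dataclass(frozen=True)
class Deferral:
    cve: str
    expires: Optional[datetime]  # None means deferred indefinitely

def defer(cve, now, days=None):
    """Deferral expiring `days` from now, or indefinite when days is None."""
    return Deferral(cve, None if days is None else now + timedelta(days=days))

def active_deferrals(deferrals, now):
    """CVEs whose deferral has not expired; an expired snooze re-enables the check."""
    return {d.cve for d in deferrals if d.expires is None or d.expires > now}

def image_check(findings, deferrals, now, threshold=7.0):
    """Return (passed, violations). The gate fails on any finding that is
    not deferred and scores at or above the CVSS threshold (assumed 7.0)."""
    deferred = active_deferrals(deferrals, now)
    violations = [f for f in findings
                  if f.cvss >= threshold and f.cve not in deferred]
    return (not violations, violations)

# Constructed sample data: the jackson-databind CVE named in the demo plus
# placeholder ids (CVE-EXAMPLE-*) standing in for the other findings.
NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)
SAMPLE_FINDINGS = [
    Finding("CVE-2020-25649", "jackson-databind", "2.9.x", 7.5, True),
    Finding("CVE-EXAMPLE-0001", "tomcat", "9.0.31", 9.8, True),
    Finding("CVE-EXAMPLE-0002", "snakeyaml", "1.26", 5.5, False),
]

if __name__ == "__main__":
    # Defer the jackson-databind CVE for a week, as done in the ACS console.
    passed, bad = image_check(SAMPLE_FINDINGS, [defer("CVE-2020-25649", NOW, days=7)], NOW)
    print("passed" if passed else "FAILED: " + ", ".join(f.cve for f in bad))
```

With no deferrals the gate reports both high-scoring findings; deferring one for a week still fails on the other, and a deferral that has expired puts its CVE back into the violations.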
We can then look at the remaining task if we want to, just to see what the log presents, but in short, the pipeline has finished. It's done every single step, and we can go back and look at all the different things that we need to look at.