Red Hat OpenShift / Security | OpenShift

In this 25 minute session, you'll receive a brief overview of Red Hat Advanced Cluster Security, understand the vision for managing Kubernetes and container security, learn about recent RHACS updates, and receive a roadmap update for both near term and long term priorities.

Overview and demo on Secretless which simplifies Kubernetes security at scale by centralizing secrets management across hybrid clouds with Red Hat OpenShift and CyberArk.

Presented by Dave Meurer, Principal Solution Architect for Red Hat.

Learn more at openshift.com

DevSecOps: What Comes first the Tools or the Culture
Guest Speaker: Kirsten Newcomer (Red Hat)
Host: Diane Mueller (Red Hat)
OpenShift Commons Briefing
#TransformationFriday #DevSecOps

KubeLinter Introduction and Road Map
Guest Speakers: Viswajith Venugopal and Michael Foster (StackRox)
Hosts: Diane Mueller and Paul Morie (Red Hat)
OpenShift Commons Briefing
#AMA
2021-02-08

Open Policy Agent (OPA)Gatekeeper: Centralized Policy and Governance

Security and Governace Strategy and Architecture
Advanced Cluster Management for Kubernetes

Guest Speakers:
Jaya Ramanathan (Red Hat)
Yu Cao (Red)
Moderator: Kirsten Newcomer (Red Hat)

OpenShift Commons Briefing
Building Zero Trust based Authentication with SPIRE, SPIFFE, NSM & OPA Frederick Kautz (Doc.ai) and Bobby Samuel (Anthem)
hosted by Diane Mueller (Red Hat)
2020-05-26

OpenShift Commons Briefing 2020-05-19
Host: Diane Mueller (Red Hat)
Guest Speaker: Marc Boorshtein (Tremolo Security)

Securely Provision Your Pipeline on OCP Making Dev, Sec and Ops All Happy

Your CI/CD pipelines are a crucial component to your platform. Production OCP deployments need to take into account how to build out pipelines for applications in an automated way that respects all of the users in your environment. The Devs want systems that stay out of their way, Sec wants to be able to audit the environment and Ops doesn’t want to get paged. Automating the provisioning means integrating source control, multiple OCP clusters across environments, security scanning, and IT process to build an automated platform.

Tremolo Security’s CTO, Marc Boorshtein, will walk through a proof of concept that was built for a customer to automate the creation of a multi-environment secured pipeline using GitLab for source control, multiple OCP environments for different stages of the application’s lifecycle, Sonarqube for scanning, and OpenUnison to tie them all together via SSO and automated workflows. We’ll cover the initial provisioning of the pipeline, environments across multiple clusters, and promoting containers across environments without using the ocp command or ever logging into a terminal.



@mlbiam / @tremolosecurity

OpenShift Commons Briefing
Compliance as Code
Keith Basil (RedHat)
Hosted by Diane Mueller (Red Hat)
2020-05-13

OpenShift Commons Briefing
Why DevSecOps is Critical for Kubernetes
Kirsten Newcomer (RedHat)
Hosted by Diane Mueller (Red Hat)
2020-05-13

StackRox Overview and Demo
Ali Golshan (StackRox) and Kirsten Newcomer (Red Hat)
OpenShift Commons Briefing
hosted by Karena Angell (Red Hat)
Link to Slides: https://github.com/openshift-cs/commons.openshift.org/blob/master/briefings/slides/StackRox%20Overview%20Feb%202021.pdf

https://commons.openshift.org/events.html
02/02/2020

OpenDataHub Fraud Detection
ML SIG
OpenShift Commons
July 12 2019

Open Data Hub project is a reference architecture for an AI and Machine Learning as a service platform for OpenShift built using open source tools.

State of Container Security

Guest Speaker: Hayley Denbraver (SNYK)

There is a lot of emphasis on security in the OpenShift community, but mostly from the side of audit, controls and compliance. But a cloud native reality invites us to shift more ownership of security to the left, in the developer’s hands—given the right approach, process and tools. Snyk is a developer tools company that helps users find and fix vulnerabilities in open source libraries, both in apps and containers. Snyk’s focus is security depth and getting true dev adoption, which has led us to building tight integration into source control platforms, CI/CD tools, registries, PaaS and server less. Snyk features automated fixing of issues and the best vulnerability DB out there (enough to make Facebook, Netflix and others license the data feed itself). Towards Red Hat Summit, we will demo our new integrations into OpenShift, helping developers and operators to use open source while staying secure.

Resources: https://snyk.io/search/cheat+sheet
Create an account: https://app.snyk.io/signup

In this video we will explore configuring OAuth to specify an identity provider with OpenShift 4. We will also walk through creating a Custom Resource (CR) that describes the identity provider. We will continue to show how users authenticate against the API and access their OpenShift Cluster.

OpenShift Commons Gathering 2019
Santa Clara
State of Container Security
Urvashi Mohani and Mrunal Patel

London OpenShift Commons Gathering 2019
Lightning Talk Aqua Security
Securing Containers on Red Hat OpenShift

London OpenShift Commons Gathering 2019 Lightning Talk CrunchyData
PostgreSQL Operator

London OpenShift Commons Gathering 2019 Lightning Talk Sysdig
Using Sysdig Secure to Detect a Runtime Breach

London OpenShift Commons Gathering 2019
State of Container Security
Daniel Walsh Red Hat

Case Study: Securing OKD at Multiple Layers with Marc Boorshtein (Tremolo Security) Edit
Dec 19 @ 9:00 am
Case Study presentation on Securing OKD at multiple layers – OKD, FreeIPA, OPA and OpenUnison. Marc Boorshtein of Tremolo Security will do a deep dive into securing an OKD (Red Hat's OpenShift open source) deployment both at the OKD level and at the host level. We’ll also walk through how we integrated OPA to provide both validating webhooks and mutating webhooks for injecting Kerberos keys into containers for accessing Windows file shares and SQL Server databases.
Slides: https://blog.openshift.com/wp-content/uploads/OpenShift-Commons-Briefing-Securing-OKD-Tremolo-Security.pdf

The briefing reviews and explains the security concerns associated with container technologies and make practical recommendations for addressing those concerns when planning for, implementing, and maintaining containers that are outline in NIST’s Special Publication 800-190 Application Container Security Guide

Speakers: John Morello, CTO Twistlock and Dirk Herrmann, Product Manager, Red Hat

The CYBRIC platform integrates seamlessly into the DevOps process on OpenShift and enables continuous scanning capabilities at every stage. As code gets written and committed to code repositories, as build processes complete, CYBRIC can submit the code or build artifacts to scanning by a variety of open source and commercial SAST and SCA tools. The platform provides a unified integration to all products, which lowers the barriers for adoption and potential switching costs. Similarly, container images can be scanned as soon as they are built or posted to repositories such a Docker Hub, Artifactory or Nexus.

Within an OpenShift environment CYBRIC discovers and automatically scans all applications deployed, as well as the published external routes, with a range of DAST open source or commercial products. As new applications get deployed or new routes created, CYBRIC can detect them, automatically create new targets and scan them immediately for any vulnerabilities or misconfigurations. Scan results from the entire security toolchain are collected, normalized and deduplicated in order to provide the most concise and accurate view of the customer’s Security Posture at an application level. Static and dynamic scan results are correlated to provide valuable information about the most critical vulnerabilities as well as point out the root causes of the exploits observed against the applications.

CYBRIC Dashboards present data relevant to the executive level as well as for application stakeholders and individual contributors. Ultimately, the platform provides a clear view of Application and Enterprise Risk and helps users answer key business questions regarding the security and quality of the applications within the enterprise.

Everyone knows how microservices and containers are revolutionizing the way we deploy applications and maintain our infrastructure. But as many teams are starting to find out, containers have a key problem: monitoring and securing them with traditional tools can be impractical, painful, and sometimes plain impossible.

The Sysdig container intelligence platform provides a unified platform to deliver monitoring, security, and troubleshooting in a microservices-friendly architecture. In this session we will demo how Sysdig helps to:
- Monitor and alerting on Kubernetes infrastructure, services and applications
- Unified interface to troubleshoot issues inside containers with full system visibility
- Implement microservices based security policies looking at run-time behavior
- Enable post-mortem analysis and forensics on containers after they are long gone

In this talk from the OpenShift partner theater at Red Hat Summit 2018, learn how Aqua for Red Hat® OpenShift Container Platform works as a layer of security that provides image assurance, runtime controls, and protection against attacks. Learn how Aqua is natively deployed in an OpenShift environment by deploying pods, services, and Daemonsets and protects container workloads against attacks and insider misuse. You’ll also learn how the solution ensures visibility and compliance for OpenShift containerized applications.

In this OpenShift Commons briefing, Aporeto's Ariful Huq discusses best practices around securing your microservices:

Comprehensive: Zero Trust security for Network and API access control. Run-time visibility
Identity-driven: Identity is central to access control – and why cryptographic methods for assigning an identity to workloads are essential
Heterogenous: Because enterprises have mixed environments, the right security solution has to operate across clouds as well as in non-cloud native and service mesh environments
Following the best practices discussion, we will have a quick overview of Aporeto 2.0 as well as a demonstration of:

Network access control & API access control for apps deployed across multiple clouds and clusters.
A kill chain scenario

Jon Deeming, VP at Experian, presents how automation can ensure that security policy is consistently deployed into production OpenShift container environments. He shares some of the lessons learned in Experian’s move to containers. The dynamic nature of containers requires thinking through all the attack vectors in a new environment and creates the need for behavior-based security technology. This new technology needs to work with the system primitives, labels, resources and other metadata to maintain the desired security posture. At the same time, it’s critical to dive deeply into the Kubernetes architecture to understand how to properly deploy resilient services. Understanding the network and system behavior of pods and containers will enable DevOps and security teams to detect suspicious behaviors. This session provides a framework for evaluating container security and advice for securing business critical services and protecting sensitive data.

As one of the biggest banks in Central Europe, BZ WBK uses hundreds of systems, many of which were developed years ago when virtualization wasn’t a commodity like it is today. In a quest for more flexibility and efficiency, BZ WBK explored various options to improve and modernize its delivery and deployment pipeline, finally choosing Red Hat OpenShift.

In this session, we'll share why we chose OpenShift, how it affects our applications and infrastructure, and how it meets high security expectations and compliance/regulatory standards. We'll present real, technical-level examples of how to build pipelines, release secure containers and isolate them accordingly, and other tools you may need to successfully deploy them in production—all based on our experience building a working solution.

Learn more: https://agenda.summit.redhat.com/

Implementing Enterprise-grade Network Security with OpenShift and Tigera CNX with Amit Gupta (Tigera).


In an earlier Commons webinar, we described Tigera's open source Project Calico, and how it enables simplified networking with secure network policies. Amit Gupta will expand on that topic today with an exploration of the additional features enabled by Tigera's flagship CNX product, and a preview of capabilities in the forthcoming 2.1 release, including even closer integration with OpenShift.

Amit will cover practical workflows demanded by enterprises including meeting compliance requirements for network isolation with auditing, monitoring and alerting. He will also talk about how CNX enables multiple teams (e.g. security, network and development/ops) to easily and collaboratively define hierarchical security policies with role-based access controls and graphical management of policies (at last, yaml is purely optional!), and will draw from examples of real-world users adopting both CNX and OpenShift.

Learn how to simplify and strengthen your security posture by combining deep kernel-level container visibility with metadata from your Openshift deployment to define your security policies. SysDig’s Knox Anderson covers how the security landscape is changing, the architecture of Sysdig Secure, and even covers a live security instrumentation of a containerized environment.

The live demo will walk you through what Sysdig Secure can do:

– Implement application and OpenShift aware policies
– Block incoming attacks and container break-ins
– Audit executed commands
– OpenShift forensics: pre and post-attack investigation
– Unify monitoring & security workflows

No description provided.

In this Tech N’ Talk, Red Hat’s Kirsten Newcomer discusses the 10 most common layers in a typical container deployment and ways to build security into each layer. These layers include: The container host, content, and registries, the CI/CD process, the container platform, networking, storage, and API management.

Organizations are rapidly adopting containers to more easily develop and manage the applications that drive business value. However, as with any newer technology, enterprise use requires strong security at every stage of the lifecycle. Securing containers is a lot like securing any running process. You need to think about security throughout the layers of the software stack. You also need to secure your CI/CD pipeline. You need defense in depth.

This discussion coverseach of these 10 layers, and Kirstin uses Red Hat’s OpenShift container platform to illustrate how to deliver continuous security for containers.

Aporeto’s Cloud Native Security solution works through authentication, authorization, and encryption for all of a distributed application’s components. It generates a cryptographically-signed identity certificate for every application component orchestrated by OpenShift and allows interactions between those components if there is a policy that explicitly allows it. This whitelist security model is simple because it does away with the massive complexities of configuring the different segmentation schemes that would otherwise be required to achieve the same ends. In this briefing, Amir Sharif of Aporeto will give an overview of the solution and demonstrate using with applications deployed on OpenShift, explain the benefits and implications of this security model

In this webcast, Nenad Bogojevic from Amadeus and Diogenes Rettori from Red Hat talk about security mechanisms and protections related to Red Hat OpenShift Container Platform and Amadeus' experiences deploying and using OpenShift, including security mechanisms, such as user and network access control and policies in OpenShift and underlying Openstack, the audit trail of administrative actions, ways to use and protect Kubernetes secrets as well as some best practices for Docker containers. They also present some possibilities to address technical limitations or potentially unknown vectors of attack using compensating controls via auditd, monitoring, and alerting.

Amadeus operates large-scale, secure, Payment Card Industry Data Security Standard (PCI/DSS)-compliant online and e-retail systems. Recently, they started migrating those systems to OpenShift Container Platform. For Amadeus and their customers, security and compliance is paramount.

Guest Speakers:
Nenad Bogojevic – Software Architect, Amadeus
Diogenes Rettori – OpenShift Product Manager, Red Hat

Even in Containers, application security still matters. Running applications in containers means that many processes need to change. And security is no exception. Beyond the security and configuration of the container platform, there are implications to security of the application development, the way it runs, and how it is protected in production.

The very first line in a Docker file: FROM, is where security begins. The choice of the base image, the prerequisite components and the configuration of the image – all impact the security of the eventual container.

Security considerations are necessary when images are pulled and used. Are the images certified to run? Do they pass the risk criteria of the organization? A containerized environment still requires the demonstration of control, for compliance reasons and for the overall security of the application.

And as containers run, there are requirements to monitor their behavior, prevent modifications and protect them from unauthorized actions.

In this session, Aqua’s Tsvi Korren gives an overview of Aqua’s framework for effective application security in a containerized environment. It begins in the development process, progresses as images are built, continues through assurance of image authorization, and protects all running containers.

OpenShift networking works great out of the box, right? So why would you consider anything else? This briefing examines an alternative approach that has benefits for many scenarios – from tightly securing a few high-value AWS instances to scaling a large private cloud deployment.

Come learn how the Calico solution differs from traditional solutions like OpenShift SDN, and how Calico has now been integrated with Kubernetes and OpenShift to provide a smooth deployment experience, and lessons learned across hundreds of enterprise users.

Guest Speaker: Andrew Randall, Tigera

DevSecOps: Security Injection with SecurePaaS on OpenShift with Shadow-Soft's Derrick Sutherland

In this Briefing, Derrick Sutherland of Shadow-Soft will address cyber security concerns in a DevOps world and demonstrate how using SecurePaaS on OpenShift automatically and without developer intervention, introspects, federates, and injects identity, authentication, authorization, & auditing (IAAA) into an application’s source code, uniquely protecting IT assets. Learn more at http://securepaas.com/