Professional Documents
Culture Documents
OpenShift
as experienced @ Amadeus
2
Why security
And not the one like in picture
_Protecting assets
computing capacity, data
_Personal information
General Data Protection Regulation
(GDPR)
3
How?
To be better than the one like in picture
EVERYONE ON BOARD
_Pre-constructed VM images
Use OpenStack on our hardware
mirrored repositories & registries
Or public cloud providers scanned using OpenSCAP
_Network design
Where are DMZ and layered
protection?
OpenStack security groups
Bastion
App Nodes DevOps
SSH
HTTPS
SDN
@
Repository Repository
9
OpenShift
11
oc login -u system:admin
12
13
14
15
Using Secrets
Security as code
Masters
apiVersion: v1 apiVersion: v1
kind: Pod kind: Secret
metadata: metadata:
name: use-secret-pod name: top-secret
spec: data:
containers: username: bmVuYWQ=
- name: secret-test-container password: aWtuZXd5b3V3b3VsZHRyeXRoaXM=
image: myapp
env:
- name: SECRET_USERNAME
valueFrom:
16
OpenShift Secrets Less Great Things
Handbrake for certification
_Encrypt disks
_Compensating controls
18
OpenShift Audit Log
19
auditd introduction
audit.log
Alerting system
auditd rules
-a always,exit -S <syscall>
-w <filename>
20
auditd rules for masters
Monitoring etcd
22
More use of auditd
With the help of openscap
23
24
Containers
Lets be agile!
Run as root
Privileged containers hostpath
port < 1000
Running old containers
26
Containers & Developers
Lets be agile!
Run as root
Privileged containers hostpath
port < 1000
Running old containers
27
Root Access
Not allowed
28
Image control
Secured source
30
Guiding thoughts
31
What we miss
This might be roadmap
Encryption of Secrets!
Generic/pluggable image-inspector?
32
Thank you!