Securing the container platform
OKD and Kubernetes APIs are key to automating container management at scale. APIs are used to:
Validate and configure the data for pods, services, and replication controllers.
Perform project validation on incoming requests and invoke triggers on other major system components.
Security-related features in OKD that are based on Kubernetes include:
Multitenancy, which combines Role-Based Access Controls and network policies to isolate containers at multiple levels.
Admission plug-ins, which form boundaries between an API and those making requests to the API.
OKD uses Operators to automate and simplify the management of Kubernetes-level security features.
Isolating containers with multitenancy
Multitenancy allows applications on an OKD cluster that are owned by multiple users, and run across multiple hosts and namespaces, to remain isolated from each other and from outside attacks. You obtain multitenancy by applying role-based access control (RBAC) to Kubernetes namespaces.
In Kubernetes, namespaces are areas where applications can run in ways that are separate from other applications. OKD uses and extends namespaces by adding extra annotations, including MCS labeling in SELinux, and identifying these extended namespaces as projects. Within the scope of a project, users can maintain their own cluster resources, including service accounts, policies, constraints, and various other objects.
RBAC objects are assigned to projects to authorize selected users to have access to those projects. That authorization takes the form of rules, roles, and bindings:
Rules define what a user can create or access in a project.
Roles are collections of rules that you can bind to selected users or groups.
Bindings define the association between users or groups and roles.
Local RBAC roles and bindings attach a user or group to a particular project. Cluster RBAC can attach cluster-wide roles and bindings to all projects in a cluster. There are default cluster roles that can be assigned to provide admin
, basic-user
, cluster-admin
, and cluster-status
access.
Protecting control plane with admission plug-ins
While RBAC controls access rules between users and groups and available projects, admission plug-ins define access to the OKD master API. Admission plug-ins form a chain of rules that consist of:
Default admissions plug-ins: These implement a default set of policies and resources limits that are applied to components of the OKD control plane.
Mutating admission plug-ins: These plug-ins dynamically extend the admission chain. They call out to a webhook server and can both authenticate a request and modify the selected resource.
Validating admission plug-ins: These validate requests for a selected resource and can both validate the request and ensure that the resource does not change again.
API requests go through admissions plug-ins in a chain, with any failure along the way causing the request to be rejected. Each admission plug-in is associated with particular resources and only responds to requests for those resources.
Security context constraints (SCCs)
You can use security context constraints (SCCs) to define a set of conditions that a pod must run with in order to be accepted into the system.
Some aspects that can be managed by SCCs include:
Running of privileged containers
Capabilities a container can request to be added
Use of host directories as volumes
SELinux context of the container
Container user ID
If you have the required permissions, you can adjust the default SCC policies to be more permissive, if required.
Granting roles to service accounts
You can assign roles to service accounts, in the same way that users are assigned role-based access. There are three default service accounts created for each project. A service account:
is limited in scope to a particular project
derives its name from its project
is automatically assigned an API token and credentials to access the OpenShift Container Registry
Service accounts associated with platform components automatically have their keys rotated.
Authentication and authorization
Controlling access using OAuth
You can use API access control via authentication and authorization for securing your container platform. The OKD master includes a built-in OAuth server. Users can obtain OAuth access tokens to authenticate themselves to the API.
As an administrator, you can configure OAuth to authenticate using an identity provider, such as LDAP, GitHub, or Google. The identity provider is used by default for new OKD deployments, but you can configure this at initial installation time or post-installation.
API access control and management
Applications can have multiple, independent API services which have different endpoints that require management. OKD includes a containerized version of the 3scale API gateway so that you can manage your APIs and control access.
3scale gives you a variety of standard options for API authentication and security, which can be used alone or in combination to issue credentials and control access: standard API keys, application ID and key pair, and OAuth 2.0.
You can restrict access to specific endpoints, methods, and services and apply access policy for groups of users. Application plans allow you to set rate limits for API usage and control traffic flow for groups of developers.
For a tutorial on using APIcast v2, the containerized 3scale API Gateway, see Running APIcast on Red Hat OpenShift in the 3scale documentation.
Red Hat Single Sign-On
The Red Hat Single Sign-On server enables you to secure your applications by providing web single sign-on capabilities based on standards, including SAML 2.0, OpenID Connect, and OAuth 2.0. The server can act as a SAML or OpenID Connect–based identity provider (IdP), mediating with your enterprise user directory or third-party identity provider for identity information and your applications using standards-based tokens. You can integrate Red Hat Single Sign-On with LDAP-based directory services including Microsoft Active Directory and Red Hat Enterprise Linux Identity Management.
Secure self-service web console
OKD provides a self-service web console to ensure that teams do not access other environments without authorization. OKD ensures a secure multitenant master by providing the following:
Access to the master uses Transport Layer Security (TLS)
Access to the API Server uses X.509 certificates or OAuth access tokens
Project quota limits the damage that a rogue token could do
The etcd service is not exposed directly to the cluster
Managing certificates for the platform
OKD has multiple components within its framework that use REST-based HTTPS communication leveraging encryption via TLS certificates. OKD’s installer configures these certificates during installation. There are some primary components that generate this traffic:
masters (API server and controllers)
etcd
nodes
registry
router
Configuring custom certificates
You can configure custom serving certificates for the public hostnames of the API server and web console during initial installation or when redeploying certificates. You can also use a custom CA.
Additional resources