Red Hat OpenShift
Picture of Amir Jerbi
Amir Jerbi
 May 08, 2017

Securing Containers on OpenShift

Red Hat OpenShift container platform is one of the popular and mature platforms for developing and managing container deployments. While it has many built-in security features, Aqua provides an additional layer of security both in development as well as for protecting containerized applications in runtime.

Installing Aqua on OpenShift

Aqua can be natively deployed in an openshift environment by deploying pods, services and Daemonsets.

You start by deploying the Aqua Command Center components:

Openshift step 1 - create console environment.png

You can then verify that pods are running:

Openshift step 2 - verify pods.png

And login to the Aqua Command Center:

Openshift step 3 - Aqua Login.png

You then deploy the Aqua Enfrocer container through Daemonset - this will ensure that Aqua Enforcer is running on every node in the Openshift cluster:

 

Openshift step 5 - deploy Aqua Agent Daemonset.pngOpenshift step 6 - verify agent is deployed.png

 

Request a 1-on-1 Demo

Container Image Assurance 

With Aqua, you can control which images will be allowed run in your Openshift environment by defining image assurance policies. These policies can define the security level that containers running in Openshift environment should have.

Openshift step 8 - image assurance.png

The outcome is that all images in the OpenShift environment will be assessed for security quality, which includes scanning them for known vulnerabilities, insecure configurations, and embedded secrets. If an image does not pass the security assessment then it will be marked as “disallowed” for running, and will not be able to run on the cluster.

Openshift step 8 - image scanning results.png

For example, trying to run “jboss/wildfly” image on the OpenShift cluster will fail as the image vulnerability score is too high.

Openshift step 10a - running disallowed image.png

Openshift step 10b - running disallowed image.png

Openshift step 10c - running disallowed image.png

 

Request a 1-on-1 Demo

Runtime Controls

Aqua automatically profiles containers running in an Openshift cluster to limit their abilities to the least needed privileges, based on actual application use. This means that if a container will try elevating privileges through user impersonation, running an unauthorized process or accessing an unauthorized file - the operation that violates the policy would be blocked and reported:

Openshift step 11 - profiling.png

As you can see, if the container tries to run a process that was not allowed under the profile, that actions will be blocked and the event will be logged.

Openshift step 12 - runtime profile.pngOpenshift step 13 - runtime audit.png

To Learn More

Access our resource center, the Aqua page on OpenShift Hub, or ask us for a demo!
Picture of Amir Jerbi

Amir Jerbi
Amir is the Co-Founder and CTO at Aqua. Amir has 20 years of security software experience in technical leadership positions. Amir co-founded Aqua with the vision of creating a security solution that will be simpler and lighter than traditional security products. Prior to Aqua, he was a Chief Architect at CA Technologies, in charge of the host based security product line, building enterprise grade security products for Global 1000 companies. Amir has 14 cloud and virtual security patents under his belt. In his free time, Amir enjoys backpacking in exotic places.

Container Security, Runtime Security, OpenShift

Subscribe to Email Updates

Popular Posts

Filter by Topic

Show more...

    Aqua Security enables enterprises to secure their container-based and cloud-native applications from development to production, accelerating container adoption and bridging the gap between DevOps and IT security.

    Aqua’s Container Security Platform provides full visibility into container activity, allowing organizations to detect and prevent suspicious activity and attacks, providing transparent, automated security while helping to enforce policy and simplify regulatory compliance.

Copyright © 2021 Aqua Security Software Ltd.