Security oriented OpenShift within regulated environments

Transcription

1 Security oriented within regulated environments Dawid Szymański - IT Architect, BZWBK Tomasz Cholewa - Lead Cloud Architect (RHCA), Mindbox Jarosław Stakun - Lead Solutions Architect, Red Hat 9th May 2018

2 Why?

3 Road to Photo credit: Sky Noir on VisualHunt / CC BY-NC

4 X86 VM

5 X86 VM IBM LPAR

6 X86 VM IBM LPAR Technology obsolescence

7 X86 VM IBM LPAR Technology obsolescence A lot of manual work

8 X86 VM Almost no control over development components IBM LPAR Technology obsolescence A lot of manual work

9 X86 VM Almost no control over development components IBM LPAR A lot of different versions of platforms Technology obsolescence A lot of manual work

10 X86 VM Almost no control over development components IBM LPAR Technology obsolescence A lot of manual work Compliance and security are pain in the... A lot of different versions of platforms

11 X86 VM Almost no control over development components IBM LPAR Technology obsolescence A lot of manual work Compliance and security are pain in the... A lot of different versions of platforms Changes are required in many places

12 Docker Swarm Architecture PoC

13 Docker Swarm Architecture PoC FE 2.0 Project

14 Docker Swarm Architecture PoC FE 2.0 Project Docker Swarm Infra PoC

15 Docker Swarm Architecture PoC FE 2.0 Project Docker Swarm Infra PoC BZWBK24 Docker in Production

16 Docker Swarm Architecture PoC FE 2.0 Project We all go together! Docker Swarm Infra PoC BZWBK24 Docker in Production

17 Docker Swarm Architecture PoC FE 2.0 Project We all go together! Docker Swarm Infra PoC BZWBK24 Docker in Production Docker Swarm issues

18 Docker Swarm Architecture PoC FE 2.0 Project We all go together! Docker Swarm Infra PoC BZWBK24 Docker in Production Docker Swarm issues RFI RFP

19 Docker Swarm Architecture PoC FE 2.0 Project We all go together! Docker Swarm Infra PoC BZWBK24 Docker in Production Docker Swarm issues RFI RFP!

20 Secure by design! IPSEC under Service Serving! Certificate Secrets! Bank central Artifactory repo for Use internal images instead registry and of internal registry external if needed! 4 Clusters 3 Clusters 2 Clusters 2 Prod / 2 Test 2 Prod / 1 Test 1 Prod / 1 Test

21 Adjusting deployments to new cloud native reality

22

23 Continuous Deployment pipeline Only defined list of people allowed to approve

24 Speeding up deployment with CD pipelines

25 Release pipeline Multiple microservices All that is required to run an app

26 Release pipeline

27 Creating secure and compliant container images

28 Use github.com to fork/clone images sources

29 Use github.com to fork/clone images sources Need all images to be RHEL based

30 Use github.com to fork/clone images sources Need all images to be RHEL based Sources not binaries! No docker hub!

31 Use github.com to fork/clone images sources Need all images to be RHEL based Sources not binaries! No docker hub! Own proxies and repos

32 Use github.com to fork/clone images sources Create own base images for s2i and other products Need all images to be RHEL based Sources not binaries! No docker hub! Own proxies and repos

33 Use github.com to fork/clone images sources Create own base images for s2i and other products Need all images to be RHEL based Sources not binaries! No docker hub! Internal non-public Certificate Authority Own proxies and repos

34 Use github.com to fork/clone images sources Create own base images for s2i and other products Need all images to be RHEL based Sources not binaries! No docker hub! Internal non-public Certificate Authority Own proxies and repos All exposed services protected by TLS

35 Use github.com to fork/clone images sources Need all images to be RHEL based Create own base images for s2i and other products Need to provide boilerplates for developers Sources not binaries! No docker hub! Internal non-public Certificate Authority Own proxies and repos All exposed services protected by TLS

36 Use github.com to fork/clone images sources Need all images to be RHEL based Create own base images for s2i and other products Need to provide boilerplates for developers Sources not binaries! No docker hub! Internal non-public Certificate Authority Own proxies and repos All exposed services protected by TLS When you need adjustment you change it in one place

37 FROM registry.access.redhat.com/rhel7:latest RUN ln -sf /usr/share/zoneinfo/europe/warsaw /etc/localtime RUN cd /etc/pki/ca-trust/source/anchors/ && \ curl -Awget -O " && \ update-ca-trust extract [...]

38 Dealing with security and compliance requirements

39

40 Security controlled with code SSL SSL SSL APP1 APP3 APP3 Old Router (https) APP1 APP1 New APP1

41 Traffic isolation between applications

42 Traffic isolation Project1 Project2

43 Outbound traffic Traditional (static) firewall Project1 Project2

44 Inbound traffic Traditional (static) firewall Project1 Project2

45 You can t always get what you want Impossible in??? < 3.9 Project1 Project2

46 Overcoming shortcomings

47 SECURITY ACROSS ALL LAYERS Self-Service CONTROL Service Catalog (Language Runtimes, Middleware, Databases) Build Automation Deployment Automation Application Lifecycle Management Application Security (CI/CD) Container Orchestration & Cluster Management (Kubernetes) Networking Storage Registry Logs & Metrics Security DEFEND Infrastructure Infrastructure Automation & Management Enterprise Container Host Container Runtime & Packaging Atomic Host Red Hat Enterprise Linux EXTEND

48 AUTOMATED & INTEGRATED SECURITY CONTROL Container Content CI/CD Application Security Container Registry Deployment Policies Container Platform Container Host Multi-tenancy Network Isolation Storage Audit & Logging API Management DEFEND Infrastructure EXTEND Security Ecosystem

49

50 And this is what we call DevOps! nk a b a In

51 Contact us Tomasz Cholewa, Mindbox Dawid Szymański, BZWBK Jarosław Stakun, Red Hat Lead Cloud Architect IT Architect Lead Solution Architect m jarek@redhat.com