Securing your OpenShift container environment with StackRox

The Red Hat OpenShift platform is enabling enterprise organizations to use container technologies such as Docker and Kubernetes to build, deploy, and run applications with unprecedented agility, scale, and speed. In this blog post, I’ll walk through how we’ve integrated StackRox with OpenShift to help our joint customers ensure comprehensive security across their container lifecycle. You can also visit the OpenShift Commons to view a recording of my briefing on this topic from last week, which goes into more detail and provides a live demo of StackRox running with OpenShift.

OpenShift security features in build and deploy phases

[Figure: OpenShift capabilities at build and deploy phases]

The OpenShift platform itself provides several security capabilities that enable you to securely build images and deploy containers. In the build phase, best practices require ensuring images are scanned for known vulnerabilities, that trust is established over image content, and that the ability to push and pull images to and from the registry and access the cluster is appropriately limited.

OpenShift provides vulnerability scanning via Atomic Scan, and allows you to sign images with GPG keys. It also incorporates robust role-based access controls.

In the deploy phase, you have to think about hardening and isolating containers throughout the cluster to limit up front what they are able to do, and about ensuring that sensitive data is not exposed. OpenShift leverages the secrets management that is built into Kubernetes, and support was recently added to encrypt these secrets at rest in etcd. Kernel-level security can be applied using mechanisms like SELinux and seccomp profiles, and Projects and Network Policies provide additional isolation between containers.
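
The deploy-phase controls listed above can be checked before a workload is admitted. The following is an added example, not code from StackRox or OpenShift: a small auditor that flags pod specs lacking a seccomp profile, running privileged or with the SELinux type spc_t, carrying literal secrets in environment variables, or not selected by any Network Policy. The manifests are constructed sample data, the secret-name hints are an assumption, the seccompProfile field is the current Kubernetes API form, and selector matching is simplified to matchLabels.

```python
# Added example; all manifests below are constructed sample data.
SECRET_HINTS = ("PASSWORD", "TOKEN", "SECRET")  # assumed naming hints

def selects(policy, meta):
    """True if a NetworkPolicy in the pod's namespace selects it (matchLabels only)."""
    if policy["metadata"]["namespace"] != meta["namespace"]:
        return False
    want = policy["spec"].get("podSelector", {}).get("matchLabels", {})
    # An empty selector matches every pod in the namespace.
    return all(meta.get("labels", {}).get(k) == v for k, v in want.items())

def audit(pod, policies):
    """Return a list of hardening findings for one pod manifest."""
    meta, spec, out = pod["metadata"], pod["spec"], []
    pod_sc = spec.get("securityContext", {})
    for c in spec["containers"]:
        sc = c.get("securityContext", {})
        # Container-level settings override pod-level ones.
        seccomp = (sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}).get("type")
        if seccomp in (None, "Unconfined"):
            out.append(f"{c['name']}: no seccomp profile")
        selinux = (sc.get("seLinuxOptions") or pod_sc.get("seLinuxOptions") or {}).get("type")
        if sc.get("privileged") or selinux == "spc_t":
            out.append(f"{c['name']}: privileged or SELinux type spc_t")
        # Secrets should arrive via secretKeyRef, not as literal values.
        for env in c.get("env", []):
            if "value" in env and any(h in env["name"].upper() for h in SECRET_HINTS):
                out.append(f"{c['name']}: literal secret in env {env['name']}")
    if not any(selects(p, meta) for p in policies):
        out.append("pod: no NetworkPolicy selects it")
    return out

POLICIES = [{"metadata": {"name": "api-ingress", "namespace": "shop"},
             "spec": {"podSelector": {"matchLabels": {"app": "api"}}}}]
WEAK = {"metadata": {"name": "web", "namespace": "shop", "labels": {"app": "web"}},
        "spec": {"containers": [{"name": "web", "securityContext": {"privileged": True},
                                 "env": [{"name": "DB_PASSWORD", "value": "example-only"}]}]}}
HARDENED = {"metadata": {"name": "api", "namespace": "shop", "labels": {"app": "api"}},
            "spec": {"securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
                     "containers": [{"name": "api", "env": [{"name": "DB_PASSWORD",
                         "valueFrom": {"secretKeyRef": {"name": "db", "key": "password"}}}]}]}}

if __name__ == "__main__":
    for pod in (WEAK, HARDENED):
        print(pod["metadata"]["name"], audit(pod, POLICIES) or "ok")
```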

StackRox for runtime security

[Figure: StackRox capabilities at runtime phase]

StackRox complements the security provided in OpenShift by focusing on security during the runtime phase. This encompasses capabilities such as monitoring and network visibility, intrusion detection, exploit prevention, data protection, and incident response and forensics.

Our product achieves this with a container-native architecture — deploying and running a set of integrated security containers alongside your containerized applications. This allows StackRox to easily fit in with and effectively become built into your container stack. It is agnostic to and abstracted from the underlying infrastructure and other container tooling.

The data we collect is evaluated for various threat indicators and analyzed using machine-learning-based modeling. This enables comprehensive threat protection – detection, prevention, and response – that fully adapts to your container environment and the specific applications that are running.

StackRox’s OpenShift integration

For OpenShift environments, our platform is distributed as a set of container images that are used to launch the StackRox services into your OpenShift cluster. But rather than just providing OpenShift users with a set of images, we built in native integrations with the platform itself.

This integration means bringing up StackRox is very easy – you can utilize your existing orchestrator toolchain including the OpenShift CLI, familiar oc command syntax, and YAML files to launch and manage StackRox. We also have a built-in bootstrapping process for all our services that is OpenShift-aware. Many of our customers prefer to use private registries, and you can opt to store our images in the OpenShift Container Registry.

Our services run in a separate OpenShift project, which allows you to determine who has the ability to administer StackRox within your cluster. Additionally, you can set up flexible deployment configurations by running different classes of StackRox services on specific nodes, using node selectors for our project.

In this model, security can simply be thought of as just another application. It runs alongside your containerized applications, and is managed the same way in terms of deployments and upgrades. StackRox is designed to auto-scale up and down based on the data it analyzes, and it operates within your existing configurations, including projects and security context constraints (SCCs).

Additionally, StackRox is able to auto-discover containerized OpenShift and Kubernetes services, monitor them, and detect threats against them. This matters because the orchestrator represents a distinct and separate attack surface that is critical to safeguard. Compromise of the orchestrator can result in an attacker taking a number of privileged actions on the cluster.

A deeper look at StackRox deployed on an OpenShift cluster

StackRox can be deployed using your existing OpenShift toolchain. This will launch the StackRox Portal, which provides a web-based user interface and runs as a separate microservice. The Portal dashboard provides a summary of your container environment, including an overall network view of your containerized applications, and presents the type of visibility that traditional security tools simply can’t.

Once running, StackRox auto-discovers containers in your environment. These include OpenShift services such as OpenShift Origin and Cockpit, which provides a dashboard UI for the cluster. The containers that make up these services may include the underlying Kubernetes services that handle DNS, network proxy and load balancing, metrics, and so on.

Machine learning models are automatically built based on signals collected from all containerized applications. These machine learning models can then be applied to detect threats within the environment. Alerts present both a summary and detailed context to security operators.

With StackRox, enterprises can automate the detection of threats in an OpenShift environment, and benefit from the visibility, analysis, and context needed for comprehensive container security.

Are you looking at securing your OpenShift environment at runtime? Check out the recording of my session and demo at OpenShift Commons, and contact us if you’re interested in using StackRox.