Improve and simplify securing Red Hat OpenShift containerized environments by leveraging CyberArk’s secrets management solutions and out-of-the-box certified integrations. This demo-heavy technical session expands on the prior webinar and uses demos and examples to give practical guidance on how to improve the security of your organization’s containerized applications, all while avoiding any impact on developer velocity.
This session will provide:
A clear understanding of the challenges and requirements for securing Kubernetes and Red Hat OpenShift containerized environments at enterprise scale
The benefits of enhancing the native secrets management and security capabilities of OpenShift with CyberArk’s certified integrations
Guidance to address common security challenges, including achieving enterprise scale and availability, minimizing the time spent on audit and compliance requests, and avoiding problems with developer adoption
Practical steps to get started using Conjur Open Source and next steps
CyberArk, the global leader in privileged access management, offers the industry’s most complete solution for securing both the credentials and secrets used by applications, Playbooks, scripts and other non-human identities, as well as human users. CyberArk solutions are deployed at many of the world’s largest enterprises including over half the Fortune 500.
Securing Red Hat OpenShift Containerized Applications At Enterprise Scale
1. Red Hat/CyberArk webinar
Jody Hunt
Director, DevOps Security
CyberArk
Vijay Arungurikai
Senior Solutions Architect
Embedded & ISV Partners, Red Hat
2. F16625-200131
The world’s leading provider of open source enterprise IT solutions
More than 90% of the Fortune 500 use Red Hat products & solutions*
~13,815 employees
105+ offices
40+ countries
The first $3 billion open source company in the world
*Red Hat client data and Fortune 500 list, October 2019. Note: Currency in U.S. dollars.
4. Product Portfolio
Infrastructure Software: Red Hat Enterprise Linux, Red Hat Virtualization, Red Hat OpenStack Platform, Red Hat Ceph Storage
Container Platform: Red Hat OpenShift Container Platform
Automation & Management: Red Hat Ansible Automation Platform, Red Hat Satellite, Red Hat Insights, Red Hat CloudForms
Middleware & Integration: Red Hat Fuse, Red Hat JBoss EAP, Red Hat AMQ, Red Hat 3scale API Management, Red Hat OpenShift Application Runtimes
Application & Business Processes: Red Hat Decision Manager, Red Hat Process Automation Manager
Developer Tools: Red Hat CodeReady Workspaces
Services: Red Hat Learning Subscription, Red Hat Certification, Red Hat Consulting, Red Hat Open Innovation Labs
5. OpenShift 4.4
Highlights across the new installer, platforms, storage, automation, cloud-native, and dev tools:
● RHV IPI
● Azure & OpenStack UPI
● DNS forwarding
● Kubernetes 1.17
● OpenShift Serverless is GA
● Helm 3 support is GA
● OpenShift Pipelines is TP
● Developer Console gains monitoring & Helm features
● CSI topology support
● CSI volume snapshot, restore, clone (Tech Preview)
● iSCSI PVs for internal registry
● Auto image pruning in registry
7. A consistent container application platform
● Automated operations
● Multi-tenant
● Network traffic control
● Over-the-air updates
● Pluggable architecture
● Monitoring & chargeback
● Secure by default
FROM YOUR DATACENTER TO THE CLOUD: Bare metal, VMware vSphere, Red Hat Virtualization, Red Hat OpenStack Platform, Amazon Web Services, Microsoft Azure, Google, IBM Cloud
8. OpenShift enables developer productivity
Workloads: Spring & Java™ EE, microservices, functions, languages, databases, application services; on Linux and Windows* (* coming soon)
Lifecycle: code, build, test, deploy, monitor, review
● Self-service provisioning
● Automated build & deploy
● CI/CD pipelines
● Consistent environments
● Configuration management
● App logs & metrics
9. 4.4 Supported Providers
Full Stack Automation (IPI) | Pre-existing Infrastructure (UPI)
Bare Metal
IBM Power Systems*
* Note: Planned for an upcoming 4.3.z release on April 30th
* Denotes new addition in OCP 4.4
10. OpenShift offers the broadest set of hybrid cloud services
● Red Hat OpenShift Dedicated: Managed by Red Hat, or Customer Managed
● Red Hat OpenShift on IBM Cloud, or Customer Managed (UPI)
● On-premises: Customer Managed
● Azure Red Hat OpenShift: Jointly Managed & Supported, Jointly Engineered
11. Red Hat OpenShift has seen 70%+ market expansion
● Supported on every major cloud: AWS, Azure, GCP, IBM, AliCloud
● Broadest hybrid cloud market adoption
● 100s of ISVs supporting operators
● Expanded AI/ML focus
● 1st to market with service mesh
● 1st to market with serverless
● New CodeReady developer experience
● New security, encryption enhancements
● Integrated IBM Portfolio via CloudPaks
● ...and much more
[Chart: Red Hat OpenShift customers, FY 2015 to FY 2020, rising to 1700+]
12. A broad ecosystem of workloads
Operator-backed services allow for a SaaS experience on your own infrastructure: relational DBs, NoSQL DBs, storage, messaging, security, monitoring, AI/ML, big data, DevOps
13. Operator SDK: Enabling everybody to write Operators
● Support for Helm 3: build Operators from Helm v2 and v3 charts
● Ansible collections: Ansible Operator supports the k8s module collection
● Custom metrics: every Operator supports custom metric endpoints
● Generate packaging: Operator metadata (CSV) for OLM gets generated
● Kubernetes compatibility: keep in sync with new Kubernetes releases
● Scorecard v2: enable testing your Operator in a pipeline
14. Do your applications use privileged credentials?
Secrets management for Red Hat OCP
Jody Hunt, DevOps SME
16. SHIFTING SECURITY LEFT INTO DEVELOPMENT WORKFLOWS
Pipeline stages: Plan, Code, Create, Test, Release, Deploy, Operate. Roles: Developers, DevOps, Security.
Empower Security Team
• Highlight the app & tool risk
• Leverage single platform – human/non-human solution serves all
• Security focus
• Manage security budget
Enable Developer/DevOps
• Easy to use (consume secrets)
• Prebuilt integrations
• Open source and Secretless
Free developers from security burden
• Compliance, audit requests, human creds
• Security budget
17. THE PROBLEM WE’RE SOLVING
There are lots of places to store secrets. But:
• Platform solutions only work for those platforms
• Tool solutions lack security
• Most not enterprise ready
• Hard to share best-practices
• SoD not enforced
• GRC reporting is impossible
Islands of Security: Hiera, Databags, Vault, IAM / KMS (one per cloud), home grown solutions, scattered secrets
18. THE VISION WE’RE DELIVERING ON
Enterprise-Spanning Service delivered by IT Security
Scope: IaaS, On-Prem Infrastructure and Apps (*NIX, Windows, zOS), DevOps Tools, PaaS, Security Solutions, IT Mgt Software, App Servers and Custom Apps, RPA, PAS
Consistently enforce privilege security policies for both human users and non-human identities
20. OCP4 Lab Architecture
● Windows Hosts (my Mac): CyberArk Enterprise Password Vault, Synchronizer
● Linux Host (Azure): Dynamic Access Provider (Conjur Open Source)
● OCP4 Cluster (AWS): User Namespaces running the Lab App with its Authenticator; cybrlab Namespace holding the Services
21. SECRETS ACCESS WORKFLOW
Parties: Requestor, Application Access Manager / Dynamic Access Provider, Target
1. Authenticate: the Requestor authenticates to the Dynamic Access Provider and receives an Access Token (expires after 8 mins)
2. Access per Policy
3. Retrieve secrets
4. Use secrets against the Target
All activity is audited
22. CYBERARK OCP4 LABS
• Lab 1:
  • Authenticator runs as a Sidecar
  • App pulls DB creds with REST API
  • App connects to DB
• Lab 2: Secrets Injection
  • Leverages Summon component
  • Authenticator runs as an Init container
  • Summon pulls DB creds & calls app w/ creds in env vars
  • App connects to DB
• Lab 3: K8s Secrets
  • Authenticator runs as an Init Container
  • K8s secret manifest names DB cred names
  • Authenticator retrieves DB creds & dynamically patches K8s secret w/ DB cred values
  • App connects to DB
• Lab 4: Secretless Broker
  • Authenticator runs as a Sidecar Container listening on DB port
  • App attempts to connect to DB on local port
  • Authenticator retrieves DB creds, connects to DB, proxies connection for app
  • App connects to DB
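The following Python model makes two of the slides concrete: the Secrets Access Workflow (authenticate, receive an access token that expires after 8 minutes, access per policy, retrieve secrets, audited activity) and the Lab 3 pattern, where a Kubernetes Secret manifest names the credential variables and the authenticator patches in the values. It is an added illustration, not CyberArk or Conjur code: the `SecretsProvider` class, the identity and enrolment-credential scheme, the policy and store dictionaries, the HMAC token format and all sample values are assumptions constructed for this example. Only the 8-minute token lifetime comes from the slide.

```python
import base64
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, replace

TOKEN_TTL_SECONDS = 8 * 60  # the slide: "Access Token expires after 8 mins"


@dataclass(frozen=True)
class AccessToken:
    identity: str     # authenticated requestor (assumed form: namespace/service-account)
    issued_at: float  # provider clock time at issue
    nonce: str
    mac: str          # HMAC over the other fields, so a token cannot be altered


class AccessDenied(Exception):
    pass


class SecretsProvider:
    """Stand-in for the Dynamic Access Provider (illustration only, not Conjur).
    identities: {identity: enrolment credential} (assumed scheme); policy: {identity: set of
    variable ids it may read}; store: {variable id: secret value}."""

    def __init__(self, identities, policy, store, clock=time.time):
        self._key = secrets.token_bytes(32)  # server-side token MAC key
        self.identities, self.policy, self.store, self.clock = identities, policy, store, clock
        self.audit = []  # every authenticate/fetch attempt is recorded here

    def _record(self, event, identity, outcome, variable=None):
        self.audit.append({"at": self.clock(), "event": event, "identity": identity,
                           "variable": variable, "outcome": outcome})

    def _mac(self, identity, issued_at, nonce):
        msg = f"{identity}|{issued_at!r}|{nonce}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def authenticate(self, identity, credential):
        """Step 1: Authenticate -> Access Token."""
        expected = self.identities.get(identity)
        if expected is None or not hmac.compare_digest(expected, credential):
            self._record("authenticate", identity, "denied")
            raise AccessDenied("authentication failed")
        issued_at, nonce = self.clock(), secrets.token_hex(8)
        self._record("authenticate", identity, "ok")
        return AccessToken(identity, issued_at, nonce, self._mac(identity, issued_at, nonce))

    def fetch_secret(self, token, variable):
        """Steps 2-3: Access per policy -> Retrieve secret; every refusal is audited too."""
        if not hmac.compare_digest(token.mac, self._mac(token.identity, token.issued_at, token.nonce)):
            problem = "tampered token"
        elif self.clock() - token.issued_at >= TOKEN_TTL_SECONDS:
            problem = "expired token"
        elif variable not in self.policy.get(token.identity, set()):
            problem = "not permitted by policy"
        else:
            self._record("fetch", token.identity, "ok", variable)
            return self.store[variable]
        self._record("fetch", token.identity, problem, variable)
        raise AccessDenied(problem)


def patch_k8s_secret(provider, token, manifest):
    """Lab 3 pattern: each data value names a variable id; swap in the fetched value,
    base64-encoded as a Kubernetes Secret's data field expects."""
    data = {key: base64.b64encode(provider.fetch_secret(token, var).encode()).decode()
            for key, var in manifest["data"].items()}
    return {**manifest, "data": data}


def run_lab_app():
    """Walk one app through the workflow on a fake clock; returns the outcomes."""
    now = [1_700_000_000.0]  # controllable clock, so the 8-minute expiry needs no waiting
    provider = SecretsProvider(  # constructed sample data throughout
        identities={"cybrlab/lab-app": "enrolment-credential-constructed"},
        policy={"cybrlab/lab-app": {"db/username", "db/password"}},
        store={"db/username": "labuser", "db/password": "pw-constructed", "db/admin": "x"},
        clock=lambda: now[0],
    )
    out = {}
    token = provider.authenticate("cybrlab/lab-app", "enrolment-credential-constructed")
    manifest = {"kind": "Secret", "data": {"username": "db/username", "password": "db/password"}}
    out["patched"] = patch_k8s_secret(provider, token, manifest)["data"]
    for label, tok, var in (("admin", token, "db/admin"),
                            ("tampered", replace(token, identity="other/app"), "db/username")):
        try:
            provider.fetch_secret(tok, var)
        except AccessDenied as e:
            out[label] = str(e)
    now[0] += TOKEN_TTL_SECONDS + 1  # past the 8-minute lifetime
    try:
        provider.fetch_secret(token, "db/password")
    except AccessDenied as e:
        out["after_expiry"] = str(e)
    out["audit_events"] = len(provider.audit)
    return out
```

Calling `run_lab_app()` shows the three refusals a practitioner should expect to see in the audit trail: a variable outside the requestor's policy, a token whose identity field was altered after issue, and a token presented after the 8-minute lifetime. The audit list records the denied attempts alongside the successful ones, which is what makes the "audited activity" step useful for the compliance requests mentioned earlier in the session.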