Taking OpenShift’s Security for Containerized Applications to the next level with Aqua

This is a guest post by Amir Gabrieli of Aqua Security.

The Red Hat OpenShift Container Platform has a number of built-in security capabilities. Aqua provides an additional layer of security in development and protects containerized applications in runtime. Aqua recently developed a Kubernetes Operator that was successfully tested and validated by Red Hat OpenShift standards for integration and supportability. Aqua completed technical validations to become a Red Hat OpenShift Certified Operator, allowing our joint customers to deploy Aqua seamlessly on the OpenShift platform. 

One key differentiator of OpenShift Container Platform is that it allows users to leverage image streams when building environments using different registries.

Install, Deploy, and Check

You can download Aqua’s Operator from the OperatorHub embedded in Red Hat OpenShift. After installing the Aqua Operator and logging on to the Aqua Command Center, you deploy the Aqua Enforcer container as a DaemonSet, which ensures that an Aqua Enforcer runs on every worker node in the OpenShift cluster.

What are Image Streams?

In an earlier Aqua blog, we spoke at length about image streams. Image streams are an abstraction layer that maps image stream tags to the actual images stored either in the internal OpenShift registry or in any external registry. Put simply, image streams are pointers to actual images. A single image stream may consist of multiple tags, each of which can point to an image in a different registry.

Red Hat’s OpenShift Container Platform lets users build environments that work more efficiently for large and diversified setups by using image streams instead of plain image references when building and deploying applications. From a security perspective, this requires a different approach to tracking security issues, one that works natively with OpenShift: a vulnerability has to be tracked against the image a tag currently resolves to, not just against a fixed image name.

Once created, an image stream can be referenced by all deployments and builds within the same project and used just like a regular image, without any special configuration to support it.

The Aqua platform automatically discovers and connects to the image stream engine, so scanning image streams provides the same experience and feature set as scanning regular images in regular registries.

Automating the Mundane

Aqua recently built a RHEL-based Operator to automate mundane operational maintenance. This makes using Aqua’s Cloud Native Security Platform (CSP), particularly its deployment and scanning pieces, more seamless.

When deploying Aqua CSP, you can leverage the Operator as an alternative to a deployment that uses a Helm chart or large, complicated YAML files. The Operator only requires one YAML file to deploy the Aqua infrastructure components, and another YAML file to deploy Aqua Enforcers in your production environment.

The Aqua Operator can also be configured to manage the Aqua Scanner container and scale it automatically when more resources are needed. You configure the minimum and maximum number of scanners you would like the Operator to deploy, and you can even decide how many images to allocate per scanner. For example, if you have one scanner deployed, 500 images in your scan queue, and a maximum of 5 scanners configured, the Operator will automatically scale up to 5 Aqua Scanners to work through all 500 images.

Aqua’s OpenShift Certified Operator is also available for deployment through the OpenShift console and OperatorHub.io.

OpenShift Hardening Made Easy

The CIS Kubernetes Benchmark was designed to check the security configuration of a Kubernetes cluster. Red Hat took this opportunity to create a hardening guide of its own for determining whether the various parts of the CI pipeline are configured correctly. Aqua built this hardening guide directly into its product: with it, you can automatically run the checks and see whether your clusters are configured according to Red Hat’s guidelines.

The results view (shown as a screenshot in the original post) lists failures, warnings, pauses, and info items, and you can drill down into each one for more information.

Collaboration and Innovation

Becoming a Red Hat Certified Technology Partner was a significant step in our continued work with OpenShift. Among other developments, the Aqua Operator allows OpenShift customers to scale Aqua runtime protection components more easily and to manage a large number of Aqua Enforcers automatically. This capability, together with image stream scanning and OpenShift hardening checks, extends OpenShift’s security capabilities and helps enterprises improve their security posture.
