Securing Containers

Securing containers is a lot like securing any running process. As an application owner, you must think about security throughout the layers of the solution stack before you deploy and run your container. You also must think about security throughout the application and container lifecycle. The OpenShift Dedicated team provides secure platform management and tools to help and securely deploy and manage containers. This topic discusses key elements of container lifecycle management that you must think about.

Container Host Multi-tenancy

Containers are Linux® processes with isolation and resource confinement that enable you to run sandboxed applications on a shared host kernel. OpenShift Dedicated makes use of the multiple levels of security available in Red Hat Enterprise Linux Host, which is the underlying immutable operating system deployed with OpenShift Dedicated. Linux features such as Security-Enhanced Linux, namespaces, Cgroups, and seccomp are used to secure the container. Container processes run under a UID assigned by the OpenShift platform, and never with root privileges.

Container Content

Some key questions to consider when it comes to content security for containers include:

  • Will the contents of the containers compromise my infrastructure?

  • Are there known vulnerabilities in the application layer?

  • Are the runtime and OS layers up to date?

  • How frequently will the container be updated and how will you know when it is updated?

Red Hat delivers trusted content via the Red Hat Container Catalog. However, there will be times when you need content that Red Hat does not provide. It is recommended that you use container scanning tools that use continuously updated vulnerability databases to be sure that you always have the latest information on known vulnerabilities when using container images from other sources.

Container Registries

OpenShift Dedicated includes a private registry that can be used to manage your container images. The OpenShift registry provides role-based access controls that allow you to manage who can pull and push specific container images. OpenShift Dedicated also supports pushing and pulling from other private registries you might already be using.

Building Containers

In a containerized environment, the software build process is the stage in the life cycle where application code is integrated with needed runtime libraries. Managing this build process is key to securing the software stack. OpenShift Dedicated provides a number of capabilities for build management and security:

  • Source-to-image (S2I) is an open source framework for combining source code and base images. S2I makes it easy for your development and operations teams to collaborate on a reproducible build environment.

  • OpenShift Dedicated includes an integrated instance of Jenkins for CI. OpenShift Dedicated also includes rich RESTful APIs that you can use to integrate your own build or CI tools or private image registry, such as JFrog’s Artifactory.

  • A best practice for application security is to integrate automated security testing into your build or CI process. Static Application Security Testing (SAST) and Dynamic Applications Security Testing (DAST) tools like HP Fortify and IBM AppScan can be used with OpenShift environment along with Scanners for real-time checking against known vulnerabilities like Black Duck Hub and JFrog Xray.

Deploying Containers

In case anything falls through during the build process, or for situations where a vulnerability is discovered after an image has been deployed, you want yet another layer of security: tools for automated, policy-based deployment. Strong security includes automated policies that you can use to manage container deployment from a security point of view.

Additional Resources