Security and identities

When accessing RHOCP, you need to authenticate with the cluster. During installation an initial user identity, kubeadmin, is created so that you can get started quickly. One of the first tasks after the installation is to connect RHOCP to the user directory that lists the actual users.

For this purpose, RHOCP needs to be connected to an identity provider that contains the actual users.

Supported identity providers are:

Htpasswd
A flat file of user names and hashed passwords.
Keystone
OpenStack Keystone v3 server that stores its users in an internal database.
LDAP
LDAPv3 server, queried with simple bind authentication.
Basic authentication
Remote identity provider reached over HTTP basic authentication, as a generic back-end integration mechanism.
Request header
Identifies users from request header values, such as X-Remote-User, set by an authenticating proxy in front of the cluster.
GitHub or GitHub Enterprise
Validates users against GitHub's or GitHub Enterprise's OAuth authentication server.
GitLab
Uses GitLab.com or any other GitLab instance as an identity provider.
Google
Uses Google's OpenID Connect integration.
OpenID Connect
The oidc identity provider integrates with any OpenID Connect provider that supports the Authorization Code Flow.

More details are described in Understanding identity provider configuration (Red Hat documentation).

When an identity provider is successfully configured, the default kubeadmin identity is no longer needed and should be removed in production environments. Keep in mind that the kubeadmin user cannot be re-created later without a full reinstall: the account exists only as the kubeadmin Secret in the kube-system project, and removing that Secret removes the account. Before removing it, make sure that at least one user from the identity provider has been assigned the cluster-admin role and that you can actually log in as that user.

RHOCP runs its own internal certificate authority (CA).

  • Certificates issued by it secure the connections to:
    • The control plane (API servers) and compute nodes
    • The ingress controller and the internal image registry
    • etcd
  • Certificate rotation is automated
  • Custom certificates from an external CA can optionally be configured for externally reachable endpoints, such as the API server and the default ingress controller, so that clients outside the cluster do not need to trust the internal CA

Permissions can be granted to regular users, to system users, or to service accounts. Users can also be assigned to groups, which makes assigning permissions easier, because a permission granted to a group applies to every user in that group.

The role-based access control (RBAC) of RHOCP precisely defines which permissions are granted to which set of users:

  • Roles and bindings exist at project (namespace) scope and at cluster scope
  • A rule matches on the attributes of the request (verb, resource, API group, and so on)
  • If no rule matches, the request is denied by default
  • Default roles, such as admin, edit, view, and cluster-admin, are predefined for operators and users
  • Custom roles are supported
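The evaluation described in the list above, together with the cluster-admin check that should precede removing kubeadmin, as an added example. This is not code from the page or from Red Hat: it models only the verbs, resources and API groups of RBAC rules (no resourceNames, nonResourceURLs or aggregated roles), assumes that the kubeadmin login maps to the user name kube:admin, and runs on a constructed sample in the shape that oc get returns.

```python
import json
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    verbs: FrozenSet[str]
    resources: FrozenSet[str]
    api_groups: FrozenSet[str] = frozenset({""})   # "" is the core API group

@dataclass
class Binding:
    role_ref: Tuple[str, str]          # ("ClusterRole", name) or ("Role", name)
    subjects: List[Tuple[str, str]]    # (kind, name); a ServiceAccount is named "ns:name"
    namespace: Optional[str] = None    # None means this is a ClusterRoleBinding

def parse_bindings(doc: dict) -> List[Binding]:
    """Convert the List that `oc get clusterrolebindings,rolebindings -A -o json` returns."""
    out = []
    for item in doc["items"]:
        ns = item["metadata"].get("namespace")
        subjects = []
        for s in item.get("subjects") or []:      # subjects may be absent on an empty binding
            name = s["name"]
            if s["kind"] == "ServiceAccount":
                name = f"{s.get('namespace', ns)}:{name}"
            subjects.append((s["kind"], name))
        out.append(Binding((item["roleRef"]["kind"], item["roleRef"]["name"]), subjects, ns))
    return out

def _subject_matches(subject, user: str, groups: List[str]) -> bool:
    kind, name = subject
    if kind == "User":
        return name == user
    if kind == "Group":
        return name in groups
    if kind == "ServiceAccount":       # a service account authenticates as system:serviceaccount:<ns>:<name>
        return user == "system:serviceaccount:" + name
    return False

def _rule_matches(rule: Rule, verb: str, resource: str, api_group: str) -> bool:
    has = lambda allowed, value: "*" in allowed or value in allowed
    return has(rule.verbs, verb) and has(rule.resources, resource) and has(rule.api_groups, api_group)

def allowed(cluster_roles, roles, bindings, user, groups, verb, resource, namespace=None, api_group=""):
    """Deny by default: allow only if a binding in scope names the subject and its role has a matching rule."""
    for b in bindings:
        if b.namespace is not None and b.namespace != namespace:
            continue                               # RoleBinding of another project: out of scope
        if not any(_subject_matches(s, user, groups) for s in b.subjects):
            continue
        kind, name = b.role_ref
        if kind == "ClusterRole":                  # a RoleBinding may reference a ClusterRole;
            rules = cluster_roles.get(name, [])    # the grant then applies only inside that project
        else:
            rules = roles.get((b.namespace, name), [])
        if any(_rule_matches(r, verb, resource, api_group) for r in rules):
            return True
    return False

KUBEADMIN_USER = "kube:admin"                      # assumption: the user name the kubeadmin login maps to

def cluster_admins(bindings: List[Binding]) -> set:
    """Subjects bound cluster-wide (ClusterRoleBinding) to the cluster-admin ClusterRole."""
    found = set()
    for b in bindings:
        if b.namespace is None and b.role_ref == ("ClusterRole", "cluster-admin"):
            found.update(b.subjects)
    return found

def safe_to_remove_kubeadmin(bindings: List[Binding]) -> bool:
    """Heuristic: some User or Group that is neither kube:admin nor a system:* principal holds
    cluster-admin. Identity-provider group membership is not visible here, so also test the login."""
    humans = {(k, n) for k, n in cluster_admins(bindings)
              if k in ("User", "Group") and n != KUBEADMIN_USER and not n.startswith("system:")}
    return bool(humans)

# Constructed sample in the shape `oc get ... -o json` returns; not taken from a real cluster.
SAMPLE = {"items": [
    {"metadata": {"name": "cluster-admin"}, "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"metadata": {"name": "cluster-admins"}, "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:cluster-admins"}]},
    {"metadata": {"name": "admin", "namespace": "payments"}, "roleRef": {"kind": "ClusterRole", "name": "admin"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    {"metadata": {"name": "ci-deployer", "namespace": "payments"}, "roleRef": {"kind": "Role", "name": "deployer"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "payments"}]},
]}
# Cut-down rules for the roles the sample references (illustrative, not the real default roles).
CLUSTER_ROLES = {
    "cluster-admin": [Rule(frozenset({"*"}), frozenset({"*"}), frozenset({"*"}))],
    "admin": [Rule(frozenset({"get", "list", "create", "delete"}), frozenset({"pods", "secrets"}))],
}
ROLES = {("payments", "deployer"): [Rule(frozenset({"get", "update"}), frozenset({"deployments"}), frozenset({"apps"}))]}

if __name__ == "__main__":
    import sys
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)   # pipe real `oc get` output in
    b = parse_bindings(doc)
    print("cluster-admin subjects:", sorted(cluster_admins(b)))
    print("safe to remove kubeadmin:", safe_to_remove_kubeadmin(b))
```

Run stand-alone it evaluates the constructed sample; on a real cluster, pipe the output of oc get clusterrolebindings,rolebindings -A -o json into it. In the sample only the system:masters and system:cluster-admins groups hold cluster-admin, so the pre-check reports that kubeadmin must not be removed yet, while alice is an admin of the payments project only and a request of hers in another project or at cluster scope falls through to the default deny.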

More details are described in Understanding authentication (Red Hat documentation).

In RHOCP, user identities can also be managed the z/VM and z/OS way, by using the LDAP extension for RACF (Resource Access Control Facility) as the back end of the LDAP identity provider.

For the strongest cryptographic protection, the IBM Z platform provides IBM® Crypto Express cards for IBM Z and IBM® LinuxONE. Crypto Express cards accelerate asymmetric cryptographic operations. They also enable encryption of data with secure keys, whose clear value is wrapped by a master key that is held only inside the card, and with protected keys, which are wrapped by a firmware key; in both cases the effective clear key is never exposed in the memory of the operating system, so a compromised host cannot read it. With Red Hat OpenShift Container Platform, you can take advantage of these cryptographic capabilities and access the cards directly from a container. To enable the capability and for further details, see the Kubernetes device plug-in for IBM Crypto Express (CEX) cards.

RHOCP provides a stateless Ingress Node Firewall Operator (Red Hat documentation). Administrators define rules at the node level, keyed on the network interface, the source address, and the protocol and port, that allow or deny inbound traffic to the node. This includes restricting which interfaces and remote hosts can reach the Kubernetes API server on that node. Because the firewall is stateless and ingress-only, it filters packets arriving at the node and does not track connections or control outbound traffic.

The Red Hat OpenShift Security Guide provides a comprehensive and detailed look into the many challenges that are related to security in the cloud. This guide helps in the triaging of security tradeoffs and risk, policy enforcement, reporting, and the validation of system configuration. The guide is available to download from the Red Hat Customer Portal.