Security Considerations
The following sections describe the key considerations to successfully secure your deployments on Red Hat OpenShift.
- Verifying Signatures of Transformation Advisor Artifacts
- User management
- Routes
- Network Policies
- Secrets
Verifying Signatures of Transformation Advisor Artifacts
The public keys, certificates and certificate chains that are required for verifying the Transformation Advisor signatures are available for download here: taPublicKeys.zip
Unzip the archive to access the following files:
PRD0004063key.pem.cer
PRD0004063key.pem.chain
PRD0004063key.pem.pub.key
PRD0004063key.pub.asc
Subsequent sections describe how to use these files to verify the Transformation Advisor artifact signatures.
Verifying Transformation Advisor Image Signatures
The Transformation Advisor AMD64 images are signed using GPG simple signing. The signature can be verified with the skopeo or podman tools as follows:
- Create a policy.json file that configures the verification. For example:
  {
    "default": [{"type": "reject"}],
    "transports": {
      "docker": {
        "cp.icr.io/cp/icpa": [{
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "<KEY_LOCATION>/PRD0004063key.pub.asc"
        }],
        "icr.io/cpopen": [{
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "<KEY_LOCATION>/PRD0004063key.pub.asc"
        }],
        "icr.io/appcafe": [{
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "<KEY_LOCATION>/PRD0004063key.pub.asc"
        }]
      }
    }
  }
- Method 1: Verify using skopeo copy:
  skopeo copy --policy ~/policy.json docker://cp.icr.io/cp/icpa/transformation-advisor-ui@sha256:1234... dir:./image-dir --src-creds iamapikey:myapikey
- Method 2: Verify using podman pull:
  podman pull --signature-policy ~/policy.json cp.icr.io/cp/icpa/transformation-advisor-ui@sha256:1234...
See the Red Hat OpenShift Container Platform documentation for information on configuring your OpenShift cluster to verify the image signatures.
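The policy above only accepts images whose reference falls under one of the three docker scopes; everything else hits the global "default" and is rejected. The following added example (not from the page or from IBM) resolves image references against that policy.json the way the containers/image library does and flags scopes whose key file is not present; the /keys path and the two non-Transformation-Advisor image references are constructed for the example.

```python
import json
import os

# Constructed copy of the page's policy.json; <KEY_LOCATION> is assumed to be /keys here.
POLICY_JSON = """{
  "default": [{"type": "reject"}],
  "transports": {"docker": {
    "cp.icr.io/cp/icpa": [{"type": "signedBy", "keyType": "GPGKeys",
                           "keyPath": "/keys/PRD0004063key.pub.asc"}],
    "icr.io/cpopen": [{"type": "signedBy", "keyType": "GPGKeys",
                       "keyPath": "/keys/PRD0004063key.pub.asc"}],
    "icr.io/appcafe": [{"type": "signedBy", "keyType": "GPGKeys",
                        "keyPath": "/keys/PRD0004063key.pub.asc"}]
  }}
}"""

def load_policy():
    return json.loads(POLICY_JSON)

def candidate_scopes(image_ref):
    """containers/image lookup order for docker: refs: full ref, repo, namespaces, host, then ""."""
    scopes = [image_ref]
    repo = image_ref.split("@", 1)[0]            # drop @sha256:... digest
    if ":" in repo.rsplit("/", 1)[-1]:           # drop :tag (keeps host:port)
        repo = repo.rsplit(":", 1)[0]
    if repo != image_ref:
        scopes.append(repo)
    parts = repo.split("/")
    scopes += ["/".join(parts[:i]) for i in range(len(parts) - 1, 0, -1)]
    return scopes + [""]

def resolve(policy, image_ref):
    """Matched scope and its requirements; an image no docker scope covers falls
    through to the global 'default', which the page sets to reject."""
    docker_scopes = policy.get("transports", {}).get("docker", {})
    for scope in candidate_scopes(image_ref):
        if scope in docker_scopes:
            return {"scope": scope, "requirements": docker_scopes[scope]}
    return {"scope": "default", "requirements": policy["default"]}

def audit(policy, image_refs):
    """Per image: matched scope, requirement types, and signedBy key files missing on disk."""
    report = {}
    for ref in image_refs:
        hit = resolve(policy, ref)
        missing = [r["keyPath"] for r in hit["requirements"]
                   if r["type"] == "signedBy" and not os.path.exists(r["keyPath"])]
        report[ref] = {"scope": hit["scope"], "missing_keys": missing,
                       "types": [r["type"] for r in hit["requirements"]]}
    return report
```

A missing key file is worth checking before rollout: with "signedBy" the pull fails closed for every image in that scope rather than falling back to the default entry.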
Verifying Transformation Advisor Local Zip Signature
For more information on Transformation Advisor Local, and how to download the zip file, see Installing IBM Cloud Transformation Advisor on RHEL. When downloading the zip, you should also download the <filename>.zip.cosign.sig file so that you can verify the integrity of the zip file.
There are three ways to verify the signature, according to preference. The public keys, certs and chains needed for the following steps can be downloaded from the links at the start of this section.
Method 1: Using the PEM encoded public key
Prerequisites:
- cosign utility. To install, see https://github.com/sigstore/cosign/releases
- The PEM public key: PRD0004063key.pem.pub.key
- The signature file: transformationAdvisor-${VERSION}.zip.cosign.sig
- The zip artifact: transformationAdvisor-${VERSION}.zip
cosign verify-blob --key PRD0004063key.pem.pub.key --signature transformationAdvisor-${VERSION}.zip.cosign.sig transformationAdvisor-${VERSION}.zip
Method 2: Using the PEM encoded public certificate
Prerequisites:
- cosign utility. To install, see https://github.com/sigstore/cosign/releases. It is recommended to use version 1.x of cosign. If using version 2+, then you must add the flag --insecure-ignore-tlog=true when verifying.
- The PEM public certificate: PRD0004063key.pem.cer
- The certificate chain: PRD0004063key.pem.chain
- The signature file: transformationAdvisor-${VERSION}.zip.cosign.sig
- The zip artifact: transformationAdvisor-${VERSION}.zip
cosign verify-blob --cert PRD0004063key.pem.cer --cert-chain PRD0004063key.pem.chain --signature transformationAdvisor-${VERSION}.zip.cosign.sig transformationAdvisor-${VERSION}.zip
Method 3: Using the PEM encoded public key with openssl
Prerequisites:
- openssl utility
- The PEM public key: PRD0004063key.pem.pub.key
- The signature file: transformationAdvisor-${VERSION}.zip.cosign.sig
- The zip artifact: transformationAdvisor-${VERSION}.zip
openssl enc -d -A -base64 -in transformationAdvisor-${VERSION}.zip.cosign.sig -out ./transformationAdvisor-${VERSION}.zip.bytes.sig
openssl dgst -verify PRD0004063key.pem.pub.key -keyform PEM -sha256 -signature ./transformationAdvisor-${VERSION}.zip.bytes.sig -binary transformationAdvisor-${VERSION}.zip
User Management
By default, the Transformation Advisor instance is automatically configured to use the OpenShift Container Platform OAuthClient. You can configure Transformation Advisor to use a third-party authentication source.
For more information on how to configure a third-party authentication source, see Configuring IBM Cloud Transformation Advisor.
Transformation Advisor does not differentiate roles. All authenticated users have access to all actions in the product.
Routes
Routes are used to provide external access to cluster resources. Transformation Advisor creates three dynamic routes based on the project that it is installed in and the cluster domain. The routes are as follows:
Route | Description | Example URL |
---|---|---|
<ta instance>-openapi-route | Access the API via Swagger UI | https://openapi.myproj-ta.apps.kgta.cp.fyre.ibm.com/openapi/ui |
<ta instance>-server-route | Access the Liberty server. Not to be used directly by end users. | https://myproj-ta.apps.kgta.cp.fyre.ibm.com/lands_advisor |
<ta instance>-ui-route | Access the UI. Main entry point for end users. | https://openshift-operators-ta.apps.kgta.cp.fyre.ibm.com |
Internal TLS Certificates
You can provide custom certificates for internal TLS communications between the Transformation Advisor pods.
For more information, see Enable Bring Your Own Key (BYOK).
Network Policies
Network policies control the ingress and egress traffic to and from the Transformation Advisor pods.
Egress Network Policy
If your cluster uses the OpenShift SDN default Container Network Interface (CNI) network provider, Transformation Advisor automatically configures an EgressNetworkPolicy to limit egress traffic from the Transformation Advisor pods. The default configuration is suitable for most cases, but you can customize the allowed egress or disable it altogether.
For more information, see Configuring IBM Cloud Transformation Advisor.
Ingress Network Policy
Transformation Advisor automatically configures ingress network policies to restrict incoming traffic to only essential traffic.
For more information, see Network policy.
Secrets
Transformation Advisor securely stores the credentials necessary for its operation in a Secret. Transformation Advisor automatically generates the Secret during installation with unique, random values. Users can also provide their own Secret, partially or fully, for the necessary values; Transformation Advisor automatically generates any values that are not supplied by the user.
For instance, users need to provide the OAuth client ID and secret when setting up third-party authentication. For more information, see Configuring IBM Cloud Transformation Advisor.