Security guidance for IBM RPA on Red Hat® OpenShift® Container Platform

After you deploy your application, you must ensure that you comply with the best security practices to maintain a secure OpenShift cluster. Follow the recommended actions outlined in this section to safeguard your OpenShift cluster against potential threats and to strengthen the security posture of your cluster.

Updating OpenShift

Keeping your Red Hat OpenShift Container Platform up to date is essential for maintaining a secure and stable platform. These updates address security vulnerabilities, reducing the risk of cyberattacks and unauthorized access. Follow the instructions in Updating your cluster using the CLI in the OpenShift documentation to keep your cluster up to date.

Remember: Keep your IBM RPA operator version up to date and ensure that it complies with the supported Red Hat OpenShift Container Platform versions described in Versioning reference.

Rate limiting OpenShift routes

Rate limiting is an important tool for Red Hat OpenShift Container Platform routes to protect applications from excessive traffic and abuse. By controlling request rates, you can protect against overloading the server and DDoS attacks.

You can apply rate limiting through OpenShift's built-in HAProxy router by annotating the IBM RPA route as follows:

oc patch route cpd -p '{"metadata":{"annotations":{"haproxy.router.openshift.io/rate-limit-rps":"10","haproxy.router.openshift.io/rate-limit-burst":"20"}}}'

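This limits a single IP address to 10 requests per second with a 20 second burst. For more information, see Route configuration in the OpenShift documentation. Confirm the annotation names against the route-specific annotations listed there for your OpenShift version, because the router ignores annotations that it does not recognize.

You can also place a more sophisticated external rate-limiting service in front of this route.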

Resource quotas on routes

When multiple users or groups share a cluster with a fixed number of nodes, one user or team might consume a disproportionate amount of resources. To address this issue when you run IBM RPA on a shared cluster, you can enforce resource quotas on the IBM RPA namespace by using the following approach. Run the command in the IBM RPA project, because the manifest does not set a namespace and the quota is created in the current project:

cat <<EOF | oc apply -f -
apiVersion: v1
kind: ResourceQuota
metadata:
  name: rpa-quota
spec:
  hard:
    pods: "100"
    limits.cpu: "30"
    limits.memory: "60Gi"
    requests.cpu: "30"
    requests.memory: "60Gi"
EOF

See more options in Resource quotas per project in the OpenShift documentation.
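
To see how the rpa-quota above behaves at pod admission, the following added example (not IBM or Red Hat code) approximates the quota check in Python. The pod specs are constructed, and init containers, LimitRange defaults, and quota scopes are left out as simplifying assumptions.

```python
from decimal import Decimal

# Hard limits copied from the rpa-quota manifest above.
HARD = {"pods": "100", "limits.cpu": "30", "limits.memory": "60Gi",
        "requests.cpu": "30", "requests.memory": "60Gi"}
SUFFIXES = {"Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "k": 10**3, "M": 10**6, "G": 10**9}

def parse_quantity(q):
    """Convert a Kubernetes quantity such as "500m", "2" or "60Gi" to a Decimal."""
    if q.endswith("m"):  # millicores: 500m = 0.5 CPU
        return Decimal(q[:-1]) / 1000
    for suffix, factor in SUFFIXES.items():
        if q.endswith(suffix):
            return Decimal(q[:-len(suffix)]) * factor
    return Decimal(q)

def pod_demand(pod, hard=HARD):
    """Return (demand, missing): per-resource totals and fields left unset."""
    demand, missing = {"pods": Decimal(1)}, []
    for c in pod["containers"]:
        spec = c.get("resources", {})
        for key in (k for k in hard if k != "pods"):
            kind, res = key.split(".")  # "limits.cpu" -> ("limits", "cpu")
            # Kubernetes defaults a missing request to the container's limit.
            value = spec.get(kind, {}).get(res) or spec.get("limits", {}).get(res)
            if value is None:
                missing.append(f"{c['name']}: {key}")
            else:
                demand[key] = demand.get(key, Decimal(0)) + parse_quantity(value)
    return demand, missing

def admit(pods, hard=HARD):
    """Replay pod creations in order; return {pod name: [rejection reasons]}."""
    used, results = {k: Decimal(0) for k in hard}, {}
    for pod in pods:
        demand, missing = pod_demand(pod, hard)
        reasons = [f"must specify {m}" for m in missing]
        reasons += [f"exceeded quota: {k}" for k, v in demand.items()
                    if used[k] + v > parse_quantity(hard[k])]
        if not reasons:  # only admitted pods count against the quota
            used.update({k: used[k] + v for k, v in demand.items()})
        results[pod["name"]] = reasons
    return results

# Constructed sample pods; names and sizes are illustrative, not IBM RPA's own.
FULL = {"requests": {"cpu": "500m", "memory": "1Gi"}, "limits": {"cpu": "2", "memory": "4Gi"}}
BIG = {"requests": {"cpu": "4", "memory": "8Gi"}, "limits": {"cpu": "29", "memory": "8Gi"}}
SAMPLE_PODS = [{"name": n, "containers": [{"name": n, "resources": r}]} for n, r in
               (("api", FULL), ("no-limits", {"requests": FULL["requests"]}), ("too-big", BIG))]
```

Calling `admit(SAMPLE_PODS)` shows that a pod without limits is rejected outright once the quota tracks `limits.*`, so workloads in the namespace need explicit requests and limits.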