DevSecOps and Automation on Power


Red Hat Advanced Cluster Security for Kubernetes for securing IBM Power nodes

By Janani Janakiraman posted Tue February 28, 2023 10:43 AM


Updated: November 15, 2023


The latest version of Red Hat Advanced Cluster Security for Kubernetes (RHACS), 4.3, became generally available on November 15, 2023. In addition to the existing support for RHACS Secured Cluster Services for securing IBM Power nodes, RHACS 4.3 adds support for running RHACS Central Services on IBM Power. This release focuses on supporting more Kubernetes platforms, delivers better vulnerability reports, and onboards users more quickly. The Red Hat Advanced Cluster Security 4.3 release notes list the updates, deprecations and feature removals in this release.

This is a significant step for IBM Power as we strive to help our customers reduce the cost of their security program, bridge the skills gap for Kubernetes security, and enable them to break cross-functional barriers in their organizations.

What is Red Hat Advanced Cluster Security (ACS)?

ACS provides capabilities across the full container lifecycle - building secure images, verifying image signatures, deploying them with hardened configurations, and monitoring the running environment to detect malicious activity at runtime.

See ACS in two minutes to understand more about ACS.

Why ACS?

Containers and Kubernetes are driving rapid innovation in application development and management, with teams adopting DevOps principles and practices. Protecting containerized applications is becoming critical as organizations deploy more containerized workloads. Cloud security is a shared responsibility: beyond the security provided by the underlying infrastructure, whether cloud or on-premises, enterprises remain responsible for protecting the application layer and their sensitive data.

ACS, with its Kubernetes-native approach, integrates with DevOps and security tools, enabling teams to operationalize and secure their supply chain, infrastructure, and workloads. It fills the need for a container security platform where security is a visible part of the overall hybrid-cloud strategy. ACS increases developer productivity and innovation by providing security guardrails that support developer velocity while maintaining the desired security and compliance posture.

Benefits of ACS

  • Increase developer velocity by automating DevSecOps

  • Harden Kubernetes for more resilient & compliant clusters

  • Secure workloads at scale with “zero-trust execution”

Value of ACS

  • Lower operational cost: Common language & single, trusted source of truth

  • Decreased operational risk: Align security & infrastructure to reduce downtime using built-in Kubernetes capabilities; mitigate threats using Kubernetes-native controls to enforce security policies, reducing risk of outage

  • Innovate with confidence: Integrate security guardrails supporting developer velocity while maintaining security posture; standardize on Kubernetes across DevOps

Common use cases

Vulnerability Management

  • Scan images for known vulnerabilities

  • Find vulnerabilities in running deployments and learn how to fix them

  • Enforce policies based on vulnerability information in CI/CD workflows

Compliance

  • Assess compliance with CIS Benchmarks and with the PCI DSS, HIPAA, and NIST SP 800-190 reference architectures

  • Get actionable insights to improve compliance posture

  • Show proof of compliance with instant reports and dashboards

Risk Profiling

  • Rank your deployments according to their security risk for prioritization

  • Go beyond CVE scores, and understand the true risk of vulnerabilities based on information derived from Kubernetes

  • Track improvements in your security posture to validate impact of your actions

Configuration management

  • Identify configuration risks such as network exposures, privileged containers, processes running as root, and other deviations from industry best practices

  • Check for misconfigurations of your application deployments in CI/CD workflows.

  • Analyze Kubernetes RBAC settings
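The two CI/CD use cases above (gating on vulnerability policies and on deployment misconfiguration policies) are both driven from the pipeline with roxctl, the RHACS command-line client. The script below is an added example, not code from this post or from Red Hat. It assumes roxctl is on PATH, that ROX_ENDPOINT (host:port) and ROX_API_TOKEN are exported from the CI secret store, and that the image reference and manifest path are passed as arguments. The JSON in SAMPLE_IMAGE_CHECK_JSON is constructed here to show the shape of a `roxctl image check --output json` report; the key names it parses (results, violatedPolicies, failingCheck) are assumptions taken from the roxctl documentation, so check them against your own output.

```shell
#!/bin/sh
# Added example: gate a CI pipeline on RHACS build-time and deploy-time policies.
# Assumes: roxctl on PATH; ROX_ENDPOINT (host:port) and ROX_API_TOKEN exported
# from CI secrets; $1 = image reference (digest preferred), $2 = manifest path.
set -eu

# Constructed sample of `roxctl image check --output json` (key names assumed
# from the roxctl docs; only the keys parsed below matter for the helpers).
SAMPLE_IMAGE_CHECK_JSON='{
  "results": [{
    "metadata": {"id": "sha256:deadbeef", "additionalInfo": {"name": "quay.io/example/app:1.0"}},
    "summary": {"CRITICAL": 0, "HIGH": 1, "LOW": 0, "MEDIUM": 0, "TOTAL": 1},
    "violatedPolicies": [
      {"name": "Fixable Severity at least Important", "severity": "HIGH", "failingCheck": true},
      {"name": "Latest tag", "severity": "LOW", "failingCheck": false}
    ]
  }],
  "summary": {"CRITICAL": 0, "HIGH": 1, "LOW": 0, "MEDIUM": 0, "TOTAL": 1}
}'

# Count policies that roxctl marks as failing (i.e. enforced at build time).
count_failing_checks() {
  printf '%s' "$1" | grep -o '"failingCheck": *true' | wc -l | tr -d ' '
}

# Count every violated policy, enforced or not, so non-blocking hits stay visible.
count_violations() {
  printf '%s' "$1" | grep -oE '"failingCheck": *(true|false)' | wc -l | tr -d ' '
}

# Return 0 when the report contains no failing check, 1 otherwise.
gate_passes() {
  [ "$(count_failing_checks "$1")" -eq 0 ]
}

# Build-time gate: keep the full scan as a pipeline artifact for triage, then
# evaluate the image against the build-stage policies configured in Central.
check_image() {
  image="$1"
  roxctl image scan --image "$image" --output json > image-scan.json
  # roxctl exits non-zero when a policy with build-time enforcement is violated.
  if roxctl image check --image "$image" --output json > image-check.json; then
    echo "image check passed: $(count_violations "$(cat image-check.json)") non-blocking findings"
  else
    echo "image check FAILED: $(count_failing_checks "$(cat image-check.json)") enforced policies violated" >&2
    return 1
  fi
}

# Deploy-time gate: evaluate the manifest (privileged containers, root user,
# missing resource limits, ...) before it is ever applied to a cluster.
check_deployment() {
  roxctl deployment check --file "$1" --output json > deployment-check.json ||
    { echo "deployment check FAILED, see deployment-check.json" >&2; return 1; }
}

# Run only when invoked with both arguments and credentials, so the helpers
# above can be sourced and exercised without contacting Central.
if [ "$#" -eq 2 ] && [ -n "${ROX_API_TOKEN:-}" ]; then
  check_image "$1"
  check_deployment "$2"
fi
```

Invoke it as `sh acs-gate.sh quay.io/example/app@sha256:... deploy/app.yaml` from the pipeline step that runs after the image is pushed; pinning the image by digest ensures the image that was checked is the one that gets deployed.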

Network segmentation

  • Visualize active vs allowed network traffic to identify risky traffic

  • Enable security teams to audit network policies and recommend better policies

  • Simulate new, secure network policies and their impact

  • Baseline network traffic to alert when it deviates from known-good network activity

Runtime detection & response

  • Identify anomalous runtime activity using process allowlists and baselining

  • Use pre-built policies to detect common threats such as crypto mining, privilege escalation, and various exploits

  • Respond to threats with real-time alerts or use Kubernetes-native controls to kill and restart suspicious pods

What makes ACS different from its competitors?

Red Hat ACS (image). Source: https://www.youtube.com/watch?v=lFBFW3HmgsA

ACS is architected from the ground up to secure Kubernetes environments. It uses the declarative definitions and immutable infrastructure inherent to Kubernetes to enable security as code. For example, whereas competitors rely on proprietary security components to enforce network segmentation, ACS leverages the built-in Network Policy capabilities in Kubernetes to automatically enforce network segmentation at scale. This approach ensures that security works with, not against, how developers and operators build and operate clusters.
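To make the point concrete, here is what "enforcing segmentation with built-in NetworkPolicy" looks like on the cluster. This is an added example, not code from this post or from Red Hat: a script that renders a namespace-wide default-deny policy plus an allowlist for one workload, the same kind of objects ACS recommends from its network graph and applies without any proxy of its own (the cluster's CNI enforces them). The namespace, app labels and ports are placeholders; the DNS selector (k8s-app: kube-dns) matches upstream CoreDNS and needs adjusting for OpenShift's openshift-dns namespace; kubectl is only needed for the apply step.

```shell
#!/bin/sh
# Added example: the Kubernetes NetworkPolicy objects RHACS recommends and
# applies. No ACS component is in the data path; the CNI enforces these.
# Assumes: namespace, app label and port passed as $1 $2 $3 (placeholders),
# kubectl (or oc) on PATH for the apply step only.
set -eu

# Default-deny for a namespace: all ingress and egress is blocked until a more
# specific policy allows it. DNS egress is re-allowed or nothing resolves.
# (Selector assumed for upstream CoreDNS; use the openshift-dns labels on OCP.)
default_deny_policy() {
  ns="$1"
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: $ns
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
  egress:
  - to:
    - namespaceSelector: {}
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
EOF
}

# Allowlist for one workload: only frontend pods may reach the app on its
# service port, and the app may only talk out to its database.
app_allowlist_policy() {
  ns="$1"; app="$2"; port="$3"
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: $app-allow
  namespace: $ns
spec:
  podSelector:
    matchLabels:
      app: $app
  policyTypes: ["Ingress", "Egress"]
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: $port
  egress:
  - to:
    - podSelector:
        matchLabels:
          app: $app-db
    ports:
    - protocol: TCP
      port: 5432
EOF
}

# Cheap sanity check before applying: count peer selectors in a rendered
# policy. A default-deny should carry only the DNS peer; an allowlist exactly
# the peers you intended.
count_peers() {
  printf '%s\n' "$1" | grep -cE -e '- (pod|namespace)Selector'
}

# Validate against the API server first (no change), then apply. ACS's network
# graph simulator, or `roxctl netpol generate <manifests-dir>` in 4.x, can
# derive the allowlist from observed or declared traffic instead of by hand.
apply_policies() {
  ns="$1"; app="$2"; port="$3"
  { default_deny_policy "$ns"; echo '---'; app_allowlist_policy "$ns" "$app" "$port"; } |
    kubectl apply --dry-run=server -f -
  { default_deny_policy "$ns"; echo '---'; app_allowlist_policy "$ns" "$app" "$port"; } |
    kubectl apply -f -
}

if [ "$#" -eq 3 ]; then
  apply_policies "$1" "$2" "$3"
fi
```

Apply the default-deny first and watch the ACS network graph for flows that turn red; each one is either a missing allow rule or traffic you did not know about, which is exactly the audit the "active vs allowed" view is for.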

Why is ACS exciting for IBM Power customers?

RHACS Central Services comprise three main components, Central, Central DB, and Scanner, installed on a single cluster: Central serves the RHACS application interface and API, Central DB handles data persistence using PostgreSQL 13, and Scanner is a certified vulnerability scanner for container images and system components.

Together with RHACS Secured Cluster Services, the full RHACS stack is now supported on IBM Linux on Power.

You install ACS as a set of containers in your OpenShift Container Platform or Kubernetes cluster. This includes:

  • Central services, which you install on one cluster. Support for Central on IBM Power is included in ACS 4.3 and later; for prior versions, Central needs to be set up on x86_64.

  • Secured cluster services, which you install on each cluster that you want to secure with ACS. IBM Power and IBM Z clusters can now be secured by installing the secured cluster services on them.

See the RHACS 4.3 Documentation for details on how to set up ACS.
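As an added example of the two-part installation just described (not code from this post or from Red Hat, and no substitute for the documentation): a Helm-based install where Central Services go on one cluster and only the Secured Cluster Services go on the IBM Power cluster. It assumes helm, kubectl/oc and roxctl are on PATH, that ROX_ENDPOINT and ROX_API_TOKEN point roxctl at Central for the init-bundle step, and that registry.redhat.io credentials are in RH_USER and RH_PASS. The chart repository, chart names and values keys are the ones in the RHACS Helm documentation; cluster names and hostnames are placeholders.

```shell
#!/bin/sh
# Added example: Helm install of RHACS with Central on one cluster and only the
# Secured Cluster Services on an IBM Power cluster.
# Assumes: helm, kubectl/oc, roxctl on PATH; RH_USER/RH_PASS for
# registry.redhat.io; ROX_ENDPOINT/ROX_API_TOKEN exported for roxctl.
set -eu

RHACS_CHART_REPO="https://mirror.openshift.com/pub/rhacs/charts/"

# Step 1, on the hub cluster (x86_64 before 4.3, Power supported from 4.3):
# Central, Central DB and Scanner in namespace "stackrox", exposed via a route.
install_central() {
  helm repo add rhacs "$RHACS_CHART_REPO"
  helm repo update
  helm install -n stackrox --create-namespace stackrox-central-services rhacs/central-services \
    --set imagePullSecrets.username="$RH_USER" \
    --set imagePullSecrets.password="$RH_PASS" \
    --set central.exposure.route.enabled=true
}

# Step 2: the cluster init bundle carries the certificates Sensor, Collector
# and the Admission Controller use to authenticate to Central. It is a secret:
# keep it out of source control and delete it after the install.
generate_init_bundle() {
  name="$1"
  roxctl central init-bundles generate "$name" --output "$name-init-bundle.yaml"
  chmod 600 "$name-init-bundle.yaml"
}

# centralEndpoint must be host:port; a bare hostname is a common install
# mistake. Returns the endpoint with :443 appended when no port was given.
central_endpoint() {
  case "$1" in
    *:[0-9]*) printf '%s\n' "$1" ;;
    *)        printf '%s:443\n' "$1" ;;
  esac
}

# Step 3, with kubeconfig pointed at the Power cluster: only the Secured
# Cluster Services are installed; Sensor connects back to Central, so nothing
# ACS-related needs to run on x86 for this cluster to be secured.
install_secured_cluster() {
  name="$1"; host="$2"
  helm install -n stackrox --create-namespace stackrox-secured-cluster-services \
    rhacs/secured-cluster-services \
    -f "$name-init-bundle.yaml" \
    --set clusterName="$name" \
    --set centralEndpoint="$(central_endpoint "$host")" \
    --set imagePullSecrets.username="$RH_USER" \
    --set imagePullSecrets.password="$RH_PASS"
}

# Usage: sh acs-install.sh central|secured <cluster-name> <central-host>
# Runs only with arguments and credentials so the helpers can be sourced.
if [ "$#" -eq 3 ] && [ -n "${RH_USER:-}" ]; then
  case "$1" in
    central) install_central ;;
    secured) generate_init_bundle "$2"; install_secured_cluster "$2" "$3" ;;
    *) echo "unknown step: $1" >&2; exit 2 ;;
  esac
fi
```

Once Sensor on the Power cluster reports in, the cluster appears under Platform Configuration > Clusters in Central with a healthy status for Sensor, Collector and Admission Control; a cluster stuck in "Unhealthy" after install is nearly always a wrong centralEndpoint or a network path from the Power cluster to Central that is blocked.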

Below is an architecture diagram that shows the components of ACS. For details on the different components and what they do, see Red Hat Advanced Cluster Security for Kubernetes architecture.

ACS architecture diagram

Source: https://docs.openshift.com/acs/3.74/architecture/acs-architecture.html (fig 1)

To probe further

If you want to see ACS in action, check out the Red Hat Advanced Cluster Security - Deep dive demo made by Red Hat’s Chris Porter. Chris talks about how ACS takes a Kubernetes-native approach to security and how this is a better approach than building a firewall, or building something at the pod level or at the Linux kernel level to apply and enforce rules at the network layer. 




Comments

Wed March 01, 2023 03:21 PM

OCP 4.12 is what was tested and is officially supported for Power in this initial release on Power.

Wed March 01, 2023 10:20 AM

What releases of OpenShift are supported on Power? 4.10, 4.12? Or does it matter? Thanks