book

Operating OpenShift

by Rick Rackow, Manuel Dewald

November 2022

Intermediate to advanced

264 pages

6h 14m

English

O'Reilly Media, Inc.

Book available

Read now

Unlock full access

Conventions Used in This BookUsing Code ExamplesO’Reilly Online LearningHow to Contact UsAcknowledgments
Traditional Operations TeamsHow Site Reliability Engineering HelpsOpenShift as a Tool for Site Reliability EngineersIndividual Challenges for SRE Teams
OKD, OCP, and Other ConsiderationsOKDOCPOSD, ROSA, and AROLocal Clusters with OpenShift LocalPlanning Cluster SizeInstance Sizing RecommendationsNode Sizing RecommendationsMaster Sizing RecommendationsInfra NodesBasic OpenShift InstallationsInstaller-Provisioned InfrastructureSelf-Provisioned InfrastructureSummary
Deploying CodeDeploying Existing Container ImagesDeploying Applications from Git RepositoriesAccessing Deployed ServicesAccessing Services from Other PodsDistribution of RequestsExposing ServicesRoute by Auto-generated DNS NamesRoute by PathExternal Load BalancersSecuring Services with TLSSpecifying TLS CertificatesRedirecting Traffic to TLS RouteLet’s Encrypt Trusted CertificatesEncrypted Communication to the ServiceSummary
Cluster AccessRole-Based Access ControlRoles and ClusterRolesRoleBindings and ClusterRoleBindingsCLIServiceAccountsThreat ModellingWorkloadsSummary
OpenShift Image BuildsDocker BuildSource to Image (S2I) BuildCustom S2I ImagesRed Hat OpenShift PipelinesOverviewInstall Red Hat OpenShift PipelinesSetting Up the PipelineTurning the Pipeline into Continuous IntegrationSummary
Cluster Monitoring OperatorPrometheus OperatorUser Workload MonitoringVisualizing MetricsConsole DashboardsUsing GrafanaSummary
Service Oriented MonitoringService Level IndicatorsService Level ObjectivesToolsLoggingClusterLoggingLog ForwardingLokiVisualizationInstallationCreating a Grafana InstanceData SourceDashboardsSummary
Recurring Operations TasksApplication UpdatesCertificate RenewalsOpenShift UpdatesBackupsAutomating Recurring Operations TasksPersistenceCreating SnapshotsUsing CronJobs for Task AutomationCluster ConfigurationManage Cluster Configuration with OpenShift GitOpsInstalling OpenShift GitOpsManaging Configuration with OpenShift GitOpsManaging Configuration of Multiple Clusters with OpenShift GitOpsSummary
Operator SDKOperator DesignBootstrapping the OperatorSetting Up a CA Directory for DevelopmentDesigning the Custom Resource DefinitionInstalling the CustomResourceDefinitionLocal Operator DevelopmentThe Reconcile FunctionDeploying the OperatorCreating and Updating OpenShift ResourcesSpecifying RBAC PermissionsRouting Traffic to the OperatorAdding Additional ControllersUpdating Resource StatusSummary

Cluster LifecycleCluster ConfigurationLoggingMonitoringAlertingAutomationOn CallPrimary On CallBackup On CallShift RotationTicket QueueIncident ManagementWhen to Declare an IncidentInform the CustomerDefine RolesIncident TimelineDocument the ProcessPostmortemAccessing OpenShift ClustersThe Stage Is Yours

Content preview from Operating OpenShift

Chapter 4. Security

Rick Rackow

Security is an incredibly wide field and can definitely require multiple books on its own. In fact, there are a lot of great books on Kubernetes security already. However, operating OpenShift clusters cannot be done without security in mind. The cost of mistakes when it comes to security-related tasks is higher than in most other areas of operating a cluster. Recent data breaches and hacks have cost companies hundreds of millions of dollars, and that is even without potentially still uncovered issues.

This chapter covers the fundamental concepts of securing your cluster and your workloads, while staying more abstract than other chapters, focusing on concepts over implementation.

Cluster Access

When you have your cluster set up, you will have access to it using the kubeadmin account, but that is not very secure, and it also doesn’t really scale, because you would need to hand out the password to everyone who wants to use the clusters and have them be admin. Instead, you will want to provision users, for which there are different methods, starting with the easiest: create a user by hand using the CLI. That doesn’t scale very well either, so OpenShift comes with the ability to provision users automatically with the help of identity providers (IdP). Currently, the following identity providers can be used with OpenShift: