A Guide to Azure Red Hat OpenShift's Built-in Security Features

As your business modernizes its cloud technology, it’s important to scale your cloud environments securely. Azure Red Hat OpenShift (ARO) supports your security needs at scale. With shared responsibility between Red Hat and Microsoft, ARO can help your organization boost cloud security in several ways.

Through ARO’s built-in security features your organization can simplify software deployment and reduce operational complexity with automated security maintenance and ongoing monitoring. The Red Hat Site Reliability Engineering (SRE) team automates, manages and monitors your platform so your business can focus on value-driven tasks without the burden of manually applying security updates and patches. As our SRE teams would say, “We make infrastructure boring.”

We continuously look for ways to improve security standards for customers, and recently we implemented several new security features.

Cybersecurity vulnerabilities (CVEs) and upgrades

Customers are able to take advantage of the benefits of the work the Red Hat Security team provides. The Red Hat security team looks at CVEs, identifies the severity, and if appropriate, provides errata for them. Red Hat Errata helps users determine what updates are available and how important they are based on analysis by Red Hat engineering. A majority of these Erratas will be provided via a version upgrade which can be applied to the clusters through either automated or manual tooling provided as part of Azure Red Hat OpenShift. The automated method leverages the recently released Managed Upgrade Operator. To configure the operator, all you have to do is apply a YAML file with a scheduled time at which you’d like the upgrade to take place and the operator will do the rest. For more details around how to configure the operator, refer to this document.

Cluster configuration upgrades

We continually work with Microsoft and customer security teams on implementing security best practices.

Two recently released features based on customer and Microsoft feedback include Storage and Egress Lockdown.        

Storage Lockdown adds increased security to the storage accounts. This was done by changing the configuration of the storage account to force the use of a higher TLS version and a newer storage account version. It also checks to make sure the storage account is private and encryption is turned on. This feature is available for all Azure Red Hat OpenShift customers.  Learn more about Storage lockdown.

We also received feedback that while private clusters were private (no ingress allowed), customers wanted to limit the remaining dependency on Egress traffic. This dependency’s primary purpose was for the cluster to communicate with Azure endpoints (for example to the Azure container registry). To enhance the security of these deployments, we created a private endpoint which would provide access to the Azure resources, so clusters can be deployed without a path to the Internet, for minimal deployment scenarios. You will notice in the diagram below [1] a private endpoint which provides the cluster access to the service. This private endpoint provides exclusive access to the specific resources that the cluster depends on.

Figure 1 - Network topology of Azure Red Hat OpenShift

Some customers may elect to connect to additional registries or other external resources; this may be recommended for some use cases, as these can provide access to additional Red Hat Operators but this traffic would flow through the VNet peering and Azure Express route. Learn more about Egress Lockdown.

Compliance and certifications

Microsoft Azure offers a range of compliance solutions, and by using Azure Red Hat Openshift, customers get the benefits of Azure’s compliances coupled with Red Hats, combined to provide a large range of options.. Through the collaboration with Microsoft Azure, we have obtained numerous certifications inside their cloud, including PCI DSS, FedRAMP, HIPAA  and many more. Visit the Azure compliance page for more information on these.

Red Hat also provides a full set of compliance tooling for additional security needs. Red Hat Advanced cluster Management provides management and controls via built-in policies which can be enforced upon Azure Red Hat OpenShift clusters. Red Hat Advanced Cluster Security (ACS) for Kubernetes provides a native Kubernetes security approach, adding an additional native layer of security to applications on the platform..

If you are looking to get started with Azure Red Hat OpenShift, read this blog to learn how to deploy the product through the Azure portal.