This is a guest post by Amir Gabrieli of Aqua Security.
The Red Hat OpenShift Container Platform has a number of built-in security capabilities. Aqua provides an additional layer of security during development and protects containerized applications at runtime. Aqua recently developed a Kubernetes Operator that was successfully tested and validated against Red Hat OpenShift standards for integration and supportability. Aqua completed the technical validations to become a Red Hat OpenShift Certified Operator, allowing our joint customers to deploy Aqua seamlessly on the OpenShift platform.
One key differentiator of OpenShift Container Platform is that it allows users to leverage image streams when building environments using different registries.
Install, Deploy, and Check
You can use the OperatorHub embedded in Red Hat OpenShift to download Aqua's Operator. After installing the Aqua Operator and logging on to the Aqua Command Center, you can deploy the Aqua Enforcer container through a DaemonSet. Using a DaemonSet ensures that an Aqua Enforcer pod runs on each worker node in the OpenShift cluster.
What are Image Streams?
In an earlier Aqua blog, we spoke at length about image streams. Image streams are an abstraction layer that maps image stream tags to actual images stored either in the internal OpenShift registry or in any external registry. Image streams can also be seen as pointers to actual images. A single image stream may consist of multiple tags, each of them pointing to an image from a different registry.
Red Hat’s OpenShift Container Platform allows users to build environments that work more efficiently for large and diversified setups, by using Image Streams instead of regular images when building and deploying applications. From a security perspective, this requires a different approach for tracking security issues that should work natively with OpenShift.
Once created, an image stream can be referenced by all deployments and builds within the same project and used just like a regular image, without any special configuration to support it.
The Aqua platform automatically discovers and connects to the image stream engine, providing the same experience and feature set as when scanning regular images from regular registries.
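The image stream described above, written out as an added example (not configuration from the original post or from Aqua): one stream with two tags, one pointing at an image in an external registry and one at a build output in the internal registry. The project, image names and registry host are assumed placeholders.

```yaml
# Added example: one ImageStream whose tags resolve to images in different registries.
# "myproject", "myapp" and quay.io/example-org are assumed placeholder names.
apiVersion: image.openshift.io/v1
kind: ImageStream
metadata:
  name: myapp
  namespace: myproject
spec:
  lookupPolicy:
    # Let plain Kubernetes pod specs in this project resolve "myapp:stable"
    # through the stream instead of reaching the registry directly.
    local: true
  tags:
  - name: stable
    from:
      kind: DockerImage
      # External registry: the tag is a pointer to this pull spec.
      name: quay.io/example-org/myapp:1.4.2
    importPolicy:
      # Re-import periodically so the stream tracks the upstream tag.
      scheduled: true
    referencePolicy:
      # Local: consumers pull through the internal registry, which records
      # the resolved digest, so the scanned image is the deployed image.
      type: Local
  - name: dev
    from:
      kind: ImageStreamTag
      # Internal registry: points at the output of a BuildConfig in this project.
      name: myapp-build:latest
    referencePolicy:
      type: Source
---
# A deployment referencing the stream by tag, not by registry path.
apiVersion: apps.openshift.io/v1
kind: DeploymentConfig
metadata:
  name: myapp
  namespace: myproject
spec:
  replicas: 1
  selector:
    app: myapp
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
      - name: myapp
        image: myapp:stable
  triggers:
  - type: ImageChange
    imageChangeParams:
      automatic: true
      containerNames:
      - myapp
      from:
        kind: ImageStreamTag
        name: myapp:stable
```

After creation, `oc describe is myapp -n myproject` shows the digest each tag currently resolves to, which is the identity a scanner should be reporting against rather than the mutable tag name.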
Automating the Mundane
Aqua recently built a RHEL-based Operator to automate the maintenance of mundane operational duties. This makes the use of Aqua’s Cloud Native Security Platform (CSP), particularly the deployment and scanning pieces, more seamless.
When deploying Aqua CSP, you can leverage the Operator as an alternative to a deployment that uses a Helm chart or large, complicated YAML files. The Operator only requires one YAML file to deploy the Aqua infrastructure components, and another YAML file to deploy Aqua Enforcers in your production environment.
The Aqua Operator can also be configured to manage the Aqua Scanner container and scale it automatically when more resources are needed. You can configure the minimum and maximum number of scanners you would like the Operator to deploy. You can even decide how many images you would like to allocate per scanner. For example, with one scanner deployed, 500 images in your scan queue, and a maximum of 5 scanners configured, the Operator scales out to 5 Aqua Scanners to work through all 500 images.
Aqua's OpenShift certified operator is also available to deploy through the OpenShift console and OperatorHub.io.
OpenShift Hardening Made Easy
The Kubernetes CIS benchmarks were designed to check security configurations before running Kubernetes. Red Hat took this opportunity to create a hardening guide of its own to determine whether various parts of the CI pipeline are configured correctly. Aqua built this hardening guide directly into its product. With this guide, you can automatically run checks to see whether your clusters are configured according to Red Hat's guidelines.
In the image below, you can see a list of failures, warnings, passes, and info results. You can drill down on each for more information.
Collaboration and Innovation
Becoming a Red Hat Certified Technology Partner was a significant step in our continued work with OpenShift. Among other developments, the Aqua Operator allows OpenShift customers to scale Aqua runtime protection components more easily and handle a large number of Aqua Enforcers automatically. This capability, coupled with image streams and OpenShift hardening, extends OpenShift’s security capabilities and contributes to upgrading enterprises’ security posture.