Begin working on exercise 3.

2024-10-17 11:43:43 +13:00
parent 318769929a
commit 4e48cc4f48
5 changed files with 45 additions and 19 deletions

View File

@ -22,11 +22,7 @@ We're returning to ACME Financial Services, a large bank based in Australia. Tha
Your hackathon team are the post-sales consultants engaging with ACME to complete their OpenShift platform security hardening in support of the platform production certification & accreditation.
<Zoom>
|![cluster](/static/images/security/acme.png) |
|:-----------------------------------------------------------------------------:|
| *Acme Financial Services* |
</Zoom>
![acme](/static/images/security/acme.png)
## 1.2 - Understanding the environment
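Review bot: the new `<Zoom>` figure uses the generic alt text `cluster` while the plain `![acme](/static/images/security/acme.png)` line it appears to replace had a descriptive alt, which is a small accessibility regression; suggest `|![acme](/static/images/security/acme.png) |` to match the caption *Acme Financial Services*. The heading form in this hunk (`## 1.2 - Understanding the environment`, with a dash) also differs from the next file's `## 2.1 Installing the rhacs operator`; pick one convention for the numbered headings.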
@ -51,7 +47,7 @@ To get underway open your web browser and navigate to this link to allocate an e
Register for an environment using `[team name]@redhat.com` and the password provided by your hackathon organisers. Registering with a team email will mean all your team members will be able to see the same cluster details for your shared team cluster.
<Zoom>
|![cluster](/static/images/security/workshop.png) |
|![workshop](/static/images/security/workshop.png) |
|:-----------------------------------------------------------------------------:|
| *Hackathon team registration page* |
</Zoom>
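Review bot: the alt text on workshop.png changes between `cluster` and `workshop`; the descriptive form is the right direction, but the new `<Zoom>` blocks introduced elsewhere in this commit (acme.png, pairing.png, completed.png) all still carry `cluster`, so apply the same treatment there for consistency.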

View File

@ -14,11 +14,7 @@ Time to tackle the first task on our consulting engagement list, installing [Red
Ultimately the ACME team wants to manage everything with GitOps, but for today Angie would prefer a guided walkthrough on how to do things using the OpenShift Web Console so she has an opportunity to learn more about each step of the process.
<Zoom>
|![cluster](/static/images/security/pairing.png) |
|:-----------------------------------------------------------------------------:|
| *Time for a pair session at ACME Financial Services* |
</Zoom>
![cluster](/static/images/security/pairing.png)
## 2.1 Installing the rhacs operator
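Review bot: `## 2.1 Installing the rhacs operator` lowercases a product acronym that the rest of the text spells out as Red Hat Advanced Cluster Security; suggest `## 2.1 Installing the RHACS operator`. The new `<Zoom>` block in this hunk again uses the non-descriptive alt `cluster` for pairing.png; reuse the caption wording (for example `pair session`) as the alt.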
@ -39,7 +35,7 @@ With the operator installed and healthy we now need to deploy an instance of **C
Angie has shared a high level design with you that states the Central services need to be deployed to the `prd-acme-rhacs` namespace.
<Zoom>
|![cluster](/static/images/security/central.png) |
|![central architecture](/static/images/security/central.png) |
|:-----------------------------------------------------------------------------:|
| *Architecture for Red Hat Advanced Cluster Security* |
</Zoom>
@ -82,7 +78,7 @@ Documentation you may find helpful is:
- https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_security_for_kubernetes/4.5/html-single/installing/index#installing-sc-operator
<Zoom>
|![cluster](/static/images/security/secured-cluster.png) |
|![secured cluster](/static/images/security/secured-cluster.png) |
|:-----------------------------------------------------------------------------:|
| *Secured cluster list in Red Hat Advanced Cluster Security* |
</Zoom>
@ -94,10 +90,6 @@ If your pair session with Angie has finished and the hub cluster is secured plea
> Please review [team name] solution for exercise 2.
This exercise is worth `25` points. The event team will reply in slack to confirm your updated team total score.
This exercise is worth `25` points. The event team will reply in slack to confirm your updated team total score 🎉
<Zoom>
|![cluster](/static/images/security/completed.png) |
|:-----------------------------------------------------------------------------:|
| *Secured cluster list in Red Hat Advanced Cluster Security* |
</Zoom>
![completed pair session](/static/images/security/completed.png)
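Review bot: the caption on the new completed.png figure, *Secured cluster list in Red Hat Advanced Cluster Security*, is the same text as the secured-cluster.png figure in the previous hunk and does not describe this image; the plain image line in this hunk uses the alt `completed pair session`, so suggest `| *Completed pair session at ACME Financial Services* |` and the same wording as the alt text. The only other change here is the 🎉 appended to the points sentence, so the two versions of that line should otherwise stay identical.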

View File

@ -0,0 +1,38 @@
---
title: Encrypting cluster internal network traffic
exercise: 3
date: '2024-10-18'
tags: ['openshift','security','ipsec','encryption']
draft: false
authors: ['default']
summary: ""
---
Day one with Angie done, after a refreshing break you're back on site with the ACME team for day two of the consulting engagement.
Your first task is to address complaints from Brent in the ACME Security team who has done some initial cluster checks and is upset that OpenShift internal network traffic is currently un-encrypted and has been ever since their cluster was deployed!
Brent is pretty annoyed because the Red Hat sales team told him that OpenShift was "secure by default" so he wasn't expecting to see internal cluster traffic viewable in plain text between nodes in the cluster as this is a big no-no for the bank 🤬🙅
You manage to talk him down by explaining how easily encryption can be turned on and how well OpenShift supports the feature. Whew. You note down to give some feedback to the local sales team to be more careful with the assurances they give.
Turning on IPSec was already in the consulting engagement plan, you decide to make that top of your list to remediate for the morning.
![brent](/static/images/security/brent.png)
## 3.1 Encrypting internal cluster traffic
With IPsec enabled, you can encrypt both internal pod-to-pod cluster traffic between nodes and external traffic between pods and IPsec endpoints external to your cluster. All pod-to-pod network traffic between nodes on the OVN-Kubernetes cluster network is encrypted with IPsec in Transport mode.
Consulting further with Brent & Angie from the platform team you agree to update the high level design to enable IPSec for pod-to-pod traffic.
<Zoom>
|![ipsec architecture](/static/images/security/ipsec.png) |
|:-----------------------------------------------------------------------------:|
| *Encryption implications when enabling pod-to-pod IPSec* |
</Zoom>
Documentation you may find helpful is:
- https://docs.openshift.com/container-platform/4.16/networking/network_security/configuring-ipsec-ovn.html
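Review bot: the front matter sets `draft: false` and `summary: ""` on a page that currently ends at the documentation link, with no task steps, screenshot of the expected result or submission/points sentence of the kind exercise 2 has (`Please review [team name] solution ...`); either mark it `draft: true` until the exercise is complete or add those sections, and fill in the summary. The protocol name also alternates between `IPSec` (narrative paragraphs, figure caption) and `IPsec` (first paragraph of 3.1, docs URL); the linked documentation uses `IPsec`, so use that throughout, and `un-encrypted` should be `unencrypted`. The opening paragraph of 3.1 reads as documentation text; if it is quoted from the linked OpenShift page, attribute it or paraphrase it in the page's own voice.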