Complete exercise 3.

2024-10-17 12:30:54 +13:00
parent 4e48cc4f48
commit ed36707987


@ -8,24 +8,24 @@ authors: ['default']
summary: ""
---
Day one with Angie done, after a refreshing break you're back on site with the ACME team for day two of the consulting engagement.
Day one with Angie went great. After a refreshing overnight break spent watching the cinematic masterpiece of Shrek 2 you're back on site with the ACME team for day two of the consulting engagement.
Your first task is to address complaints from Brent in the ACME Security team who has done some initial cluster checks and is upset that OpenShift internal network traffic is currently un-encrypted and has been ever since their cluster was deployed!
Brent is pretty annoyed because the Red Hat sales team told him that OpenShift was "secure by default" so he wasn't expecting to see internal cluster traffic viewable in plain text between nodes in the cluster as this is a big no-no for the bank 🤬🙅
Brent is pretty annoyed because the Red Hat sales team told him that OpenShift was **"secure by default"** so he wasn't expecting to see internal cluster traffic viewable in plain text between nodes in the cluster as this is a big no-no for the bank 🤬🙅
You manage to talk him down by explaining how easily encryption can be turned on and how well OpenShift supports the feature. Whew. You note down to give some feedback to the local sales team to be more careful with the assurances they give.
Turning on IPSec was already in the consulting engagement plan, you decide to make that top of your list to remediate for the morning.
You decide to make enabling encryption top of your list for the morning to try and keep Brent happy.
![brent](/static/images/security/brent.png)
## 3.1 Encrypting internal cluster traffic
With IPsec enabled, you can encrypt both internal pod-to-pod cluster traffic between nodes and external traffic between pods and IPsec endpoints external to your cluster. All pod-to-pod network traffic between nodes on the OVN-Kubernetes cluster network is encrypted with IPsec in Transport mode.
With IPsec enabled, you can encrypt internal pod-to-pod cluster traffic on the OVN-Kubernetes cluster network between nodes.
Consulting further with Brent & Angie from the platform team you agree to update the high level design to enable IPSec for pod-to-pod traffic.
You confirm the required mode with Angie & Brent as `Full` and then run the `oc patch` command to get the job done after giving Angie a heads up there will be some brief disruption on the cluster while the change is rolled out.
<Zoom>
|![ipsec architecture](/static/images/security/ipsec.png) |
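Review bot: the rewritten sentence "With IPsec enabled, you can encrypt internal pod-to-pod cluster traffic on the OVN-Kubernetes cluster network between nodes" no longer matches the mode the exercise then asks for, since `Full` mode in OpenShift 4.16 encrypts both pod-to-pod traffic on the cluster network and traffic between pods and IPsec endpoints outside the cluster; either keep the dropped clause about external traffic or explain why `Full` rather than the pod-to-pod-only scope the sentence now describes. The sentence "run the `oc patch` command to get the job done" also names the command without saying what is patched; stating the resource (`networks.operator.openshift.io cluster`) and the field (`spec.defaultNetwork.ovnKubernetesConfig.ipsecConfig.mode`) would let a participant act on it without guessing. Finally, "some brief disruption" understates the change: enabling IPsec rolls out a MachineConfig and reboots nodes in turn, which is worth saying plainly so teams schedule it. The `<Zoom>` block is also left open in this hunk with only a single table cell following it; check the rest of the file still closes it.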
@ -36,3 +36,12 @@ Consulting further with Brent & Angie from the platform team you agree to update
Documentation you may find helpful is:
- https://docs.openshift.com/container-platform/4.16/networking/network_security/configuring-ipsec-ovn.html
## 3.2 - Check your work
If you've kept Brent happy by enabling encryption for internal cluster traffic please post a message in `#event-anz-ocp-security-hackathon` with the message:
> Please review [team name] solution for exercise 3, our cluster internal traffic is now encrypted with cipher [cipher].
This exercise is worth `25` points. The event team will reply in slack to confirm your updated team total score 🎉
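Review bot: the check step asks teams to report "cipher [cipher]" but nothing in the exercise tells them how to confirm encryption is actually active or where to read the negotiated cipher, so the answer will be a guess; add a short verification step, for example confirming that `ipsecConfig.mode` reads `Full` on the `networks.operator.openshift.io cluster` resource and that the IPsec daemonset pods in `openshift-ovn-kubernetes` are running, and point to where the cipher can be observed. Consider also giving a hint on what "our cluster internal traffic is now encrypted" should be based on (observed encrypted traffic between nodes, not just the config change), since that was the original complaint in the scenario.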