In this article, we will explore Red Hat OpenShift Dev Spaces key security best practices. Whether you are a seasoned Red Hat OpenShift user or just beginning your journey with container orchestration, understanding these security measures is crucial for fostering a more resilient and better protected development environment.
OpenShift
Red Hat OpenShift Dev Spaces runs on top of OpenShift, which provides the platform and the foundation for the products functioning atop. OpenShift documentation is the entry point for security hardening.
Info alert: Note
Some specific details can be also found in the blog post OpenShift Runtime Security Best Practices.
Project isolation
In OpenShift, project isolation is similar to namespace isolation in Kubernetes but is achieved through the concept of projects. A project in OpenShift is a top-level organizational unit that provides isolation and collaboration between different applications, teams, or workloads within a cluster.
By default, OpenShift Dev Spaces will provision a unique <username>-devspaces
project for each user. Alternatively, the cluster administrator can disable project self-provisioning on the OpenShift level, and turn off automatic namespace provisioning in the CheCluster custom resource:
devEnvironments:
defaultNamespace:
autoProvision: false
This setup allows achieving curated access to the Dev Spaces, where cluster administrators control provisioning for each user and can explicitly configure various settings including resource limits and quotas. More details about the project provisioning can be found in the product documentation.
Role-based access control (RBAC)
By default, the OpenShift Dev Spaces operator will create the following ClusterRoles:
- <namespace>-cheworkspaces-clusterrole
- <namespace>-cheworkspaces-devworkspace-clusterrole
Info alert: Note
The <namespace>
prefix corresponds to the project name where the OpenShift Dev Spaces CheCluster CR is located.
The first time a user accesses OpenShift Dev Spaces, the corresponding RoleBinding will be created in the <username>-devspaces project, which would allow to perform certain actions with the following resources listed in Table 1 in the user’s namespace.
Resources | Actions |
pods | “get", "list", "watch", "create", "delete", "update", "patch" |
pods/exec | "get", "create" |
pods/log | “get", "list", "watch" |
pods/portforward | "get", "list", "create" |
configmaps | “get", "list", "create", "update", "patch", "delete" |
events | “watch” |
secrets | "get", "list", "create", "update", "patch", "delete" |
services | "get", "list", "create", "delete", "update", "patch" |
routes | ”get", "list", "create", "delete" |
persistentvolumeclaims | “get", "list", "watch", "create", "delete", "update", "patch" |
apps/deployments | "get", "list", "watch", "create", "patch", "delete" |
apps/replicasets | "get", "list", "patch", "delete" |
namespaces | "get", "list" |
projects | “get” |
devworkspace | "get", "create", "delete", "list", "update", "patch", "watch" |
devworkspacetemplates | "get", "create", "delete", "list", "update", "patch", "watch" |
Important: Each user is granted permissions only to their namespace, and will not be able to access other user’s resources (see Figure 1). Cluster administrators can add extra permissions to users if needed, but should not remove permissions granted by default. Refer to the product documentation for configuring cluster roles for OpenShift Dev Spaces users. More details about the role-based access control can be found in the OpenShift documentation.
Dev environment isolation
The isolation of the development environments is implemented using OpenShift projects. Every developer has a project in which the following objects will be created and managed, as illustrated in Figure 2:
- Cloud Development Environment (CDE) Pods, including the IDE server
- Secrets containing developer credentials such as Git token, SSH keys, and Kubernetes token
- ConfigMaps with developer-specific config as the Git name and email
- Volumes that persist data such as the source code even when the CDE Pod is stopped
NoteNote
Important: Access to the resources in a namespace must be limited to the developer owning it. Granting read access to another developer is equivalent to sharing the developer credentials and should be avoided.
Enhanced authorization
Even though the current trend is to split an infrastructure into a number of "fit for purpose" clusters instead of having a gigantic monolith OpenShift cluster, administrators may still want to provide granular access and restrict certain functionality for particular users.
Info alert: Note
A "fit for purpose" OpenShift cluster refers to a cluster that is specifically designed and configured to meet the requirements and goals of a particular use case or workload, tailored to optimize performance, resource utilization, and other factors based on the characteristics of the workloads it will be managing. For Red Hat OpenShift Dev Spaces, it is recommended to have this type of cluster provisioned.
Considering this, optional properties that allow setting up granular access for different groups and users have been added to the Dev Spaces Custom Resource: ‘allowUsers’
, ‘allowGroups’
,‘denyUsers’
, and ‘denyGroups’
. Below you can find an illustration exemplifying the configuration:
networking:
auth:
advancedAuthorization:
allowUsers:
- user-a
- user-b
denyUsers:
- user-c
allowGroups:
- openshift-group-a
- openshift-group-b
denyGroups:
- openshift-group-c
Users who are not allowed will not be able to use Red Hat OpenShift Dev Spaces and will see the warning shown in Figure 3 when trying to access the User Dashboard.
This configuration allows the cluster administrator to manage the onboarding and curate the access explicitly. More details about the enhanced authorization can be found in the ”How to configure granular access in OpenShift Dev Spaces” blog post.
Authentication
Only authenticated OpenShift users can access Red Hat OpenShift Dev Spaces. The Gateway Pod rejects unauthenticated users, as illustrated in Figure 4.
Red Hat OpenShift Dev Spaces uses a role-based access control (RBAC) sub-system to determine whether a developer is authorized to access a CDE or not. The Cloud Development Environment (CDE) Gateway container is responsible for checking developers Kubernetes roles. If their roles allow access to the CDE Pod then the connection to the development environment is allowed. By default, only the owner of the namespace (Bob in Figure 5) has access to the CDE Pod.
Warning alert: Note
Important: Anyone that has read access to DevWorkspace Access to the resources in a namespace must be limited to the developer owning it. Granting read access to another developer is equivalent to sharing the developer credentials and should be avoided.
Security context and security context constraint
Red Hat OpenShift Dev Spaces adds SETGID
and SETUID
capabilities to the specification of the Cloud Development Environment (CDE) Pod container security context:
"spec": {
"containers": [
"securityContext": {
"allowPrivilegeEscalation": true,
"capabilities": {
"add": ["SETGID", "SETUID"],
"drop": ["ALL","KILL","MKNOD"]
},
"readOnlyRootFilesystem": false,
"runAsNonRoot": true,
"runAsUser": 1001110000
}
]
}
This provides the ability for users to build container images from within a CDE.
Red Hat OpenShift Dev Spaces, by default, assigns to its users a specific SecurityContextConstraint that allows them to start a Pod with such capabilities. This SCC grants more capabilities to the users compared to the default “restricted” SCC but less capability compared to the “anyuid” SCC. This default SCC is pre-created in the Dev Spaces namespace and named container-build
.
Extra capabilities and the assignment of the SCC to the Dev Spaces users can be prevented by setting the following property in the CheCluster Custom Resource:
spec:
devEnvironments:
disableContainerBuildCapabilities: true
Resource Quotas and Limit Ranges
Resource Quotas and Limit Ranges are Kubernetes features that can be used to help prevent bad actors or resource abuse within a cluster. They help in controlling and managing resource consumption by pods and containers. By combining Resource Quotas and Limit Ranges, you can enforce project-specific policies to prevent bad actors from consuming excessive resources. These mechanisms contribute to better resource management, stability, and fairness within an OpenShift cluster. More details about Resource Quotas and Limit Ranges can be found in the OpenShift documentation.
Disconnected environment
An air-gapped OpenShift disconnected cluster refers to an OpenShift cluster that is isolated from the internet or any external network. This isolation is often done for security reasons, to protect sensitive or critical systems from potential cyber threats. In an air-gapped environment, the cluster cannot access external repositories or registries to download container images, updates, or dependencies. Red Hat OpenShift Dev Spaces is supported and can be installed in a restricted environment. Installation instructions can be found in the official documentation.
Managing extensions
By default, Red Hat OpenShift Dev Spaces is shipped with the embedded Open VSX registry which contains a limited set of extensions used by Microsoft Visual Studio Code - Open Source editor. Alternatively, cluster administrators can specify a different plugin registry in the Custom Resource e.g., https://open-vsx.org that contains thousands of extensions, or build a custom Open VSX registry. More details about managing IDE extensions can be found in the official documentation.
Warning alert: Note
Important: Installing extra extensions may increase the potential for risks. To minimize these risks, make sure to only install extensions from reliable sources and regularly update them.
Secrets
The data that is stored as Kubernetes secrets in the users’ namespaces like Personal Access Tokens, SSH keys is sensitive information and should be kept confidential.
Git repositories
It is crucial to operate within Git repositories that you are familiar with and trust. Before incorporating new dependencies into the repository, verify that they are well-maintained and regularly release updates to address any identified security vulnerabilities in their code.
Last updated: August 5, 2024