Containerized environments pose a fairly unique security challenge, including tracking all pods and containers as they are scaled up and down within (and across) nodes. These pods generate a large amount of east-west network traffic, and that traffic is especially hard to see, so it is difficult to confirm that connections are not being misused or attacked. At the same time, many businesses are running open-source software in which vulnerabilities are constantly being discovered. Because of the dynamic nature of containerized environments, manual security methods cannot keep up, and automated security rules must be established.
Traditional security tools, such as host security and web application firewalls (WAFs), are blind to container traffic and offer no protection against container attacks. OpenShift and Kubernetes are exposed to many types of vulnerabilities at run time, which need to be detected at layer 7 (inspecting packets and protocols to verify them) or in pod and host processes. To meet these needs, NeuVector built a container firewall that is itself a container, so it can be deployed and updated automatically like any application container and fits into CI/CD processes. Deployed on each OpenShift worker node, the NeuVector tool can inspect container traffic, discover running containers, and build a whitelist of audited traffic to protect those containers. This includes automatic detection of common attacks and application isolation based on layer 7 network behaviour.
The integration of NeuVector with the Red Hat OpenShift platform simplifies the implementation of these advanced automated security features on OpenShift. It also includes several specific and useful capabilities, including:
Image vulnerability scanning, enabling enforcement via OpenShift
Using the Jenkins plug-in, the NeuVector tool scans the image during the build process and then assigns tags where vulnerabilities are detected. OpenShift can control container deployment based on these tags. As a result, OpenShift can identify and block the deployment of vulnerable containers while allowing containers that pass NeuVector scanning and tagging to be deployed.
Automatic Local registry image scanning
When an image is pushed to the local OpenShift registry, NeuVector performs an automatic scan to determine whether the image contains any vulnerabilities. These scans can be customized to suit particular preferences, such as checking only a specific selection of directories.
Role-based access control (RBAC)
RBAC configured in OpenShift is automatically read and mapped into NeuVector. Access to the NeuVector console and APIs can be controlled with existing users and their roles and permissions. Access can thus be scoped so that specific users see only the network connections and security events within their permitted range. For example, a developer with project access can be given read-only access to this visibility, while a cluster administrator can access every project in NeuVector in order to manage and review security policies.
Run-time security policy rules
With NeuVector, you can automatically create policy rules that isolate application network traffic and container processes. Using the NeuVector REST API, rules can be set programmatically and integrated with the OpenShift deployment pipeline. The NeuVector policy rule set can also use OpenShift identifiers, such as project names (namespaces) and labels.
By integrating NeuVector and OpenShift, the built-in security features of the OpenShift platform can be extended to automate runtime security, providing effective protection throughout the lifecycle of container-based deployments.
Implement container security automation with Red Hat OpenShift