Red Hat OpenShift — how to improve security and stability

Configure journald service to limit the disk space used for logging.

Solution

journald_vars_to_replace:
  - {var: Storage, value: persistent}
  - {var: SystemMaxFileSize, value: 100M}
  - {var: SystemMaxUse, value: 2G}
  - {var: SystemKeepFree, value: 4G}

Configure docker logging to limit the max size of log files

Solution

openshift_docker_options: "--log-driver=json-file --signature-verification=false --log-opt max-size=2M --log-opt max-file=5"
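The two settings above bound how much disk a node's logs can consume: journald caps the system journal, and the json-file driver caps each container at max-size × max-file. The following Python is an added example (not code from the page or from openshift-ansible) that parses both settings, renders the journald values the way a key=value drop-in would look (my approximation of the inventory template, not the real one), and checks the sizes are internally consistent, which is the kind of sanity check worth running before an inventory is applied.

```python
"""Log disk budget checks for the journald and docker settings on the page.

Added example: parses the inventory values, renders a journald.conf-style
[Journal] section (an approximation of what openshift-ansible writes) and
computes the worst-case json-file log size per container.
"""
import re
import shlex

# Constructed copies of the inventory values shown on the page.
JOURNALD_VARS = [
    {"var": "Storage", "value": "persistent"},
    {"var": "SystemMaxFileSize", "value": "100M"},
    {"var": "SystemMaxUse", "value": "2G"},
    {"var": "SystemKeepFree", "value": "4G"},
]
DOCKER_OPTIONS = ("--log-driver=json-file --signature-verification=false "
                  "--log-opt max-size=2M --log-opt max-file=5")

_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3, "T": 1024 ** 4}


def parse_size(text):
    """Parse a size such as '100M' or '2G' into bytes (binary suffixes)."""
    m = re.fullmatch(r"(\d+)([KMGT]?)", text.strip().upper())
    if not m:
        raise ValueError(f"bad size: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def render_journald_conf(vars_list):
    """Render the vars as a [Journal] section of key=value lines."""
    lines = ["[Journal]"] + [f"{item['var']}={item['value']}" for item in vars_list]
    return "\n".join(lines) + "\n"


def check_journald(vars_list):
    """Return a list of problems with the journald size settings.

    The SystemMax* keys only govern persistent storage under /var/log/journal,
    and journald keeps several rotated files, so a single file must be smaller
    than the total allowance.
    """
    conf = {item["var"]: item["value"] for item in vars_list}
    problems = []
    if conf.get("Storage") != "persistent":
        problems.append("Storage is not persistent; SystemMax* limits will not apply")
    if "SystemMaxUse" in conf and "SystemMaxFileSize" in conf:
        if parse_size(conf["SystemMaxFileSize"]) >= parse_size(conf["SystemMaxUse"]):
            problems.append("SystemMaxFileSize must be smaller than SystemMaxUse")
    return problems


def parse_docker_options(opts):
    """Split a docker daemon option string into a dict.

    Values may be given as --key=value or as --key value; the repeatable
    --log-opt flag is collected into its own nested dict.
    """
    tokens = shlex.split(opts)
    result = {"log-opt": {}}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("--"):
            raise ValueError(f"unexpected token {tok!r}")
        key, sep, value = tok[2:].partition("=")
        if not sep:                      # value supplied as the next token
            i += 1
            if i >= len(tokens):
                raise ValueError(f"missing value for --{key}")
            value = tokens[i]
        if key == "log-opt":
            k, _, v = value.partition("=")
            result["log-opt"][k] = v
        else:
            result[key] = value
        i += 1
    return result


def container_log_cap_bytes(opts):
    """Worst-case disk for one container's json-file log: max-size * max-file."""
    parsed = parse_docker_options(opts)
    if parsed.get("log-driver") != "json-file":
        raise ValueError("cap only applies to the json-file log driver")
    log_opt = parsed["log-opt"]
    return parse_size(log_opt["max-size"]) * int(log_opt["max-file"])


if __name__ == "__main__":
    print(render_journald_conf(JOURNALD_VARS))
    print("journald problems:", check_journald(JOURNALD_VARS) or "none")
    print("per-container log cap (bytes):", container_log_cap_bytes(DOCKER_OPTIONS))
```

With the page's values the per-container cap works out to 10 MiB (5 files of 2 MiB), so the total container log footprint on a node is bounded by that figure times the number of containers scheduled there.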

Remove self provisioning

oc patch clusterrolebinding.rbac self-provisioners -p '{"subjects": null}'
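The patch above empties the subject list so that authenticated users can no longer create projects. The Python below is an added example (not from the page or from OpenShift) that applies the same patch offline to a constructed copy of the binding's JSON and audits the result. It also covers a point the page does not mention: the binding carries the Kubernetes `rbac.authorization.kubernetes.io/autoupdate` annotation, and unless that is set to `"false"` the default subjects are restored when the master reconciles its RBAC. The sample binding is constructed; `merge_patch` implements RFC 7386 JSON merge patch, which for a top-level `null` has the same effect as the strategic merge patch `oc patch` uses by default.

```python
"""Offline audit of the self-provisioners clusterrolebinding.

Added example. Works on the JSON that
`oc get clusterrolebinding.rbac self-provisioners -o json` prints; the
sample below is constructed to look like the default binding.
"""
import json
import shlex

AUTOUPDATE = "rbac.authorization.kubernetes.io/autoupdate"

# Constructed sample of the default binding before hardening.
SAMPLE_BEFORE = json.dumps({
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "self-provisioners",
                 "annotations": {AUTOUPDATE: "true"}},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                "kind": "ClusterRole", "name": "self-provisioner"},
    "subjects": [{"apiGroup": "rbac.authorization.k8s.io",
                  "kind": "Group", "name": "system:authenticated:oauth"}],
})

# The patch from the page, plus the annotation patch that stops reconciliation
# from putting the subjects back.
PATCH_SUBJECTS = {"subjects": None}
PATCH_AUTOUPDATE = {"metadata": {"annotations": {AUTOUPDATE: "false"}}}


def merge_patch(target, patch):
    """RFC 7386 JSON merge patch: null deletes a key, dicts recurse, else replace."""
    if not isinstance(patch, dict):
        return patch
    result = dict(target) if isinstance(target, dict) else {}
    for key, value in patch.items():
        if value is None:
            result.pop(key, None)
        else:
            result[key] = merge_patch(result.get(key), value)
    return result


def audit(crb):
    """Return findings for a binding that should no longer grant self-provisioning."""
    findings = []
    for subject in crb.get("subjects") or []:
        findings.append(f"subject still bound: {subject.get('kind')} {subject.get('name')}")
    autoupdate = crb.get("metadata", {}).get("annotations", {}).get(AUTOUPDATE, "true")
    if autoupdate.lower() != "false":
        findings.append(f"{AUTOUPDATE} is {autoupdate!r}; default subjects will be restored")
    return findings


def self_provisioning_disabled(crb):
    """True only when no subject is bound and the binding is not auto-updated."""
    return audit(crb) == []


def oc_patch_command(patch):
    """Render the equivalent oc command for a patch dict, safely quoted for a shell."""
    return ("oc patch clusterrolebinding.rbac self-provisioners -p "
            + shlex.quote(json.dumps(patch)))


if __name__ == "__main__":
    crb = json.loads(SAMPLE_BEFORE)
    for patch in (PATCH_SUBJECTS, PATCH_AUTOUPDATE):
        print(oc_patch_command(patch))
        crb = merge_patch(crb, patch)
    print("findings:", audit(crb) or "none")
```

Running the audit against the live cluster is a matter of piping the `oc get ... -o json` output into `audit()`; a non-empty finding list after the patches were applied means either a patch did not take or something re-created the subjects.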

Auto approve certificate signing request

Solution

openshift_master_bootstrap_auto_approve=true

Check certificate expiry

Solution

$ cd /usr/share/ansible/openshift-ansible
$ ansible-playbook -v -i /etc/ansible/openshift/aws-poc/playbook/hosts.aws-poc playbooks/openshift-checks/certificate_expiry/easy-mode.yaml

Update default session timeout

Assigning static IPs for external project traffic

Solution

oc patch netnamespace <project_name> -p '{"egressIPs": ["<IP_address>"]}'
oc patch hostsubnet <node_name> -p '{"egressIPs": ["<IP_address_1>", "<IP_address_2>"]}'

Create ingress and egress network policy

  • Networking policy to allow connections between pods in the same project only
  • Egress policy to deny traffic from the namespace to other namespaces
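The two bullets above describe policies of a very specific shape: an empty `podSelector` (every pod in the project) and a peer of a bare `podSelector: {}`, which in a NetworkPolicy means "pods in this same namespace". The Python below is an added example (not from the page or from OpenShift) that builds both manifests as JSON, which `oc apply -f` accepts, and evaluates sample cross-namespace flows against them so the effect can be checked before anything is applied. It assumes the cluster's network plugin enforces the `egress` field; OpenShift SDN in the 3.x releases the page's inventory variables belong to enforced ingress rules only, so the egress policy needs a plugin such as OVN-Kubernetes to take effect. The evaluator is a namespace-level simplification that handles the selectors these policies use (empty ones), not arbitrary label matching.

```python
"""NetworkPolicy manifests for the two policies on the page, plus a
namespace-level evaluator for sample flows. Added example; assumes the
network plugin enforces egress rules (OpenShift SDN 3.x did not)."""
import json

API = "networking.k8s.io/v1"


def allow_same_namespace(namespace):
    """Ingress: only pods in this namespace may connect to pods here."""
    return {
        "apiVersion": API, "kind": "NetworkPolicy",
        "metadata": {"name": "allow-same-namespace", "namespace": namespace},
        "spec": {"podSelector": {}, "policyTypes": ["Ingress"],
                 # A peer with podSelector but no namespaceSelector means
                 # "pods in the policy's own namespace".
                 "ingress": [{"from": [{"podSelector": {}}]}]},
    }


def deny_egress_to_other_namespaces(namespace):
    """Egress: pods here may only talk to pods in this namespace.

    Caveat: this also drops DNS and cluster-external egress until a further
    egress rule allows them explicitly.
    """
    return {
        "apiVersion": API, "kind": "NetworkPolicy",
        "metadata": {"name": "deny-egress-to-other-namespaces", "namespace": namespace},
        "spec": {"podSelector": {}, "policyTypes": ["Egress"],
                 "egress": [{"to": [{"podSelector": {}}]}]},
    }


def manifests_for(namespace):
    """Both policies as a JSON List object, ready for `oc apply -f -`."""
    items = [allow_same_namespace(namespace), deny_egress_to_other_namespaces(namespace)]
    return json.dumps({"apiVersion": "v1", "kind": "List", "items": items}, indent=2)


def _peer_matches(peer, policy_ns, other_ns):
    """Does a rule peer admit a pod in other_ns? Namespace-level simplification:
    only empty selectors are modelled, which is all these policies use."""
    if "ipBlock" in peer:
        return False                       # pod-to-pod traffic only
    if "namespaceSelector" in peer:
        return peer["namespaceSelector"] == {}   # {} selects every namespace
    return policy_ns == other_ns           # bare podSelector: same namespace


def _direction_ok(policies, rules_key, peers_key, other_ns):
    """Allowed if no policy of this type selects the pod, or any rule matches."""
    if not policies:
        return True
    for policy in policies:
        for rule in policy["spec"].get(rules_key, []):
            peers = rule.get(peers_key)
            if not peers:                  # a rule with no peers allows all
                return True
            ns = policy["metadata"]["namespace"]
            if any(_peer_matches(p, ns, other_ns) for p in peers):
                return True
    return False


def flow_allowed(policies, src_ns, dst_ns):
    """(egress_ok, ingress_ok) for a pod in src_ns connecting to one in dst_ns."""
    egress = [p for p in policies if p["metadata"]["namespace"] == src_ns
              and "Egress" in p["spec"].get("policyTypes", [])]
    ingress = [p for p in policies if p["metadata"]["namespace"] == dst_ns
               and "Ingress" in p["spec"].get("policyTypes", [])]
    return (_direction_ok(egress, "egress", "to", dst_ns),
            _direction_ok(ingress, "ingress", "from", src_ns))


def connection_allowed(policies, src_ns, dst_ns):
    """A connection needs both the source's egress and the destination's ingress."""
    return all(flow_allowed(policies, src_ns, dst_ns))


if __name__ == "__main__":
    pols = [allow_same_namespace("team-a"), deny_egress_to_other_namespaces("team-a")]
    print(manifests_for("team-a"))
    for src, dst in [("team-a", "team-a"), ("team-b", "team-a"), ("team-a", "team-b")]:
        print(f"{src} -> {dst}: {'allowed' if connection_allowed(pols, src, dst) else 'denied'}")
```

With only `team-a` carrying the policies, traffic inside `team-a` stays allowed, `team-b` can no longer reach `team-a` (ingress denied), and `team-a` can no longer reach `team-b` (egress denied), while `team-b` itself is untouched because no policy selects its pods.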

Configure monitoring stack — Prometheus

openshift_cluster_monitoring_operator_install=true

Create custom roles as needed

Integrate with LDAP

Enable ETCD encryption

Regular operational maintenance tasks

Defragment ETCD to decrease DB size

Addressing ETCD startup failures

Pruning objects to reduce DB size

Install logging and monitoring agents

Install host and container scanning tools

Disable unsupported and insecure TLS cipher suites


I am a Solution Architect working at IBM and help customers in their digital transformation journey. My key skills are Kubernetes, Red Hat OpenShift & AWS Cloud.

Shan Vernekar