Security Implementation with Red Hat OpenShift on IBM Power Systems
…As with any production system, it is important to ensure the security of an OpenShift deployment. This includes secure deployment and configuration of the OpenShift components, as well as ongoing maintenance and monitoring to ensure the continued security of the environment. This Redpaper publication provides a comprehensive overview of the security best practices for deploying Red Hat OpenShift on IBM Power systems…
IBM Redpaper: https://www.redbooks.ibm.com/redpieces/abstracts/redp5690.html
The IBM Redpaper is a fairly comprehensive guide to securing OpenShift on Power, covering deployment, configuration and ongoing monitoring (note that at the time of writing it is still a draft).
Power Developer Exchange: Installing single node OpenShift to PowerVM
Chongshi Zhang shows how to install SNO (single node OpenShift) on a PowerVM instance. A single-node cluster is a practical fit for development and test work where a full multi-node cluster is not needed.
IBM Power Developer Exchange: https://community.ibm.com/community/user/powerdeveloper/blogs/chongshi-zhang/2023/02/09/installing-sno-to-powervm
The Power Developer Exchange post walks through the Single Node OpenShift install on PowerVM step by step.
A script to rotate Encryption keys for etcd
Rotating Encryption Keys on OpenShift etcd: https://patch-diff.githubusercontent.com/raw/ocp-power-automation/ocp4-playbooks-extras/pull/45.patch

oc patch kubeapiserver cluster --type merge -p "
spec:
  unsupportedConfigOverrides:
    encryption:
      reason: force KAS rotation `date`
"
The patch above is a handy way to force the kube-apiserver to rotate the etcd encryption keys: the operator generates a new key whenever the encryption reason string changes, which is what the embedded `date` provides. Two things to keep in mind: unsupportedConfigOverrides is, as the name says, unsupported, so use it deliberately; and confirm the rotation actually happened by watching the Encrypted condition in oc get kubeapiserver cluster -o yaml and checking that a new encryption-key-openshift-kube-apiserver-* secret appears in the openshift-config-managed namespace.
Red Hat updated the oc-compliance kubectl plugin.
RHEA-2023:0797 https://access.redhat.com/errata/RHEA-2023:0797
The errata ships the updated oc-compliance plugin, the companion CLI for the Compliance Operator (fetching raw scan results, re-running scans, viewing results), so refresh the plugin if you use the operator.
Error: creating build container: copying system image from manifest list: Source image rejected: None of the signatures were accepted
[2/2] STEP 1/4: FROM registry.access.redhat.com/ubi8/ubi:8.7-1054.1675788412
Trying to pull registry.access.redhat.com/ubi8/ubi:8.7-1054.1675788412...
Error: creating build container: copying system image from manifest list: Source image rejected: None of the signatures were accepted, reasons: open /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta: no such file or directory; open /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta: no such file or directory; open /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta: no such file or directory; open /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta: no such file or directory; open /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta: no such file or directory; open /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-beta: no such file or directory
The policy on the host points at the Red Hat beta GPG key, which is not installed, so every signature fails to verify. You can then reset the trust so that images from registry.access.redhat.com must be signed with the release key and everything else is rejected by default (see https://access.redhat.com/solutions/5525441):

# podman image trust set -t reject default
# podman image trust set -f /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release -t signedBy registry.access.redhat.com
# podman image trust show

The last command prints the resulting policy so you can confirm the registry entry and the reject default before pulling again.
With the default set to reject, the latest podman also applies the policy to images it reads from its own local storage (the containers-storage transport), which trips up a podman push of a locally built image:
Error: error copying image "78b2869b282bf2f28a5e873d6ade079e83d77765223c7bcd180b77cbc8fe4751": Source image rejected: Running image containers-storage:[overlay@/var/lib/containers/storage+/var/run/containers/storage:overlay.mountopt=nodev,metacopy=on]@78b2869b282bf2f28a5e873d6ade079e83d77765223c7bcd180b77cbc8fe4751 is rejected by policy.
In podman you might hit the above on a podman push; the quickest way past it is to switch the default in /etc/containers/policy.json from type reject to insecureAcceptAnything:

"default": [ { "type": "insecureAcceptAnything" } ]

Keep in mind what that does: the default applies to every transport, so with it set to insecureAcceptAnything podman stops checking signatures on registry pulls as well, which undoes the signedBy trust configured above. The narrower fix is to leave the default as reject and add a containers-storage transport entry with an empty scope ("") set to insecureAcceptAnything, which exempts only images that are already in local storage.
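To see why the global insecureAcceptAnything default is the wrong knob, the following Python models how containers/image walks policy.json for a given image reference (transport-specific scopes from most to least specific, then the transport's "" scope, then the global default) and classifies what the matching requirements demand. It is an added example, not code from this post or from the podman project; the two policies are constructed for illustration, the Red Hat release key path is assumed to exist as on RHEL/Fedora hosts, and the scope matching is simplified (fully qualified docker references only, no wildcard scopes, exact specifier only for other transports).

```python
"""Model of how containers/image resolves /etc/containers/policy.json for a
given image reference.  Added example, not code from the post or from the
podman project; the policies below are constructed for illustration."""
import json
import re

# Weak policy: the global default accepts everything, so no transport,
# registries included, ever has a signature checked.
WEAK_POLICY = {
    "default": [{"type": "insecureAcceptAnything"}],
}

# Hardened policy: reject by default, require the Red Hat release key for
# registry.access.redhat.com, and exempt only images that are already in
# local storage so that `podman push` of a locally built image still works.
# The key path is the one used on RHEL/Fedora hosts (assumed to exist).
HARDENED_POLICY = {
    "default": [{"type": "reject"}],
    "transports": {
        "docker": {
            "registry.access.redhat.com": [
                {
                    "type": "signedBy",
                    "keyType": "GPGKeys",
                    "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release",
                }
            ],
        },
        "containers-storage": {
            # An empty scope matches every image in the transport.
            "": [{"type": "insecureAcceptAnything"}],
        },
    },
}


def docker_scopes(name: str) -> list[str]:
    """Candidate policy scopes for a fully qualified docker reference
    (host[/namespace...]/repo[:tag|@digest]), most specific first: the exact
    reference, the repository, each parent namespace, then the registry host.
    Simplified: wildcard scopes such as "*.example.com" are not modelled."""
    head, has_path, last = name.rpartition("/")
    repo_last = re.split(r"[@:]", last, maxsplit=1)[0]  # drop tag or digest
    repo = f"{head}/{repo_last}" if has_path else repo_last
    scopes = [name] if name != repo else []
    scopes.append(repo)
    parts = repo.split("/")
    for n in range(len(parts) - 1, 0, -1):
        scopes.append("/".join(parts[:n]))
    return scopes


def resolve(policy: dict, reference: str) -> list[dict]:
    """Return the requirement list that applies to `reference`
    (e.g. "docker://host/repo:tag" or "containers-storage:<specifier>"):
    transport-specific scopes first, then the transport's "" scope, then the
    global default.  A missing default is treated as reject."""
    transport, _, name = reference.partition(":")
    if transport == "docker":
        scopes = docker_scopes(name[2:] if name.startswith("//") else name)
    else:
        scopes = [name]  # other transports: exact specifier only (simplified)
    per_transport = policy.get("transports", {}).get(transport, {})
    for scope in scopes + [""]:
        if scope in per_transport:
            return per_transport[scope]
    return policy.get("default", [{"type": "reject"}])


def outcome(policy: dict, reference: str) -> str:
    """Classify the applicable requirements: 'accept' means the image is
    admitted with no verification at all, 'reject' means it is refused
    outright, 'signature' means a signedBy/sigstoreSigned check must pass."""
    reqs = resolve(policy, reference)
    if not reqs or any(r["type"] == "reject" for r in reqs):
        return "reject"
    if all(r["type"] == "insecureAcceptAnything" for r in reqs):
        return "accept"
    return "signature"


if __name__ == "__main__":
    ubi = "docker://registry.access.redhat.com/ubi8/ubi:8.7-1054.1675788412"
    local = ("containers-storage:[overlay@/var/lib/containers/storage"
             "+/var/run/containers/storage]@78b2869b282b")
    for pol_name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        for ref in (ubi, "docker://docker.io/library/alpine:3.17", local):
            print(f"{pol_name:9} {outcome(pol, ref):9} {ref}")
    print(json.dumps(HARDENED_POLICY, indent=4))
```

Running it shows the difference in one table: under the weak policy every reference, including an unsigned image from docker.io, comes back as accept, while under the hardened policy the UBI image requires a signature, the docker.io image is rejected, and only the containers-storage reference (the case behind the podman push error above) is admitted without a check. The JSON it prints at the end is the hardened policy.json to drop in place of the global insecureAcceptAnything default.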