Security and compliance
Configuring security context constraints on AWS clusters
Abstract
Chapter 1. Audit logs
Red Hat OpenShift Service on AWS auditing provides a security-relevant chronological set of records documenting the sequence of activities that have affected the system by individual users, administrators, or other components of the system.
1.1. About the API audit log
Audit works at the API server level, logging all requests coming to the server. Each audit log contains the following information:
Table 1.1. Audit log fields
Field | Description |
---|---|
| The audit level at which the event was generated. |
| A unique audit ID, generated for each request. |
| The stage of the request handling when this event instance was generated. |
| The request URI as sent by the client to a server. |
| The Kubernetes verb associated with the request. For non-resource requests, this is the lowercase HTTP method. |
| The authenticated user information. |
| Optional. The impersonated user information, if the request is impersonating another user. |
| Optional. The source IPs, from where the request originated and any intermediate proxies. |
| Optional. The user agent string reported by the client. Note that the user agent is provided by the client, and must not be trusted. |
|
Optional. The object reference this request is targeted at. This does not apply for |
|
Optional. The response status, populated even when the |
|
Optional. The API object from the request, in JSON format. The |
|
Optional. The API object returned in the response, in JSON format. The |
| The time that the request reached the API server. |
| The time that the request reached the current audit stage. |
|
Optional. An unstructured key value map stored with an audit event that may be set by plugins invoked in the request serving chain, including authentication, authorization and admission plugins. Note that these annotations are for the audit event, and do not correspond to the |
Example output for the Kubernetes API server:
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"ad209ce1-fec7-4130-8192-c4cc63f1d8cd","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/openshift-kube-controller-manager/configmaps/cert-recovery-controller-lock?timeout=35s","verb":"update","user":{"username":"system:serviceaccount:openshift-kube-controller-manager:localhost-recovery-client","uid":"dd4997e3-d565-4e37-80f8-7fc122ccd785","groups":["system:serviceaccounts","system:serviceaccounts:openshift-kube-controller-manager","system:authenticated"]},"sourceIPs":["::1"],"userAgent":"cluster-kube-controller-manager-operator/v0.0.0 (linux/amd64) kubernetes/$Format","objectRef":{"resource":"configmaps","namespace":"openshift-kube-controller-manager","name":"cert-recovery-controller-lock","uid":"5c57190b-6993-425d-8101-8337e48c7548","apiVersion":"v1","resourceVersion":"574307"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2020-04-02T08:27:20.200962Z","stageTimestamp":"2020-04-02T08:27:20.206710Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by ClusterRoleBinding \"system:openshift:operator:kube-controller-manager-recovery\" of ClusterRole \"cluster-admin\" to ServiceAccount \"localhost-recovery-client/openshift-kube-controller-manager\""}}
1.2. Gathering audit logs
You can use the must-gather tool to collect the audit logs for debugging your cluster, which you can review or send to Red Hat Support.
Procedure
Run the
oc adm must-gather
command with-- /usr/bin/gather_audit_logs
:$ oc adm must-gather -- /usr/bin/gather_audit_logs
Create a compressed file from the
must-gather
directory that was just created in your working directory. For example, on a computer that uses a Linux operating system, run the following command:$ tar cvaf must-gather.tar.gz must-gather.local.472290403699006248 1
- 1
- Replace
must-gather-local.472290403699006248
with the actual directory name.
- Attach the compressed file to your support case on the the Customer Support page of the Red Hat Customer Portal.
Chapter 2. Adding additional constraints for IP-based AWS role assumption
You can implement an additional layer of security in your AWS account to prevent role assumption from non-allowlisted IP addresses.
2.1. Create an identity-based IAM policy
You can create an identity-based Identity and Access Management (IAM) policy that denies access to all AWS actions when the request originates from an IP address other than Red Hat provided IPs.
Prerequisites
- You have access to the see AWS Management Console with the permissions required to create and modify IAM policies.
Procedure
- Sign in to the AWS Management Console using your AWS account credentials.
- Navigate to the IAM service.
- In the IAM console, select Policies from the left navigation menu.
- Click Create policy.
- Select the JSON tab to define the policy using JSON format.
To get the IP addresses that you need to enter into the JSON policy document, run the following command:
$ ocm get /api/clusters_mgmt/v1/trusted_ip_addresses
NoteThese IP addresses are not permanent and are subject to change. You must continuously review the API output and make the necessary updates in the JSON policy document.
Copy and paste the following
policy_document.json
file into the editor:{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": "*", "Resource": "*", "Condition": { "NotIpAddress": { "aws:SourceIp": [] }, "Bool": { "aws:ViaAWSService": "false" } } } ] }
-
Copy and paste all of the IP addresses, which you got in Step 6, into the
"aws:SourceIp": []
array in yourpolicy_document.json
file. - Click Review and create.
- Provide a name and description for the policy, and review the details for accuracy.
- Click Create policy to save the policy.
The condition key aws:ViaAWSService
must be set to false to enable subsequent calls to succeed based on the initial call. For example, if you make an initial call to aws ec2 describe-instances
, all subsequent calls made within the AWS API server to retrieve information about the EBS volumes attached to the ec2 instance will fail if the condition key aws:ViaAWSService
is not set to false. The subsequent calls would fail because they would originate from AWS IP addresses, which are not included in the AllowList.
2.2. Attaching the identity-based IAM policy
Once you have created an identity-based IAM policy, attach it to the relevant IAM users, groups, or roles in your AWS account to prevent IP-based role assumption for those entities.
Procedure
- Navigate to the IAM console in the AWS Management Console.
Select the default IAM
ManagedOpenShift-Support-Role
role to which you want to attach the policy.NoteYou can change the default IAM
ManagedOpenShift-Support-Role
role. For more information about roles, see Red Hat support access.- In the Permissions tab, select Add Permissions or Create inline policy from the Add Permissions drop-down list.
Search for the policy you created earlier by:
- Entering the policy name.
- Filtering by the appropriate category.
- Select the policy and click Attach policy.
To ensure effective IP-based role assumption prevention, you must keep the allowlisted IPs up to date. Failure to do so may result in Red Hat site reliability engineering (SRE) being unable to access your account and affect your SLA. If you have further questions or require assistance, please reach out to our support team.
2.3. Additional resources
- For more information about denying access based on the source IP, see AWS: Denies access to AWS based on the source IP in the AWS documentation.