
Mirantis OpenStack for Kubernetes 22.2 delivers enhanced visibility into cloud security

Artem Andreev - April 26, 2022

We recently released Mirantis OpenStack for Kubernetes 22.2, adding enhancements that give you better visibility into your infrastructure along with expanded documentation for Tungsten Fabric. We have also used this release to reaffirm Mirantis OpenStack for Kubernetes' alignment with the community's security hardening checklist for all major OpenStack services. And to give our customers the best possible visibility into known security vulnerabilities, we have launched the Mirantis Security Portal.

The sections that follow provide a deeper look at these enhancements and expansions to our offering.

Cloud user IPs visible in the Mirantis OpenStack for Kubernetes logs

A few months after we upgraded our internal cloud (the one we use to develop and test our products) to Mirantis OpenStack for Kubernetes, we noticed that from time to time its API endpoints were getting overloaded with numerous similar requests. While trying to track down the source of the traffic, we realized that the way API load balancing was implemented in Mirantis OpenStack for Kubernetes did not let OpenStack or other user-facing services see who was calling. The services saw only the internal IP address of the cloud node where the API load balancing happened, not the address of the user who originally made the request. This made API request tracing inconvenient, to say the least. It also meant that the service logs kept for later security auditing recorded "what" was done and "when", but nothing about "who" did it.

To solve this, we reworked the architecture of the Mirantis OpenStack for Kubernetes API load balancing so that every incoming request is tagged with an HTTP Forwarded header carrying the information needed to trace it, above all the address of the original client, without anyone having to dig into the K8s internals. Keep in mind that any client can send a Forwarded header of its own, so the value is only meaningful when the load balancer sets it itself and the services trust it only when it arrives from that hop. In the access-log excerpt below, the first field of each line is the address of the cloud user who issued the request:

192.168.63.128 - - [19/Apr/2022:22:34:12 +0000] "POST /v3/auth/tokens HTTP/1.1" 201 9593 "-" "-" 364 0.326 [openstack-keystone-api-ks-pub] [] 192.168.219.138:5000 9593 0.328 201 224d7ca65ef907fc63c962cf1656b1b7
192.168.200.192 - - [20/Apr/2022:08:31:31 +0000] "POST /v3/auth/tokens HTTP/1.1" 201 9530 "-" "openstacksdk/0.50.1 keystoneauth1/4.2.2 python-requests/2.23.0 CPython/3.6.9" 614 0.262 [openstack-keystone-api-ks-pub] [] 192.168.133.181:5000 9530 0.264 201 122f08f5b4faccedaf81fd74f72d9d72
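As an added example (not code from the post or from Mirantis), here is a small parser for log lines in the layout shown above, used the way the investigation in the post went: find which client, identified by address and user agent, is generating the repeated requests, and how many Keystone token issuances each client is responsible for. The field names assume the lines are in the ingress-nginx "upstreaminfo" access-log format, which they appear to match; that mapping is an assumption. The first two sample lines are the ones quoted above, the remaining ones are constructed for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Field layout of the two access-log lines quoted in the post. The field names are
# taken from the ingress-nginx "upstreaminfo" log format, which the lines appear to
# match; that mapping is an assumption, not something the post states.
LOG_RE = re.compile(
    r'^(?P<client_ip>\S+) - (?P<remote_user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<body_bytes>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)" '
    r'(?P<request_length>\d+) (?P<request_time>[\d.]+) '
    r'\[(?P<upstream_name>[^\]]*)\] \[(?P<alt_upstream_name>[^\]]*)\] '
    r'(?P<upstream_addr>\S+) (?P<upstream_len>\S+) (?P<upstream_time>\S+) '
    r'(?P<upstream_status>\S+) (?P<request_id>\S+)$'
)


@dataclass(frozen=True)
class Access:
    client_ip: str        # address of the cloud user, as recorded by the load balancer
    method: str
    path: str
    status: int
    user_agent: str
    upstream_name: str    # which OpenStack API service the request was routed to
    request_id: str       # per-request id: the handle for tracing a call end to end


def parse_line(line: str) -> Optional[Access]:
    """Parse one access-log line; return None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return Access(
        client_ip=m["client_ip"],
        method=m["method"],
        path=m["path"],
        status=int(m["status"]),
        user_agent=m["user_agent"],
        upstream_name=m["upstream_name"],
        request_id=m["request_id"],
    )


def top_talkers(lines: Iterable[str], n: int = 3):
    """Busiest (client_ip, user_agent) pairs: the first thing to look at when an
    API endpoint is flooded with similar requests."""
    counts: Counter = Counter()
    for line in lines:
        acc = parse_line(line)
        if acc is not None:
            counts[(acc.client_ip, acc.user_agent)] += 1
    return counts.most_common(n)


def token_requests_per_client(lines: Iterable[str]) -> dict:
    """Count Keystone token issuances (POST /v3/auth/tokens) per client address.
    A client that re-authenticates on every call shows up here first."""
    counts: Counter = Counter()
    for line in lines:
        acc = parse_line(line)
        if acc and acc.method == "POST" and acc.path == "/v3/auth/tokens":
            counts[acc.client_ip] += 1
    return dict(counts)


# The first two lines are the ones quoted in the post; the rest are constructed for
# this example (a client re-authenticating in a loop, one ordinary call, and one line
# in a different format so the parser's rejection path is exercised).
SAMPLE_LINES = [
    '192.168.63.128 - - [19/Apr/2022:22:34:12 +0000] "POST /v3/auth/tokens HTTP/1.1" 201 9593 "-" "-" 364 0.326 [openstack-keystone-api-ks-pub] [] 192.168.219.138:5000 9593 0.328 201 224d7ca65ef907fc63c962cf1656b1b7',
    '192.168.200.192 - - [20/Apr/2022:08:31:31 +0000] "POST /v3/auth/tokens HTTP/1.1" 201 9530 "-" "openstacksdk/0.50.1 keystoneauth1/4.2.2 python-requests/2.23.0 CPython/3.6.9" 614 0.262 [openstack-keystone-api-ks-pub] [] 192.168.133.181:5000 9530 0.264 201 122f08f5b4faccedaf81fd74f72d9d72',
    '192.168.200.192 - - [20/Apr/2022:08:31:32 +0000] "POST /v3/auth/tokens HTTP/1.1" 201 9530 "-" "openstacksdk/0.50.1 keystoneauth1/4.2.2 python-requests/2.23.0 CPython/3.6.9" 614 0.259 [openstack-keystone-api-ks-pub] [] 192.168.133.181:5000 9530 0.261 201 example0000000000000000000000001',
    '192.168.200.192 - - [20/Apr/2022:08:31:33 +0000] "POST /v3/auth/tokens HTTP/1.1" 201 9530 "-" "openstacksdk/0.50.1 keystoneauth1/4.2.2 python-requests/2.23.0 CPython/3.6.9" 614 0.270 [openstack-keystone-api-ks-pub] [] 192.168.133.181:5000 9530 0.272 201 example0000000000000000000000002',
    '192.168.200.192 - - [20/Apr/2022:08:31:34 +0000] "POST /v3/auth/tokens HTTP/1.1" 201 9530 "-" "openstacksdk/0.50.1 keystoneauth1/4.2.2 python-requests/2.23.0 CPython/3.6.9" 614 0.255 [openstack-keystone-api-ks-pub] [] 192.168.133.181:5000 9530 0.257 201 example0000000000000000000000003',
    '192.168.63.128 - - [20/Apr/2022:08:31:40 +0000] "GET /v3/projects HTTP/1.1" 200 1811 "-" "curl/7.68.0" 312 0.041 [openstack-keystone-api-ks-pub] [] 192.168.219.138:5000 1811 0.042 200 example0000000000000000000000004',
    'not an access log line at all',
]

if __name__ == "__main__":
    for (ip, ua), count in top_talkers(SAMPLE_LINES):
        print(f"{count:4d}  {ip:16s}  {ua}")
    print(token_requests_per_client(SAMPLE_LINES))
```

Run against a real log, the same two functions point straight at a client that authenticates in a loop; the request id in the last field is what you then carry into the Keystone service logs to follow the individual call.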

As for the mysterious client that was overloading our internal cloud, it turned out to be an engineer who had forgotten to disable one of the old services after completing the upgrade.

Rework of documentation for Tungsten Fabric

Tungsten Fabric is the SDN solution of choice for telco clouds based on Mirantis OpenStack for Kubernetes. It offers many advanced networking capabilities for tech-savvy operators; the natural downside is complexity, especially when it comes to fine-tuning and troubleshooting. One needs a deep understanding of the software's architecture, of the path the traffic flows take, and of which components control which aspects of the virtual networking. While the upstream Tungsten Fabric documentation is already quite detailed, there are still a few specifics that Mirantis OpenStack for Kubernetes brings into play.

In this release, we reworked our explanations of the Tungsten Fabric concepts that matter most for Mirantis OpenStack for Kubernetes. Our goal was a documentation structure that is easy to navigate and easy to extend with new chapters going forward. We would be happy to hear your feedback on the new content of the Tungsten Fabric chapters of the Mirantis OpenStack for Kubernetes reference architecture guide.

Mirantis Security Portal launch!

Have you heard about this new vulnerability? Is our cloud affected? When will there be a fix? We hear these questions from our customers a lot. One of the measures we take to harden our products is regular security scanning of all artifacts against public vulnerability databases. To make it easy to look up a specific vulnerability and track its resolution, we decided to make our scanning reports available to all of our customers through the brand-new Mirantis Security Portal. If you know the version of the software your cloud is running and the versions of its major components, finding the information you need is now a matter of a few clicks.

Although the portal currently covers only Mirantis OpenStack for Kubernetes, we plan to extend it to other products and to add sections such as the current status of compliance with software standards (for example, the CIS Benchmarks) and recommendations for CVE mitigation.

OpenStack security checklist validated

Did you know that the community maintains a checklist of security hardening recommendations for the major OpenStack services? To be fair, many of the suggested practices apply to classic package-based deployments; still, there are a few good ideas that a modern Kubernetes-based OpenStack distribution can pick up. We validated the reference configuration that Mirantis OpenStack for Kubernetes offers out of the box and can confirm that our product is aligned with the checklist. We are going to publish the validation report on our new security portal.

One important caveat: the checklist recommends TLS encryption for internal communication between the services. We chose an alternative path instead, one that takes advantage of the Mirantis OpenStack for Kubernetes architecture, which relies on K8s overlay networking to connect containers to each other. In one of the upcoming releases we plan to introduce the ability to enable IPsec encryption for the K8s overlay. Because the encryption is applied at the overlay, below the services themselves, it secures not only the internal API traffic but also the database and message queue traffic all at once.

We trust that this quick look into the newly available 22.2 release has been helpful. As always we welcome our customers’ feedback on our products and services so that we can continue to empower you to deliver extraordinary products and services for your users and customers. To learn more details about these and other enhancements in the Mirantis OpenStack for Kubernetes 22.2 release, please see the release notes here.

If you are new to Mirantis and would like to explore what Mirantis OpenStack for Kubernetes can do for you, we encourage you to give it a try with our free evaluation program.
