Red Hat’s OpenShift provides a powerful container management platform for the enterprise. When deploying it, you need to consider how you will manage access to OpenShift itself, to individual projects, and to the applications running on OpenShift. This is an extremely complex problem to solve for a few reasons:

  1. While OpenShift provides multiple mechanisms for plugging in authentication, it's very limited in how it manages authorization
  2. OpenShift has its own API for managing access, but can’t make decisions based on external authorization sources
  3. The LDAP sync tool which comes with OpenShift is a command line tool that needs to be deployed and run for EVERY group created
  4. Whoever controls your enterprise’s Active Directory will not generally let individual applications store groups inside of the enterprise AD

For a static application it might be acceptable to manually add users to groups via the oc and oadm command line tools, but if you’re providing self service to your customers, do you want to have to create those groups and users manually? Do you want to have to write your own system for manipulating the APIs? How will you track requests? How will you track approvals? Escalations? Re-certification of access?

Tremolo Security’s Unison and OpenUnison can now support both the self-service management of users and the on-boarding of projects using a self-service workflow. Unison can create the groups needed to approve access to a new project and create a project using a template inside of OpenShift, all without an admin using the OpenShift UI or CLI.

If you want to use an existing CI/CD system, Unison and OpenUnison can provide the hooks to integrate identity management into your platform.

Authentication Options

  1. LDAP Virtual Directory – Quickly integrate OpenShift with multiple directories and forests, including databases and web services for authentication and user data
  2. OpenID Connect – Unison and OpenUnison both provide OpenID Connect identity providers that can be used to authenticate developers and operators
  3. Bridge to SAML2/Multi-Factor/Other – In addition to authenticating users directly, Unison and OpenUnison can bridge the gap between what your enterprise provides and what OpenShift supports natively

Authorization Options

  1. Provision Access Directly into OpenShift – Don’t store authorization data in a directory, let Unison and OpenUnison use OpenShift’s APIs to add and remove users from groups
  2. Self Service Access Requests – Developers and Operators can log in to a central application to request access to the projects they need without creating a manual email trail
  3. Dynamic Workflows – Available requests are driven dynamically by your OpenShift configuration and annotations on your project so there’s no manual intervention when new projects are created
  4. RESTful API – Call our API to create access for bulk onboardings, new projects, etc
  5. Reporting – Use our integrated reporting tools or your favorite business intelligence system to determine who has access to what and why without tracking down emails to see why users had access

Unison can also manage applications running on OpenShift, providing a valuable security and compliance resource to your customers.

Providing the best of both centralized identity management and decentralized deployments, Unison and OpenUnison can provide compliance and security services for applications that are independent of their development process, making it easier to develop secure applications on OpenShift.

Tremolo Security is a member of the OpenShift commons community, is OpenShift Primed and is a Red Hat Technology Partner with certified containers in the Red Hat container catalog.

Marc Boorshtein