
Chapter 4. Securing webhooks with event listeners


As an administrator, you can secure webhooks with event listeners. After creating a namespace, you enable HTTPS for the EventListener resource by adding the operator.tekton.dev/enable-annotation=enabled label to the namespace. Then you create a Trigger resource and a secured route with re-encrypt TLS termination, so that webhook traffic is encrypted both from the client to the router and from the router to the EventListener pod.

Triggers in Red Hat OpenShift Pipelines support both insecure HTTP and secure HTTPS connections to the EventListener resource. With HTTPS, the connection is encrypted inside the cluster as well as outside it; with HTTP, the hop from the router to the EventListener pod is plaintext.

Red Hat OpenShift Pipelines runs a tekton-operator-proxy-webhook pod that watches namespaces for this label. When you add the label to a namespace, the webhook sets the following annotation on the EventListener object, where <secret_name> is the name of the secret to create. This, in turn, causes the secret and the required serving certificates to be generated:

service.beta.openshift.io/serving-cert-secret-name=<secret_name>

In addition, you can mount the created secret into the EventListener pod so that incoming webhook requests are served over HTTPS with the issued certificate.

4.1. Providing secure connection with OpenShift routes

To create a route with re-encrypt TLS termination, run the following command, where <svc-name> is the Service that exposes the EventListener:

$ oc create route reencrypt --service=<svc-name> --cert=tls.crt --key=tls.key --ca-cert=ca.crt --hostname=<hostname>

Alternatively, you can create a re-encrypted TLS termination YAML file to create a secure route.

Example re-encrypt TLS termination YAML to create a secure route

apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: route-passthrough-secured  # 1
spec:
  host: <hostname>
  to:
    kind: Service
    name: frontend  # 2
  tls:
    termination: reencrypt  # 3
    key: [as in edge termination]
    certificate: [as in edge termination]
    caCertificate: [as in edge termination]
    destinationCACertificate: |-  # 4
      -----BEGIN CERTIFICATE-----
      [...]
      -----END CERTIFICATE-----

1 2
The name of the object, which is limited to 63 characters.
3
The termination field is set to reencrypt. This is the only required TLS field.
4
The destinationCACertificate field specifies the CA certificate that the router uses to validate the certificate presented by the destination pods. This is what secures the hop from the router to the EventListener pod: without a CA to validate against, the router re-encrypts to whatever answers on the service port. You can omit this field in either of the following scenarios:
  • The service uses a service serving certificate signed by the cluster service CA, which the router trusts by default. An EventListener whose certificate was issued through the service.beta.openshift.io/serving-cert-secret-name annotation described at the start of this chapter falls in this case.
  • The administrator specifies a default CA certificate for the router, and the service has a certificate signed by that CA.

You can run the oc create route reencrypt --help command to display more options.
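The following is an added example, not code from the OpenShift documentation. It encodes the callout rules above as a small Python audit (object names of at most 63 characters, reencrypt termination, and a destinationCACertificate unless the backend already carries a service-CA serving certificate) and builds a Route manifest that passes that audit. JSON output is used because `oc apply -f` accepts it without a YAML dependency. The names el-vote-app, el-vote-app-secure and el.apps.example.com are assumptions for the usage at the bottom, not values from the page.

```python
"""Build and audit a re-encrypt Route for an EventListener Service.

Added example, not from the OpenShift documentation. audit_route() applies
the callout rules: names of at most 63 characters, termination 'reencrypt',
and a destinationCACertificate unless the backend carries the service-ca
serving-cert annotation (the router trusts the cluster service CA).
"""
import json

MAX_NAME_LEN = 63
SERVING_CERT_ANNOTATION = "service.beta.openshift.io/serving-cert-secret-name"


def audit_route(route, backend_annotations=None):
    """Return a list of findings for a Route dict; an empty list means it passes.

    backend_annotations: annotations on the EventListener / its Service, as set
    by the tekton-operator-proxy-webhook when the namespace is labelled.
    """
    findings = []
    name = route.get("metadata", {}).get("name", "")
    if not 0 < len(name) <= MAX_NAME_LEN:
        findings.append(f"metadata.name must be 1-{MAX_NAME_LEN} characters")
    spec = route.get("spec", {})
    target = spec.get("to", {}).get("name", "")
    if not 0 < len(target) <= MAX_NAME_LEN:
        findings.append(f"spec.to.name must be 1-{MAX_NAME_LEN} characters")
    tls = spec.get("tls") or {}
    termination = tls.get("termination")
    if termination == "edge":
        findings.append("termination 'edge': router-to-pod hop is plaintext HTTP")
    elif termination == "passthrough":
        findings.append("termination 'passthrough': router does no TLS validation of the listener")
    elif termination != "reencrypt":
        findings.append(f"termination {termination!r}: no TLS configured")
    elif "destinationCACertificate" not in tls and \
            SERVING_CERT_ANNOTATION not in (backend_annotations or {}):
        findings.append("reencrypt without destinationCACertificate and no service-ca "
                        "serving certificate on the backend: pod certificate is unverified")
    return findings


def build_reencrypt_route(name, host, service_name, *, backend_annotations=None,
                          destination_ca=None, certificate=None, key=None, ca_certificate=None):
    """Return a Route dict with reencrypt termination, or raise ValueError if it fails the audit.

    certificate/key/ca_certificate are the client-facing material; when omitted
    the router presents its default certificate for the route host.
    """
    tls = {"termination": "reencrypt"}
    if destination_ca is not None:
        tls["destinationCACertificate"] = destination_ca
    if certificate and key:
        tls["certificate"], tls["key"] = certificate, key
        if ca_certificate:
            tls["caCertificate"] = ca_certificate
    route = {
        "apiVersion": "route.openshift.io/v1",
        "kind": "Route",
        "metadata": {"name": name},
        "spec": {"host": host, "to": {"kind": "Service", "name": service_name}, "tls": tls},
    }
    findings = audit_route(route, backend_annotations)
    if findings:
        raise ValueError("; ".join(findings))
    return route


def to_manifest(route):
    """Serialise as JSON, which `oc apply -f` accepts."""
    return json.dumps(route, indent=2)


if __name__ == "__main__":
    # Constructed input: the annotation the proxy webhook sets (secret name assumed).
    backend = {SERVING_CERT_ANNOTATION: "el-vote-app-tls"}
    print(to_manifest(build_reencrypt_route(
        "el-vote-app-secure", "el.apps.example.com", "el-vote-app",
        backend_annotations=backend)))
```

Run the audit against a Route fetched with `oc get route <name> -o json` together with the EventListener's annotations to confirm the router-to-pod hop is actually verified, not just encrypted.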

4.2. Configuring security context for event listeners

You can configure a custom security context directly in your EventListener custom resource (CR) to meet your security requirements. A custom security context can help ensure that containers run with restricted privileges and comply with OpenShift Container Platform security context constraints (SCCs).

Procedure

  • Create a YAML file that defines your EventListener CR:

    Example EventListener custom resource with configured security context

    apiVersion: triggers.tekton.dev/v1beta1
    kind: EventListener
    metadata:
    #...
    spec:
      serviceAccountName: tekton-triggers-sa
      resources:
        kubernetesResource:
          spec:
            template:
              spec:
                securityContext:
                  runAsNonRoot: true  # 1
                containers:
                  - resources:
                      requests:
                        memory: "64Mi"
                        cpu: "250m"
                      limits:
                        memory: "128Mi"
                        cpu: "500m"
                    securityContext:
                      readOnlyRootFilesystem: true  # 2
    #...

    1
    Specify the pod-level security context settings. The example setting sets the pod-level security context to prevent the containers from running as the root user.
    2
    Specify the container-level security context settings. The example setting restricts the container root filesystem to read-only to limit potential file system modifications at runtime.
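The following is an added example, not code from the OpenShift documentation. It audits the pod template under spec.resources.kubernetesResource for the two settings shown above and, as this example's own extension beyond the page, for the two container settings the restricted-v2 SCC would otherwise have to inject at admission (allowPrivilegeEscalation false and capabilities.drop ALL); declaring them in the CR keeps the manifest honest about what will run. harden() returns a copy with all four applied and the rest of the CR untouched. The EventListener name vote-app in the constructed input is an assumption.

```python
"""Audit an EventListener CR's pod template for the hardening shown above.

Added example, not from the OpenShift documentation. The two checks the
section shows (pod runAsNonRoot, container readOnlyRootFilesystem) are
extended, as this example's own assumption, with allowPrivilegeEscalation
false and capabilities.drop ALL.
"""
import copy

PAGE_EXAMPLE = {  # Constructed from the YAML above; only the fields that matter here.
    "apiVersion": "triggers.tekton.dev/v1beta1",
    "kind": "EventListener",
    "metadata": {"name": "vote-app"},
    "spec": {
        "serviceAccountName": "tekton-triggers-sa",
        "resources": {"kubernetesResource": {"spec": {"template": {"spec": {
            "securityContext": {"runAsNonRoot": True},
            "containers": [{"securityContext": {"readOnlyRootFilesystem": True}}],
        }}}}},
    },
}

TEMPLATE_PATH = ("spec", "resources", "kubernetesResource", "spec", "template", "spec")


def pod_spec(el):
    """The pod template spec under spec.resources.kubernetesResource, or {} if absent."""
    node = el
    for key in TEMPLATE_PATH:
        node = node.get(key) or {}
    return node


def audit_eventlistener(el):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    spec = pod_spec(el)
    if (spec.get("securityContext") or {}).get("runAsNonRoot") is not True:
        findings.append("pod: securityContext.runAsNonRoot is not true")
    containers = spec.get("containers") or []
    if not containers:
        findings.append("pod: no containers entry, so no container-level securityContext is set")
    for i, c in enumerate(containers):
        who = c.get("name") or f"containers[{i}]"
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{who}: privileged container")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{who}: readOnlyRootFilesystem is not true")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{who}: allowPrivilegeEscalation is not false")
        drop = [x.upper() for x in (sc.get("capabilities") or {}).get("drop", [])]
        if "ALL" not in drop:
            findings.append(f"{who}: capabilities.drop does not include ALL")
    return findings


def harden(el):
    """Deep-copy el and apply the four settings, creating the template path if missing."""
    hardened = copy.deepcopy(el)
    node = hardened
    for key in TEMPLATE_PATH:
        if not isinstance(node.get(key), dict):
            node[key] = {}
        node = node[key]
    if not isinstance(node.get("securityContext"), dict):
        node["securityContext"] = {}
    node["securityContext"]["runAsNonRoot"] = True
    if not node.get("containers"):
        node["containers"] = [{}]   # Triggers merges this override into its own container
    for c in node["containers"]:
        sc = c.get("securityContext")
        if not isinstance(sc, dict):
            sc = c["securityContext"] = {}
        sc.pop("privileged", None)
        sc["readOnlyRootFilesystem"] = True
        sc["allowPrivilegeEscalation"] = False
        caps = sc.get("capabilities")
        if not isinstance(caps, dict):
            caps = sc["capabilities"] = {}
        caps["drop"] = ["ALL"]
    return hardened


if __name__ == "__main__":
    for finding in audit_eventlistener(PAGE_EXAMPLE):
        print("before:", finding)
    print("after:", audit_eventlistener(harden(PAGE_EXAMPLE)) or "no findings")
```

Feed it the output of `oc get eventlistener <name> -o json` to audit a live CR; the findings list is empty only when every container in the template declares all four settings.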

4.3. Creating a sample EventListener resource using a secure HTTPS connection

This section uses the pipelines-tutorial example to demonstrate creation of a sample EventListener resource using a secure HTTPS connection.

Procedure

  1. Create the TriggerBinding resource from the YAML file available in the pipelines-tutorial repository:

    $ oc create -f https://raw.githubusercontent.com/openshift/pipelines-tutorial/master/03_triggers/01_binding.yaml
  2. Create the TriggerTemplate resource from the YAML file available in the pipelines-tutorial repository:

    $ oc create -f https://raw.githubusercontent.com/openshift/pipelines-tutorial/master/03_triggers/02_template.yaml
  3. Create the Trigger resource directly from the pipelines-tutorial repository:

    $ oc create -f https://raw.githubusercontent.com/openshift/pipelines-tutorial/master/03_triggers/03_trigger.yaml
  4. Create an EventListener resource using a secure HTTPS connection:

    1. Add the label that enables the secure HTTPS connection to the EventListener resource. Add it before creating the EventListener so that the proxy webhook sets the serving-certificate annotation when the object is created:

      $ oc label namespace <ns-name> operator.tekton.dev/enable-annotation=enabled
    2. Create the EventListener resource from the YAML file available in the pipelines-tutorial repository:

      $ oc create -f https://raw.githubusercontent.com/openshift/pipelines-tutorial/master/03_triggers/04_event_listener.yaml
    3. Create a route with re-encrypt TLS termination, where <svc-name> is the Service that Tekton Triggers created for the EventListener:

      $ oc create route reencrypt --service=<svc-name> --cert=tls.crt --key=tls.key --ca-cert=ca.crt --hostname=<hostname>
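The following is an added example, not code from the pipelines-tutorial or the OpenShift documentation. It runs the procedure above in order and checks, between steps, the things that silently go wrong: that the EventListener actually received the serving-cert annotation described at the start of this chapter (if the label was added too late it will not), that the secret and the EventListener's Service exist before the route is created, and that the reencrypt route is created without a destination CA because the service CA already signs the backend certificate. `oc` is invoked through an injectable `run` callable, so the sequencing can be exercised offline with the FakeOC stand-in. Two assumptions not stated on the page: the tutorial EventListener is named vote-app, and Tekton Triggers names its Service el-<EventListener name>; both are parameters.

```python
"""Run the procedure in this section end to end, checking each step.

Added example, not from the pipelines-tutorial or the OpenShift
documentation. Assumptions: the tutorial EventListener is named vote-app
and Tekton Triggers names its Service el-<EventListener name>.
"""
import subprocess
import time

TUTORIAL = "https://raw.githubusercontent.com/openshift/pipelines-tutorial/master/03_triggers/"
MANIFESTS = ("01_binding.yaml", "02_template.yaml", "03_trigger.yaml", "04_event_listener.yaml")
LABEL = "operator.tekton.dev/enable-annotation=enabled"
ANNOTATION = "service.beta.openshift.io/serving-cert-secret-name"


def oc(args):
    """Default runner: execute `oc` and return (returncode, stdout)."""
    proc = subprocess.run(["oc", *args], capture_output=True, text=True)
    return proc.returncode, proc.stdout.strip()


def wait_for(probe, attempts=30, delay=2.0, sleep=time.sleep):
    """Poll probe() until it returns a truthy value or attempts run out."""
    for _ in range(attempts):
        value = probe()
        if value:
            return value
        sleep(delay)
    return None


def secure_eventlistener(ns, hostname, el_name="vote-app", run=oc, sleep=time.sleep):
    """Label, create, verify, route. Returns the Route name or raises RuntimeError."""
    # Step 4.1: the label must exist before the EventListener is created,
    # otherwise the proxy webhook never sees it and no serving cert is issued.
    rc, out = run(["label", "namespace", ns, LABEL, "--overwrite"])
    if rc:
        raise RuntimeError(f"label namespace {ns}: {out}")
    # Steps 1-3 and 4.2: binding, template, trigger, then the EventListener.
    for manifest in MANIFESTS:
        rc, out = run(["create", "-n", ns, "-f", TUTORIAL + manifest])
        if rc:
            raise RuntimeError(f"create {manifest}: {out}")
    # Confirm the webhook set the annotation; its value is the secret name.
    path = "{.metadata.annotations." + ANNOTATION.replace(".", r"\.") + "}"
    secret = wait_for(lambda: run(["get", "eventlistener", el_name, "-n", ns,
                                   "-o", "jsonpath=" + path])[1], sleep=sleep)
    if not secret:
        raise RuntimeError(f"EventListener {el_name} was not annotated; is {LABEL} set on {ns}?")
    # Wait for the serving-cert secret and for the Service that Triggers creates.
    service = f"el-{el_name}"
    for kind, name in (("secret", secret), ("service", service)):
        if not wait_for(lambda: run(["get", kind, name, "-n", ns, "-o", "name"])[0] == 0,
                        sleep=sleep):
            raise RuntimeError(f"{kind}/{name} did not appear in {ns}")
    # Step 4.3: reencrypt route. No --dest-ca-cert is passed because the
    # serving cert comes from the service CA, which the router already trusts.
    route = f"{service}-secure"
    rc, out = run(["create", "route", "reencrypt", route, "-n", ns,
                   f"--service={service}", f"--hostname={hostname}"])
    if rc:
        raise RuntimeError(f"create route {route}: {out}")
    return route


class FakeOC:
    """Constructed stand-in for `oc`: records calls and answers like a healthy cluster."""

    def __init__(self, annotated=True):
        self.calls, self.annotated = [], annotated

    def __call__(self, args):
        self.calls.append(list(args))
        if args[:2] == ["get", "eventlistener"]:
            return 0, ("el-vote-app-tls" if self.annotated else "")
        if args[:2] == ["get", "secret"]:
            return 0, "secret/el-vote-app-tls"
        return 0, ""


if __name__ == "__main__":
    fake = FakeOC()
    print(secure_eventlistener("pipelines-tutorial", "el.apps.example.com",
                               run=fake, sleep=lambda _: None))
```

Against a real cluster, call secure_eventlistener() with the default runner; the RuntimeError for a missing annotation is the check that catches a namespace that was labelled after the EventListener already existed.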
© 2026 Red Hat