Securing vulnerable workloads

IPSec was a quick job and the cluster is looking good after enabling it. Your afternoon job is to pair up with Angie again and review the vulnerability status of the ACME Financial Services workloads that are deployed on the cluster so far.

Angie is really keen to tap into your knowledge on what she can do to make to the most of the Red Hat Advanced Cluster Security Platform. This new security insight is something ACME have not really had access to historically for their container workloads.

You're in a meeting room going over things together, so far so good.

4.1 - Ruh roh...

You're looking over the RHACS Dashboard together in the RHACS console.

You and Angie both spot it at the same time...

The core banking payments processor namespace prd-acme-payments is vulnerable to the critical log4shell vulnerability 😱

4.2 - What the %$^& do we do????

In the minutes following the alarming discovery you observe a series of rushed conversations and Microsoft Skype for Business™ chats between Angie and various security team members, service owners and incident management team members.

A critical incident has been raised but at this point the consensus is the application simple cannot be turned off. It's a core component of the banks payments processing and must continue running.

The ACME team now turn to you, seeking advice on how they could secure this existing vulnerable deployment in place, without scaling down the application, so that any attempt at exploiting the vulnerability would be automatically thwarted.

The clocks ticking, how will you respond?

Documentation you may find helpful is:

• https://docs.redhat.com/en/documentation/red_hat_advanced_cluster_security_for_kubernetes/4.5/html/operating/evaluate-security-risks#use-process-baselines_evaluate-security-risks

4.3 - Check your work

If you've successfully secured the banks vulnerable payments processor please post in #event-anz-ocp-security-hackathon with the message:

Please review [team name] solution for exercise 4, our payments processor application is now unhackable.

WARNING: The hackathon team will perform a brief penetration test of the application. If your application is not actually secured and remains exploitable by the log4shell vulnerability one of your OpenShift cluster nodes will be deleted for the lulz. No pressure!

This exercise is worth 25 points. The event team will reply in slack to confirm your updated team total score 🎉