tencrypt encrypting tenant traffic in openshift
play

Tencrypt: Encrypting Tenant-Traffic in OpenShift Forschungsprojekt - PowerPoint PPT Presentation

Jul 09, 2023 •8 likes •1.26k views

Dominik Pataky Faculty of Computer Science, Institute of Systems Architecture, Chair of Computer Networks Tencrypt: Encrypting Tenant-Traffic in OpenShift Forschungsprojekt Anwendung // Dresden, 15th November, 2018 Contents Introduction Red

  1. OpenShift, Kubernetes and Docker • Docker : wrapper for Linux kernel namespaces and cgroup features. Introduces features like reproducible images (Docker fi les), image registries and toolchain • Kubernetes : uses Docker as containerisation engine for multi-node application deployment • OpenShift : uses Kubernetes as the app orchestration engine, adding more features for a smoother work fl ow • Not mentioned: multiple other APIs, engines and projects with similar toolchains and goals Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 7/32 Dresden, 15th November, 2018

  2. OpenShift, Kubernetes and Docker • Docker : wrapper for Linux kernel namespaces and cgroup features. Introduces features like reproducible images (Docker fi les), image registries and toolchain • Kubernetes : uses Docker as containerisation engine for multi-node application deployment • OpenShift : uses Kubernetes as the app orchestration engine, adding more features for a smoother work fl ow • Not mentioned: multiple other APIs, engines and projects with similar toolchains and goals Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 7/32 Dresden, 15th November, 2018

  3. OpenShift, Kubernetes and Docker • Docker : wrapper for Linux kernel namespaces and cgroup features. Introduces features like reproducible images (Docker fi les), image registries and toolchain • Kubernetes : uses Docker as containerisation engine for multi-node application deployment • OpenShift : uses Kubernetes as the app orchestration engine, adding more features for a smoother work fl ow • Not mentioned: multiple other APIs, engines and projects with similar toolchains and goals Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 7/32 Dresden, 15th November, 2018

  4. What is Red Hat OpenShift? • Available as open source project OKD (formerly Origin) • Supported instances by Red Hat as „ Online “ , „ Dedicated “ or „ Container Platform “ • Hardware resources called Nodes connect to Master and host Pods Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 8/32 Dresden, 15th November, 2018

  5. What is Red Hat OpenShift? • Available as open source project OKD (formerly Origin) • Supported instances by Red Hat as „ Online “ , „ Dedicated “ or „ Container Platform “ • Hardware resources called Nodes connect to Master and host Pods Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 8/32 Dresden, 15th November, 2018

  6. What is Red Hat OpenShift? • Available as open source project OKD (formerly Origin) • Supported instances by Red Hat as „ Online “ , „ Dedicated “ or „ Container Platform “ • Hardware resources called Nodes connect to Master and host Pods Related tools Related technologies Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 8/32 Dresden, 15th November, 2018

  7. Components of OpenShift • Nodes (RHEL) • Master (APIs, Authentication, Storage, Scheduling, Scaling) • Pods (grouping of Containers, Users/Projects, Policies) • Container image Registry • Persistent Storage (Volumes, NFS/GlusterFS/Ceph/Clouds) • Service Layer with Service Discovery (Load-Balancing, virtual IPs) • Routing Layer (HAProxy, routing external access, egress routing, A/B testing) Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 9/32 Dresden, 15th November, 2018

  8. Components of OpenShift • Nodes (RHEL) • Master (APIs, Authentication, Storage, Scheduling, Scaling) • Pods (grouping of Containers, Users/Projects, Policies) • Container image Registry • Persistent Storage (Volumes, NFS/GlusterFS/Ceph/Clouds) • Service Layer with Service Discovery (Load-Balancing, virtual IPs) • Routing Layer (HAProxy, routing external access, egress routing, A/B testing) Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 9/32 Dresden, 15th November, 2018

  9. Components of OpenShift • Nodes (RHEL) • Master (APIs, Authentication, Storage, Scheduling, Scaling) • Pods (grouping of Containers, Users/Projects, Policies) • Container image Registry • Persistent Storage (Volumes, NFS/GlusterFS/Ceph/Clouds) • Service Layer with Service Discovery (Load-Balancing, virtual IPs) • Routing Layer (HAProxy, routing external access, egress routing, A/B testing) Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 9/32 Dresden, 15th November, 2018

  10. Components of OpenShift • Nodes (RHEL) • Master (APIs, Authentication, Storage, Scheduling, Scaling) • Pods (grouping of Containers, Users/Projects, Policies) • Container image Registry • Persistent Storage (Volumes, NFS/GlusterFS/Ceph/Clouds) • Service Layer with Service Discovery (Load-Balancing, virtual IPs) • Routing Layer (HAProxy, routing external access, egress routing, A/B testing) Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 9/32 Dresden, 15th November, 2018

  11. Components of OpenShift • Nodes (RHEL) • Master (APIs, Authentication, Storage, Scheduling, Scaling) • Pods (grouping of Containers, Users/Projects, Policies) • Container image Registry • Persistent Storage (Volumes, NFS/GlusterFS/Ceph/Clouds) • Service Layer with Service Discovery (Load-Balancing, virtual IPs) • Routing Layer (HAProxy, routing external access, egress routing, A/B testing) Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 9/32 Dresden, 15th November, 2018

  12. Components of OpenShift • Nodes (RHEL) • Master (APIs, Authentication, Storage, Scheduling, Scaling) • Pods (grouping of Containers, Users/Projects, Policies) • Container image Registry • Persistent Storage (Volumes, NFS/GlusterFS/Ceph/Clouds) • Service Layer with Service Discovery (Load-Balancing, virtual IPs) • Routing Layer (HAProxy, routing external access, egress routing, A/B testing) Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 9/32 Dresden, 15th November, 2018

  13. Components of OpenShift • Nodes (RHEL) • Master (APIs, Authentication, Storage, Scheduling, Scaling) • Pods (grouping of Containers, Users/Projects, Policies) • Container image Registry • Persistent Storage (Volumes, NFS/GlusterFS/Ceph/Clouds) • Service Layer with Service Discovery (Load-Balancing, virtual IPs) • Routing Layer (HAProxy, routing external access, egress routing, A/B testing) Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 9/32 Dresden, 15th November, 2018

  14. Networking in OpenShift • Internal DNS servers for Services • Split DNS with SkyDNS • Container Networking Interface (CNI) • Software De fi ned Networking (SDN) – Flat network: all Pods reach each other – Multi-Tenant: isolated tra ffi c on Project-level by Virtual Network ID (VNID) – Network policy: granular policy-rules for Projects/Pods • VXLAN overlay for Pod-to-Pod by Open vSwitch (OVS) Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 10/32 Dresden, 15th November, 2018

  15. Networking in OpenShift • Internal DNS servers for Services • Split DNS with SkyDNS • Container Networking Interface (CNI) • Software De fi ned Networking (SDN) – Flat network: all Pods reach each other – Multi-Tenant: isolated tra ffi c on Project-level by Virtual Network ID (VNID) – Network policy: granular policy-rules for Projects/Pods • VXLAN overlay for Pod-to-Pod by Open vSwitch (OVS) Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 10/32 Dresden, 15th November, 2018

  16. Networking in OpenShift • Internal DNS servers for Services • Split DNS with SkyDNS • Container Networking Interface (CNI) • Software De fi ned Networking (SDN) – Flat network: all Pods reach each other – Multi-Tenant: isolated tra ffi c on Project-level by Virtual Network ID (VNID) – Network policy: granular policy-rules for Projects/Pods • VXLAN overlay for Pod-to-Pod by Open vSwitch (OVS) Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 10/32 Dresden, 15th November, 2018

  17. Networking in OpenShift • Internal DNS servers for Services • Split DNS with SkyDNS • Container Networking Interface (CNI) • Software De fi ned Networking (SDN) – Flat network: all Pods reach each other – Multi-Tenant: isolated tra ffi c on Project-level by Virtual Network ID (VNID) – Network policy: granular policy-rules for Projects/Pods • VXLAN overlay for Pod-to-Pod by Open vSwitch (OVS) Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 10/32 Dresden, 15th November, 2018

  18. Networking in OpenShift • Internal DNS servers for Services • Split DNS with SkyDNS • Container Networking Interface (CNI) • Software De fi ned Networking (SDN) – Flat network: all Pods reach each other – Multi-Tenant: isolated tra ffi c on Project-level by Virtual Network ID (VNID) – Network policy: granular policy-rules for Projects/Pods • VXLAN overlay for Pod-to-Pod by Open vSwitch (OVS) Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 10/32 Dresden, 15th November, 2018

  19. Node Internet Pod C C eth0 NAT tun0 vethA C C C br0 VXLAN vxlan0 overlay vethB Underlaying network Figure 1: Overview of networking of Nodes, Pods and Containers Tencrypt: Encrypting Tenant-Traffic in OpenShift Chair of Computer Networks // Dominik Pataky 11/32 Dresden, 15th November, 2018

  20. Security in OpenShift • Policies for Container deployment • Multi-tenancy through Users and Projects • Container host pinning • Additional mechanisms to secure Container image creation • Secret Management through secured storage in Master – Access within Pods through ENV or mounts Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 12/32 Dresden, 15th November, 2018

  21. Security in OpenShift • Policies for Container deployment • Multi-tenancy through Users and Projects • Container host pinning • Additional mechanisms to secure Container image creation • Secret Management through secured storage in Master – Access within Pods through ENV or mounts Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 12/32 Dresden, 15th November, 2018

  22. Security in OpenShift • Policies for Container deployment • Multi-tenancy through Users and Projects • Container host pinning • Additional mechanisms to secure Container image creation • Secret Management through secured storage in Master – Access within Pods through ENV or mounts Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 12/32 Dresden, 15th November, 2018

  23. Security in OpenShift • Policies for Container deployment • Multi-tenancy through Users and Projects • Container host pinning • Additional mechanisms to secure Container image creation • Secret Management through secured storage in Master – Access within Pods through ENV or mounts Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 12/32 Dresden, 15th November, 2018

  24. Security in OpenShift • Policies for Container deployment • Multi-tenancy through Users and Projects • Container host pinning • Additional mechanisms to secure Container image creation • Secret Management through secured storage in Master – Access within Pods through ENV or mounts Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 12/32 Dresden, 15th November, 2018

  25. Introduction Red Hat OpenShift Networking, Security Security requirements and threat model Encrypting traffic between Pods Fundamentals, ideas and possible approaches Using Minishift for experimental implementations Implementation concepts Proof of concept implementation Throughput measurements Conclusion Tencrypt: Encrypting Tenant-Traffic in OpenShift Chair of Computer Networks // Dominik Pataky 13/32 Dresden, 15th November, 2018

  26. Security requirements • Authentication : Pods must be able to ensure sender authenticity • Integrity : Transmitted data must not be corrupted or manipulated • Confidentiality : Pod-to-Pod tra ffi c must not be readable by third parties • Availability : Key concept in underlying Kubernetes engine, which Tencrypt must not interfere with • Authorisation : Pods should reject unencrypted tra ffi c from internal Pods • Based on STRIDE/AINCAA given in [Sho14]. • Introduced in PoC: Con fi dentiality Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 14/32 Dresden, 15th November, 2018

  27. Security requirements • Authentication : Pods must be able to ensure sender authenticity • Integrity : Transmitted data must not be corrupted or manipulated • Confidentiality : Pod-to-Pod tra ffi c must not be readable by third parties • Availability : Key concept in underlying Kubernetes engine, which Tencrypt must not interfere with • Authorisation : Pods should reject unencrypted tra ffi c from internal Pods • Based on STRIDE/AINCAA given in [Sho14]. • Introduced in PoC: Con fi dentiality Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 14/32 Dresden, 15th November, 2018

  28. Security requirements • Authentication : Pods must be able to ensure sender authenticity • Integrity : Transmitted data must not be corrupted or manipulated • Confidentiality : Pod-to-Pod tra ffi c must not be readable by third parties • Availability : Key concept in underlying Kubernetes engine, which Tencrypt must not interfere with • Authorisation : Pods should reject unencrypted tra ffi c from internal Pods • Based on STRIDE/AINCAA given in [Sho14]. • Introduced in PoC: Con fi dentiality Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 14/32 Dresden, 15th November, 2018

  29. Security requirements • Authentication : Pods must be able to ensure sender authenticity • Integrity : Transmitted data must not be corrupted or manipulated • Confidentiality : Pod-to-Pod tra ffi c must not be readable by third parties • Availability : Key concept in underlying Kubernetes engine, which Tencrypt must not interfere with • Authorisation : Pods should reject unencrypted tra ffi c from internal Pods • Based on STRIDE/AINCAA given in [Sho14]. • Introduced in PoC: Con fi dentiality Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 14/32 Dresden, 15th November, 2018

  30. Security requirements • Authentication : Pods must be able to ensure sender authenticity • Integrity : Transmitted data must not be corrupted or manipulated • Confidentiality : Pod-to-Pod tra ffi c must not be readable by third parties • Availability : Key concept in underlying Kubernetes engine, which Tencrypt must not interfere with • Authorisation : Pods should reject unencrypted tra ffi c from internal Pods • Based on STRIDE/AINCAA given in [Sho14]. • Introduced in PoC: Con fi dentiality Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 14/32 Dresden, 15th November, 2018

  31. Security requirements • Authentication : Pods must be able to ensure sender authenticity • Integrity : Transmitted data must not be corrupted or manipulated • Confidentiality : Pod-to-Pod tra ffi c must not be readable by third parties • Availability : Key concept in underlying Kubernetes engine, which Tencrypt must not interfere with • Authorisation : Pods should reject unencrypted tra ffi c from internal Pods • Based on STRIDE/AINCAA given in [Sho14]. • Introduced in PoC: Con fi dentiality Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 14/32 Dresden, 15th November, 2018

  32. Security requirements • Authentication : Pods must be able to ensure sender authenticity • Integrity : Transmitted data must not be corrupted or manipulated • Confidentiality : Pod-to-Pod tra ffi c must not be readable by third parties • Availability : Key concept in underlying Kubernetes engine, which Tencrypt must not interfere with • Authorisation : Pods should reject unencrypted tra ffi c from internal Pods • Based on STRIDE/AINCAA given in [Sho14]. • Introduced in PoC: Con fi dentiality Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 14/32 Dresden, 15th November, 2018

  33. Threats ID Description Mitigation T1 An attacker uses a Pod to intercept traffic originating Encryption of traffic, hardening of isol- from other namespaces (Pods) on the br0 bridge. ation mechanisms (Linux kernel). T2 An attacker not only intercepts, but is able to modify Encryption and integrity checks. traffic on the br0 bridge or the vxlan0 adapter. T3 Interception and modification of Master-to-Node traffic. IPsec. T4 Interception of Node-to-Node traffic, both Project- A combination of Node-to-Node IPsec internal and cross-Project. and Tencrypt for Project-internal traffic T5 Incoming external Service traffic is intercepted (and OKD Secured routes. maybe modified) before it reaches the handling Service namespace. T6 The Pod image used by OpenShift to deploy new Pods, is Securing the image registry. The registry maliciously modified. depends on the used container techno- logy and might be an external compon- ent. T7 Resources requested by a Pod limit the availability of Continuous resource monitoring, mi- other Pods on the same Node. gration or halting of resource intensive Pods if needed. Note about containerisation

  34. Introduction Red Hat OpenShift Networking, Security Security requirements and threat model Encrypting traffic between Pods Fundamentals, ideas and possible approaches Using Minishift for experimental implementations Implementation concepts Proof of concept implementation Throughput measurements Conclusion Tencrypt: Encrypting Tenant-Traffic in OpenShift Chair of Computer Networks // Dominik Pataky 16/32 Dresden, 15th November, 2018

  35. Fundamentals • „ Encrypted tra ffi c “ only includes Tenant-internal (Project-internal) tra ffi c, not egress or cross-Project tra ffi c Primary focus: eth0 interface shared between Containers in a Pod • • At fi rst, only application data (OSI layers 5-7) was to be encrypted. PoC encapsulates whole encrypted packet. • Deployed container images of developers should not have to be customised at all Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 17/32 Dresden, 15th November, 2018

  36. Fundamentals • „ Encrypted tra ffi c “ only includes Tenant-internal (Project-internal) tra ffi c, not egress or cross-Project tra ffi c Primary focus: eth0 interface shared between Containers in a Pod • • At fi rst, only application data (OSI layers 5-7) was to be encrypted. PoC encapsulates whole encrypted packet. • Deployed container images of developers should not have to be customised at all Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 17/32 Dresden, 15th November, 2018

  37. Fundamentals • „ Encrypted tra ffi c “ only includes Tenant-internal (Project-internal) tra ffi c, not egress or cross-Project tra ffi c Primary focus: eth0 interface shared between Containers in a Pod • • At fi rst, only application data (OSI layers 5-7) was to be encrypted. PoC encapsulates whole encrypted packet. • Deployed container images of developers should not have to be customised at all Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 17/32 Dresden, 15th November, 2018

  38. Fundamentals • „ Encrypted tra ffi c “ only includes Tenant-internal (Project-internal) tra ffi c, not egress or cross-Project tra ffi c Primary focus: eth0 interface shared between Containers in a Pod • • At fi rst, only application data (OSI layers 5-7) was to be encrypted. PoC encapsulates whole encrypted packet. • Deployed container images of developers should not have to be customised at all Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 17/32 Dresden, 15th November, 2018

  39. Ideas and possible approaches • Using symmetric AES with a shared key. Payload size and MTU? Rotation of keys? Ful fi lls security requirements? • Asymmetric encryption with public keys in shared storage. Who generates key pair? Which system to use (e.g. X.509)? Realisable without a new OpenShift component? • Using existing technology like Wireguard . Does it scale? Can compiled tools be integrated at all? Which component creates the interfaces? Can peer keys be shared through Secret Storage? Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 18/32 Dresden, 15th November, 2018

  40. Ideas and possible approaches • Using symmetric AES with a shared key. Payload size and MTU? Rotation of keys? Ful fi lls security requirements? • Asymmetric encryption with public keys in shared storage. Who generates key pair? Which system to use (e.g. X.509)? Realisable without a new OpenShift component? • Using existing technology like Wireguard . Does it scale? Can compiled tools be integrated at all? Which component creates the interfaces? Can peer keys be shared through Secret Storage? Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 18/32 Dresden, 15th November, 2018

  41. Ideas and possible approaches • Using symmetric AES with a shared key. Payload size and MTU? Rotation of keys? Ful fi lls security requirements? • Asymmetric encryption with public keys in shared storage. Who generates key pair? Which system to use (e.g. X.509)? Realisable without a new OpenShift component? • Using existing technology like Wireguard . Does it scale? Can compiled tools be integrated at all? Which component creates the interfaces? Can peer keys be shared through Secret Storage? Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 18/32 Dresden, 15th November, 2018

  42. Using Minishift • Fork of the Kubernetes Minikube project • Development environment bundled with OKD, advertised as „ local OpenShift “ • Con fi gures a virtual machine (VirtualBox, KVM,. . . ) as host for components deployed as Docker containers • Either uses a Boot2Docker or CentOS VM ISO image • Simulates networking and Virtual IPs (VIPs) with IPtables NAT rules • Tencrypt: CentOS on VirtualBox, using default „ developer “ account with two Projects Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 19/32 Dresden, 15th November, 2018

  43. Using Minishift • Fork of the Kubernetes Minikube project • Development environment bundled with OKD, advertised as „ local OpenShift “ • Con fi gures a virtual machine (VirtualBox, KVM,. . . ) as host for components deployed as Docker containers • Either uses a Boot2Docker or CentOS VM ISO image • Simulates networking and Virtual IPs (VIPs) with IPtables NAT rules • Tencrypt: CentOS on VirtualBox, using default „ developer “ account with two Projects Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 19/32 Dresden, 15th November, 2018

  44. Using Minishift • Fork of the Kubernetes Minikube project • Development environment bundled with OKD, advertised as „ local OpenShift “ • Con fi gures a virtual machine (VirtualBox, KVM,. . . ) as host for components deployed as Docker containers • Either uses a Boot2Docker or CentOS VM ISO image • Simulates networking and Virtual IPs (VIPs) with IPtables NAT rules • Tencrypt: CentOS on VirtualBox, using default „ developer “ account with two Projects Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 19/32 Dresden, 15th November, 2018

  45. Using Minishift • Fork of the Kubernetes Minikube project • Development environment bundled with OKD, advertised as „ local OpenShift “ • Con fi gures a virtual machine (VirtualBox, KVM,. . . ) as host for components deployed as Docker containers • Either uses a Boot2Docker or CentOS VM ISO image • Simulates networking and Virtual IPs (VIPs) with IPtables NAT rules • Tencrypt: CentOS on VirtualBox, using default „ developer “ account with two Projects Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 19/32 Dresden, 15th November, 2018

  46. Using Minishift • Fork of the Kubernetes Minikube project • Development environment bundled with OKD, advertised as „ local OpenShift “ • Con fi gures a virtual machine (VirtualBox, KVM,. . . ) as host for components deployed as Docker containers • Either uses a Boot2Docker or CentOS VM ISO image • Simulates networking and Virtual IPs (VIPs) with IPtables NAT rules • Tencrypt: CentOS on VirtualBox, using default „ developer “ account with two Projects Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 19/32 Dresden, 15th November, 2018

  47. Using Minishift • Fork of the Kubernetes Minikube project • Development environment bundled with OKD, advertised as „ local OpenShift “ • Con fi gures a virtual machine (VirtualBox, KVM,. . . ) as host for components deployed as Docker containers • Either uses a Boot2Docker or CentOS VM ISO image • Simulates networking and Virtual IPs (VIPs) with IPtables NAT rules • Tencrypt: CentOS on VirtualBox, using default „ developer “ account with two Projects Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 19/32 Dresden, 15th November, 2018

  48. Docker image patching and Secrets • Approach: patching the Pod image to deploy encryption proxy and custom networking • Access to Docker daemon and images possible 1. Re-tag original Pod image 2. Use original image as base for patched version 3. Build patched image with Tencrypt scripts and proxy app, tagged as „ original “ • As mentioned, Secrets are either in ENV or mounts. Blocker: „ Pod “ container has no access. Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 20/32 Dresden, 15th November, 2018

  49. Docker image patching and Secrets • Approach: patching the Pod image to deploy encryption proxy and custom networking • Access to Docker daemon and images possible 1. Re-tag original Pod image 2. Use original image as base for patched version 3. Build patched image with Tencrypt scripts and proxy app, tagged as „ original “ • As mentioned, Secrets are either in ENV or mounts. Blocker: „ Pod “ container has no access. Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 20/32 Dresden, 15th November, 2018

  50. Docker image patching and Secrets • Approach: patching the Pod image to deploy encryption proxy and custom networking • Access to Docker daemon and images possible 1. Re-tag original Pod image 2. Use original image as base for patched version 3. Build patched image with Tencrypt scripts and proxy app, tagged as „ original “ • As mentioned, Secrets are either in ENV or mounts. Blocker: „ Pod “ container has no access. Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 20/32 Dresden, 15th November, 2018

  51. Docker image patching and Secrets • Approach: patching the Pod image to deploy encryption proxy and custom networking • Access to Docker daemon and images possible 1. Re-tag original Pod image 2. Use original image as base for patched version 3. Build patched image with Tencrypt scripts and proxy app, tagged as „ original “ • As mentioned, Secrets are either in ENV or mounts. Blocker: „ Pod “ container has no access. Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 20/32 Dresden, 15th November, 2018

  52. Docker image patching and Secrets • Approach: patching the Pod image to deploy encryption proxy and custom networking • Access to Docker daemon and images possible 1. Re-tag original Pod image 2. Use original image as base for patched version 3. Build patched image with Tencrypt scripts and proxy app, tagged as „ original “ • As mentioned, Secrets are either in ENV or mounts. Blocker: „ Pod “ container has no access. Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 20/32 Dresden, 15th November, 2018

  53. Docker image patching and Secrets • Approach: patching the Pod image to deploy encryption proxy and custom networking • Access to Docker daemon and images possible 1. Re-tag original Pod image 2. Use original image as base for patched version 3. Build patched image with Tencrypt scripts and proxy app, tagged as „ original “ • As mentioned, Secrets are either in ENV or mounts. Blocker: „ Pod “ container has no access. Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 20/32 Dresden, 15th November, 2018

  54. Part 1: Setting up the Pods network • Tra ffi c should either fl ow untouched or encrypted eth0 adapter only egress interface in Pod • Approach: introduce tenc0 interface which has listening proxy application • Con fi gure network to route Service tra ffi c through tenc0 TUN • • Proxy application reads from interface, encrypts and forwards • Blockers: Pod has no NET_ADMIN capability, cannot self-con fi gure network – Using setcap , manipulating Docker or Security Context Constraint (SCC) does not – work • Tencrypt: runs proxy from Host inside network namespace Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 21/32 Dresden, 15th November, 2018

  55. Part 1: Setting up the Pods network • Tra ffi c should either fl ow untouched or encrypted eth0 adapter only egress interface in Pod • Approach: introduce tenc0 interface which has listening proxy application • Con fi gure network to route Service tra ffi c through tenc0 TUN • • Proxy application reads from interface, encrypts and forwards • Blockers: Pod has no NET_ADMIN capability, cannot self-con fi gure network – Using setcap , manipulating Docker or Security Context Constraint (SCC) does not – work • Tencrypt: runs proxy from Host inside network namespace Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 21/32 Dresden, 15th November, 2018

  56. Part 1: Setting up the Pods network • Tra ffi c should either fl ow untouched or encrypted eth0 adapter only egress interface in Pod • Approach: introduce tenc0 interface which has listening proxy application • Con fi gure network to route Service tra ffi c through tenc0 TUN • • Proxy application reads from interface, encrypts and forwards • Blockers: Pod has no NET_ADMIN capability, cannot self-con fi gure network – Using setcap , manipulating Docker or Security Context Constraint (SCC) does not – work • Tencrypt: runs proxy from Host inside network namespace Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 21/32 Dresden, 15th November, 2018

  57. Part 1: Setting up the Pods network • Tra ffi c should either fl ow untouched or encrypted eth0 adapter only egress interface in Pod • Approach: introduce tenc0 interface which has listening proxy application • Con fi gure network to route Service tra ffi c through tenc0 TUN • • Proxy application reads from interface, encrypts and forwards • Blockers: Pod has no NET_ADMIN capability, cannot self-con fi gure network – Using setcap , manipulating Docker or Security Context Constraint (SCC) does not – work • Tencrypt: runs proxy from Host inside network namespace Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 21/32 Dresden, 15th November, 2018

  58. Part 1: Setting up the Pods network • Tra ffi c should either fl ow untouched or encrypted eth0 adapter only egress interface in Pod • Approach: introduce tenc0 interface which has listening proxy application • Con fi gure network to route Service tra ffi c through tenc0 TUN • • Proxy application reads from interface, encrypts and forwards • Blockers: Pod has no NET_ADMIN capability, cannot self-con fi gure network – Using setcap , manipulating Docker or Security Context Constraint (SCC) does not – work • Tencrypt: runs proxy from Host inside network namespace Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 21/32 Dresden, 15th November, 2018

  59. Part 1: Setting up the Pods network • Tra ffi c should either fl ow untouched or encrypted eth0 adapter only egress interface in Pod • Approach: introduce tenc0 interface which has listening proxy application • Con fi gure network to route Service tra ffi c through tenc0 TUN • • Proxy application reads from interface, encrypts and forwards • Blockers: Pod has no NET_ADMIN capability, cannot self-con fi gure network – Using setcap , manipulating Docker or Security Context Constraint (SCC) does not – work • Tencrypt: runs proxy from Host inside network namespace Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 21/32 Dresden, 15th November, 2018

  60. Part 1: Setting up the Pods network • Tra ffi c should either fl ow untouched or encrypted eth0 adapter only egress interface in Pod • Approach: introduce tenc0 interface which has listening proxy application • Con fi gure network to route Service tra ffi c through tenc0 TUN • • Proxy application reads from interface, encrypts and forwards • Blockers: Pod has no NET_ADMIN capability, cannot self-con fi gure network – Using setcap , manipulating Docker or Security Context Constraint (SCC) does not – work • Tencrypt: runs proxy from Host inside network namespace Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 21/32 Dresden, 15th November, 2018

  61. Part 1: Setting up the Pods network • Tra ffi c should either fl ow untouched or encrypted eth0 adapter only egress interface in Pod • Approach: introduce tenc0 interface which has listening proxy application • Con fi gure network to route Service tra ffi c through tenc0 TUN • • Proxy application reads from interface, encrypts and forwards • Blockers: Pod has no NET_ADMIN capability, cannot self-con fi gure network – Using setcap , manipulating Docker or Security Context Constraint (SCC) does not – work • Tencrypt: runs proxy from Host inside network namespace Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 21/32 Dresden, 15th November, 2018

  62. Part 1: Setting up the Pods network • Tra ffi c should either fl ow untouched or encrypted eth0 adapter only egress interface in Pod • Approach: introduce tenc0 interface which has listening proxy application • Con fi gure network to route Service tra ffi c through tenc0 TUN • • Proxy application reads from interface, encrypts and forwards • Blockers: Pod has no NET_ADMIN capability, cannot self-con fi gure network – Using setcap , manipulating Docker or Security Context Constraint (SCC) does not – work • Tencrypt: runs proxy from Host inside network namespace Networking pitfalls Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 21/32 Dresden, 15th November, 2018

  63. Part 2: Differentiation of Project-internal and -external traffic fl ows • Tra ffi c can be either Project-internal, -external or egress (NAT) • Only Project-internal tra ffi c should be encrypted Pods do not have access to NAMESPACE environment variable • • Services use DNS hierarchy with name of Project • Approach: use DNS to identify type of remote (virtual) IP by reverse lookup Tencrypt: reads local /etc/resolv.conf for own name, • queries hostnames of remote IPs and compares Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 22/32 Dresden, 15th November, 2018

  64. Part 2: Differentiation of Project-internal and -external traffic fl ows • Tra ffi c can be either Project-internal, -external or egress (NAT) • Only Project-internal tra ffi c should be encrypted Pods do not have access to NAMESPACE environment variable • • Services use DNS hierarchy with name of Project • Approach: use DNS to identify type of remote (virtual) IP by reverse lookup Tencrypt: reads local /etc/resolv.conf for own name, • queries hostnames of remote IPs and compares Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 22/32 Dresden, 15th November, 2018

  65. Part 2: Differentiation of Project-internal and -external traffic fl ows • Tra ffi c can be either Project-internal, -external or egress (NAT) • Only Project-internal tra ffi c should be encrypted Pods do not have access to NAMESPACE environment variable • • Services use DNS hierarchy with name of Project • Approach: use DNS to identify type of remote (virtual) IP by reverse lookup Tencrypt: reads local /etc/resolv.conf for own name, • queries hostnames of remote IPs and compares Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 22/32 Dresden, 15th November, 2018

  66. Part 2: Differentiation of Project-internal and -external traffic fl ows • Tra ffi c can be either Project-internal, -external or egress (NAT) • Only Project-internal tra ffi c should be encrypted Pods do not have access to NAMESPACE environment variable • • Services use DNS hierarchy with name of Project • Approach: use DNS to identify type of remote (virtual) IP by reverse lookup Tencrypt: reads local /etc/resolv.conf for own name, • queries hostnames of remote IPs and compares Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 22/32 Dresden, 15th November, 2018

  67. Part 2: Differentiation of Project-internal and -external traffic fl ows • Tra ffi c can be either Project-internal, -external or egress (NAT) • Only Project-internal tra ffi c should be encrypted Pods do not have access to NAMESPACE environment variable • • Services use DNS hierarchy with name of Project • Approach: use DNS to identify type of remote (virtual) IP by reverse lookup Tencrypt: reads local /etc/resolv.conf for own name, • queries hostnames of remote IPs and compares Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 22/32 Dresden, 15th November, 2018

  68. Part 2: Differentiation of Project-internal and -external traffic fl ows • Tra ffi c can be either Project-internal, -external or egress (NAT) • Only Project-internal tra ffi c should be encrypted Pods do not have access to NAMESPACE environment variable • • Services use DNS hierarchy with name of Project • Approach: use DNS to identify type of remote (virtual) IP by reverse lookup Tencrypt: reads local /etc/resolv.conf for own name, • queries hostnames of remote IPs and compares Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 22/32 Dresden, 15th November, 2018

  69. Part 3: Encryption of traffic • Client issues a request to a remote Service, asks DNS and connects to VIP VIP is routed through tenc0 interface, proxy app reads packets • • Proxy app encrypts and encapsulates packet, sends it as UDP payload to remote Tencrypt endpoint • Remote Tencrypt UDP socket decrypts packet, changes destination address, forwards to local Service • Reply same way but in reverse Other ideas in paper: IP_TRANSPARENT , SOCKS5, enforcing encrypted traffic • Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 23/32 Dresden, 15th November, 2018

  70. Part 3: Encryption of traffic • Client issues a request to a remote Service, asks DNS and connects to VIP VIP is routed through tenc0 interface, proxy app reads packets • • Proxy app encrypts and encapsulates packet, sends it as UDP payload to remote Tencrypt endpoint • Remote Tencrypt UDP socket decrypts packet, changes destination address, forwards to local Service • Reply same way but in reverse Other ideas in paper: IP_TRANSPARENT , SOCKS5, enforcing encrypted traffic • Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 23/32 Dresden, 15th November, 2018

  71. Part 3: Encryption of traffic • Client issues a request to a remote Service, asks DNS and connects to VIP VIP is routed through tenc0 interface, proxy app reads packets • • Proxy app encrypts and encapsulates packet, sends it as UDP payload to remote Tencrypt endpoint • Remote Tencrypt UDP socket decrypts packet, changes destination address, forwards to local Service • Reply same way but in reverse Other ideas in paper: IP_TRANSPARENT , SOCKS5, enforcing encrypted traffic • Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 23/32 Dresden, 15th November, 2018

  72. Part 3: Encryption of traffic • Client issues a request to a remote Service, asks DNS and connects to VIP VIP is routed through tenc0 interface, proxy app reads packets • • Proxy app encrypts and encapsulates packet, sends it as UDP payload to remote Tencrypt endpoint • Remote Tencrypt UDP socket decrypts packet, changes destination address, forwards to local Service • Reply same way but in reverse Other ideas in paper: IP_TRANSPARENT , SOCKS5, enforcing encrypted traffic • Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 23/32 Dresden, 15th November, 2018

  73. Part 3: Encryption of traffic • Client issues a request to a remote Service, asks DNS and connects to VIP VIP is routed through tenc0 interface, proxy app reads packets • • Proxy app encrypts and encapsulates packet, sends it as UDP payload to remote Tencrypt endpoint • Remote Tencrypt UDP socket decrypts packet, changes destination address, forwards to local Service • Reply same way but in reverse Other ideas in paper: IP_TRANSPARENT , SOCKS5, enforcing encrypted traffic • Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 23/32 Dresden, 15th November, 2018

  74. Part 3: Encryption of traffic • Client issues a request to a remote Service, asks DNS and connects to VIP VIP is routed through tenc0 interface, proxy app reads packets • • Proxy app encrypts and encapsulates packet, sends it as UDP payload to remote Tencrypt endpoint • Remote Tencrypt UDP socket decrypts packet, changes destination address, forwards to local Service • Reply same way but in reverse Other ideas in paper: IP_TRANSPARENT , SOCKS5, enforcing encrypted traffic • Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 23/32 Dresden, 15th November, 2018

  75. Node Pod eth0 C tun0 binds vethA to eth0 Proxy app reads br0 default route for Services IPs tenc0 Figure 2 : Overview of the proxy application implementation schema Tencrypt: Encrypting Tenant-Traffic in OpenShift Chair of Computer Networks // Dominik Pataky 24 / 32 Dresden, 15 th November, 2018

  76. Proof of concept implementation • Four components: 1. DNS upstream proxy , parsing replies 2. TUN interface handler , reading packets and writing replies 3. UDP encapsulation , encryption and decryption, UDP listener on a speci fi ed port 4. Raw sockets to forward packets on local interface • DNS proxy uses static connection to upstream • White-listing of external hosts • DNAT on received packets Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 25/32 Dresden, 15th November, 2018

  77. Flow for DNS request/reply Client App Upstream DNS Client Pod Binds to tenc0 Socket DNS request DNS request DNS reply Parsing of answers White-listing of host if external DNS reply Figure 3 : Traffic fl ow part one, DNS proxy Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 26 / 32 Dresden, 15 th November, 2018

  78. Flow for client request to remote Service Figure 4 : Traffic fl ow part two, client issues a request to a Service

  79. Flow for Service replies Figure 5 : Traffic fl ow part three, Service replies to request

  80. Throughput measurements Test description Transmitted Throughput server Throughput client no patch, 1 client 22640 . 38 MB 2262 . 3 MB/s 2263 . 83 MB/s no patch, 5 clients 27350 . 0 MB 2724 . 02 MB/s 2727 . 22 MB/s no patch, 10 clients 25817 . 38 MB 2410 . 15 MB/s 2538 . 02 MB/s patched, 1 client 2 . 46 MB 0 . 01 MB/s 0 . 16 MB/s patched, 5 clients 12 . 29 MB 0 . 06 MB/s 0 . 82 MB/s patched, 10 clients 24 . 58 MB 0 . 13 MB/s 1 . 64 MB/s patched, 20 clients 24 . 86 MB 0 . 12 MB/s 3 . 27 MB/s Figure 6 : Results of iperf measurements with di ff erent amounts of clients. Taken with iperf inside the Minishift VM (Virtualbox, 2 CPUs, 2 GB RAM). Observation: amount of clients in patched environment makes a di ff erence, bandwidth is summed up. Probable cause: caching. Should not be taken too seriously, as implementation is unoptimised proof of concept. Tencrypt: Encrypting Tenant-Traffic in OpenShift Chair of Computer Networks // Dominik Pataky 29 / 32 Dresden, 15 th November, 2018

  81. I ntroduction Red Hat OpenShift Networking, Security Security requirements and threat model Encrypting tra ffi c between Pods Fundamentals, ideas and possible approaches Using Minishift for experimental implementations I mplementation concepts Proof of concept implementation Throughput measurements Conclusion Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 30 / 32 Dresden, 15 th November, 2018

  82. Conclusion • Original aim: transparent encryption of Pod-to-Pod tra ffi c per Tenant • Step 1: Analysis of the OpenShift network setup • Step 2: De fi ning security requirements and threats • Step 3: Design approach alternatives • Step 4: Exploration of different implementation parts • Step 5: Proof of concept implementation • Result: implementation works, concept proved to be usable • Future work: test integration of concept into existing OpenShift code base, re-write proxy application Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 31/32 Dresden, 15th November, 2018

  83. Conclusion • Original aim: transparent encryption of Pod-to-Pod tra ffi c per Tenant • Step 1: Analysis of the OpenShift network setup • Step 2: De fi ning security requirements and threats • Step 3: Design approach alternatives • Step 4: Exploration of different implementation parts • Step 5: Proof of concept implementation • Result: implementation works, concept proved to be usable • Future work: test integration of concept into existing OpenShift code base, re-write proxy application Tencrypt: Encrypting Tenant-Tra ffi c in OpenShift Chair of Computer Networks // Dominik Pataky 31/32 Dresden, 15th November, 2018

Recommend

First things first, sign up! http://openshift.redhat.com OpenShift, a little history Nov 2010

First things first, sign up! http://openshift.redhat.com OpenShift, a little history Nov 2010

First things first, sign up! http://openshift.redhat.com OpenShift, a little history Nov 2010 Makara acquired In 2011 merged into OpenShift project May 2012 Open Sourced GitHub, blogs, howto's, quickstarts, webinars

651 views • 32 slides
Openshift di Massimiliano Dessi Openshift Massimiliano Dessi The linuxday 2014 in

Openshift di Massimiliano Dessi Openshift Massimiliano Dessi The linuxday 2014 in

Openshift di Massimiliano Dessi Openshift Massimiliano Dessi The linuxday 2014 in Cagliari and this preso are dedicated to the memory of Giulio Concas. 2 Openshift Massimiliano Dessi 20 min with @desmax74 &

471 views • 16 slides
OpenShift on you own cloud Troy Dawson OpenShift Engineer, Red Hat tdawson@redhat.com November

OpenShift on you own cloud Troy Dawson OpenShift Engineer, Red Hat tdawson@redhat.com November

OpenShift on you own cloud Troy Dawson OpenShift Engineer, Red Hat tdawson@redhat.com November 1, 2013 2 Infrastructure-as-a-Service Servers in the Cloud You must build and manage everything (OS, App Servers, DB, App, etc.) How do I use

662 views • 50 slides
Enabling GPU-as-a-Service Providers with Red Hat OpenShift @jeremyeder Senior Principal Software

Enabling GPU-as-a-Service Providers with Red Hat OpenShift @jeremyeder Senior Principal Software

Enabling GPU-as-a-Service Providers with Red Hat OpenShift @jeremyeder Senior Principal Software Engineer, Red Hat March, 2018 1 JEREMY EDER - RED HAT PERFORMANCE ENGINEERING Agenda OpenShift Cluster Overview Infrastructure

1.1k views • 25 slides
LANDLORD TENANT LAW UPDATES HIGHLIGHTS FROM LAWS PASSED IN 2019 STARTING A LANDLORD-TENANT

LANDLORD TENANT LAW UPDATES HIGHLIGHTS FROM LAWS PASSED IN 2019 STARTING A LANDLORD-TENANT

LANDLORD TENANT LAW UPDATES HIGHLIGHTS FROM LAWS PASSED IN 2019 STARTING A LANDLORD-TENANT RELATIONSHIP A landlord cannot reject a tenant on the basis of involvement in prior disputes cannot use tenant screening reports or

315 views • 18 slides
Roadmap for Section 8.3 Encrypting File System (EFS) Terminology EFS Operation Data Encryption

Roadmap for Section 8.3 Encrypting File System (EFS) Terminology EFS Operation Data Encryption

Unit OS8: File System 8.3. Encrypting File System Security in Windows Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Roadmap for Section 8.3 Encrypting File System (EFS) Terminology EFS

250 views • 12 slides
CI/CD with OpenShift and Jenkins Michal Fojtik < mfojtik@redhat.com > @mfojtik Agenda

CI/CD with OpenShift and Jenkins Michal Fojtik < mfojtik@redhat.com > @mfojtik Agenda

CI/CD with OpenShift and Jenkins Michal Fojtik < mfojtik@redhat.com > @mfojtik Agenda Intro to containers and CI/CD Deploying Jenkins in OpenShift Kubernetes plugin Defining CI/CD workflow Demo! Containers

519 views • 16 slides
TENANT OV E RV I E W O F T H E L AW PROTECTI ON ACT P R E S E N T E D T O OF 2 0 19 ( AB

TENANT OV E RV I E W O F T H E L AW PROTECTI ON ACT P R E S E N T E D T O OF 2 0 19 ( AB

TENANT OV E RV I E W O F T H E L AW PROTECTI ON ACT P R E S E N T E D T O OF 2 0 19 ( AB H O U S I N G N OW ! O C T O B E R 3 0 , 2 0 1 9 14 8 2 ) BRIEF OVERVIEW OF THE TENANT PROTECTION ACT (TPA) Rent Cap 5% + CPI annually,

665 views • 23 slides
Northampton Tenant Panel Housing Options Appraisal Appendix 2 Results and Analysis of the Tenant

Northampton Tenant Panel Housing Options Appraisal Appendix 2 Results and Analysis of the Tenant

Northampton Tenant Panel Housing Options Appraisal Appendix 2 Results and Analysis of the Tenant Panels Options Scoring Exercise + Issues for the Tenant Panels Report Steve Sharples Christine Bailey PS Consultants (ITA) October 1 st and 2 nd

463 views • 34 slides
Election s Agenda Agenda 1. Welcome and Introduction 2. Why we are here today 3. Tenant

Election s Agenda Agenda 1. Welcome and Introduction 2. Why we are here today 3. Tenant

2020 TENANT 2020 Tenant ELECTIONS Election s Agenda Agenda 1. Welcome and Introduction 2. Why we are here today 3. Tenant Engagement System 4. Tenant Election process 5. Thinking about being a candidate? 6. Election Day 7.

584 views • 21 slides
Information Hiding in Email Services Based on Confused Document Encrypting Schemes Author

Information Hiding in Email Services Based on Confused Document Encrypting Schemes Author

Information Hiding in Email Services Based on Confused Document Encrypting Schemes Author Wei-Shyun Pan Po-Kang Chen Quincy Wu Outline Introduction Related works A Confused Document Encrypting Schemes and its

514 views • 33 slides
Encrypted DNS Privacy? A Traffic Analysis Perspective Sandra Siby, Marc Juarez, Claudia

Encrypted DNS Privacy? A Traffic Analysis Perspective Sandra Siby, Marc Juarez, Claudia

Encrypted DNS Privacy? A Traffic Analysis Perspective Sandra Siby, Marc Juarez, Claudia Diaz, Narseo Vallina-Rodriguez, Carmela Troncoso NDSS, 25 February 2020 Encrypted DNS > Privacy? Can encrypting DNS protect users from tra ffi

533 views • 40 slides
4/12/2018 SEVEN THINGS TO KNOW ABOUT FOR DISTRICT COURT LANDLORD-TENANT JUDGES LAW THING #1:

4/12/2018 SEVEN THINGS TO KNOW ABOUT FOR DISTRICT COURT LANDLORD-TENANT JUDGES LAW THING #1:

4/12/2018 SEVEN THINGS TO KNOW ABOUT FOR DISTRICT COURT LANDLORD-TENANT JUDGES LAW THING #1: WHAT IS SUMMARY EJECTMENT? A remedy created by GS 42-26 that allows a landlord to evict a tenant from rental premises if the tenant remains on the

448 views • 8 slides
February 14, 2018 Staff: Kim Painter, Laura London Queens Court Tenant Profile Tenant Profile

February 14, 2018 Staff: Kim Painter, Laura London Queens Court Tenant Profile Tenant Profile

Queens Court Relocation Plan Tenant Landlord Commission February 14, 2018 Staff: Kim Painter, Laura London Queens Court Tenant Profile Tenant Profile Updates (pg. 9) - 30 current residents have been surveyed; 8 to be surveyed - Average

503 views • 13 slides
OpenShift 4: Whats Awesome, Why, and Where is it going? Clayton Coleman, Senior Distinguished

OpenShift 4: Whats Awesome, Why, and Where is it going? Clayton Coleman, Senior Distinguished

OpenShift 4: Whats Awesome, Why, and Where is it going? Clayton Coleman, Senior Distinguished Engineer of Cloud Platforms Derek Carr, Kubernetes Steering Committee & Co-Chair of SIG Architecture, Node Mike Barrett, Senior Director Cloud

1.77k views • 9 slides
How nCipher HSMs enhance security for Red Hat OpenShift Platform www.ncipher.com Red Hat and

How nCipher HSMs enhance security for Red Hat OpenShift Platform www.ncipher.com Red Hat and

How nCipher HSMs enhance security for Red Hat OpenShift Platform www.ncipher.com Red Hat and nCipher partnership history Long standing 10+ years technology partnership Supported integrations Red Hat Enterprise Linux Certificate System

712 views • 10 slides
assigning a lease from tenant to guarantor Peter Williams June 2016 www.shoosmiths.co.uk

assigning a lease from tenant to guarantor Peter Williams June 2016 www.shoosmiths.co.uk

1 assigning a lease from tenant to guarantor Peter Williams June 2016 www.shoosmiths.co.uk Assigning a lease from tenant to guarantor Landlord and Tenant (Covenants) Act 1995 House of Fraser case** (2011) CA held that a

565 views • 10 slides
Exercise: Encrypting and Decrypting with RSA In this exercise, you will encrypt and decrypt

Exercise: Encrypting and Decrypting with RSA In this exercise, you will encrypt and decrypt

Exercise: Encrypting and Decrypting with RSA In this exercise, you will encrypt and decrypt numbers using a simple version of the RSA algorithm. Each team should have two members. Each team-member should complete the exercise as Bob, then pass

229 views • 4 slides
Ansible and OpenShift: Red Hats Celebrity Marriage Til Death Do We Part Joshua jag

Ansible and OpenShift: Red Hats Celebrity Marriage Til Death Do We Part Joshua jag

Ansible and OpenShift: Red Hats Celebrity Marriage Til Death Do We Part Joshua jag Ginsberg - jag@redhat.com @j00bar (those are zeroes) Chief Architect - Management Platform Engineering 2 (graphic by Leigh Ann Ivey) (graphic by

1.01k views • 32 slides
got HW crypto? On the (in)security of a Self-Encrypting Drive series Research motivation is HW

got HW crypto? On the (in)security of a Self-Encrypting Drive series Research motivation is HW

got HW crypto? On the (in)security of a Self-Encrypting Drive series Research motivation is HW crypto more secure? JMS538S SW6316 OXUF943SE INIC-1607E x x x x JMS569 INIC-3608 x x 2 Speakers intro Gunnar Alendal: Christian Kison:

718 views • 56 slides
Lets Encrypt as a Startup Success Story Security and Ops and Encrypting the web Daniel

Lets Encrypt as a Startup Success Story Security and Ops and Encrypting the web Daniel

Lets Encrypt as a Startup Success Story Security and Ops and Encrypting the web Daniel Jeffery Linux Foundation Why HTTPS? As our dependency on the internet has grown, the risk to users' privacy and safety has grown along with it.

746 views • 40 slides
5 Minutes to Enterprise JavaScript With Red Hat OpenShift Application Runtimes Lance Ball John

5 Minutes to Enterprise JavaScript With Red Hat OpenShift Application Runtimes Lance Ball John

5 Minutes to Enterprise JavaScript With Red Hat OpenShift Application Runtimes Lance Ball John Clingan Principal Software Engineer Product Manager RHOAR Wednesday, May 9 2018 NODE.JS Is a Thing at Red Hat So What Do You Mean? RHOAR - Red

714 views • 40 slides
Exclude Human Continuous Deployment and OpenShift by Valdas Marimas Join at Slido.com with

Exclude Human Continuous Deployment and OpenShift by Valdas Marimas Join at Slido.com with

Exclude Human Continuous Deployment and OpenShift by Valdas Marimas Join at Slido.com with #devdays2019 1 A few words about me My name is Valdas Mazrimas, I am full stack javascript engineer @ Metasite Business Solutions. Join at

1.1k views • 40 slides
Encrypting/Decrypting, cont CS 161: Computer Security Prof. Vern Paxson TAs: Jethro Beekman,

Encrypting/Decrypting, cont CS 161: Computer Security Prof. Vern Paxson TAs: Jethro Beekman,

Encrypting/Decrypting, cont CS 161: Computer Security Prof. Vern Paxson TAs: Jethro Beekman, Mobin Javed, Antonio Lupher, Paul Pearce & Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ March 14, 2013 Announcements / Goals For

459 views • 9 slides

More recommend