Security features in Container Backup Support

In addition to basic security features that are integrated into Container Backup Support, advanced security features are provided to help protect containers, secure network connections, encrypt data, and verify installation packages.

Security scanning of containers

Container Backup Support components are built on containers that are derived from the Red Hat® Universal Base Image (UBI). The Container Backup Support software on each container was statically scanned for vulnerable components or libraries. In addition, the containers are dynamically scanned to help prevent runtime vulnerabilities such as code injection. After the scan, the software is tested by using an automated test suite to verify that Container Backup Support operates as expected and correctly handles erroneous input.

All containers, except for the data mover container, run in a dedicated namespace that provides further security isolation. The data mover must run in the same namespace as the persistent volume claim (PVC) for backup or restore operations because the mounting of the volume is limited to containers in a single namespace.

Least privileged containers

Each component in Container Backup Support runs under the principle of least privilege. The actions of the containers are constrained by the role-based access control (RBAC) rules that are associated with their service accounts in their separate namespace. In addition, the software in each container runs as a non-root user. The data mover runs as a privileged container because it requires access to the device location on the host system of the volume that is backed up or restored. All other container agents run under the restricted security context constraint (SCC).
Note: When you use Red Hat Advanced Cluster Security on an OpenShift cluster with Fusion, the backup and restore feature requires the default Least privileged container policy with Policy Behavior set to the Inform option, not the Inform and enforce option.
Important: If you do not want the policy to apply to the entities that you select, you must add the label app.kubernetes.io/component=datamover to the exclusion list. For more information about excluding the deployments, clusters, namespaces, and labels that you specify, refer to the Red Hat Advanced Cluster Security for Kubernetes product documentation. You can also add multiple scopes and use regular expressions in RE2 syntax for namespaces and labels. However, you cannot use regular expressions to select deployments.
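The following audit script is an added example, not part of Container Backup Support or of this documentation. It checks pod specifications against the expectations stated above: every container runs as non-root, and only the data mover, identified by the label app.kubernetes.io/component=datamover, may run privileged or escalate privileges. The pod specs embedded in the script are constructed samples; in practice they would come from the cluster (for example, the output of kubectl get pods -o json).

```python
"""Audit pod specs for the least-privilege expectations described above."""
from typing import Any, Dict, List

# Label that this page uses to identify the data mover, the one component
# that is expected to run as a privileged container.
DATAMOVER_LABEL_KEY = "app.kubernetes.io/component"
DATAMOVER_LABEL_VALUE = "datamover"


def is_datamover(pod: Dict[str, Any]) -> bool:
    labels = pod.get("metadata", {}).get("labels", {})
    return labels.get(DATAMOVER_LABEL_KEY) == DATAMOVER_LABEL_VALUE


def container_findings(pod: Dict[str, Any], container: Dict[str, Any]) -> List[str]:
    """Return the least-privilege violations for one container."""
    pod_sc = pod.get("spec", {}).get("securityContext", {})
    sc = container.get("securityContext", {})
    findings: List[str] = []
    # runAsNonRoot can be set on the pod or the container; the container wins.
    if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
        findings.append("runAsNonRoot is not true")
    if not is_datamover(pod):
        # Everything except the data mover should satisfy the restricted SCC.
        if sc.get("privileged", False):
            findings.append("privileged container outside the data mover")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append("allowPrivilegeEscalation is not false")
    return findings


def audit_pods(pods: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Map each offending pod name to its findings; clean pods are omitted."""
    report: Dict[str, List[str]] = {}
    for pod in pods:
        name = pod["metadata"]["name"]
        for container in pod["spec"].get("containers", []):
            for finding in container_findings(pod, container):
                report.setdefault(name, []).append(f"{container['name']}: {finding}")
    return report


# Constructed sample pod specs, trimmed to the fields the audit reads.
SAMPLE_PODS = [
    {
        "metadata": {"name": "baas-controller", "labels": {"app": "baas"}},
        "spec": {
            "securityContext": {"runAsNonRoot": True},
            "containers": [{"name": "controller",
                            "securityContext": {"allowPrivilegeEscalation": False}}],
        },
    },
    {
        "metadata": {"name": "datamover-abc12",
                     "labels": {DATAMOVER_LABEL_KEY: DATAMOVER_LABEL_VALUE}},
        "spec": {
            "containers": [{"name": "datamover",
                            "securityContext": {"privileged": True, "runAsNonRoot": True}}],
        },
    },
    {
        "metadata": {"name": "rogue-helper", "labels": {}},
        "spec": {"containers": [{"name": "helper",
                                 "securityContext": {"privileged": True}}]},
    },
]

if __name__ == "__main__":
    for pod_name, findings in audit_pods(SAMPLE_PODS).items():
        for f in findings:
            print(f"{pod_name}: {f}")
```

Only the constructed "rogue-helper" pod is reported: it is neither labelled as the data mover nor configured to run as non-root, so it fails all three checks, while the privileged data mover sample passes because the page explicitly allows that one exception.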

Authentication of network connections

The network connections between Container Backup Support components are controlled by network policies that limit the connections to the ones that are required for correct operation. Connections to IBM Spectrum® Protect Plus rely upon the security protocols that are provided by IBM Spectrum Protect Plus.

Multitenancy

Container Backup Support supports multitenancy by relying on the namespace-scoped authentication and authorization that the Kubernetes or OpenShift® cluster provides. Because authorization is scoped to a namespace, any user who is authorized to create a BaaSReq object in a namespace can request a backup or restore of any PVC that is associated with that namespace. A BaaSReq object is the custom resource that carries Container Backup Support requests.

Snapshots are protected by the Container Storage Interface (CSI) to restrict access to the namespace of the original PVC. Container Backup Support associates the namespace with the backup copies that are stored in IBM Spectrum Protect Plus, and the backup copies must be restored to volumes in the same namespace.
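The two checks that define the tenancy boundary in the passage above, namespace-scoped RBAC on the BaaSReq resource and the rule that a backup copy may only be restored into the namespace it was taken from, are shown together in the following added example. It is not Container Backup Support code; the API group (baas.example) and resource name (baasreqs) are assumed placeholders, since this page does not give them, and the role bindings and backup catalog are constructed samples. The rule matching follows the general Kubernetes RBAC semantics, where "*" is a wildcard in apiGroups, resources and verbs.

```python
"""Namespace-scoped authorization for a restore request (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed names for the BaaSReq custom resource; the real API group and
# resource name are not given on this page.
BAAS_API_GROUP = "baas.example"
BAAS_RESOURCE = "baasreqs"


@dataclass
class Rule:
    """One rule of a Kubernetes Role, matched the way RBAC does ('*' is a wildcard)."""
    api_groups: List[str]
    resources: List[str]
    verbs: List[str]

    def allows(self, group: str, resource: str, verb: str) -> bool:
        def hit(allowed: List[str], value: str) -> bool:
            return "*" in allowed or value in allowed
        return (hit(self.api_groups, group) and hit(self.resources, resource)
                and hit(self.verbs, verb))


@dataclass
class RoleBinding:
    namespace: str        # a RoleBinding grants access only inside its own namespace
    subjects: List[str]
    rules: List[Rule]


@dataclass
class BackupCopy:
    backup_id: str
    namespace: str        # namespace of the original PVC, recorded with the copy
    pvc: str


def is_allowed(user: str, namespace: str, group: str, resource: str, verb: str,
               bindings: List[RoleBinding]) -> bool:
    """True if some binding in this namespace names the user and a matching rule."""
    return any(
        b.namespace == namespace and user in b.subjects
        and any(r.allows(group, resource, verb) for r in b.rules)
        for b in bindings
    )


def authorize_restore(user: str, target_namespace: str, backup_id: str,
                      bindings: List[RoleBinding],
                      catalog: Dict[str, BackupCopy]) -> Optional[str]:
    """Return None if the restore may proceed, otherwise the reason for denial."""
    if not is_allowed(user, target_namespace, BAAS_API_GROUP, BAAS_RESOURCE,
                      "create", bindings):
        return f"{user} cannot create BaaSReq objects in namespace {target_namespace}"
    copy = catalog.get(backup_id)
    if copy is None:
        return f"unknown backup {backup_id}"
    # The copy is bound to the namespace of the original PVC; cross-namespace
    # restores are refused even for a user who is authorized in the target.
    if copy.namespace != target_namespace:
        return (f"backup {backup_id} belongs to namespace {copy.namespace}; "
                f"restores to {target_namespace} are refused")
    return None


# Constructed sample data.
BINDINGS = [
    RoleBinding("team-a", ["alice"],
                [Rule([BAAS_API_GROUP], [BAAS_RESOURCE], ["create", "get", "list"])]),
    RoleBinding("team-b", ["bob"], [Rule(["*"], ["*"], ["*"])]),
]
CATALOG = {
    "bk-001": BackupCopy("bk-001", "team-a", "app-data"),
    "bk-002": BackupCopy("bk-002", "team-b", "db-data"),
}

if __name__ == "__main__":
    for who, ns, bk in [("alice", "team-a", "bk-001"), ("bob", "team-a", "bk-001"),
                        ("alice", "team-a", "bk-002")]:
        print(who, ns, bk, "->", authorize_restore(who, ns, bk, BINDINGS, CATALOG) or "allowed")
```

In the sample data, alice may restore bk-001 into team-a, bob is refused in team-a because his binding lives in team-b, and alice is refused bk-002 even though she is authorized in team-a, because that copy was taken from a PVC in team-b.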

Encryption of data at rest

The cluster and storage administrators are responsible for enabling the mechanisms for protecting data at rest through encryption. The sensitive data includes the copy backup data and Container Backup Support secrets, which consist of user IDs and passwords that were specified during the installation process. The cluster administrator can specify that secrets are encrypted when stored in the cluster etcd database. For more information, see Encrypting Secret Data at Rest.

Container Backup Support does not implement additional encryption beyond what is provided by the cluster. However, the storage administrator can deploy an IBM Spectrum Protect Plus vSnap server that is enabled for encryption.

By using the IBM Spectrum Protect Plus user interface, the storage administrator can define service level agreements (SLAs) that store backup data on encrypted disks. When backup requests are created that specify encryption-enabled SLAs, data is directed to a vSnap server for encryption if the vSnap server is enabled for encryption of data at rest.

Code signing

The cluster administrator can verify that the Container Backup Support installation package has not been modified since it was generated by IBM®. This process is accomplished by verifying the signature file that is included with the installation package against the appropriate signature and certificates. The verification process is described in the installation documentation.

For more information, see Installing and configuring Container Backup Support.