Security features in Container Backup Support
In addition to basic security features that are integrated into Container Backup Support, advanced security features are provided to help protect containers, secure network connections, encrypt data, and verify installation packages.
Security scanning of containers
Container Backup Support components are built on containers that are derived from the Red Hat® Universal Base Image (UBI). The Container Backup Support software on each container was statically scanned for vulnerable components or libraries. In addition, the containers are dynamically scanned to help prevent runtime vulnerabilities such as code injection. After the scan, the software is tested by using an automated test suite to verify that Container Backup Support operates as expected and correctly handles erroneous input.
All containers, except for the data mover container, run in a dedicated namespace that provides further security isolation. The data mover must run in the same namespace as the persistent volume claim (PVC) for backup or restore operations because the mounting of the volume is limited to containers in a single namespace.
Least privileged containers
Authentication of network connections
The network connections between Container Backup Support components are controlled by network policies that limit the connections to the ones that are required for correct operation. Connections to IBM Spectrum® Protect Plus rely upon the security protocols that are provided by IBM Spectrum Protect Plus.
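The following manifest is an added illustration of the kind of network policy described above; it is not shipped with Container Backup Support and does not reproduce the product's own policies. The namespace name, pod labels, and port are placeholders that you would replace with the values from your deployment. The first policy denies all ingress and egress for every pod in the namespace, and the second re-opens a single component-to-component path.

```yaml
# Added example (not part of Container Backup Support): default-deny for the
# namespace the components run in, plus one explicit allow rule.
# All PLACEHOLDER-* values are assumptions to be replaced with real ones.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: PLACEHOLDER-baas-namespace
spec:
  podSelector: {}          # empty selector: applies to every pod in the namespace
  policyTypes:
  - Ingress
  - Egress
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-client-to-server
  namespace: PLACEHOLDER-baas-namespace
spec:
  podSelector:
    matchLabels:
      PLACEHOLDER-role: server   # pods that accept the connection
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          PLACEHOLDER-role: client   # only pods with this label may connect
    ports:
    - protocol: TCP
      port: 8443                     # placeholder listening port
```

Two practical caveats when writing policies of this shape: a default-deny egress rule also blocks DNS, so an egress rule to the cluster DNS service (UDP and TCP port 53) is normally required for any pod that resolves names; and because the data mover runs in the namespace of the PVC rather than in the dedicated namespace, any policy that is meant to cover its connections must be applied in that application namespace as well. NetworkPolicy objects are only enforced when the cluster's CNI plug-in supports them, so verify enforcement with a test pod before relying on the rules.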
Multitenancy
Multitenancy is supported in Container Backup Support, which relies extensively on the authentication and authorization that is provided by the Kubernetes or OpenShift® cluster for namespaces. Because the authorization is related to a namespace, any user who is authorized to create a BaaSReq object in that namespace can request a backup or restore for any PVC that is associated with that namespace. A BaaSReq object is a custom resource that is used in Container Backup Support requests.
Snapshots are protected by the Container Storage Interface (CSI) to restrict access to the namespace of the original PVC. Container Backup Support associates the namespace with the backup copies that are stored in IBM Spectrum Protect Plus, and the backup copies must be restored to volumes in the same namespace.
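Because the tenant boundary is the namespace, the RBAC grant that controls who may create BaaSReq objects should itself be namespace-scoped. The manifest below is an added example of such a grant; it is not part of the product documentation. The API group and plural resource name of the BaaSReq custom resource are not stated on this page and are shown as placeholders, as are the namespace and the user.

```yaml
# Added example (not from Container Backup Support): a namespace-scoped Role
# that allows creating BaaSReq objects, bound to one user in one namespace.
# PLACEHOLDER-* values are assumptions; look up the real API group and
# resource name with: kubectl api-resources | grep -i baas
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: baas-requester
  namespace: PLACEHOLDER-app-namespace
rules:
- apiGroups: ["PLACEHOLDER-baasreq-api-group"]
  resources: ["PLACEHOLDER-baasreqs"]
  verbs: ["create", "get", "list", "watch"]   # no delete: requests stay auditable
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: baas-requester-binding
  namespace: PLACEHOLDER-app-namespace
subjects:
- kind: User
  name: PLACEHOLDER-user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: baas-requester
  apiGroup: rbac.authorization.k8s.io
```

A Role plus RoleBinding confines the grant to one namespace, which matches the page's model: the bound user can request backup or restore of any PVC in that namespace and of nothing outside it. Granting the same verbs through a ClusterRoleBinding would instead let one tenant submit requests against every namespace, so a review of who can create these objects cluster-wide is a useful check. The grant can be confirmed for a given user with `kubectl auth can-i create <resource> -n <namespace> --as <user>`, substituting the real resource name.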
Encryption of data at rest
The cluster and storage administrators are responsible for enabling the mechanisms for protecting data at rest through encryption. The sensitive data includes the copy backup data and Container Backup Support secrets, which consist of user IDs and passwords that were specified during the installation process. The cluster administrator can specify that secrets are encrypted when stored in the cluster etcd database. For more information, see Encrypting Secret Data at Rest.
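The following is an added example of the Kubernetes EncryptionConfiguration referred to above (the standard `apiserver.config.k8s.io/v1` resource); it is not configuration shipped with Container Backup Support. The key material is a placeholder that you generate yourself.

```yaml
# Added example (not part of Container Backup Support): encrypt Secret objects
# at rest in etcd with AES-CBC. The key value is a placeholder; generate a
# real one with: head -c 32 /dev/urandom | base64
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
  - secrets                 # covers the Container Backup Support secrets (user IDs, passwords)
  providers:
  - aescbc:
      keys:
      - name: key1
        secret: PLACEHOLDER-base64-encoded-32-byte-key
  - identity: {}            # listed last: still reads secrets written before encryption was enabled
```

On a self-managed Kubernetes cluster this file is passed to the API server with `--encryption-provider-config`. Enabling it only affects writes, so existing secrets (including those created during the Container Backup Support installation) remain in clear text in etcd until they are rewritten, for example with `kubectl get secrets --all-namespaces -o json | kubectl replace -f -`. To confirm the result, read a secret's key directly from etcd and check that the stored value begins with `k8s:enc:aescbc:v1:key1` rather than with plaintext. On OpenShift the equivalent setting is made through the cluster `APIServer` resource (`spec.encryption.type: aescbc`) rather than by editing API server flags.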
Container Backup Support does not implement additional encryption beyond what is provided by the cluster. However, the storage administrator can deploy an IBM Spectrum Protect Plus vSnap server that is enabled for encryption.
By using the IBM Spectrum Protect Plus user interface, the storage administrator can define service level agreements (SLAs) that store backup data on encrypted disks. When backup requests are created that specify encryption-enabled SLAs, data is directed to a vSnap server for encryption if the vSnap server is enabled for encryption of data at rest.
Code signing
The cluster administrator can verify that the Container Backup Support installation package has not been modified since it was generated by IBM®. This process is accomplished by verifying the signature file that is included with the installation package against the appropriate signature and certificates. The verification process is described in the installation documentation.
For more information, see Installing and configuring Container Backup Support.