Completing workload operator actions through a bastion host
All interactive operator actions on the resources in Satellite location must be run through a bastion host in the management plane. A bastion host is a server that can be accessed through SSH, Windows Remote Desktop Protocol (RDP), oc (Red Hat OpenShift CLI), or kubectl, but only through a private secure connection. After set up, the bastion host allows a secure connection to Red Hat OpenShift on IBM Cloud clusters, Satellite APIs, or Satellite location hosts.
Administrative tasks on the individual services or hosts are completed by using SSH, oc, or kubectl proxied through the bastion. In addition, session auditing must be enabled to record all privileged user actions.
After connecting to your management plane through your designated connection method specific to your environment, a complete bastion solution should meet the following requirements.
- Full session recording of actions executed via the bastion to perform session audits. This includes SSH, and Kubernetes exec (
kubectl exec -it) sessions.- Linux-based session recordings are captured as a raw dump of stdout and stderr streams, including TAB characters (bash escape sequences).
- Session recordings should be placed in to a storage service maintained within your environment for archiving. The storage should be configured as “immutable object storage.” Retention policies are should be applied to the storage, so that data is stored in a WORM (Write-Once-Read-Many), non-erasable and non-rewritable manner. The policy is set and enforced for a 12-month (minimum) retention period.
- Authenticating users with MFA using a physical hardware-based security key that generates a six-digit numerical code. A smart card or hardware token designed and operated to FIPS 140-2 level 2 or above or equivalent (e.g., ANSI X9.24, ISO 13491-1:2007) is recommended.
- Locking user accounts after three (3) consecutive failed logon attempts within 15 minutes.
- Locking user accounts for 30 minutes when there have been more than three unsuccessful logon attempts. After the lockout period ends, the user will be able to reset their password. Internal privileged accounts must remain locked until released by an administrator.
- Session timeout after 15 minutes of inactivity.
- Providing a system use notification banner from either the bastion or the target system. The warning banner is displayed before the system grants access to the user and the usage conditions must be approved before proceeding. The banner will
provide privacy and security notices consistent with applicable customer policies, regulations, standards, and guidance. The warning banner will state that:
- Users are accessing a financial services information system.
- Information system usage may be monitored, recorded, and subject to audit.
- Unauthorized use of the information system is prohibited and subject to criminal and civil penalties.
- Use of the information system indicates consent to monitoring and recording.
Access to Red Hat OpenShift on IBM Cloud management APIs
Red Hat OpenShift on IBM Cloud management tasks can be completed by using oc CLI tool and kubectl. If your bastion solution provides direct support for kubectl or oc sessions, it is recommended
to configure such capabilities for the Red Hat OpenShift on IBM Cloud clusters that are deployed to your Satellite locations. Otherwise, you should consider setting up hosts in your management plane that can provide shell access with oc or kubectl CLI tools to complete Red Hat OpenShift on IBM Cloud management. Operators should access those hosts through SSH connecting through a bastion.
Access to Red Hat OpenShift on IBM Cloud management UI
Red Hat OpenShift on IBM Cloud cluster that is deployed on a Satellite location provides a management UI (web console). You should consider UI access as an exception, preferring the operator actions should CLI or CI/CD automation for effective access control, reliability, and audit.
If the operators or administrators need to access this UI, the access should be facilitated by the bastion solution as well. In this scenario, a bastion solution would act as an HTTPS reverse proxy that the operator would use to access the Red Hat OpenShift on IBM Cloud management UI.
Access to Satellite hosts through SSH
In general, the Satellite architecture discourages shell to the host OS, including SSH. Host OS updates and other maintenance (for example, backups) should be automated or completed by creating and attaching a new host instance. Login with a
root account is explicitly blocked after a host is attached to a Satellite location.
If operator access to a Satellite host is required for troubleshooting purposes, SSH connection should be completed through a bastion that uses a nonroot account.
Set up a bastion host
You need to install and manage your own bastion solution within your management plane. A bastion solution can be implemented in a variety of ways. For one example that uses Teleport Enterprise Edition in the VPC reference architecture, see Setting up a bastion host for secure connectivity.
Related controls in IBM Cloud Framework for Financial Services
| Family | Control |
|---|---|
| Audit and Accountability (AU) | AU-14 Session Audit |
| Access Control (AC) | AC-6 (9) Least Privilege | Auditing Use of Privileged Functions AC-17 Remote Access |
| Identification and Authentication (IA) | IA-2 (1) Identification and Authentication (Organizational Users) | Network Access to Privileged Accounts |