OpenShift Security Architecture
OpenShift extends Kubernetes with enterprise-grade security features including Security Context Constraints, built-in OAuth, and compliance automation through the Compliance Operator.
Core Security Pillars
- Security Context Constraints: granular pod security policies
- OAuth & Identity: enterprise identity integration
- Network Security: ingress/egress controls
- Compliance Automation: CIS, NIST, PCI-DSS scanning
OpenShift vs Kubernetes Security
- SCCs replace Pod Security Standards with more granular controls
- Built-in OAuth server with enterprise IdP integration
- Routes with TLS instead of standard Ingress
- Compliance Operator for automated security scanning
Implementation Roadmap
Security hardening phases, in order:
1. Assessment: security baseline evaluation and gap analysis
2. SCC Hardening: implement restrictive security contexts
3. Identity Integration: configure OAuth with an enterprise IdP
4. Network Controls: deploy network policies and egress firewalls
5. Compliance Automation: enable Compliance Operator scanning
Security Context Constraints (SCCs)
SCCs are OpenShift's primary mechanism for controlling pod security. They define what actions and resources a pod can access at runtime.
SCC Security Levels
- restricted
- baseline (custom)
- privileged
Critical SCC Best Practices
- Default to restricted SCC for all workloads
- Never bind privileged or anyuid to service accounts without review
- Create custom SCCs for specific workload requirements
- Audit SCC usage regularly with oc adm policy who-can use
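The following manifests are an added example, not taken from the original page: a custom SCC modelled on the built-in restricted SCC, granted to a single service account through RBAC rather than by listing users in the SCC itself. The names example-restricted-custom, app-ns and app-sa are placeholders; the only capability re-added is NET_BIND_SERVICE, which stands in for whatever a specific workload actually needs.

```yaml
# Added example (not from the original page). Placeholder names:
# example-restricted-custom (SCC), app-ns (namespace), app-sa (service account).
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: example-restricted-custom
# Nothing privileged, no host namespaces, no host path volumes
allowPrivilegedContainer: false
allowPrivilegeEscalation: false
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
readOnlyRootFilesystem: true
# Drop every capability, then permit only the one this workload requests
requiredDropCapabilities:
  - ALL
allowedCapabilities:
  - NET_BIND_SERVICE
defaultAddCapabilities: []
# Keep the namespace-assigned UID, SELinux and fsGroup ranges, as restricted does
runAsUser:
  type: MustRunAsRange
seLinuxContext:
  type: MustRunAs
fsGroup:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
seccompProfiles:
  - runtime/default
volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - projected
  - secret
# Leave these empty and grant access via RBAC so the binding is auditable
users: []
groups: []
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: use-example-restricted-custom
  namespace: app-ns
rules:
  - apiGroups: ["security.openshift.io"]
    resources: ["securitycontextconstraints"]
    resourceNames: ["example-restricted-custom"]
    verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-sa-use-example-restricted-custom
  namespace: app-ns
subjects:
  - kind: ServiceAccount
    name: app-sa
    namespace: app-ns
roleRef:
  kind: Role
  name: use-example-restricted-custom
  apiGroup: rbac.authorization.k8s.io
```

Scoping the grant with a namespaced Role keeps the custom SCC from becoming cluster-wide by accident. To audit who can use a given SCC, run oc adm policy who-can use scc privileged (substituting the SCC name); the SCC actually applied to a running pod is recorded in its openshift.io/scc annotation, which is the value to compare against your expected baseline.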
Compliance Automation
The Compliance Operator enables automated security scanning against industry-standard benchmarks, providing continuous compliance validation.
- CIS Kubernetes Benchmark: industry-standard security configuration
- NIST 800-53: federal security and privacy controls
- PCI DSS v4.0: payment card industry requirements
- OpenShift CIS Profile: platform-specific hardening
- STIG Compliance: DoD Security Technical Implementation Guides
- FedRAMP: federal cloud security authorization
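As an added example (not from the original page), this is the minimal Compliance Operator object that schedules the CIS scans: a ScanSettingBinding that binds the platform profile and the node profile to the operator-provided default ScanSetting. The binding name cis-compliance is a placeholder; the profile names and the openshift-compliance namespace are the operator's own.

```yaml
# Added example (not from the original page). The binding name is a placeholder;
# ocp4-cis / ocp4-cis-node and the "default" ScanSetting ship with the operator.
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: cis-compliance
  namespace: openshift-compliance
profiles:
  # Platform checks: API server, OAuth, etcd and other cluster-level settings
  - apiGroup: compliance.openshift.io/v1alpha1
    kind: Profile
    name: ocp4-cis
  # Node checks: kubelet, file permissions and host configuration on each node
  - apiGroup: compliance.openshift.io/v1alpha1
    kind: Profile
    name: ocp4-cis-node
settingsRef:
  # "default" runs on the operator's built-in schedule and does not auto-apply remediations
  apiGroup: compliance.openshift.io/v1alpha1
  kind: ScanSetting
  name: default
```

Once applied, the operator creates a ComplianceSuite and one ComplianceScan per profile and node pool. Failed controls are the ones worth triaging first: oc get compliancecheckresult -n openshift-compliance -l compliance.openshift.io/check-status=FAIL lists them, and each result names the rule so it can be traced back to the benchmark section.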
Key Security Controls
Identity & Access
- OAuth provider configuration
- LDAP/AD integration
- OIDC with Keycloak
- RBAC role bindings
Network Security
- NetworkPolicy enforcement
- EgressFirewall rules
- Route TLS policies
- Service mesh (Istio)
Image Security
- Internal registry hardening
- Image signing (Sigstore)
- Vulnerability scanning
- Admission policies
Secrets Management
- Sealed Secrets
- HashiCorp Vault integration
- External Secrets Operator
- Encryption at rest
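The identity and network items above, as an added example that is not part of the original page: an OAuth cluster configuration with an LDAP identity provider over LDAPS, a default-deny NetworkPolicy pair that re-opens only the router and cluster DNS, and an OVN-Kubernetes EgressFirewall with an explicit final Deny. The namespace app-ns, the LDAP host and DNs, the secret and configmap names, and the allowed destinations are placeholders.

```yaml
# Added example (not from the original page). Placeholders: app-ns, ldap.example.com,
# the bind/base DNs, ldap-bind-secret, ldap-ca-bundle, updates.example.com, 10.0.0.0/8.
#
# 1. Identity: LDAP identity provider on the cluster OAuth server
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
    - name: corp-ldap
      mappingMethod: claim
      type: LDAP
      ldap:
        url: "ldaps://ldap.example.com/ou=users,dc=example,dc=com?uid"
        bindDN: "cn=svc-openshift,ou=service,dc=example,dc=com"
        bindPassword:
          name: ldap-bind-secret   # Secret in openshift-config, key "bindPassword"
        ca:
          name: ldap-ca-bundle     # ConfigMap in openshift-config, key "ca.crt"
        insecure: false            # keep TLS verification on for the directory
        attributes:
          id: ["dn"]
          preferredUsername: ["uid"]
          name: ["cn"]
          email: ["mail"]
---
# 2. Network: isolate every pod in the namespace for both directions ...
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: app-ns
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# ... then allow only ingress from the OpenShift router and egress to cluster DNS
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-router-ingress-and-dns-egress
  namespace: app-ns
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              network.openshift.io/policy-group: ingress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: openshift-dns
      ports:
        - protocol: UDP
          port: 5353
        - protocol: TCP
          port: 5353
---
# 3. Egress firewall (OVN-Kubernetes): the object must be named "default";
#    rules are evaluated top to bottom, so the closing Deny covers everything else
apiVersion: k8s.ovn.org/v1
kind: EgressFirewall
metadata:
  name: default
  namespace: app-ns
spec:
  egress:
    - type: Allow
      to:
        dnsName: updates.example.com
    - type: Allow
      to:
        cidrSelector: 10.0.0.0/8
    - type: Deny
      to:
        cidrSelector: 0.0.0.0/0
```

NetworkPolicy rules are additive, so the second policy widens the first rather than replacing it; any further application traffic (a database, a metrics scraper) gets its own narrow rule. The EgressFirewall governs traffic leaving the cluster and applies on top of the NetworkPolicy egress rules, which is why the DNS egress rule is still needed even with the firewall in place.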
Key Takeaway
OpenShift provides enterprise-ready security controls out of the box, but they require proper configuration and continuous monitoring through the Compliance Operator to be effective.
Written by Asfaleia Team, Security Consultant
Enterprise security specialist with expertise in OpenShift, Kubernetes, and cloud-native security architecture.