OpenShift hardening should focus on cluster RBAC, admission policy, image provenance, node-level isolation, and supply chain security. OpenShift provides enterprise-grade security features built on Kubernetes with additional controls and automation.
¶ 1) Enforce RBAC and Project Boundaries
- Restrict cluster-admin role: Limit to a minimal number of operators (2-3 maximum)
- Use project-level roles: Assign namespace-scoped roles instead of cluster-wide
- Service account least privilege: Create dedicated service accounts with minimal permissions
- Disable broad token use: Avoid cluster-admin service accounts for workloads
- Rotate service account tokens: Use bound service account tokens with expiration
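The service-account items above as one manifest set. This is an added example, not part of the original guide: a dedicated service account with auto-mounting disabled, a namespace-scoped Role that grants only the objects the workload reads (one named secret rather than all secrets), the RoleBinding, and a pod that mounts an audience-scoped projected token with an expiry instead of a legacy long-lived token. The namespace, names, image and audience are assumptions.

```yaml
# Added example (not from the original guide). Namespace team-a, service account
# payments-api, Role payments-reader and the image reference are all assumed.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: payments-api
  namespace: team-a
# No long-lived token is auto-mounted into pods that use this service account
automountServiceAccountToken: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: payments-reader
  namespace: team-a
rules:
  # Only the objects the workload actually reads, only in its own namespace
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["payments-db-credentials"]   # one named secret, never "secrets" wholesale
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: payments-api-reader
  namespace: team-a
subjects:
  - kind: ServiceAccount
    name: payments-api
    namespace: team-a
roleRef:
  kind: Role                      # namespace-scoped; workloads never get ClusterRole/cluster-admin
  name: payments-reader
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Pod
metadata:
  name: payments-api
  namespace: team-a
spec:
  serviceAccountName: payments-api
  automountServiceAccountToken: false
  containers:
    - name: app
      image: registry.example.com/team-a/payments-api@sha256:<digest>   # placeholder digest
      volumeMounts:
        - name: bound-token
          mountPath: /var/run/secrets/tokens
          readOnly: true
  volumes:
    # Projected bound token: tied to this pod, scoped to one audience, expires and is
    # rotated by the kubelet; the application reads /var/run/secrets/tokens/token
    - name: bound-token
      projected:
        sources:
          - serviceAccountToken:
              path: token
              expirationSeconds: 3600
              audience: https://kubernetes.default.svc   # assumed: the cluster's configured API audience
```

To confirm the effective permissions after applying, run `oc auth can-i --list --as=system:serviceaccount:team-a:payments-api -n team-a`; the output should show only the configmap verbs and `get` on the one secret.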
¶ Identity and Access Management
- Integrate enterprise IdP: Configure OIDC, LDAP, or Active Directory integration
- Enable MFA: Require multi-factor authentication for console and API access
- Centralized audit logging: Forward authentication events to SIEM
- Just-in-time access: Grant elevated (cluster-admin) access on request and time-bound, rather than as a standing assignment
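The IdP integration above as a cluster OAuth resource. This is an added example, not from the original guide: an OpenID Connect identity provider with claim-based mapping and shorter token lifetimes. The issuer URL, client ID, secret name and claim names are assumptions for an imaginary IdP; MFA itself is enforced at the IdP, since OpenShift delegates the login to it.

```yaml
# Added example (not from the original guide). Issuer, clientID, secret name and
# claim names are assumptions. The client secret is a Secret named
# corp-oidc-client-secret in the openshift-config namespace with key clientSecret.
apiVersion: config.openshift.io/v1
kind: OAuth
metadata:
  name: cluster
spec:
  identityProviders:
    - name: corp-oidc
      mappingMethod: claim        # refuse a login whose identity collides with a user owned by another IdP
      type: OpenID
      openID:
        clientID: openshift-console
        clientSecret:
          name: corp-oidc-client-secret
        issuer: https://login.example.com/realms/corp
        claims:
          preferredUsername: [preferred_username]
          name: [name]
          email: [email]
          groups: [groups]        # group claim, so RBAC can bind to IdP groups instead of individual users
        extraScopes: [groups]
  tokenConfig:
    accessTokenMaxAgeSeconds: 28800       # 8 hours instead of the 24-hour default
    accessTokenInactivityTimeout: 30m0s   # idle sessions expire well before the hard limit
```

With groups mapped, the cluster-admin binding can target one small IdP group (`oc adm policy add-cluster-role-to-group cluster-admin <group>`) and membership is then reviewed in the IdP, which is where the audit trail for the elevated role lives.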
# Review cluster-admin assignments (-o wide prints the bound role and its subjects)
oc get clusterrolebindings -o wide | grep 'ClusterRole/cluster-admin'
# List service accounts bound to cluster-admin (the ServiceAccount object itself carries no role data, so inspect the bindings)
oc get clusterrolebindings -o jsonpath='{range .items[?(@.roleRef.name=="cluster-admin")]}{range .subjects[?(@.kind=="ServiceAccount")]}{.namespace}/{.name}{"\n"}{end}{end}'
# Check role bindings
oc get rolebindings,clusterrolebindings --all-namespaces
¶ 2) Harden Workload Policy and Admission
- Enforce restricted SCC: Use restricted or restricted-v2 as default
- Block privileged containers: Deny privileged SCC except for specific operators
- Custom SCC for workloads: Create workload-specific SCCs with minimum capabilities
- Audit SCC usage: Monitor which SCCs are assigned to pods
¶ Pod Security Standards
- Apply Pod Security Admission: Enforce baseline or restricted profiles
- Namespace labels: Use pod-security.kubernetes.io labels for enforcement
- Override defaults: Set stricter policies than cluster defaults
- Regular audits: Scan workloads for policy violations
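The custom-SCC and Pod Security Admission items above, worked as manifests. This is an added example, not from the original guide: a workload-specific SCC modelled on restricted-v2 that allows exactly one capability, the Role/RoleBinding that lets one service account use it, and a namespace that pins the restricted Pod Security profile. Namespace, SCC and service-account names are assumptions.

```yaml
# Added example (not from the original guide). Names team-a, payments-api and
# team-a-restricted-netbind are assumed.
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: team-a-restricted-netbind
allowPrivilegedContainer: false
allowPrivilegeEscalation: false
allowHostNetwork: false
allowHostPID: false
allowHostIPC: false
allowHostPorts: false
allowHostDirVolumePlugin: false
readOnlyRootFilesystem: true
requiredDropCapabilities: ["ALL"]
allowedCapabilities: ["NET_BIND_SERVICE"]   # the single capability this workload needs (port < 1024)
defaultAddCapabilities: []
runAsUser:
  type: MustRunAsRange            # UID from the namespace's annotated range, never root
seLinuxContext:
  type: MustRunAs
fsGroup:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
seccompProfiles: ["runtime/default"]
volumes: ["configMap", "downwardAPI", "emptyDir", "projected", "secret"]
# Same (null) priority as restricted-v2: pods that fit restricted-v2 keep using it,
# only pods requesting NET_BIND_SERVICE fall through to this SCC
priority: null
users: []                         # grant via RBAC "use" below, not by listing users here
groups: []
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: use-team-a-scc
  namespace: team-a
rules:
  - apiGroups: ["security.openshift.io"]
    resources: ["securitycontextconstraints"]
    resourceNames: ["team-a-restricted-netbind"]
    verbs: ["use"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: use-team-a-scc
  namespace: team-a
subjects:
  - kind: ServiceAccount
    name: payments-api
    namespace: team-a
roleRef:
  kind: Role
  name: use-team-a-scc
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: v1
kind: Namespace
metadata:
  name: team-a
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
    # OpenShift otherwise derives these labels from the SCCs granted in the namespace;
    # disabling the sync keeps the stricter, explicit values
    security.openshift.io/scc.podSecurityLabelSync: "false"
```

After a pod is admitted, `oc get pod payments-api -n team-a -o jsonpath='{.metadata.annotations.openshift\.io/scc}'` prints the SCC that was actually applied; anything other than the expected name means a broader SCC was reachable through some binding and should be tracked down.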
- Require signed images: Configure image signature verification
- Trusted registries only: Allow pulls only from an explicit list of approved container registries
- ImageContentSourcePolicy: Mirror images from trusted sources
- Scan images before deployment: Integrate vulnerability scanning in CI/CD
- Block latest tags: Require specific image digests or versions
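The registry allowlist and mirroring items above as cluster configuration. This is an added example, not from the original guide: the cluster Image resource restricting pull sources, and an ImageDigestMirrorSet (the successor to ImageContentSourcePolicy in current releases) that redirects pulls to an internal mirror and fails closed. Registry hostnames are assumptions.

```yaml
# Added example (not from the original guide). registry.example.com and
# mirror.example.com are assumed hostnames.
apiVersion: config.openshift.io/v1
kind: Image
metadata:
  name: cluster
spec:
  registrySources:
    # Nodes may pull only from these registries; everything else is rejected.
    # The list must keep every registry the platform itself pulls from (release
    # payload, operator catalogs, internal registry) or the cluster breaks.
    allowedRegistries:
      - registry.example.com
      - mirror.example.com
      - quay.io
      - registry.redhat.io
      - image-registry.openshift-image-registry.svc:5000
    insecureRegistries: []
  # Registries from which image streams may import tags
  allowedRegistriesForImport:
    - domainName: registry.example.com
      insecure: false
---
apiVersion: config.openshift.io/v1
kind: ImageDigestMirrorSet
metadata:
  name: redhat-mirror
spec:
  imageDigestMirrors:
    - source: registry.redhat.io
      mirrors:
        - mirror.example.com/redhat
      # Fail the pull rather than silently falling back to the upstream source
      mirrorSourcePolicy: NeverContactSource
```

An ImageDigestMirrorSet only applies to pulls by digest, which is one more reason to require digests in deployments; tag-based pulls need a separate ImageTagMirrorSet. Changes to either roll out through MachineConfig and reboot nodes, so stage them.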
# Check SCC assignments
oc get scc
oc describe scc restricted
# Review pod security admission
oc get namespace --show-labels | grep pod-security
# List images in use
oc get pods --all-namespaces -o jsonpath="{range .items[*]}{.spec.containers[*].image}{'\n'}{end}"
- Default deny policies: Apply default-deny NetworkPolicy to namespaces
- Explicit allow rules: Define specific ingress/egress rules
- Isolate sensitive workloads: Separate databases, secrets management
- Egress filtering: Control outbound traffic from pods
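The default-deny pattern above with the minimum explicit allows a real namespace needs. This is an added example, not from the original guide: deny all ingress and egress, then allow same-namespace traffic, ingress from the OpenShift router to the exposed pods only, DNS egress, and one egress rule to a database namespace. The namespace, pod labels and ports are assumptions.

```yaml
# Added example (not from the original guide). team-a, team-a-data, the app labels
# and ports 8443/5432 are assumed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: team-a
spec:
  podSelector: {}                   # every pod in the namespace
  policyTypes: [Ingress, Egress]    # both types listed with no rules => all traffic denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: team-a
spec:
  podSelector: {}
  policyTypes: [Ingress]
  ingress:
    - from:
        - podSelector: {}           # peers inside team-a only
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-openshift-ingress
  namespace: team-a
spec:
  podSelector:
    matchLabels:
      app: payments-api             # only pods that are actually behind a Route
  policyTypes: [Ingress]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              policy-group.network.openshift.io/ingress: ""
      ports:
        - protocol: TCP
          port: 8443
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-dns
  namespace: team-a
spec:
  podSelector: {}
  policyTypes: [Egress]
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: openshift-dns
      ports:
        # CoreDNS pods listen on 5353; the service's port 53 is DNATed before policy evaluation
        - protocol: UDP
          port: 5353
        - protocol: TCP
          port: 5353
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-egress-to-database
  namespace: team-a
spec:
  podSelector:
    matchLabels:
      app: payments-api
  policyTypes: [Egress]
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: team-a-data
          podSelector:
            matchLabels:
              app: postgres         # namespace AND pod selector in one entry: only the database pods
      ports:
        - protocol: TCP
          port: 5432
```

Verify the router namespace label before relying on it: `oc get namespace openshift-ingress --show-labels`. Clusters whose ingress controllers publish via host networking see router traffic from the node, and the selector must then target the host-network policy group instead. Once egress is default-deny, anything the application needs beyond DNS and the database (the API server, an external API, a proxy) has to be added as an explicit rule, which is the point.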
¶ 3) Secure Control Plane and Node Infrastructure
- Restrict API access: Limit API server to authorized networks
- Enable audit logging: Configure audit policy for all API requests
- Rate limiting: Enable API request rate limiting
- Anonymous auth disabled: Ensure anonymous authentication is off
- Encrypt etcd data: Enable encryption at rest for etcd
- Secure etcd backups: Encrypt and protect backup files
- Restrict etcd access: Limit network access to etcd cluster
- Monitor etcd metrics: Watch for unusual access patterns
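The audit-logging and etcd-encryption items above share one cluster resource. This is an added example, not from the original guide: the cluster-scoped APIServer object with an audit profile, etcd encryption at rest (which also covers the "encrypt secrets at rest" item in section 4), and a TLS profile. The custom audit rule for OAuth-authenticated users is a choice, not a default.

```yaml
# Added example (not from the original guide). The customRules entry is an
# illustrative choice for human (OAuth) sessions.
apiVersion: config.openshift.io/v1
kind: APIServer
metadata:
  name: cluster
spec:
  audit:
    # Metadata for every request plus request bodies for writes (create/update/patch/delete)
    profile: WriteRequestBodies
    customRules:
      # Interactive human sessions: capture read bodies too for forensic reconstruction
      - group: system:authenticated:oauth
        profile: AllRequestBodies
  encryption:
    type: aescbc                  # encrypts secrets, config maps, routes and OAuth tokens in etcd
  tlsSecurityProfile:
    type: Intermediate            # TLS 1.2 minimum with the Mozilla intermediate cipher list
    intermediate: {}
```

Encryption runs as a background migration after the change; `oc get openshiftapiserver -o jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.reason}{"\n"}{.message}{"\n"}{end}'` reports when it has completed. Audit logs are written on the control-plane nodes and are listed with `oc adm node-logs --role=master --path=openshift-apiserver/`; forward them off the nodes, since the local files rotate.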
# Check node status
oc get nodes
oc describe node <node-name> | grep -A10 "Taints"
# Review MachineConfig for node settings
oc get machineconfig
# Check for privileged pods
oc get pods --all-namespaces -o jsonpath='{range .items[?(@.spec.containers[*].securityContext.privileged==true)]} {.metadata.namespace}{"\t"}{.metadata.name}{"\n"}{end}'
- Keep clusters updated: Apply OpenShift updates promptly
- Test in staging: Validate updates before production
- Monitor CVEs: Track OpenShift security advisories
- Node updates: Ensure worker nodes receive security patches
¶ 4) Supply Chain and Secrets Management
- Encrypt secrets at rest: Enable encryption for etcd secrets
- Use External Secrets Operator: Integrate with external secret stores
- Rotate secrets regularly: Implement secret rotation policies
- Limit secret access: Use RBAC to restrict secret access
- Secure build configs: Restrict who can trigger builds
- Isolate build pods: Run builds in dedicated namespaces
- Scan build outputs: Vulnerability scan built images
- Source control integration: Use trusted Git repositories
- Enable validating admission webhooks: Deploy admission webhooks that reject non-compliant objects before they are persisted
- Policy enforcement: Use OPA Gatekeeper or Kyverno
- Custom policies: Define organization-specific rules
- Audit policy violations: Log and alert on violations
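One policy-engine rule set covering both the image items in section 2 (signed images, no floating tags) and the admission items above. This is an added example using Kyverno, not from the original guide and not a Kyverno-supplied policy: it rejects pods whose images are not pinned by digest and verifies a cosign signature on images from one registry. The registry hostname, namespace exclusions and the public key are assumptions; the key shown is a placeholder.

```yaml
# Added example (not from the original guide). registry.example.com is an assumed
# hostname and the public key block is a placeholder for the real cosign key.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: trusted-images
spec:
  validationFailureAction: Enforce   # block, do not merely report
  background: false
  failurePolicy: Fail                # if the webhook is unreachable, admission fails closed
  webhookTimeoutSeconds: 30
  rules:
    - name: require-digest
      match:
        any:
          - resources:
              kinds: [Pod]
      exclude:
        any:
          - resources:
              namespaces: ["openshift-*", "kube-*"]   # platform namespaces are managed by Red Hat operators
      validate:
        message: "Images must be pinned by digest (image@sha256:...), not by tag."
        pattern:
          spec:
            =(initContainers):        # conditional anchor: checked only when present
              - image: "*@sha256:*"
            containers:
              - image: "*@sha256:*"
    - name: verify-signature
      match:
        any:
          - resources:
              kinds: [Pod]
      exclude:
        any:
          - resources:
              namespaces: ["openshift-*", "kube-*"]
      verifyImages:
        - imageReferences:
            - "registry.example.com/*"
          required: true             # an unsigned image from this registry is rejected
          mutateDigest: true         # rewrite tag references to the verified digest
          attestors:
            - count: 1
              entries:
                - keys:
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      <cosign-public-key-placeholder>
                      -----END PUBLIC KEY-----
```

Roll the policy out with `validationFailureAction: Audit` first and read the generated reports (`oc get policyreport -A`) to see which existing workloads would be rejected; switch to `Enforce` once those are fixed. The same checks can be expressed as Gatekeeper constraints; the mechanism matters less than failing closed and auditing the violations.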
¶ 5) Monitoring and Compliance
# Review audit logs
oc get events --all-namespaces --field-selector type=Warning
# Check the API audit log for rejected requests (audit logs live on the control-plane nodes, not in pod logs; use --path=kube-apiserver/audit.log for the Kubernetes API server)
oc adm node-logs --role=master --path=openshift-apiserver/audit.log | grep -E '"code":(401|403)'
# Monitor cluster operators
oc get clusteroperators
oc get clusteroperators -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.conditions[?(@.type=="Degraded")].status}{"\n"}{end}' | grep -w True
- STIG compliance: Apply Security Technical Implementation Guide
- PCI-DSS: Configure for payment card industry requirements
- HIPAA: Enable healthcare data protection controls
- SOC 2: Implement service organization controls
- OpenShift Compliance Operator: Automated compliance scanning
- Aqua Security/Twistlock: Container security platform
- Sysdig Secure: Runtime security and compliance
- Red Hat Advanced Cluster Security: RHACS for threat detection
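The Compliance Operator item above, as the object that actually starts scanning. This is an added example, not from the original guide: a ScanSettingBinding that runs the CIS platform and node profiles shipped with the operator against the default ScanSetting. It assumes the operator is installed in the openshift-compliance namespace.

```yaml
# Added example (not from the original guide). Assumes the Compliance Operator is
# installed in openshift-compliance; ocp4-cis and ocp4-cis-node are the operator's
# bundled CIS profiles.
apiVersion: compliance.openshift.io/v1alpha1
kind: ScanSettingBinding
metadata:
  name: cis-compliance
  namespace: openshift-compliance
profiles:
  - name: ocp4-cis            # platform (API/etcd/RBAC) checks
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
  - name: ocp4-cis-node       # per-node (kubelet, file permissions) checks
    kind: Profile
    apiGroup: compliance.openshift.io/v1alpha1
settingsRef:
  name: default               # bundled ScanSetting: scheduled scans, results kept as PVCs
  kind: ScanSetting
  apiGroup: compliance.openshift.io/v1alpha1
```

Results arrive as ComplianceCheckResult objects; `oc get compliancecheckresults -n openshift-compliance -l compliance.openshift.io/check-status=FAIL` lists the failures, and each one references the rule and, where the operator ships one, a ComplianceRemediation that can be reviewed before being applied.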
¶ Verification Commands
# Check cluster operator status
oc get clusteroperators
# List Security Context Constraints
oc get scc
# Review who can create pods
oc adm policy who-can create pods --all-namespaces | head -30
# Check API services
oc get apiservices
# Review network policies
oc get networkpolicy --all-namespaces
# Check image registry configuration
oc get configs.imageregistry.operator.openshift.io/cluster -o yaml
# Audit privileged containers
oc get pods --all-namespaces -o jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\n"}{end}' | while read ns name; do
oc get pod $name -n $ns -o jsonpath='{.spec.containers[*].securityContext.privileged}' 2>/dev/null | grep -q "true" && echo "$ns/$name: PRIVILEGED"
done
# Check etcd encryption configuration (EncryptionConfiguration is not an API resource; spec.encryption.type is empty when encryption is off)
oc get apiserver cluster -o jsonpath='{.spec.encryption.type}{"\n"}'
oc get openshiftapiserver -o jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.reason}{"\n"}{.message}{"\n"}{end}'
# Review authentication configuration
oc get oauth/cluster -o yaml
- OpenShift Security Documentation: https://docs.openshift.com/container-platform/latest/security/index.html
- OpenShift Hardening Guide: https://docs.openshift.com/container-platform/latest/security/hardening/index.html
- Security Context Constraints: https://docs.openshift.com/container-platform/latest/authentication/managing-security-context-constraints.html
- Red Hat Security Advisories: https://access.redhat.com/security/security-updates/
- CIS OpenShift Benchmark: https://www.cisecurity.org/benchmark/red_hat_openshift
- NIST Container Security: https://csrc.nist.gov/publications/detail/sp/800-190/final
- OpenShift Compliance Operator: https://docs.openshift.com/container-platform/latest/security/compliance/compliance-operator.html