OpenShift Security Use Cases

This repository provides a comprehensive walkthrough for implementing enterprise-grade security on OpenShift. To present a logical and high-impact story, the modules follow a Defense-in-Depth approach, layering defenses from infrastructure to runtime.


The RHACS Demo App

This repository uses a purposely vulnerable application to demonstrate real-world attacks and defenses.

  • RHACS Demo App: The RHACS Demo Application
  • Goal: Understand the target application, its architecture, and how to deploy it for the hands-on labs.

The CIS Framework - Small Quick Start

Focus: Standards and Best Practices

Adopting the Center for Internet Security (CIS) controls to build a data-driven security program and effective vulnerability management.


Module 1: Architecture, Threats & Security Strategy

Focus: Foundation and Threat Modeling

Before implementing controls, we must understand the architecture we are defending and the threats we face. This module sets the strategic baseline for the entire platform.


Module 2: Secure Multi-Tenancy & Project Governance

Focus: Multi-tenancy and Day-0 Governance

Before users onboard, we define the infrastructure standards. This module demonstrates how to automate the provisioning of secured environments so that security is a default property of the platform.


Module 3: Identity and Access Management

Focus: Authentication and Least Privilege

Once the projects exist, we define who can enter them and what they are permitted to access.

  • Overview: RBAC Fundamentals
  • Advanced Case: Granular Custom Roles
  • Goal: Use auth checks to demonstrate that a developer can manage their own applications but cannot access sensitive payment secrets or cluster-wide configurations.

Module 4: Admission Control & Enforcement

Focus: Resource Guardrails and Pod Security

Show what happens when applications attempt to exceed their resource limits or bypass pod-level security constraints.


Module 5: Network Security & Isolation

Focus: Microservice Isolation

Secure data in transit and prevent lateral movement between application tiers such as frontend, backend, and payments.


Module 6: Compliance

Focus: Continuous Monitoring and Vulnerability Management

Verify that the cluster remains compliant over its entire lifecycle.


Module 7: Incident Response & Forensics

Focus: Post-Mortem Analysis

The final stage covers how to react and investigate when a security event occurs.


Module 8: Sovereign

Focus: Data Residency and Operational Autonomy

Understanding the requirements and characteristics of Sovereign Cloud environments.

  • Overview: Sovereign Cloud Overview
  • Goal: Understand data residency, operational autonomy, and compliance with local regulations.