OpenShift Security Use Cases
This repository provides a comprehensive walkthrough for implementing enterprise-grade security on OpenShift. To present a logical and high-impact story, the modules follow a Defense-in-Depth approach, layering defenses from infrastructure to runtime.
Module 1: Architecture, Threats & Security Strategy
Focus: Foundation and Threat Modeling
Before implementing controls, we must understand the architecture we are defending and the threats we face. This module sets the strategic baseline for the entire platform.
- Architecture & Threat Awareness: OpenShift Security Architecture & Threat Awareness
- Essential Controls: The 10 Essential Controls - A Unified Kubernetes Security Playbook
- Strategy: The 8 Pillars of a Secure Container Platform
- Business Context: The Risk-Driven Business Conversation
- Goal: Understand the "Why" and "What" of container security to effectively implement the "How".
Module 2: Secure Multi-Tenancy & Project Governance
Focus: Multi-tenancy and Day-0 Governance
Before users onboard, we define the infrastructure standards. This module demonstrates how to automate the provisioning of secured environments so that security is a default property of the platform.
- Overview: Multi-Tenancy
- Hands-on Demo: Automated Project Provisioning
- Goal: Automatically provision isolated namespaces with embedded security guardrails using Custom Project Templates.
Module 3: Identity and Access Management
Focus: Authentication and Least Privilege
Once the projects exist, we define who can enter them and what they are permitted to access.
- Overview: RBAC Fundamentals
- Advanced Case: Granular Custom Roles
- Goal: Use authorization checks to demonstrate that a developer can manage their own applications but cannot access sensitive payment secrets or cluster-wide configuration.
Module 4: Admission Control & Enforcement
Focus: Resource Guardrails and Pod Security
Show what happens when applications attempt to exceed their resource limits or bypass pod-level security constraints.
- Overview: IAM and Admission Control Overview
- Quotas: Resource Quotas
- Cluster-Wide Quotas: Cluster-Wide Quotas
- Limits: LimitRanges
- Security Context Constraints: Security Context Constraints (SCC)
- Validating Admission Policy: Validating Admission Policy (VAP) Overview
- VAP Demo: Validating Admission Demo
- Goal: Prove the cluster's ability to self-enforce security by blocking privileged pods and automatically rightsizing deployments.
Module 5: Network Security & Isolation
Focus: Microservice Isolation
Secure data in transit and prevent lateral movement between application tiers such as frontend, backend, and payments.
- NetworkPolicies Intro: Network Policies Intro
- NetworkPolicies - Demo: Network Policies - Demo
- AdminNetworkPolicies Intro: Admin Network Policies Intro
- AdminNetworkPolicies - Demo: AdminNetworkPolicies - Demo
- Goal: Use AdminNetworkPolicies to enforce global rules that remain immutable even if project owners attempt to override them.
Module 6: Compliance
Focus: Continuous Monitoring and Vulnerability Management
Verify that the cluster remains compliant over its entire lifecycle.
- Compliance Scan: Compliance Operator Demo
- Configuration: Compliance Operator Variables
- Goal: Scan against NIST and PCI-DSS standards and maintain a continuous compliance posture.
Module 7: Incident Response & Forensics
Focus: Post-Mortem Analysis
The final stage covers how to react and investigate when a security event occurs.
- Audit Investigation: Mastering Audit Logs & Forensics
- Visualizing History: Kubectl Timemachine
- Goal: Use forensic tools to search through audit logs and identify the specific actors behind unauthorized access or privilege escalation.