OpenShift Guide

Day 7 — Advanced Security

Zero trust, supply chain security, SSO, image hardening, and FedRAMP alignment

Zero Trust Networking

Zero Trust on OpenShift means every workload authenticates every request; nothing is trusted because of where on the network it sits. In practice that is mTLS between all services, NetworkPolicy that denies everything by default, and short-lived workload identities issued by SPIFFE/SPIRE or by the OpenShift Service Mesh (Istio) sidecar certificates.

Deny-All NetworkPolicy (Namespace Default)

# Seed into every new namespace with a Kyverno generate rule or the OpenShift project request template
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
spec:
  podSelector: {}      # matches every pod in the namespace
  policyTypes:         # both directions listed, but no ingress/egress rules follow:
  - Ingress            # every connection is denied, including DNS, until an explicit
  - Egress             # allow policy is added for it
---
# Explicit allow: frontend → backend on port 8080. This opens backend INGRESS only;
# under the deny-all above the frontend still needs its own egress rule to backend and to DNS
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
spec:
  podSelector:
    matchLabels:
      app: backend
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080
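
The two manifests above look complete but are not: the deny-all policy also isolates every pod's egress, so the frontend cannot reach the backend or cluster DNS until an egress rule exists. The following model of how a CNI evaluates NetworkPolicy is an added illustration, not OpenShift, CNI or Kyverno code; the pods, namespace labels and the extra `allow-frontend-egress` policy (OpenShift's CoreDNS pods listen on 5353) are constructed samples that mirror the manifests on this page.

```python
"""Model of Kubernetes NetworkPolicy evaluation, added here as an illustration;
it is not OpenShift, CNI or Kyverno code. The pods, namespace labels and
policies are constructed samples mirroring the manifests above."""
from dataclasses import dataclass

@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict

# Namespace labels seen by namespaceSelector peers. kubernetes.io/metadata.name
# is set by the API server on every namespace.
NAMESPACES = {
    "shop": {"kubernetes.io/metadata.name": "shop"},
    "openshift-dns": {"kubernetes.io/metadata.name": "openshift-dns"},
}

def matches(selector, labels):
    """matchLabels semantics: every pair must be present; {} matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def policy_types(policy):
    """API defaulting: Ingress is always implied, Egress only when egress rules exist."""
    spec = policy["spec"]
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}

def peer_matches(peer, policy_ns, pod):
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None:  # a bare podSelector is scoped to the policy's own namespace
        return pod_sel is not None and pod.namespace == policy_ns and matches(pod_sel, pod.labels)
    if not matches(ns_sel, NAMESPACES.get(pod.namespace, {})):
        return False
    return pod_sel is None or matches(pod_sel, pod.labels)

def port_matches(rule, port, proto):
    ports = rule.get("ports")
    return not ports or any(p.get("port") == port and p.get("protocol", "TCP") == proto for p in ports)

def direction_allowed(policies, pod, peer, port, proto, direction):
    """direction 'Ingress': pod is the destination; 'Egress': pod is the source."""
    rules_key, peers_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == pod.namespace
                 and matches(p["spec"]["podSelector"], pod.labels)
                 and direction in policy_types(p)]
    if not selecting:
        return True  # no policy isolates the pod in this direction
    for pol in selecting:
        for rule in pol["spec"].get(rules_key, []):
            peers = rule.get(peers_key)
            if (not peers or any(peer_matches(x, pol["metadata"]["namespace"], peer) for x in peers)) \
                    and port_matches(rule, port, proto):
                return True
    return False  # isolated, and no rule allows this flow

def connection_allowed(policies, src, dst, port, proto="TCP"):
    """A flow needs the source's egress AND the destination's ingress to allow it."""
    return (direction_allowed(policies, src, dst, port, proto, "Egress")
            and direction_allowed(policies, dst, src, port, proto, "Ingress"))

def np(name, namespace, pod_selector, **spec):
    return {"metadata": {"name": name, "namespace": namespace},
            "spec": {"podSelector": pod_selector, **spec}}

DEFAULT_DENY = np("default-deny-all", "shop", {}, policyTypes=["Ingress", "Egress"])
ALLOW_INGRESS = np("allow-frontend-to-backend", "shop", {"matchLabels": {"app": "backend"}},
                   ingress=[{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
                             "ports": [{"protocol": "TCP", "port": 8080}]}])
# The missing half (constructed): frontend egress to backend and to cluster DNS.
# policyTypes is set explicitly because a policy with egress rules would
# otherwise also isolate ingress.
ALLOW_FRONTEND_EGRESS = np("allow-frontend-egress", "shop", {"matchLabels": {"app": "frontend"}},
    policyTypes=["Egress"],
    egress=[{"to": [{"podSelector": {"matchLabels": {"app": "backend"}}}],
             "ports": [{"protocol": "TCP", "port": 8080}]},
            {"to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "openshift-dns"}}}],
             "ports": [{"protocol": "UDP", "port": 5353}, {"protocol": "TCP", "port": 5353}]}])

FRONTEND = Pod("frontend-1", "shop", {"app": "frontend"})
BACKEND = Pod("backend-1", "shop", {"app": "backend"})
DNS = Pod("dns-default-abc", "openshift-dns", {"dns.operator.openshift.io/daemonset-dns": "default"})

def evaluate(policies):
    return {
        "frontend->backend:8080/TCP": connection_allowed(policies, FRONTEND, BACKEND, 8080),
        "frontend->dns:5353/UDP": connection_allowed(policies, FRONTEND, DNS, 5353, "UDP"),
        "backend->frontend:8080/TCP": connection_allowed(policies, BACKEND, FRONTEND, 8080),
    }

if __name__ == "__main__":
    print("deny-all + ingress allow only:", evaluate([DEFAULT_DENY, ALLOW_INGRESS]))
    print("with frontend egress policy:  ", evaluate([DEFAULT_DENY, ALLOW_INGRESS, ALLOW_FRONTEND_EGRESS]))
```

With only the two page manifests every flow evaluates to denied; adding the egress policy opens exactly frontend→backend:8080 and frontend→DNS while backend→frontend stays blocked. On a live cluster the same check is `oc exec` from the frontend pod with `curl backend:8080` before and after applying the egress policy.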

Service Mesh mTLS (PeerAuthentication)

# Enforce STRICT mTLS across the entire mesh (a mesh-wide policy must live in the
# mesh root namespace, istio-system by default on OpenShift Service Mesh)
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# Per-namespace permissive mode during migration: a namespace-wide policy overrides
# the mesh-wide one for legacy-apps only
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: migration-permissive
  namespace: legacy-apps
spec:
  mtls:
    mode: PERMISSIVE
---
# Authorization policy: only allow payments-service to reach billing-service.
# principals are taken from the peer certificate, so they only match over mTLS; a
# plaintext request admitted under PERMISSIVE carries no principal and is denied
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: billing-authz
  namespace: billing
spec:
  selector:
    matchLabels:
      app: billing-service
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/payments/sa/payments-service
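
The three resources above interact: the effective mTLS mode is the most specific PeerAuthentication that applies, and an AuthorizationPolicy that names `principals` can only match a caller whose identity arrived in a client certificate. The model below is an added illustration of that interaction, not Istio or OpenShift Service Mesh code (it covers `source.principals` and `source.namespaces` only); the PeerAuthentication and AuthorizationPolicy resources mirror the manifests above, and the `legacy-erp` workload, its extra policy and the requests are constructed samples.

```python
"""Added illustration of how Istio picks the effective mTLS mode from
PeerAuthentication resources and why AuthorizationPolicy principals only match
over mTLS. A model, not Istio or OpenShift Service Mesh code; resources and
requests are constructed samples mirroring the manifests above."""
ROOT_NAMESPACE = "istio-system"  # mesh-wide policies are read from the mesh root namespace

def selector_matches(selector, labels):
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def effective_mtls_mode(peer_auths, namespace, labels):
    """Precedence: workload-specific (has selector) > namespace-wide > mesh-wide.
    With nothing applicable Istio behaves as PERMISSIVE."""
    for scope in ("workload", "namespace", "mesh"):
        for pa in peer_auths:
            ns, sel = pa["metadata"]["namespace"], pa["spec"].get("selector")
            if scope == "workload" and ns == namespace and sel and selector_matches(sel, labels):
                return pa["spec"]["mtls"]["mode"]
            if scope == "namespace" and ns == namespace and not sel:
                return pa["spec"]["mtls"]["mode"]
            if scope == "mesh" and ns == ROOT_NAMESPACE and not sel:
                return pa["spec"]["mtls"]["mode"]
    return "PERMISSIVE"

def rule_matches(rule, principal, src_namespace):
    """Only source.principals and source.namespaces are modelled. A plaintext
    request has no verified identity, so principal is None and never matches."""
    for src in [f["source"] for f in rule.get("from", [])]:
        want_principals, want_ns = src.get("principals"), src.get("namespaces")
        if want_principals and (principal is None or principal not in want_principals):
            continue
        if want_ns and (src_namespace is None or src_namespace not in want_ns):
            continue
        return True
    return not rule.get("from")  # a rule without `from` matches every source

def authorize(peer_auths, authz_policies, request):
    """Return an (allowed, reason) pair for one inbound request at the sidecar."""
    ns, labels = request["dst_namespace"], request["dst_labels"]
    principal = request.get("principal")  # SPIFFE ID from the peer certificate, or None
    if effective_mtls_mode(peer_auths, ns, labels) == "STRICT" and principal is None:
        return False, "deny:mtls-required"
    src_ns = principal.split("/")[2] if principal else None  # cluster.local/ns/<ns>/sa/<sa>
    applicable = [p for p in authz_policies
                  if p["metadata"]["namespace"] in (ns, ROOT_NAMESPACE)
                  and selector_matches(p["spec"].get("selector", {}), labels)]
    # Istio order: DENY policies first, then ALLOW; once any ALLOW policy selects
    # the workload, everything it does not match is denied.
    for pol in [p for p in applicable if p["spec"].get("action") == "DENY"]:
        if any(rule_matches(r, principal, src_ns) for r in pol["spec"].get("rules", [])):
            return False, "deny:explicit-deny"
    allows = [p for p in applicable if p["spec"].get("action", "ALLOW") == "ALLOW"]
    if not allows:
        return True, "allow:no-policy"
    for pol in allows:
        if any(rule_matches(r, principal, src_ns) for r in pol["spec"].get("rules", [])):
            return True, "allow"
    return False, "deny:no-matching-allow"

PEER_AUTHS = [
    {"metadata": {"name": "default", "namespace": "istio-system"}, "spec": {"mtls": {"mode": "STRICT"}}},
    {"metadata": {"name": "migration-permissive", "namespace": "legacy-apps"}, "spec": {"mtls": {"mode": "PERMISSIVE"}}},
]
PAYMENTS_SA = "cluster.local/ns/payments/sa/payments-service"
AUTHZ = [{"metadata": {"name": "billing-authz", "namespace": "billing"},
          "spec": {"selector": {"matchLabels": {"app": "billing-service"}}, "action": "ALLOW",
                   "rules": [{"from": [{"source": {"principals": [PAYMENTS_SA]}}]}]}}]
# Constructed: the same shape of policy applied to a workload in the PERMISSIVE namespace.
LEGACY_AUTHZ = {"metadata": {"name": "legacy-authz", "namespace": "legacy-apps"},
                "spec": {"selector": {"matchLabels": {"app": "legacy-erp"}}, "action": "ALLOW",
                         "rules": [{"from": [{"source": {"principals": [PAYMENTS_SA]}}]}]}}
BILLING = {"dst_namespace": "billing", "dst_labels": {"app": "billing-service"}}
LEGACY = {"dst_namespace": "legacy-apps", "dst_labels": {"app": "legacy-erp"}}

def scenarios():
    return {
        "payments over mTLS -> billing": authorize(PEER_AUTHS, AUTHZ, {**BILLING, "principal": PAYMENTS_SA}),
        "frontend over mTLS -> billing": authorize(PEER_AUTHS, AUTHZ, {**BILLING, "principal": "cluster.local/ns/shop/sa/frontend"}),
        "plaintext -> billing (STRICT)": authorize(PEER_AUTHS, AUTHZ, BILLING),
        "plaintext -> legacy (PERMISSIVE, no authz)": authorize(PEER_AUTHS, AUTHZ, LEGACY),
        "plaintext -> legacy (PERMISSIVE, principals required)": authorize(PEER_AUTHS, AUTHZ + [LEGACY_AUTHZ], LEGACY),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The two legacy-apps cases are the ones to watch during a migration: with PERMISSIVE and no AuthorizationPolicy, any plaintext client in the cluster reaches the workload, whereas a principals-based policy denies plaintext even under PERMISSIVE, because there is no identity to match.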

SPIFFE/SPIRE

Workload identity is based on cryptographic attestation rather than IP addresses. The SPIRE agent on each node attests the node to the SPIRE server and attests each workload from its Kubernetes metadata (namespace, service account, labels) before issuing it a short-lived X.509 SVID; the SPIFFE CSI driver mounts the Workload API socket into the pod so the SVID is fetched and rotated in place and is never stored as a Secret.

Egress Control

Route all outbound traffic through an Istio egress gateway so the cluster has one controlled exit point. Back it with NetworkPolicy egress rules that let only the gateway pods leave the mesh, so a pod that bypasses its sidecar is blocked rather than merely observed, and log and alert on any flow that still attempts to leave directly.

OPA / Gatekeeper

An admission webhook enforces Zero Trust posture at deploy time: reject workloads that lack the labels your NetworkPolicies select on, that request host networking, or that run as root. OpenShift's restricted-v2 SCC already blocks host networking and root for ordinary service accounts; Gatekeeper adds the cluster-specific rules (such as required labels) and its audit controller reports violations on objects that were admitted before the constraint existed.
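
The checks above are usually written in Rego as a Gatekeeper ConstraintTemplate. The following is an added illustration in plain Python of the same decision logic, the kind a ValidatingAdmissionWebhook would run on each Pod; it is not Gatekeeper, OPA or OpenShift code. The required label names and the three pod manifests are constructed samples. The one subtlety worth seeing is precedence: a container-level securityContext overrides the pod-level value for the same field, so a pod that declares `runAsNonRoot: true` can still ship a container with `runAsUser: 0`.

```python
"""Added illustration of admission-time Zero Trust checks (required labels, host
networking, root), written in Python rather than Gatekeeper's Rego. Not Gatekeeper,
OPA or OpenShift code; label names and pod manifests are constructed samples."""
REQUIRED_LABELS = ("app", "network-zone")  # hypothetical labels that NetworkPolicies key on

def _effective(container, pod_spec, field):
    """Container-level securityContext overrides the pod-level value for the same field."""
    csc = container.get("securityContext") or {}
    psc = pod_spec.get("securityContext") or {}
    return csc.get(field, psc.get(field))

def validate_pod(pod):
    """Return the list of violations; an empty list means the pod is admitted."""
    violations = []
    spec = pod.get("spec", {})
    labels = pod.get("metadata", {}).get("labels") or {}
    for label in REQUIRED_LABELS:
        if label not in labels:
            violations.append(f"missing required label {label!r}")
    if spec.get("hostNetwork"):
        violations.append("hostNetwork is not allowed")
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        run_as_user = _effective(c, spec, "runAsUser")
        run_as_non_root = _effective(c, spec, "runAsNonRoot")
        if run_as_user == 0:
            violations.append(f"container {c['name']!r} runs as uid 0")
        elif run_as_user is None and run_as_non_root is not True:
            # Conservative: the restricted SCC would assign a random UID later, but
            # the policy asks for an explicit non-root declaration in the manifest.
            violations.append(f"container {c['name']!r} must set runAsNonRoot: true")
    return violations

def _pod(name, labels, spec):
    return {"metadata": {"name": name, "labels": labels}, "spec": spec}

SAMPLE_PODS = [
    _pod("frontend", {"app": "frontend", "network-zone": "dmz"},
         {"securityContext": {"runAsNonRoot": True},
          "containers": [{"name": "web", "image": "frontend:1.2"}]}),
    _pod("host-net", {"app": "agent", "network-zone": "infra"},
         {"hostNetwork": True, "securityContext": {"runAsNonRoot": True},
          "containers": [{"name": "agent", "image": "agent:3"}]}),
    # Pod-level runAsNonRoot looks fine, but the container overrides it with uid 0
    # and the pod is missing the network-zone label that policies select on.
    _pod("db", {"app": "db"},
         {"securityContext": {"runAsNonRoot": True},
          "initContainers": [{"name": "init", "image": "busybox"}],
          "containers": [{"name": "db", "image": "db:14",
                          "securityContext": {"runAsUser": 0}}]}),
]

def review(pods=SAMPLE_PODS):
    """Map pod name -> violations, as an admission review batch would report them."""
    return {p["metadata"]["name"]: validate_pod(p) for p in pods}

if __name__ == "__main__":
    for name, found in review().items():
        print(f"{name}: {'admitted' if not found else '; '.join(found)}")
```

Gatekeeper evaluates the same `containers` and `initContainers` lists; a constraint that only inspects `spec.securityContext` will admit the `db` pod above, which is the gap this example is meant to make visible.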

Network Observability

The OpenShift Network Observability Operator collects flow logs with an eBPF agent on each node, stores them in Loki, and exposes them in the console's Network Traffic view (they can also be exported to Prometheus or Kafka for Grafana dashboards). Use the east-west topology and flow table to spot connections that no NetworkPolicy or AuthorizationPolicy was meant to allow.
