Zero Trust on OpenShift

Reference Controls

• Implement workload identities

  Install the Red Hat Zero Trust Workload Identity Manager Operator, which automates the issuance, rotation, and lifecycle management of SPIFFE/SPIRE IDs — proving the identifier assigned to a specific piece of software.

• Enable mTLS

  Integrate OCP Service Mesh to enforce mutual TLS for secure service-to-service communication.

• Federate identities

  Securely exchange trust bundles with external Identity Providers (IdPs).

• Enforce RBAC controls

  Use Open Policy Agent (OPA) for fine-grained policy enforcement.

• Enable Trustee & Confidential Containers

• Use the External Secrets Operator

• Establish Zero Trust pipelines

• Install Zero Trust Workload Identity Manager Operator (SPIFFE/SPIRE)
• Enable mTLS via OCP Service Mesh
• Federate identities / exchange trust bundles with external IdPs
• Enforce RBAC with Open Policy Agent (OPA)
• Enable Trustee & Confidential Containers
• Deploy External Secrets Operator
• Establish Zero Trust pipelines

Reference Controls

• Enable default-deny policies

  Set up segmentation between all namespaces using a Baseline Admin Network Policy (BANP) to enforce "guardrails" across the entire cluster.

  • Create additional policies to explicitly allow necessary traffic, such as DNS or communication with the OCP ingress controller.
  • Use a supported network plugin.

• Whitelist required traffic

• Enforce DNS egress

  Must allow pods to reach core DNS resolution.

• Deploy Service Mesh to automatically handle cryptographic identity

• Install cert-manager

• Secure ingress controls

  Set up Egress IP policies.

• Use an API gateway

  To enforce authorization and rate-limiting.

• Integrate Advanced Cluster Security (ACS)

  To monitor environments and scan continuously.

• Apply least-privilege security contexts

• Enable default-deny segmentation across all namespaces (BANP)
• Add explicit allow policies for DNS and ingress controller traffic
• Use a supported network plugin
• Whitelist required traffic
• Enforce DNS egress (allow pods to reach core DNS)
• Deploy Service Mesh for cryptographic identity
• Install cert-manager
• Secure ingress controls + set up Egress IP policies
• Use an API gateway for authorization & rate-limiting
• Integrate Advanced Cluster Security (ACS) for continuous scanning
• Apply least-privilege security contexts

Reference Controls

• Deploy Service Mesh

  Configure a PeerAuthentication resource in the mesh root namespace, setting the mode to STRICT to reject all unencrypted traffic.

• Implement micro-segmentation

  Apply default-deny policies.

• Write explicit allow rules

  Layer NetworkPolicy rules on top of the default-deny policies to authorize only specific pod-to-pod and pod-to-external communication paths.

• Leverage Egress Firewall objects

  Strictly limit which external databases, IPs, or APIs a specific workload can call.

• Enforce Pod Security Standards (PSS)

  Bind namespaces to the restricted pod security profile using admission labels to block privileged containers.

• Migrate to custom Security Context Constraints (SCCs)

  Explicitly drop Linux capabilities (e.g. chown, net_admin) and force workloads to run as a non-root UID (runAsNonRoot: true).

• Deploy OCP sandboxed containers

  • Install the Sandboxed Containers Operator.
  • Update deployment manifests with runtimeClassName: kata to isolate untrusted or multi-tenant workloads.

• Configure ImagePolicyWebhook

  Allow container deployments only from a validated, internal registry.

• Enforce cosign signature verification

  Deploy ACS to block pods whose container images lack a valid cryptographic signature from the CI/CD pipeline.

• Automate via GitOps

• Enable API server logging

  • Configure the advanced audit profile.
  • Forward logs to an external SIEM for real-time analysis of API calls.

• Deploy RHACS risk profiling

  Continuously scan active containers for new CVEs and runtime anomalies.

• Deploy Service Mesh with PeerAuthentication mode = STRICT
• Implement micro-segmentation with default-deny policies
• Layer explicit NetworkPolicy allow rules for pod-to-pod / external paths
• Use Egress Firewall objects to limit external DB/IP/API access
• Enforce Pod Security Standards (restricted profile)
• Migrate to custom SCCs (drop capabilities, runAsNonRoot: true)
• Deploy sandboxed containers (Operator + runtimeClassName: kata)
• Configure ImagePolicyWebhook (validated internal registry only)
• Enforce cosign signature verification via ACS
• Automate deployment via GitOps
• Enable API server logging (advanced profile) to external SIEM
• Deploy RHACS risk profiling for CVEs & runtime anomalies

Reference Controls

• Enable etcd encryption

  Modify the APIServer cluster object to use the aescbc or secretbox type to encrypt secrets, configmaps, and tokens.

• Configure node-level disk encryption

  • Utilize RHCOS disk encryption.
  • During install, enable Tang or TPM 2.0 with Network-Bound Disk Encryption (NBDE) to encrypt root/data partitions on all worker and master nodes.

• Implement persistent volume (PV) encryption

  Use OpenShift Data Foundation (ODF).

• Enforce ingress TLS termination

  Configure all routes and ingress objects to use edge, reencrypt, or passthrough TLS profiles with secure ciphers — reject any plain HTTP.

• Secure pod-to-pod traffic

  Apply a global PeerAuthentication policy set to STRICT mode, ensuring all inter-service data movement is encrypted using mTLS.

• Enable OVN-Kubernetes IPsec

  Enable IPsec encryption within the OVN-Kubernetes network plugin config to secure node-to-node traffic automatically.

• Deploy ACS for secret discovery

• Integrate external secrets management

  Install the External Secrets Operator to pull cryptographic keys dynamically into pods from external vaults using short-lived tokens.

• Apply RBAC to data APIs

• Enforce Egress Firewall

• Block host volume mounts

  Deny apps the ability to use hostPath mounts — this prevents compromised workloads from reading data directly from the node's filesystem.

• Configure advanced audit logging

  Update cluster APIServer configs to log data metadata and request bodies (RequestResponse level) for critical data resources.

• Forward logs to a secure SIEM

• Enable etcd encryption (aescbc / secretbox)
• Configure node-level disk encryption (RHCOS + Tang/TPM NBDE)
• Implement persistent volume encryption with ODF
• Enforce ingress TLS termination (edge/reencrypt/passthrough; no HTTP)
• Secure pod-to-pod traffic with global STRICT PeerAuthentication
• Enable OVN-Kubernetes IPsec for node-to-node encryption
• Deploy ACS for secret discovery
• Integrate external secrets management (short-lived tokens)
• Apply RBAC to data APIs
• Enforce Egress Firewall
• Block hostPath volume mounts
• Configure advanced audit logging (RequestResponse level)
• Forward logs to a secure SIEM

Reference Controls

• Enable UEFI Secure Boot

  Ensures RHCOS nodes only boot with cryptographically signed, trusted software kernels.

• Implement TPM 2.0 verification

  • Utilize Trusted Platform Modules on hardware nodes.
  • Use MachineConfig objects to bind node disk encryption to the hardware's TPM chip — ensuring data can't be read if the drive is moved to an unauthorized device.

• Install the Compliance Operator

  Configure it to scan against official Zero Trust benchmarks (NIST SP 800-53, FedRAMP, or CIS Benchmark).

• Remediate node config drift

  Use the Compliance Operator to automatically apply MachineConfig fixes when a node drifts from its secure baseline.

• Enforce FIPS mode

• Isolate the control plane

  Set the API server to private to hide management endpoints from the public internet.

• Disable host SSH access

  Use MachineConfig to disable or lock down the SSH daemon (sshd) on all nodes.

• Configure node firewalls

  Use the NodeNetworkConfigurationPolicy to configure strict host-level packet filtering (iptables/nftables) on nodes.

• Monitor host file integrity (AIDE)

  Use the Advanced Intrusion Detection Environment via the Compliance Operator to continuously monitor the integrity of critical system files.

• Forward host OS security logs

  Configure the logging operator (ClusterLogForwarder) to scrape system-level logs from every node and stream them in real time to an immutable external SIEM for device-anomaly detection.

• Use identity providers supporting MFA

• Enforce conditional access policies

• Enable UEFI Secure Boot
• Implement TPM 2.0 verification (bind disk encryption to TPM)
• Install Compliance Operator (scan vs. NIST SP 800-53 / FedRAMP / CIS)
• Remediate node config drift via Compliance Operator
• Enforce FIPS mode
• Isolate control plane (private API server)
• Disable / lock down host SSH (sshd) on all nodes
• Configure node firewalls (NodeNetworkConfigurationPolicy)
• Monitor host file integrity with AIDE
• Forward host OS security logs to immutable external SIEM
• Use identity providers supporting MFA
• Enforce conditional access policies