security-hardening.adoc

Hardening {op-system}

{op-system} was created and tuned to be deployed in {product-title} with few if any changes needed to {op-system} nodes. Every organization adopting {product-title} has its own requirements for system hardening. As a {op-system-base} system with OpenShift-specific modifications and features added (such as Ignition, ostree, and a read-only /usr to provide limited immutability), {op-system} can be hardened just as you would any {op-system-base} system. Differences lie in the ways you manage the hardening.

A key feature of {product-title} and its Kubernetes engine is to be able to quickly scale applications and infrastructure up and down as needed. Unless it is unavoidable, you do not want to make direct changes to {op-system} by logging into a host and adding software or changing settings. You want to have the {product-title} installer and control plane manage changes to {op-system} so new nodes can be spun up without manual intervention.

So, if you are setting out to harden {op-system} nodes in {product-title} to meet your security needs, you should consider both what to harden and how to go about doing that hardening.

modules/security-hardening-what.adoc

modules/security-hardening-how.adoc

Additional resources

• OpenShift Security Guide

• Choosing how to configure {op-system}

• Modifying Nodes

• Manually creating the installation configuration file

• Creating the Kubernetes manifest and Ignition config files

• Installing {op-system} by using an ISO image

• Customizing nodes

• Adding kernel arguments to Nodes

• Installation configuration parameters - see fips

• Support for FIPS cryptography

• {op-system-base} core crypto components