{op-system} was created and tuned to be deployed in {product-title} with
few if any changes needed to {op-system} nodes.
Every organization adopting {product-title} has its own requirements for
system hardening. As a {op-system-base} system with OpenShift-specific modifications and
features added (such as Ignition, ostree, and a read-only `/usr` to provide limited immutability),
{op-system} can be hardened just as you would any {op-system-base} system.
Differences lie in the ways you manage the hardening.

A key feature of {product-title} and its Kubernetes engine is the ability to quickly scale applications and infrastructure up and down as needed. Unless it is unavoidable, you do not want to make direct changes to {op-system} by logging in to a host and adding software or changing settings. Instead, you want the {product-title} installer and control plane to manage changes to {op-system} so that new nodes can be spun up without manual intervention.

So, if you are setting out to harden {op-system} nodes in {product-title} to meet your security needs, you should consider both what to harden and how to go about doing that hardening.

- Installation configuration parameters - see `fips`