Latest commit

71ed952 · Feb 28, 2022

49 lines (42 loc) · 3 KB

security-hardening.adoc

Hardening {op-system}

{op-system} was created and tuned to be deployed in {product-title} with few, if any, changes needed to {op-system} nodes. Every organization adopting {product-title} has its own requirements for system hardening. As a {op-system-base} system with OpenShift-specific modifications and features added (such as Ignition, ostree, and a read-only `/usr` to provide limited immutability), {op-system} can be hardened just as you would any {op-system-base} system. The differences lie in how you manage the hardening.

A key feature of {product-title} and its Kubernetes engine is the ability to quickly scale applications and infrastructure up and down as needed. Unless it is unavoidable, do not make direct changes to {op-system} by logging in to a host and adding software or changing settings. Instead, have the {product-title} installer and control plane manage changes to {op-system} so that new nodes can be spun up without manual intervention.

So, if you are setting out to harden {op-system} nodes in {product-title} to meet your security needs, you should consider both what to harden and how to go about doing that hardening.