
Understanding security for OpenShift Container Platform

This document details the Red Hat, Amazon Web Services (AWS), and customer security responsibilities for the managed OpenShift Container Platform.

Table 1. Acronyms and terms

Acronym   Definition
AWS       Amazon Web Services
CEE       Customer Experience and Engagement (Red Hat Support)
CI/CD     Continuous Integration / Continuous Delivery
CVE       Common Vulnerabilities and Exposures
PVs       Persistent Volumes
ROSA      Red Hat OpenShift Service on AWS
SRE       Red Hat Site Reliability Engineering
VPC       Virtual Private Cloud

Security and regulation compliance

Security and regulation compliance includes tasks such as the implementation of security controls and compliance certification.

Data classification

Red Hat defines and follows a data classification standard to determine the sensitivity of data and highlight inherent risk to the confidentiality and integrity of that data while it is collected, used, transmitted, stored, and processed. Customer-owned data is classified at the highest level of sensitivity and handling requirements.

Data management

Red Hat OpenShift Service on AWS (ROSA) uses AWS Key Management Service (KMS) to manage the keys for encrypted data. These keys protect the control plane, infrastructure, and worker data volumes, which are encrypted at rest by default. Persistent volumes (PVs) for customer applications also use AWS KMS for key management.

When a customer deletes their ROSA cluster, all cluster data is permanently deleted, including control plane data volumes and customer application data volumes such as persistent volumes (PVs).
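The page states that application PVs are KMS-encrypted but does not show where that is decided. On a ROSA cluster the AWS EBS CSI driver (`ebs.csi.aws.com`) provisions PVs, and encryption is fixed at volume creation time by the StorageClass. The manifest below is an added example, not text or code from the Red Hat page, showing a StorageClass that pins PVs to a customer-managed KMS key, plus a claim that consumes it. The storage class name, the namespace `payments`, and the KMS key ARN are placeholders.

```yaml
# Added example, not from the Red Hat page. Pins PV encryption for the AWS EBS
# CSI driver to a customer-managed KMS key. The ARN below is a placeholder and
# not a real key.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: gp3-cmk-encrypted        # assumed name
provisioner: ebs.csi.aws.com
parameters:
  type: gp3
  # EBS encryption is decided when the volume is created. A later change to
  # this StorageClass does not re-encrypt PVs that already exist.
  encrypted: "true"
  # Customer-managed key. If omitted, the EBS default key for the account is
  # used instead. Placeholder ARN:
  kmsKeyId: arn:aws:kms:us-east-1:111122223333:key/00000000-0000-0000-0000-000000000000
reclaimPolicy: Delete
volumeBindingMode: WaitForFirstConsumer
allowVolumeExpansion: true
---
# A claim bound to the class above: every PV created for it is encrypted with
# the named key. Namespace and claim name are assumed.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: app-data
  namespace: payments
spec:
  accessModes:
  - ReadWriteOnce
  storageClassName: gp3-cmk-encrypted
  resources:
    requests:
      storage: 20Gi
```

Two checks before relying on this: the KMS key policy must allow the identity the EBS CSI controller runs as to use the key (at minimum kms:DescribeKey, kms:GenerateDataKeyWithoutPlaintext, kms:CreateGrant and kms:Decrypt), otherwise volume creation fails with a permission error rather than falling back to the default key; and `encrypted: "true"` only governs new volumes, so existing PVs keep whatever key they were created with.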

Vulnerability management

Red Hat performs periodic vulnerability scanning of ROSA using industry standard tools. Identified vulnerabilities are tracked to their remediation according to timelines based on severity. Vulnerability scanning and remediation activities are documented for verification by third-party assessors in the course of compliance certification audits.

Network security

Firewall and DDoS protection

Each ROSA cluster is protected by a secure network configuration using firewall rules for AWS Security Groups. ROSA customers are also protected against DDoS attacks with AWS Shield Standard.

Private clusters and network connectivity

Customers can optionally make their ROSA cluster endpoints, such as the web console, API, and application router, private so that the cluster control plane and applications are not reachable from the Internet. Even with private endpoints, Red Hat SRE still requires Internet-accessible endpoints, which are protected with IP allow-lists.

AWS customers can configure a private network connection to their ROSA cluster through technologies such as AWS VPC peering, AWS VPN, or AWS Direct Connect.

Cluster network access controls

Fine-grained network access control rules can be configured by customers, on a per-project basis, using NetworkPolicy objects and the OpenShift SDN.
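A concrete per-project policy set, added here as an example and not taken from the Red Hat page. Two properties of NetworkPolicy drive its shape: a pod with no policy selecting it accepts all traffic, and once any policy selects a pod, only traffic matched by some allow rule reaches it, with allows from several policies combined by OR. So the set starts with a default deny and adds narrow allows; the final policy works only because the same-namespace allow deliberately excludes the database pods. The project name `payments` and the pod labels `app=api` and `app=db` are assumptions; the `network.openshift.io/policy-group` namespace labels are the ones OpenShift sets on its ingress and monitoring namespaces.

```yaml
# Added example, not from the Red Hat page. Namespace "payments" and labels
# app=api / app=db are assumed.
---
# 1. Baseline: deny all ingress to every pod in the project. Allows in the
#    policies below are additive on top of this.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: payments
spec:
  podSelector: {}
  policyTypes:
  - Ingress
---
# 2. Pods in the project may reach each other, except the database pods.
#    If this selected every pod (podSelector: {}), policy 4 would be
#    meaningless, because allows are ORed across policies.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace
  namespace: payments
spec:
  podSelector:
    matchExpressions:
    - key: app
      operator: NotIn
      values: ["db"]
  ingress:
  - from:
    - podSelector: {}
---
# 3. Keep Routes and metrics working: allow the OpenShift ingress router and
#    the cluster monitoring stack in. OpenShift labels those namespaces with
#    network.openshift.io/policy-group=ingress and =monitoring.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-openshift-ingress-and-monitoring
  namespace: payments
spec:
  podSelector: {}
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          network.openshift.io/policy-group: ingress
  - from:
    - namespaceSelector:
        matchLabels:
          network.openshift.io/policy-group: monitoring
---
# 4. Database pods accept traffic only from the api pods, and only on
#    TCP/5432. Combined with policies 1 and 2, nothing else in the project
#    can open a connection to them.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db-only-from-api
  namespace: payments
spec:
  podSelector:
    matchLabels:
      app: db
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: api
    ports:
    - protocol: TCP
      port: 5432
```

Policy 3 still grants the router and monitoring access to the database pods; tighten it with a podSelector if the database must not be scraped or routed to. Policies are namespace-scoped, so this set has to be applied in every project that needs it, and a pod in another project with no policy of its own is unaffected by it.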

Penetration testing

Red Hat performs periodic penetration tests against ROSA. Tests are performed by an independent internal team by using industry standard tools and best practices.

Issues that are discovered are prioritized by severity. Issues found in open source components are shared with the upstream project community for resolution.

Compliance

OpenShift Container Platform follows common industry best practices for security and controls. The certifications are outlined in the following table.

Table 2. Security and control certifications for OpenShift Container Platform

Compliance           OpenShift Container Platform (ROSA)   Red Hat OpenShift Service on AWS
HIPAA Qualified[1]   Yes                                   Yes
ISO 27001            Yes                                   Yes
ISO 27017            Yes                                   Yes
ISO 27018            Yes                                   Yes
PCI DSS 4.0          Yes                                   Yes
SOC 1 Type 2         Yes                                   Yes
SOC 2 Type 2         Yes                                   Yes
SOC 3                Yes                                   Yes
FedRAMP High[2]      Yes (GovCloud requisite)              Yes

  1. For more information about Red Hat’s HIPAA Qualified ROSA offerings, see the HIPAA Overview.

  2. For more information about ROSA on GovCloud, see FedRAMP Marketplace ROSA Agency.