Security design for Red Hat OpenShift Virtualization

Security is a foundational component of any cloud architecture and includes identity and access management, data protection, network security, and compliance. IBM Cloud® provides a comprehensive security framework for both Virtual Servers for VPC and Red Hat® OpenShift® on IBM Cloud environments. This framework implements defense-in-depth controls across multiple layers of the infrastructure stack.

The key security architecture elements are shown in the following diagram.

Red Hat OpenShift Virtualization on IBM Cloud Security

For workload migration and deployment, robust security capabilities are essential to maintain confidentiality, integrity, and availability while meeting regulatory and compliance requirements. IBM Cloud security services integrate with the default platform capabilities to provide end-to-end protection for virtualization and container workloads.

Shared responsibility

IBM Cloud uses a shared responsibility model that defines which security and compliance responsibilities are managed by IBM Cloud and which ones are yours. Understanding this model is critical to implement effective security controls. For more information, see Shared responsibilities for using IBM Cloud products and Infrastructure-as-a-service.

IBM Cloud compliance results from a platform and services that are built to meet industry security standards and regulations, including GDPR, HIPAA, ISO 9001, ISO 27001, ISO 27017, ISO 27018, PCI, SOC2, and others. See Understanding compliance in IBM Cloud.

Identity and access management

IBM Cloud Identity and Access Management (IAM) provides centralized access control for IBM Cloud resources to manage users, service IDs, access groups, and policies across the IBM Cloud platform.

For Red Hat OpenShift on IBM Cloud, IAM integrates with Kubernetes Role-Based Access Control (RBAC).

The following table details the features of both IAM and RBAC.

Identity and Access Management features
IAM features Description
Users and services IDs
  • IBMid authentication for human users
  • Service IDs for applications and automation
  • API keys for programmatic access
  • Multifactor authentication (MFA) support
Access groups
  • Logical grouping of users and service IDs
  • Centralized policy management
  • Dynamic membership based on identity attributes
  • Simplified access governance at scale
IAM policies
  • Resource-level access control
  • Platform roles for infrastructure management
  • Service roles for workload operations
  • Attribute-based access control (ABAC)
RBAC integration with IAM
Red Hat OpenShift RBAC features Description
Platform access
  • IAM platform roles determine cluster infrastructure actions
  • Administrator, Editor, Operator, and Viewer roles
  • Cluster creation, deletion, and configuration management
  • Worker node and networking operations
Service access
  • IAM service roles map to Kubernetes RBAC policies
  • Manager, Writer, and Reader roles
  • Namespace-level and cluster-level access
  • Custom role definitions for specific workloads
Identity provider integration
  • IBMid as the default identity provider
  • Integration with enterprise LDAP and SAML providers
  • OAuth authentication flow
  • Service account tokens for automation

Data encryption

IBM Cloud provides comprehensive encryption capabilities to protect data at rest and in transit across VPC and Red Hat OpenShift environments.

The following table details each encryption service and the encryption capabilities available with that service.

Encryption-at-rest capabilities
Service Description
VPC block storage encryption
  • Provider-managed encryption by default (IBM-managed keys).
  • Customer-managed encryption by using IBM Key Protect or Hyper Protect Crypto Services.
  • AES-256 encryption standard.
  • Encryption of virtual server boot volumes and data volumes.
Red Hat OpenShift cluster encryption
  • etcd data and worker disks are encrypted with IBM-managed LUKS encryption keys.
  • Integration with IBM Key Protect lets you bring your own root key, which wraps the LUKS key that encrypts etcd storage and worker disks (envelope encryption), so that you control the root of trust.
  • Kubernetes secrets encryption at rest.
  • Persistent volume encryption through storage providers.
IBM Key Protect
  • Bring-your-own-key (BYOK) model with keys that are protected by FIPS 140-2 Level 2 cloud HSM.
  • Centralized key lifecycle management.
  • Key rotation and versioning.
  • Provides audit logs for key operations.
  • Integration with VPC and Red Hat OpenShift services
IBM Hyper Protect Crypto Services
  • Keep-your-own-key (KYOK) model that uses FIPS 140-2 Level 4 cloud HSM.
  • Customer-controlled Hardware Security Module (HSM).
  • Exclusive customer control over encryption keys.
  • Enhanced compliance for regulated industries.
Encryption-in-transit capabilities
Service Description
Network encryption
  • End-to-end encryption of application traffic depends on the endpoints: use TLS at the application layer (for example, HTTPS on port 443) so that data is encrypted from the client to the workload.
  • VPN gateway encryption by using IPsec.
  • Direct Link with MACsec encryption for private connectivity.
Red Hat OpenShift network encryption
  • TLS encryption for Red Hat OpenShift API server communication.
  • Encrypted control plane to worker node communication.

Network security

IBM Cloud VPC provides multiple layers of network security controls to protect workloads and control traffic flow.

Red Hat OpenShift provides network policies and security context constraints (SCCs).

VPC network security controls
VPC security control Description Key features
Security groups Security groups are stateful firewall controls at the network interface level: when a request is permitted by a rule, the response traffic is allowed automatically.
  • Instance-level (network interface) security
  • Stateful traffic filtering
  • Attached to bare metal servers, virtual server NICs, or load balancers
  • Ingress (inbound) and egress (outbound) rules
  • Support for protocol, port, and source and destination specification
Access control lists (ACLs) ACLs control traffic to and from subnets, acting as built-in virtual firewalls at the subnet level.
  • Subnet-level security
  • Stateless traffic filtering: return traffic is not tracked, so permitting a connection requires both an inbound rule and an outbound rule (the outbound rule must cover the ephemeral port range that replies use).
  • All resources in a subnet with an associated ACL follow the ACL rules.
  • Rules are evaluated in numerical order (priority-based); the first matching rule decides.
  • Allow and deny rules for granular control.
  Best practices for ACLs:
  • Use ACLs for broad subnet-level controls and combine them with security groups for defense-in-depth.
  • Implement explicit deny rules for known malicious traffic.
  • Order rules so that the most specific rules are evaluated first.
  • Document the purpose of each ACL rule and the maintenance procedure.
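The difference between the two controls is easiest to see on a single HTTPS session. The following is an added example, not code from the IBM Cloud documentation: it models an ACL as an ordered first-match-wins rule list with implicit deny, and a security group as allow-only rules plus a connection table, then runs a constructed request and its reply through each. The addresses, ports and rule sets are constructed for the example.

```python
"""Stateful security groups versus stateless ACLs, evaluated on a constructed HTTPS session.

Added example, not code from the IBM Cloud docs. It models two VPC-style
filters: an ACL is an ordered list of allow/deny rules, evaluated lowest
priority number first, first match wins, implicit deny if nothing matches;
a security group holds allow-only rules plus a connection table, so the
reply to a permitted request is allowed without a second rule.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    direction: str   # "inbound" or "outbound", relative to the protected resource
    proto: str       # "tcp" or "udp"
    src: str         # source IP of the packet
    dst: str         # destination IP of the packet
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    priority: int    # lower number is evaluated first (ACLs only)
    action: str      # "allow" or "deny"
    direction: str
    proto: str       # "tcp", "udp" or "all"
    remote: str      # CIDR of the remote side of the flow
    port_min: int = 1
    port_max: int = 65535

    def matches(self, f: Flow) -> bool:
        if self.direction != f.direction:
            return False
        if self.proto not in ("all", f.proto):
            return False
        remote_ip = f.src if f.direction == "inbound" else f.dst
        if ipaddress.ip_address(remote_ip) not in ipaddress.ip_network(self.remote):
            return False
        # The port range applies to the destination port of the packet being filtered.
        return self.port_min <= f.dst_port <= self.port_max


class ACL:
    """Stateless: every packet, including a reply, must match a rule on its own."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.priority)

    def evaluate(self, f: Flow) -> str:
        for r in self.rules:
            if r.matches(f):
                return r.action          # first match wins
        return "deny"                    # implicit deny


class SecurityGroup:
    """Stateful: a permitted request records a connection; its reply matches that entry."""

    def __init__(self, rules):
        self.rules = [r for r in rules if r.action == "allow"]   # SG rules are allow-only
        self.conntrack = set()

    def evaluate(self, f: Flow) -> str:
        reverse = (f.proto, f.dst, f.src, f.dst_port, f.src_port)
        if reverse in self.conntrack:
            return "allow"               # reply to a request that was already permitted
        for r in self.rules:
            if r.matches(f):
                self.conntrack.add((f.proto, f.src, f.dst, f.src_port, f.dst_port))
                return "allow"
        return "deny"


def https_session(acl_rules, sg_rules):
    """Run one HTTPS request and its reply through an ACL and a security group.

    Returns (acl_request, acl_reply, sg_request, sg_reply) verdicts.
    Addresses are constructed (TEST-NET client, private server).
    """
    request = Flow("inbound", "tcp", "203.0.113.10", "10.240.0.5", 52000, 443)
    reply = Flow("outbound", "tcp", "10.240.0.5", "203.0.113.10", 443, 52000)
    acl, sg = ACL(acl_rules), SecurityGroup(sg_rules)
    return acl.evaluate(request), acl.evaluate(reply), sg.evaluate(request), sg.evaluate(reply)


# Constructed rule sets.
SG_RULES = [Rule(10, "allow", "inbound", "tcp", "0.0.0.0/0", 443, 443)]
# ACL with only the inbound half: the reply to an ephemeral client port has no matching rule.
ACL_INBOUND_ONLY = [Rule(10, "allow", "inbound", "tcp", "0.0.0.0/0", 443, 443)]
# ACL with the outbound rule for the ephemeral port range that replies use.
ACL_BOTH_WAYS = ACL_INBOUND_ONLY + [Rule(20, "allow", "outbound", "tcp", "0.0.0.0/0", 1024, 65535)]
# A broad deny with a lower priority number shadows the more specific allow placed after it.
ACL_SHADOWED = [Rule(5, "deny", "inbound", "all", "0.0.0.0/0")] + ACL_BOTH_WAYS

if __name__ == "__main__":
    for name, rules in (("inbound-only", ACL_INBOUND_ONLY), ("both-ways", ACL_BOTH_WAYS), ("shadowed", ACL_SHADOWED)):
        print(name, https_session(rules, SG_RULES))
```

With the inbound-only ACL the request is allowed but the reply is dropped, because the reply's destination port is the client's ephemeral port and no outbound rule covers it; the security group allows the same reply from its connection table. The shadowed rule set shows why ordering matters: the deny at priority 5 is reached before the specific allow at priority 10, so the request never gets through.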
OpenShift network security
Red Hat OpenShift Description
Network policies
  • Kubernetes NetworkPolicy resources for pod-to-pod traffic control
  • Namespace isolation and segmentation.
  • Application-level micro-segmentation.
  • Ingress and egress rule definition
Security context constraints (SCCs)
  • Control pod security capabilities and permissions.
  • Restrict privileged container execution.
  • Define allowed volume types and host access.
  • Enforce security best practices for workload deployment
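How NetworkPolicy isolation behaves is the detail that most often surprises teams: a pod that no policy selects accepts all traffic, while a pod selected by an empty podSelector is isolated and then accepts only what some rule explicitly admits. The following is an added example, not code from the IBM Cloud or OpenShift documentation: a small evaluator for the ingress semantics of Kubernetes NetworkPolicy objects, run over constructed policies for a namespace that runs virtual machines. The namespace labels, pod names and the 9100 metrics port are assumptions for the example; the kubevirt.io=virt-launcher label is the one that virt-launcher pods carry.

```python
"""Evaluate Kubernetes NetworkPolicy isolation for a pod-to-pod connection.

Added example, not code from the IBM Cloud or OpenShift docs. Policy and pod
objects are constructed inline as plain dicts in the NetworkPolicy shape.
Semantics implemented: a pod is isolated for ingress when at least one policy
in its namespace selects it and applies to Ingress; an isolated pod accepts a
connection only if some ingress rule of a selecting policy matches the peer
and the port. Pods that no policy selects accept everything.
"""
from dataclasses import dataclass


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict


# Namespace labels (constructed); namespaceSelector matches against these.
NAMESPACE_LABELS = {
    "vm-prod": {"env": "prod"},
    "monitoring": {"team": "sre"},
    "dev": {"env": "dev"},
}


def selector_matches(selector, labels):
    """matchLabels semantics: every listed key/value must be present; {} matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, src, policy_namespace):
    """One entry of an ingress rule's 'from' list."""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False                     # ipBlock peers are not modelled here
    if ns_sel is not None:
        if not selector_matches(ns_sel, NAMESPACE_LABELS.get(src.namespace, {})):
            return False
    elif src.namespace != policy_namespace:
        return False                     # a lone podSelector only covers the policy's own namespace
    return pod_sel is None or selector_matches(pod_sel, src.labels)


def port_matches(rule, port, proto):
    ports = rule.get("ports")
    if not ports:
        return True                      # no ports listed: the rule covers all ports
    return any(p.get("port") == port and p.get("protocol", "TCP") == proto for p in ports)


def ingress_allowed(policies, src, dst, port, proto="TCP"):
    """True if src may open a connection to dst:port under the given policies."""
    selecting = [
        p for p in policies
        if p["metadata"]["namespace"] == dst.namespace
        and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
        and selector_matches(p["spec"]["podSelector"], dst.labels)
    ]
    if not selecting:
        return True                      # not isolated
    for policy in selecting:
        for rule in policy["spec"].get("ingress", []):
            if not port_matches(rule, port, proto):
                continue
            peers = rule.get("from")
            if not peers:
                return True              # a rule without 'from' admits every source
            if any(peer_matches(peer, src, dst.namespace) for peer in peers):
                return True
    return False


# Constructed policies for a namespace that runs virtual machines.
DEFAULT_DENY_INGRESS = {
    "metadata": {"name": "default-deny-ingress", "namespace": "vm-prod"},
    "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},   # selects every pod, allows nothing
}
ALLOW_METRICS_FROM_MONITORING = {
    "metadata": {"name": "allow-metrics-from-monitoring", "namespace": "vm-prod"},
    "spec": {
        # virt-launcher pods carry the label kubevirt.io=virt-launcher
        "podSelector": {"matchLabels": {"kubevirt.io": "virt-launcher"}},
        "policyTypes": ["Ingress"],
        "ingress": [{
            "from": [{"namespaceSelector": {"matchLabels": {"team": "sre"}}}],
            "ports": [{"protocol": "TCP", "port": 9100}],
        }],
    },
}
POLICIES = [DEFAULT_DENY_INGRESS, ALLOW_METRICS_FROM_MONITORING]

LAUNCHER = Pod("virt-launcher-vm1", "vm-prod", {"kubevirt.io": "virt-launcher"})
PROMETHEUS = Pod("prometheus-0", "monitoring", {"app": "prometheus"})
DEBUG_POD = Pod("debug", "dev", {"app": "debug"})

if __name__ == "__main__":
    print(ingress_allowed(POLICIES, PROMETHEUS, LAUNCHER, 9100))   # True
    print(ingress_allowed(POLICIES, PROMETHEUS, LAUNCHER, 22))     # False
    print(ingress_allowed(POLICIES, DEBUG_POD, LAUNCHER, 9100))    # False
```

The default-deny policy is what turns on isolation for every pod in the namespace; without it, the allow policy alone would isolate only the virt-launcher pods and leave any other pod in vm-prod open to all sources. Egress rules follow the same pattern with `policyTypes: [Egress]` and a `to` list, and are not modelled here.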
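For SCCs, the useful check before deployment is whether a pod spec would even be admitted under the restricted constraints. The following is an added example, not the OpenShift admission implementation and not code from the documentation: it checks a pod spec against a subset of what the restricted SCC enforces (no privileged containers, no host namespaces, no hostPath or other non-allowlisted volume types, no added capabilities, no container running as UID 0). The volume-type allowlist and the two pod specs are constructed for the example.

```python
"""Check a pod spec against constraints of the kind the restricted SCC enforces.

Added example, not code from the docs and not the OpenShift admission
implementation. It checks a subset of the restricted SCC: no privileged
containers, no host network/PID/IPC, no hostPath or other non-allowlisted
volume types, no added capabilities, and no container that runs as UID 0.
The allowlist of volume types below is an assumption for this example.
"""
ALLOWED_VOLUME_TYPES = {"configMap", "secret", "emptyDir", "persistentVolumeClaim",
                        "projected", "downwardAPI", "ephemeral", "csi"}


def scc_violations(pod_spec):
    """Return a list of human-readable violations; an empty list means the spec passes."""
    violations = []
    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if pod_spec.get(ns):
            violations.append(f"{ns} is not allowed")
    for vol in pod_spec.get("volumes", []):
        # Every key other than "name" names the volume type (hostPath, secret, ...).
        for vol_type in (k for k in vol if k != "name"):
            if vol_type not in ALLOWED_VOLUME_TYPES:
                violations.append(f"volume {vol['name']}: type {vol_type} is not allowed")
    pod_sc = pod_spec.get("securityContext", {})
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            violations.append(f"container {c['name']}: privileged")
        if sc.get("capabilities", {}).get("add"):
            violations.append(f"container {c['name']}: adds capabilities {sc['capabilities']['add']}")
        # Container-level runAsUser overrides the pod-level one.
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            violations.append(f"container {c['name']}: runs as root (runAsUser 0)")
    return violations


# Constructed pod specs: one that passes, one that trips every check.
GOOD_POD = {
    "containers": [{"name": "app", "image": "registry.example/app:1.0",
                    "securityContext": {"allowPrivilegeEscalation": False,
                                        "capabilities": {"drop": ["ALL"]}}}],
    "volumes": [{"name": "data", "persistentVolumeClaim": {"claimName": "data"}}],
}
BAD_POD = {
    "hostNetwork": True,
    "containers": [{"name": "agent", "image": "registry.example/agent:1.0",
                    "securityContext": {"privileged": True, "runAsUser": 0,
                                        "capabilities": {"add": ["SYS_ADMIN"]}}}],
    "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
}

if __name__ == "__main__":
    print("good:", scc_violations(GOOD_POD))
    for v in scc_violations(BAD_POD):
        print("bad:", v)
```

Running the check in CI against rendered manifests catches specs that would be rejected at admission, or, worse, would be admitted because a service account was granted a permissive SCC that it should not have.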

Compliance and governance

IBM Cloud provides comprehensive compliance capabilities and certifications to meet regulatory requirements across industries.

IBM Cloud Compliance Certifications

Red Hat OpenShift on IBM Cloud runs on a platform that is certified against HIPAA, PCI, SOC2, and ISO standards, including the following industry certifications. Under the shared responsibility model, your workloads and configuration must still meet the requirements of these frameworks.

  • ISO 27001, 27017, 27018 (Information Security Management)
  • SOC 1, SOC 2, SOC 3 (Service Organization Controls)
  • PCI DSS (Payment Card Industry Data Security Standard)
  • HIPAA (Health Insurance Portability and Accountability Act)
  • FedRAMP (Federal Risk and Authorization Management Program)
  • GDPR (General Data Protection Regulation) compliance support

IBM Cloud Security and Compliance Center Workload Protection (SCC Workload Protection)

Feature Description
Posture management
  • Continuous security posture assessment.
  • Configuration compliance scanning.
  • Drift detection from security baselines.
  • Remediation guidance and automation
Compliance monitoring
  • Regulatory compliance validation.
  • Custom control framework definition.
  • Evidence collection for audits.
  • Compliance dashboards and reporting
Workload protection
  • Runtime threat detection.
  • Vulnerability scanning for VMs and containers.
  • File integrity monitoring.
  • Compliance scanning for CIS benchmarks and other frameworks

Activity Tracking and Logging

Feature Description
IBM Cloud Activity Tracker
  • Audit logging for all IBM Cloud API calls
  • User activity tracking and attribution
  • Resource lifecycle event logging
VPC Flow Logs
  • Network traffic capture and analysis
  • Troubleshooting connectivity issues
  • Security incident investigation
  • Compliance evidence collection
Red Hat OpenShift Audit Logs
  • Kubernetes API server audit logs
  • User and service account activity tracking
  • RBAC policy enforcement logging.
  • Integration with IBM Cloud Logging
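The API server audit log is where RBAC enforcement becomes visible: a refused request is recorded with a 403 response, and a successful grant of cluster-admin is recorded with the request body. The following is an added example, not code from the IBM Cloud documentation: it scans constructed events in the audit.k8s.io/v1 Event shape (JSON lines) and flags repeated RBAC denials, grants of the cluster-admin ClusterRole, and exec into pods. The IAM# username prefix is an assumption about how IAM-authenticated users appear in the log, and the threshold and rule names are this example's own.

```python
"""Flag RBAC-relevant activity in Kubernetes API server audit events.

Added example, not code from the docs. The sample events are constructed in
the audit.k8s.io/v1 Event shape (JSON lines). Usernames with the IAM# prefix
are an assumption about how IAM-authenticated users appear; the threshold
and rule names are this example's own.
"""
import json
from collections import Counter

DENIAL_THRESHOLD = 2                      # 403s from one user before it is reported


def _event(user, verb, resource, namespace=None, code=200, subresource=None, request_object=None):
    """Build one constructed audit event as a JSON line."""
    event = {
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "RequestResponse",
        "stage": "ResponseComplete", "verb": verb,
        "user": {"username": user, "groups": ["system:authenticated"]},
        "objectRef": {"resource": resource, "namespace": namespace},
        "responseStatus": {"code": code},
    }
    if subresource:
        event["objectRef"]["subresource"] = subresource
    if request_object:
        event["requestObject"] = request_object
    return json.dumps(event)


# Constructed log: one benign read, two denials for the same user, a cluster-admin grant, an exec.
SAMPLE_AUDIT_LOG = "\n".join([
    _event("IAM#alice@example.com", "list", "virtualmachines", "vm-prod"),
    _event("IAM#bob@example.com", "create", "secrets", "vm-prod", code=403),
    _event("system:serviceaccount:ci:deployer", "create", "clusterrolebindings", code=201,
           request_object={"roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
                           "subjects": [{"kind": "ServiceAccount", "name": "deployer", "namespace": "ci"}]}),
    _event("IAM#alice@example.com", "create", "pods", "vm-prod", code=101, subresource="exec"),
    _event("IAM#bob@example.com", "delete", "virtualmachines", "vm-prod", code=403),
])


def analyze(audit_log: str):
    """Return (rule, user) findings for the events in a JSON-lines audit log."""
    findings, denials = [], Counter()
    for line in audit_log.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        user = event.get("user", {}).get("username", "<unknown>")
        ref = event.get("objectRef") or {}
        code = (event.get("responseStatus") or {}).get("code", 0)
        if code == 403:
            denials[user] += 1            # RBAC refused the request
        if ref.get("resource") == "clusterrolebindings" and event.get("verb") in ("create", "update", "patch"):
            role = (event.get("requestObject") or {}).get("roleRef", {}).get("name")
            if role == "cluster-admin":
                findings.append(("cluster-admin-grant", user))
        if ref.get("resource") == "pods" and ref.get("subresource") == "exec":
            findings.append(("pod-exec", user))   # interactive access into a (VM launcher) pod
    for user, count in denials.items():
        if count >= DENIAL_THRESHOLD:
            findings.append(("repeated-rbac-denials", user))
    return findings


if __name__ == "__main__":
    for rule, user in analyze(SAMPLE_AUDIT_LOG):
        print(f"{rule}: {user}")
```

The requestObject field is only present when the audit policy records the request body (RequestResponse or Request level) for that resource, so the cluster-admin rule depends on the audit policy capturing bodies for ClusterRoleBinding writes; with Metadata-level logging only the verb and resource would be available.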

Next steps

Now that you understand the security design for Red Hat OpenShift Virtualization, explore these related topics: