2026 - Coggle Diagram
2026
OCP
UDN/CUDN/NAD/NNCP
Layer2, Layer3, Localnet
- L2 OVN (virtual switch inside K8s)
- Localnet (access to physical world)
Secret mgmt
(cert-manager, Secrets Store CSI driver, secret repos, etcd and base64, Sealed Secrets, SOPS, encryption at rest)
Security: SCC (see K8s Generic) enforces, PSA warns
RHEL
Trainings
- DO316: Managing Virtual Machines with Red Hat OpenShift Virtualization (exam EX316)
- DO430: Securing Kubernetes Clusters with Red Hat Advanced Cluster Security
- DO180: Operating a Production Kubernetes Cluster
- DO280: Configuring a Production Kubernetes Cluster
- RH124: Red Hat System Admin 1
- RH134: Red Hat System Admin 2
- Virtualization Learning Hub
- Ansible Automation Platform skill path
- 90min/4h/6h product demos and labs
- Interactive Labs
- Container/Kubernetes and ACS Foundations learning path
- Red Hat Learning Subscription
- OpenShift Starter Guide
K8s Generic
PSA (Pod Security Admission)
- K8s enforcement engine (K8s native)
- can enforce a PSS level
- warn and audit
- configured via namespace labels, e.g. pod-security.kubernetes.io/enforce=restricted
- replaces PSP (PodSecurityPolicy)
- Basic enforcer of PSS with limited capability
SCC (Security Context Constraints)
- (originally from Red Hat, OCP only, now contributed to upstream; OCP uses this)
- predates PSA, more powerful
- controls UID ranges, SELinux labels, capabilities, host access, volume types, privilege escalation, host networking
- SCC implements and extends the intent of Pod Security Standards (PSS). (Enhanced enforcer of PSS)
Pod Security Standards (PSS)
- define what, not how
- Policy intent
Isovalent
Tetragon
Use Cases
- Audit Trails
- Detect Container Escape
- Virtual patching for Zero Days & CVEs
- Visibility into Runtime (syscall, I/O, proc, network)
- Low overhead logging (SIEM)
- Security for ephemeral workloads (identity based)
- Compliance (NIST, SOC2, PCI-DSS)
- High-performance network health monitoring (TCP, UDP, DNS, HTTP, TLS)
- Reduce tool sprawl & SIEM Export
- Monitor access to sensitive files (SIEM)
- Correlate network and runtime events
- File integrity monitoring at scale
- Anomalous behaviour tracking
- Alternative to seccomp profiles
- Supply chain vulnerability
- Zero Trust for Linux