////
Purpose
-------
Information about security.

////

[id="security_{context}"]
= Security

ACS is deployed as the container security platform, providing vulnerability scanning, compliance checking, and runtime security for containerized workloads.

== Identity and Access Management
Access control is implemented through Helvetia's enterprise account system. The access management model follows the Principle of Least Privilege [POLP] with a maximum of two administrators per project. A dedicated RBAC tool is used to manage role-based access permissions across the platform.

== Secrets Management
Sealed Secrets are used to encrypt and manage secret resources on the OpenShift clusters. This implementation allows secret resources to be stored in version control while enforcing access controls and maintaining audit capabilities.

== PKI
Certificate management is handled through cert-manager with plans to implement an ACME provider. Currently, TLS certificates are issued through the internal Helvetia.io certificate authority. A migration project is underway to implement Helvetia.com certificates. Certificate lifecycle operations including issuance, renewal, and revocation are managed through automated processes.

== Base Images
The container image architecture uses Red Hat Universal Base Images [UBI] with additional components:
- Custom certificates
- Tracing agents
- Specialized variants including Java, Quarkus, and JBoss tooling

Base images are automatically rebuilt and pushed to Nexus on a monthly schedule to incorporate security updates and organizational requirements.

== Compliance
{cust} maintains a tailored profile of CIS benchmarks adapted to organizational requirements. Compliance monitoring and reporting of workloads is performed through Red Hat Advanced Cluster Security, which replaced the previously used OpenShift Compliance Operator, which focused more on Node compliance.

== Conclusion 

{cust}’s security setup is centered on ACS for scanning, compliance, and runtime security. Access is controlled with sensible RBAC, secrets are managed through Sealed Secrets, and PKI is automated with cert-manager. Dashboards provide operational visibility. Expanding ACS policies, automating responses, and exploring mTLS for service communication via Red Hat Service Interconnect could further strengthen the security posture.