////
Purpose
-------
Information about security.
////

[id="security_{context}"]
= Security

Red Hat Advanced Cluster Security (ACS) is deployed as the container security platform, providing vulnerability scanning, compliance checking, and runtime security for containerized workloads.

== Identity and Access Management

Access control is implemented through Helvetia's enterprise account system. The access management model follows the Principle of Least Privilege (POLP), with a maximum of two administrators per project. A dedicated RBAC tool is used to manage role-based access permissions across the platform.

== Secrets Management

Sealed Secrets are used to encrypt and manage secret resources on the OpenShift clusters. This allows secret resources to be stored in version control while enforcing access controls and maintaining audit capabilities.

== PKI

Certificate management is handled through cert-manager, with plans to implement an ACME provider. Currently, TLS certificates are issued through the internal Helvetia.io certificate authority. A migration project is underway to implement Helvetia.com certificates. Certificate lifecycle operations, including issuance, renewal, and revocation, are managed through automated processes.

== Base Images

The container image architecture uses Red Hat Universal Base Images (UBI) with additional components:

- Custom certificates
- Tracing agents
- Specialized variants including Java, Quarkus, and JBoss tooling

Base images are automatically rebuilt and pushed to Nexus on a monthly schedule to incorporate security updates and organizational requirements.

== Compliance

Helvetia maintains a customized set of CIS benchmarks adapted to organizational requirements. Compliance monitoring and reporting are performed through Red Hat Advanced Cluster Security, which replaced the previously used OpenShift Compliance Operator.
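The Secrets Management section above depends on only `SealedSecret` objects reaching version control, never the plaintext `Secret` they decrypt to. The following repository guard is an added example, not Helvetia's tooling and not code from the Sealed Secrets project: it rejects any `kind: Secret` manifest and sanity-checks `SealedSecret` manifests (non-empty `spec.encryptedData`, and a `spec.template.metadata` that still matches the object's own name and namespace, since the default strict scope binds the ciphertext to those). Manifests are represented as already-parsed dicts; in a real hook they would be loaded from the YAML files in the commit. The sample manifests are constructed and the `encryptedData` values are placeholders, not real ciphertext.

```python
"""Repository guard for manifests committed to version control: plaintext
Secret objects are rejected, SealedSecret objects are sanity-checked.

Added example, not Helvetia's tooling or Sealed Secrets project code. The
manifests below are constructed, already-parsed dicts (a real run would load
them from YAML); the encryptedData values are placeholders, not ciphertext.
"""
from typing import Any, Dict, List

SAMPLE_MANIFESTS: List[Dict[str, Any]] = [
    {   # plaintext Secret: must never be committed
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": "db-creds", "namespace": "payments"},
        "type": "Opaque",
        "data": {"password": "c3VwZXJzZWNyZXQ="},
    },
    {   # SealedSecret as produced by kubeseal: safe to commit
        "apiVersion": "bitnami.com/v1alpha1",
        "kind": "SealedSecret",
        "metadata": {"name": "db-creds", "namespace": "payments"},
        "spec": {
            "encryptedData": {"password": "AgBy...PLACEHOLDER-CIPHERTEXT"},
            "template": {
                "metadata": {"name": "db-creds", "namespace": "payments"},
                "type": "Opaque",
            },
        },
    },
    {   # SealedSecret whose template names a different object: under the
        # default strict scope the ciphertext is bound to the name/namespace it
        # was sealed for, so a mismatch means it was renamed or copied after sealing
        "apiVersion": "bitnami.com/v1alpha1",
        "kind": "SealedSecret",
        "metadata": {"name": "api-key", "namespace": "payments"},
        "spec": {
            "encryptedData": {"key": "AgCx...PLACEHOLDER-CIPHERTEXT"},
            "template": {"metadata": {"name": "api-key-old", "namespace": "payments"}},
        },
    },
    {   # ordinary workload object: not a secret, ignored by the guard
        "apiVersion": "apps/v1",
        "kind": "Deployment",
        "metadata": {"name": "web", "namespace": "payments"},
        "spec": {"replicas": 2},
    },
]


def _ref(manifest: Dict[str, Any]) -> str:
    """Human-readable kind/namespace/name reference used in findings."""
    meta = manifest.get("metadata") or {}
    return f"{manifest.get('kind')}/{meta.get('namespace', '<none>')}/{meta.get('name')}"


def check_manifest(manifest: Dict[str, Any]) -> List[str]:
    """Return findings for one manifest; an empty list means it may be committed."""
    findings: List[str] = []
    kind = manifest.get("kind")

    if kind == "Secret":
        # Whether values sit in data (base64) or stringData, they are plaintext to git.
        findings.append(f"{_ref(manifest)}: plaintext Secret in version control; seal it with kubeseal")
        return findings

    if kind != "SealedSecret":
        return findings

    spec = manifest.get("spec") or {}
    encrypted = spec.get("encryptedData") or {}
    if not encrypted or any(not isinstance(v, str) or not v for v in encrypted.values()):
        findings.append(f"{_ref(manifest)}: spec.encryptedData is empty or malformed")

    meta = manifest.get("metadata") or {}
    tmpl_meta = (spec.get("template") or {}).get("metadata") or {}
    for field in ("name", "namespace"):
        if field in tmpl_meta and tmpl_meta[field] != meta.get(field):
            findings.append(
                f"{_ref(manifest)}: template.metadata.{field} {tmpl_meta[field]!r} "
                f"does not match the object's {field}; re-seal after renaming"
            )
    return findings


def scan(manifests: List[Dict[str, Any]]) -> List[str]:
    """Check every manifest and collect all findings, in input order."""
    return [finding for m in manifests for finding in check_manifest(m)]


if __name__ == "__main__":
    results = scan(SAMPLE_MANIFESTS)
    for line in results:
        print(line)
    raise SystemExit(1 if results else 0)
```

Wired into a pre-commit hook or a CI job, `scan` runs over every document in the changed YAML files and fails the commit on any finding, so a developer who forgets to run `kubeseal` is stopped before the plaintext reaches the repository history.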
== Operational Insights

A central lifecycle management tool aggregates security and operational data across the platform through integration with:

- Red Hat Advanced Cluster Security
- LeanIX
- MongoDB

This integration enables:

- Resource usage tracking and optimization
- Security posture monitoring
- Compliance status tracking

Purpose-built dashboards track:

- Resource allocation patterns
- Containers configured with low requests but high limits
- Security policy compliance

== Conclusion

The current security architecture demonstrates several strengths and challenges:

**Strengths:**

- Centralized secrets management using Sealed Secrets provides secure secret handling on OpenShift
- Integration between operational and security tooling enables unified visibility
- Resource usage tracking helps identify optimization opportunities

**Challenges:**

- Service-to-service communication security requires a solution that balances security needs with operational overhead
- Red Hat Service Interconnect could provide mTLS between services without the complexity of a full service mesh implementation
** Provides security for cross-namespace communication
** Reduces operational overhead compared to service mesh
** Enables gradual adoption based on service criticality
** Maintains compatibility with existing networking policies
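The Operational Insights section above lists a dashboard for containers configured with low requests but high limits. The check behind such a dashboard is small enough to show in full; the following is an added example, not Helvetia's dashboard logic. It parses Kubernetes resource quantities (`500m`, `128Mi`, `4Gi`, `2`), computes the limit-to-request ratio per container and resource, and flags ratios above a threshold as well as containers with no limit at all. The pod specs are constructed and shaped like parsed `oc get pods -o json` output; because they are admitted Pod objects, any LimitRange defaults have already been applied to them. A container with a limit but no request is not flagged, since Kubernetes copies the limit into the request in that case. The threshold of 4 is an assumption, not a value from the page.

```python
"""Flag containers whose limits far exceed their requests (the "low requests
but high limits" pattern), or that have no limit at all.

Added example, not Helvetia's dashboard logic. SAMPLE_PODS is constructed and
shaped like parsed `oc get pods -o json` output. MAX_RATIO is an assumed threshold.
"""
from typing import Any, Dict, List, Optional

MAX_RATIO = 4.0  # assumed: flag when limit > 4x request

# Binary (Ki, Mi, ...) and decimal (k, M, ...) suffixes accepted by Kubernetes
# quantities, plus "m" for milli-CPU. Longer suffixes are tried first so that
# "Mi" is never mistaken for "M".
_SUFFIXES = {
    "Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40,
    "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12,
    "m": 1e-3,
}


def parse_quantity(q: Any) -> float:
    """Convert a Kubernetes quantity ("500m", "128Mi", "2", 1) to a plain float."""
    s = str(q).strip()
    for suffix in sorted(_SUFFIXES, key=len, reverse=True):
        if s.endswith(suffix):
            return float(s[: -len(suffix)]) * _SUFFIXES[suffix]
    return float(s)


SAMPLE_PODS: List[Dict[str, Any]] = [
    {"metadata": {"name": "web", "namespace": "shop"},
     "spec": {"containers": [
         {"name": "app", "resources": {"requests": {"cpu": "100m", "memory": "128Mi"},
                                       "limits": {"cpu": "2", "memory": "512Mi"}}}]}},
    {"metadata": {"name": "worker", "namespace": "shop"},
     "spec": {"containers": [
         {"name": "app", "resources": {"requests": {"cpu": "500m", "memory": "256Mi"},
                                       "limits": {"cpu": "1", "memory": "4Gi"}}},
         # limits only: the request defaults to the limit, ratio 1, nothing to flag
         {"name": "sidecar", "resources": {"limits": {"cpu": "200m", "memory": "64Mi"}}}]}},
    {"metadata": {"name": "batch", "namespace": "data"},
     "spec": {"containers": [
         {"name": "job", "resources": {"requests": {"cpu": "1", "memory": "1Gi"},
                                       "limits": {"memory": "1Gi"}}}]}},
]


def overcommit_findings(pods: List[Dict[str, Any]], max_ratio: float = MAX_RATIO) -> List[Dict[str, Any]]:
    """Return one finding per (container, resource) that is unbounded or over-bursty."""
    findings: List[Dict[str, Any]] = []
    for pod in pods:
        ns, name = pod["metadata"]["namespace"], pod["metadata"]["name"]
        for c in pod["spec"].get("containers", []):
            res = c.get("resources") or {}
            requests, limits = res.get("requests") or {}, res.get("limits") or {}
            for resource in ("cpu", "memory"):
                base = {"namespace": ns, "pod": name, "container": c["name"], "resource": resource}
                if resource not in limits:
                    # No ceiling: the container may consume whatever the node has left.
                    ratio: Optional[float] = None
                    findings.append({**base, "ratio": ratio, "reason": f"no {resource} limit"})
                    continue
                if resource not in requests:
                    # Kubernetes copies the limit into the request when only a limit is set.
                    continue
                ratio = parse_quantity(limits[resource]) / parse_quantity(requests[resource])
                if ratio > max_ratio:
                    findings.append({**base, "ratio": ratio,
                                     "reason": f"limit is {ratio:.1f}x the request"})
    return findings


if __name__ == "__main__":
    for f in overcommit_findings(SAMPLE_PODS):
        print(f"{f['namespace']}/{f['pod']}/{f['container']} {f['resource']}: {f['reason']}")
```

The ratio is what makes scheduling decisions honest: the scheduler places pods by their requests, so a container requesting 100m CPU but allowed to burst to 2 cores can starve neighbours on a node that looked nearly empty. Feeding `overcommit_findings` the live pod list (via the API rather than the constructed sample) gives the raw rows for the dashboard described above.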