Security / Compliance Learning Path

Purpose: For security and compliance reviewers, provides a guided reading order covering controls, policies, audit evidence, and secrets management.

Reading Order

#	Phase	Topic	Link	Time
1	Overview	Platform architecture	Architecture	10 min
2	Overview	Security architecture (5-layer model)	Security Arch	10 min
3	Defense	Defense in depth	Defense	15 min
4	Defense	Pod Security Admission (baseline enforce, restricted audit)	PSA	10 min
5	Defense	Network policies (FluxCD, OLM isolation)	Network Policies	10 min
6	Policy	Kyverno policy catalog (17 ClusterPolicies)	Kyverno	15 min
7	Policy	Edition-specific policy packs	Editions	5 min
8	Secrets	SOPS Age encryption model	Secrets	10 min
9	Secrets	SOPS configuration & usage	SOPS	15 min
10	Secrets	Key rotation (90-day Age, 180-day SSH)	Rotation	10 min
11	Identity	Keycloak OIDC integration	Keycloak	15 min
12	Identity	RBAC Manager (RBACDefinition CRs)	RBAC	10 min
13	Audit	Audit evidence collection	Audit	15 min
14	Compliance	Compliance mappings (NIST, PCI-DSS, SOC2)	Mappings	10 min
15	Air-gap	Air-gap compliance (Zarf + SBOM + Cosign)	Airgap	15 min
16	Supply Chain	Container image security & SBOM	Image Security	15 min
17	Supply Chain	Harbor registry scanning	Harbor	10 min
18	Advisories	Security advisories process	Advisories	10 min

Security Controls Summary

Layer 1: Cluster Security (CLI + Kubespray)

Pod Security Admission: baseline enforcement, restricted audit/warn
Admission controllers: PodSecurity, EventRateLimit, AlwaysPullImages
Audit logging and encryption at rest
Configured via k8s_hardening.yml generated by opencenter cluster generate

Layer 2: Platform Security (gitops-base + FluxCD)

17 Kyverno ClusterPolicies (disallow-privileged-containers, require-run-as-nonroot, restrict-seccomp, etc.)
NetworkPolicies for platform services (FluxCD, OLM)
Hardened Helm values for all services

Layer 3: Secrets Management (CLI + SOPS)

SOPS Age encryption for all secrets in Git
90-day Age key rotation, 180-day SSH key rotation
Dual-key strategy for zero-downtime rotation
CLI commands: opencenter secrets keys check, rotate, validate, sync

Layer 4: Access Control (Keycloak + RBAC Manager)

Keycloak OIDC for authentication
RBAC Manager converts RBACDefinition CRs to RoleBindings
Default policies: cluster-admins, viewers
Headlamp and Grafana integrate via OIDC

Layer 5: Supply Chain (Harbor + openCenter-AirGap)

Harbor for registry scanning and vulnerability detection
openCenter-AirGap produces SBOM and Cosign signatures
hack/scripts/verify-package.sh enforces no :latest tags, no HIGH/CRITICAL CVEs

CLI Security Commands

opencenter secrets keys check                   # Monitor key expiration
opencenter secrets keys rotate --type sops      # Rotate Age keys
opencenter secrets validate my-cluster          # Detect secret drift
opencenter secrets sync my-cluster              # Re-encrypt after rotation
opencenter cluster validate my-cluster          # Catch misconfigurations

Reading Order​

Security Controls Summary​

Layer 1: Cluster Security (CLI + Kubespray)​

Layer 2: Platform Security (gitops-base + FluxCD)​

Layer 3: Secrets Management (CLI + SOPS)​

Layer 4: Access Control (Keycloak + RBAC Manager)​

Layer 5: Supply Chain (Harbor + openCenter-AirGap)​

CLI Security Commands​

Reading Order

Security Controls Summary

Layer 1: Cluster Security (CLI + Kubespray)

Layer 2: Platform Security (gitops-base + FluxCD)

Layer 3: Secrets Management (CLI + SOPS)

Layer 4: Access Control (Keycloak + RBAC Manager)

Layer 5: Supply Chain (Harbor + openCenter-AirGap)

CLI Security Commands