Skip to main content

Security Architecture

Purpose: For platform engineers and security officers, explains the defense-in-depth security model across five layers.

Defense-in-Depth Model

openCenter implements security at five distinct layers:

Layer 1: Cluster Security

Configured via Kubespray during cluster deployment:

Pod Security Admission: Baseline enforcement, restricted audit/warn
Admission Controllers: PodSecurity, EventRateLimit, AlwaysPullImages
Audit Logging: API server audit logs for compliance
Encryption at Rest: etcd encryption for secrets

Layer 2: Platform Security

Deployed via FluxCD from gitops-base:

Kyverno Policies: 17 ClusterPolicies enforcing baseline security
NetworkPolicies: Platform service isolation (FluxCD, OLM)
Service Hardening: Security contexts, resource limits

Layer 3: Secrets Management

Managed by openCenter-cli:

SOPS Encryption: Age keys for Git-stored secrets
Key Rotation: 90-day Age keys, 180-day SSH keys
Dual Encryption: SOPS in Git + Kubernetes encryption at rest

Layer 4: Access Control

Deployed via platform services:

Keycloak: OIDC identity provider
RBAC Manager: Declarative RoleBindings from groups
Default Policies: cluster-admins, viewers

Layer 5: Network Security

Application-level isolation:

NetworkPolicies: Default deny, explicit allow
Istio mTLS: Optional service mesh for zero-trust (multi-tenant scenarios)

Defense-in-Depth Model
Layer 1: Cluster Security
Layer 2: Platform Security
Layer 3: Secrets Management
Layer 4: Access Control
Layer 5: Network Security