The OpenShift Security Guide Book

Updated -

As the state of IT has advanced, the number of vulnerabilities and regulatory concerns has exponentially increased. Fortunately, the tools, methodologies, and core technologies available to enhance our security posture have also increased. In this e-book, we discuss how security is addressed throughout the Red Hat® OpenShift® technology stack and how compliance and regulatory concerns can be mitigated.

This resource has moved. Please update your bookmarks:

https://www.redhat.com/en/resources/openshift-security-guide-ebook

3 Comments

Page 263 reads, "Additional protection for secrets at-rest can be provided by encrypting the etcd datastore. Once enabled, encryption cannot be disabled."

However, the linked documentation - https://docs.openshift.com/container-platform/4.3/authentication/encrypting-etcd.html - contains the process for subsequent decryption.

At the time this document was created, admin-protected decryption was not available. We will update the guide with this updated feature.

How would you answer auditor questions related to monitoring baseline configuration compliance and vulnerability scanning?

I wanted to refer them back to this document; however, RHCOS actually opens up the possibility of making changes manually or cluster-wide using machine configs, which raises the question that this could be a not-locked-down OS, and changes could be out of compliance or cause vulnerabilities due to misconfigurations.