Security / Platform Controls

Protect the control plane before you trust the workload.

Platform controls are the Kubernetes-level mechanisms that keep operator identities narrow, reject unsafe objects before they persist, and limit traffic between tenants, control-plane components, and external dependencies.

Open RBAC architectureReview admission policies

Use this section when you need to

• review who can do what in the control plane
• understand which unsafe changes are rejected before persistence
• verify tenant and egress network boundaries
• check which cluster prerequisites are required for the security model to hold

Platform control routes

1. 01

   RBAC architecture

   Understand the split-controller model, narrow identities, and mutation-locked access boundaries.

   Open
2. 02

   Admission policies

   See how CEL-based guardrails reject unsafe configurations and pause sensitive reconciliation when enforcement disappears.

   Open
3. 03

   Network security

   Review default-deny traffic boundaries and the explicit egress model used for backups, upgrades, and integrations.

   Open

Cluster prerequisites

• Kubernetes v1.33+ is required by OpenBao Operator. ValidatingAdmissionPolicy is GA on all supported versions.
• A CNI that actually enforces NetworkPolicy is required for the network isolation model to be real.

Next actions

Open workload protectionsMove from platform enforcement into pod hardening, TLS, and supply-chain controls.Open tenant isolationSee how these platform controls support the multi-tenant security model.