Version: next

Workload security controls

Pod and container hardening, workload identity and TLS, and image verification.

Workload protection routes

  1. Pod and runtime security

     Pod security context, filesystem, token, and container-hardening defaults.

  2. TLS and identity

     Server TLS, peer trust, certificate management, and workload-facing identity paths.

  3. Supply-chain verification

     Digest pinning, signature verification, and image-trust guardrails.

Default runtime hardening

OpenBao Pods are expected to run non-root with a read-only root filesystem, dropped Linux capabilities, and a RuntimeDefault seccomp profile. The detailed page covers exceptions and platform dependencies.

Next release documentation

You are reading the unreleased main docs. Use the version menu for the newest published release, or check the release notes for what is already out.