Version: 0.1.0-rc.5

Workload Protections

Treat pod hardening, TLS, and image trust as one runtime surface.

Workload protections cover the controls that apply once the cluster is allowed to run: pod and container hardening, workload identity and TLS, and the supply-chain rules that decide which images the operator will trust.

Workload protection routes

  1. Pod and runtime security: review pod security context, filesystem, token, and container-hardening defaults.
  2. TLS and identity: understand server TLS, peer trust, certificate management, and workload-facing identity paths.
  3. Supply-chain verification: review digest pinning, signature verification, and the production guardrails around image trust.

Default runtime hardening

OpenBao Pods are expected to run non-root with a read-only root filesystem, dropped Linux capabilities, and a RuntimeDefault seccomp profile. The detailed page should explain exceptions and platform dependencies, not re-argue the baseline.
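As an added example (not OpenBao project code), the following audit checks a Pod manifest against the four baseline controls named above: non-root, read-only root filesystem, all Linux capabilities dropped, and a RuntimeDefault seccomp profile. The two Pod manifests are constructed for illustration; the image reference is a placeholder.

```python
import copy

def audit_pod(pod: dict) -> list[str]:
    """Return findings for each container that misses the baseline.

    An empty list means every container (including init containers)
    meets all four controls. Pod-level securityContext fields apply
    unless the container overrides them, as in the Kubernetes API.
    """
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{name}: runAsNonRoot is not true")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem is not true")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities.drop does not include ALL")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {}))
        if seccomp.get("type") != "RuntimeDefault":
            findings.append(f"{name}: seccompProfile.type is not RuntimeDefault")
    return findings

# Constructed sample that meets the baseline.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "openbao-0"},
    "spec": {
        "securityContext": {"runAsNonRoot": True,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "openbao",
            "image": "registry.example/openbao:PLACEHOLDER",
            "securityContext": {"readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}},
        }],
    },
}

# Constructed drifted sample: writable root filesystem and an
# Unconfined seccomp override on the container.
DRIFTED_POD = copy.deepcopy(HARDENED_POD)
_sc = DRIFTED_POD["spec"]["containers"][0]["securityContext"]
_sc["readOnlyRootFilesystem"] = False
_sc["seccompProfile"] = {"type": "Unconfined"}

if __name__ == "__main__":
    for label, pod in (("hardened", HARDENED_POD), ("drifted", DRIFTED_POD)):
        print(label, audit_pod(pod) or "meets baseline")
```

Run it against `kubectl get pod <name> -o json` output by loading the JSON into `audit_pod`; a non-empty result is the list of controls to restore or to document as a platform exception.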

Prerelease documentation

This version tracks a prerelease build. Features and behavior may change before the next stable release.