Version: 0.2.x

Workload security controls

Pod and container hardening, workload identity and TLS, and image verification.

Workload protection routes

  1. Pod and runtime security: Pod security context, filesystem, token, and container-hardening defaults.
  2. TLS and identity: Server TLS, peer trust, certificate management, and workload-facing identity paths.
  3. Supply-chain verification: Digest pinning, signature verification, and image-trust guardrails.

Default runtime hardening

OpenBao Pods are expected to run as non-root with a read-only root filesystem, dropped Linux capabilities, and a RuntimeDefault seccomp profile. The detailed page covers exceptions and platform dependencies.
