Infrastructure Security

Platform Controls

Infrastructure security focuses on the Kubernetes platform layer: protecting the Operator's control plane, isolating tenant namespaces, and enforcing policy compliance before workloads even start.

Overview

The OpenBao Operator leverages native Kubernetes security primitives to create a Zero Trust environment:

  1. RBAC: A precise, split-controller model that grants permissions only where needed (Provisioning vs. Management).
  2. Admission Policies: Guardrails that prevent insecure configurations (like disabling TLS) from being applied.
  3. Network Security: Isolation layers that restrict traffic flow between tenants and the internet.
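The second and third items above, shown as concrete Kubernetes manifests. This is an added illustration, not the Operator's own manifests or documentation: the API group `openbao.example.org`, the `openbaoclusters` resource name, the `spec.tls.enabled` field and the `tenant-a` namespace are assumed placeholders and must be checked against the Operator's actual CRD before use. The policy rejects a cluster object that explicitly disables TLS, and the NetworkPolicy pair applies default-deny to a tenant namespace while still allowing the DNS egress that a blanket deny would otherwise break.

```yaml
# Added example (not from the Operator project). Requires Kubernetes v1.30+
# for the v1 ValidatingAdmissionPolicy API.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: openbao-require-tls
spec:
  failurePolicy: Fail            # if the policy cannot be evaluated, reject rather than admit
  matchConstraints:
    resourceRules:
      - apiGroups: ["openbao.example.org"]   # ASSUMED API group, adjust to the real CRD
        apiVersions: ["*"]
        operations: ["CREATE", "UPDATE"]
        resources: ["openbaoclusters"]       # ASSUMED resource name
  validations:
    # CEL: admit unless spec.tls.enabled is present and explicitly false.
    # has() guards keep the expression from erroring when the field is absent.
    - expression: "!(has(object.spec.tls) && has(object.spec.tls.enabled) && object.spec.tls.enabled == false)"
      message: "TLS must not be disabled on OpenBaoCluster resources"
      reason: Invalid
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: openbao-require-tls
spec:
  policyName: openbao-require-tls
  validationActions: ["Deny"]    # use ["Audit"] first to dry-run against existing objects
---
# Default-deny for every pod in the tenant namespace (ingress and egress).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: tenant-a            # constructed tenant namespace name
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# Default-deny also blocks DNS; re-allow egress to the cluster resolver only.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: tenant-a
spec:
  podSelector: {}
  policyTypes: ["Egress"]
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Apply the binding with `validationActions: ["Audit"]` first and review the audit annotations on the API server before switching to `Deny`, so existing objects that would be rejected are found before enforcement starts. Note that NetworkPolicy objects are accepted by the API server regardless of CNI; they only take effect on a CNI that implements them.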

Topics

  • RBAC Architecture

    Deep dive into the Provisioner and Controller role separation and the "Blind Write" pattern.

    Explore RBAC

  • Admission Policies

    Using ValidatingAdmissionPolicy (CEL) to enforce security standards without webhooks.

    View Policies

  • Network Security

    Default-deny NetworkPolicies and controlling Egress traffic for backups and upgrades.

    Network Controls

Prerequisites

Cluster Requirements

  • Kubernetes v1.30+: Required for ValidatingAdmissionPolicy (GA in 1.30).
  • CNI Plugin: A CNI that enforces NetworkPolicy (e.g., Cilium, Calico, Antrea) is required for the isolation features to work. Without such a CNI the NetworkPolicy objects are still accepted by the API server but have no effect, so isolation silently does not happen.

See Also