
Commit 2f43b5d

committed
encryption OSD
1 parent a2490f9 commit 2f43b5d

File tree

1 file changed

+11
-0
lines changed


modules/policy-security-regulation-compliance.adoc

Lines changed: 11 additions & 0 deletions
@@ -28,6 +28,17 @@ Red Hat performs periodic vulnerability scanning of {product-title} using indust
2828
=== Firewall and DDoS protection
2929
Each {product-title} cluster is protected by a secure network configuration at the cloud infrastructure level using firewall rules (AWS Security Groups or Google Cloud Compute Engine firewall rules). {product-title} customers on AWS are also protected against DDoS attacks with link:https://docs.aws.amazon.com/waf/latest/developerguide/ddos-overview.html[AWS Shield Standard].
3030
Similarly, all GCP load balancers and public IP addresses used by {product-title} on GCP are protected against DDoS attacks with link:https://cloud.google.com/armor/docs/managed-protection-overview[Google Cloud Armor Standard].
31+
32+
[id="Component-traffic-flow-encryption_{context}"]
33+
=== Component and traffic flow encryption
34+
OpenShift Dedicated (OSD) components are configured to use Transport Layer Security (TLS) for secure communication, prioritizing TLS 1.3 for its performance and security enhancements. For components not yet supporting TLS 1.3, robust TLS 1.2 cipher suites are configured. This comprehensive TLS configuration ensures the encryption of various traffic flows within and to the OpenShift Dedicated environment. For more information, refer TLS configuration on OpenShift and Appendix 4 of the Red Hat Enterprise Agreement Appendix 4 (Online Subscription Services).
35+
36+
** Specific components like the API server (port 6443), kube-controller (port 10257), and kube-scheduler (port 10259) in OpenShift 4.7 and later versions utilize TLS 1.3 and a reduced set of secure cipher suites.
37+
** The Web Console and Etcd also employ secure default cipher suites in recent versions, with specific version changes deprecating older vulnerable options.
38+
** Kubelet (ports 10248, 10250) is enabled for TLS 1.3 and can have TLS 1.2 cipher suites explicitly declared, ensuring secure communication for node-level operations.
39+
** The Router, particularly in OpenShift 4.6 and later, supports TLS 1.3, otherwise it uses a hardened set of TLS 1.2 cipher suites to secure ingress traffic.
40+
** Other internal services such as the Machine Config Server (ports 22623-4), Node Exporter (ports 9100-9101), and Kube RBAC Proxy (port 9192) also have secure TLS configurations enabled by default in the latest OpenShift 4 versions.
41+
3142
[id="private-clusters_{context}"]
3243
=== Private clusters and network connectivity
3344
Customers can optionally configure their {product-title} cluster endpoints (web console, API, and application router) to be made private so that the cluster control plane or applications are not accessible from the Internet.
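Review bot: the cross-reference sentence closing the new paragraph (line 34+) is broken: "refer TLS configuration on OpenShift" is missing "to" and has no link target, and "Appendix 4 of the Red Hat Enterprise Agreement Appendix 4 (Online Subscription Services)" repeats "Appendix 4". The neighbouring sections use the `link:URL[text]` macro for external references, so this should read along the lines of `refer to link:<URL>[TLS configuration on OpenShift] and Appendix 4 (Online Subscription Services) of the Red Hat Enterprise Agreement`, with the actual URL filled in. Three smaller points: the list items on lines 36+ to 40+ use `**` (second-level bullets) without a first-level `*` parent, which AsciiDoc renders as a nested list under nothing, so they should be `*`; the paragraph hard-codes "OpenShift Dedicated (OSD)" where the rest of this module uses the `{product-title}` attribute; and "Etcd" is conventionally written "etcd". Please also check that the doubled blank lines (32+/33+, 35+/36+) and the trailing blank line 41+ are intended, since they do not match the single-blank-line spacing of the rest of the file.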
