Online

Session 3 – Advanced OpenShift Network Security

Introduction & Context

The Shift to Zero-Trust: Discuss how the shift to cloud-native architectures requires moving away from traditional perimeter security to a multi-layered, zero-trust framework within OpenShift

Networking Evolution: Briefly cover the architectural evolution to OVN-Kubernetes as the default Container Network Interface (CNI) provider, replacing the legacy OpenShift SDN, to achieve higher scalability and advanced policy sophistication

The Defense-in-Depth Model: Introduce the core pillars we will cover today: pod-level admission control, granular access management, and distributed software-defined networking rules

Core Architecture & Theory (SCCs, Network Policies)

Pod Security Admission (PSA) and Security Context Constraints (SCCs)

Explain the dual-controller model: Both run as admission controllers inside the kube-apiserver, where PSA enforces the Kubernetes-standard Pod Security profiles cluster-wide, while SCCs provide granular, field-level mutation and validation of the pod spec

Outline the three PSA profiles: Privileged (unrestricted), Baseline (minimally restrictive), and Restricted (highly restrictive, best practice)

Discuss SCC behavior: How SCCs like restricted-v2 drop ALL Linux capabilities (allowing only NET_BIND_SERVICE to be added back) and enforce strict SELinux contexts, fsGroups, and non-root execution
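The following manifest is an added illustration for this section, not material from the session or from BVS One: it pairs a namespace that enforces the Restricted PSA profile with a pod whose securityContext satisfies that profile and the restricted-v2 SCC at the same time. The namespace name, pod name and image reference are assumed placeholders.

```yaml
# Added example (not from the session): Restricted PSA namespace plus a pod
# that is admissible under the restricted-v2 SCC. Names and image are assumed.
apiVersion: v1
kind: Namespace
metadata:
  name: demo-secure
  labels:
    pod-security.kubernetes.io/enforce: restricted   # reject non-compliant pods
    pod-security.kubernetes.io/warn: restricted      # warn on kubectl/oc apply
    pod-security.kubernetes.io/audit: restricted     # record violations in audit log
---
apiVersion: v1
kind: Pod
metadata:
  name: web
  namespace: demo-secure
spec:
  securityContext:
    runAsNonRoot: true          # restricted-v2 forbids UID 0; the UID itself
                                # is assigned from the namespace's range,
                                # so no runAsUser is set here
    seccompProfile:
      type: RuntimeDefault      # required by the Restricted PSA profile
  containers:
  - name: web
    image: registry.example.com/web:1.0   # placeholder image reference
    ports:
    - containerPort: 8080       # unprivileged port, so NET_BIND_SERVICE is
                                # not strictly needed; shown for illustration
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]               # restricted-v2 drops every capability...
        add: ["NET_BIND_SERVICE"]   # ...and permits only this one to be added
```

After the pod is admitted, the SCC that validated it is recorded in the `openshift.io/scc` annotation on the pod (`oc get pod web -n demo-secure -o yaml`); seeing `restricted-v2` there confirms that no broader SCC was granted through a service account or group binding.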

Tiered Network Policies (OVN-Kubernetes)

Explain the three-tier Access Control List (ACL) evaluation model used by OVN-Kubernetes

Switches/Routers to OVN/OVS: Traditional physical switching is replaced by the Open Virtual Network (OVN) and Open vSwitch (OVS), which provide distributed logical routers and switches across the cluster

Firewalls/ACLs to Network Policies: Perimeter firewalls are supplemented by micro-segmentation using Kubernetes Network Policies and OpenShift Egress Firewalls, which use labels to control traffic instead of static IPs

Load Balancers to Ingress/Routes: Hardware load balancers map to the OpenShift Ingress Operator (HAProxy), which routes external HTTP/HTTPS traffic to internal services using hostnames


and DEMO


📅 May 14th 2026
10 AM – 11.30 AM CST
⏰ 4 PM – 5.30 PM BST

📍 Virtual Room

Speaker


Martin Bratina

Engineer at BVS One
