Red Hat OpenShift Virtualization Hardening Guide

Summary

The Red Hat OpenShift Virtualization Hardening Guide, Rev 1.0, serves as a crucial blueprint for enhancing the security posture of OpenShift Virtualization environments. This comprehensive document provides actionable, prescriptive instructions to establish a more secure, standard configuration baseline. It systematically breaks down hardening recommendations across five critical domains: Platform Configuration, Virtual Machine Configuration, Storage Components, Networking Components, and Host Firmware and Kernel. The core objective is to extend the robust security capabilities of the underlying OpenShift Container Platform and Red Hat CoreOS to the virtualized workloads themselves. By implementing these guidelines, organizations can significantly reduce risks associated with unauthorized data sharing, privilege escalation, and potential disruptions to virtual machine operations, thereby fostering a more resilient and reliable hybrid cloud infrastructure.

Scope

This document focuses on OpenShift Virtualization as an OpenShift extension installed on top of the platform. It addresses security configurations and best practices for the virtualization layer, including the interaction and management of virtual machines within the OpenShift ecosystem. The guide is designed to complement the existing hardening guidelines for the OpenShift Container Platform (OCP) and Red Hat CoreOS (RHCOS). It covers specific topics such as device pass-through, feature gate management, storage policy enforcement, network traffic segmentation, and the security of the underlying host's firmware and kernel as they pertain to KVM-based virtualization.

Assumptions

This hardening guide operates under several key assumptions to ensure its applicability and effectiveness:

  • Prior OpenShift Platform Hardening: It assumes that cluster administrators have already implemented proper hardening measures for the core OpenShift platform itself, acknowledging that OpenShift Virtualization builds upon this secure foundation.
  • Existing Compliance Frameworks: The document recognizes that guidance for hardening OpenShift Container Platform (OCP) and Red Hat CoreOS (RHCOS) is typically provided by the Compliance Operator, implying that administrators are familiar with or have implemented these foundational security controls.
  • Guest Operating System Responsibility: It explicitly states that guest operating systems deployed within OpenShift Virtualization require their own separate validation and adherence to their respective hardening procedures, outside the direct scope of this document.
  • CIS Benchmark Alignment (Future State): While the document follows the formatting conventions of the Center for Internet Security (CIS), it clarifies that it is not affiliated with CIS. However, it notes that Red Hat is actively working towards formalizing these recommendations as an OpenShift Virtualization CIS benchmark, indicating a move towards industry-recognized security standards.
  • Administrator Skill Level: It assumes a degree of technical proficiency from cluster administrators, including familiarity with OpenShift command-line tools (oc), JSONPath queries, and basic patching operations.

Target Audience

The primary target audience for the Red Hat OpenShift Virtualization Hardening Guide is Cluster Administrators. These individuals are directly responsible for the deployment, configuration, ongoing management, and security of OpenShift clusters that include OpenShift Virtualization.

Beyond direct administrators, the document is highly relevant for:

  • Security Architects and Engineers: Those designing and reviewing the security posture of OpenShift environments, particularly in hybrid cloud and virtualized contexts.
  • Compliance Officers: Individuals tasked with ensuring that IT infrastructure adheres to organizational or regulatory security standards, especially given Red Hat's intent to formalize these recommendations as a CIS benchmark.
  • DevOps and Site Reliability Engineers (SREs): Professionals who manage the operational aspects and reliability of applications running on OpenShift Virtualization, as hardening practices directly impact stability and performance.
  • Anyone responsible for the secure operation of virtual machines within an OpenShift environment.
