🧠 Deploying a Secure OpenShift Cluster with TLS and SCCs

Openshift RSH Network November 29, 2025 3 mins read

Learn how to configure TLS encryption and Security Context Constraints (SCCs) to harden and secure your OpenShift clusters.

1. Introduction to the OpenShift Security Model

OpenShift’s security architecture is built on Red Hat’s Kubernetes foundation, but with stronger guardrails:

  • SCCs (Security Context Constraints) define what pods can and cannot do.

  • RBAC controls who can perform cluster operations.

  • TLS Everywhere ensures encrypted communication between API server, nodes, pods, and external clients.

  • OAuth & Identity Providers ensure secure authentication.

In a real-world enterprise environment, failing to configure TLS or SCCs properly can expose your cluster to privilege escalation, MITM attacks, or container breakout risks.


2. Step-by-Step TLS Setup in OpenShift

Step 1: Generate TLS Certificates

Use a certificate issued by your organization's CA; for a test environment, a self-signed certificate generated with openssl is enough:

# -addext adds a subjectAltName; Go-based clients such as oc ignore the CN
# and reject a certificate that carries no matching SAN
openssl req -new -x509 -days 365 -nodes \
  -keyout api.key -out api.crt \
  -subj "/CN=api.openshift.example.com" \
  -addext "subjectAltName=DNS:api.openshift.example.com"

Step 2: Apply Certificates to the API Server

Edit the cluster API configuration:

oc edit apiserver cluster

Update the following:

spec:
  servingCerts:
    namedCertificates:
    - names:
      - "api.openshift.example.com"
      servingCertificate:
        name: custom-api-cert

Apply the TLS cert as a secret:

oc create secret tls custom-api-cert \
  --cert=api.crt \
  --key=api.key \
  -n openshift-config

Step 3: Configure Ingress TLS

Create the wildcard certificate secret in the openshift-ingress namespace:

oc create secret tls custom-router-cert \
  --cert=wildcard.crt \
  --key=wildcard.key \
  -n openshift-ingress

Edit the Ingress Controller:

oc edit ingresscontroller default -n openshift-ingress-operator

Add:

spec:
  defaultCertificate:
    name: custom-router-cert

Step 4: Verify TLS

oc get apiserver cluster -o yaml | grep cert
oc get ingresscontroller default -n openshift-ingress-operator -o yaml
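A pre-flight check to run on the certificate and key before Step 2 loads them into the cluster, added here as an example and not part of the original article: it assumes openssl is installed, and the file names, host name and 30-day threshold are illustrative.

```shell
#!/bin/sh
# Added example, not from the original article: pre-flight checks on a TLS
# cert/key pair before loading it into openshift-config or openshift-ingress.
# Assumes openssl is installed; the host name, file names and the 30-day
# default threshold are illustrative assumptions.

# tls_preflight CERT KEY HOSTNAME [MIN_DAYS]
# Returns 0 when CERT lists HOSTNAME as a DNS SAN, KEY matches CERT, and CERT
# stays valid for at least MIN_DAYS more days; returns 1 otherwise.
tls_preflight() {
  cert=$1; key=$2; host=$3; min_days=${4:-30}

  # 1. Go-based clients such as oc ignore the CN and require a matching SAN.
  #    Escape the dots so the host name is matched literally.
  host_re=$(printf '%s' "$host" | sed 's/\./\\./g')
  if ! openssl x509 -in "$cert" -noout -text |
       grep -A1 'Subject Alternative Name' |
       grep -qE "DNS:${host_re}(,|[[:space:]]|\$)"; then
    echo "FAIL: $cert has no subjectAltName entry DNS:$host" >&2
    return 1
  fi

  # 2. The private key must belong to the certificate: compare public keys.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl md5)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl md5)
  if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: $key does not match the public key in $cert" >&2
    return 1
  fi

  # 3. -checkend exits non-zero if the cert expires within the given seconds.
  if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
    echo "FAIL: $cert expires within $min_days days; renew before rotating" >&2
    return 1
  fi

  echo "OK: $cert and $key are usable for $host"
  return 0
}
```

Run it as `tls_preflight api.crt api.key api.openshift.example.com` before `oc create secret tls`; the same check applies to the wildcard pair used for the ingress controller.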

3. SCCs: Default vs Custom

OpenShift ships with built-in SCCs like:

  • restricted (recommended default)

  • anyuid (dangerous if misused)

  • privileged (full host access)

  • hostnetwork / hostaccess

Create a Custom SCC

Example: Allow non-root containers but restrict host access.

apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  name: custom-nonroot
allowPrivilegedContainer: false
runAsUser:
  type: MustRunAsNonRoot
seLinuxContext:
  type: MustRunAs
fsGroup:
  type: MustRunAs

Apply:

oc apply -f custom-scc.yaml

Assign the SCC to a service account:

oc adm policy add-scc-to-user custom-nonroot -z app-sa -n app-namespace

4. Useful oc Commands

Check SCC assigned to a pod

oc get pod <pod-name> -o yaml | grep scc

List all SCCs

oc get scc

Test TLS connectivity

# -servername sends SNI, which the API server uses to select the named certificate;
# </dev/null closes the session instead of waiting for interactive input
openssl s_client -connect api.openshift.example.com:6443 \
  -servername api.openshift.example.com </dev/null

5. Troubleshooting Common Errors

❗ “x509: certificate signed by unknown authority”

  • Missing CA trust on clients

  • Wrong certificate CN/SAN

  • Solution → Re-issue certs with proper DNS entries

❗ Pods stuck in CreateContainerConfigError

  • Wrong or missing SCC permissions

  • Solution → Assign correct SCC to the ServiceAccount

❗ Ingress routes show default backend - 404

  • Router pod failed to load TLS cert

  • Solution → Check ingress secret name and cert chain
