security-enforced-at-install-runtime-and-api-boundary

Status: IN

OpenShift security operates as a three-layer enforcement model: install-time constraints lock FIPS mode and CPU partitioning permanently, runtime TLS profiles and IPsec govern network encryption, and API-boundary controls (webhooks with mandatory TLS, admission with a 13s timeout cap, tiered stability guarantees) prevent unauthorized or unstable mutations, creating defense-in-depth from cluster birth through ongoing operations.

Justifications

depth-2 synthesis — three distinct enforcement points (install, runtime, API) form a unified security posture

Depends on (SL): encryption-and-tls-infrastructure-model, webhook-admission-enforcement-model, install-time-irreversible-constraints

Depended on by
