{"id":"security-enforced-at-install-runtime-and-api-boundary","text":"OpenShift security operates as a three-layer enforcement model: install-time constraints lock FIPS mode and CPU partitioning permanently, runtime TLS profiles and IPsec govern network encryption, and API-boundary controls (webhooks with mandatory TLS, admission with 13s timeout cap, tiered stability guarantees) prevent unauthorized or unstable mutations — creating defense-in-depth from cluster birth through ongoing operations.","truth_value":"IN","source":"","source_url":"","source_hash":"","justifications":[{"type":"SL","antecedents":["encryption-and-tls-infrastructure-model","webhook-admission-enforcement-model","install-time-irreversible-constraints"],"outlist":[],"label":"depth-2 synthesis — three distinct enforcement points (install, runtime, API) form a unified security posture"}],"dependents":["unified-security-from-install-through-api-governance"],"metadata":{},"explanation":{"steps":[{"node":"security-enforced-at-install-runtime-and-api-boundary","truth_value":"IN","reason":"SL justification valid","antecedents":["encryption-and-tls-infrastructure-model","webhook-admission-enforcement-model","install-time-irreversible-constraints"],"label":"depth-2 synthesis — three distinct enforcement points (install, runtime, API) form a unified security posture"},{"node":"encryption-and-tls-infrastructure-model","truth_value":"IN","reason":"SL justification valid","antecedents":["ocp-tls-four-profile-types","ipsec-cipher-aes-gcm-16-256","ipsec-pod-to-pod-transport-mode","ocp-410-san-certificate-requirement"],"label":"Four base beliefs about TLS/IPsec/certificates combine into a layered encryption model"},{"node":"ocp-tls-four-profile-types","truth_value":"IN","reason":"premise"},{"node":"ipsec-cipher-aes-gcm-16-256","truth_value":"IN","reason":"premise"},{"node":"ipsec-pod-to-pod-transport-mode","truth_value":"IN","reason":"premise"},{"node":"ocp-410-san-certificate-requirement","truth_value":"IN","reason":"premise"},{"node":"webhook-admission-enforcement-model","truth_value":"IN","reason":"SL justification valid","antecedents":["webhook-communication-requires-tls","webhook-max-timeout-13-seconds","webhook-never-invoked-on-own-kind","webhook-required-fields"],"label":"These four constraints collectively define the safety envelope for admission webhooks — TLS for integrity, timeout cap for availability, self-exclusion for stability, required fields for correctness"},{"node":"webhook-communication-requires-tls","truth_value":"IN","reason":"premise"},{"node":"webhook-max-timeout-13-seconds","truth_value":"IN","reason":"premise"},{"node":"webhook-never-invoked-on-own-kind","truth_value":"IN","reason":"premise"},{"node":"webhook-required-fields","truth_value":"IN","reason":"premise"},{"node":"install-time-irreversible-constraints","truth_value":"IN","reason":"SL justification valid","antecedents":["ocp-security-fips-install-time-only","cpu-partitioning-install-time-only","network-plugin-selected-at-install-time"],"label":"Three independent install-time-only constraints form a coherent class of irreversible cluster decisions"},{"node":"ocp-security-fips-install-time-only","truth_value":"IN","reason":"premise"},{"node":"cpu-partitioning-install-time-only","truth_value":"IN","reason":"premise"},{"node":"network-plugin-selected-at-install-time","truth_value":"IN","reason":"premise"}]}}