Red Hat Service Reliability Engineering (SRE) manages security updates to the cluster. Any maintenance required to address an open security issue identified by the OpenShift Security team or the Red Hat Security team is communicated in the status portal. Customers are notified of the security updates to be applied, and updates are scheduled according to the urgency and priority of the fix. In the case of extremely critical errata, your cluster can be patched without the usual advance warning associated with cluster maintenance.

rkhunter (Rootkit Hunter) scans are run daily on every node in the cluster to check the root file system for infected files. Port scan attack detection (PSAD) is installed on the cluster and passively watches iptables logs for suspicious network traffic. Any anomalies detected by the scans are consolidated by the centralized management and reporting platform and escalated to the SREs on duty.

Users are allowed to run security assessments and penetration tests for their own applications. The cloud infrastructure provider’s rules must be followed. See the AWS infrastructure penetration test criteria.