The age of generative AI brings great opportunity and new risks. As large organizations adopt agentic AI and face increasingly strict digital sovereignty requirements, the underlying infrastructure must provide integrity, isolation, and identity management to protect sensitive data, workloads, and end users. Protecting organizational reputation, maintaining and building trust in the software we interact with every day is not just a secondary requirement, but the fundamental mission.
Imagine a regional public utility responsible for keeping the lights on for millions of homes, schools, and hospitals. In this environment, a security breach is a threat to the community's safety. If the grid goes dark because of a technical failure or an outside attack, the city would come to a halt. To address this kind of threat and to deliver on the core mission, the future architecture of Red Hat OpenShift is anchored in three core pillars: integrity, isolation, and identity.
Pillar 1: Integrity (beyond encryption)
To prevent data tampering, encryption of data at rest and data in motion has been a standard protection in computer systems for many years. Integrity goes further: components are encrypted and verified, mitigating supply-chain attacks and insider mistakes through digital signatures, signature verification, and hardware-based attestation.
Current OpenShift capabilities include multiple options for encrypting data at rest as well as data in motion. Modern technologies for encryption and verification include transport layer security (TLS) v1.3 and support for module-lattice-based key-encapsulation mechanism (ML-KEM) in core Kubernetes and Service Mesh, node-level file integrity monitoring, validation of image signatures at admission and runtime, as well as confidential computing for containers and clusters. In addition to encrypting data at rest and in motion, confidential computing encrypts data in use and leverages hardware-based trusted execution environments (TEE) for attestation.
The OpenShift roadmap expands these controls significantly to further strengthen integrity:
- Node attestation: We plan to add attestation for Red Hat CoreOS 10 nodes.
- Confidential virtual machines: We plan to add support for confidential VMs in OpenShift Virtualization to secure data in use for more workload types.
- Post-quantum cryptography (PQC): Future updates will expand the use of next-generation encryption algorithms, including TLS 1.3 and ML-KEM, and add support for the module-lattice-based digital signature algorithm (ML-DSA) with Red Hat CoreOS 10. These algorithms are designed to protect systems from "harvest now, decrypt later" attacks, where bad actors collect encrypted data now in anticipation of using quantum computers to decrypt the stolen information in the future.
- AI bills of materials (AIBOM): Upcoming roadmap features will enable you to scan AI systems before deployment. By leveraging an AI Bill of Materials (AI BOM), a machine-readable inventory of models, datasets, and dependencies, you can verify lineage and provenance to proactively mitigate risks like bias, tampering, and supply chain vulnerabilities.
Pillar 2: Isolation (multitenancy without compromise)
Large enterprises or service providers that support different teams or customers on a single cluster need to protect against lateral movement. Multi-layered isolation separates individual workloads completely across your environment.
OpenShift provides a large set of capabilities that support isolating different teams and workloads from the same organization within a single cluster. Those capabilities include OpenShift projects (Kubernetes namespaces with SELinux annotations), identity management integrations, role-based access controls (RBAC), ingress and egress controls, Kubernetes network policies, and OpenShift Service Mesh.
Red Hat has been investing in features to support enhanced multitenancy through several new capabilities that enable isolating different customers on a single cluster. This incorporates network isolation comparable to separate physical or near-physical networks, even if some hardware is shared. Multitenancy constructs can be layered on top of each other.
- Hosted control planes: Decouples the control plane and data plane and makes it easier to create individual sets of worker nodes per customer with minimal cost and resource usage. Control planes run as containerized pods within a dedicated management OpenShift cluster, while the workloads (worker nodes) run on separate infrastructure. The customer only sees the worker nodes that are allocated to them.
- User-defined networking (UDN): Enables layer 2 isolation where nodes no longer need to reside on the same network. UDN can serve as both the primary and secondary network interface, and each supports layer 2 (VLAN) and layer 3 (subnet) topologies. UDN provides isolation that goes well beyond what OpenShift projects, RBAC, and network policies can provide.
- OpenShift sandboxed containers: Sandboxed containers provide enhanced security by running containers in lightweight virtual machines (VMs) with dedicated kernels, offering strong isolation for untrusted, privileged, or sensitive workloads. Sandboxed containers are particularly useful for isolating and executing untested or untrusted programs without risking harm to the host machine or operating system.
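As an added illustration of the per-project isolation described above (this is example configuration, not from the original post or the OpenShift product docs), the manifests below combine the standard Kubernetes NetworkPolicy controls with the `kata` RuntimeClass that the OpenShift sandboxed containers Operator registers. The project name `tenant-a` and the image reference are constructed placeholders; the `openshift-dns` namespace and port 5353 are the cluster DNS pod endpoint used in OpenShift.

```yaml
# Default-deny: no pod in the "tenant-a" project accepts ingress or sends egress
# unless a more specific policy allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: tenant-a
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# Re-allow traffic only between pods of the same project, plus DNS egress to the
# cluster DNS pods, so the tenant cannot reach other tenants' workloads.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace-and-dns
  namespace: tenant-a
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
  ingress:
    - from:
        - podSelector: {}          # any pod in tenant-a only
  egress:
    - to:
        - podSelector: {}          # any pod in tenant-a only
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: openshift-dns
      ports:
        - protocol: UDP
          port: 5353
        - protocol: TCP
          port: 5353
---
# Run an untrusted workload in a sandboxed container: the "kata" RuntimeClass
# places the pod in a lightweight VM with its own kernel.
apiVersion: v1
kind: Pod
metadata:
  name: untrusted-job
  namespace: tenant-a
spec:
  runtimeClassName: kata
  containers:
    - name: job
      image: registry.example.com/tenant-a/job:1.0   # constructed placeholder
```

Apply with `oc apply -f` as a project admin; a tenant pod can then resolve names and talk to its neighbours in `tenant-a`, but connections to or from any other project are dropped by default.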
Pillar 3: Identity (control AI agent access and actions)
Verifying human and machine identities is a key element of security, especially in Kubernetes, where the creation of new workloads is declarative and automated. As autonomous agents become standard in your environment, validating the identity of every entity, whether it's a person, a microservice, or an agent, is critical.
Red Hat's zero trust workload identity manager is a universal framework that simplifies identity across hybrid clouds by replacing risky, long-lived API keys with short-lived, verifiable certificates. Zero trust workload identity manager is available today to enhance the security of containerized workloads, and a future release will extend it to your AI agents, providing them with unique identities that make autonomous decisions traceable. By anchoring this in a unified identity plane, you create an effective audit trail from human to machine, keeping your evolving agentic workforce accountable, compliant, and trusted.
Using conditional authorization, the platform moves beyond all-or-nothing permissions. Consider these real-world scenarios:
- The "on-call" shift: Elevate permissions only during a specific on-call shift, automatically reverting them to read-only once the shift ends.
- Device posture: Block access to production code if a user logs in from an unencrypted or non-compliant device.
- "Break-glass" protection: For dangerous actions like deleting a production database, the system can require a second factor of authentication and a valid ticket ID.
Trust as a productive advantage
Building on these pillars, your security team can stop reacting and start scaling with a resilient foundation. Safeguards are built in, including:
- Know which AI touched your data: Issue verifiable identities to every agent through integration with Zero Trust Workload Identity Manager (ZT WIM) and the Red Hat MCP Gateway.
- Enforce minimum access: Use fine-grained, context-aware guardrails to help ensure humans and machines have only the minimum access needed to do the job.
- Agent sandboxing: Run agents in OpenShift Sandboxed Containers during development and, when in production, run agents in user namespaces and confidential containers to prevent privilege escalation and protect data in use, respectively.
Red Hat provides the integrity, isolation, and identity that help you meet your needs in a regulated world. We want to give you the confidence to innovate while maintaining sovereign control.
Ready to get started? Explore digital sovereignty and security with Red Hat OpenShift.
About the author
Dan Bettinger is a tech marketing innovator who has carved a unique path through the evolving landscape of cloud computing, blockchain, and DevOps. Currently serving as Principal Product Marketing Manager for OpenShift at Red Hat, Dan's career highlights include spearheading J.P. Morgan's groundbreaking blockchain network and hosting the IBM Cloud Podcast, where he reached thousands of listeners per episode.