Finance Blueprint
Purpose: Explains, for platform engineers and security officers, how the Finance blueprint maps openCenter controls to SOC2, PCI-DSS, and NIST 800-53 requirements.
Overview
Financial services need to move fast and prove they did it safely. This blueprint layers policy enforcement, audit trails, and change discipline on the platform foundation — built into every deploy, not bolted on after an audit finding.
What You Get
- Audit-Ready on Deploy — Deployment models that map to SOC2, PCI, and NIST controls with real enforcement via Kyverno and Pod Security Admission.
- Every Change Is Traceable — Versioned blueprints and GitOps workflows mean every platform change has a commit, a review, and a rollback path.
- Recover Fast, Not Frantically — Standardized operations and tested recovery workflows via Velero with defined RPO/RTO.
Compliance Framework Mapping
| Framework | Controls | openCenter Implementation |
|---|---|---|
| SOC2 CC6 | Logical and physical access | Keycloak OIDC + RBAC Manager + namespace isolation |
| SOC2 CC7 | System operations | FluxCD drift detection + Prometheus alerting |
| SOC2 CC8 | Change management | Git-based approval workflow + immutable audit trail |
| PCI-DSS Req 1 | Network segmentation | NetworkPolicies + Kyverno enforcement |
| PCI-DSS Req 2 | Secure defaults | 17 Kyverno ClusterPolicies + Pod Security Admission |
| PCI-DSS Req 6 | Secure development | GitOps pipeline + image scanning (Harbor) |
| PCI-DSS Req 7 | Restrict access | RBAC Manager + Keycloak group-based access |
| PCI-DSS Req 8 | Authentication | Keycloak OIDC + mTLS (optional Istio) |
| PCI-DSS Req 10 | Logging and monitoring | Loki audit logs + Prometheus metrics + Alertmanager |
| NIST 800-53 AC | Access control | Keycloak + RBAC Manager + Pod Security Admission |
| NIST 800-53 AU | Audit and accountability | Git commit history + Loki + Kubernetes audit logs |
| NIST 800-53 CM | Configuration management | FluxCD reconciliation + drift detection |
| NIST 800-53 SC | System and communications protection | SOPS encryption + TLS (cert-manager) + NetworkPolicies |
Change Traceability
Every platform change follows this path:
- Developer commits change to Git (infrastructure or application overlay)
- PR review required before merge (branch protection)
- FluxCD reconciles the change to the cluster
- Drift detection flags unauthorized modifications
- Full audit trail: commit hash → PR → deployment timestamp → reconciliation status
Rollback: revert the Git commit. FluxCD reconciles the previous state.
Workload Segregation
- Namespace isolation with Kyverno policies preventing cross-namespace access
- NetworkPolicies enforcing least-privilege network communication
- Dedicated node pools for sensitive workloads (configurable via Kubespray inventory)
- Pod Security Admission prevents privilege escalation
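The least-privilege NetworkPolicy baseline above only holds if every namespace actually carries a default-deny policy in both directions. The following added example (not openCenter's own code) audits a set of NetworkPolicy manifests, supplied here as constructed parsed dicts, and reports which namespaces still lack a default-deny for ingress or egress; it deliberately flags the `ingress: [{}]` allow-all rule that is easy to mistake for a deny.

```python
# Added example (not part of the openCenter project): audit NetworkPolicy
# manifests for the default-deny baseline that least-privilege segregation
# relies on. The manifests below are constructed sample data, not a real cluster.

def denied_directions(policy: dict) -> set:
    """Directions ('Ingress'/'Egress') that this policy denies for every pod.

    A policy is a default-deny for a direction when it selects all pods
    (empty podSelector), the direction is listed in policyTypes, and no
    allow rules exist for it. Note that `ingress: [{}]` is an allow-all rule.
    """
    spec = policy.get("spec", {})
    if spec.get("podSelector", {}) not in ({}, {"matchLabels": {}}):
        return set()
    # Kubernetes defaults policyTypes to Ingress, plus Egress if egress rules exist.
    types = spec.get("policyTypes") or (["Ingress"] + (["Egress"] if "egress" in spec else []))
    return {d for d, key in (("Ingress", "ingress"), ("Egress", "egress"))
            if d in types and not spec.get(key)}


def namespaces_missing_default_deny(policies: list, namespaces: list) -> dict:
    """Map each namespace to the directions that still lack a default-deny."""
    covered = {ns: set() for ns in namespaces}
    for p in policies:
        ns = p.get("metadata", {}).get("namespace")
        if ns in covered:
            covered[ns] |= denied_directions(p)
    return {ns: {"Ingress", "Egress"} - dirs for ns, dirs in covered.items()
            if dirs != {"Ingress", "Egress"}}


# Constructed sample manifests (already parsed into dicts, so no YAML library is needed).
NAMESPACES = ["payments", "reporting", "sandbox"]
POLICIES = [
    {"metadata": {"name": "default-deny-all", "namespace": "payments"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}},
    {"metadata": {"name": "allow-from-gateway", "namespace": "payments"},
     "spec": {"podSelector": {"matchLabels": {"app": "ledger"}},
              "policyTypes": ["Ingress"],
              "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "gateway"}}}]}]}},
    # Ingress is denied but egress is left open: a common gap.
    {"metadata": {"name": "default-deny-ingress", "namespace": "reporting"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
    # Looks like a deny, but `ingress: [{}]` is an allow-all rule.
    {"metadata": {"name": "allow-all-ingress", "namespace": "sandbox"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"], "ingress": [{}]}},
]

if __name__ == "__main__":
    for ns, missing in namespaces_missing_default_deny(POLICIES, NAMESPACES).items():
        print(f"{ns}: missing default-deny for {sorted(missing)}")
```

The same check can be run against `kubectl get networkpolicy -A -o json` output by feeding the `items` list as `policies`; the output doubles as evidence for the PCI-DSS Req 1 row above.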
Recovery
| Component | Mechanism | Evidence |
|---|---|---|
| Cluster state | Velero scheduled backups | Backup logs in object storage |
| Secrets | SOPS-encrypted in Git | Git history + Age key backups |
| Configuration | Git repository (single source of truth) | Full commit history |
| Infrastructure | OpenTofu/Terraform state | State file + plan output |
Platform Controls (Inherited from Foundation)
All controls from the Platform Foundation apply:
- 17 Kyverno ClusterPolicies (baseline security enforcement)
- SOPS Age encryption with 90-day automated rotation
- Pod Security Admission (baseline profile enforced; restricted profile in audit/warn mode)
- Observability stack for continuous monitoring
- Air-gap support for isolated environments
Further Reading
- Platform Foundation — inherited security and observability
- Healthcare Blueprint — similar regulated-environment approach for HIPAA
- Blueprint Catalog — all blueprints