  1. OpenShift Container Platform (OCP) Strategy
  2. OCPSTRAT-2599

Unified Trust Fabric in Agentic AI Workflows


    • Outcome
    • Resolution: Unresolved
    • Critical
    • Security & Compliance
    • Product / Portfolio Work

      Outcome Overview

      Once all Features and Initiatives under this outcome are complete, OpenShift customers will be able to securely leverage AI copilots and agentic assistants like OpenShift Lightspeed to interact with cluster and enterprise data through a trusted identity framework.

      This outcome delivers secure, fine-grained, identity-bound access control for AI-driven workflows by integrating:

      • MCP Server – securely exposes OpenShift APIs to AI workloads
      • MCP Gateway – enforces contextual authorization and policy
      • Keycloak – manages federated user identity and token propagation
      • SPIRE/ZTWIM – provides workload attestation and SPIFFE-based trust

      The result will be a Zero Trust Agentic Platform on OpenShift, where AI systems operate within the same enterprise identity, access, and compliance posture as traditional applications.

       

      Success Criteria

      • An end-to-end validated and documented workflow exists for setting up agentic identity correctly across Keycloak, MCP Server, MCP Gateway, and SPIRE/ZTWIM.
      • OpenShift Lightspeed and other AI agents access cluster APIs only through authenticated, authorized, and attested workloads.
      • User identity, agent behavior, and workload trust are cryptographically bound during all AI interactions.

      Expected Results (what, how, when)

      • Secure and trusted integration between OpenShift Lightspeed, MCP Server, and Gateway enables policy-bound AI access to cluster data.
      • Customer environments benefit from a measurable reduction in credential sprawl and improved audit visibility for AI-driven interactions.
      • Establishes the baseline for Zero Trust Agentic workloads across OpenShift and the Red Hat AI ecosystem.
      • Demonstrates early customer validation of secure MCP-mediated API access patterns.

      Proposed Work Aligned with this Outcome:

      • Integrate MCP Server with Keycloak OIDC for user token validation.
      • Enable SPIFFE/SPIRE-based workload identity issuance for agentic workloads.
      • MCP Gateway for contextual, fine-grained access policy enforcement. 
      • Build a unified audit and observability framework across Keycloak, MCP Gateway, and ZTWIM.
      • Develop and validate end-to-end setup and documentation for Agentic Identity on OpenShift.

      Post Completion Review – Actual Results

      After completing the work (as determined by the "when" in Expected Results above), list the actual results observed / measured during Post Completion review(s).

       

              atelang@redhat.com Anjali Telang
              Gaurav Singh, Mrunal Patel, Trilok Geer
              Mrunal Patel