Case | DPIA on Red Hat OpenShift: all lights on green

Containers
Red Hat OpenShift is a container platform. But what are these containers?
When you create an application, you want to be able to run it in a standard environment. 'Containers' provide such a standard environment. Using a tool like 'Kubernetes', you can describe what your application needs, and the platform then automatically configures that environment. Containers make it easier to run an application reliably and at scale. That's why all major cloud providers (and many small ones too) offer containers hosted on their infrastructure. But you can also host your own container platform. That sounds very privacy-friendly, but is it?
The outcome
It is normal for an application to write log data to a separate log server, just as it is normal for an application to use a database and to store files. These are all things the application builder controls. But beyond that control, does personal data leak out of the container?
To test this, we created a very simple application that did only one thing: scatter personal data around in the container. We then checked whether this data ended up outside the container. In doing so, we mapped all the platform's network traffic. We also searched all storage, temporary and fixed. Furthermore, we submitted a support request to Red Hat. In doing so, we used the most comprehensive scripts to collect diagnostic data from the platform and containers, to see if the personal data was in the diagnostic data sent to Red Hat. Our work was made easier because Red Hat OpenShift is open source software: if we saw something unfamiliar, we could always look back to see where it came from.
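The canary approach described above (seed a test application with synthetic personal data, then look for it in everything that leaves the container) can be scripted. The following is an added example, not code from the original DPIA, from ODC-North or from Red Hat. It builds a constructed stand-in for a diagnostic bundle (real OpenShift bundles are produced by `oc adm must-gather`; the directory layout here only loosely imitates one) and scans it for the canary values, both in plain text and inside base64-encoded runs, because Kubernetes secrets and some configuration values are stored base64-encoded and a plain text search would miss them. The file paths, canary values and the `run_demo` helper are assumptions made for the example.

```python
"""
Canary-based check for personal-data leakage into a diagnostic bundle.

Added example, not part of the original DPIA or Red Hat's tooling. The idea:
seed the test application with synthetic records carrying unique canary
tokens, collect a diagnostic bundle, then scan the bundle for those tokens.
A hit means personal data would travel with the support request.
"""
import base64
import os
import re
import tempfile

# Constructed canary records: unmistakable tokens, not real people.
CANARIES = {
    "name": "CANARY-NAME-4f3a9c",
    "email": "canary.4f3a9c@example.invalid",
    "iban": "NL00CANARY4F3A9C00",
}

# Runs of base64 alphabet long enough to be worth decoding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def build_sample_bundle(root):
    """Write a constructed bundle under `root` (assumed layout, not must-gather's).

    One pod log carries canaries in plain text, one ConfigMap carries a canary
    base64-encoded, and one node description is clean.
    """
    iban_b64 = base64.b64encode(CANARIES["iban"].encode()).decode()
    files = {
        "namespaces/demo/pods/app-0/app.log":
            "INFO user created: name=%s email=%s\n" % (CANARIES["name"], CANARIES["email"]),
        "namespaces/demo/configmaps/app-config.yaml":
            "kind: ConfigMap\ndata:\n  token: %s\n" % iban_b64,
        "cluster-scoped/nodes/node-1.yaml":
            "kind: Node\nmetadata:\n  name: node-1\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return sorted(files)


def scan_bundle(root):
    """Return {canary label: sorted relative paths where it was found}.

    Each file is checked as raw bytes and, additionally, every decodable
    base64 run inside it is checked after decoding.
    """
    hits = {label: set() for label in CANARIES}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            views = [data]
            for match in B64_RUN.finditer(data):
                try:
                    views.append(base64.b64decode(match.group(0), validate=True))
                except ValueError:  # binascii.Error is a ValueError: not valid base64
                    continue
            rel = os.path.relpath(path, root)
            for label, value in CANARIES.items():
                needle = value.encode()
                if any(needle in view for view in views):
                    hits[label].add(rel)
    return {label: sorted(paths) for label, paths in hits.items()}


def run_demo():
    """Build the constructed bundle in a temp dir and scan it; returns the hits."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_bundle(root)
        return scan_bundle(root)


if __name__ == "__main__":
    for label, paths in run_demo().items():
        print(label, "->", paths or "not found")
```

In a real assessment the same `scan_bundle` would be pointed at the unpacked bundle you are about to attach to a support request; an empty result for every canary is the outcome the DPIA above reports, while any hit tells you exactly which file (pod log, ConfigMap, secret) carried the data out.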
The conclusion
The research revealed three risks:
1. If the application builder and the system administrator together stack up three specific security sins, personal data could end up in a support request to Red Hat. Avoiding each of those sins separately is already standard practice. This risk is therefore low, but to be sure we do recommend giving application developers and administrators explicit instructions on the point.
2. When administrators log into Red Hat's support site for work, and when diagnostic data is collected for a support request, Red Hat processes some log data about the administrators. That in itself is fine; the data centre only needs to document that this data is processed by Red Hat.
3. Finally, there was a bug in Red Hat's support site for data centre employees. This bug caused a small number of non-essential cookies to be placed before consent was given. Red Hat has since fixed this bug.
So one risk has been fully resolved. The other two risks are low (or negligible) risks.
The conclusion: all lights on green! In a setup like ODC-North's, personal data remains completely under the control of the application developer.
We also had to rub our eyes for a moment: we are used to finding dozens of, often high, risks.
Read our DPIA here.