`<< Back <../../kubernetes>`__

.. _2-architecture-requirements:

2. Architecture Requirements
============================


.. _table-of-contents-:

Table of Contents
-----------------

- `2. Architecture Requirements <#2-architecture-requirements>`__

  - `2.1 Introduction <#21-introduction>`__

    - `2.1.1 Definitions <#211-definitions>`__

  - `2.2 Reference Model Requirements <#22-reference-model-requirements>`__

    - `2.2.1 Cloud Infrastructure Software Profile Capabilities <#221-cloud-infrastructure-software-profile-capabilities>`__
    - `2.2.2 Virtual Network Interface Specifications <#222-virtual-network-interface-specifications>`__
    - `2.2.3 Cloud Infrastructure Software Profile Requirements <#223-cloud-infrastructure-software-profile-requirements>`__
    - `2.2.4 Cloud Infrastructure Hardware Profile Requirements <#224-cloud-infrastructure-hardware-profile-requirements>`__
    - `2.2.5 Cloud Infrastructure Management Requirements <#225-cloud-infrastructure-management-requirements>`__
    - `2.2.6 Cloud Infrastructure Security Requirements <#226-cloud-infrastructure-security-requirements>`__

  - `2.3 Kubernetes Architecture Requirements <#23-kubernetes-architecture-requirements>`__

.. _21-introduction:

2.1 Introduction
----------------

This chapter uses the requirements defined in the overall Reference Model and only makes additional entries in section `2.3 <#2.3>`__ where this Reference Architecture needs requirements beyond those of the Reference Model.

.. _211-definitions:

2.1.1 Definitions
-----------------

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in `RFC2119 <https://tools.ietf.org/html/rfc2119>`__.

.. _22-reference-model-requirements:

2.2 Reference Model Requirements
--------------------------------

The tables below contain the requirements from the Reference Model that cover the Basic and Network Intensive profiles. Each table also includes a reference to the specification in `Chapter 04 - Architecture Specification <./chapter04.md>`__ to ensure traceability.
To ensure alignment with the infrastructure profile catalogue, the following requirements are referenced:

- Those relating to Cloud Infrastructure Software Profiles
- Those relating to Cloud Infrastructure Hardware Profiles
- Those relating to Storage Extensions (S extension)
- Those relating to Network Acceleration Extensions (A extension)
- Those relating to Cloud Infrastructure Management

.. note:: Where "(if offered)" is used in the Reference Model, this has been replaced with "Optional" in the tables below in order to align with the RFC2119 wording.

.. _221-cloud-infrastructure-software-profile-capabilities:

2.2.1 Cloud Infrastructure Software Profile Capabilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. list-table::
   :header-rows: 1

   * - Reference Model Section
     - Reference
     - Description
     - Requirement for Basic Profile
     - Requirement for Network Intensive Profile
     - Specification Reference
   * - `4.2.5 <../../../ref_model/chapters/chapter04.md#425-cloud-infrastructure-profile-capabilities-mapping>`__
     - e.cap.001
     - Max number of vCPU to a single Pod by the Cloud Infrastructure
     - At least 16 (1)
     - At least 16 (1)
     - ra2.ch.011
   * - `4.2.5 <../../../ref_model/chapters/chapter04.md#425-cloud-infrastructure-profile-capabilities-mapping>`__
     - e.cap.002
     - Max memory to a single Pod by the Cloud Infrastructure
     - At least 32 GB (1)
     - At least 32 GB (1)
     - ra2.ch.012
   * - `4.2.5 <../../../ref_model/chapters/chapter04.md#425-cloud-infrastructure-profile-capabilities-mapping>`__
     - e.cap.003
     - Max storage to a single Pod by the Cloud Infrastructure
     - At least 320
     - At least 320
     - ra2.ch.010
   * - `4.2.5 <../../../ref_model/chapters/chapter04.md#425-cloud-infrastructure-profile-capabilities-mapping>`__
     - e.cap.004
     - Max number of connection points that can be assigned to a single Pod by the Cloud Infrastructure
     - 6
     - 6
     - `ra2.ntw.003 <chapter04.md#45-networking-solutions>`__
   * - `4.2.5 <../../../ref_model/chapters/chapter04.md#425-cloud-infrastructure-profile-capabilities-mapping>`__
     - e.cap.005
     - Max storage in GB that can be attached / mounted to a Pod by the Cloud Infrastructure
     - Up to 16TB (2)
     - Up to 16TB (2)
     -
   * - `4.2.5 <../../../ref_model/chapters/chapter04.md#425-cloud-infrastructure-profile-capabilities-mapping>`__
     - e.cap.006
     - CPU pinning support
     - Not required
     - Must support
     - ra2.k8s.009
   * - `4.2.5 <../../../ref_model/chapters/chapter04.md#425-cloud-infrastructure-profile-capabilities-mapping>`__
     - e.cap.007
     - NUMA support
     - Not required
     - Must support
     - ra2.k8s.006
   * - `4.2.5 <../../../ref_model/chapters/chapter04.md#425-cloud-infrastructure-profile-capabilities-mapping>`__
     - e.cap.008
     - IPSec Acceleration using the virtio-ipsec interface
     - Not required
     - Optional
     -
   * - `4.2.5 <../../../ref_model/chapters/chapter04.md#425-cloud-infrastructure-profile-capabilities-mapping>`__
     - e.cap.009
     - Crypto Acceleration using the virtio-crypto interface
     - Not required
     - Optional
     -
   * - `4.2.5 <../../../ref_model/chapters/chapter04.md#425-cloud-infrastructure-profile-capabilities-mapping>`__
     - e.cap.010
     - Transcoding Acceleration
     - Not required
     - Not required
     -
   * - `4.2.5 <../../../ref_model/chapters/chapter04.md#425-cloud-infrastructure-profile-capabilities-mapping>`__
     - e.cap.011
     - Programmable Acceleration
     - Not required
     - Not required
     -
   * - `4.2.5 <../../../ref_model/chapters/chapter04.md#425-cloud-infrastructure-profile-capabilities-mapping>`__
     - e.cap.012
     - Enhanced Cache Management: L=Lean; E=Equal; X=eXpanded
     - E
     - E
     -
   * - `4.2.5 <../../../ref_model/chapters/chapter04.md#425-cloud-infrastructure-profile-capabilities-mapping>`__
     - e.cap.013
     - SR-IOV over PCI-PT
     - Not required
     - Must support
     - ra2.ch.002, ra2.ch.003, `ra2.k8s.007 <chapter04.md#43-kubernetes>`__, ra2.ntw.004, `ra2.ntw.008 <chapter04.md#45-networking-solutions>`__
   * - `4.2.5 <../../../ref_model/chapters/chapter04.md#425-cloud-infrastructure-profile-capabilities-mapping>`__
     - e.cap.014
     - Hardware coprocessor support (GPU/NPU)
     - Not required
     - Not required
     - N/A
   * - `4.2.5 <../../../ref_model/chapters/chapter04.md#425-cloud-infrastructure-profile-capabilities-mapping>`__
     - e.cap.015
     - SmartNICs
     - Not required
     - Optional
     -
   * - `4.2.5 <../../../ref_model/chapters/chapter04.md#425-cloud-infrastructure-profile-capabilities-mapping>`__
     - e.cap.016
     - FPGA/other Acceleration H/W
     - Not required
     - Optional
     - `ra2.k8s.007 <chapter04.md#43-kubernetes>`__, `ra2.ntw.012 <chapter04.md#45-networking-solutions>`__
   * - `4.2.5 <../../../ref_model/chapters/chapter04.md#425-cloud-infrastructure-profile-capabilities-mapping>`__
     - *e.cap.017*
     - *Ability to monitor L2-L7 data from workload*
     - *n/a (3)*
     - *n/a (3)*
     -
   * - `4.2.5 <../../../ref_model/chapters/chapter04.md#425-cloud-infrastructure-profile-capabilities-mapping>`__
     - i.cap.014
     - Specifies the cores consumed by the Cloud Infrastructure system on the worker nodes. If SMT is used, it indicates the number of consumed SMT threads.
     - 2
     - 2
     - ra2.k8s.008
   * - `4.2.5 <../../../ref_model/chapters/chapter04.md#425-cloud-infrastructure-profile-capabilities-mapping>`__
     - i.cap.015
     - Indicates the memory consumed by the Cloud Infrastructure on the worker nodes
     - 16 GB
     - 16 GB
     -
   * - `4.2.5 <../../../ref_model/chapters/chapter04.md#425-cloud-infrastructure-profile-capabilities-mapping>`__
     - i.cap.016
     - Number of virtual cores per physical core; also known as the CPU overbooking ratio that is required
     - 1:1
     - 1:1
     - ra2.ch.004, ra2.ch.005
   * - `4.2.5 <../../../ref_model/chapters/chapter04.md#425-cloud-infrastructure-profile-capabilities-mapping>`__
     - i.cap.017
     - QoS enablement of the connection point (vNIC or interface)
     - Not required
     - Must support
     -
   * - `4.2.5 <../../../ref_model/chapters/chapter04.md#425-cloud-infrastructure-profile-capabilities-mapping>`__
     - i.cap.018
     - Support for huge pages
     - Not required
     - Must support
     - ra2.ch.001
   * - `4.2.5 <../../../ref_model/chapters/chapter04.md#425-cloud-infrastructure-profile-capabilities-mapping>`__
     - i.pm.001
     - Monitor worker node CPU usage, per nanosecond
     - Must support
     - Must support
     -
   * - `4.2.5 <../../../ref_model/chapters/chapter04.md#425-cloud-infrastructure-profile-capabilities-mapping>`__
     - i.pm.002
     - Monitor pod CPU usage, per nanosecond
     - Must support
     - Must support
     -
   * - `4.2.5 <../../../ref_model/chapters/chapter04.md#425-cloud-infrastructure-profile-capabilities-mapping>`__
     - i.pm.003
     - Monitor worker node CPU utilisation (%)
     - Must support
     - Must support
     -
   * - `4.2.5 <../../../ref_model/chapters/chapter04.md#425-cloud-infrastructure-profile-capabilities-mapping>`__
     - i.pm.004
     - Monitor pod CPU utilisation
     - Must support
     - Must support
     -
   * - `4.2.5 <../../../ref_model/chapters/chapter04.md#425-cloud-infrastructure-profile-capabilities-mapping>`__
     - i.pm.005
     - Measure external storage IOPs
     - Must support
     - Must support
     -
   * - `4.2.5 <../../../ref_model/chapters/chapter04.md#425-cloud-infrastructure-profile-capabilities-mapping>`__
     - i.pm.006
     - Measure external storage throughput
     - Must support
     - Must support
     -
   * - `4.2.5 <../../../ref_model/chapters/chapter04.md#425-cloud-infrastructure-profile-capabilities-mapping>`__
     - i.pm.007
     - Measure external storage capacity
     - Must support
     - Must support
     -

Table 2-1: Reference Model Requirements: Cloud Infrastructure Software Profile Capabilities

**(1)** Defined in the ``.4xlarge`` flavour in section `4.2.1.1 Predefined Compute Flavours <../../../ref_model/chapters/chapter04.md#4211-predefined-compute-flavours>`__

**(2)** Defined in the ``.bronze`` configuration in section `4.2.3 Storage Extensions <../../../ref_model/chapters/chapter04.md#423-storage-extensions>`__

**(3)** In Kubernetes based infrastructures, packet monitoring is out of scope for the infrastructure.

.. _222-virtual-network-interface-specifications:

2.2.2 Virtual Network Interface Specifications
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The required number of connection points to a Pod is described in ``e.cap.004`` above. This section describes the required bandwidth of those connection points.

.. list-table::
   :header-rows: 1

   * - Reference Model Section
     - Reference
     - Description
     - Requirement for Basic Profile
     - Requirement for Network Intensive Profile
     - Specification Reference
   * - `4.2.2 <../../../ref_model/chapters/chapter04.md#422-virtual-network-interface-specifications>`__
     - n1, n2, n3, n4, n5, n6
     - 1, 2, 3, 4, 5, 6 Gbps
     - Must support
     - Must support
     -
   * - `4.2.2 <../../../ref_model/chapters/chapter04.md#422-virtual-network-interface-specifications>`__
     - n10, n20, n30, n40, n50, n60
     - 10, 20, 30, 40, 50, 60 Gbps
     - Must support
     - Must support
     -
   * - `4.2.2 <../../../ref_model/chapters/chapter04.md#422-virtual-network-interface-specifications>`__
     - n25, n50, n75, n100, n125, n150
     - 25, 50, 75, 100, 125, 150 Gbps
     - Must support
     - Must support
     -
   * - `4.2.2 <../../../ref_model/chapters/chapter04.md#422-virtual-network-interface-specifications>`__
     - n50, n100, n150, n200, n250, n300
     - 50, 100, 150, 200, 250, 300 Gbps
     - Must support
     - Must support
     -
   * - `4.2.2 <../../../ref_model/chapters/chapter04.md#422-virtual-network-interface-specifications>`__
     - n100, n200, n300, n400, n500, n600
     - 100, 200, 300, 400, 500, 600 Gbps
     - Must support
     - Must support
     -

Table 2-2: Reference Model Requirements: Network Interface Specifications
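As an added example (not code from this Reference Architecture or from the Reference Model), the following Python checks a constructed Pod description against the per-Pod Basic profile ceilings of Table 2-1 (``e.cap.001``, ``e.cap.002``, ``e.cap.004``, ``e.cap.005``) and maps each connection point's bandwidth need to the smallest interface class of Table 2-2 that satisfies it. The ``connection_points`` and ``attached_storage`` fields are hypothetical additions, since a Pod spec does not carry them, and the 32 GB memory figure is read as decimal gigabytes, so a ``32Gi`` request counts as exceeding it.

```python
import re

# Per-Pod ceilings that a Basic profile cloud must offer (Table 2-1). A
# workload that stays within them fits any conformant infrastructure.
# Memory is taken literally as 32 GB (decimal); 32Gi (binary) is larger.
BASIC_PROFILE_LIMITS = {
    "e.cap.001": ("vcpu", 16),
    "e.cap.002": ("memory_bytes", 32 * 10**9),
    "e.cap.004": ("connection_points", 6),
    "e.cap.005": ("attached_storage_bytes", 16 * 10**12),
}

# Interface classes from Table 2-2: the class name is "n" + bandwidth in Gbps.
VNI_CLASSES_GBPS = sorted(
    {*range(1, 7), *range(10, 61, 10), *range(25, 151, 25),
     *range(50, 301, 50), *range(100, 601, 100)}
)

# Kubernetes quantity suffixes: decimal SI and binary (power-of-two) forms.
_SUFFIX = {"": 1, "k": 10**3, "M": 10**6, "G": 10**9, "T": 10**12,
           "Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40}


def parse_quantity(quantity):
    """Convert a Kubernetes resource quantity ("500m", "24Gi", "16T") to a float."""
    match = re.fullmatch(r"(\d+(?:\.\d+)?)(m|k|[MGT]|[KMGT]i)?", str(quantity).strip())
    if not match:
        raise ValueError(f"unsupported quantity: {quantity!r}")
    value, suffix = float(match.group(1)), match.group(2) or ""
    return value / 1000 if suffix == "m" else value * _SUFFIX[suffix]


def _container_resource(container, name):
    """Use the limit if set, otherwise the request; 0 when neither is given."""
    res = container.get("resources", {})
    value = res.get("limits", {}).get(name, res.get("requests", {}).get(name, "0"))
    return parse_quantity(value)


def workload_totals(workload):
    """Aggregate the per-Pod figures that Table 2-1 constrains."""
    containers = workload["spec"]["containers"]
    return {
        "vcpu": sum(_container_resource(c, "cpu") for c in containers),
        "memory_bytes": sum(_container_resource(c, "memory") for c in containers),
        "connection_points": len(workload.get("connection_points", [])),
        "attached_storage_bytes": sum(parse_quantity(s) for s in workload.get("attached_storage", [])),
    }


def check_basic_profile(workload):
    """Return [(requirement id, message)] for every Table 2-1 ceiling the Pod exceeds."""
    totals = workload_totals(workload)
    violations = []
    for req_id, (key, limit) in BASIC_PROFILE_LIMITS.items():
        if totals[key] > limit:
            violations.append((req_id, f"{key} {totals[key]:g} exceeds Basic profile limit {limit:g}"))
    return violations


def vni_class(required_gbps):
    """Smallest Table 2-2 interface class (n1 .. n600) that satisfies the bandwidth, or None."""
    for gbps in VNI_CLASSES_GBPS:
        if gbps >= required_gbps:
            return f"n{gbps}"
    return None


# Constructed samples: a Pod spec plus the two hypothetical out-of-band fields.
SAMPLE_WORKLOAD = {
    "spec": {"containers": [
        {"name": "app", "resources": {"limits": {"cpu": "12", "memory": "24Gi"}}},
        {"name": "sidecar", "resources": {"requests": {"cpu": "2500m", "memory": "2Gi"}}},
    ]},
    "connection_points": [{"name": f"net{i}", "gbps": 7} for i in range(7)],  # one too many
    "attached_storage": ["2Ti"],
}

OVERSIZED_WORKLOAD = {
    "spec": {"containers": [{"name": "db", "resources": {"limits": {"cpu": "16", "memory": "32Gi"}}}]},
    "connection_points": [{"name": "net0", "gbps": 25}],
    "attached_storage": ["10T", "8T"],  # 18 TB, above the 16 TB ceiling
}

if __name__ == "__main__":
    for name, wl in (("sample", SAMPLE_WORKLOAD), ("oversized", OVERSIZED_WORKLOAD)):
        print(name, check_basic_profile(wl) or "fits the Basic profile")
        for cp in wl["connection_points"]:
            print(f"  {cp['name']}: needs {cp['gbps']} Gbps -> class {vni_class(cp['gbps'])}")
```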

.. _223-cloud-infrastructure-software-profile-requirements:

2.2.3 Cloud Infrastructure Software Profile Requirements
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. list-table::
   :header-rows: 1

   * - Reference Model Section
     - Reference
     - Description
     - Requirement for Basic Profile
     - Requirement for Network Intensive Profile
     - Specification Reference
   * - `5.2.1 <../../../ref_model/chapters/chapter05.md#521-virtual-compute>`__
     - infra.com.cfg.001
     - CPU allocation ratio
     - 1:1
     - 1:1
     - ra2.ch.005, ra2.ch.006
   * - `5.2.1 <../../../ref_model/chapters/chapter05.md#521-virtual-compute>`__
     - infra.com.cfg.002
     - NUMA awareness
     - Must support
     - Must support
     - ra2.k8s.006
   * - `5.2.1 <../../../ref_model/chapters/chapter05.md#521-virtual-compute>`__
     - infra.com.cfg.003
     - CPU pinning capability
     - Not required
     - Must support
     - ra2.k8s.009
   * - `5.2.1 <../../../ref_model/chapters/chapter05.md#521-virtual-compute>`__
     - infra.com.cfg.004
     - Huge Pages
     - Must support
     - Must support
     - ra2.ch.001
   * - `5.2.2 <../../../ref_model/chapters/chapter05.md#522-virtual-storage>`__
     - infra.stg.cfg.002
     - Storage Block
     - Must support
     - Must support
     - ra2.stg.004
   * - `5.2.2 <../../../ref_model/chapters/chapter05.md#522-virtual-storage>`__
     - infra.stg.cfg.003
     - Storage with replication
     - Not required
     - Must support
     -
   * - `5.2.2 <../../../ref_model/chapters/chapter05.md#522-virtual-storage>`__
     - infra.stg.cfg.004
     - Storage with encryption
     - Must support
     - Must support
     -
   * - `5.2.2 <../../../ref_model/chapters/chapter05.md#522-virtual-storage>`__
     - infra.stg.acc.cfg.001
     - Storage IOPS oriented
     - Not required
     - Must support
     -
   * - `5.2.2 <../../../ref_model/chapters/chapter05.md#522-virtual-storage>`__
     - infra.stg.acc.cfg.002
     - Storage capacity oriented
     - Not required
     - Not required
     -
   * - `5.2.3 <../../../ref_model/chapters/chapter05.md#523-virtual-networking>`__
     - infra.net.cfg.001
     - IO virtualisation using virtio1.1
     - Must support (1)
     - Must support (1)
     -
   * - `5.2.3 <../../../ref_model/chapters/chapter05.md#523-virtual-networking>`__
     - infra.net.cfg.002
     - The overlay network encapsulation protocol needs to enable ECMP in the underlay to take advantage of the scale-out features of the network fabric. (2)
     - Must support VXLAN, MPLSoUDP, GENEVE, other
     - *No requirement specified*
     -
   * - `5.2.3 <../../../ref_model/chapters/chapter05.md#523-virtual-networking>`__
     - infra.net.cfg.003
     - Network Address Translation
     - Must support
     - Must support
     -
   * - `5.2.3 <../../../ref_model/chapters/chapter05.md#523-virtual-networking>`__
     - infra.net.cfg.004
     - Security Groups
     - Must support
     - Must support
     -
   * - `5.2.3 <../../../ref_model/chapters/chapter05.md#523-virtual-networking>`__
     - infra.net.cfg.005
     - SFC support
     - Not required
     - Must support
     -
   * - `5.2.3 <../../../ref_model/chapters/chapter05.md#523-virtual-networking>`__
     - infra.net.cfg.006
     - Traffic patterns symmetry
     - Must support
     - Must support
     -
   * - `5.2.3 <../../../ref_model/chapters/chapter05.md#523-virtual-networking>`__
     - infra.net.acc.cfg.001
     - vSwitch optimisation
     - Not required
     - Must support DPDK (3)
     - `ra2.ntw.010 <chapter04.md#45-networking-solutions>`__
   * - `5.2.3 <../../../ref_model/chapters/chapter05.md#523-virtual-networking>`__
     - infra.net.acc.cfg.002
     - Support of HW offload
     - Not required
     - Must support SmartNic
     -
   * - `5.2.3 <../../../ref_model/chapters/chapter05.md#523-virtual-networking>`__
     - infra.net.acc.cfg.003
     - Crypto acceleration
     - Not required
     - Must support
     -
   * - `5.2.3 <../../../ref_model/chapters/chapter05.md#523-virtual-networking>`__
     - infra.net.acc.cfg.004
     - Crypto Acceleration Interface
     - Not required
     - Must support
     -

Table 2-3: Reference Model Requirements: Cloud Infrastructure Software Profile Requirements

**(1)** The `Workload Transition Guidelines <../chapters/appendix-a.md>`__ might transiently allow other interfaces (such as SR-IOV VFs passed directly to a VM or a Pod) or NIC-specific drivers on guest machines, until more mature solutions become available with an acceptable level of efficiency to support telecom workloads (for example regarding CPU and energy consumption).

**(2)** In Kubernetes based infrastructures network separation is possible without an overlay (e.g. with IPVLAN).

**(3)** This feature is not applicable to Kubernetes based infrastructures because there is no vSwitch; workloads do, however, need access to user space networking solutions.

.. _224-cloud-infrastructure-hardware-profile-requirements:

2.2.4 Cloud Infrastructure Hardware Profile Requirements
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. list-table::
   :header-rows: 1

   * - Reference Model Section
     - Reference
     - Description
     - Requirement for Basic Profile
     - Requirement for Network Intensive Profile
     - Specification Reference
   * - `5.4.1 <../../../ref_model/chapters/chapter05.md#541-compute-resources>`__
     - infra.hw.cpu.cfg.001
     - Minimum number of CPU sockets
     - 2
     - 2
     - ra2.ch.008
   * - `5.4.1 <../../../ref_model/chapters/chapter05.md#541-compute-resources>`__
     - infra.hw.cpu.cfg.002
     - Minimum number of cores per CPU
     - 20
     - 20
     - ra2.ch.008
   * - `5.4.1 <../../../ref_model/chapters/chapter05.md#541-compute-resources>`__
     - infra.hw.cpu.cfg.003
     - NUMA alignment
     - Not required
     - Must support
     - ra2.k8s.006
   * - `5.4.1 <../../../ref_model/chapters/chapter05.md#541-compute-resources>`__
     - infra.hw.cpu.cfg.004
     - Simultaneous Multithreading/Symmetric Multiprocessing (SMT/SMP)
     - Must support
     - Must support
     - ra2.ch.004
   * - `5.4.1 <../../../ref_model/chapters/chapter05.md#541-compute-resources>`__
     - infra.hw.cac.cfg.001
     - GPU
     - Not required
     - Not required
     -
   * - `5.4.2 <../../../ref_model/chapters/chapter05.md#542-storage-configurations>`__
     - infra.hw.stg.hdd.cfg.001
     - Local Storage HDD
     - *No requirement specified*
     - *No requirement specified*
     -
   * - `5.4.2 <../../../ref_model/chapters/chapter05.md#542-storage-configurations>`__
     - infra.hw.stg.ssd.cfg.002
     - Local Storage SSD
     - Should support
     - Should support
     - ra2.ch.009
   * - `5.4.3 <../../../ref_model/chapters/chapter05.md#543-network-resources>`__
     - infra.hw.nic.cfg.001
     - Total number of NIC ports available in the host
     - 4
     - 4
     - ra2.ch.013
   * - `5.4.3 <../../../ref_model/chapters/chapter05.md#543-network-resources>`__
     - infra.hw.nic.cfg.002
     - Port speed specified in Gbps (minimum values)
     - 10
     - 25
     - ra2.ch.014, `ra2.ch.015 <chapter04.md#42-kubernetes-node>`__
   * - `5.4.3 <../../../ref_model/chapters/chapter05.md#543-network-resources>`__
     - infra.hw.pci.cfg.001
     - Number of PCIe slots available in the host
     - 8
     - 8
     - ra2.ch.016
   * - `5.4.3 <../../../ref_model/chapters/chapter05.md#543-network-resources>`__
     - infra.hw.pci.cfg.002
     - PCIe speed
     - Gen 3
     - Gen 3
     - ra2.ch.016
   * - `5.4.3 <../../../ref_model/chapters/chapter05.md#543-network-resources>`__
     - infra.hw.pci.cfg.003
     - PCIe Lanes
     - 8
     - 8
     - ra2.ch.016
   * - `5.4.3 <../../../ref_model/chapters/chapter05.md#543-network-resources>`__
     - infra.hw.nac.cfg.001
     - Cryptographic Acceleration
     - Not required
     - Optional
     -
   * - `5.4.3 <../../../ref_model/chapters/chapter05.md#543-network-resources>`__
     - infra.hw.nac.cfg.002
     - A SmartNIC that is used to offload vSwitch functionality to hardware
     - Not required
     - Optional (1)
     -
   * - `5.4.3 <../../../ref_model/chapters/chapter05.md#543-network-resources>`__
     - infra.hw.nac.cfg.003
     - Compression
     - *No requirement specified*
     - *No requirement specified*
     -

Table 2-4: Reference Model Requirements: Cloud Infrastructure Hardware Profile Requirements

**(1)** There is no vSwitch in the case of containers, but a SmartNIC can still be used to offload other network processing.

.. _225-cloud-infrastructure-management-requirements:

2.2.5 Cloud Infrastructure Management Requirements
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. list-table::
   :header-rows: 1
   :widths: 12 12 44 16 16

   * - Reference Model Section
     - Reference
     - Description
     - Requirement (common to all Profiles)
     - Specification Reference
   * - `4.1.5 <../../../ref_model/chapters/chapter04.md#415-cloud-infrastructure-management-capabilities>`__
     - e.man.001
     - Capability to allocate virtual compute resources to a workload
     - Must support
     -
   * - `4.1.5 <../../../ref_model/chapters/chapter04.md#415-cloud-infrastructure-management-capabilities>`__
     - e.man.002
     - Capability to allocate virtual storage resources to a workload
     - Must support
     -
   * - `4.1.5 <../../../ref_model/chapters/chapter04.md#415-cloud-infrastructure-management-capabilities>`__
     - e.man.003
     - Capability to allocate virtual networking resources to a workload
     - Must support
     -
   * - `4.1.5 <../../../ref_model/chapters/chapter04.md#415-cloud-infrastructure-management-capabilities>`__
     - e.man.004
     - Capability to isolate resources between tenants
     - Must support
     -
   * - `4.1.5 <../../../ref_model/chapters/chapter04.md#415-cloud-infrastructure-management-capabilities>`__
     - e.man.005
     - Capability to manage workload software images
     - Must support
     -
   * - `4.1.5 <../../../ref_model/chapters/chapter04.md#415-cloud-infrastructure-management-capabilities>`__
     - e.man.006
     - Capability to provide information related to allocated virtualised resources per tenant
     - Must support
     -
   * - `4.1.5 <../../../ref_model/chapters/chapter04.md#415-cloud-infrastructure-management-capabilities>`__
     - e.man.007
     - Capability to notify state changes of allocated resources
     - Must support
     -
   * - `4.1.5 <../../../ref_model/chapters/chapter04.md#415-cloud-infrastructure-management-capabilities>`__
     - e.man.008
     - Capability to collect and expose performance information on virtualised resources allocated
     - Must support
     -
   * - `4.1.5 <../../../ref_model/chapters/chapter04.md#415-cloud-infrastructure-management-capabilities>`__
     - e.man.009
     - Capability to collect and notify fault information on virtualised resources
     - Must support
     -

Table 2-5: Reference Model Requirements: Cloud Infrastructure Management Requirements

.. _226-cloud-infrastructure-security-requirements:

2.2.6 Cloud Infrastructure Security Requirements
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. list-table::
   :header-rows: 1
   :widths: 12 12 58 18

   * - Reference Model Section
     - Reference
     - Requirement (common to all Profiles)
     - Specification Reference
   * - `7.9.1 <../../../ref_model/chapters/chapter07.md#791-system-hardening>`__
     - sec.gen.001
     - The Platform **must** maintain the specified configuration.
     -
   * - `7.9.1 <../../../ref_model/chapters/chapter07.md#791-system-hardening>`__
     - sec.gen.002
     - All systems part of Cloud Infrastructure **must** support password hardening as defined in the CIS Password Policy Guide.
     -
   * - `7.9.1 <../../../ref_model/chapters/chapter07.md#791-system-hardening>`__
     - sec.gen.003
     - All servers part of Cloud Infrastructure **must** support a root of trust and secure boot.
     -
   * - `7.9.1 <../../../ref_model/chapters/chapter07.md#791-system-hardening>`__
     - sec.gen.004
     - The Operating Systems of all the servers part of Cloud Infrastructure **must** be hardened by removing or disabling unnecessary services, applications and network protocols, configuring operating system user authentication, configuring resource controls, installing and configuring additional security controls where needed, and testing the security of the Operating System (NIST SP 800-123).
     -
   * - `7.9.1 <../../../ref_model/chapters/chapter07.md#791-system-hardening>`__
     - sec.gen.005
     - The Platform **must** support Operating System level access control.
     -
   * - `7.9.1 <../../../ref_model/chapters/chapter07.md#791-system-hardening>`__
     - sec.gen.006
     - The Platform **must** support secure logging. Logging in with the root account must be prohibited when root privileges are not required.
     -
   * - `7.9.1 <../../../ref_model/chapters/chapter07.md#791-system-hardening>`__
     - sec.gen.007
     - All servers part of Cloud Infrastructure **must** be time synchronized with an authenticated time service.
     -
   * - `7.9.1 <../../../ref_model/chapters/chapter07.md#791-system-hardening>`__
     - sec.gen.008
     - All servers part of Cloud Infrastructure **must** be regularly updated to address security vulnerabilities.
     -
   * - `7.9.1 <../../../ref_model/chapters/chapter07.md#791-system-hardening>`__
     - sec.gen.009
     - The Platform **must** support software integrity protection and verification and **must** scan source code and manifests.
     -
   * - `7.9.1 <../../../ref_model/chapters/chapter07.md#791-system-hardening>`__
     - sec.gen.010
     - The Cloud Infrastructure **must** support encrypted storage, for example block, object and file storage, with access to encryption keys restricted based on a need to know (Controlled Access Based on the Need to Know).
     -
   * - `7.9.1 <../../../ref_model/chapters/chapter07.md#791-system-hardening>`__
     - sec.gen.011
     - The Cloud Infrastructure **should** support read-only and write-only storage partitions (write-only permission for one or more authorized actors).
     -
   * - `7.9.1 <../../../ref_model/chapters/chapter07.md#791-system-hardening>`__
     - sec.gen.012
     - The Operator **must** ensure that only authorized actors have physical access to the underlying infrastructure.
     -
   * - `7.9.1 <../../../ref_model/chapters/chapter07.md#791-system-hardening>`__
     - sec.gen.013
     - The Platform **must** ensure that only authorized actors have logical access to the underlying infrastructure.
     -
   * - `7.9.1 <../../../ref_model/chapters/chapter07.md#791-system-hardening>`__
     - sec.gen.014
     - All servers part of Cloud Infrastructure **should** support measured boot and an attestation server that monitors the measurements of the servers.
     -
   * - `7.9.1 <../../../ref_model/chapters/chapter07.md#791-system-hardening>`__
     - sec.gen.015
     - Any change to the Platform **must** be logged as a security event, and the logged event must include the identity of the entity making the change, the change itself, and the date and time of the change.
     -
   * - `7.9.2 <../../../ref_model/chapters/chapter07.md#792-platform-and-access>`__
     - sec.sys.001
     - The Platform **must** support authenticated and secure access to API, GUI and command line interfaces.
     -
   * - `7.9.2 <../../../ref_model/chapters/chapter07.md#792-platform-and-access>`__
     - sec.sys.002
     - The Platform **must** support traffic filtering for workloads (for example, a firewall).
     -
   * - `7.9.2 <../../../ref_model/chapters/chapter07.md#792-platform-and-access>`__
     - sec.sys.003
     - The Platform **must** support secure and encrypted communications, and confidentiality and integrity of network traffic.
     -
   * - `7.9.2 <../../../ref_model/chapters/chapter07.md#792-platform-and-access>`__
     - sec.sys.004
     - The Cloud Infrastructure **must** support authentication, integrity and confidentiality on all network channels.
     -
   * - `7.9.2 <../../../ref_model/chapters/chapter07.md#792-platform-and-access>`__
     - sec.sys.005
     - The Cloud Infrastructure **must** segregate the underlay and overlay networks.
     -
   * - `7.9.2 <../../../ref_model/chapters/chapter07.md#792-platform-and-access>`__
     - sec.sys.006
     - The Cloud Infrastructure **must** be able to utilize the Cloud Infrastructure Manager identity lifecycle management capabilities.
     -
   * - `7.9.2 <../../../ref_model/chapters/chapter07.md#792-platform-and-access>`__
     - sec.sys.007
     - The Platform **must** implement controls enforcing separation of duties and privileges, least privilege use and least common mechanism (Role-Based Access Control).
     -
   * - `7.9.2 <../../../ref_model/chapters/chapter07.md#792-platform-and-access>`__
     - sec.sys.008
     - The Platform **must** be able to assign the Entities that comprise the tenant networks to different trust domains.
     -
   * - `7.9.2 <../../../ref_model/chapters/chapter07.md#792-platform-and-access>`__
     - sec.sys.009
     - The Platform **must** support creation of trust relationships between trust domains.
     -
   * - `7.9.2 <../../../ref_model/chapters/chapter07.md#792-platform-and-access>`__
     - sec.sys.010
     - For two or more domains without existing trust relationships, the Platform **must not** allow the effect of an attack on one domain to impact the other domains either directly or indirectly.
     -
   * - `7.9.2 <../../../ref_model/chapters/chapter07.md#792-platform-and-access>`__
     - sec.sys.011
     - The Platform **must not** reuse the same authentication credential (e.g., key-pair) on different Platform components (e.g., on different hosts, or different services).
     -
   * - `7.9.2 <../../../ref_model/chapters/chapter07.md#792-platform-and-access>`__
     - sec.sys.012
     - The Platform **must** protect all secrets by using strong encryption techniques, and by storing the protected secrets externally from the component (e.g., in OpenStack Barbican).
     -
   * - `7.9.2 <../../../ref_model/chapters/chapter07.md#792-platform-and-access>`__
     - sec.sys.013
     - The Platform **must** provide secrets dynamically as and when needed.
     -
   * - `7.9.2 <../../../ref_model/chapters/chapter07.md#792-platform-and-access>`__
     - sec.sys.014
     - The Platform **should** use Linux Security Modules such as SELinux to control access to resources.
     -
   * - `7.9.2 <../../../ref_model/chapters/chapter07.md#792-platform-and-access>`__
     - sec.sys.015
     - The Platform **must not** contain back door entries (unpublished access points, APIs, etc.).
     -
   * - `7.9.2 <../../../ref_model/chapters/chapter07.md#792-platform-and-access>`__
     - sec.sys.016
     - Login access to the platform's components **must** be through encrypted protocols such as SSH v2 or TLS v1.2 or higher. Note: hardened jump servers isolated from external networks are recommended.
     -
   * - `7.9.2 <../../../ref_model/chapters/chapter07.md#792-platform-and-access>`__
     - sec.sys.017
     - The Platform **must** provide the capability of using digital certificates that comply with X.509 standards issued by a trusted Certification Authority.
     -
   * - `7.9.2 <../../../ref_model/chapters/chapter07.md#792-platform-and-access>`__
     - sec.sys.018
     - The Platform **must** provide the capability of allowing certificate renewal and revocation.
     -
   * - `7.9.2 <../../../ref_model/chapters/chapter07.md#792-platform-and-access>`__
     - sec.sys.019
     - The Platform **must** provide the capability of testing the validity of a digital certificate (CA signature, validity period, non-revocation, identity).
     -
   * - `7.9.3 <../../../ref_model/chapters/chapter07.md#793-confidentiality-and-integrity>`__
     - sec.ci.001
     - The Platform **must** support confidentiality and integrity of data at rest and in transit.
     -
   * - `7.9.3 <../../../ref_model/chapters/chapter07.md#793-confidentiality-and-integrity>`__
     - sec.ci.002
     - The Platform **should** support self-encrypting storage devices.
     -
   * - `7.9.3 <../../../ref_model/chapters/chapter07.md#793-confidentiality-and-integrity>`__
     - sec.ci.003
     - The Platform **must** support confidentiality and integrity of data-related metadata.
     -
   * - `7.9.3 <../../../ref_model/chapters/chapter07.md#793-confidentiality-and-integrity>`__
     - sec.ci.004
     - The Platform **must** support confidentiality of processes and restrict information sharing to only the process owner (e.g., tenant).
     -
   * - `7.9.3 <../../../ref_model/chapters/chapter07.md#793-confidentiality-and-integrity>`__
     - sec.ci.005
     - The Platform **must** support confidentiality and integrity of process-related metadata and restrict information sharing to only the process owner (e.g., tenant).
     -
   * - `7.9.3 <../../../ref_model/chapters/chapter07.md#793-confidentiality-and-integrity>`__
     - sec.ci.006
     - The Platform **must** support confidentiality and integrity of workload resource utilization (RAM, CPU, storage, network I/O, cache, hardware offload) and restrict information sharing to only the workload owner (e.g., tenant).
     -
   * - `7.9.3 <../../../ref_model/chapters/chapter07.md#793-confidentiality-and-integrity>`__
     - sec.ci.007
     - The Platform **must not** allow memory inspection by any actor other than the authorized actors for the Entity to which the memory is assigned (e.g., tenants owning the workload), for lawful inspection, and by secure monitoring services.
     -
   * - `7.9.3 <../../../ref_model/chapters/chapter07.md#793-confidentiality-and-integrity>`__
     - sec.ci.008
     - The Cloud Infrastructure **must** support tenant network segregation.
     -
   * - `7.9.4 <../../../ref_model/chapters/chapter07.md#794-workload-security>`__
     - sec.wl.001
     - The Platform **must** support workload placement policy.
     -
   * - `7.9.4 <../../../ref_model/chapters/chapter07.md#794-workload-security>`__
     - sec.wl.002
     - The Cloud Infrastructure **must** provide methods to ensure the platform's trust status and integrity (e.g. remote attestation, Trusted Platform Module).
     -
   * - `7.9.4 <../../../ref_model/chapters/chapter07.md#794-workload-security>`__
     - sec.wl.003
     - The Platform **must** support secure provisioning of workloads.
     -
   * - `7.9.4 <../../../ref_model/chapters/chapter07.md#794-workload-security>`__
     - sec.wl.004
     - The Platform **must** support location assertion (for mandated in-country or location requirements).
     -
   * - `7.9.4 <../../../ref_model/chapters/chapter07.md#794-workload-security>`__
     - sec.wl.005
     - The Platform **must** support the separation of production and non-production workloads.
     -
   * - `7.9.4 <../../../ref_model/chapters/chapter07.md#794-workload-security>`__
     - sec.wl.006
     - The Platform **must** support the separation of workloads based on their categorisation (for example, payment card information, healthcare, etc.).
     -
   * - `7.9.4 <../../../ref_model/chapters/chapter07.md#794-workload-security>`__
     - sec.wl.007
     - The Operator **should** implement processes and tools to verify VNF authenticity and integrity.
     -
   * - `7.9.5 <../../../ref_model/chapters/chapter07.md#795-image-security>`__
     - sec.img.001
     - Images from untrusted sources **must not** be used.
     -
   * - `7.9.5 <../../../ref_model/chapters/chapter07.md#795-image-security>`__
     - sec.img.002
     - Images **must** be scanned to be maintained free from known vulnerabilities.
     -
   * - `7.9.5 <../../../ref_model/chapters/chapter07.md#795-image-security>`__
     - sec.img.003
     - Images **must not** be configured to run with privileges higher than the privileges of the actor authorized to run them.
     -
   * - `7.9.5 <../../../ref_model/chapters/chapter07.md#795-image-security>`__
     - sec.img.004
     - Images **must** only be accessible to authorized actors.
     -
   * - `7.9.5 <../../../ref_model/chapters/chapter07.md#795-image-security>`__
     - sec.img.005
     - Image registries **must** only be accessible to authorized actors.
     -
   * - `7.9.5 <../../../ref_model/chapters/chapter07.md#795-image-security>`__
     - sec.img.006
     - Image registries **must** only be accessible over secure networks that enforce authentication, integrity and confidentiality.
     -
   * - `7.9.5 <../../../ref_model/chapters/chapter07.md#795-image-security>`__
     - sec.img.007
     - Image registries **must** be clear of vulnerable and stale (out of date) versions.
     -
   * - `7.9.6 <../../../ref_model/chapters/chapter07.md#796-security-lcm>`__
     - sec.lcm.001
     - The Platform **must** support secure provisioning, availability, and deprovisioning (secure clean-up) of workload resources, where secure clean-up includes tear-down and defense against virus or other attacks.
     -
   * - `7.9.6 <../../../ref_model/chapters/chapter07.md#796-security-lcm>`__
     - sec.lcm.002
     - Cloud operations staff and systems **must** use management protocols limiting security risk, such as SNMPv3, SSH v2, ICMP, NTP, syslog and TLS v1.2 or higher.
     -
   * - `7.9.6 <../../../ref_model/chapters/chapter07.md#796-security-lcm>`__
     - sec.lcm.003
     - The Cloud Operator **must** implement and strictly follow change management processes for Cloud Infrastructure, Cloud Infrastructure Manager and other components of the cloud, and Platform change control on hardware.
     -
   * - `7.9.6 <../../../ref_model/chapters/chapter07.md#796-security-lcm>`__
     - sec.lcm.004
     - The Cloud Operator **should** support automated templated approved changes.
     -
   * - `7.9.6 <../../../ref_model/chapters/chapter07.md#796-security-lcm>`__
     - sec.lcm.005
     - The Platform **must** provide logs, and these logs must be regularly monitored for anomalous behavior.
     -
   * - `7.9.6 <../../../ref_model/chapters/chapter07.md#796-security-lcm>`__
     - sec.lcm.006
     - The Platform **must** verify the integrity of all resource management requests.
     -
   * - `7.9.6 <../../../ref_model/chapters/chapter07.md#796-security-lcm>`__
     - sec.lcm.007
     - The Platform **must** be able to update newly instantiated, suspended, hibernated, migrated and restarted images with current time information.
     -
   * - `7.9.6 <../../../ref_model/chapters/chapter07.md#796-security-lcm>`__
     - sec.lcm.008
     - The Platform **must** be able to update newly instantiated, suspended, hibernated, migrated and restarted images with relevant DNS information.
     -
   * - `7.9.6 <../../../ref_model/chapters/chapter07.md#796-security-lcm>`__
     - sec.lcm.009
     - The Platform **must** be able to update the tag of newly instantiated, suspended, hibernated, migrated and restarted images with relevant geolocation (geographical) information.
     -
   * - `7.9.6 <../../../ref_model/chapters/chapter07.md#796-security-lcm>`__
     - sec.lcm.010
     - The Platform **must** log all changes to geolocation along with the mechanisms and sources of location information (i.e. GPS, IP block, and timing).
     -
   * - `7.9.6 <../../../ref_model/chapters/chapter07.md#796-security-lcm>`__
     - sec.lcm.011
     - The Platform **must** implement security life cycle management processes, including the proactive update and patching of all deployed Cloud Infrastructure software.
     -
   * - `7.9.6 <../../../ref_model/chapters/chapter07.md#796-security-lcm>`__
     - sec.lcm.012
     - The Platform **must** log any access privilege escalation.
     -
   * - `7.9.7 <../../../ref_model/chapters/chapter07.md#797-monitoring-and-security-audit>`__
     - sec.mon.001
     - The Platform **must** provide logs, and these logs must be regularly monitored for events of interest. The logs **must** contain the following fields: event type, date/time, protocol, service or program used for access, success/failure, login ID or process ID, IP address and ports (source and destination) involved.
     -
   * - `7.9.7 <../../../ref_model/chapters/chapter07.md#797-monitoring-and-security-audit>`__
     - sec.mon.002
     - Security logs **must** be time synchronised.
     -
   * - `7.9.7 <../../../ref_model/chapters/chapter07.md#797-monitoring-and-security-audit>`__
     - sec.mon.003
     - The Platform **must** log all changes to time server source, time, date and time zones.
     -
   * - `7.9.7 <../../../ref_model/chapters/chapter07.md#797-monitoring-and-security-audit>`__
     - sec.mon.004
     - The Platform **must** secure and protect audit logs (containing sensitive information) both in transit and at rest.
     -
   * - `7.9.7 <../../../ref_model/chapters/chapter07.md#797-monitoring-and-security-audit>`__
     - sec.mon.005
     - The Platform **must** monitor and audit the various behaviours of connection and login attempts to detect access attacks and potential access attempts, and take corrective actions accordingly.
     -
   * - `7.9.7 <../../../ref_model/chapters/chapter07.md#797-monitoring-and-security-audit>`__
     - sec.mon.006
     - The Platform **must** monitor and audit operations by authorized account access after login to detect malicious operational activity, and take corrective actions accordingly.
     -
   * - `7.9.7 <../../../ref_model/chapters/chapter07.md#797-monitoring-and-security-audit>`__
     - sec.mon.007
     - The Platform **must** monitor and audit security parameter configurations for compliance with defined security policies.
     -
   * - `7.9.7 <../../../ref_model/chapters/chapter07.md#797-monitoring-and-security-audit>`__
     - sec.mon.008
     - The Platform **must** monitor and audit externally exposed interfaces for illegal access (attacks) and take corrective security hardening measures.
     -
   * - `7.9.7 <../../../ref_model/chapters/chapter07.md#797-monitoring-and-security-audit>`__
     - sec.mon.009
     - The Platform **must** monitor and audit service handling for various attacks (malformed messages, signalling flooding and replaying, etc.) and take corrective actions accordingly.
     -
| | +-----------------+-------------+-----------------+-----------------+ | `7.9.7 <../ | sec.mon.010 | The Platform | | | ../../ref_model | | **must** | | | /chapters/chapt | | Monitor and | | | er07.md#797-mon | | Audit running | | | itoring-and-sec | | processes to | | | urity-audit>`__ | | detect | | | | | unexpected or | | | | | unauthorized | | | | | processes and | | | | | take corrective | | | | | actions | | | | | accordingly. | | +-----------------+-------------+-----------------+-----------------+ | `7.9.7 <../ | sec.mon.011 | The Platform | | | ../../ref_model | | **must** | | | /chapters/chapt | | Monitor and | | | er07.md#797-mon | | Audit logs from | | | itoring-and-sec | | infrastructure | | | urity-audit>`__ | | elements and | | | | | workloads to | | | | | detected | | | | | anomalies in | | | | | the system | | | | | components and | | | | | take corrective | | | | | actions | | | | | accordingly. | | +-----------------+-------------+-----------------+-----------------+ | `7.9.7 <../ | sec.mon.012 | The Platform | | | ../../ref_model | | **must** | | | /chapters/chapt | | Monitor and | | | er07.md#797-mon | | Audit Traffic | | | itoring-and-sec | | patterns and | | | urity-audit>`__ | | volumes to | | | | | prevent malware | | | | | download | | | | | attempts. | | +-----------------+-------------+-----------------+-----------------+ | `7.9.7 <../ | sec.mon.013 | The monitoring | | | ../../ref_model | | system **must | | | /chapters/chapt | | not** affect | | | er07.md#797-mon | | the security | | | itoring-and-sec | | (integrity and | | | urity-audit>`__ | | c | | | | | onfidentiality) | | | | | of the | | | | | infrastructure, | | | | | workloads, or | | | | | the user data | | | | | (through back | | | | | door entries). 
| | +-----------------+-------------+-----------------+-----------------+ | `7.9.7 <../ | sec.mon.014 | The Monitoring | | | ../../ref_model | | systems | | | /chapters/chapt | | **should not** | | | er07.md#797-mon | | impact IAAS, | | | itoring-and-sec | | PAAS, and SAAS | | | urity-audit>`__ | | SLAs including | | | | | availability | | | | | SLAs. | | +-----------------+-------------+-----------------+-----------------+ | `7.9.7 <../ | sec.mon.015 | The Platform | | | ../../ref_model | | **must** ensure | | | /chapters/chapt | | that the | | | er07.md#797-mon | | Monitoring | | | itoring-and-sec | | systems are | | | urity-audit>`__ | | never starved | | | | | of resources | | | | | and **must** | | | | | activate alarms | | | | | when resource | | | | | utilisation | | | | | exceeds a | | | | | configurable | | | | | threshold. | | +-----------------+-------------+-----------------+-----------------+ | `7.9.7 <../ | sec.mon.016 | The Platform | | | ../../ref_model | | Monitoring | | | /chapters/chapt | | components | | | er07.md#797-mon | | **should** | | | itoring-and-sec | | follow security | | | urity-audit>`__ | | best practices | | | | | for auditing, | | | | | including | | | | | secure logging | | | | | and tracing. | | +-----------------+-------------+-----------------+-----------------+ | `7.9.7 <../ | sec.mon.017 | The Platform | | | ../../ref_model | | **must** audit | | | /chapters/chapt | | systems for any | | | er07.md#797-mon | | missing | | | itoring-and-sec | | security | | | urity-audit>`__ | | patches and | | | | | take | | | | | appropriate | | | | | actions. 
| | +-----------------+-------------+-----------------+-----------------+ | `7.9.7 <../ | sec.mon.018 | The Platform, | | | ../../ref_model | | starting from | | | /chapters/chapt | | initialization, | | | er07.md#797-mon | | **must** | | | itoring-and-sec | | collect and | | | urity-audit>`__ | | analyze logs to | | | | | identify | | | | | security | | | | | events, and | | | | | store these | | | | | events in an | | | | | external | | | | | system. | | +-----------------+-------------+-----------------+-----------------+ | `7.9.7 <../ | sec.mon.019 | The Platform’s | | | ../../ref_model | | components | | | /chapters/chapt | | **must not** | | | er07.md#797-mon | | include an | | | itoring-and-sec | | authentication | | | urity-audit>`__ | | credential, | | | | | e.g., password, | | | | | in any logs, | | | | | even if | | | | | encrypted. | | +-----------------+-------------+-----------------+-----------------+ | `7.9.7 <../ | sec.mon.020 | The Platform’s | | | ../../ref_model | | logging system | | | /chapters/chapt | | **must** | | | er07.md#797-mon | | support the | | | itoring-and-sec | | storage of | | | urity-audit>`__ | | security audit | | | | | logs for a | | | | | configurable | | | | | period of time. | | +-----------------+-------------+-----------------+-----------------+ | `7.9.7 <../ | sec.mon.021 | The Platform | | | ../../ref_model | | **must** store | | | /chapters/chapt | | security events | | | er07.md#797-mon | | locally if the | | | itoring-and-sec | | external | | | urity-audit>`__ | | logging system | | | | | is unavailable | | | | | and shall | | | | | periodically | | | | | attempt to send | | | | | these to the | | | | | external | | | | | logging system | | | | | until | | | | | successful. 
| | +-----------------+-------------+-----------------+-----------------+ | `7.9.8 | sec.std.001 | The Cloud | | | <../../../ref_m | | Operator | | | odel/chapters/c | | **should** | | | hapter07.md#798 | | comply with | | | -compliance-wit | | Center for | | | h-standards>`__ | | Internet | | | | | Security CIS | | | | | Controls | | | | | (`h | | | | | ttps://www.cise | | | | | curity.org/ `__) | | +-----------------+-------------+-----------------+-----------------+ | `7.9.8 | sec.std.002 | The Cloud | | | <../../../ref_m | | Operator, | | | odel/chapters/c | | Platform and | | | hapter07.md#798 | | Workloads | | | -compliance-wit | | **should** | | | h-standards>`__ | | follow the | | | | | guidance in the | | | | | CSA Security | | | | | Guidance for | | | | | Critical Areas | | | | | of Focus in | | | | | Cloud Computing | | | | | (latest | | | | | version) | | | | | `https://clouds | | | | | ecurityalliance | | | | | .org/ `__ | | +-----------------+-------------+-----------------+-----------------+ | `7.9.8 | sec.std.003 | The Platform | | | <../../../ref_m | | and Workloads | | | odel/chapters/c | | **should** | | | hapter07.md#798 | | follow the | | | -compliance-wit | | guidance in the | | | h-standards>`__ | | OWASP Cheat | | | | | Sheet Series | | | | | (OCSS) | | | | | `https://githu | | | | | b.com/OWASP/Che | | | | | atSheetSeries < | | | | | https://github. 
| | | | | com/OWASP/Cheat | | | | | SheetSeries>`__ | | +-----------------+-------------+-----------------+-----------------+ | `7.9.8 | sec.std.004 | The Cloud | | | <../../../ref_m | | Operator, | | | odel/chapters/c | | Platform and | | | hapter07.md#798 | | Workloads | | | -compliance-wit | | **should** | | | h-standards>`__ | | ensure that | | | | | their code is | | | | | not vulnerable | | | | | to the OWASP | | | | | Top Ten | | | | | Security Risks | | | | | `https:/ | | | | | /owasp.org/www- | | | | | project-top-ten | | | | | / `__ | | +-----------------+-------------+-----------------+-----------------+ | `7.9.8 | sec.std.005 | The Cloud | | | <../../../ref_m | | Operator, | | | odel/chapters/c | | Platform and | | | hapter07.md#798 | | Workloads | | | -compliance-wit | | **should** | | | h-standards>`__ | | strive to | | | | | improve their | | | | | maturity on the | | | | | OWASP Software | | | | | Maturity Model | | | | | (SAMM) | | | | | `h | | | | | ttps://owaspsam | | | | | m.org/blog/2019 | | | | | /12/20/version2 | | | | | -community-rele | | | | | ase/ `__ | | +-----------------+-------------+-----------------+-----------------+ | `7.9.8 | sec.std.006 | The Cloud | | | <../../../ref_m | | Operator, | | | odel/chapters/c | | Platform and | | | hapter07.md#798 | | Workloads | | | -compliance-wit | | **should** | | | h-standards>`__ | | utilize the | | | | | OWASP Web | | | | | Security | | | | | Testing Guide | | | | | `h | | | | | ttps://github.c | | | | | om/OWASP/wstg/t | | | | | ree/master/docu | | | | | ment `__ | | +-----------------+-------------+-----------------+-----------------+ | `7.9.8 | sec.std.007 | The Cloud | | | <../../../ref_m | | Operator, and | | | odel/chapters/c | | Platform | | | hapter07.md#798 | | **should** | | | -compliance-wit | | satisfy the | | | h-standards>`__ | | requirements | | | | | for Information | | | | | Management | | | | | Systems | | | | | specified in | | | | | ISO/IEC 27001 | | | | | `https:/ | | | | 
| /www.iso.org/ob | | | | | p/ui/#iso:std:i | | | | | so-iec:27001:ed | | | | | -2:v1:en `__. | | | | | ISO/IEC | | | | | 27002:2013 - | | | | | ISO/IEC 27001 | | | | | is the | | | | | international | | | | | Standard for | | | | | best-practice | | | | | information | | | | | security | | | | | management | | | | | systems | | | | | (ISMSs). | | +-----------------+-------------+-----------------+-----------------+ | `7.9.8 | sec.std.008 | The Cloud | | | <../../../ref_m | | Operator, and | | | odel/chapters/c | | Platform | | | hapter07.md#798 | | **should** | | | -compliance-wit | | implement the | | | h-standards>`__ | | Code of | | | | | practice for | | | | | Security | | | | | Controls | | | | | specified | | | | | ISO/IEC | | | | | 27002:2013 (or | | | | | latest) | | | | | `https: | | | | | //www.iso.org/o | | | | | bp/ui/#iso:std: | | | | | iso-iec:27002:e | | | | | d-2:v1:en `__ | | +-----------------+-------------+-----------------+-----------------+ | `7.9.8 | sec.std.009 | The Cloud | | | <../../../ref_m | | Operator, and | | | odel/chapters/c | | Platform | | | hapter07.md#798 | | **should** | | | -compliance-wit | | implement the | | | h-standards>`__ | | ISO/IEC | | | | | 27032:2012 (or | | | | | latest) | | | | | Guidelines for | | | | | Cybersecurity | | | | | techniques | | | | | `https:/ | | | | | /www.iso.org/ob | | | | | p/ui/#iso:std:i | | | | | so-iec:27032:ed | | | | | -1:v1:en `__. | | | | | ISO/IEC 27032 - | | | | | ISO/IEC 27032is | | | | | the | | | | | international | | | | | Standard | | | | | focusing | | | | | explicitly on | | | | | cybersecurity. | | +-----------------+-------------+-----------------+-----------------+ | `7.9.8 | sec.std.010 | The Cloud | | | <../../../ref_m | | Operator | | | odel/chapters/c | | **should** | | | hapter07.md#798 | | conform to the | | | -compliance-wit | | ISO/IEC 27035 | | | h-standards>`__ | | standard for | | | | | incidence | | | | | management. 
| | | | | ISO/IEC 27035 - | | | | | ISO/IEC 27035 | | | | | is the | | | | | international | | | | | Standard for | | | | | incident | | | | | management. | | +-----------------+-------------+-----------------+-----------------+ | `7.9.8 | sec.std.011 | The Cloud | | | <../../../ref_m | | Operator | | | odel/chapters/c | | **should** | | | hapter07.md#798 | | conform to the | | | -compliance-wit | | ISO/IEC 27031 | | | h-standards>`__ | | standard for | | | | | business | | | | | continuity. | | | | | ISO/IEC 27031 - | | | | | ISO/IEC 27031 | | | | | is the | | | | | international | | | | | Standard for | | | | | ICT readiness | | | | | for business | | | | | continuity. | | +-----------------+-------------+-----------------+-----------------+ | `7.9.8 | sec.std.012 | The Public | | | <../../../ref_m | | Cloud Operator | | | odel/chapters/c | | **must**, and | | | hapter07.md#798 | | the Private | | | -compliance-wit | | Cloud Operator | | | h-standards>`__ | | **may** be | | | | | certified to be | | | | | compliant with | | | | | the | | | | | International | | | | | Standard on | | | | | Awareness | | | | | Engagements | | | | | (ISAE) 3402 (in | | | | | the US: SSAE | | | | | 16). | | | | | International | | | | | Standard on | | | | | Awareness | | | | | Engagements | | | | | (ISAE) 3402. US | | | | | Equivalent: | | | | | SSAE16. | | +-----------------+-------------+-----------------+-----------------+ .. raw:: html

Table 2-6: Reference Model Requirements: Cloud Infrastructure Security Requirements
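Two of the requirements above are mechanically checkable on the log stream itself: sec.mon.001 names the fields every security log record has to carry, and sec.mon.019 forbids any authentication credential in a log, encrypted or not. The following is an added example (not code from the Reference Architecture or the Reference Model) of such a conformance check run over constructed JSON log lines; the record layout, the key names that stand in for the fields sec.mon.001 lists, the credential patterns and the sample lines are all assumptions of this example.

```python
"""Conformance check of security-audit log records against sec.mon.001 (required
fields) and sec.mon.019 (no credentials in logs) of Table 2-6.
Added example, not code from the Reference Architecture; the JSON record
layout, key names and sample lines are assumptions constructed for it."""
import json
import re
from typing import Dict, List

# Key names standing in for the fields sec.mon.001 requires: event type,
# date/time, protocol, service/program, success/failure, login or process ID,
# source and destination IP address and port. The names are an assumption.
REQUIRED_FIELDS = (
    "event_type", "timestamp", "protocol", "service", "outcome",
    "principal", "src_ip", "src_port", "dst_ip", "dst_port",
)

# sec.mon.019: illustrative shapes of credential material that must never be
# logged (key/value secrets, bearer/basic tokens, cloud access key ids, PEM
# private keys). Tune for the platform; this list is not exhaustive.
CREDENTIAL_PATTERNS = [
    re.compile(r'(?i)\b(password|passwd|pwd|secret|api[_-]?key|token)["\']?\s*[=:]\s*\S+'),
    re.compile(r"(?i)\b(bearer|basic)\s+[A-Za-z0-9+/=._-]{16,}"),
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
]


def check_record(line: str) -> List[str]:
    """Return the findings for one log line; an empty list means conformant."""
    findings: List[str] = []
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return ["sec.mon.001: record is not parseable JSON"]
    if not isinstance(rec, dict):
        return ["sec.mon.001: record is not a JSON object"]
    missing = [f for f in REQUIRED_FIELDS if f not in rec or rec[f] in ("", None)]
    if missing:
        findings.append("sec.mon.001: missing fields " + ",".join(missing))
    # Scan the raw line rather than known keys only, so credentials hidden in
    # free-text or nested values ("message", "detail") are caught as well.
    for pat in CREDENTIAL_PATTERNS:
        if pat.search(line):
            findings.append("sec.mon.019: credential-like material in log record")
            break
    return findings


def check_log(lines: List[str]) -> Dict[int, List[str]]:
    """Map 1-based line number to findings, for lines with at least one finding."""
    report: Dict[int, List[str]] = {}
    for n, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line:
            continue
        findings = check_record(line)
        if findings:
            report[n] = findings
    return report


# Constructed sample records (not real platform output). Line 1 conforms,
# line 2 leaks a bearer token, line 3 lacks network fields, line 4 logs a password.
SAMPLE_LOG = [
    '{"event_type":"login","timestamp":"2024-01-01T00:00:00Z","protocol":"ssh","service":"sshd","outcome":"success","principal":"uid=1001","src_ip":"10.0.0.5","src_port":51234,"dst_ip":"10.0.1.2","dst_port":22}',
    '{"event_type":"login","timestamp":"2024-01-01T00:00:01Z","protocol":"https","service":"kube-apiserver","outcome":"failure","principal":"system:anonymous","src_ip":"10.0.0.9","src_port":40000,"dst_ip":"10.0.1.3","dst_port":6443,"message":"Authorization: Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjEifQ"}',
    '{"event_type":"privilege_escalation","timestamp":"2024-01-01T00:00:02Z","service":"sudo","outcome":"success","principal":"uid=1001"}',
    '{"event_type":"config_change","timestamp":"2024-01-01T00:00:03Z","protocol":"https","service":"kube-apiserver","outcome":"success","principal":"admin","src_ip":"10.0.0.7","src_port":40100,"dst_ip":"10.0.1.3","dst_port":6443,"password":"hunter2"}',
]

if __name__ == "__main__":
    for n, findings in check_log(SAMPLE_LOG).items():
        print(n, findings)
```

The check is meant to run on the collector side (the external system sec.mon.018 and sec.mon.021 refer to), where a finding on sec.mon.019 should both alert and trigger redaction before the record is retained for the sec.mon.020 storage period.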

.. _23-kubernetes-architecture-requirements:

2.3 Kubernetes Architecture Requirements
----------------------------------------

The Reference Model (RM) defines the Cloud Infrastructure, which consists of the physical resources, virtualised resources and a software management system. In the virtualised world, the Cloud Infrastructure consists of the Guest Operating System, Hypervisor and, if needed, other software such as libvirt. The Cloud Infrastructure Management component is responsible for, among others, tenant management, resource management, inventory, scheduling, and access management.

Now consider the containerisation equivalent: references to "Architecture" in this chapter refer to the Cloud Infrastructure Hardware (e.g. physical resources), Cloud Infrastructure Software (e.g. Hypervisor (optional), Container Runtime, virtual or container Orchestrator(s), Operating System), and infrastructure resources consumed by virtual machines or containers.

The requirements in this section are to be delivered in addition to those in `section 2.2 <#2.2>`__, and have been created to support the Principles defined in `Chapter 1 of this Reference Architecture <./chapter01.md>`__.

.. list-table::
   :header-rows: 1
   :widths: 14 12 12 42 20

   * - Ref #
     - Category
     - Sub-category
     - Description
     - Specification Reference
   * - ``req.gen.cnt.02``
     - General
     - Cloud nativeness
     - The Architecture **must** support immutable infrastructure.
     - ra2.ch.017
   * - ``req.gen.cnt.03``
     - General
     - Cloud nativeness
     - The Architecture **must** run conformant Kubernetes as defined by the `CNCF <https://github.com/cncf/k8s-conformance>`__.
     - ra2.k8s.001
   * - ``req.gen.cnt.04``
     - General
     - Cloud nativeness
     - The Architecture **must** support clearly defined abstraction layers.
     -
   * - ``req.gen.cnt.05``
     - General
     - Cloud nativeness
     - The Architecture **should** support configuration of all components in an automated manner using openly published API definitions.
     -
   * - ``req.gen.scl.01``
     - General
     - Scalability
     - The Architecture **should** support policy driven horizontal auto-scaling of workloads.
     -
   * - ``req.gen.rsl.01``
     - General
     - Resiliency
     - The Architecture **must** support resilient Kubernetes components that are required for the continued availability of running workloads.
     - ra2.k8s.004
   * - ``req.gen.rsl.02``
     - General
     - Resiliency
     - The Architecture **should** support resilient Kubernetes service components that are not subject to ``req.gen.rsl.01``.
     - ra2.k8s.002, ra2.k8s.003
   * - ``req.gen.avl.01``
     - General
     - Availability
     - The Architecture **must** provide High Availability for Kubernetes components.
     - ra2.k8s.002, ra2.k8s.003, ra2.k8s.004
   * - ``req.gen.ost.01``
     - General
     - Openness
     - The Architecture **should** embrace open-based standards and technologies.
     - ra2.crt.001, ra2.crt.002, ra2.ntw.002, ra2.ntw.006, ra2.ntw.007
   * - ``req.inf.com.01``
     - Infrastructure
     - Compute
     - The Architecture **must** provide compute resources for Pods.
     - ra2.k8s.004
   * - ``req.inf.stg.01``
     - Infrastructure
     - Storage
     - The Architecture **must** support the ability for an operator to choose whether or not to deploy persistent storage for Pods.
     - ra2.stg.004
   * - ``req.inf.ntw.01``
     - Infrastructure
     - Network
     - The Architecture **must** support network resiliency on the Kubernetes nodes.
     -
   * - ``req.inf.ntw.02``
     - Infrastructure
     - Network
     - The Architecture **must** support fully redundant network connectivity to the Kubernetes nodes, leveraging multiple network connections.
     -
   * - ``req.inf.ntw.03``
     - Infrastructure
     - Network
     - The networking solution **should** be able to be centrally administrated and configured.
     - ra2.ntw.001, ra2.ntw.004
   * - ``req.inf.ntw.04``
     - Infrastructure
     - Network
     - The Architecture **must** support dual stack IPv4 and IPv6 for Kubernetes workloads.
     - ra2.ch.007, ra2.k8s.010
   * - ``req.inf.ntw.05``
     - Infrastructure
     - Network
     - The Architecture **must** support capabilities for integrating SDN controllers.
     -
   * - ``req.inf.ntw.06``
     - Infrastructure
     - Network
     - The Architecture **must** support more than one networking solution.
     - ra2.ntw.005, ra2.ntw.007
   * - ``req.inf.ntw.07``
     - Infrastructure
     - Network
     - The Architecture **must** support the ability for an operator to choose whether or not to deploy more than one networking solution.
     - ra2.ntw.005
   * - ``req.inf.ntw.08``
     - Infrastructure
     - Network
     - The Architecture **must** provide a default network which implements the Kubernetes network model.
     - ra2.ntw.002
   * - ``req.inf.ntw.09``
     - Infrastructure
     - Network
     - The networking solution **must not** interfere with or cause interference to any interface or network it does not own.
     -
   * - ``req.inf.ntw.10``
     - Infrastructure
     - Network
     - The Architecture **must** support Cluster wide coordination of IP address assignment.
     -
   * - ``req.inf.ntw.13``
     - Infrastructure
     - Network
     - The platform **must** allow specifying multiple separate IP pools. Tenants are required to select at least one IP pool that is different from the control infrastructure IP pool or other tenant IP pools.
     -
   * - ``req.inf.ntw.14``
     - Infrastructure
     - Network
     - The platform **must** support NAT-less traffic (i.e. exposing the pod IP address directly to the outside), allowing source and destination IP addresses to be preserved in the traffic headers from workloads to external networks. This is needed e.g. for signaling applications, using SIP and Diameter protocols.
     - ra2.ntw.011
   * - ``req.inf.vir.01``
     - Infrastructure
     - Virtual Infrastructure
     - The Architecture **must** support the capability for Containers to consume infrastructure resources abstracted by Host Operating Systems that are running within a virtual machine.
     - ra2.ch.005, ra2.ch.011
   * - ``req.inf.phy.01``
     - Infrastructure
     - Physical Infrastructure
     - The Architecture **must** support the capability for Containers to consume infrastructure resources abstracted by Host Operating Systems that are running within a physical server.
     - ra2.ch.008
   * - ``req.kcm.gen.01``
     - Kubernetes Cluster
     - General
     - The Architecture **must** support policy driven horizontal auto-scaling of Kubernetes Cluster.
     -
   * - ``req.kcm.gen.02``
     - Kubernetes Cluster
     - General
     - The Architecture **must** enable workload resiliency.
     - ra2.k8s.004
   * - ``req.int.api.01``
     - API
     - General
     - The Architecture **must** leverage the Kubernetes APIs to discover and declaratively manage compute (virtual and bare metal resources), network, and storage.
     - For Networking: ra2.ntw.001, ra2.ntw.008, ra2.app.006. Compute/storage not yet met.
   * - ``req.int.api.02``
     - API
     - General
     - The Architecture **must** support the usage of a Kubernetes Application package manager using the Kubernetes API, like Helm v3.
     - ra2.pkg.001
   * - ``req.int.api.03``
     - API
     - General
     - The Architecture **must** support stable features in its APIs.
     -
   * - ``req.int.api.04``
     - API
     - General
     - The Architecture **must** support limited backward compatibility in its APIs. Support for the whole API must not be dropped, but the schema or other details can change.
     -

Table 2-7: Kubernetes Architecture Requirements
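``req.inf.ntw.13`` is one of the few rows in Table 2-7 that can be verified from configuration alone: given the control-infrastructure IP pools and each tenant's pools, every tenant must hold at least one pool that overlaps neither the control pools nor any other tenant's pools. The following is an added example (not code from the Reference Architecture) of that check using the standard ``ipaddress`` module; the pool layout, tenant names and result structure are constructed for illustration, and a pool is reported with the specific control pool or tenant it collides with so an operator can see why a tenant fails.

```python
"""Conformance check of tenant IP pool selection against req.inf.ntw.13 of
Table 2-7. Added example, not code from the Reference Architecture; the pool
layout, tenant names and result layout are assumptions constructed for it."""
import ipaddress
from typing import Dict, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_pools(cidrs: List[str]) -> List[Network]:
    """Parse CIDR strings; strict=True rejects prefixes with host bits set,
    which usually indicates a mistyped pool definition."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def overlaps(a: Network, b: Network) -> bool:
    """True when two pools share at least one address. An IPv4 pool and an
    IPv6 pool never overlap, so dual-stack layouts are compared per family."""
    return a.version == b.version and a.overlaps(b)


def check_ip_pools(control_pools: List[str],
                   tenant_pools: Dict[str, List[str]]) -> Dict[str, dict]:
    """Evaluate req.inf.ntw.13 for every tenant.

    A tenant is conformant when at least one of its pools is disjoint from all
    control-infrastructure pools and from every pool of every other tenant.
    Per tenant the result lists the dedicated (disjoint) pools and each overlap
    found, labelled with what it collides with."""
    control = parse_pools(control_pools)
    parsed = {tenant: parse_pools(cidrs) for tenant, cidrs in tenant_pools.items()}
    results: Dict[str, dict] = {}
    for tenant, pools in parsed.items():
        dedicated: List[str] = []
        found: List[str] = []
        for net in pools:
            hits = [f"control {c}" for c in control if overlaps(net, c)]
            hits += [f"{other} {o}" for other, nets in parsed.items()
                     if other != tenant for o in nets if overlaps(net, o)]
            if hits:
                found.extend(f"{net} overlaps {h}" for h in hits)
            else:
                dedicated.append(str(net))
        results[tenant] = {
            "conformant": bool(dedicated),
            "dedicated": dedicated,
            "overlaps": found,
        }
    return results


# Constructed sample layout (not taken from any real deployment).
CONTROL_POOLS = ["10.0.0.0/16", "fd00:c::/64"]
TENANT_POOLS = {
    "tenant-a": ["10.1.0.0/16", "fd00:a::/64"],  # v6 pool is dedicated: conformant
    "tenant-b": ["10.0.128.0/17"],               # lies inside the control pool
    "tenant-c": ["10.1.0.0/16"],                 # reuses tenant-a's v4 pool
}

if __name__ == "__main__":
    for tenant, r in check_ip_pools(CONTROL_POOLS, TENANT_POOLS).items():
        status = "OK" if r["conformant"] else "FAIL"
        print(f"{tenant}: {status} dedicated={r['dedicated']} overlaps={r['overlaps']}")
```

Note that tenant-a passes even though its IPv4 pool collides with tenant-c's, because the requirement asks for at least one separate pool per tenant; the overlap is still reported so the shared pool can be reviewed against ``req.inf.ntw.10`` (cluster-wide coordination of IP address assignment).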