From 536129afb4af7d0ad26acac6711607dfcf559a9e Mon Sep 17 00:00:00 2001 From: Valentin Knabel Date: Thu, 7 Aug 2025 09:07:43 +0200 Subject: [PATCH 1/4] docs: technologies Mirror PR of metal-stack/docs#302 Co-authored-by: Simon Mayer --- .../Security/04-communication-matrix.md | 225 +++++++++++------- .../technologies-and-protocols.md | 6 - 2 files changed, 141 insertions(+), 90 deletions(-) delete mode 100644 docs/docs/05-For CISOs/technologies-and-protocols.md diff --git a/docs/docs/05-For CISOs/Security/04-communication-matrix.md b/docs/docs/05-For CISOs/Security/04-communication-matrix.md index efcbe5d..0a496f8 100644 --- a/docs/docs/05-For CISOs/Security/04-communication-matrix.md +++ b/docs/docs/05-For CISOs/Security/04-communication-matrix.md 
@@ -20,62 +20,101 @@ This matrix describes the communication between components in the metal-stack an Description The following table might not be displayed in completeness. Scroll to the right to see all entries. ::: -| No. | Component | Source Zone | Protocol | Destination | Destination Zone | Port | C | I | Auth | Trust | Purpose | Notes | -| :--: | :--------------------: | :--------------------: | :------: | :--------------------: | :------------------: | :---: | :-: | :-: | :--: | :---: | :----------------------------: | :----------------------------------------------: | -| 1.1 | metalctl | Internet | HTTPS | metal-api | Metal Control Plane | 443 | x | x | x | | API Requests | Used for management operations. | -| 1.2 | metalctl | Internet | HTTPS | OIDC Provider | unknown | 443 | x | x | x | | Authentication & Authorization | Optional. Needs to be configured. | -| 1.3 | metalctl | Internet | HTTPS | GitHub | Internet | 443 | x | x | | | Updater | Used for updates and version checks. | -| 2.1 | metal-api | Metal Control Plane | TCP | metal-db | Metal Control Plane | 28015 | | | x | x | RethinkDB | Database access. | -| 2.2 | metal-api | Metal Control Plane | TCP | masterdata-api | Metal Control Plane | 8443 | | | x | x | Postgres | Database access. | -| 2.3 | metal-api | Metal Control Plane | HTTP | ipam | Metal Control Plane | 9090 | | | | x | Address Management | Used to manage IP addresses. | -| 2.4 | metal-api | Metal Control Plane | TLS | nsq | Metal Control Plane | 4150 | x | x | x | x | Machine Operation | Used for machine operations and notifications. | -| 2.5 | metal-api | Metal Control Plane | HTTP | nsq lookupd | Metal Control Plane | 4161 | | | x | x | Machine Operation | Used for machine operations and notifications. | -| 2.6 | metal-api | Metal Control Plane | TCP | auditing timescaledb | Metal Control Plane | 5432 | | | x | x | Audit Logs | Logging of auditing events. Used for compliance. 
| -| 2.7 | metal-api | Metal Control Plane | HTTPS | headscale | Metal Control Plane | 50443 | x | x | x | x | Headscale API | Headscale is used for VPN networking. | -| 2.8 | metal-api | Metal Control Plane | HTTPS | S3-compatible Storage | unknown | 443 | ? | ? | ? | ? | Firmware | Optional. Needs to be configured. | -| 2.9 | metal-api | Metal Control Plane | HTTPS | OIDC Provider | unknown | 443 | ? | ? | ? | ? | Authentication & Authorization | Optional. Needs to be configured. | -| 3.1 | metal-apiserver | Metal Control Plane | TCP | valkey | Metal Control Plane | 6379 | | | x | x | Background Jobs | Used for background job processing and caching. | -| 3.2 | metal-apiserver | Metal Control Plane | TCP | metal-db | Metal Control Plane | 28015 | x | x | x | x | RethinkDB | Database access. | -| 3.3 | metal-apiserver | Metal Control Plane | TCP | masterdata-api | Metal Control Plane | 8080 | | | x | x | Postgres | Database access. | -| 3.4 | metal-apiserver | Metal Control Plane | HTTP | ipam | Metal Control Plane | 9090 | | | | x | Address Management | Used to manage IP addresses. | -| 3.5 | metal-apiserver | Metal Control Plane | TCP | auditing timescaledb | Metal Control Plane | 5432 | | | x | x | Audit Logs | Logging of auditing events. Used for compliance. | -| 3.6 | metal-apiserver | Metal Control Plane | HTTPS | headscale | Metal Control Plane | 50443 | x | x | x | x | Headscale API | Headscale is used for VPN networking. | -| 3.7 | metal-apiserver | Metal Control Plane | HTTPS | OIDC Provider | unknown | 443 | x | x | x | ? | Authentication & Authorization | Optional. Needs to be configured. | -| 4.1 | masterdata-api | Metal Control Plane | TCP | masterdata-db | Metal Control Plane | 5432 | | | x | x | Postgres database access | Database access. | -| 5.1 | ipam | Metal Control Plane | TCP | ipam-db | Metal Control Plane | 5432 | | | x | x | Postgres database access | Database access. 
| -| 6.1 | backup-restore-sidecar | Metal Control Plane | HTTPS | S3-compatible Storage | unknown | 443 | ? | ? | ? | ? | Backup & Restore | Optional. Needs to be configured. | -| 6.2 | backup-restore-sidecar | Metal Control Plane | HTTPS | Google API | Internet | 443 | x | x | x | | Backup & Restore | Optional. Needs to be configured. | -| 6.3 | backup-restore-sidecar | Metal Control Plane | TCP | Postgres | Metal Control Plane | 5432 | | | x | x | Backup & Restore | Optional. Needs to be configured. | -| 6.4 | backup-restore-sidecar | Metal Control Plane | TCP | RethinkDB | Metal Control Plane | 28015 | | | x | x | Backup & Restore | Optional. Needs to be configured. | -| 6.5 | backup-restore-sidecar | Metal Control Plane | TCP | ETCD | Metal Control Plane | 2380 | | | x | x | Backup & Restore | Optional. Needs to be configured. | -| 6.6 | backup-restore-sidecar | Metal Control Plane | TCP | Redis | Metal Control Plane | 6379 | | | x | x | Backup & Restore | Optional. Needs to be configured. | -| 6.7 | backup-restore-sidecar | Metal Control Plane | TCP | keydb | Metal Control Plane | 6379 | | | x | x | Backup & Restore | Optional. Needs to be configured. | -| 7.1 | metal-console | Partition Management | HTTP | metal-api | Metal Control Plane | 8080 | | | x | x | API Requests | Used for management operations. | -| 7.2 | metal-console | Partition Management | HTTPS | metal-bmc | Partition Management | 3333 | x | x | x | x | Machine Management | Used for management operations. | -| 8.1 | ssh | unknown | TCP | metal-console | Partition Management | 10001 | x | x | x | ? | Machine Access (SSH) | Used to access the metal-console via SSH. | -| 9.1 | pixiecore | Partition Management | HTTPS | metal-api | Metal Control Plane | 443 | x | x | x | x | API Requests | Used for management operations. | -| 10.1 | metal-bmc | Partition Management | HTTPS | metal-api | Metal Control Plane | 443 | x | x | x | x | API Requests | Used for management operations. 
| -| 10.2 | metal-bmc | Partition Management | TLS | nsq | Partition Management | 4150 | x | x | x | x | Machine Operation | Used for machine operations and notifications. | -| 10.2 | metal-bmc | Partition Management | IPMI | machine BMC | Machine | 623 | | | x | x | Machine Operation | Used for BMC management. | -| 11.1 | metal-cache-image-sync | Partition Management | HTTPS | S3-compatible Storage | unknown | 443 | ? | ? | ? | | Image Caching and Sync | Optional. Needs to be configured. | -| 11.2 | metal-cache-image-sync | Partition Management | HTTPS | metal-api | Metal Control Plane | 443 | x | x | x | | API Requests | Used for management operations. | -| 12.1 | metal-core | Partition Switch Plane | HTTPS | metal-api | Metal Control Plane | 443 | x | x | x | x | API Requests | Used for management operations. | -| 12.2 | metal-core | Partition Switch Plane | TCP | SONiC ConfigDB Redis | Switch | 6379 | | | | x | API Requests | Used for management operations. | -| 13.1 | metal-hammer | Machine | HTTPS | metal-api | Metal Control Plane | 443 | x | x | x | x | API Requests | Used for management operations. | -| 13.2 | metal-hammer | Machine | HTTPS | pixiecore | Partition Management | 443 | x | x | | x | Machine Management | Used for machine management. | -| 13.3 | metal-hammer | Machine | HTTPS | Prometheus | unknown | 443 | x | x | x | x | Monitoring | Actively pushes metrics to Prometheus. | -| 13.4 | metal-hammer | Machine | HTTP | HAProxy | Metal Control Plane | 9001 | | x | | x | Image Caching and Pulling | Used to pull images via HAProxy. | -| 13.5 | metal-hammer | Machine | HTTPS | Container Registry | internet | 443 | x | x | ? | | Image and Pulling | Used to pull images from the registry. | -| 14.1 | machine firmware | Machine | HTTPS | pixiecore | Partition Management | 443 | x | x | | x | Machine Management | Used to provision machines. 
| -| 14.2 | machine firmware | Machine | TFTP | pixiecore | Partition Management | 69 | | | | x | Machine OS Provisioning | Used to provision machine firmware. | -| 15.1 | machine OS | Machine | DHCP | DHCP Server | Machine | 67/68 | | | | x | Machine OS Provisioning | Used to obtain an IP address. | -| 15.2 | machine OS | Machine | DNS | DNS Server | Machine | 53 | | | | x | Machine OS Resolution | Used to resolve hostnames. | -| 15.3 | machine OS | Machine | NTP | NTP Server | Machine | 123 | | | | x | Machine OS Time Sync | Used to synchronize time with the NTP server. | -| 16.1 | metal-metrics-exporter | Metal Control Plane | HTTPS | metal-api | Metal Control Plane | 443 | x | x | x | x | Monitoring | Scrapes metrics from metal-api. | -| 17.1 | prometheus | Metal Control Plane | HTTPS | metal-api | Metal Control Plane | 443 | x | x | x | x | Monitoring | Scrapes metrics from metal-api. | -| 17.2 | prometheus | Metal Control Plane | HTTPS | metal-metrics-exporter | Metal Control Plane | 9080 | | | | x | Monitoring | Scrapes metrics from metal-metrics-exporter. | -| 17.3 | prometheus | Metal Control Plane | HTTPS | metal-apiserver | Metal Control Plane | 443 | x | x | x | x | Monitoring | Scrapes metrics from metal-apiserver. | -| 17.4 | prometheus | Metal Control Plane | HTTPS | masterdata-api | Metal Control Plane | 2113 | x | x | x | x | Monitoring | Scrapes metrics from masterdata-api. | +| No. | Component | Source Zone | Protocol | Destination | Destination Zone | Port | C | I | Auth | Trust | Purpose | Notes | +| ---- | ---------------------- | -------------------- | :------: | ---------------------- | -------------------- | :---: | :-: | :-: | :--: | :---: | ------------------------------ | ------------------------------------------------ | +| 1.1 | metalctl | Internet | HTTPS | metal-api | Metal Control Plane | 443 | x | x | x | | API Requests | Used for management operations. 
| +| 1.2 | metalctl | Internet | HTTPS | OIDC Provider | unknown | 443 | x | x | x | | Authentication & Authorization | Optional. Needs to be configured. | +| 1.3 | metalctl | Internet | HTTPS | GitHub | Internet | 443 | x | x | | | Updater | Used for updates and version checks. | +| 2.1 | metal-api | Metal Control Plane | TCP | metal-db | Metal Control Plane | 28015 | | | x | x | RethinkDB | Database access. | +| 2.2 | metal-api | Metal Control Plane | TCP | masterdata-api | Metal Control Plane | 8443 | | | x | x | Postgres | Database access. | +| 2.3 | metal-api | Metal Control Plane | HTTP | ipam | Metal Control Plane | 9090 | | | | x | Address Management | Used to manage IP addresses. | +| 2.4 | metal-api | Metal Control Plane | TLS | nsq | Metal Control Plane | 4150 | x | x | x | x | Machine Operation | Used for machine operations and notifications. | +| 2.5 | metal-api | Metal Control Plane | HTTP | nsq lookupd | Metal Control Plane | 4161 | | | x | x | Machine Operation | Used for machine operations and notifications. | +| 2.6 | metal-api | Metal Control Plane | TCP | auditing timescaledb | Metal Control Plane | 5432 | | | x | x | Audit Logs | Logging of auditing events. Used for compliance. | +| 2.7 | metal-api | Metal Control Plane | HTTPS | headscale | Metal Control Plane | 50443 | x | x | x | x | Headscale API | Headscale is used for VPN networking. | +| 2.8 | metal-api | Metal Control Plane | HTTPS | S3-compatible Storage | unknown | 443 | ? | ? | ? | ? | Firmware | Optional. Needs to be configured. | +| 2.9 | metal-api | Metal Control Plane | HTTPS | OIDC Provider | unknown | 443 | ? | ? | ? | ? | Authentication & Authorization | Optional. Needs to be configured. | +| 3.1 | metal-apiserver | Metal Control Plane | TCP | valkey | Metal Control Plane | 6379 | | | x | x | Background Jobs | Used for background job processing and caching. 
| +| 3.2 | metal-apiserver | Metal Control Plane | TCP | metal-db | Metal Control Plane | 28015 | x | x | x | x | RethinkDB | Database access. | +| 3.3 | metal-apiserver | Metal Control Plane | TCP | masterdata-api | Metal Control Plane | 8080 | | | x | x | Postgres | Database access. | +| 3.4 | metal-apiserver | Metal Control Plane | HTTP | ipam | Metal Control Plane | 9090 | | | | x | Address Management | Used to manage IP addresses. | +| 3.5 | metal-apiserver | Metal Control Plane | TCP | auditing timescaledb | Metal Control Plane | 5432 | | | x | x | Audit Logs | Logging of auditing events. Used for compliance. | +| 3.6 | metal-apiserver | Metal Control Plane | HTTPS | headscale | Metal Control Plane | 50443 | x | x | x | x | Headscale API | Headscale is used for VPN networking. | +| 3.7 | metal-apiserver | Metal Control Plane | HTTPS | OIDC Provider | unknown | 443 | x | x | x | ? | Authentication & Authorization | Optional. Needs to be configured. | +| 4.1 | masterdata-api | Metal Control Plane | TCP | masterdata-db | Metal Control Plane | 5432 | | | x | x | Postgres database access | Database access. | +| 5.1 | ipam | Metal Control Plane | TCP | ipam-db | Metal Control Plane | 5432 | | | x | x | Postgres database access | Database access. | +| 6.1 | backup-restore-sidecar | Metal Control Plane | HTTPS | S3-compatible Storage | unknown | 443 | ? | ? | ? | ? | Backup & Restore | Optional. Needs to be configured. | +| 6.2 | backup-restore-sidecar | Metal Control Plane | HTTPS | Google API | Internet | 443 | x | x | x | | Backup & Restore | Optional. Needs to be configured. | +| 6.3 | backup-restore-sidecar | Metal Control Plane | TCP | Postgres | Metal Control Plane | 5432 | | | x | x | Backup & Restore | Optional. Needs to be configured. | +| 6.4 | backup-restore-sidecar | Metal Control Plane | TCP | RethinkDB | Metal Control Plane | 28015 | | | x | x | Backup & Restore | Optional. Needs to be configured. 
| +| 6.5 | backup-restore-sidecar | Metal Control Plane | TCP | ETCD | Metal Control Plane | 2380 | | | x | x | Backup & Restore | Optional. Needs to be configured. | +| 6.6 | backup-restore-sidecar | Metal Control Plane | TCP | Redis | Metal Control Plane | 6379 | | | x | x | Backup & Restore | Optional. Needs to be configured. | +| 6.7 | backup-restore-sidecar | Metal Control Plane | TCP | keydb | Metal Control Plane | 6379 | | | x | x | Backup & Restore | Optional. Needs to be configured. | +| 7.1 | metal-console | Partition Management | HTTP | metal-api | Metal Control Plane | 8080 | | | x | x | API Requests | Used for management operations. | +| 7.2 | metal-console | Partition Management | HTTPS | metal-bmc | Partition Management | 3333 | x | x | x | x | Machine Management | Used for management operations. | +| 8.1 | ssh | unknown | TCP | metal-console | Partition Management | 10001 | x | x | x | ? | Machine Access (SSH) | Used to access the metal-console via SSH. | +| 9.1 | pixiecore | Partition Management | HTTPS | metal-api | Metal Control Plane | 443 | x | x | x | x | API Requests | Used for management operations. | +| 10.1 | metal-bmc | Partition Management | HTTPS | metal-api | Metal Control Plane | 443 | x | x | x | x | API Requests | Used for management operations. | +| 10.2 | metal-bmc | Partition Management | TLS | nsq | Partition Management | 4150 | x | x | x | x | Machine Operation | Used for machine operations and notifications. | +| 10.2 | metal-bmc | Partition Management | IPMI | machine BMC | Machine | 623 | | | x | x | Machine Operation | Used for BMC management. | +| 11.1 | metal-cache-image-sync | Partition Management | HTTPS | S3-compatible Storage | unknown | 443 | ? | ? | ? | | Image Caching and Sync | Optional. Needs to be configured. | +| 11.2 | metal-cache-image-sync | Partition Management | HTTPS | metal-api | Metal Control Plane | 443 | x | x | x | | API Requests | Used for management operations. 
| +| 12.1 | metal-hammer | Machine | HTTPS | metal-api | Metal Control Plane | 443 | x | x | x | x | API Requests | Used for management operations. | +| 12.2 | metal-hammer | Machine | HTTPS | pixiecore | Partition Management | 443 | x | x | | x | Machine Management | Used for machine management. | +| 12.3 | metal-hammer | Machine | HTTPS | Prometheus | unknown | 443 | x | x | x | x | Monitoring | Actively pushes metrics to Prometheus. | +| 12.4 | metal-hammer | Machine | HTTP | HAProxy | Metal Control Plane | 9001 | | x | | x | Image Caching and Pulling | Used to pull images via HAProxy. | +| 12.5 | metal-hammer | Machine | HTTPS | Container Registry | internet | 443 | x | x | ? | | Image and Pulling | Used to pull images from the registry. | +| 13.1 | machine firmware | Machine | HTTPS | pixiecore | Partition Management | 443 | x | x | | x | Machine Management | Used to provision machines with iPXE. | +| 13.2 | machine firmware | Machine | TFTP | pixiecore | Partition Management | 69 | | | | x | Machine OS Provisioning | Used to provision machine firmware. | +| 14.1 | machine OS | Machine | DHCP | DHCP Server | Machine | 67/68 | | | | x | Machine OS Provisioning | Used to obtain an IP address. | +| 14.2 | machine OS | Machine | DNS | DNS Server | Machine | 53 | | | | x | Machine OS Resolution | Used to resolve hostnames. | +| 14.3 | machine OS | Machine | NTP | NTP Server | Machine | 123 | | | | x | Machine OS Time Sync | Used to synchronize time with the NTP server. | +| 15.1 | metal-metrics-exporter | Metal Control Plane | HTTPS | metal-api | Metal Control Plane | 443 | x | x | x | x | Monitoring | Scrapes metrics from metal-api. | +| 16.1 | prometheus | Metal Control Plane | HTTPS | metal-api | Metal Control Plane | 443 | x | x | x | x | Monitoring | Scrapes metrics from metal-api. | +| 16.2 | prometheus | Metal Control Plane | HTTPS | metal-metrics-exporter | Metal Control Plane | 9080 | | | | x | Monitoring | Scrapes metrics from metal-metrics-exporter. 
| +| 16.3 | prometheus | Metal Control Plane | HTTPS | metal-apiserver | Metal Control Plane | 443 | x | x | x | x | Monitoring | Scrapes metrics from metal-apiserver. | +| 16.4 | prometheus | Metal Control Plane | HTTPS | masterdata-api | Metal Control Plane | 2113 | x | x | x | x | Monitoring | Scrapes metrics from masterdata-api. | + +### Used Technologies + +| Technology | Parties | Notes | +| --------------------------------- | ---------- | -------------------------------------------------------------------------------- | +| iPXE | Machines | Used for network-based bootstrapping of machines. | +| DHCP | All | Used for obtaining IP addresses and boot configurations. | +| TFTP | Machines | Used for transferring boot files to machines. | +| HTTP | Multiple | Communication in trusted networks. | +| HTTPS | Multiple | Cross-network communication. | +| DNS | Multiple | Used for resolving hostnames to IP addresses. | +| Kubernetes | Cluster | Metal-stack components running in pods. Optional, but recommended. | +| Container Network Interface (CNI) | Kubernetes | Provides networking capabilities for pods in a cluster. Required for Kubernetes. | + +## With SONiC + +While metal-stack does not directly depend on SONiC, it is the only actively maintained implementation of our networking stack. Therefore, the following communication is required by metal-stack components to interact with SONiC. +Please note that every networking setup has its own requirements and configurations, so the following table might not be complete for your setup. + +| No. 
| Component | Source Zone | Protocol | Destination | Destination Zone | Port | C | I | Auth | Trust | Purpose | Notes | +| ---- | ---------- | ----------------- | :------: | -------------------- | ------------------- | :---: | :-: | :-: | :--: | :---: | ------------- | --------------------------------------------- | +| S1.1 | metal-core | Leaf Switches | HTTPS | metal-api | Metal Control Plane | 443 | x | x | x | x | API Requests | Used for management operations. | +| S1.2 | metal-core | Leaf Switches | TCP | SONiC ConfigDB Redis | Switch | 6379 | | | | x | API Requests | Used for management operations. | +| S2.1 | DHCP Relay | Leaf Switches | TCP/UDP | DHCP Server | Management Server | 67/68 | | | | x | DHCP Requests | Used to forward DHCP requests. | +| S3.1 | ssh client | unknown | SSH | ssh daemon | Management Server | 22 | x | x | x | | SSH Access | Used to access the management server via SSH. | +| S3.2 | ssh client | Management Server | SSH | ssh daemon | Switch | 22 | x | x | x | x | SSH Access | Used to access the SONiC switch via SSH. | +| S4.1 | FRRouting | Firewall | BGP | FRRouting | Switches | 179 | | | | x | Routing | Used for dynamic routing. | +| S4.2 | FRRouting | Machine | BGP | FRRouting | Firewall | 179 | | | | x | Routing | Used for dynamic routing. | + +### Used Technologies + +| Technology | Parties | Notes | +| ---------- | --------------------------- | --------------------------------------------------------------------------- | +| VRF | Switches, Firewalls | Isolation of network segments, e.g. for management and data traffic. | +| VLAN | Switches, Firewalls | Layer 2 traffic segmentation. | +| VXLAN | Switches, Firewalls | Encapsulate Layer 2 frames in Layer 3 packets for network virtualization. | +| EVPN | Switches, Firewalls | Overlay network technology for scalable and flexible network architectures. | +| BGP | Multiple | Routing protocol for dynamic routing and network management. 
| +| ssh | Management Server, Switches | Secure shell access for management and configuration. | +| LLDP | Switches, Machines | Link Layer Discovery Protocol for network device discovery. | +| ICMP | Multiple | Used for network diagnostics and reachability testing. | ## With Gardener 
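Review bot: the "Used Technologies" table added in this hunk says HTTP is for "Communication in trusted networks" and HTTPS for "Cross-network communication", yet two rows in the same hunk cross zones over plain HTTP with C and I left blank: `| 7.1 | metal-console | Partition Management | HTTP | metal-api | Metal Control Plane | 8080 | | | x | x | ...` and `| 12.4 | metal-hammer | Machine | HTTP | HAProxy | Metal Control Plane | 9001 | | x | | x | ...`. Either the rows are wrong or their Notes should state why a plaintext hop between zones is accepted there (for 12.4 the I mark suggests the pulled images are integrity-checked; if so, say so). Smaller points in the same hunk: row number 10.2 is used twice (nsq and IPMI), so the IPMI row should become 10.3; 12.5 reads "Image and Pulling" and "internet" where the rest of the table uses "Internet"; the SONiC table calls what appears to be one zone "Leaf Switches", "Switches" and "Switch" in different rows; S2.1 lists DHCP as "TCP/UDP" although DHCP is UDP only, and it places the DHCP server in "Management Server" while 14.1 places it in "Machine"; and S4.1/S4.2 leave Auth blank for BGP, so a line in Notes on whether the peering is protected (TCP MD5/TCP-AO) or relies solely on the isolated network would help a reader assessing the routing plane.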
@@ -85,21 +124,27 @@ When using metal-stack in conjunction with Gardener, the following communication The following table might not be displayed in completeness. Scroll to the right to see all entries. ::: -| No. | Component | Source Zone | Protocol | Destination | Destination Zone | Port | C | I | Auth | Trust | Purpose | Notes | -| :--: | :---------------------------------------: | :----------: | :------: | :------------: | :-----------------: | :--: | :-: | :-: | :--: | :---: | :----------: | :-----------------------------------------: | -| G1.1 | metal-ccm | Seed Cluster | HTTPS | metal-api | Metal Control Plane | 443 | x | x | x | x | API Requests | Used for management operations. | -| G1.2 | metal-ccm | Seed Cluster | HTTPS | kube-apiserver | Shoot Cluster | 443 | x | x | x | x | API Requests | Used for management operations. | -| G2.1 | firewall-controller-manager | Seed Cluster | HTTPS | metal-api | Metal Control Plane | 443 | x | x | x | x | API Requests | Used for firewall management. | -| G2.2 | firewall-controller-manager | Seed Cluster | HTTPS | kube-apiserver | Seed Cluster | 443 | x | x | x | x | API Requests | Used for firewall management. | -| G2.3 | firewall-controller-manager | Seed Cluster | HTTPS | kube-apiserver | Shoot Cluster | 443 | x | x | x | x | API Requests | Used for firewall management. | -| G3.1 | firewall-controller | Firewall | HTTPS | kube-apiserver | Seed Cluster | 443 | x | x | x | x | API Requests | Used for firewall management. | -| G3.2 | firewall-controller | Firewall | HTTPS | kube-apiserver | Shoot Cluster | 443 | x | x | x | x | API Requests | Used for firewall management. | -| G3.3 | firewall-controller | Firewall | HTTPS | Controller URL | Internet | 443 | x | x | | | Self-Update | Controller URL and version provided by FCM. | -| G4.1 | machine-controller-manager-provider-metal | Seed Cluster | HTTPS | metal-api | Metal Control Plane | 443 | x | x | x | | API Requests | Used for management operations. 
| -| G5.1 | gardener-extension-provider-metal | Seed Cluster | HTTPS | metal-api | Metal Control Plane | 443 | x | x | x | | API Requests | Used for management operations. | -| G5.2 | gardener-extension-provider-metal | Seed Cluster | HTTPS | kube-apiserver | Garden Cluster | 443 | x | x | x | | API Requests | Used for management operations. | -| G5.3 | gardener-extension-provider-metal | Seed Cluster | HTTPS | kube-apiserver | Seed Cluster | 443 | x | x | x | | API Requests | Used for management operations. | -| G5.4 | gardener-extension-provider-metal | Seed Cluster | HTTPS | kube-apiserver | Shoot Cluster | 443 | x | x | x | | API Requests | Used for management operations. | +| No. | Component | Source Zone | Protocol | Destination | Destination Zone | Port | C | I | Auth | Trust | Purpose | Notes | +| ---- | ----------------------------------------- | ------------ | :------: | -------------- | ------------------- | :--: | :-: | :-: | :--: | :---: | ------------ | ------------------------------------------- | +| G1.1 | metal-ccm | Seed Cluster | HTTPS | metal-api | Metal Control Plane | 443 | x | x | x | x | API Requests | Used for management operations. | +| G1.2 | metal-ccm | Seed Cluster | HTTPS | kube-apiserver | Shoot Cluster | 443 | x | x | x | x | API Requests | Used for management operations. | +| G2.1 | firewall-controller-manager | Seed Cluster | HTTPS | metal-api | Metal Control Plane | 443 | x | x | x | x | API Requests | Used for firewall management. | +| G2.2 | firewall-controller-manager | Seed Cluster | HTTPS | kube-apiserver | Seed Cluster | 443 | x | x | x | x | API Requests | Used for firewall management. | +| G2.3 | firewall-controller-manager | Seed Cluster | HTTPS | kube-apiserver | Shoot Cluster | 443 | x | x | x | x | API Requests | Used for firewall management. | +| G3.1 | firewall-controller | Firewall | HTTPS | kube-apiserver | Seed Cluster | 443 | x | x | x | x | API Requests | Used for firewall management. 
| +| G3.2 | firewall-controller | Firewall | HTTPS | kube-apiserver | Shoot Cluster | 443 | x | x | x | x | API Requests | Used for firewall management. | +| G3.3 | firewall-controller | Firewall | HTTPS | Controller URL | Internet | 443 | x | x | | | Self-Update | Controller URL and version provided by FCM. | +| G4.1 | machine-controller-manager-provider-metal | Seed Cluster | HTTPS | metal-api | Metal Control Plane | 443 | x | x | x | | API Requests | Used for management operations. | +| G5.1 | gardener-extension-provider-metal | Seed Cluster | HTTPS | metal-api | Metal Control Plane | 443 | x | x | x | | API Requests | Used for management operations. | +| G5.2 | gardener-extension-provider-metal | Seed Cluster | HTTPS | kube-apiserver | Garden Cluster | 443 | x | x | x | | API Requests | Used for management operations. | +| G5.3 | gardener-extension-provider-metal | Seed Cluster | HTTPS | kube-apiserver | Seed Cluster | 443 | x | x | x | | API Requests | Used for management operations. | +| G5.4 | gardener-extension-provider-metal | Seed Cluster | HTTPS | kube-apiserver | Shoot Cluster | 443 | x | x | x | | API Requests | Used for management operations. | + +### Used Technologies + +| Technology | Parties | Notes | +| ---------- | -------------------------------- | ------------------------------------------------------ | +| Gardener | Contains of multiple components. | Has various connections. Mostly other Kubernetes pods. | ## With Cluster API 
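Review bot: in the "Used Technologies" table added at the end of this hunk, "Contains of multiple components." is ungrammatical ("Consists of multiple components.") and it sits in the Parties column, where the other tables list who communicates (e.g. "Machines", "Multiple"). The Notes cell "Has various connections. Mostly other Kubernetes pods." gives a CISO reader nothing to check; point to the G-rows above for the metal-stack-relevant flows and to Gardener's own documentation for the rest, or drop the row.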
@@ -109,11 +154,17 @@ By using the Cluster API provider for metal-stack, the following communictations The following table might not be displayed in completeness. Scroll to the right to see all entries. ::: -| No. | Component | Source Zone | Protocol | Destination | Destination Zone | Port | C | I | Auth | Trust | Purpose | Notes | -| :--: | :------------------------------: | :----------------: | :------: | :------------: | :-----------------: | :--: | :-: | :-: | :--: | :---: | :----------: | :-----------------------------: | -| C1.1 | metal-ccm | Workload Cluster | HTTPS | metal-api | Metal Control Plane | 443 | x | x | x | | API Requests | Used for management operations. | -| C1.2 | metal-ccm | Workload Cluster | HTTPS | kube-apiserver | Workload Cluster | 443 | x | x | x | x | API Requests | Used for management operations. | -| C2.1 | cluster-api-provider-metal-stack | Management Cluster | HTTPS | metal-api | Metal Control Plane | 443 | x | x | x | | API Requests | Used for management operations. | +| No. | Component | Source Zone | Protocol | Destination | Destination Zone | Port | C | I | Auth | Trust | Purpose | Notes | +| ---- | -------------------------------- | ------------------ | :------: | -------------- | ------------------- | :--: | :-: | :-: | :--: | :---: | ------------ | ------------------------------- | +| C1.1 | metal-ccm | Workload Cluster | HTTPS | metal-api | Metal Control Plane | 443 | x | x | x | | API Requests | Used for management operations. | +| C1.2 | metal-ccm | Workload Cluster | HTTPS | kube-apiserver | Workload Cluster | 443 | x | x | x | x | API Requests | Used for management operations. | +| C2.1 | cluster-api-provider-metal-stack | Management Cluster | HTTPS | metal-api | Metal Control Plane | 443 | x | x | x | | API Requests | Used for management operations. 
| + +### Used Technologies + +| Technology | Parties | Notes | +| ----------- | --------------------------------------------------------- | ------------------------------- | +| Cluster API | Contains of multiple components and additional providers. | Connects to the kube-apiserver. | ## With Lightbits 
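Review bot: same wording problem as the Gardener table: "Contains of multiple components and additional providers." should be "Consists of ...", and "Connects to the kube-apiserver." should say which cluster's, since the C-rows distinguish the Management Cluster (C2.1 to metal-api) from the Workload Cluster (C1.2 to kube-apiserver). The context line at the top of this hunk still reads "communictations"; worth fixing while the file is open.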
@@ -123,11 +174,17 @@ In order to use Lightbits as a storage solution, the following communications ar The following table might not be displayed in completeness. Scroll to the right to see all entries. ::: -| No. | Component | Source Zone | Protocol | Destination | Destination Zone | Port | C | I | Auth | Trust | Purpose | Notes | -| :--: | :---------------: | :-----------: | :------: | :------------: | :---------------: | :--: | :-: | :-: | :--: | :---: | :--------: | :-----------------------------: | -| L1.1 | duros-controller | Seed Cluster | HTTPS | duros-api | Lightbits Cluster | 443 | x | x | x | x | Storage | Used for management operations. | -| L1.2 | duros-controller | Seed Cluster | HTTPS | kube-apiserver | Shoot Cluster | 443 | x | x | x | x | Kubernetes | Used for management operations. | -| L2.1 | lb-csi-controller | Shoot Cluster | HTTPS | duros-api | Lightbits Cluster | 443 | x | x | x | | Storage | Used for management operations. | -| L2.2 | lb-csi-controller | Shoot Cluster | HTTPS | kube-apiserver | Shoot Cluster | 443 | x | x | x | x | Kubernetes | Used for management operations. | -| L3.1 | lb-csi-node | Shoot Cluster | TCP | duros-api | Lightbits Cluster | 4420 | x | x | x | | Storage | Used for management operations. | -| L3.2 | lb-csi-node | Shoot Cluster | TCP | duros-api | Lightbits Cluster | 8009 | x | x | x | | Storage | Used for management operations. | +| No. | Component | Source Zone | Protocol | Destination | Destination Zone | Port | C | I | Auth | Trust | Purpose | Notes | +| ---- | ----------------- | ------------- | :------: | -------------- | ----------------- | :--: | :-: | :-: | :--: | :---: | ---------- | ------------------------------- | +| L1.1 | duros-controller | Seed Cluster | HTTPS | duros-api | Lightbits Cluster | 443 | x | x | x | x | Storage | Used for management operations. 
| +| L1.2 | duros-controller | Seed Cluster | HTTPS | kube-apiserver | Shoot Cluster | 443 | x | x | x | x | Kubernetes | Used for management operations. | +| L2.1 | lb-csi-controller | Shoot Cluster | HTTPS | duros-api | Lightbits Cluster | 443 | x | x | x | | Storage | Used for management operations. | +| L2.2 | lb-csi-controller | Shoot Cluster | HTTPS | kube-apiserver | Shoot Cluster | 443 | x | x | x | x | Kubernetes | Used for management operations. | +| L3.1 | lb-csi-node | Shoot Cluster | TCP | duros-api | Lightbits Cluster | 4420 | x | x | x | | Storage | Used for management operations. | +| L3.2 | lb-csi-node | Shoot Cluster | TCP | duros-api | Lightbits Cluster | 8009 | x | x | x | | Storage | Used for management operations. | + +### Used Technologies + +| Technology | Parties | Notes | +| ---------- | ------- | --------------------------- | +| Lightbits | Storage | Used for storage solutions. | diff --git a/docs/docs/05-For CISOs/technologies-and-protocols.md b/docs/docs/05-For CISOs/technologies-and-protocols.md deleted file mode 100644 index 8019e09..0000000 --- a/docs/docs/05-For CISOs/technologies-and-protocols.md +++ /dev/null @@ -1,6 +0,0 @@ ---- -slug: /technologies-and-protocols -title: Technologies and Protocols -draft: true ---- -# Technologies and Protocols From c9430b830daef21429c7949c9a8b05be7b0c40d4 Mon Sep 17 00:00:00 2001 From: Valentin Knabel Date: Thu, 7 Aug 2025 09:19:27 +0200 Subject: [PATCH 2/4] docs: review FRR on Switches --- docs/docs/05-For CISOs/Security/04-communication-matrix.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/docs/05-For CISOs/Security/04-communication-matrix.md b/docs/docs/05-For CISOs/Security/04-communication-matrix.md index 0a496f8..9fe7718 100644 --- a/docs/docs/05-For CISOs/Security/04-communication-matrix.md +++ b/docs/docs/05-For CISOs/Security/04-communication-matrix.md 
@@ -102,6 +102,7 @@ Please note that every networking setup has its own requirements and configurati | S3.2 | ssh client | Management Server | SSH | ssh daemon | Switch | 22 | x | x | x | x | SSH Access | Used to access the SONiC switch via SSH. | | S4.1 | FRRouting | Firewall | BGP | FRRouting | Switches | 179 | | | | x | Routing | Used for dynamic routing. | | S4.2 | FRRouting | Machine | BGP | FRRouting | Firewall | 179 | | | | x | Routing | Used for dynamic routing. | +| S4.3 | FRRouting | Switches | BGP | FRRouting | Switches | 179 | | | | x | Routing | Used for dynamic routing. | ### Used Technologies From 9df6519526c2317970b5fa2f1c33526a07e81eaa Mon Sep 17 00:00:00 2001 From: Valentin Knabel Date: Thu, 7 Aug 2025 12:56:26 +0200 Subject: [PATCH 3/4] docs: review --- .../Security/04-communication-matrix.md | 47 ++++++++++--------- 1 file changed, 26 insertions(+), 21 deletions(-) diff --git a/docs/docs/05-For CISOs/Security/04-communication-matrix.md b/docs/docs/05-For CISOs/Security/04-communication-matrix.md index 9fe7718..56ff8ec 100644 --- a/docs/docs/05-For CISOs/Security/04-communication-matrix.md +++ b/docs/docs/05-For CISOs/Security/04-communication-matrix.md @@ -16,6 +16,8 @@ This matrix describes the communication between components in the metal-stack an ## Plain metal-stack +While metal-stack can be used in different environments and setups, the following communication is required by metal-stack components in a standard setup. This includes all components running on the control plane, partition management and machines. + :::info Description The following table might not be displayed in completeness. Scroll to the right to see all entries. ::: 
@@ -79,8 +81,9 @@ Description The following table might not be displayed in completeness. Scroll t | Technology | Parties | Notes | | --------------------------------- | ---------- | -------------------------------------------------------------------------------- | -| iPXE | Machines | Used for network-based bootstrapping of machines. | | DHCP | All | Used for obtaining IP addresses and boot configurations. | +| NTP | All | Used for synchronizing time across all components. | +| iPXE | Machines | Used for network-based bootstrapping of machines. | | TFTP | Machines | Used for transferring boot files to machines. | | HTTP | Multiple | Communication in trusted networks. | | HTTPS | Multiple | Cross-network communication. | @@ -91,7 +94,7 @@ Description The following table might not be displayed in completeness. Scroll t ## With SONiC While metal-stack does not directly depend on SONiC, it is the only actively maintained implementation of our networking stack. Therefore, the following communication is required by metal-stack components to interact with SONiC. -Please note that every networking setup has its own requirements and configurations, so the following table might not be complete for your setup. +Please note that every [networking setup](../../03-Concepts/03-Network/01-theory.md) has its own requirements and configurations, so the following table might not be complete for your setup. | No. | Component | Source Zone | Protocol | Destination | Destination Zone | Port | C | I | Auth | Trust | Purpose | Notes | | ---- | ---------- | ----------------- | :------: | -------------------- | ------------------- | :---: | :-: | :-: | :--: | :---: | ------------- | --------------------------------------------- | 
@@ -103,23 +106,25 @@ Please note that every networking setup has its own requirements and configurati | S4.1 | FRRouting | Firewall | BGP | FRRouting | Switches | 179 | | | | x | Routing | Used for dynamic routing. | | S4.2 | FRRouting | Machine | BGP | FRRouting | Firewall | 179 | | | | x | Routing | Used for dynamic routing. | | S4.3 | FRRouting | Switches | BGP | FRRouting | Switches | 179 | | | | x | Routing | Used for dynamic routing. | +| S5.1 | tailscale | Firewall | HTTPS | Headscale | Metal Control Plane | 443 | x | x | x | x | VPN Access | Used for Wireguard VPN access via Headscale. | ### Used Technologies -| Technology | Parties | Notes | -| ---------- | --------------------------- | --------------------------------------------------------------------------- | -| VRF | Switches, Firewalls | Isolation of network segments, e.g. for management and data traffic. | -| VLAN | Switches, Firewalls | Layer 2 traffic segmentation. | -| VXLAN | Switches, Firewalls | Encapsulate Layer 2 frames in Layer 3 packets for network virtualization. | -| EVPN | Switches, Firewalls | Overlay network technology for scalable and flexible network architectures. | -| BGP | Multiple | Routing protocol for dynamic routing and network management. | -| ssh | Management Server, Switches | Secure shell access for management and configuration. | -| LLDP | Switches, Machines | Link Layer Discovery Protocol for network device discovery. | -| ICMP | Multiple | Used for network diagnostics and reachability testing. | +| Technology | Parties | Notes | +| ---------- | --------------------------- | ------------------------------------------------------------------------------------------------ | +| VRF | Switches, Firewalls | Isolation of network segments, e.g. for management and data traffic. | +| VLAN | Switches, Firewalls | Layer 2 traffic segmentation. | +| VXLAN | Switches, Firewalls | Encapsulate Layer 2 frames in Layer 3 packets for network virtualization. 
| +| EVPN | Switches, Firewalls | Overlay network technology for scalable and flexible network architectures. | +| VPN | Firewalls | Management access [without open SSH ports](../../08-For Developers/01-proposals/MEP9/README.md). | +| BGP | Multiple | Routing protocol for dynamic routing and network management. | +| SSH | Management Server, Switches | Secure shell access for management and configuration. | +| LLDP | Switches, Machines | Link Layer Discovery Protocol for network device discovery. | +| ICMP | Multiple | Used for network diagnostics and reachability testing. | ## With Gardener -When using metal-stack in conjunction with Gardener, the following communications will additionally be used by metal-stack components. +When using metal-stack in [conjunction with Gardener](../../03-Concepts/04-Kubernetes/01-gardener.md), the following communication is required by metal-stack components. :::info The following table might not be displayed in completeness. Scroll to the right to see all entries. 
@@ -143,13 +148,13 @@ The following table might not be displayed in completeness. Scroll to the right ### Used Technologies -| Technology | Parties | Notes | -| ---------- | -------------------------------- | ------------------------------------------------------ | -| Gardener | Contains of multiple components. | Has various connections. Mostly other Kubernetes pods. | +| Technology | Parties | Notes | +| ---------- | -------------------------------- | ---------------------------------------------- | +| Gardener | Contains of multiple components. | Cluster management system for many Kubernetes. | ## With Cluster API -By using the Cluster API provider for metal-stack, the following communictations are required by metal-stack components. +By using the [Cluster API provider for metal-stack](../../03-Concepts/04-Kubernetes/02-cluster-api.md), the following communictations are required by metal-stack components. :::info The following table might not be displayed in completeness. Scroll to the right to see all entries. 
@@ -163,13 +168,13 @@ The following table might not be displayed in completeness. Scroll to the right ### Used Technologies -| Technology | Parties | Notes | -| ----------- | --------------------------------------------------------- | ------------------------------- | -| Cluster API | Contains of multiple components and additional providers. | Connects to the kube-apiserver. | +| Technology | Parties | Notes | +| ----------- | --------------------------------------------------------- | --------------------------------------------------------- | +| Cluster API | Contains of multiple components and additional providers. | Cluster management system for single Kubernetes clusters. | ## With Lightbits -In order to use Lightbits as a storage solution, the following communications are required by metal-stack components. +In order to use [Lightbits as a storage solution](../../03-Concepts/04-Kubernetes/07-storage.md), the following communications are required by metal-stack components. :::info The following table might not be displayed in completeness. Scroll to the right to see all entries. From a27dbb893d49495f3259798a6011e6db5d7a62be Mon Sep 17 00:00:00 2001 From: Valentin Knabel Date: Thu, 7 Aug 2025 14:57:11 +0200 Subject: [PATCH 4/4] docs: link to contributing mep9 --- .../Security/04-communication-matrix.md | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/docs/docs/05-For CISOs/Security/04-communication-matrix.md b/docs/docs/05-For CISOs/Security/04-communication-matrix.md index 56ff8ec..946b13b 100644 --- a/docs/docs/05-For CISOs/Security/04-communication-matrix.md +++ b/docs/docs/05-For CISOs/Security/04-communication-matrix.md 
@@ -110,17 +110,17 @@ Please note that every [networking setup](../../03-Concepts/03-Network/01-theory ### Used Technologies -| Technology | Parties | Notes | -| ---------- | --------------------------- | ------------------------------------------------------------------------------------------------ | -| VRF | Switches, Firewalls | Isolation of network segments, e.g. for management and data traffic. | -| VLAN | Switches, Firewalls | Layer 2 traffic segmentation. | -| VXLAN | Switches, Firewalls | Encapsulate Layer 2 frames in Layer 3 packets for network virtualization. | -| EVPN | Switches, Firewalls | Overlay network technology for scalable and flexible network architectures. | -| VPN | Firewalls | Management access [without open SSH ports](../../08-For Developers/01-proposals/MEP9/README.md). | -| BGP | Multiple | Routing protocol for dynamic routing and network management. | -| SSH | Management Server, Switches | Secure shell access for management and configuration. | -| LLDP | Switches, Machines | Link Layer Discovery Protocol for network device discovery. | -| ICMP | Multiple | Used for network diagnostics and reachability testing. | +| Technology | Parties | Notes | +| ---------- | --------------------------- | ---------------------------------------------------------------------------------------------- | +| VRF | Switches, Firewalls | Isolation of network segments, e.g. for management and data traffic. | +| VLAN | Switches, Firewalls | Layer 2 traffic segmentation. | +| VXLAN | Switches, Firewalls | Encapsulate Layer 2 frames in Layer 3 packets for network virtualization. | +| EVPN | Switches, Firewalls | Overlay network technology for scalable and flexible network architectures. | +| VPN | Firewalls | Management access [without open SSH ports](../../../contributing/01-Proposals/MEP9/README.md). | +| BGP | Multiple | Routing protocol for dynamic routing and network management. 
| +| SSH | Management Server, Switches | Secure shell access for management and configuration. | +| LLDP | Switches, Machines | Link Layer Discovery Protocol for network device discovery. | +| ICMP | Multiple | Used for network diagnostics and reachability testing. | ## With Gardener
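Review bot: in the Lightbits matrix hunk, rows L3.1 and L3.2 keep the note "Used for management operations." although they are plain TCP on ports 4420 and 8009 rather than HTTPS like the duros-api rows above them; 4420 is the registered NVMe over TCP port and 8009 the NVMe-oF discovery port, so if these rows carry the volume data path from lb-csi-node the Notes should say so, and the Trust column (blank here, "x" for L1.1) should be checked for consistency. The new Used Technologies table for this section only lists "Lightbits | Storage | Used for storage solutions.", which restates the heading; naming the transport the 4420/8009 rows use (NVMe/TCP, if that is what it is) alongside HTTPS would match the level of detail of the other sections' technology tables.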
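Review bot: the new S4.3 row (FRRouting, Switches to Switches, BGP/179) leaves C, I and Auth blank like S4.1 and S4.2 and repeats "Used for dynamic routing." in Notes; for a CISO-facing matrix the Notes should state whether these peerings are unauthenticated by design or which session protection is applied, and should say what the switch-to-switch peering is for, since source and destination zone are identical and the reader cannot infer the role from S4.1/S4.2.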
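Review bot: the NTP row added to the Used Technologies table (Parties "All") has no matching matrix row visible in this hunk; if the matrix above has none, add one (NTP client to time source, UDP/123) so the two tables stay consistent and the reader knows which zone the time source lives in and whether it is reached across the Internet. Moving iPXE below DHCP reads better as boot order, but the HTTP row's "Communication in trusted networks." would be clearer if it named the matrix rows it covers.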
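Review bot: the new S5.1 row documents only the tailscale to Headscale control channel (HTTPS/443 into the Metal Control Plane); the WireGuard tunnel that the VPN technology row presents as the replacement for open SSH ports is a separate UDP flow (tailscale defaults to 41641/UDP, falling back to DERP relays over HTTPS when no direct path exists) and deserves its own row with zones, C/I/Auth marks and the initiating side. Also "Wireguard" in the S5.1 Notes should be spelled "WireGuard".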
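Review bot: the Gardener technology row keeps "Contains of multiple components." (should be "Consists of multiple components.") and the new Notes text "Cluster management system for many Kubernetes." is missing its noun ("... for many Kubernetes clusters."); the Cluster API intro line is rewritten in the same hunk but the typo "communictations" is carried over into the + line, so fix it while touching the line.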
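Review bot: same wording issue in the Cluster API technology row, "Contains of multiple components and additional providers." should read "Consists of multiple components and additional providers."; the rewritten Lightbits intro directly below still says "communications are required", whereas the Gardener section in this series now says "communication is required", so align the two.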
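Review bot: the only substantive change in this hunk is the MEP9 link target moving from "../../08-For Developers/01-proposals/MEP9/README.md" to "../../../contributing/01-Proposals/MEP9/README.md"; from docs/docs/05-For CISOs/Security/ the three "../" resolve to docs/, so the target has to exist at docs/contributing/01-Proposals/MEP9/README.md (note the capitalised "Proposals" versus the old lowercase "proposals"), which is worth confirming with the docs link check, since the column re-padding makes the diff look like eleven changed lines rather than one changed path.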