1. Proposed title of this feature request
Include communications flow matrix in product documentation.
2. What is the nature and description of the request?
Telco partners are asking for several documents in order to answer security-related questions from their prospects and customers, i.e. the large Telco Service Providers, national regulators and other national agencies.
One of the documents that telco partners require is a “communications flow matrix” listing all (external to a node) communication flows between components.
This information is required for several purposes including:
- Communications between nodes may be highly restricted, with only known traffic allowed; telco partners and their customers need to know which traffic flows are required, and for what purpose, in order to enable those flows within their network(s).
- Telco partners and their customers require a complete understanding of all (external to a node) flows between all components, including whether those traffic flows are secure (encrypted), in order to (non-exhaustive list):
  - Provide this information to national regulatory and security agencies as part of obtaining the necessary authorizations and compliances required prior to deployment.
  - Perform their own threat analysis and risk assessment as part of authorizing a particular deployment.
For each release of:
- Red Hat OpenShift Container Platform (including all Red Hat provided Operators)
- Red Hat OpenShift Data Foundation
- Red Hat Advanced Cluster Management (including ZTP and GitOps workflows)
- Red Hat Quay
A communications matrix listing the required ports and protocols is required, including:
- Scope
  - e.g. OpenShift node type/role (Master/Worker/Storage), SNO vs multi-node cluster, etc., if applicable.
  - Required for installation but closed post-installation
  - etc.
- Source component
- Destination component
- Service (e.g. crio)
- L4 Protocol (e.g. TCP/UDP, etc.)
- L4 Destination Port
- L7 protocol (e.g. HTTPS/DNS/SSH/etc.) including whether it is encrypted and the form of encryption (e.g. version of TLS)
- Source/Dest pairs
- Destination Network
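As an added example (not part of this RFE or of any Red Hat deliverable), the following Python helper consumes a matrix laid out with the columns requested above and derives two things a telco partner would want from it: the inbound nftables allow rules for a given node role (omitting installation-only flows by default, per the Scope field) and the list of flows that are not encrypted. The sample rows are constructed for illustration with commonly documented default ports; they are not an official matrix.

```python
import csv
import io

# Constructed sample rows in the column layout requested above. Illustrative only:
# not an official Red Hat matrix, and the ports are common defaults, not a verified list.
SAMPLE_MATRIX = """\
scope,source,destination,service,l4_protocol,l4_dst_port,l7_protocol,encrypted,encryption,dst_network
Master,Worker,Master,kube-apiserver,TCP,6443,HTTPS,yes,TLS 1.2+,machine
Master,Master,Master,etcd,TCP,2379-2380,gRPC,yes,mTLS,machine
Worker,Master,Worker,kubelet,TCP,10250,HTTPS,yes,TLS 1.2+,machine
Worker,Worker,External,chronyd,UDP,123,NTP,no,,external
Installation-only,Bootstrap,Master,machine-config-server,TCP,22623,HTTPS,yes,TLS 1.2+,machine
"""

REQUIRED = {"scope", "source", "destination", "service",
            "l4_protocol", "l4_dst_port", "l7_protocol", "encrypted"}


def parse_matrix(text):
    """Read the matrix as CSV, reject incomplete schemas, normalise the fields used below."""
    reader = csv.DictReader(io.StringIO(text))
    missing = REQUIRED - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"matrix is missing required columns: {sorted(missing)}")
    flows = []
    for row in reader:
        row["l4_protocol"] = row["l4_protocol"].strip().lower()  # nft keyword: tcp / udp
        row["encrypted"] = row["encrypted"].strip().lower() == "yes"
        row["install_only"] = row["scope"].strip().lower().startswith("installation")
        flows.append(row)
    return flows


def unencrypted_flows(flows):
    """Flows a threat analysis would flag first: plaintext on the wire."""
    return [f for f in flows if not f["encrypted"]]


def nftables_rules(flows, destination, include_install_only=False):
    """Inbound allow rules for a node acting as `destination`; installation-only
    flows are skipped unless requested (closed post-installation per the Scope field)."""
    rules = []
    for f in flows:
        if f["destination"] != destination:
            continue
        if f["install_only"] and not include_install_only:
            continue
        rules.append(f'{f["l4_protocol"]} dport {f["l4_dst_port"]} accept '
                     f'comment "{f["service"]} from {f["source"]} ({f["l7_protocol"]})"')
    return rules
```

The same parsed rows can be diffed against an actual firewall or observed traffic capture to spot flows missing from the matrix, which is exactly the by-hand reconciliation this RFE asks Red Hat to make unnecessary.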
Currently we are having to produce an unofficial communications matrix by hand (example of communications matrix for a Single Node OpenShift), which is time-consuming and error prone.
Similar communications matrices are already produced for:
- Red Hat OpenStack Platform: https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/16.2/html-single/firewall_rules_for_red_hat_openstack_platform/index#network-flow-matrix
- Red Hat Satellite: https://access.redhat.com/solutions/5627751
3. Why does the customer need this? (List the business requirements here)
The Radio Access Network (RAN) is a very security-sensitive part of the network, and telco partners expect to receive several documents from Red Hat covering security and privacy aspects. For example, in some jurisdictions the RAN is categorized as “critical national infrastructure”, and these documents are required in order for the telco partner and their customer to receive the appropriate RAN deployment authorizations and approvals from national regulatory and security agencies.
Telco partners usually do extensive testing on their own stack and expect the same from their stack provider, i.e. Red Hat.
4. List any affected packages or components.
- Red Hat OpenShift Container Platform (including all Red Hat provided Operators)
- Red Hat OpenShift Data Foundation
- Red Hat Advanced Cluster Management (including ZTP and GitOps workflows)
- Red Hat Quay
- is cloned by: OCPPLAN-9417 Create communications flow matrix for every release (New)
- relates to: RFE-2751 OpenShift Hardening Guide (Accepted)