| Data | Highest Impact Level (C/I/A) | Source | Destination | Protocol | Encryption | Authentication | Network route |
|---|---|---|---|---|---|---|---|
| Example: customer details | Confidentiality | customer | Ingress controller | BCTL responsibility | Not by default - BCTL responsibility | Not by default - BCTL responsibility | public |
| Developer K8s API calls | Answer 01 | kubectl | API server | HTTPS | yes | Answer 02 | public |
| Customer details | Confidentiality | Ingress controller | Booking pod | BCTL responsibility | Not by default - BCTL responsibility | Answer 03 | cluster-internal |
| Customer details | Confidentiality | Booking pod | PostgreSQL Pod | Answer 04 | Answer 05 | Not by default - BCTL responsibility | cluster-internal |
| Customer details | Confidentiality | PostgreSQL Pod | Persistent storage | AWS responsibility | AWS responsibility | AWS responsibility | Answer 06 |
| Compliance info | Answer 07 | Booking pod | Compliance pod | BCTL responsibility | Not by default - BCTL responsibility | Not by default - BCTL responsibility | Answer 08 |
| Compliance info | Answer 09 | Compliance pod | Government-owned S3 bucket | HTTPS, AWS issued public cert | yes | Answer 10 | Answer 11 |
| Invoicing info | Confidentiality | Invoicing pod | customer | Answer 12 | Answer 13 | Answer 14 | Answer 15 |
| Poll for new pods | Answer 16 | Kubelet | API server | gRPC over TLS | yes | Certificate authentication - self-signed CA | cluster-internal |
| Poll for services / endpoints | Answer 17 | Answer 18 | API server | gRPC over TLS | yes | Certificate authentication - self-signed CA | cluster-internal |
| Get container image | Answer 19 | Container runtime | Answer 20 | gRPC over TLS | yes | Certificate authentication - self-signed CA | cluster-internal |
| Read/write state info | Answer 21 | API server | Answer 22 | Answer 23 | yes | Certificate authentication - self-signed CA | cluster-internal |
| Poll for current / desired state | Answer 24 | Controllers | Answer 25 | gRPC over TLS | yes | Certificate authentication - self-signed CA | cluster-internal |
| Poll for new pods / schedule pods | Answer 26 | Answer 27 | API server | gRPC over TLS | yes | Certificate authentication - self-signed CA | cluster-internal |
These are the selections available to complete for each of the columns:
- Customer details
- Compliance info
- Invoicing info
- Developer K8s API calls
- Example: customer details
- Poll for new pods
- Poll for services / endpoints
- Get container image
- Read/write state info
- Poll for current / desired state
- Poll for new pods / schedule pods
- Confidentiality
- Availability
- Integrity
- Integrity & Availability
- API Server
- Booking Pod
- Compliance Pod
- Container runtime
- Controllers
- Customer
- etcd
- Government-owned S3 bucket
- Image repository
- Ingress Controller
- Invoicing Pod
- Kube proxy
- kubectl
- Kubelet
- Persistent Storage (EBS)
- PostgreSQL Pod
- Scheduler
- API Server
- Booking Pod
- Compliance Pod
- Container runtime
- Controllers
- Customer
- etcd
- Government-owned S3 bucket
- Image repository
- Ingress Controller
- Invoicing Pod
- Kube proxy
- Kubelet
- Persistent storage
- Persistent Storage (EBS)
- PostgreSQL Pod
- S3 bucket
- Scheduler
- BCTL responsibility
- gRPC over TLS
- HTTPS
- HTTPS, AWS issued public cert
- HTTPS, publicly issued cert
- HTTPS, self-signed cert
- iSCSI
- TCP
- AWS responsibility
- Not by default - BCTL responsibility
- Shared responsibility
- yes
- AWS responsibility
- Certificate authentication - AWS issued public cert
- Certificate authentication - self-signed CA
- Not by default - BCTL responsibility
- Shared responsibility
- AWS-backbone network
- cluster-internal
- Open egress
- public
- Confidentiality
- Availability
- Integrity
- Integrity & Availability
- AWS responsibility
- Certificate authentication - AWS issued public cert
- Certificate authentication - self-signed CA
- Not by default - BCTL responsibility
- Shared responsibility
- AWS responsibility
- Certificate authentication - AWS issued public cert
- Certificate authentication - self-signed CA
- Not by default - BCTL responsibility
- Shared responsibility
- BCTL responsibility
- gRPC over TLS
- HTTPS
- HTTPS, AWS issued public cert
- HTTPS, publicly issued cert
- HTTPS, self-signed cert
- iSCSI
- TCP
- AWS responsibility
- Not by default - BCTL responsibility
- Shared responsibility
- yes
- AWS-backbone network
- cluster-internal
- Open egress
- public
- Confidentiality
- Availability
- Integrity
- Integrity & Availability
- AWS-backbone network
- cluster-internal
- Open egress
- public
- Confidentiality
- Availability
- Integrity
- Integrity & Availability
- AWS responsibility
- Certificate authentication - AWS issued public cert
- Certificate authentication - self-signed CA
- Not by default - BCTL responsibility
- Shared responsibility
- AWS-backbone network
- cluster-internal
- Open egress
- public
- BCTL responsibility
- gRPC over TLS
- HTTPS
- HTTPS, AWS issued public cert
- HTTPS, publicly issued cert
- HTTPS, self-signed cert
- iSCSI
- TCP
- AWS responsibility
- Not by default - BCTL responsibility
- Shared responsibility
- yes
- AWS responsibility
- Certificate authentication - AWS issued public cert
- Certificate authentication - self-signed CA
- Not by default - BCTL responsibility
- Shared responsibility
- AWS-backbone network
- cluster-internal
- Open egress
- public
- Confidentiality
- Availability
- Integrity
- Integrity & Availability
- Confidentiality
- Availability
- Integrity
- Integrity & Availability
- API Server
- Booking Pod
- Compliance Pod
- Container runtime
- Controllers
- Customer
- etcd
- Government-owned S3 bucket
- Image repository
- Ingress Controller
- Invoicing Pod
- Kube proxy
- kubectl
- Kubelet
- Persistent Storage (EBS)
- PostgreSQL Pod
- Scheduler
- Confidentiality
- Availability
- Integrity
- Integrity & Availability
- API Server
- Booking Pod
- Compliance Pod
- Container runtime
- Controllers
- Customer
- etcd
- Government-owned S3 bucket
- Image repository
- Ingress Controller
- Invoicing Pod
- Kube proxy
- Kubelet
- Persistent storage
- Persistent Storage (EBS)
- PostgreSQL Pod
- S3 bucket
- Scheduler
- Confidentiality
- Availability
- Integrity
- Integrity & Availability
- API Server
- Booking Pod
- Compliance Pod
- Container runtime
- Controllers
- Customer
- etcd
- Government-owned S3 bucket
- Image repository
- Ingress Controller
- Invoicing Pod
- Kube proxy
- Kubelet
- Persistent storage
- Persistent Storage (EBS)
- PostgreSQL Pod
- S3 bucket
- Scheduler
- BCTL responsibility
- gRPC over TLS
- HTTPS
- HTTPS, AWS issued public cert
- HTTPS, publicly issued cert
- HTTPS, self-signed cert
- iSCSI
- TCP
- Confidentiality
- Availability
- Integrity
- Integrity & Availability
- API Server
- Booking Pod
- Compliance Pod
- Container runtime
- Controllers
- Customer
- etcd
- Government-owned S3 bucket
- Image repository
- Ingress Controller
- Invoicing Pod
- Kube proxy
- Kubelet
- Persistent storage
- Persistent Storage (EBS)
- PostgreSQL Pod
- S3 bucket
- Scheduler
- Confidentiality
- Availability
- Integrity
- Integrity & Availability
- API Server
- Booking Pod
- Compliance Pod
- Container runtime
- Controllers
- Customer
- etcd
- Government-owned S3 bucket
- Image repository
- Ingress Controller
- Invoicing Pod
- Kube proxy
- kubectl
- Kubelet
- Persistent Storage (EBS)
- PostgreSQL Pod
- Scheduler