Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add standard for provider networks #572

Open
wants to merge 32 commits into
base: main
Choose a base branch
from
Open

Add standard for provider networks #572

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
32 commits
Select commit Hold shift + click to select a range
f7ae92e
Test and implementation note for Cert achievement.
garloff Oct 13, 2024
bab0f96
Use naming similar to other impl and test notes.
garloff Oct 13, 2024
507e901
Remove double blank lines.
garloff Oct 15, 2024
e60168d
Remove title (as it already comes from the header)
garloff Oct 15, 2024
483015a
Fix links.
garloff Oct 15, 2024
1a40b45
Apply suggestions from code review
garloff Oct 15, 2024
de3f3cb
Fix link to blog article
garloff Oct 15, 2024
2267a49
Update Standards/scs-0004-w1-achieving-certification-implementation.md
fkr Mar 25, 2025
f352a14
Add draft for unified networking standard
kgube Apr 19, 2024
50831d1
Start refocusing networking standard draft towards provider networks
kgube Apr 25, 2024
203a60f
Expand design considerations section
kgube Apr 29, 2024
9c26114
Add motivation and expand on port security
kgube Apr 30, 2024
bafabf6
Update Design Considerations and Decision
kgube May 2, 2024
f848b52
Update and extend Design Considerations section
kgube May 6, 2024
f862660
Extend considered options section
kgube May 8, 2024
5b36a3e
Add glossary and discussion of API extensions
kgube Jun 5, 2024
5fbb433
Rename provider network document
kgube Jun 5, 2024
b62ae12
Add stub for conformance tests section
kgube Jun 5, 2024
c7b98f5
Update some descriptions
kgube Jun 10, 2024
15ad9dd
Fix linting issues
kgube Jun 10, 2024
f4a3aec
Update introduction and add internet access to considered options
kgube Jul 16, 2024
3b8f7d4
Update standard to only apply to public IP allocation
kgube Jul 24, 2024
324954a
Add reference to ovn-bgp-agent
kgube Aug 27, 2024
ce7dbc3
Change "Network API" to "Networking API"
kgube Sep 13, 2024
b74a880
Fix some typos and wordings
kgube Sep 13, 2024
5c26c52
Use "Networking RBAC" to refer to the RBAC feature of the API
kgube Sep 13, 2024
a005f62
Add requirement for auto-allocation support.
kgube Sep 18, 2024
6bcff46
Add reference for RBAC policy change
kgube Nov 11, 2024
fc87e59
Update standard to require "external" IPs instead of public IPs
kgube Nov 11, 2024
751a4e7
Add implementation note for networking rbac restriction
kgube Nov 21, 2024
94c62c9
fix couple minor nits.
fkr Mar 24, 2025
3ea6dde
rename to prepare for merge
fkr Mar 25, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
133 changes: 133 additions & 0 deletions Standards/scs-0004-w1-achieving-certification-implementation.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,133 @@
---
title: "Implementation hints for achieving SCS-compatible certification"
type: Supplement
track: Global
status: Draft
supplements:
- scs-0004-v1-achieving-certification.md
---

## Process overview

The *SCS-compatible* Certification for Operators is a technical certification:
The operator needs to fulfill technical requirements, such as providing certain
APIs and guaranteeing certain platform behavior in order to be certifiable.

These requirements are meant to provide guarantees to their customers, allowing
them to rely on certain features to be available and on certain system behavior
that lets their applications run in a reliable way.

The SCS certification process typically consists of a few simple steps:

1. Running the SCS compliance test suite and adjusting the infrastructure until it passes.
2. Any additional declarations (for non-testable aspects) are written and passed to the SCS certification body.
3. The operator must be a member ("shaper" or "advisor" level) of the Forum SCS-Standards in the
OSB Alliance (a non-profit) and pay the respective membership fees. Alternatively fees can
be paid without becoming a member.
4. The cloud can be listed on the SCS pages as *SCS-compatible* with a compatibility status that is
updated on a daily basis. SCS then tests the infrastructure on a daily basis.

The precise rules that govern how certificates are issued or withdrawn are defined in the
[SCS standard 0004](scs-0004-v1-achieving-certification.md).

## Self-testing and technical adjustments

In order for a cloud service offering to obtain a certificate, it has to
conform to all mandatory requirements of all standards of the respective scope, which will be tested at
regular intervals, and the results of these tests will be made available
publicly.

The best approach to get your cloud into compliance is by installing the
test suite locally. Have a look at the
[blog article](https://scs.community/2024/10/14/cert-adapt-example/).

A description of how *SCS-compatible IaaS* compliance can be achieved on OpenStack environments that
do not use the SCS reference implementation is written up in the blog article
[Cost of making an OpenStack Cluster SCS compliant](https://scs.community/2024/05/13/cost-of-making-an-openstack-cluster-scs-compliant/).

## Declarations

For the SCS-compatible IaaS v5 standard, the providers must — if they implement availability zones
at all (which is optional) — guarantee certain levels of independence for these. This can not
be fully tested by an automated test. The process thus envisions that providers must create some
documentation on the physical infrastructure and how it maps to availability zones and declare that
this documentation reflects the truth. SCS will review the docs and judge whether they meet the
criteria. In case of doubt, audits can be performed.

## Forum SCS-Standards @ OSBA

The SCS brand belongs to the Open Source Business Alliance e.V. (OSBA), an non-profit organization and
association for the Open Source Industry in Germany. After the completion of the funded SCS project
in the OSBA on 2024-12-31, the OSBA sets up the Forum SCS-Standards
which performs the work to evolve the SCS standards, develops the tests and perform the certification
process and thus becomes the SCS certification body.

Members of the OSBA can become also member of the Forum SCS-Standards for an additional membership
fee, providing the financial resources for the Forum SCS-Standards to do its work. Membership in the
OSBA is open to any organization that supports the goals of the OSBA.
Alternatively, a certification fee can be paid without any membership.

## Getting listed and tested

When all tests are passing, all needed declarations are done, fees for the certification or the
membership in the Forum SCS-Standards at the OSBA have been paid, the infrastructure service
can become officially certified.

The SCS team will add the cloud to the [list of certified clouds](https://docs.scs.community/standards/certification/overview)
on the SCS docs page. This can be used to prove to customers that the cloud is SCS compliant.
Note that for public clouds, there will be a nightly job that tests the cloud for compliance, which will be
triggered by SCS infrastructure (zuul). For this, access to a tenant on the cloud needs
to be provided free of charge. (This only requires very low quota, one VM is created for a minute
in one of the tests.)

For clouds not being accessible from the outside, a VPN tunnel or a local monitoring
job (with result upload) can be used.

Please let us know if you want us to create an official SCS-certified badge that
can be used in your marketing material beyond pointing to our list.

### Optional Health Monitor

Note that for almost all certified clouds in the list of certified clouds, we also
have a health monitor running (currently still
[openstack-health-monitor](https://docs.scs.community/docs/operating-scs/guides/openstack-health-monitor/Debian12-Install)
but soon the new [health-monitor](https://scs.community/tech/2024/09/06/vp12-scs-health-monitor-tech-preview/)),
which exposes information on the performance and error rate of each cloud.
This provides some transparency on the state of the clouds by constantly running
scenario tests against them and is tremendously helpful for both the cloud operations
teams and their customers. Strictly speaking, it is *not* a requirement for the
*SCS-compatible* certification, just best practice. It will be part of an
*SCS-sovereign* certification though, where transparency on operational aspects
will be required.

## Staying compliant

Once your cloud is listed in the
[list of certified clouds](https://docs.scs.community/standards/certification/overview)
which is fed by the
[compliance manager](https://compliance.sovereignit.cloud/page/table), it
will enjoy the nightly tests. These might fail for a number of reasons:

* There is a new version of the SCS standards in effect and you need to adjust things.
* Your cloud was unreachable or otherwise had intermittent issues.
* You have done changes to your cloud that break *SCS-compatible* compliance.
* The test automation engine (zuul) is in trouble.
* The tests have a bug.

In either case, this need proper analysis to determine what should be done.
<!--In the list of certified clouds, the tests are performed by github actions.
These are executed from the
[github SCS standards repository](https://github.com/SovereignCloudStack/standards).
By looking at the logs from the github actions, you can typically see why the failure
happened. You could of course also do a local test again to see if the issue can
be reproduced.-->
In the compliance manager (executing tests via zuul), we will add links to the log
files directly on the table, so it will be even easier to find the relevant log files.
It is a good idea to reproduce the failures by running the test suite locally,
as it may be easier to focus on just the one failing aspect of your infrastructure.

Your cloud will show up as failing in the compliance manager after tests start
failing; this is not the same as a revoked certification, though. For clouds that have been
compliant before, it is highly recommended to work with the SCS certification body
upon such failures to determine a way back into compliance that avoids certification
revocation.
20 changes: 20 additions & 0 deletions Standards/scs-0125-v1-provider-network-standard-implementation.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
---
title: "Provider Network Standard: Implementation Notes"
type: Supplement
track: IaaS
status: Proposal
supplements:
- scs-xxxx-v1-provider-network-standard.md
---

### Policy adjustment for restricting Networking RBAC

Per default, OpenStack's Networking API allows all user, regardless of role to change the accessibility of networking resources (e.g. networks, routers, security groups) to other projects.
Such shared resources are, without knowledge of the respective project IDs, indistinguishable from resources shared by the CSP, allowing malicious users to present networking resources to other client as coming from the provider.
The Provider Network Standard states that CSPs SHOULD restrict this functionality to administrators, which requires the following change to the `policy.yaml` file of the Neutron API[^rbac]:

```yaml
"create_rbac_policy": "rule:admin_only"
```

[^rbac]: <https://docs.openstack.org/neutron/2024.1/admin/config-rbac.html#preventing-regular-users-from-sharing-objects-with-each-other>
Loading