In our blog article from last week we explained what exactly Haven is. In summary, Haven is the standard for platform independent Cloud hosting for municipalities. Haven enables municipalities to run applications without modifying their IT infrastructure, regardless of whether they work locally, in the Cloud or hybrid. This promotes collaboration between municipalities, lowers costs, increases security and scalability, and reduces vendor dependency by using open-source technologies such as Kubernetes. This allows applications to be developed, shared and managed more efficiently. You can therefore see Haven as an abstraction layer that results in a, for municipalities, common starting point.
But, as a municipality, how do you ensure that you set up a Haven compliant environment? Haven prescribes a specific configuration of Kubernetes that should be implemented on the existing technical infrastructure, for example in the Cloud or an on-premises platform.
This prescribed configuration ensures that every Haven environment is functionally the same, regardless of the underlying technical infrastructure.
Within Common Ground (a Dutch initiative aimed at modernising government digital infrastructure and promoting interaction and scalability), a tool has been created that allows you to scan and validate Kubernetes clusters for compliance with certain security and infrastructure standards specified in the Haven standard. This is the Port Compliancy Checker. Using this checker requires some basic knowledge of Kubernetes and its command-line tools. The check currently consists of 16 mandatory and 2 suggested checks. Within the 16 mandatory checks there are 7 main sections; Fundamental, Infrastructure, Cluster, External, Deployment and Validation. Each section has its checks and reasons why the Kubernetes Cluster must comply with them.
Fundamental
Among Fundamental, the checker requires the Kubernetes cluster to be the latest major version or a minor version that is 3 months older than the latest major. In addition, the Kubernetes cluster must have cluster admin privileges in order for the checker to work correctly.
Infrastructure
Under Infrastructure, the checker specifies that the Kubernetes cluster must run in multiple availability zones. In addition, the Kubernetes cluster must consist of at least 3 master nodes and 3 worker nodes. The Kubernetes cluster must have at least SELinux, Grsecurity, AppArmor, LKRG, Talos or Flatcar enabled. Lastly, the Kubernetes cluster must be built in a private network topology.
Cluster
Among Cluster, the checker prescribes that the Kubernetes cluster, as in the Fundamental section, is the latest major version of Kubernetes or a minor version that is 3 months older than the latest major. In addition, Role-Based Access Control must be enabled within the Kubernetes cluster and basic authentication disabled. Finally, there must be support for ReadWriteMany persistent volumes within the Kubernetes cluster.
Extern
Under Extern, the checker dictates that the Kubernetes cluster conforms to the standard Kubernetes APIs.
Deployment
At Deployment, the checker specifies that an automated HTTPS certificate facility is available, log aggregation is running on the Kubernetes cluster and monitoring is present on the cluster.
Validation
Finally, the checker requires under Validation that the CLI interface of the Kubernetes cluster is validated using Secure Hash Algorithms (SHA).
As soon as a municipality approaches Fundaments to enquire about a Haven- compliant environment, the municipality's needs will first be examined together. From this, a technical intake session will follow and a design of the Haven compliant environment will eventually be made. To ensure that the environment is actually Haven compliant, the Haven Compliancy Checker is carried out.
Want to know more about what Haven can do for your municipality? Contact us by calling 088 4227 227 or emailing info@fundaments.nl.
