TVK Product FAQ
This section provides details on TVK's development methodology, deployment details, security, life cycle management, services integration, quality assurance, support and performance
Security and Compliance
Life Cycle Management
TrilioVault uses only fully supported Kubernetes APIs and features. TVK has been developed to best practices, avoiding the use of Kubernetes alpha APIs and using hard-coded Kubernetes API versions.
Best practices for TrilioVault for Kubernetes software development include:
- 1.Deployable by a single Helm or Operator artifact.
- 2.Product editions are licensed as an item and are tied together by a Helm or Operator artifacts.
- 3.Supports consecutive Red Hat OpenShift Container Platform minor versions.
- 4.Software images are consistently maintained across offerings.
- 5.Binaries based on Red Hat UBI.
- 6.All Images are Red Hat Certified.
- 7.TVK has been integrated with Red Hat publishing per content guidelines.
- 8.TVK supports Operator based install.
- 9.TVK Operators are OLM (Operator Lifecycle Manager) enabled.
- 10.All TVK Custom Resource Definitions (CRDs) include application version.
- 11.All Operators provide a status. __
In order to be defined as Production Grade, all Red Hat apps must pass QA requirements for documentation, system requirements, best practices for resource usage, data integrity testing and cluster behaviors (scaling, recovery, dependancies)
- 2.All persistent volumes storage access modes. RWO – ReadWriteOnce.
- 3.Trilio maintains Data integrity during pod or node failures.
- 4.TrilioVault for Kubernetes uses fully qualified hostnames to provide external access.
- 5.Trilio does NOT use custom ingress annotations for external access.
- 6.Trilio does NOT use Nodeports to provide external access.
- 7.TrilioVault supports advanced scheduling to ensure maximum resiliency.
- 8.To provide resiliency when unexpected failures occur , TVK supports graceful recovery when failure occurs
- 9.Monitoring provides application health and react to events.
- 10.Trilio data protection has the ability to run in multiple failure zones in a single cluster.
- 11.Deployments can scale horizontally with manual scaling
- 12.Scalability can be achieved by deploying multiple instances in a single cluster without conflict.
- 1.All images have been scanned using Red Hat Certification VA Scanner and Linter (IBM Approved scanning tools).
- 2.TVK follows a principle of least privilege and pod isolation
- 3.TVK uses an approved SCC definition
- 5.All components of a workload are tracked, including Helm release, Namespace, Labels and Annotations, so if something is created maliciously this can be readily detected.
- 6.Workloads do not use the default service account
- 7.TVK Only exposes required ports/services from each container
- 8.TVK limits traffic between pods.
- 9.Containers do not communicate with the host.
- 10.All data is encrypted in transit using TLS 1.2 within the customer network between Pods.
- 11.Encryption for data at rest can be managed by the backup repository used by customer (NFS/S3). TVK doesn't encrypt at rest, this is left to the NFS or S3 repository
- 12.All Secrets are stored in an approved service
- 13.Logs are clear of all sensitive information and does not expose any sensitive data.
- 14.Helm release is clear of sensitive information and do not expose any sensitive data.
- 15.Kubernetes Resources (other than a secret) do not store sensitive information
- 16.Default credentials to be immediately updated by the customer are not supplied by Trilio.
- 17.All communication between containers and services uses TLS auth in order to restrict anonymous access.
- 18.TVK Uses an IBM approved certificate manager -Certificate type is X.509 and follows best practices for Public Key Infrastructure.
- 1.In Place Upgrade
TVK Upgrade paths follow best practices for:
- 1.Provide non-disruptive patching for image updates.
- 2.Upgrade ensures no loss of vital data.
- 3.Upgrade path is documented in Release Notes.
- 4.Upgrade path tested.
- 1.Backup points documented externally for clients
- 2.Recovery / restore is documented externally for clients
- 3.Backup and recovery of application and data is well tested for each major release
Trilio completes comprehensive testing. Broad tests are designed and performed for the product. A wide range of testing methodologies are used to ensure the quality of the product, including:
- 1.Unit testing
- 2.Integration testing
- 3.System testing
- 4.Availability testing
- 5.Install testing
- 6.Performance testing
- 7.Beta customer testing
Other QA items:
- 1.TVK documentation includes steps for customer to validate successful install. Customer-driven post-install tests allow for the customer to validate that your product was installed successfully and is running correctly.
- 3.TVK has been tested on all Red Hat OCP versions that the product has declared support.
- 2.TVK licenses are available in the package source. All product licenses deployed by a workload are available with the source (Helm, Operators, or CASE).
- 4.TVK licenses align appropriately for Docker images and package source. License files in the Docker images align with the license files put in the packaged source for your product.
- 5.TVK displays all relevant licenses for acceptance based on the deployment scenario for the workload.
Trilio uses the latest UBI minimal images as the starting point for all product images. UBI minimal images are substantially smaller than the regular UBI images and are a better starting point for product images.
- 1.Trilio reduces the number of unused files and image layers in all images.
- 2.Trilio uses only one runtime framework (Node.js, Python, Golang) in a container.
- 3.TVK uses only curl or wget to fetch packages from remote URLs.