SBIR-STTR Award

DoD Centralized Operator Registry (DCOR)
Award last edited on: 2/19/2024

Sponsored Program
SBIR
Awarding Agency
DOD : AF
Total Award Amount
$2,296,392
Award Phase
2
Solicitation Topic Code
AF193-CSO1
Principal Investigator
Josh Metheney

Company Information

Solute Inc (AKA: Solute Consulting)

1660 Hotel Circle North Suite 600
San Diego, CA 92108
   (619) 758-9900
   info@solute.us
   www.solute.us
Location: Multiple
Congr. District: 53
County: San Diego

Phase I

Contract Number: FA8649-20-P-0219
Start Date: 12/12/2019    Completed: 12/12/2020
Phase I year
2020
Phase I Amount
$49,492
DCOR complements the DoD Centralized Artifacts Repository (DCAR) by leveraging the Kubernetes (k8s) Operator Framework to prove complete lifecycle management of the hardened containers provided by DCAR. The k8s Operator Framework allows for automated deployment and operation of cyber-resilient, highly available, containerized services. DCOR will include automated processes for cyber security compliance / validation of operators in a CI/CD pipeline similar to DCAR. While DCAR provides the hardened containers, DCOR will provide hardened operators that ensure that deployed services are secure, reliable, and highly available.

Phase II

Contract Number: FA8649-20-C-0159
Start Date: 6/4/2020    Completed: 2/7/2022
Phase II year
2020
Phase II Amount
$2,246,900
The Kubernetes (k8s) community has developed the Kubernetes Operator Framework as a means to automate and manage the full lifecycle of containerized services. A Kubernetes Operator manages (automates) how a service is deployed, monitored, scaled, secured, and upgraded, and how it responds to failure conditions. The Operator translates what was previously “tribal knowledge” into a codified, reusable set of Infrastructure as Code components. The Operator automates the best-practice process of deploying and maintaining secure and stable services.

The k8s community has developed several open source projects, such as the Operator Lifecycle Manager (OLM), Operator SDK, and the Operator Registry, that form the foundation of the commercial Kubernetes Operator Framework. The Operator Framework is now being widely used by commercial / non-governmental organizations as the primary mechanism to automate service deployment in Kubernetes. Several commercial and open source PaaS offerings (Red Hat OpenShift, OKD, Rancher, etc.) now include the Operator Framework. Many open source and commercial software vendors are now providing Operators for their services (EnterpriseDB, Elasticsearch, etc.). This demonstrates widespread commercial viability, long-term community and commercial adoption, and reduced technical risk.

Despite the utility and popularity of the Kubernetes Operator Framework, there are impediments to direct use within the Air Force. Consider that there are many publicly available Docker / OCI containers at sites like Docker Hub. However, the Air Force determined that these containers cannot be trusted from a security, stability, and quality standpoint. Thus, the Air Force / DoD built the DoD Centralized Artifact Repository, based on a set of popular open source projects, to provide reusable, vetted, hardened containers to the broader DoD / Air Force. Similarly, commercial industry has a public operator repository called OperatorHub, located at “operatorhub.io”. However, like the containers at Docker Hub, these operators are not vetted, and consumers need direct internet access to pull Operators from this public repository.

To leverage the power of Operators in mission systems, the Air Force will require a DoD-controlled repository that 1) contains security-hardened, vetted Operators, 2) provides cyber security evidence in support of a Continuous ATO, and 3) can be deployed on non-internet-accessible networks. Thus, SOLUTE proposes the development of the DoD Centralized Operator Registry (DCOR), which is analogous to DCAR but for vetted, secure Kubernetes Operators. The development of DCOR will significantly accelerate the Air Force’s ability to leverage Kubernetes Operators and enable more rapid delivery of secure, scalable, and high-quality next generation mission systems. DCOR perfectly complements, leverages, and integrates with DCAR and aligns with the recently published DoD CIO DevSecOps Initiative Reference Design.