RAISE 2.0 — System Security Plan
Secure Runtime Environment (SRE) • FIPS 199: Moderate-Moderate-Moderate

1. System Information

System Name: Secure Runtime Environment (SRE)
Acronym: SRE
Version: 2.0
eMASS ID:
Date: 2026-03-11
FIPS 199 Categorization: MODERATE — MODERATE — MODERATE (Confidentiality — Integrity — Availability)
System Type: IS Enclave — Kubernetes DevSecOps Platform
Operational Status: Operational
Authorization Type: ATO + RAISE 2.0 RPOC Designation

Description:
A government-compliant, open-source Kubernetes platform providing a hardened runtime for deploying containerized applications. Built on RKE2 (DISA STIG-certified), Rocky Linux 9.7 (FIPS 140-2 enabled), and the CNCF ecosystem. Targets ATO, CMMC 2.0 Level 2, FedRAMP Moderate, NIST 800-53 Rev 5, and DISA STIGs. Provides zero-trust networking (Istio mTLS STRICT), policy-as-code (Kyverno), full observability (Prometheus/Grafana/Loki/Tempo), secrets management (OpenBao + ESO), supply chain security (Harbor + Trivy + Cosign), and GitOps-driven deployment (Flux CD).

Authorization Boundary:
The SRE authorization boundary encompasses the entire Kubernetes cluster, including all control plane and worker nodes, the RKE2 distribution, all platform services deployed via Flux CD, the Istio service mesh, and all tenant workloads running within the cluster. External dependencies (DNS, NTP, upstream OS package repos) are outside the boundary. The cluster runs on Proxmox VE hypervisor infrastructure, which is documented separately.

2. Information System Owner & Key Personnel

3. System Environment

3.1 Hardware Inventory

Hostname     | Role                   | IP Address   | OS              | CPU    | RAM   | Storage
-------------|------------------------|--------------|-----------------|--------|-------|--------
sre-cp-1     | Control Plane (server) | 192.168.2.10 | Rocky Linux 9.7 | 4 vCPU | 16 GB | 100 GB
sre-worker-1 | Worker (agent)         | 192.168.2.11 | Rocky Linux 9.7 | 4 vCPU | 16 GB | 100 GB
sre-worker-2 | Worker (agent)         | 192.168.2.12 | Rocky Linux 9.7 | 4 vCPU | 16 GB | 100 GB

3.2 Software Inventory

Component                  | Version | Purpose                                                                          | Layer
---------------------------|---------|----------------------------------------------------------------------------------|---------
Rocky Linux                | 9.7     | Base operating system (DISA STIG hardened, FIPS enabled, SELinux enforcing)       | OS
RKE2                       | v1.34.4 | DISA STIG-certified Kubernetes distribution (FIPS 140-2, CIS Benchmark)           | Cluster
Flux CD                    | v2.8.1  | GitOps engine — continuous reconciliation of cluster state from Git               | Platform
Istio                      | 1.25.2  | Service mesh — mTLS STRICT, AuthorizationPolicy, traffic management               | Core
Kyverno                    | 3.3.7   | Policy engine — admission control, image verification, Pod Security Standards     | Core
cert-manager               | 1.14.4  | Certificate lifecycle management — internal CA, Let's Encrypt integration         | Core
kube-prometheus-stack      | 72.6.2  | Monitoring — Prometheus, Grafana, AlertManager                                    | Core
Grafana Loki               | 6.29.0  | Log aggregation and querying                                                      | Core
Grafana Alloy              | 0.12.2  | Log/trace/metric collection agent (replaces Promtail)                             | Core
Grafana Tempo              | 1.18.2  | Distributed tracing storage and querying                                          | Core
OpenBao                    | 0.9.0   | Secrets management (Vault-compatible, HA Raft storage, auto-unseal)               | Core
External Secrets Operator  | 0.9.13  | Sync secrets from OpenBao to Kubernetes Secrets                                   | Core
NeuVector                  | 2.8.6   | Runtime security — container scanning, network DLP/WAF, behavioral monitoring     | Core
Velero                     | 11.3.2  | Backup and disaster recovery (S3 backend, scheduled backups)                      | Core
MetalLB                    | 0.14.9  | Bare-metal LoadBalancer implementation (L2 mode, IP pool 192.168.2.200-210)       | Core
OAuth2 Proxy               | 7.6.0   | SSO gateway — Istio ext-authz integration with Keycloak OIDC                      | Core
Harbor                     | 1.16.3  | Container registry — Trivy scanning, Cosign verification, replication             | Addon
Keycloak                   | 24.8.1  | Identity & SSO — OIDC/SAML, MFA, RBAC group mapping                               | Addon

4. Authorization Boundary

The following diagram depicts the SRE authorization boundary, encompassing all cluster nodes, platform services, and tenant workloads. External systems (DNS, NTP, upstream repos, Proxmox hypervisor) are outside the boundary.

SRE AUTHORIZATION BOUNDARY
  Cluster nodes:
    sre-cp-1     (192.168.2.10): Rocky 9.7 STIG, RKE2 Server, SELinux Enforcing, FIPS 140-2
    sre-worker-1 (192.168.2.11): Rocky 9.7 STIG, RKE2 Agent,  SELinux Enforcing, FIPS 140-2
    sre-worker-2 (192.168.2.12): Rocky 9.7 STIG, RKE2 Agent,  SELinux Enforcing, FIPS 140-2
  KUBERNETES CLUSTER (RKE2 v1.34.4)
    PLATFORM SERVICES (Flux CD GitOps):
      Istio 1.25.2 (mTLS STRICT) / Kyverno 3.3.7 (Policy)
      cert-manager 1.14.4 / Prometheus/Grafana 72.6.2
      Loki 6.29.0 + Alloy 0.12.2 / Tempo 1.18.2
      OpenBao 0.9.0 + ESO 0.9.13 / NeuVector 2.8.6
      Harbor 1.16.3 / Keycloak 24.8.1 / MetalLB 0.14.9
      OAuth2 Proxy / Velero 11.3.2
    TENANT WORKLOADS:
      team-alpha / team-beta / ...
      (ResourceQuota, LimitRange, NetworkPolicy, Istio sidecar)
  MetalLB LB Pool (192.168.2.200-210):
    192.168.2.200 -> Istio Gateway (443/80)
    192.168.2.201 -> Harbor Registry

EXTERNAL (Outside Boundary)
  Proxmox VE Hypervisor
  DNS / NTP / Upstream Repos
  End User Browsers
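As an added illustration (not a manifest from the SRE repository), the four per-tenant controls named in the boundary diagram expressed for one tenant namespace. The namespace name team-alpha comes from the diagram; the quota and limit values and the policy names are assumed placeholders, and egress policy is left to explicit per-workload rules.

```yaml
# Constructed example: baseline objects for one SRE tenant namespace.
# Quota/limit numbers below are placeholders, not values from the SSP.
apiVersion: v1
kind: Namespace
metadata:
  name: team-alpha
  labels:
    istio-injection: enabled   # every pod receives the Istio sidecar (mTLS STRICT)
---
apiVersion: v1
kind: ResourceQuota            # caps aggregate tenant consumption
metadata:
  name: team-alpha-quota
  namespace: team-alpha
spec:
  hard:
    requests.cpu: "8"
    requests.memory: 16Gi
    limits.cpu: "16"
    limits.memory: 32Gi
    pods: "50"
---
apiVersion: v1
kind: LimitRange               # defaults so no container runs unbounded
metadata:
  name: team-alpha-limits
  namespace: team-alpha
spec:
  limits:
    - type: Container
      default:                 # applied when a container sets no limits
        cpu: 500m
        memory: 512Mi
      defaultRequest:          # applied when a container sets no requests
        cpu: 100m
        memory: 128Mi
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy            # default-deny ingress; allow rules are added per workload
metadata:
  name: default-deny-ingress
  namespace: team-alpha
spec:
  podSelector: {}              # selects every pod in the namespace
  policyTypes:
    - Ingress
```

With the ingress default-deny in place, traffic that the Istio mesh admits still has to be permitted by an explicit NetworkPolicy or AuthorizationPolicy, so both layers must agree before a flow reaches a tenant pod.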

5. Security Controls (NIST 800-53 Rev 5 — Moderate Baseline)