Shared responsibility model

With Edge Appliance, Google Distributed Cloud Virtual for Bare Metal runs directly on the appliance, and you have been granted the cluster administrator role. Since workloads run directly on the bare metal, there are no performance losses due to virtualization.

Because there is no security boundary between your workloads and the host OS, this model assumes that you have access to the host OS. As a result, your workloads could potentially change OS settings, such as enabling SSH. You also have access to any Google-managed applications on the appliance, so you could break those applications or their update mechanisms.

This is similar to the Shared Responsibility Model provided by Anthos products: Google provides secure binaries with secure defaults, and it's up to the customer to securely run and update them.

Responsibilities by component

Hardware
  Google's responsibilities
  • Provide a tamper resistant device
  Customer's responsibilities
  • Restrict physical device access

Firmware + OS
  Google's responsibilities
  • Provide a secure OS with frequent updates
  • Fix security vulnerabilities in a timely manner
  • Maintain an auto-update system
  • Device is shipped with secure OS settings (e.g. no SSH access)
  • Factory reset functionality for restoring secure settings
  Customer's responsibilities
  • Monitor appliance's OS version (via the Google Cloud console and alerts)
  • Connect the appliance to the internet when it needs to be updated
  • Maintain secure default settings, and/or take responsibility for any setting changes

Workloads
  Google's responsibilities
  • Provide Google application binaries and updates
  • Provide secure Kubernetes distribution and container runtime
  • Maintain an auto-update system
  Customer's responsibilities
  • Issues caused by modifying Google-provided applications, such as changing settings or killing processes. This includes modifying or blocking any auto-update systems
  • Monitor software versions via Google Cloud console and alerts
  • Provide internet connectivity when needed for updates