Core Features
Networking, identity, logging, monitoring, runtime security, backup, and policy — what each layer does and why.
UDS Core is a curated collection of platform capabilities packaged as a single deployable Zarf package. It establishes a secure, compliant baseline for cloud-native systems, particularly those operating in highly regulated or air-gapped environments.
At its heart, UDS Core answers a fundamental question for teams building on Kubernetes: what secure platform layer do I need before I deploy my application? UDS Core is that layer.
UDS Core is organized into functional layers — discrete Zarf packages grouped by capability.
| Layer | What it provides |
|---|---|
| core-base | Required. Istio, UDS Operator, Pepr Policy Engine |
| core-identity-authorization | Keycloak + Authservice (SSO) |
| core-metrics-server | Kubernetes Metrics Server |
| core-runtime-security | Falco |
| core-logging | Vector + Loki |
| core-monitoring | Prometheus + Grafana + Alertmanager + Blackbox Exporter |
| core-backup-restore | Velero |
The UDS Operator is the control plane for UDS Core. The key integration point is the UDS Package custom resource (CR) — teams create a Package CR declaring networking intent, SSO requirements, and monitoring needs. The operator reconciles the CR and creates all necessary platform resources automatically.
It watches for Package, Exemption, and ClusterConfig custom resources. When a Package CR is created or updated, the operator creates:

- VirtualService and AuthorizationPolicy resources to control traffic
- NetworkPolicy resources to enforce network boundaries
- ServiceMonitor, PodMonitor, and blackbox probe resources for Prometheus to scrape application metrics

This automation means platform teams don’t need to write low-level Istio or Kubernetes networking configuration for each application, nor manually configure SSO for each app — the Package CR drives all of it from a single declaration.
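As an added illustration (not taken from the UDS Core documentation or repository), the following Package CR declares all three kinds of intent for a hypothetical application `inventory-api` in namespace `inventory`. The field names follow the `uds.dev/v1alpha1` Package schema as the editor understands it (`network.expose`, `network.allow`, `sso`, `monitor`); the application, namespace, ports, client id and the `uds.dev` hostname are constructed for the example, so check both against the CRD reference for your UDS Core version before reuse.

```yaml
# Added example, not from the UDS Core docs. Field names are assumed from the
# uds.dev/v1alpha1 Package schema; all application-specific values are constructed.
apiVersion: uds.dev/v1alpha1
kind: Package
metadata:
  name: inventory-api
  namespace: inventory
spec:
  network:
    # Networking intent: one public endpoint on the tenant gateway. The operator
    # turns this into an Istio VirtualService plus the NetworkPolicy that admits
    # gateway traffic to the selected pods.
    expose:
      - service: inventory-api
        selector:
          app: inventory-api
        gateway: tenant
        host: inventory          # served as inventory.<tenant domain>
        port: 8080
    # The namespace is default-deny; only the flows listed here are opened.
    allow:
      - direction: Ingress
        remoteGenerated: IntraNamespace
        description: "Pods in this namespace may reach each other"
      - direction: Egress
        selector:
          app: inventory-api
        remoteNamespace: inventory-db     # constructed peer namespace
        remoteSelector:
          app: postgres
        port: 5432
        description: "API to its database, nothing else"
      - direction: Egress
        selector:
          app: inventory-api
        remoteGenerated: KubeAPI
        description: "Kubernetes API access, operator keeps the API IPs current"
  sso:
    # SSO requirement: the operator registers a Keycloak client and, because a
    # selector is given, fronts the matching pods with Authservice so that
    # unauthenticated requests never reach the application container.
    - name: Inventory API
      clientId: uds-core-inventory-api
      redirectUris:
        - "https://inventory.uds.dev/oauth2/callback"   # assumes the default uds.dev tenant domain
      enableAuthserviceSelector:
        app: inventory-api
  monitor:
    # Monitoring need: the operator emits a ServiceMonitor that Prometheus scrapes
    # over the mesh; no hand-written ServiceMonitor or scrape config is required.
    - selector:
        app: inventory-api
      portName: metrics
      targetPort: 9090
      path: /metrics
      description: "Application metrics"
```

The useful property for review is that the `allow` list is the complete statement of what the application may talk to: a reviewer can read the security posture of the namespace from this one resource instead of reconstructing it from generated NetworkPolicy and AuthorizationPolicy objects.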
The UDS Policy Engine (built on Pepr) runs as admission webhooks alongside the operator. It enforces a security baseline across all workloads — preventing privileged containers, enforcing non-root execution, restricting volume types, and more. Policies run as both mutations (automatically correcting safe defaults) and validations (blocking unsafe configurations). For the full list of enforced policies, see the Policy Engine reference.
When a workload legitimately needs an exemption, teams create an Exemption CR to declare the exemption explicitly, keeping the audit trail clear.
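An added example of such a declaration (editor-supplied, not from the UDS Core docs): an Exemption CR for a hypothetical host-level agent that genuinely needs a privileged container and a hostPath volume. The policy names `DisallowPrivileged` and `RestrictVolumeTypes` and the `uds-policy-exemptions` namespace are assumed from the editor's knowledge of UDS Core and should be confirmed against the Policy Engine reference; the workload, namespace and ticket reference are placeholders.

```yaml
# Added example, not from the UDS Core docs. Policy names and the exemption
# namespace are assumptions to verify against the Policy Engine reference;
# the agent, its namespace and the ticket id are constructed placeholders.
apiVersion: uds.dev/v1alpha1
kind: Exemption
metadata:
  name: node-agent
  namespace: uds-policy-exemptions
spec:
  exemptions:
    # One entry per justified deviation. The title and description are the
    # audit trail: they say who needs what and why, and point at the tracking record.
    - title: "node-agent reads host kernel counters"
      description: "Requires a privileged container and a read-only hostPath mount; tracked in <TICKET-ID>"
      policies:
        - DisallowPrivileged
        - RestrictVolumeTypes
      # Scope as narrowly as the matcher allows: one namespace, one pod-name
      # pattern, one resource kind. Anything else in the cluster stays enforced.
      matcher:
        namespace: node-agent
        name: "^node-agent-.*"
        kind: pod
```

Because the exemption lives in its own resource rather than as an annotation on the workload, a cluster-wide `kubectl get exemptions -A` (an ordinary kubectl query, assuming the CRD is installed) lists every policy deviation in force, which is what an auditor or incident responder wants to enumerate first.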