Platform Provides
- Networking & mTLS
- Identity & SSO
- Logging
- Monitoring
- Runtime Security
- Backup & Restore
- Policy & Compliance
Platform vs Application Layer
UDS Core provides a shared platform layer (networking, identity, observability, security, and backup) so application teams can focus on mission logic rather than infrastructure plumbing. This page clarifies the ownership boundary between the two layers. See the interactive architecture diagram for a visual overview.
Capability ownership
Section titled “Capability ownership”Application Teams Own
- Workload packaging
PackageCR declarations- Application configuration
- Data management & migrations
- Scaling & resource requests
How the two layers interact
Section titled “How the two layers interact”The Package CR is the contract between layers:
- App teams declare what they need: ingress routes, SSO clients, monitoring endpoints, network policy exceptions
- The platform fulfills how: Istio routing, Keycloak clients, UDS policies are all handled automatically
When an app needs a policy exception, the team creates an Exemption CR, keeping exceptions explicit, auditable, and separate from the Package CR.
See Core CRDs for details on both CRs.
Why this separation matters
Section titled “Why this separation matters”Consistency
Same security, networking, and observability baseline for every application.
Compliance
Platform-wide controls enforced uniformly, simplifying authorization.
Speed
Teams declare intent, not infrastructure details. Ship faster.
Upgradability
Platform and app workloads upgrade independently.