Management Plane Model
Purpose
This model defines where administrative endpoints live, how administrators authenticate, and which networks can reach management services.
Management Reachability
```mermaid
flowchart LR
    Admin[Admin Operator] -->|SSH / Git / HTTPS| MgmtEndpoints[Management Endpoints]
    PolicyNote["No inbound path from Internet"]
    subgraph Home["Home Network Boundary"]
        AdminLAN[Admin LAN] --> MgmtEndpoints
        VPN[Admin via VPN] --> MgmtEndpoints
    end
    MgmtEndpoints --> ControlPlane[Control Plane Services]
    MgmtEndpoints --> Nodes[Cluster Nodes]
    Internet((Internet)) -.-> PolicyNote
```
Access Rules
- Management endpoints are never exposed to the public internet.
- Only admin devices on Admin LAN or VPN can reach management endpoints.
- Administrative access requires MFA and membership in privileged IdP groups.
Authentication Requirements
- SSH: Keys or short-lived certificates only; passwords are forbidden.
- Git/HTTPS: SSO with MFA enforced; audit logging enabled.
- Break-Glass: Emergency accounts are stored in a secure vault and rotated after use.
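
An added example, not part of the original model: a Python check that audits `sshd -T` (effective configuration) output against the SSH rule above and the reachability rule under Access Rules. The management CIDRs and both sample excerpts are constructed assumptions, and the keyword names assume a current OpenSSH release.

```python
import ipaddress

# Assumption: example Admin LAN and VPN ranges; replace with your own.
MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24"),
             ipaddress.ip_network("10.99.0.0/24")]

# Constructed `sshd -T` excerpts (effective config, lowercase keywords).
WEAK = """passwordauthentication yes
kbdinteractiveauthentication no
pubkeyauthentication yes
listenaddress 0.0.0.0:22
listenaddress [::]:22
"""
HARDENED = """passwordauthentication no
kbdinteractiveauthentication no
pubkeyauthentication yes
listenaddress 10.10.0.5:22
"""

def parse_effective(text):
    """Parse 'keyword value' lines into {keyword: [values]}."""
    cfg = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key:
            cfg.setdefault(key.lower(), []).append(value.strip())
    return cfg

def listen_host(value):
    """Return the host part of 'addr:port' or '[v6addr]:port'."""
    if value.startswith("["):
        return value[1:value.index("]")]
    return value.rsplit(":", 1)[0]

def audit(text, mgmt_nets=MGMT_NETS):
    """Return policy findings; an empty list means compliant."""
    cfg = parse_effective(text)
    findings = []
    # Passwords are forbidden: a missing keyword is treated as a failure.
    for key in ("passwordauthentication", "kbdinteractiveauthentication"):
        if cfg.get(key, ["yes"])[-1] != "no":
            findings.append(f"{key} must be 'no'")
    if cfg.get("pubkeyauthentication", ["no"])[-1] != "yes":
        findings.append("pubkeyauthentication must be 'yes'")
    # Management endpoints may listen only on Admin LAN or VPN addresses.
    for value in cfg.get("listenaddress", ["0.0.0.0:22"]):
        addr = ipaddress.ip_address(listen_host(value))
        if not any(addr in net for net in mgmt_nets):
            findings.append(f"listenaddress {value} is outside management networks")
    return findings
```

In practice the input would come from running `sshd -T` as root on each management endpoint; wildcard listeners are flagged even when a firewall restricts them, so that the bind address and the network policy agree.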