{"id":"runtime-operations-require-integrated-networking-and-resource-governance","text":"Running workloads require two independently governed infrastructure stacks simultaneously: the networking/observability stack (OVN-Kubernetes + Multus + eBPF flow collection + dual-stack addressing) provides connectivity and visibility, while the resource governance stack (autoscaling + scheduling + quotas + storage placement) controls capacity and placement — both operating within the identity and quota governance model","truth_value":"IN","source":"","source_url":"","source_hash":"","justifications":[{"type":"SL","antecedents":["networking-and-observability-integrated-stack","autoscaling-placement-within-governance"],"outlist":[],"label":"depth-5 — two d4 conclusions covering complementary runtime concerns (networking vs resources) combine to define the complete runtime infrastructure contract"}],"dependents":[],"metadata":{},"explanation":{"steps":[{"node":"runtime-operations-require-integrated-networking-and-resource-governance","truth_value":"IN","reason":"SL justification valid","antecedents":["networking-and-observability-integrated-stack","autoscaling-placement-within-governance"],"label":"depth-5 — two d4 conclusions covering complementary runtime concerns (networking vs resources) combine to define the complete runtime infrastructure contract"},{"node":"networking-and-observability-integrated-stack","truth_value":"IN","reason":"SL justification valid","antecedents":["complete-networking-discovery-data-and-addressing","observability-follows-platform-enablement-pattern"],"label":"Networking and network observability are architecturally coupled — observability consumes the CNI stack it monitors, and both require explicit enablement beyond defaults."},{"node":"complete-networking-discovery-data-and-addressing","truth_value":"IN","reason":"SL justification valid","antecedents":["cluster-networking-spans-discovery-and-data-plane","network-architecture-layered-with-dual-stack-constraints"],"label":"Both depth-2 nodes share multi-CNI architecture as foundation but capture orthogonal concerns (discovery+data vs addressing+constraints); combining reveals that addressing constraints propagate back to restrict data plane options"},{"node":"cluster-networking-spans-discovery-and-data-plane","truth_value":"IN","reason":"SL justification valid","antecedents":["dns-service-discovery-architecture","multi-cni-network-architecture"],"label":"depth-2 — discovery and data plane are independently architected but jointly required for connectivity"},{"node":"dns-service-discovery-architecture","truth_value":"IN","reason":"SL justification valid","antecedents":["dns-operator-deploys-coredns-daemonset","dns-cluster-ip-10th-address-service-cidr","dns-cluster-local-invalid-forwarding-zone","ocp-dns-naming-convention"],"label":"DNS architecture is fully deterministic from the service CIDR — the IP, naming, and forwarding constraints form a closed system"},{"node":"dns-operator-deploys-coredns-daemonset","truth_value":"IN","reason":"premise"},{"node":"dns-cluster-ip-10th-address-service-cidr","truth_value":"IN","reason":"premise"},{"node":"dns-cluster-local-invalid-forwarding-zone","truth_value":"IN","reason":"premise"},{"node":"ocp-dns-naming-convention","truth_value":"IN","reason":"premise"},{"node":"multi-cni-network-architecture","truth_value":"IN","reason":"SL justification valid","antecedents":["ocp-default-cni-shifted-to-ovn-kubernetes","ocp-multus-cni-multiple-interfaces","multus-cni-enables-multiple-network-attachments","pods-reference-nads-via-annotation"],"label":"Primary + meta-plugin + secondary plugin layering defines the network model"},{"node":"ocp-default-cni-shifted-to-ovn-kubernetes","truth_value":"IN","reason":"premise"},{"node":"ocp-multus-cni-multiple-interfaces","truth_value":"IN","reason":"premise"},{"node":"multus-cni-enables-multiple-network-attachments","truth_value":"IN","reason":"premise"},{"node":"pods-reference-nads-via-annotation","truth_value":"IN","reason":"premise"},{"node":"network-architecture-layered-with-dual-stack-constraints","truth_value":"IN","reason":"SL justification valid","antecedents":["multi-cni-network-architecture","dual-stack-networking-with-constraints"],"label":"The CNI layering model and dual-stack addressing are orthogonal features that interact at constraint boundaries"},{"node":"multi-cni-network-architecture","truth_value":"IN","reason":"SL justification valid","antecedents":["ocp-default-cni-shifted-to-ovn-kubernetes","ocp-multus-cni-multiple-interfaces","multus-cni-enables-multiple-network-attachments","pods-reference-nads-via-annotation"],"label":"Primary + meta-plugin + secondary plugin layering defines the network model"},{"node":"ocp-default-cni-shifted-to-ovn-kubernetes","truth_value":"IN","reason":"premise"},{"node":"ocp-multus-cni-multiple-interfaces","truth_value":"IN","reason":"premise"},{"node":"multus-cni-enables-multiple-network-attachments","truth_value":"IN","reason":"premise"},{"node":"pods-reference-nads-via-annotation","truth_value":"IN","reason":"premise"},{"node":"dual-stack-networking-with-constraints","truth_value":"IN","reason":"SL justification valid","antecedents":["ocp-supports-dual-stack-ipv4-ipv6","ovn-kubernetes-single-service-network-block","udn-default-mtu-1400","ocp-virt-no-single-stack-ipv6"],"label":"Dual-stack support exists but with per-component constraints"},{"node":"ocp-supports-dual-stack-ipv4-ipv6","truth_value":"IN","reason":"premise"},{"node":"ovn-kubernetes-single-service-network-block","truth_value":"IN","reason":"premise"},{"node":"udn-default-mtu-1400","truth_value":"IN","reason":"premise"},{"node":"ocp-virt-no-single-stack-ipv6","truth_value":"IN","reason":"premise"},{"node":"observability-follows-platform-enablement-pattern","truth_value":"IN","reason":"SL justification valid","antecedents":["observability-requires-layered-enablement","explicit-multi-component-enablement-pattern"],"label":"depth-2 observability enablement + depth-2 multi-component pattern reveal observability as an instance of a platform-wide architectural pattern"},{"node":"observability-requires-layered-enablement","truth_value":"IN","reason":"SL justification valid","antecedents":["monitoring-stack-layered-architecture","monitoring-requires-explicit-enablement-beyond-platform"],"label":"Architecture is layered AND enablement is layered — two independent dimensions that compound operational complexity"},{"node":"monitoring-stack-layered-architecture","truth_value":"IN","reason":"SL justification valid","antecedents":["ocp-alertingrule-generates-prometheusrule","ocp-alertrelabelconfig-before-alertmanager","ocp-inhibit-rules-source-target-matching"],"label":"Three sequential processing stages form a coherent alert pipeline from rule firing to delivery"},{"node":"ocp-alertingrule-generates-prometheusrule","truth_value":"IN","reason":"premise"},{"node":"ocp-alertrelabelconfig-before-alertmanager","truth_value":"IN","reason":"premise"},{"node":"ocp-inhibit-rules-source-target-matching","truth_value":"IN","reason":"premise"},{"node":"monitoring-requires-explicit-enablement-beyond-platform","truth_value":"IN","reason":"SL justification valid","antecedents":["ocp-cluster-monitoring-default-user-workload-explicit","user-defined-monitoring-not-default","distributed-tracing-not-enabled-by-default"],"label":"Consistent pattern of opt-in for non-platform observability features"},{"node":"ocp-cluster-monitoring-default-user-workload-explicit","truth_value":"IN","reason":"premise"},{"node":"user-defined-monitoring-not-default","truth_value":"IN","reason":"premise"},{"node":"distributed-tracing-not-enabled-by-default","truth_value":"IN","reason":"premise"},{"node":"explicit-multi-component-enablement-pattern","truth_value":"IN","reason":"SL justification valid","antecedents":["service-mesh-multi-operator-architecture","monitoring-requires-explicit-enablement-beyond-platform"],"label":"depth-2 — both mesh and advanced observability share the explicit-enablement-beyond-defaults pattern"},{"node":"service-mesh-multi-operator-architecture","truth_value":"IN","reason":"SL justification valid","antecedents":["service-mesh-requires-multiple-operators","service-mesh-multi-tenant-default","service-mesh-3x-based-on-istio-sail","serverless-integrates-with-service-mesh"],"label":"Service Mesh architectural properties combine into a distinct multi-operator multi-tenant model"},{"node":"service-mesh-requires-multiple-operators","truth_value":"IN","reason":"premise"},{"node":"service-mesh-multi-tenant-default","truth_value":"IN","reason":"premise"},{"node":"service-mesh-3x-based-on-istio-sail","truth_value":"IN","reason":"premise"},{"node":"serverless-integrates-with-service-mesh","truth_value":"IN","reason":"premise"},{"node":"monitoring-requires-explicit-enablement-beyond-platform","truth_value":"IN","reason":"SL justification valid","antecedents":["ocp-cluster-monitoring-default-user-workload-explicit","user-defined-monitoring-not-default","distributed-tracing-not-enabled-by-default"],"label":"Consistent pattern of opt-in for non-platform observability features"},{"node":"ocp-cluster-monitoring-default-user-workload-explicit","truth_value":"IN","reason":"premise"},{"node":"user-defined-monitoring-not-default","truth_value":"IN","reason":"premise"},{"node":"distributed-tracing-not-enabled-by-default","truth_value":"IN","reason":"premise"},{"node":"autoscaling-placement-within-governance","truth_value":"IN","reason":"SL justification valid","antecedents":["autoscaling-and-placement-resource-management","governance-spans-identity-resources-and-namespaces"],"label":"Connects resource management (depth-3) with governance (depth-3) — autoscaling is not ungoverned"},{"node":"autoscaling-and-placement-resource-management","truth_value":"IN","reason":"SL justification valid","antecedents":["multi-level-autoscaling-architecture","workload-placement-requires-storage-and-scheduling"],"label":"Autoscaling determines how much capacity exists; scheduling determines where workloads land — combining reveals the full resource management picture."},{"node":"multi-level-autoscaling-architecture","truth_value":"IN","reason":"SL justification valid","antecedents":["keda-custom-metrics-autoscaling-model","autoscaler-requires-machine-autoscaler"],"label":"depth-1 KEDA model covers pod-level scaling; base autoscaler belief covers infrastructure-level; combining reveals a three-tier architecture where each tier scales independently but infrastructure scaling gates the capacity available to pod-level scaling"},{"node":"keda-custom-metrics-autoscaling-model","truth_value":"IN","reason":"SL justification valid","antecedents":["keda-custom-resources","keda-trigger-types","vpa-adjusts-requests-limits"],"label":"KEDA horizontal and VPA vertical autoscaling form a complete scaling model"},{"node":"keda-custom-resources","truth_value":"IN","reason":"premise"},{"node":"keda-trigger-types","truth_value":"IN","reason":"premise"},{"node":"vpa-adjusts-requests-limits","truth_value":"IN","reason":"premise"},{"node":"autoscaler-requires-machine-autoscaler","truth_value":"IN","reason":"premise"},{"node":"workload-placement-requires-storage-and-scheduling","truth_value":"IN","reason":"SL justification valid","antecedents":["scheduling-constraints-multi-dimensional","storage-lifecycle-from-provisioning-to-reclaim"],"label":"Both depth-1 nodes represent independent constraint domains that must be jointly satisfied; a pod can match scheduling rules but fail on storage binding, or have storage available but be unschedulable — neither alone determines placement"},{"node":"scheduling-constraints-multi-dimensional","truth_value":"IN","reason":"SL justification valid","antecedents":["node-selector-operators","node-taint-effects-three","affinity-label-selector-operators","scheduling-gates-set-at-creation-only","scheduler-default-node-selector-intersection","topology-manager-single-numa-strictest"],"label":"depth-1 grouping — scheduling is multi-dimensional constraint satisfaction, not simple matching"},{"node":"node-selector-operators","truth_value":"IN","reason":"premise"},{"node":"node-taint-effects-three","truth_value":"IN","reason":"premise"},{"node":"affinity-label-selector-operators","truth_value":"IN","reason":"premise"},{"node":"scheduling-gates-set-at-creation-only","truth_value":"IN","reason":"premise"},{"node":"scheduler-default-node-selector-intersection","truth_value":"IN","reason":"premise"},{"node":"topology-manager-single-numa-strictest","truth_value":"IN","reason":"premise"},{"node":"storage-lifecycle-from-provisioning-to-reclaim","truth_value":"IN","reason":"SL justification valid","antecedents":["ocp-storage-uses-csi-plugin-architecture","pvc-three-phases","unbound-pvc-waits-indefinitely","storageclass-default-reclaimpolicy-delete"],"label":"depth-1 grouping — storage resources follow a complete lifecycle with specific phase transitions and cleanup semantics"},{"node":"ocp-storage-uses-csi-plugin-architecture","truth_value":"IN","reason":"premise"},{"node":"pvc-three-phases","truth_value":"IN","reason":"premise"},{"node":"unbound-pvc-waits-indefinitely","truth_value":"IN","reason":"premise"},{"node":"storageclass-default-reclaimpolicy-delete","truth_value":"IN","reason":"premise"},{"node":"governance-spans-identity-resources-and-namespaces","truth_value":"IN","reason":"SL justification valid","antecedents":["authorization-and-resource-governance-model","openshift-identity-lifecycle-chain","project-self-provisioning-governance"],"label":"Depth-3 — the three governance layers (identity, resource, namespace) interact: project self-provisioning is constrained by both identity chain and resource quotas"},{"node":"authorization-and-resource-governance-model","truth_value":"IN","reason":"SL justification valid","antecedents":["openshift-extends-k8s-authorization-model","quota-forces-complete-resource-declarations"],"label":"Authorization gates who can act; quotas gate how much — both enforce strictness"},{"node":"openshift-extends-k8s-authorization-model","truth_value":"IN","reason":"SL justification valid","antecedents":["ocp-two-authorization-api-groups","openshift-has-own-authorization-api","scc-api-group-security-openshift","default-clusterroles-list"],"label":"Parallel authorization APIs reflect OpenShift's extension of Kubernetes security model"},{"node":"ocp-two-authorization-api-groups","truth_value":"IN","reason":"premise"},{"node":"openshift-has-own-authorization-api","truth_value":"IN","reason":"premise"},{"node":"scc-api-group-security-openshift","truth_value":"IN","reason":"premise"},{"node":"default-clusterroles-list","truth_value":"IN","reason":"premise"},{"node":"quota-forces-complete-resource-declarations","truth_value":"IN","reason":"SL justification valid","antecedents":["ocp-quota-forces-explicit-resource-specs","ocp-extended-resources-no-overcommit"],"label":"Quotas enforce exhaustive resource declarations with no implicit defaults"},{"node":"ocp-quota-forces-explicit-resource-specs","truth_value":"IN","reason":"premise"},{"node":"ocp-extended-resources-no-overcommit","truth_value":"IN","reason":"premise"},{"node":"openshift-identity-lifecycle-chain","truth_value":"IN","reason":"SL justification valid","antecedents":["oauth-config-singleton-named-cluster","oauth-requires-integratedoauth-type","user-api-group-user-openshift-io","useridentitymapping-maps-user-to-identity","oauthclientauthorization-delete-revokes"],"label":"Five resources form a directed chain from authentication config to session lifecycle"},{"node":"oauth-config-singleton-named-cluster","truth_value":"IN","reason":"premise"},{"node":"oauth-requires-integratedoauth-type","truth_value":"IN","reason":"premise"},{"node":"user-api-group-user-openshift-io","truth_value":"IN","reason":"premise"},{"node":"useridentitymapping-maps-user-to-identity","truth_value":"IN","reason":"premise"},{"node":"oauthclientauthorization-delete-revokes","truth_value":"IN","reason":"premise"},{"node":"project-self-provisioning-governance","truth_value":"IN","reason":"SL justification valid","antecedents":["ocp-admin-can-disable-self-provisioning","ocp-disable-self-provisioning-two-steps","project-request-template-in-openshift-config-ns","project-request-message-shown-when-denied"],"label":"Four beliefs describe the complete self-provisioning governance lifecycle"},{"node":"ocp-admin-can-disable-self-provisioning","truth_value":"IN","reason":"premise"},{"node":"ocp-disable-self-provisioning-two-steps","truth_value":"IN","reason":"premise"},{"node":"project-request-template-in-openshift-config-ns","truth_value":"IN","reason":"premise"},{"node":"project-request-message-shown-when-denied","truth_value":"IN","reason":"premise"}]}}