
Shared Responsibility Model

Shared Responsibility

To provide a secure, reliable, and efficient managed service, it is essential to have a clear understanding of which responsibilities are handled by our team and which are handled by you, the customer. The Contain Platform operates on a shared responsibility model, which is a standard practice in cloud and managed services.

We share the responsibility with you for managing the components required to host your application workloads. How we divide these responsibilities depends on the infrastructure provider and our agreement. In some cases, we manage everything except your application workload. In others, we operate clusters and services on infrastructure that you manage. Regardless of the model, you are ultimately responsible for using the provided services and components securely, in line with your cluster's accepted risk profile. For example, your risk profile might allow over-provisioning resources in a development environment but not in production.

In short: we manage the platform and its managed services, and you manage your applications running on the platform.

This division of responsibility allows your team to focus on building and delivering value through your applications, while we handle the significant operational burden of managing a complex, production-grade Kubernetes environment.

[Diagram: Shared Responsibility. Layers: Application, Platform, Infrastructure. Application: Code, Images, Configuration, App Security, Data Ownership, Instrumentation, Resources, Deployment. Platform: Control Plane, Worker Nodes, Components, Security, Services, Guardrails. Infrastructure: Customer Datacenters, Public Cloud, Contain Datacenters, Customer IaaS, Air-Gapped, Cloud Services, Cloud IaaS, Contain IaaS. Legend: Customer, Contain, Hyperscaler, Customer + Contain, All.]

Our Responsibility (Managing the Platform)

We are responsible for the entire lifecycle, security, and operation of the Contain Platform itself. This includes the Kubernetes clusters and all the core services that support them.

Our key responsibilities include:

  • Underlying Infrastructure: We manage the physical servers, networking, and storage in our datacenters or the cloud provider environment.
  • Kubernetes Control Plane: We manage the health, availability, security, and upgrades of the Kubernetes API server, scheduler, etcd, and other control plane components.
  • Worker Nodes: We manage the virtual or physical machines that your applications run on. This includes patching the operating system, managing the container runtime, and ensuring node health and scaling.
  • Core Components: We manage the full stack of curated components that make up our Contain Base service. This includes essential services for networking (CNI), storage (CSI), ingress, DNS, certificate management, security policy, and observability agents.
  • Platform Security: We are responsible for the security of the platform, ensuring it is configured according to industry best practices, hardened against threats, and meets compliance standards.
  • Guardrails: We develop and maintain guardrails to help you create and run your applications as securely as possible.
  • Managed Services: We deploy and operate all of the managed services offered as part of the Contain Platform.

Your Responsibility (Managing Your Applications)

You are responsible for the applications and workloads that you build and deploy onto the platform. This gives you full control over your application's logic, configuration, and internal security.

Your key responsibilities include:

  • Application Code & Images: You own your application's source code, its container images, and all of their third-party dependencies.
  • Application Configuration: You define your application's desired state using Kubernetes manifests (e.g., Deployments, Services, ConfigMaps) and manage this configuration via your GitOps repository.
  • Application Security: You are responsible for the security of the inner workings of your own code. This includes scanning your container images for vulnerabilities, managing application-level secrets, and defining the appropriate RBAC (Role-Based Access Control) rules for your application's users and service accounts. The Contain Platform provides services that may help you with some of these aspects, but it doesn't inherently ensure that your application itself is secure.
  • Data: You own your application data and are responsible for its security, backup, and recovery strategy. We still have responsibilities here: we are responsible for making sure the services you use (backup, databases, etc.) are working and running.
  • Resource Management: You manage the resource requests and limits (CPU and memory) for your applications to ensure they run efficiently and have the resources they need.
  • Application Observability (if enabled): You are responsible for instrumenting your applications to expose metrics, logs, and traces, which can then be consumed by our central observability platform.