# Supported Design Patterns
Supported design patterns define technical and security requirements for integrating customer applications with the Game Warden platform. These patterns guide customers on architectural expectations, security compliance, and operational considerations to streamline onboarding and deployment.
## Architecture

| Specification | Details |
|---|---|
| Containerized applications | Applications must be containerized and comply with Open Container Initiative (OCI) standards. |
| Database seeding services or scripts | Provide database seeding services or scripts for Game Warden to execute, especially at IL4 where production database write access is restricted. |
| Complete applications | Applications must be fully functional before starting the onboarding process. |

| Specification | Details |
|---|---|
| Built-in database migration | Your organization should handle your own data and schema migrations. |
| Microservice architecture | Single service per container is preferred to promote reliability. |
| Dummy data for testing | Provide dummy data or data scrubbing methods for Staging (STG) environment testing. |
| End-to-end automated testing | Implement automated testing to validate application functionality. |
| Structured logs | Use structured logging to simplify observability and troubleshooting. |
| Configuration documentation | Provide documentation for configuration variables and APIs. |
| Simple Helm charts | Prefer Helm charts designed for Helminator, supported by detailed Authorization Boundary Diagrams. |
| Logs to stdout | Log to stdout for seamless collection and analysis with observability tools. |
| Detailed diagrams | Submit comprehensive Authorization Boundary Diagrams showing ports, protocols, and system architecture. |

| Specification | Details |
|---|---|
| Single points of failure | Must function reliably; Game Warden will assist with resilience improvements. |
| Monolithic applications | Accepted but increase operational complexity. |
| S3-hosted frontends | Supported with conversion to NGX containers as needed. |
| Own Helm charts or Kustomize manifests | Supported but Helm (via Helminator) is preferred. Knowledge of Kubernetes is required. |
| Mobile applications | Supported. |

| Specification | Details |
|---|---|
| Moving high Impact Level (IL) data to lower ILs | Prohibited to prevent data spillage. |
| External connections outside NIPRNet | Not supported; feature under future consideration. |
| IL4/IL5 access without Appgate SDP | Must use Appgate SDP or approved VPN when not on NIPRNet. |
## Security

| Specification | Details |
|---|---|
| Data classification adherence | Only approved classifications (CUI, PII, IL2, IL4, IL5, ITAR) are allowed. Contact Game Warden for IL6, SAP, or SCI data. |
| Keycloak integration | All applications must use Game Warden's Keycloak for access control. |
| ATO compliance | Applications must meet Authority to Operate (ATO) standards and address security vulnerabilities promptly. |
| Integration with DoD-approved authentication | Only Game Warden and Platform One authentication services are supported. |
| Government-issued access credentials | Common Access Card (CAC), External Certification Authority (ECA), or Personal Identity Verification (PIV) credentials are required for IL4+ access. |
| Regular updates | Applications must be maintained and updated to mitigate known vulnerabilities and remain aligned with the Acceptance Baseline Criteria. |
| Authorization Boundary Diagram | Provide a detailed diagram showing components, data flow, ports, protocols, and external connections. |
| Active DoD contract | Required for IL4+ deployment. |

| Specification | Details |
|---|---|
| Case-by-case external data transit | Requires Game Warden review and government approval. |
| Pre-scan with Anchore open source tools | Recommended before submitting images. |
| Data classification tagging | Use data tags (e.g., CUI) to aid in proper handling. |
| Known base containers | We recommend using Game Warden-provided or commonly supported base images, such as Universal Base Images (UBIs), which streamline security review and troubleshooting. |

| Specification | Details |
|---|---|
| Data pull operations | Allowed when initiated within the Game Warden boundary. |
| NIPRNet external connections | Permitted with NIPRNet IP whitelisting. |
| Iron Bank-based containers | Acceptable if they meet Iron Bank baseline standards. |

| Specification | Details |
|---|---|
| Hosting classified data | Prohibited on Game Warden; deployment to classified networks requires ODIN. |
| Data movement from higher to lower ILs | Strictly prohibited. |
| No Game Warden SSO for IL4/IL5 | Not supported; Game Warden SSO is mandatory at IL4/IL5. |
| Non-accredited external connections | External IL4/IL5 connections must be to accredited systems. |
| Unvetted commercial data streaming | Requires pre-approval discussion with Game Warden. |
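The structured-logs-to-stdout items in the Architecture tables and the data classification tagging item above, as an added example that is not Game Warden's own code: a Python formatter that emits one JSON object per line carrying an approved data tag, plus a line-level check you could run from your automated tests. The helper names, the `app` logger name and the required field set are assumptions.

```python
import io
import json
import logging
import sys
from datetime import datetime, timezone

ALLOWED_TAGS = {"CUI", "PII", "IL2", "IL4", "IL5", "ITAR"}  # approved tags listed on the page
REQUIRED_FIELDS = {"ts", "level", "logger", "msg", "classification"}  # assumed schema
class JsonFormatter(logging.Formatter):
    """One JSON object per line; every record carries a data classification tag."""
    def __init__(self, default_tag="CUI"):
        super().__init__()
        self.default_tag = default_tag
    def format(self, record):
        # A call may override the tag: log.info(..., extra={"classification": "PII"}).
        tag = getattr(record, "classification", self.default_tag)
        if tag not in ALLOWED_TAGS:
            raise ValueError(f"disallowed data tag: {tag}")  # record dropped; logging reports on stderr
        return json.dumps({
            "ts": datetime.fromtimestamp(record.created, timezone.utc).isoformat(),
            "level": record.levelname, "logger": record.name,
            "msg": record.getMessage(), "classification": tag,
        }, separators=(",", ":"))

def build_logger(stream=sys.stdout, default_tag="CUI"):
    """Hypothetical helper: standalone logger emitting JSON lines, to stdout by default."""
    handler = logging.StreamHandler(stream)
    handler.setFormatter(JsonFormatter(default_tag))
    logger = logging.Logger("app", logging.INFO)
    logger.addHandler(handler)
    return logger

def validate_log_line(line):
    """CI-style check on one emitted line: parseable JSON object, required fields, approved tag."""
    try:
        entry = json.loads(line)
    except json.JSONDecodeError as exc:
        return False, f"not JSON: {exc.msg}"
    if not isinstance(entry, dict) or not REQUIRED_FIELDS <= set(entry):
        return False, "not a JSON object with the required fields"
    if entry["classification"] not in ALLOWED_TAGS:
        return False, f"disallowed tag: {entry['classification']}"
    return True, "ok"

def capture_sample_logs():
    buf = io.StringIO()  # stands in for stdout; two constructed records follow
    log = build_logger(buf)
    log.info("user %s logged in", "alice")
    log.warning("record exported", extra={"classification": "PII"})
    return buf.getvalue().splitlines()
```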
## General

| Specification | Details |
|---|---|
| DoD contract for IL4/IL5 | An active DoD contract is required to deploy to the IL4 and IL5 Staging (STG) and Production (PRD) environments. |
| U.S. Citizenship | Required for engineers involved in deployment. |
| .mil domain association | Applications must deploy under afwerx.dso.mil. |

| Specification | Details |
|---|---|
| Knowledge of Kubernetes and microservices | Facilitates collaboration and troubleshooting. |
| Allow Game Warden to host/mirror code | Preferred; planned feature on the roadmap. |
| Proactive application testing | Recommended prior to deployment. |

| Specification | Details |
|---|---|
| IL2 deployment without DoD contract | Supported. |
| Use of AWS GovCloud East | Supported with future plans to expand to GovCloud West. |

| Specification | Details |
|---|---|
| No DoD contract for IL4+ | Cannot deploy beyond IL2 without an active DoD contract. |
## Roadmap

Have ideas for new features or improvements in Game Warden? We want to hear from you!
Visit our Game Warden Roadmap to see upcoming features, suggest enhancements, and vote on requests from the community.