brevdev · theFong · Aug 5, 2025 · Aug 5, 2025 · Aug 5, 2025 · Aug 5, 2025
@@ -1,6 +1,6 @@
 # 🔒 Security Requirements
 
-This document outlines the security requirements and best practices for implementing cloud integrations with the Brev Compute SDK.
+This document outlines the security requirements and best practices for implementing cloud integrations with the Brev Compute SDK. If the cloud provider has a different security model, please indicate in the providers SECURITY.md file.
 
 ## 🌐 Network Security Requirements
 

@@ -0,0 +1,103 @@
+# FluidStack Provider
+
+FluidStack is an AI cloud platform designed for high-stakes AI workloads, offering bare-metal and virtualized instances with comprehensive security and compliance features.
+
+## Provider Information
+
+- **Provider Name**: `fluidstack`
+- **API Documentation**: https://docs.fluidstack.io/api/infrastructure/
+- **Base URL**: `https://api.fluidstack.io/v1alpha1`
+- **Authentication**: Bearer token (API key)
+
+## Supported Features
+
+### ✅ Instance Management
+- **Create Instance**: `POST /instances` - Create new instances with project scoping
+- **Get Instance**: `GET /instances/{id}` - Retrieve instance details
+- **List Instances**: `GET /instances` - List all instances in project
+- **Terminate Instance**: `DELETE /instances/{id}` - Delete instances
+- **Start Instance**: `POST /instances/{id}/start` - Start stopped instances
+- **Stop Instance**: `POST /instances/{id}/stop` - Stop running instances
+
+### ✅ Instance Types
+- **List Instance Types**: `GET /instance-types` - Get available instance configurations
+- **GPU Support**: NVIDIA GPU instances for AI/ML workloads
+- **Bare Metal & Virtualized**: Both deployment options available
+
+### ✅ Project Management
+- **Create Project**: `POST /projects` - Create isolated project environments
+- **List Projects**: `GET /projects` - List all projects
+- **Get Project**: `GET /projects/{id}` - Get project details
+- **Delete Project**: `DELETE /projects/{id}` - Remove projects
+- **Project Scoping**: All resources are scoped to projects via `X-PROJECT-ID` header
+
+### ✅ Security Features
+- **Disk Encryption**: Hardware-level self-encrypting drives (SEDs) for data at rest
+- **Transit Encryption**: SSL/TLS encryption for all network traffic
+- **Network Isolation**: Project-level isolation using VXLAN and eBPF
+- **Compliance**: HIPAA, GDPR, ISO27001, SOC 2 TYPE I certified
+
+### ✅ Additional Features
+- **Tagging**: Support for resource tagging and organization
+- **Filesystem Management**: Block and file storage management
+- **Kubernetes Clusters**: Managed Kubernetes cluster support
+- **Slurm Clusters**: Managed Slurm batch orchestration
+
+## Unsupported Features
+
+### ❌ Firewall Rules
+- **Individual Instance Firewalls**: No API endpoints for per-instance firewall rules
+- **Security Groups**: Uses project-level isolation instead of security groups
+- **Network ACLs**: No granular network access control lists
+
+### ❌ Storage Operations
+- **Volume Resizing**: No API support for resizing instance volumes
+- **Snapshot Management**: Volume snapshot operations not available
+- **Volume Attachment**: Dynamic volume attach/detach not supported
+
+### ❌ Advanced Networking
+- **VPC Management**: No virtual private cloud configuration
+- **Load Balancers**: No managed load balancer services
+- **Custom Networks**: Limited to project-level network isolation
+
+## Implementation Notes
+
+### Authentication
+```go
+client := NewFluidStackClient("your-api-key")
+```
+
+### Project Scoping
+All instance operations require a project context:
+```go
+// All API calls include X-PROJECT-ID header
+// Projects provide isolation boundary for resources
+```
+
+### Security Model
+- **Project-Level Isolation**: Resources are isolated at the project level
+- **Default Network Behavior**: Instances can egress to internet, communicate within project
+- **Encryption**: Automatic encryption at rest and in transit
+
+## API Capabilities
+
+FluidStack provides a comprehensive Infrastructure API with the following endpoint categories:
+
+- **Projects**: Full CRUD operations for project management
+- **Instances**: Complete instance lifecycle management
+- **Instance Types**: Hardware configuration discovery
+- **Filesystems**: Storage management operations
+- **Kubernetes**: Managed Kubernetes cluster operations
+- **Slurm**: Managed Slurm cluster operations
+- **Capacity**: Real-time capacity checking
+
+## Compliance & Security
+
+FluidStack meets enterprise security requirements with:
+- Hardware-level disk encryption using self-encrypting drives
+- SSL/TLS encryption for all network traffic
+- Tier-3 data centers with biometric access controls
+- Multiple compliance certifications (HIPAA, GDPR, ISO27001, SOC 2)
+- Project-level network isolation using VXLAN and eBPF
+
+For detailed security information, see [SECURITY.md](./SECURITY.md).
@@ -0,0 +1,121 @@
+# FluidStack Security Compliance
+
+This document outlines FluidStack's security capabilities and compliance with Brev's security requirements.
+
+## ✅ FULLY COMPLIANT
+
+### Disk Encryption
+- **Encryption at Rest**: Hardware-level self-encrypting drives (SEDs)
+- **Implementation**: Automatic encryption without performance overhead
+- **Coverage**: All data stored on FluidStack infrastructure
+- **Standard**: Industry-standard encryption algorithms
+
+### Transit Encryption
+- **Protocol**: SSL/TLS encryption for all network traffic
+- **Coverage**: All API communications and data transfer
+- **Implementation**: Automatic encryption for all connections
+
+### Network Isolation
+- **Project-Level Isolation**: Dedicated L3 networks per project
+- **Technology**: VXLAN and eBPF for network segmentation
+- **Isolation Scope**: Hardware, network, and storage levels
+- **Multi-Tenancy**: Single-tenant by default, no shared clusters
+
+### Physical Security
+- **Data Centers**: Tier-3 facilities with 24/7 surveillance
+- **Access Controls**: Biometric access controls and mantrap entry systems
+- **Monitoring**: Continuous monitoring with CCTV coverage
+- **Personnel**: Restricted access to authorized personnel only
+
+### Compliance Certifications
+- **HIPAA**: Health Insurance Portability and Accountability Act
+- **GDPR**: General Data Protection Regulation
+- **ISO27001**: Information Security Management System
+- **SOC 2 TYPE I**: Service Organization Control 2
+
+## ⚠️ PARTIAL COMPLIANCE
+
+### Network Security Model
+- **✅ Outbound Traffic**: Instances can egress to public internet (compliant)
+- **✅ Project Isolation**: Strong isolation between projects (compliant)
+- **❓ Inbound Traffic**: "Deny all inbound by default" behavior not explicitly documented
+- **❓ Instance-Level Firewalls**: No API endpoints for individual instance firewall rules
+
+### Firewall Management
+- **Limitation**: Security managed at project/cluster level, not per-instance
+- **API Gap**: No dedicated firewall rule management endpoints in Infrastructure API
+- **Workaround**: Project-level isolation provides security boundary
+- **Impact**: May not provide granular instance-level firewall control
+
+## ❌ LIMITATIONS
+
+### Granular Network Control
+- **Missing Feature**: Individual instance firewall rule management
+- **Alternative**: Project-level network isolation
+- **API Support**: No explicit firewall rule endpoints found
+- **Security Model**: Relies on project boundaries for isolation
+
+### Network Security APIs
+- **Firewall Rules**: No API endpoints for creating/managing firewall rules
+- **Security Groups**: No security group concept or API
+- **Network ACLs**: No network access control list management
+
+## Security Implementation Notes
+
+### Default Security Posture
+```
+✅ Data encrypted at rest (hardware-level SEDs)
+✅ Data encrypted in transit (SSL/TLS)
+✅ Project-level network isolation (VXLAN/eBPF)
+✅ Physical security (Tier-3 data centers)
+❓ Instance-level firewall rules (not documented)
+❓ "Deny all inbound" default behavior (needs verification)
+```
+
+### Recommended Security Practices
+
+1. **Project Organization**: Use separate projects for different security zones
+2. **Network Design**: Leverage project-level isolation for security boundaries
+3. **Access Control**: Implement application-level security controls
+4. **Monitoring**: Use FluidStack's audit logging and monitoring features
+
+### Security Verification Required
+
+Before production deployment, verify:
+
+1. **Default Inbound Policy**: Confirm if inbound traffic is denied by default
+2. **Firewall APIs**: Check for any undocumented firewall management endpoints
+3. **Network Behavior**: Test actual network isolation and traffic patterns
+4. **Security Controls**: Validate project-level isolation effectiveness
+
+## Risk Assessment
+
+### Low Risk
+- **Data Encryption**: Excellent hardware-level encryption
+- **Physical Security**: Strong data center security controls
+- **Compliance**: Multiple enterprise certifications
+- **Network Isolation**: Strong project-level isolation
+
+### Medium Risk
+- **Firewall Management**: Limited granular network control
+- **API Limitations**: No explicit firewall rule management
+- **Documentation Gaps**: Some security behaviors not explicitly documented
+
+### Mitigation Strategies
+
+1. **Application Security**: Implement security controls at the application layer
+2. **Project Design**: Use project boundaries as security zones
+3. **Network Architecture**: Design applications to work within project isolation model
+4. **Monitoring**: Implement comprehensive logging and monitoring
+
+## Conclusion
+
+FluidStack provides **excellent foundational security** with hardware-level encryption, strong network isolation, and comprehensive compliance certifications. However, it may not provide the granular instance-level firewall management that some security models require.
+
+**Recommendation**: FluidStack is suitable for workloads that can leverage project-level security isolation. For applications requiring fine-grained instance-level firewall controls, additional verification and testing is recommended.
+
+## References
+
+- [FluidStack Security Documentation](https://www.fluidstack.io/resources/security)
+- [FluidStack Infrastructure API](https://docs.fluidstack.io/api/infrastructure/)
+- [FluidStack Networking Overview](https://docs.fluidstack.io/fluidstack/networking/overview/)
@@ -0,0 +1,18 @@
+package v1
+
+import (
+	"context"
+
+	"github.com/brevdev/cloud/pkg/v1"
+)
+
+func (c *FluidStackClient) GetCapabilities(_ context.Context) (v1.Capabilities, error) {
+	capabilities := v1.Capabilities{
+		v1.CapabilityCreateInstance,
+		v1.CapabilityTerminateInstance,
+		v1.CapabilityStopStartInstance,
+		v1.CapabilityTags,
+	}
+
+	return capabilities, nil
+}
@@ -0,0 +1,99 @@
+package v1
+
+import (
+	"context"
+	"crypto/sha256"
+	"fmt"
+
+	"github.com/brevdev/cloud/pkg/v1"
+)
+
+const CloudProviderID = "fluidstack"
+
+// FluidStackCredential implements the CloudCredential interface for FluidStack
+type FluidStackCredential struct {
+	RefID  string
+	APIKey string
+}
+
+var _ v1.CloudCredential = &FluidStackCredential{}
+
+func NewFluidStackCredential(refID, apiKey string) *FluidStackCredential {
+	return &FluidStackCredential{
+		RefID:  refID,
+		APIKey: apiKey,
+	}
+}
+
+// GetReferenceID returns the reference ID for this credential
+func (c *FluidStackCredential) GetReferenceID() string {
+	return c.RefID
+}
+
+// GetAPIType returns the API type for FluidStack
+func (c *FluidStackCredential) GetAPIType() v1.APIType {
+	return v1.APITypeGlobal
+}
+
+// GetCloudProviderID returns the cloud provider ID for FluidStack
+func (c *FluidStackCredential) GetCloudProviderID() v1.CloudProviderID {
+	return CloudProviderID
+}
+
+// GetTenantID returns the tenant ID for FluidStack
+func (c *FluidStackCredential) GetTenantID() (string, error) {
+	return fmt.Sprintf("%s-%x", CloudProviderID, sha256.Sum256([]byte(c.APIKey))), nil
+}
+
+// GetCapabilities returns the capabilities for FluidStack
+func (c *FluidStackCredential) GetCapabilities(ctx context.Context) (v1.Capabilities, error) {
+	client, err := c.MakeClient(ctx, "")
+	if err != nil {
+		return nil, err
+	}
+	return client.GetCapabilities(ctx)
+}
+
+// MakeClient creates a new FluidStack client from this credential
+func (c *FluidStackCredential) MakeClient(_ context.Context, _ string) (v1.CloudClient, error) {
+	return NewFluidStackClient(c.RefID, c.APIKey), nil
+}
+
+// FluidStackClient implements the CloudClient interface for FluidStack
+// It embeds NotImplCloudClient to handle unsupported features
+type FluidStackClient struct {
+	v1.NotImplCloudClient
+	refID   string
+	apiKey  string
+	baseURL string
+}
+
+var _ v1.CloudClient = &FluidStackClient{}
+
+func NewFluidStackClient(refID, apiKey string) *FluidStackClient {
+	return &FluidStackClient{
+		refID:   refID,
+		apiKey:  apiKey,
+		baseURL: "https://api.fluidstack.io/v1alpha1",
+	}
+}
+
+// GetAPIType returns the API type for FluidStack
+func (c *FluidStackClient) GetAPIType() v1.APIType {
+	return v1.APITypeGlobal
+}
+
+// GetCloudProviderID returns the cloud provider ID for FluidStack
+func (c *FluidStackClient) GetCloudProviderID() v1.CloudProviderID {
+	return CloudProviderID
+}
+
+// MakeClient creates a new client instance
+func (c *FluidStackClient) MakeClient(_ context.Context, _ string) (v1.CloudClient, error) {
+	return c, nil
+}
+
+// GetReferenceID returns the reference ID for this client
+func (c *FluidStackClient) GetReferenceID() string {
+	return c.refID
+}
@@ -0,0 +1,35 @@
+package v1
+
+import (
+	"context"
+
+	"github.com/brevdev/cloud/pkg/v1"
+)
+
+func (c *FluidStackClient) CreateInstance(_ context.Context, _ v1.CreateInstanceAttrs) (*v1.Instance, error) {
+	return nil, v1.ErrNotImplemented
+}
+
+func (c *FluidStackClient) GetInstance(_ context.Context, _ v1.CloudProviderInstanceID) (*v1.Instance, error) {
+	return nil, v1.ErrNotImplemented
+}
+
+func (c *FluidStackClient) TerminateInstance(_ context.Context, _ v1.CloudProviderInstanceID) error {
+	return v1.ErrNotImplemented
+}
+
+func (c *FluidStackClient) ListInstances(_ context.Context, _ v1.ListInstancesArgs) ([]v1.Instance, error) {
+	return nil, v1.ErrNotImplemented
+}
+
+func (c *FluidStackClient) RebootInstance(_ context.Context, _ v1.CloudProviderInstanceID) error {
+	return v1.ErrNotImplemented
+}
+
+func (c *FluidStackClient) MergeInstanceForUpdate(currInst v1.Instance, _ v1.Instance) v1.Instance {
+	return currInst
+}
+
+func (c *FluidStackClient) MergeInstanceTypeForUpdate(currIt v1.InstanceType, _ v1.InstanceType) v1.InstanceType {
+	return currIt
+}