Glossary

Algorithm

A set of rules or instructions to solve a problem or perform a computation.

Attribute-Based Access Control (ABAC)

A policy-based access control model where access is determined by evaluating attributes (e.g., user, resource, environment).

Audit Logging

Tracking and recording system events and user activities for security analysis and compliance.

Automation

The use of technology to perform tasks with minimal human intervention.

Availability Zone (AZ)

An AZ is a partition within a Region that hosts one or more data halls. AZs are physically and operationally independent from each other to prevent failures from propagating across them. For example, in the US-EAST-05 Region, Availability Zone a is named US-EAST-05a.

See also: Geo, Region

Border Gateway Protocol (BGP)

A standardized exterior gateway protocol that exchanges routing information between different autonomous systems on the internet. BGP is the protocol used to make core routing decisions on the internet.

cloud-init

An industry-standard method for cloud instance initialization. CoreWeave uses cloud-init to pass configuration data to Nodes at boot time.

Cloud Access Security Broker (CASB)

A security tool that provides visibility and control over data and threats in cloud services.

Cloud Compliance

Ensuring that cloud systems adhere to regulatory standards like SOC 2, HIPAA, ISO 27001, or FedRAMP.

Cloud-Native Application Protection Platform (CNAPP)

Unified security architecture that integrates CWPP, CSPM, and CI/CD pipeline protection.

Cloud Security

Practices and technologies designed to protect cloud-based infrastructure, data, and applications from threats and unauthorized access.

Cloud Security Posture Management (CSPM)

Tools that continuously monitor cloud configurations to identify security risks and misconfigurations.

Cloud Service Provider (CSP)

A company that offers cloud computing services, such as AWS, Azure, and Google Cloud.

Cloud Workload Protection Platform (CWPP)

A security solution that protects workloads across cloud and on-prem environments.

Cluster

A group of interconnected computers working together as a single system.

Cognitive Computing

Computer systems that simulate human thought processes.

Confidential Computing

Protecting data in use by performing computations in hardware-based Trusted Execution Environments (TEEs).

Control Plane

The Control Plane is the collection of resources that manages the state of the cluster as a whole. Its job is to regulate the cluster: keeping it responsive and stable, and making sure containerized applications are managed efficiently.

CoreWeave Cloud Console

The CoreWeave Cloud Console.

CoreWeave Kubernetes Service (CKS)

CoreWeave Kubernetes Service (CKS) is a managed Kubernetes service that provides a secure, scalable, and reliable platform for deploying containerized applications. CKS is built on CoreWeave's proprietary infrastructure and is designed to deliver high-performance computing resources to customers.

CoreWeave's Local Object Transfer Accelerator (LOTA)

CoreWeave's Local Object Transfer Accelerator (LOTA) is a container that lives on every GPU Node inside a client's cluster, performing intelligent acceleration behind the scenes. Conventional transfer accelerators speed up the data transfer rates of bucket contents over long distances.

LOTA's cache is a disk cache for CoreWeave AI Object Storage that keeps user data on the local GPU Nodes, increasing transfer speeds even further while also significantly decreasing latency.

CPU

A Central Processing Unit (CPU) is the hardware within a computer that carries out the instructions of a computer program by performing basic arithmetic, logical, control, and input/output operations specified by the instructions.

Custom Resource (CR)

A Custom Resource is an instance of a CRD. It's the actual object created with the Kubernetes API.

See also: Custom Resources

Custom Resource Definition (CRD)

CRDs are an extension of the Kubernetes API that allow users to define custom resources and controllers. CRDs enable users to extend the functionality of Kubernetes by defining new resources and controllers that are not part of the core Kubernetes API.

A CRD is the blueprint for a type of CR.

See also: Custom Resources

Data Loss Prevention (DLP)

A strategy to prevent unauthorized sharing or leakage of sensitive data.

Data Plane

The part of Kubernetes that deals with application and data traffic.

Data Processing Unit (DPU)

A programmable infrastructure-on-a-chip that combines an array of ARM-based CPU cores, acceleration engines, and a high-performance network interface. DPUs function as a "computer-in-front-of-a-computer" and are fully isolated from the host's CPU. DPUs provide network, storage, and encryption functions on Direct Metal Nodes, enabling CoreWeave to deliver scalable, flexible, and secure cloud services.

See What Is a DPU? at NVIDIA's Blog.

Day 0

The phase in the lifecycle of a CoreWeave Node where it is initially configured after powering on.

Day 1

The phase in the lifecycle of a CoreWeave Node where it is intensively validated before delivery to a customer.

Day 2+

The phase in the lifecycle of a CoreWeave Node once it has been delivered to a customer, and is continuously monitored and validated by CoreWeave.

DevSecOps

An approach that integrates security practices directly into DevOps workflows.

Dynamic Host Configuration Protocol (DHCP)

A network protocol that automatically assigns IP addresses and other network configuration settings to devices on a network.

Encryption at Rest

Protecting stored data using encryption mechanisms.

Encryption in Transit

Securing data as it travels across networks using protocols like TLS.

Ethernet Virtual Private Network (EVPN)

EVPN simplifies Control Planes for various Virtual Private Network (VPN) services by extending Ethernet (Layer 2) services over a broader network, typically an IP/MPLS network. EVPN supports multi-tenancy, allowing different customers' networks to share the same physical infrastructure while keeping their traffic separate and secure. EVPN is widely used in interconnect scenarios, and for integrating distributed regional and campus networks. EVPN brings the advantages of traffic balancing and flexible deployment from IP VPNs into the Ethernet domain.

EVPN Type 5

A Type 5 EVPN deals exclusively with IP route advertisement, differentiating it from other types (such as Type 2) that include MAC address advertisement.

EVPN-VXLAN integration

Ethernet VPN-Virtual Extensible LAN (EVPN-VXLAN) combines EVPN's Control Plane with VXLAN's Data Plane. Combined, these technologies create virtual Layer 2 networks that span Layer 3 boundaries in large-scale environments. This integration allows seamless communication between devices, regardless of their physical location or the underlying network infrastructure, while maintaining efficient traffic handling and scalability.

Federated Identity

An authentication method allowing users to log in across multiple systems using a single identity (via OIDC/SAML).

Geo

A Geo covers multiple Regions, facilitating global service distribution and disaster recovery. At CoreWeave, the term Geo defines an entire continent, ensuring comprehensive coverage and reliability for global operations. For example, all Regions in the United States are in the US Geo.

See also: Region, Availability Zone (AZ)

GPU

A Graphics Processing Unit (GPU) is a parallel processor that is designed to accelerate vector and matrix operations. GPUs are commonly used in high-performance computing and machine learning applications.

GPUDirect RDMA

GPUDirect RDMA is a technology that enables remote direct memory access (RDMA) transfers between GPUs and other devices without involving the operating system or CPU.

See also: Remote Direct Memory Access (RDMA)

Hard Disk Drive (HDD)

A hard disk drive (HDD) is a non-volatile data storage device. An HDD includes two main elements: a spinning circular magnetic platter and an actuator arm that moves across the platter to read and write data. HDDs are slower than NVMe drives, but are typically less expensive and have higher storage capacities.

Identity and Access Management (IAM)

A framework for managing user identities and access permissions across cloud services.

Identity provider (IdP)

An identity provider (IdP) is an entity that stores and serves user authentication information as an authentication service for users. IdPs can then be used to validate user identity to other services, such as Cloud applications.

i Preboot eXecution Environment (iPXE)

iPXE is the leading open source network boot firmware. It provides a full PXE implementation enhanced with additional features and flexibility for network booting. iPXE is commonly used in cloud environments with complex configurations and network installations to boot servers over the network. From the official FAQ:

Q: What does the "i" in "iPXE" stand for?
A: It doesn't.

InfiniBand

A high-performance network architecture that provides high throughput and low latency, commonly used in high-performance computing environments.

Infrastructure as Code (IaC) Security

Securing declarative infrastructure templates (such as Terraform and CloudFormation) from misconfigurations or vulnerabilities.

Input/output operations per second (IOPS)

IOPS (pronounced eye-ops) is an input/output performance measurement used to characterize computer storage devices.

Ingress/Egress Filtering

Controlling the flow of traffic into (ingress) and out of (egress) cloud environments.

Internet Protocol version 4 (IPv4)

IPv4 is the fourth version of the Internet Protocol (IP), and one of the core protocols of standards-based internetworking methods in the Internet and other packet-switched networks. IPv4 is the most widely used version of the Internet Protocol.

Internet Protocol version 6 (IPv6)

IPv6 is the most recent version of the Internet Protocol (IP), the communications protocol that provides an identification and location system for computers on networks and routes traffic across the Internet.

Key Management System (KMS)

A service that manages cryptographic keys used for data encryption and digital signatures.

Kubeconfig

A configuration file containing details like cluster API server addresses, contexts, and user credentials used by kubectl and other Kubernetes tools to authenticate and manage access to Kubernetes clusters. Kubeconfig files allow users to switch between different clusters and manage multiple environments securely.

Least Privilege

A security principle where users or systems are given only the minimum access required to perform their tasks.

MACsec

MACsec (Media Access Control Security) is an IEEE standard for securing Ethernet networks at the link layer. MACsec provides secure communication between network devices by encrypting and authenticating Ethernet frames. MACsec is commonly used to protect data in transit and prevent unauthorized access to network traffic.

See also: IEEE 802.1AE

Medium Access Control (MAC) address

A MAC address is a unique identifier assigned to a Network Interface Controller (NIC) for use as a network address within a network segment.

Microsegmentation

Dividing networks into smaller zones to enforce granular security controls.

Multi-Factor Authentication (MFA)

A security mechanism requiring multiple forms of verification to access systems; for example, a password and mobile code.

Multipart upload

Multipart uploads (or "MPUs") refer to uploading large objects as multiple pieces.

See also: Uploading and copying objects using multipart upload (Amazon)

Mutual TLS (mTLS)

An extension of TLS where both client and server authenticate each other using certificates.

Natural Language Processing (NLP)

The ability of computers to understand, interpret, and generate human language.

Network Access Control Lists (NACLs)

Stateless filters that control traffic at the subnet level in a cloud network.

Network Interface Controller (NIC)

A network interface controller (NIC) is a hardware component that connects a computer to a network. NICs are commonly used to connect computers to Ethernet networks, wireless networks, and other types of networks.

Node

An individual computer within a cluster.

Node Pool

A Node Pool is a logical grouping of Nodes in a CKS cluster with the same Instance Type, Labels, Taints, and Annotations. Node Pools are useful for managing a group of Nodes as a single entity or assigning workloads to specific Nodes based on their configuration.

Non-Volatile Memory Express (NVMe)

NVMe is a storage protocol that provides high-performance access to non-volatile memory devices. NVMe is designed to take advantage of the low latency and high throughput of modern storage devices, providing improved performance over traditional storage protocols.

Non-Volatile Memory Express over Fabrics (NVMe-oF)

NVMe-oF is a network protocol that enables remote access to NVMe storage devices over a network. NVMe-oF allows for the efficient transfer of data between servers and storage devices, providing low latency and high throughput.

OpenID Connect (OIDC)

OpenID Connect (OIDC) is an identity layer on top of the OAuth 2.0 protocol, used for user authentication. It allows users to authenticate by verifying their identity through an identity provider (IdP), such as Okta. CoreWeave supports OIDC as an authentication method for CKS clusters.

Open vSwitch (OVS)

Open vSwitch (OVS) is a production-quality, multilayer virtual switch licensed under the open source Apache 2.0 license.

Parallel Processing

Simultaneous execution of tasks across multiple processors or cores.

PCI Express (PCIe)

Peripheral Component Interconnect Express, officially abbreviated as PCIe, is a high-speed serial computer expansion bus standard.

Penetration Testing

Simulated cyberattacks used to evaluate the security of cloud environments.

Persistent Volume Management Operator (PVMO)

A Kubernetes controller manager that periodically runs to clean up any orphaned storage volumes.

See also: Persistent Volume Management Operator (PVMO)

Point of Presence (POP)

A Point of Presence (POP) is a location where two or more networks interconnect.

Policy as Code

The practice of defining and enforcing security and compliance rules using machine-readable code; for instance, using Open Policy Agent.

Preboot eXecution Environment (PXE)

The PXE specification describes a standardized client-server environment that boots a software assembly, retrieved from a network, on PXE-enabled clients. On the client side it requires only a PXE-capable network interface controller (NIC), and uses a small set of industry-standard network protocols such as DHCP and TFTP. PXE is most often pronounced "pixie", and the process is often called "pixie boot".

See also: iPXE

RDMA over Converged Ethernet (RoCE)

A network protocol that allows RDMA over an Ethernet network.

See also: Remote Direct Memory Access (RDMA)

Region

An area within a Geo that contains multiple Availability Zones (AZs). Regions provide redundancy and failover capabilities by allowing workloads to be distributed across multiple AZs. Regions are strategically placed to offer low latency, high-performance connectivity, and meet data residency requirements. For example, in US-EAST-05, the Geo is US and the Region is EAST-05.

See also: Geo, Availability Zone (AZ)

Remote Direct Memory Access (RDMA)

RDMA allows data to be transferred directly between the memory of two computers without involving the operating system or CPU. RDMA provides low latency and high throughput data transfers, making it ideal for high-performance computing environments.

See also: GPUDirect RDMA, RDMA over Converged Ethernet (RoCE)

Role-Based Access Control (RBAC)

An authorization method where users are granted permissions based on their role within an organization.

Runtime Security

Monitoring and securing workloads during execution; for example, using tools like Falco or Tetragon.

Security Groups

Virtual firewalls used to control inbound and outbound traffic to resources in the cloud.

Security Token Service (STS)

A service that issues temporary, limited-privilege credentials to users or services.

Secrets Management

Storing and retrieving sensitive information (such as passwords and API keys) securely in a cloud-native vault.

Service Mesh

A network layer (such as Istio or Linkerd) that handles secure service-to-service communication with observability and policy enforcement.

Shared Responsibility Model

A framework outlining security responsibilities split between the cloud provider and the customer.

SIEM (Security Information and Event Management)

Tools that aggregate and analyze log data for real-time threat detection.

Single-root input/output virtualization (SR-IOV)

SR-IOV is a specification that allows a single physical PCIe device to appear as multiple separate physical devices. SR-IOV allows a single physical device to be shared by multiple virtual machines, providing improved performance and reduced latency.

Learn more at Wikipedia: Single-root input/output virtualization

Slurm

A popular job scheduling system typically deployed on HPC clusters.

Storage

Infrastructure for persisting data for workloads, such as block, file, or object storage, and the devices that back it.

See also: Hard Disk Drive (HDD), Non-Volatile Memory Express (NVMe)

Supercomputer

A computer with a high level of performance compared to a general-purpose computer.

Supply Chain Security

Protecting cloud software pipelines from tampering, including the use of signed artifacts and SBOMs.

Throughput

The amount of work completed in a given time period.

Top of Rack (TOR)

A network switch that connects servers in an Availability Zone to the rest of the network. TOR switches are typically located at the top of a rack of servers and provide network connectivity to the servers within the rack.

Trivial File Transfer Protocol (TFTP)

TFTP is a lightweight file transfer protocol that does not provide authentication or encryption. TFTP is commonly used for network booting and firmware updates.

Virtual Extensible LAN (VXLAN)

VXLAN addresses the limitations of traditional Virtual Local Area Networks (VLANs) in large-scale environments. VXLAN encapsulates Ethernet frames within User Datagram Protocol (UDP) packets, enabling them to traverse across IP networks. By extending Layer 2 networks over Layer 3 infrastructure, VXLAN allows for greater flexibility and scalability in large-scale, multi-tenant environments.

Virtual Local Area Network (VLAN)

A Virtual Local Area Network (VLAN) is a broadcast domain that is partitioned and isolated in a computer network at the data link layer (OSI layer 2).

Virtual Private Cloud (VPC)

A VPC is a logically isolated private network hosted within a public cloud infrastructure, where resources can be launched. A VPC provides a secure environment where resources are isolated from the public internet and other VPCs. VPCs are commonly used to create virtual networks with specific IP address ranges, subnets, and security groups.

Virtual Routing and Forwarding (VRF)

VRF allows multiple instances of a routing table to coexist within the same router at the same time. Each VRF instance maintains its own routing table, which is separate from the global routing table.

Workload Identity

Associating workloads (like containers and VMs) with verifiable identities for secure communication and policy enforcement.

Zero Trust Architecture

A security model where no user or device is trusted by default, even if it's inside the network perimeter.