6.5 KiB
Security Architecture Pattern Catalog
Status: completed genesis pattern catalog for NK-WP-0010 Owner: NetKingdom architecture, maintained in infospace-bench
Purpose
This catalog collects reusable security architecture patterns for NetKingdom-enabled infrastructures. Patterns describe recurring implementation shapes, tradeoffs, failure modes, and verification signals.
Patterns are not tutorials, ADRs, or vendor docs. A tutorial shows how to do a concrete implementation. An ADR records a decision. A vendor doc describes a product. A pattern captures a reusable architecture idea and how NetKingdom maps it into its platform.
Pattern Template
Problem
Context
Forces
Solution
Implementation sketch
Failure modes
Related capabilities
Maturity
Verification
References
Initial Pattern Set
| Pattern | Capability group | Maturity | Canonical NetKingdom mapping |
|---|---|---|---|
| STS credential vending | Secrets, authorization, data access | reviewed | IAM Profile + flex-auth + backend STS, OpenBao broker/audit where useful |
| Workload identity | Identity and secrets | draft | Kubernetes service account identity, IAM Profile mapping, OpenBao Kubernetes auth |
| Secret zero avoidance | Secrets and bootstrap | reviewed | SOPS/age bootstrap, emergency bundle, OpenBao runtime handoff |
| Dynamic secrets | Secrets and credentials | draft | OpenBao dynamic credentials with leases and revocation |
| Short-lived SSH certificates | Privileged access | draft | ops-warden issues certificates, ops-bridge consumes and audits |
| Delegated authorization | Authorization | reviewed | flex-auth as canonical boundary, Topaz as first delegated PDP |
| Break-glass access | Recovery and incident response | reviewed | emergency bundle, limited principals, audit and post-event review |
| Tenant isolation | Tenant boundary | draft | tenant ids, tenant-scoped resources, control-plane guardrails |
| Central audit ledger | Detection and audit | seed | identity, flex-auth, Topaz, OpenBao, Kubernetes, workload correlation |
| Policy-as-code admission | Kubernetes hardening | seed | deployment gates and reviewable policy packages |
| Supply-chain provenance | Supply chain | seed | SBOM, signed images, SLSA-style provenance |
| Network default deny | Network security | seed | Kubernetes NetworkPolicy and explicit service communication |
| Object-level authorization check | Application and API security | draft | every resource access includes tenant/resource/action decision |
| Human/agent identity split | Agent access control | draft | agents have explicit identities, scopes, and audit trails |
| Tenant context propagation | Tenant isolation | draft | every request and background job carries tenant context |
First-Class Pattern Artifacts
The genesis catalogue now has one first-class artifact per exact pattern
name. The authoritative completion matrix is
artifacts/generated/research-pattern-normalization.md.
| Family | Exact pattern artifacts |
|---|---|
| Identity and access | Central Identity Provider; Identity Broker; Tenant Membership Boundary; Role Composition; Policy Decision Point / Policy Enforcement Point; Time-boxed Privilege Elevation; Break-glass Access; Human/Agent Identity Split |
| Tenant isolation | Namespace-per-Tenant; Cluster-per-Tenant; Cell-based Architecture; Shared Control Plane, Isolated Data Plane; Tenant Context Propagation; Tenant Data Partitioning |
| Kubernetes and platform | Secure Cluster Baseline; Policy-as-Code Admission Control; Pod Security Baseline/Restricted; Network Default Deny; Signed Image Admission; GitOps with Guardrails; Runtime Threat Detection |
| Secrets and cryptography | External Secrets Operator; Sealed Secret / Encrypted Git Secret; Short-lived Credentials; Key-per-Tenant; Certificate Automation |
| Application/API security | API Gateway as Security Boundary; Backend-for-Frontend; Object-Level Authorization Check; Schema-First API Security; Idempotent Command API; Secure File Upload Pipeline |
| Supply chain | Protected Main Branch; Dependency Update Bot; SBOM-per-Release; SLSA Build Provenance; Signed Container Images; Quarantined Build Runner |
| Detection and response | Security Event Taxonomy; Central Audit Ledger; Tenant Audit Log View; Incident Runbook Library; Kill Switch / Tenant Freeze; Token Revocation Sweep |
The NetKingdom umbrella artifacts created during NK-WP-0008 remain in the infospace where they describe platform-specific compositions, such as STS credential vending, workload identity, dynamic secrets, delegated authorization, tenant isolation, policy-as-code admission, and supply-chain provenance.
Pattern Notes
STS Credential Vending
Problem: applications need object-storage access without holding long-lived root credentials.
Solution: use IAM Profile tokens to identify the actor, flex-auth to authorize bucket/prefix/action/TTL, provider-native STS or temporary credential APIs to mint credentials, and OpenBao for parent material, lease, broker configuration, and audit where needed.
Verification: credentials include session token and expiration; deny paths produce stable reason codes; consumers refresh before expiration.
Secret Zero Avoidance
Problem: runtime secret managers need initial trust without creating a worse unmanaged secret.
Solution: use SOPS/age and emergency bundles for bootstrap and recovery, then hand runtime workload secret authority to OpenBao once initialized, audited, backed up, and governed.
Verification: OpenBao root and recovery material are treated as platform-root break-glass material; workloads do not consume bootstrap root material.
Delegated Authorization
Problem: identity providers and application code should not become the canonical home for every resource-specific authorization decision.
Solution: flex-auth owns the canonical request/decision envelope, resource/action vocabulary, CARING descriptors, audit/explain records, and backend adapter boundary. Topaz is the first delegated PDP runtime.
Verification: policy packages distinguish tenant:platform from tenant
packages; decision envelopes include tenant, protected-system, resource,
action, assurance, obligations, deny reasons, and audit correlation.
Break-Glass Access
Problem: operators need recovery access when normal identity, policy, or cluster services are unavailable.
Solution: define a minimal emergency path with scoped credentials, separate storage, event logging where possible, and mandatory post-event review.
Verification: break-glass is tested in drills and never grants ordinary tenant administrators platform-root authority.