Files
infospace-bench/infospaces/patterns-of-it-securita-architecture/artifacts/entities/security-architecture-pattern-catalog.md

6.5 KiB

Security Architecture Pattern Catalog

Status: completed genesis pattern catalog for NK-WP-0010 Owner: NetKingdom architecture, maintained in infospace-bench

Purpose

This catalog collects reusable security architecture patterns for NetKingdom-enabled infrastructures. Patterns describe recurring implementation shapes, tradeoffs, failure modes, and verification signals.

Patterns are not tutorials, ADRs, or vendor docs. A tutorial shows how to do a concrete implementation. An ADR records a decision. A vendor doc describes a product. A pattern captures a reusable architecture idea and how NetKingdom maps it into its platform.

Pattern Template

Problem
Context
Forces
Solution
Implementation sketch
Failure modes
Related capabilities
Maturity
Verification
References

Initial Pattern Set

Pattern Capability group Maturity Canonical NetKingdom mapping
STS credential vending Secrets, authorization, data access reviewed IAM Profile + flex-auth + backend STS, OpenBao broker/audit where useful
Workload identity Identity and secrets draft Kubernetes service account identity, IAM Profile mapping, OpenBao Kubernetes auth
Secret zero avoidance Secrets and bootstrap reviewed SOPS/age bootstrap, emergency bundle, OpenBao runtime handoff
Dynamic secrets Secrets and credentials draft OpenBao dynamic credentials with leases and revocation
Short-lived SSH certificates Privileged access draft ops-warden issues certificates, ops-bridge consumes and audits
Delegated authorization Authorization reviewed flex-auth as canonical boundary, Topaz as first delegated PDP
Break-glass access Recovery and incident response reviewed emergency bundle, limited principals, audit and post-event review
Tenant isolation Tenant boundary draft tenant ids, tenant-scoped resources, control-plane guardrails
Central audit ledger Detection and audit seed identity, flex-auth, Topaz, OpenBao, Kubernetes, workload correlation
Policy-as-code admission Kubernetes hardening seed deployment gates and reviewable policy packages
Supply-chain provenance Supply chain seed SBOM, signed images, SLSA-style provenance
Network default deny Network security seed Kubernetes NetworkPolicy and explicit service communication
Object-level authorization check Application and API security draft every resource access includes tenant/resource/action decision
Human/agent identity split Agent access control draft agents have explicit identities, scopes, and audit trails
Tenant context propagation Tenant isolation draft every request and background job carries tenant context

First-Class Pattern Artifacts

The genesis catalogue now has one first-class artifact per exact pattern name. The authoritative completion matrix is artifacts/generated/research-pattern-normalization.md.

Family Exact pattern artifacts
Identity and access Central Identity Provider; Identity Broker; Tenant Membership Boundary; Role Composition; Policy Decision Point / Policy Enforcement Point; Time-boxed Privilege Elevation; Break-glass Access; Human/Agent Identity Split
Tenant isolation Namespace-per-Tenant; Cluster-per-Tenant; Cell-based Architecture; Shared Control Plane, Isolated Data Plane; Tenant Context Propagation; Tenant Data Partitioning
Kubernetes and platform Secure Cluster Baseline; Policy-as-Code Admission Control; Pod Security Baseline/Restricted; Network Default Deny; Signed Image Admission; GitOps with Guardrails; Runtime Threat Detection
Secrets and cryptography External Secrets Operator; Sealed Secret / Encrypted Git Secret; Short-lived Credentials; Key-per-Tenant; Certificate Automation
Application/API security API Gateway as Security Boundary; Backend-for-Frontend; Object-Level Authorization Check; Schema-First API Security; Idempotent Command API; Secure File Upload Pipeline
Supply chain Protected Main Branch; Dependency Update Bot; SBOM-per-Release; SLSA Build Provenance; Signed Container Images; Quarantined Build Runner
Detection and response Security Event Taxonomy; Central Audit Ledger; Tenant Audit Log View; Incident Runbook Library; Kill Switch / Tenant Freeze; Token Revocation Sweep

The NetKingdom umbrella artifacts created during NK-WP-0008 remain in the infospace where they describe platform-specific compositions, such as STS credential vending, workload identity, dynamic secrets, delegated authorization, tenant isolation, policy-as-code admission, and supply-chain provenance.

Pattern Notes

STS Credential Vending

Problem: applications need object-storage access without holding long-lived root credentials.

Solution: use IAM Profile tokens to identify the actor, flex-auth to authorize bucket/prefix/action/TTL, provider-native STS or temporary credential APIs to mint credentials, and OpenBao for parent material, lease, broker configuration, and audit where needed.

Verification: credentials include session token and expiration; deny paths produce stable reason codes; consumers refresh before expiration.

Secret Zero Avoidance

Problem: runtime secret managers need initial trust without creating a worse unmanaged secret.

Solution: use SOPS/age and emergency bundles for bootstrap and recovery, then hand runtime workload secret authority to OpenBao once initialized, audited, backed up, and governed.

Verification: OpenBao root and recovery material are treated as platform-root break-glass material; workloads do not consume bootstrap root material.

Delegated Authorization

Problem: identity providers and application code should not become the canonical home for every resource-specific authorization decision.

Solution: flex-auth owns the canonical request/decision envelope, resource/action vocabulary, CARING descriptors, audit/explain records, and backend adapter boundary. Topaz is the first delegated PDP runtime.

Verification: policy packages distinguish tenant:platform from tenant packages; decision envelopes include tenant, protected-system, resource, action, assurance, obligations, deny reasons, and audit correlation.

Break-Glass Access

Problem: operators need recovery access when normal identity, policy, or cluster services are unavailable.

Solution: define a minimal emergency path with scoped credentials, separate storage, event logging where possible, and mandatory post-event review.

Verification: break-glass is tested in drills and never grants ordinary tenant administrators platform-root authority.