generated from coulomb/repo-seed
127 lines
6.5 KiB
Markdown
127 lines
6.5 KiB
Markdown
# Security Architecture Pattern Catalog
|
|
|
|
Status: completed genesis pattern catalog for NK-WP-0010
|
|
Owner: NetKingdom architecture, maintained in infospace-bench
|
|
|
|
## Purpose
|
|
|
|
This catalog collects reusable security architecture patterns for
|
|
NetKingdom-enabled infrastructures. Patterns describe recurring
|
|
implementation shapes, tradeoffs, failure modes, and verification
|
|
signals.
|
|
|
|
Patterns are not tutorials, ADRs, or vendor docs. A tutorial shows how to
|
|
do a concrete implementation. An ADR records a decision. A vendor doc
|
|
describes a product. A pattern captures a reusable architecture idea and
|
|
how NetKingdom maps it into its platform.
|
|
|
|
## Pattern Template
|
|
|
|
```text
|
|
Problem
|
|
Context
|
|
Forces
|
|
Solution
|
|
Implementation sketch
|
|
Failure modes
|
|
Related capabilities
|
|
Maturity
|
|
Verification
|
|
References
|
|
```
|
|
|
|
## Initial Pattern Set
|
|
|
|
| Pattern | Capability group | Maturity | Canonical NetKingdom mapping |
|
|
| --- | --- | --- | --- |
|
|
| STS credential vending | Secrets, authorization, data access | reviewed | IAM Profile + flex-auth + backend STS, OpenBao broker/audit where useful |
|
|
| Workload identity | Identity and secrets | draft | Kubernetes service account identity, IAM Profile mapping, OpenBao Kubernetes auth |
|
|
| Secret zero avoidance | Secrets and bootstrap | reviewed | SOPS/age bootstrap, emergency bundle, OpenBao runtime handoff |
|
|
| Dynamic secrets | Secrets and credentials | draft | OpenBao dynamic credentials with leases and revocation |
|
|
| Short-lived SSH certificates | Privileged access | draft | ops-warden issues certificates, ops-bridge consumes and audits |
|
|
| Delegated authorization | Authorization | reviewed | flex-auth as canonical boundary, Topaz as first delegated PDP |
|
|
| Break-glass access | Recovery and incident response | reviewed | emergency bundle, limited principals, audit and post-event review |
|
|
| Tenant isolation | Tenant boundary | draft | tenant ids, tenant-scoped resources, control-plane guardrails |
|
|
| Central audit ledger | Detection and audit | seed | identity, flex-auth, Topaz, OpenBao, Kubernetes, workload correlation |
|
|
| Policy-as-code admission | Kubernetes hardening | seed | deployment gates and reviewable policy packages |
|
|
| Supply-chain provenance | Supply chain | seed | SBOM, signed images, SLSA-style provenance |
|
|
| Network default deny | Network security | seed | Kubernetes NetworkPolicy and explicit service communication |
|
|
| Object-level authorization check | Application and API security | draft | every resource access includes tenant/resource/action decision |
|
|
| Human/agent identity split | Agent access control | draft | agents have explicit identities, scopes, and audit trails |
|
|
| Tenant context propagation | Tenant isolation | draft | every request and background job carries tenant context |
|
|
|
|
## First-Class Pattern Artifacts
|
|
|
|
The genesis catalogue now has one first-class artifact per exact pattern
|
|
name. The authoritative completion matrix is
|
|
`artifacts/generated/research-pattern-normalization.md`.
|
|
|
|
| Family | Exact pattern artifacts |
|
|
| --- | --- |
|
|
| Identity and access | Central Identity Provider; Identity Broker; Tenant Membership Boundary; Role Composition; Policy Decision Point / Policy Enforcement Point; Time-boxed Privilege Elevation; Break-glass Access; Human/Agent Identity Split |
|
|
| Tenant isolation | Namespace-per-Tenant; Cluster-per-Tenant; Cell-based Architecture; Shared Control Plane, Isolated Data Plane; Tenant Context Propagation; Tenant Data Partitioning |
|
|
| Kubernetes and platform | Secure Cluster Baseline; Policy-as-Code Admission Control; Pod Security Baseline/Restricted; Network Default Deny; Signed Image Admission; GitOps with Guardrails; Runtime Threat Detection |
|
|
| Secrets and cryptography | External Secrets Operator; Sealed Secret / Encrypted Git Secret; Short-lived Credentials; Key-per-Tenant; Certificate Automation |
|
|
| Application/API security | API Gateway as Security Boundary; Backend-for-Frontend; Object-Level Authorization Check; Schema-First API Security; Idempotent Command API; Secure File Upload Pipeline |
|
|
| Supply chain | Protected Main Branch; Dependency Update Bot; SBOM-per-Release; SLSA Build Provenance; Signed Container Images; Quarantined Build Runner |
|
|
| Detection and response | Security Event Taxonomy; Central Audit Ledger; Tenant Audit Log View; Incident Runbook Library; Kill Switch / Tenant Freeze; Token Revocation Sweep |
|
|
|
|
The NetKingdom umbrella artifacts created during NK-WP-0008 remain in
|
|
the infospace where they describe platform-specific compositions, such
|
|
as STS credential vending, workload identity, dynamic secrets, delegated
|
|
authorization, tenant isolation, policy-as-code admission, and
|
|
supply-chain provenance.
|
|
|
|
## Pattern Notes
|
|
|
|
### STS Credential Vending
|
|
|
|
Problem: applications need object-storage access without holding
|
|
long-lived root credentials.
|
|
|
|
Solution: use IAM Profile tokens to identify the actor, flex-auth to
|
|
authorize bucket/prefix/action/TTL, provider-native STS or temporary
|
|
credential APIs to mint credentials, and OpenBao for parent material,
|
|
lease, broker configuration, and audit where needed.
|
|
|
|
Verification: credentials include session token and expiration; deny
|
|
paths produce stable reason codes; consumers refresh before expiration.
|
|
|
|
### Secret Zero Avoidance
|
|
|
|
Problem: runtime secret managers need initial trust without creating a
|
|
worse unmanaged secret.
|
|
|
|
Solution: use SOPS/age and emergency bundles for bootstrap and recovery,
|
|
then hand runtime workload secret authority to OpenBao once initialized,
|
|
audited, backed up, and governed.
|
|
|
|
Verification: OpenBao root and recovery material are treated as
|
|
platform-root break-glass material; workloads do not consume bootstrap
|
|
root material.
|
|
|
|
### Delegated Authorization
|
|
|
|
Problem: identity providers and application code should not become the
|
|
canonical home for every resource-specific authorization decision.
|
|
|
|
Solution: flex-auth owns the canonical request/decision envelope,
|
|
resource/action vocabulary, CARING descriptors, audit/explain records,
|
|
and backend adapter boundary. Topaz is the first delegated PDP runtime.
|
|
|
|
Verification: policy packages distinguish `tenant:platform` from tenant
|
|
packages; decision envelopes include tenant, protected-system, resource,
|
|
action, assurance, obligations, deny reasons, and audit correlation.
|
|
|
|
### Break-Glass Access
|
|
|
|
Problem: operators need recovery access when normal identity, policy, or
|
|
cluster services are unavailable.
|
|
|
|
Solution: define a minimal emergency path with scoped credentials,
|
|
separate storage, event logging where possible, and mandatory post-event
|
|
review.
|
|
|
|
Verification: break-glass is tested in drills and never grants ordinary
|
|
tenant administrators platform-root authority.
|