This repository has been archived on 2026-07-08. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
infospace-bench/infospaces/patterns-of-it-securita-architecture/artifacts/relations/netkingdom-ownership-map.md

5.6 KiB

NetKingdom Security Pattern Ownership Map

Status: ownership mapping refreshed for NK-WP-0010

Purpose

This map connects capabilities and patterns to the repos, components, workplans, and responsibilities that own implementation or governance.

Responsibility Split

Area Platform responsibility Product/application responsibility Tenant responsibility
Identity NetKingdom IAM Profile, key-cape/Keycloak integration consume OIDC/IAM Profile correctly manage tenant users and groups where delegated
Authorization flex-auth model, CARING descriptors, Topaz boundary enforce decisions locally request/administer tenant-scoped access only
Secrets SOPS/age bootstrap, OpenBao runtime authority consume scoped secrets and rotate safely manage tenant-scoped secrets where allowed
Object storage STS vending policy and backend broker boundary support temporary credentials and refresh request credentials for registered resources
SSH/admin access ops-warden/ops-bridge short-lived access paths avoid direct unmanaged admin paths no platform-root access
Audit central audit taxonomy and durable sinks emit workload events and correlation ids review tenant-visible events where offered
Deployment Railiance stack layers and readiness checks app manifests and release posture tenant configuration within guardrails

Component Mapping

Component or repo Role in this infospace Related patterns
net-kingdom canonical security architecture, IAM Profile, workplans, ADRs IAM Profile, recursive platform identity, STS vending, secret-zero avoidance
key-cape lightweight IAM Profile implementation central identity provider, lightweight identity, MFA integration
Keycloak expanded IAM implementation and federation central identity provider, identity broker
Authelia lightweight SSO backing component central identity provider, SSO boundary
LLDAP lightweight directory backing component user lifecycle, group mapping
privacyIDEA MFA and token lifecycle privileged MFA, break-glass controls
flex-auth authorization control plane delegated authorization, policy-as-code, decision envelopes
Topaz delegated PDP runtime policy decision runtime
OpenBao runtime secret authority dynamic secrets, secret zero avoidance, STS broker/audit support
railiance-platform platform service deployment OpenBao, object storage, databases, platform secret delivery
Ceph RGW candidate object-storage backend STS credential vending
MinIO-compatible stores candidate object-storage backend STS credential vending
artifact-store S3 consumer and artifact integrity owner STS credential consumer, supply-chain evidence
ops-warden short-lived SSH certificate issuer privileged access, short-lived credentials
ops-bridge SSH/tunnel access consumer and audit path human/agent access, auditability
State Hub cross-repo workstream and decision read model security readiness tracking, progress evidence

First-Class Pattern Ownership

Pattern family Primary ownership Notes
Identity and access NetKingdom, key-cape, Keycloak, flex-auth IdP, broker, membership, role, PDP/PEP, elevation, break-glass, human/agent split
Tenant isolation NetKingdom, Railiance platform, product repos namespace, cluster, cell, shared-control/isolated-data, tenant context, data partitioning
Kubernetes and platform Railiance platform, NetKingdom, product repos secure baseline, admission, pod security, network, image, GitOps, runtime detection
Secrets and cryptography NetKingdom, Railiance platform, OpenBao, product repos external secrets, encrypted Git secrets, short-lived credentials, tenant keys, certificates
Application/API security product repos, NetKingdom, flex-auth, artifact-store gateway, BFF, object auth, schema-first APIs, idempotent commands, file uploads
Supply chain Railiance platform, artifact-store, product repos protected branches, dependency updates, SBOMs, SLSA provenance, signatures, build runners
Detection and response NetKingdom, Railiance platform, State Hub, product repos event taxonomy, central audit, tenant audit, runbooks, freeze, revocation
NetKingdom umbrella patterns NetKingdom plus implementing repos STS vending, workload identity, secret-zero avoidance, dynamic secrets, SSH certificates, delegated authorization, tenant isolation, policy-as-code admission, supply-chain provenance

The exact per-pattern artifact coverage is maintained in artifacts/generated/research-pattern-normalization.md.

Workplan Mapping

Workplan Relationship
NK-WP-0006 platform, tenant, bootstrap, identity, authorization, and OpenBao architecture baseline
NK-WP-0007 object-storage STS credential-vending pattern baseline
NK-WP-0008 this infospace and pattern catalog
NK-WP-0010 complete first-class artifacts for every exact genesis pattern
NK-WP-0009 tutorials derived from canonical patterns
RAIL-PL-WP-0002 OpenBao deployment, unseal, break-glass, audit, backup, and workload integration
ARTIFACT-STORE-WP-0007 S3 compatibility and temporary credential consumer behavior

Open Mapping Questions

  • Which patterns should become NetKingdom internal standards versus Railiance operational runbooks?
  • Which patterns require external customer-facing documentation?
  • Which audit events are platform-only and which become tenant-visible?
  • Which patterns need machine-readable status in State Hub or a future capability registry?