generated from coulomb/repo-seed
Improved documentation
This commit is contained in:
2
SCOPE.md
2
SCOPE.md
@@ -23,7 +23,7 @@ NetKingdom is a self-optimizing security platform for Kubernetes-based IT infras
|
|||||||
- NetKingdom IAM Profile specification (versioned OIDC/PKCE contract)
|
- NetKingdom IAM Profile specification (versioned OIDC/PKCE contract)
|
||||||
- SSO/MFA Platform: Keycloak with LDAP/Entra federation, enterprise identity (NK-WP-0001)
|
- SSO/MFA Platform: Keycloak with LDAP/Entra federation, enterprise identity (NK-WP-0001)
|
||||||
- Local Identity: file-based user store + minimal OIDC server for bootstrap phase (NK-WP-0002)
|
- Local Identity: file-based user store + minimal OIDC server for bootstrap phase (NK-WP-0002)
|
||||||
- Security bootstrapping: credential management, SOPS/age integration, KeePassXC/Vault progression
|
- Security bootstrapping: credential management, SOPS/age integration, OpenBao runtime secret authority
|
||||||
- Architectural decisions (DECISIONS.md): identity source, secrets, GitOps, bootstrap user store
|
- Architectural decisions (DECISIONS.md): identity source, secrets, GitOps, bootstrap user store
|
||||||
|
|
||||||
---
|
---
|
||||||
|
|||||||
@@ -66,8 +66,9 @@ Responsibilities:
|
|||||||
- canonical authorization through flex-auth
|
- canonical authorization through flex-auth
|
||||||
- delegated authorization runtime through Topaz first, with other PDPs as
|
- delegated authorization runtime through Topaz first, with other PDPs as
|
||||||
adapters
|
adapters
|
||||||
|
- runtime secret authority through OpenBao
|
||||||
- audit and explanation records
|
- audit and explanation records
|
||||||
- platform service secrets and rotation
|
- platform service secrets, dynamic credentials, leases, and rotation
|
||||||
|
|
||||||
Owned conceptually by `net-kingdom`; deployed through the Railiance stack.
|
Owned conceptually by `net-kingdom`; deployed through the Railiance stack.
|
||||||
|
|
||||||
@@ -98,6 +99,7 @@ platform itself.
|
|||||||
| `key-cape` | lightweight IAM implementation of the NetKingdom IAM Profile | a general-purpose IAM platform or authorization engine |
|
| `key-cape` | lightweight IAM implementation of the NetKingdom IAM Profile | a general-purpose IAM platform or authorization engine |
|
||||||
| Keycloak | expanded-mode IAM and optional Keycloak Authorization Services adapter | the canonical model for all platform authorization |
|
| Keycloak | expanded-mode IAM and optional Keycloak Authorization Services adapter | the canonical model for all platform authorization |
|
||||||
| privacyIDEA | MFA/token authority, especially in lightweight/key-cape mode | a policy decision point for application resources |
|
| privacyIDEA | MFA/token authority, especially in lightweight/key-cape mode | a policy decision point for application resources |
|
||||||
|
| OpenBao | runtime platform secrets service, dynamic credential broker, lease/revocation point, and audit source for secret access | the bootstrap root of trust or an application-specific configuration store |
|
||||||
| `flex-auth` | authorization control plane, CARING descriptors, policy packages, decision envelopes, audit/explain | an identity provider or backend-specific wrapper |
|
| `flex-auth` | authorization control plane, CARING descriptors, policy packages, decision envelopes, audit/explain | an identity provider or backend-specific wrapper |
|
||||||
| Topaz | first delegated authorization runtime/PDP for flex-auth | the platform control plane or identity provider |
|
| Topaz | first delegated authorization runtime/PDP for flex-auth | the platform control plane or identity provider |
|
||||||
| Railiance repos | converged infrastructure, cluster, platform services, enablement, and app deployment | the source of security policy semantics |
|
| Railiance repos | converged infrastructure, cluster, platform services, enablement, and app deployment | the source of security policy semantics |
|
||||||
@@ -156,6 +158,45 @@ Protected services enforce decisions locally. flex-auth is the canonical
|
|||||||
policy and decision boundary; delegated PDPs are runtime implementations
|
policy and decision boundary; delegated PDPs are runtime implementations
|
||||||
behind it.
|
behind it.
|
||||||
|
|
||||||
|
## Secret And Credential Path
|
||||||
|
|
||||||
|
```text
|
||||||
|
Bootstrap SOPS/age material
|
||||||
|
|
|
||||||
|
v
|
||||||
|
OpenBao platform secrets service
|
||||||
|
KV v2 platform configuration
|
||||||
|
dynamic database credentials
|
||||||
|
Kubernetes auth / workload identity
|
||||||
|
future object-storage credential brokering
|
||||||
|
audit devices and lease/revocation records
|
||||||
|
|
|
||||||
|
+-- direct OpenBao clients
|
||||||
|
+-- External Secrets Operator / synced Kubernetes Secrets
|
||||||
|
+-- CSI-mounted secrets where appropriate
|
||||||
|
|
|
||||||
|
v
|
||||||
|
Platform and tenant workloads
|
||||||
|
```
|
||||||
|
|
||||||
|
SOPS/age remains the bootstrap and Git-at-rest protection mechanism. It
|
||||||
|
can create the initial cluster secrets and emergency recovery bundles, but
|
||||||
|
it should not become the long-lived runtime authority for every workload
|
||||||
|
secret.
|
||||||
|
|
||||||
|
OpenBao is the runtime platform secrets service once the control plane is
|
||||||
|
alive. It owns secret leases, revocation, audit, dynamic credentials, and
|
||||||
|
workload-facing secret delivery patterns. Workloads should receive scoped
|
||||||
|
secrets or short-lived credentials, not platform-root material. Tenant
|
||||||
|
administrators may manage tenant-scoped secrets through approved policy
|
||||||
|
paths; they must not gain access to OpenBao root tokens, unseal keys,
|
||||||
|
platform mounts, or global secret engine configuration.
|
||||||
|
|
||||||
|
OpenBao does not replace identity or authorization. NetKingdom IAM
|
||||||
|
identifies actors and workloads; flex-auth decides whether a credential
|
||||||
|
or secret request is allowed; OpenBao stores, issues, audits, and revokes
|
||||||
|
the resulting secret material.
|
||||||
|
|
||||||
## Recursive Trust Rule
|
## Recursive Trust Rule
|
||||||
|
|
||||||
Normal tenant administration must never be sufficient to alter the
|
Normal tenant administration must never be sufficient to alter the
|
||||||
@@ -173,6 +214,8 @@ Examples of platform-root actions:
|
|||||||
- changing global MFA requirements
|
- changing global MFA requirements
|
||||||
- activating authorization policy that governs platform administration
|
- activating authorization policy that governs platform administration
|
||||||
- changing flex-auth/Topaz policy import pipelines
|
- changing flex-auth/Topaz policy import pipelines
|
||||||
|
- changing OpenBao root tokens, unseal policy, platform mounts, or global
|
||||||
|
auth methods
|
||||||
- changing audit retention or tamper-evidence settings
|
- changing audit retention or tamper-evidence settings
|
||||||
|
|
||||||
## Tenant Model
|
## Tenant Model
|
||||||
@@ -202,14 +245,17 @@ Production setup should move through explicit trust states:
|
|||||||
|
|
||||||
1. **Bare host trust** - provisioned and verified by Railiance infra.
|
1. **Bare host trust** - provisioned and verified by Railiance infra.
|
||||||
2. **Cluster trust** - Kubernetes runtime exists and is verified.
|
2. **Cluster trust** - Kubernetes runtime exists and is verified.
|
||||||
3. **Secret trust** - age/SOPS and emergency bundles are established.
|
3. **Bootstrap secret trust** - age/SOPS and emergency bundles are
|
||||||
|
established.
|
||||||
4. **Bootstrap identity trust** - local/bootstrap identity can operate
|
4. **Bootstrap identity trust** - local/bootstrap identity can operate
|
||||||
enough to install full identity services.
|
enough to install full identity services.
|
||||||
5. **Runtime identity trust** - key-cape or Keycloak becomes the normal
|
5. **Runtime secret trust** - OpenBao is deployed, initialized, unsealed,
|
||||||
|
audited, backed up, and ready to issue scoped secrets.
|
||||||
|
6. **Runtime identity trust** - key-cape or Keycloak becomes the normal
|
||||||
IAM Profile issuer.
|
IAM Profile issuer.
|
||||||
6. **Runtime authorization trust** - flex-auth and Topaz are initialized
|
7. **Runtime authorization trust** - flex-auth and Topaz are initialized
|
||||||
with platform and tenant policies.
|
with platform and tenant policies.
|
||||||
7. **Tenant onboarding trust** - Coulomb and later tenants register
|
8. **Tenant onboarding trust** - Coulomb and later tenants register
|
||||||
resources and receive scoped authority.
|
resources and receive scoped authority.
|
||||||
|
|
||||||
Each transition needs a verification check and a rollback/recovery path.
|
Each transition needs a verification check and a rollback/recovery path.
|
||||||
@@ -226,7 +272,7 @@ railiance-cluster
|
|||||||
Kubernetes, ingress, cert-manager, network policy
|
Kubernetes, ingress, cert-manager, network policy
|
||||||
|
|
||||||
railiance-platform
|
railiance-platform
|
||||||
PostgreSQL, object storage, secret management
|
OpenBao, PostgreSQL, object storage, platform service secret delivery
|
||||||
key-cape or Keycloak
|
key-cape or Keycloak
|
||||||
privacyIDEA where used
|
privacyIDEA where used
|
||||||
flex-auth
|
flex-auth
|
||||||
@@ -262,8 +308,12 @@ than bypassing the Railiance stack boundaries.
|
|||||||
## Open Questions
|
## Open Questions
|
||||||
|
|
||||||
- Where is the durable audit log stored for platform-root decisions?
|
- Where is the durable audit log stored for platform-root decisions?
|
||||||
|
- Where are OpenBao audit logs durably shipped, and how are they included
|
||||||
|
in tamper-evidence and restore drills?
|
||||||
- Which actions require dual control or human confirmation?
|
- Which actions require dual control or human confirmation?
|
||||||
- How is break-glass use recorded when normal identity is unavailable?
|
- How is break-glass use recorded when normal identity is unavailable?
|
||||||
|
- Which workloads consume OpenBao directly, via External Secrets Operator,
|
||||||
|
or via CSI-mounted secrets?
|
||||||
- Which tenant metadata is required before a service can register
|
- Which tenant metadata is required before a service can register
|
||||||
resources with flex-auth?
|
resources with flex-auth?
|
||||||
- When does the platform switch from key-cape lightweight mode to
|
- When does the platform switch from key-cape lightweight mode to
|
||||||
|
|||||||
Reference in New Issue
Block a user