🛡️ Production PBAC Blueprint

This blueprint defines a hardened production operating model for Control Core deployments using Control Plane and Bouncer services.

It is implementation-oriented and includes concrete deployment templates and probe specifications.

📌 Goals

  • Prevent policy drift and stale enforcement.
  • Guarantee a bouncer-only enforcement path (no direct application bypass).
  • Promote controls through signed, auditable release flow.
  • Fail fast on runtime degradation and support rollback.

🏗️ Architecture baseline

  1. Control Plane
    • Source of desired control state.
    • Publishes policy updates and tracks sync/health.
  2. Bouncer
    • Enforces policies at runtime.
    • Reports readiness and bundle attestation.
  3. Policy repository (GitHub)
    • Immutable audit trail for policy code and promotion history.

🚀 1) Policy Release Pipeline

Use a CI gate that validates policy quality before promotion:

  • Regal/lint + syntax checks
  • Unit and scenario tests
  • Signature/attestation of approved commit SHA
  • Environment promotion (sandbox -> production) only from approved SHA

Reference artifact:

  • policy-release-pipeline.github-actions.yml
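The gate described above, reduced to its last step as an added example (not the project's own pipeline code): the CI job that approves a commit emits an attestation bound to the exact SHA and the promotion edge, and the promotion job refuses anything whose attestation does not verify. An HMAC-SHA256 tag stands in here for whatever signer the real pipeline uses (for instance a Sigstore signature); the key, SHAs and stage names are constructed sample values.

```python
"""Promotion gate for the policy release pipeline.

Added example, not the project's own pipeline code. The HMAC-SHA256 tag stands
in for whatever signer the real CI job uses; all SHAs, keys and stage names
below are constructed sample values."""
import hashlib
import hmac
import json
import re
from dataclasses import dataclass
from typing import Tuple

# Full 40-hex commit SHA only; abbreviated refs and branch names are not promotable.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample key; a real pipeline would hold this in CI secrets or a KMS.
CI_ATTESTATION_KEY = b"constructed-ci-attestation-key"
APPROVED_SHA = "3f2a9c1d8b7e6f5a4d3c2b1a0f9e8d7c6b5a4f3e"  # constructed


@dataclass(frozen=True)
class Attestation:
    commit_sha: str   # the exact revision that passed lint, tests and review
    source_env: str   # stage that approved it, e.g. "sandbox"
    target_env: str   # stage it is approved for, e.g. "production"
    tag: str          # hex MAC over the canonical payload


def canonical_payload(commit_sha: str, source_env: str, target_env: str) -> bytes:
    # Canonical JSON (sorted keys, no whitespace) so signer and verifier tag identical bytes.
    body = {"sha": commit_sha, "from": source_env, "to": target_env}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def attest(key: bytes, commit_sha: str, source_env: str, target_env: str) -> Attestation:
    """Run by the CI gate after all checks pass; binds the SHA to one promotion edge."""
    tag = hmac.new(key, canonical_payload(commit_sha, source_env, target_env),
                   hashlib.sha256).hexdigest()
    return Attestation(commit_sha, source_env, target_env, tag)


def promotion_allowed(key: bytes, candidate_sha: str, target_env: str,
                      att: Attestation) -> Tuple[bool, str]:
    """Run by the promotion job; returns (allowed, reason) with every reject path explicit."""
    if not SHA_RE.match(candidate_sha):
        return False, "candidate is not a full lowercase commit SHA"
    if att.commit_sha != candidate_sha:
        return False, "attestation covers a different commit"
    if att.target_env != target_env:
        return False, f"attestation targets {att.target_env!r}, not {target_env!r}"
    expected = hmac.new(key, canonical_payload(att.commit_sha, att.source_env, att.target_env),
                        hashlib.sha256).hexdigest()
    # Constant-time compare so tag checking does not leak through timing.
    if not hmac.compare_digest(expected, att.tag):
        return False, "attestation tag does not verify"
    return True, "ok"


if __name__ == "__main__":
    att = attest(CI_ATTESTATION_KEY, APPROVED_SHA, "sandbox", "production")
    print(promotion_allowed(CI_ATTESTATION_KEY, APPROVED_SHA, "production", att))
    print(promotion_allowed(CI_ATTESTATION_KEY, "b" * 40, "production", att))
```

Because the tag covers the source and target stages as well as the SHA, an attestation issued for sandbox-to-staging cannot be replayed to promote the same commit into production, and relabelling the stages in the attestation record invalidates the tag.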

🔧 2) Bouncer Bundle Attestation Endpoint

Each bouncer should expose a read-only attestation payload for the loaded bundle:

  • active policy repo SHA/hash
  • bundle revision timestamp
  • source repo/branch
  • bouncer id/environment/resource

Spec template:

  • pep-attestation-endpoint.openapi.yaml

📌 3) Enforcement Health Controller

A controller loop should gate rollout readiness using:

  • Control Plane health + sync metrics
  • Bouncer ready signals
  • synthetic policy outcome probes through protected runtime paths
  • rollback hooks on threshold breach

Spec template:

  • enforcement-health-controller.spec.yaml

🛡️ 4) Network Policy Baseline Templates

Use explicit deny-by-default network policy with allow-lists per mode:

  • Sidecar mode baseline
  • Reverse-proxy mode baseline

Template:

  • networkpolicy-baselines.yaml

📌 5) Drift Reconciler Service

Run a periodic reconciler to compare:

  • Control Plane desired state
  • GitHub canonical state
  • Bouncer attested loaded state

Spec template:

  • drift-reconciler.spec.yaml
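The attestation payload from section 2 and the three-way comparison from section 5 belong together, so one added example covers both (it is not the OpenAPI spec or the reconciler spec, and the field names are assumptions modelled on the bullet lists above). The bouncer side hashes the bundle bytes it actually has in memory; the reconciler then compares the Control Plane desired state, the GitHub canonical SHA and each bouncer's attested state, and also flags a bundle revision older than an age limit as stale. All SHAs, timestamps and bundle bytes are constructed samples.

```python
"""Bouncer bundle attestation payload and the drift reconciler that consumes it.

Added example, not the project's own code. Field names follow the bullet lists
in the blueprint but are assumptions, not the OpenAPI or reconciler spec; all
SHAs, timestamps and bundle bytes are constructed samples."""
import hashlib
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List


@dataclass(frozen=True)
class BundleAttestation:
    bouncer_id: str
    environment: str
    resource: str
    policy_sha: str          # policy repo commit the loaded bundle was built from
    bundle_hash: str         # sha256 of the bundle bytes actually loaded
    bundle_revision_at: str  # ISO-8601, when this bundle became active
    source_repo: str
    source_branch: str


def build_attestation(bouncer_id: str, environment: str, resource: str, policy_sha: str,
                      bundle_bytes: bytes, source_repo: str, source_branch: str,
                      activated_at: datetime) -> dict:
    """Read-only view a bouncer would serve. The hash is taken from the bytes in
    memory, so it reports what is enforced rather than what was requested."""
    return asdict(BundleAttestation(
        bouncer_id=bouncer_id, environment=environment, resource=resource,
        policy_sha=policy_sha, bundle_hash=hashlib.sha256(bundle_bytes).hexdigest(),
        bundle_revision_at=activated_at.isoformat(),
        source_repo=source_repo, source_branch=source_branch))


def reconcile(desired: dict, canonical_sha: str, attestations: List[dict],
              max_age_s: int, now: datetime) -> Dict[str, list]:
    """Compare the three states. `desired` is the Control Plane view
    {"policy_sha": ..., "bundle_hash": ...}; `canonical_sha` is the branch head
    in GitHub. Returns findings keyed by "control_plane" and by bouncer id; an
    empty list means that party is in sync."""
    findings: Dict[str, list] = {"control_plane": []}
    if desired["policy_sha"] != canonical_sha:
        findings["control_plane"].append(
            f"desired {desired['policy_sha'][:8]} != git canonical {canonical_sha[:8]}")
    for a in attestations:
        f = []
        if a["policy_sha"] != desired["policy_sha"]:
            f.append(f"loaded policy {a['policy_sha'][:8]} != desired {desired['policy_sha'][:8]}")
        if a["bundle_hash"] != desired["bundle_hash"]:
            f.append("loaded bundle hash differs from the published bundle")
        age = (now - datetime.fromisoformat(a["bundle_revision_at"])).total_seconds()
        if age > max_age_s:
            f.append(f"bundle revision stale ({int(age)}s old, max {max_age_s}s)")
        findings[a["bouncer_id"]] = f
    return findings


# Constructed sample data: one bouncer in sync, one still on an older bundle.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
CURRENT_SHA = "3f2a9c1d8b7e6f5a4d3c2b1a0f9e8d7c6b5a4f3e"
OLD_SHA = "9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d"
CURRENT_BUNDLE = b"package authz\n\ndefault allow := false\n"
OLD_BUNDLE = b"package authz\n\ndefault allow := true\n"
DESIRED = {"policy_sha": CURRENT_SHA, "bundle_hash": hashlib.sha256(CURRENT_BUNDLE).hexdigest()}


def sample_attestations() -> List[dict]:
    return [
        build_attestation("bouncer-a", "production", "orders-api", CURRENT_SHA, CURRENT_BUNDLE,
                          "org/policies", "main", NOW - timedelta(minutes=5)),
        build_attestation("bouncer-b", "production", "orders-api", OLD_SHA, OLD_BUNDLE,
                          "org/policies", "main", NOW - timedelta(days=1)),
    ]


if __name__ == "__main__":
    for party, issues in reconcile(DESIRED, CURRENT_SHA, sample_attestations(), 600, NOW).items():
        print(party, issues or "in sync")
```

Comparing the bundle hash as well as the policy SHA matters: a bouncer can report the right commit while serving a bundle that was built from something else, and only the hash of the loaded bytes catches that.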

📌 Probe specs

Define platform probes and synthetic checks as deployable specs:

  • probe-specs.yaml

🛡️ Rollout policy

Recommended:

  1. Deploy to the sandbox Bouncer cohort.
  2. Verify attestation SHA and synthetic probe pass rate.
  3. Promote signed SHA to production cohort.
  4. Auto-rollback if:
    • probe pass rate drops below threshold,
    • attestation mismatch persists,
    • sync stalls exceed SLA.
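The controller loop from section 3 and the auto-rollback rules above are one decision, so a single added example serves both (it is not the controller spec or the project's code). It folds Control Plane health, Bouncer ready signals, sync lag against the SLA, attestation against the expected SHA and synthetic probe outcomes into a readiness verdict, and raises a rollback verdict when a threshold is breached. A probe that did not traverse the Bouncer counts as failed even when its outcome matched, which is how the "no direct app bypass" goal shows up in the numbers. Threshold values, field names, the cohort and the probe results are assumptions and constructed samples.

```python
"""Readiness gate for the enforcement health controller, applying the
auto-rollback rules from the rollout policy.

Added example, not the controller spec or the project's code. Threshold values
and field names are assumptions; the Bouncer statuses and probe outcomes are
constructed samples."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Thresholds:
    min_probe_pass_rate: float = 0.99
    max_sync_lag_s: int = 120        # sync SLA, Control Plane -> Bouncer
    max_mismatch_cycles: int = 2     # consecutive ticks before a mismatch "persists"


@dataclass
class ProbeResult:
    name: str
    expected: str       # outcome the probe was built to produce: "allow" or "deny"
    observed: str
    via_bouncer: bool   # True only if the request demonstrably traversed the Bouncer


@dataclass
class BouncerStatus:
    bouncer_id: str
    ready: bool
    attested_sha: str
    sync_lag_s: int


@dataclass
class Decision:
    ready: bool
    rollback: bool
    reasons: List[str] = field(default_factory=list)


def probe_pass_rate(results: List[ProbeResult]) -> float:
    # No probes is not evidence of health, so an empty set scores 0, not 1.
    if not results:
        return 0.0
    # A probe that bypassed the Bouncer fails even if the outcome happened to match.
    passed = sum(1 for r in results if r.via_bouncer and r.observed == r.expected)
    return passed / len(results)


def evaluate(control_plane_healthy: bool, bouncers: List[BouncerStatus],
             probes: List[ProbeResult], expected_sha: str, th: Thresholds,
             prior_mismatch_cycles: int = 0) -> Decision:
    """One controller tick. `prior_mismatch_cycles` is how many consecutive
    earlier ticks already saw an attestation mismatch."""
    reasons, rollback = [], False
    if not control_plane_healthy:
        reasons.append("control plane reports unhealthy")
    not_ready = [b.bouncer_id for b in bouncers if not b.ready]
    if not_ready:
        reasons.append(f"bouncers not ready: {not_ready}")
    stalled = [b.bouncer_id for b in bouncers if b.sync_lag_s > th.max_sync_lag_s]
    if stalled:
        reasons.append(f"sync stall beyond {th.max_sync_lag_s}s SLA: {stalled}")
        rollback = True
    mismatched = [b.bouncer_id for b in bouncers if b.attested_sha != expected_sha]
    if mismatched:
        reasons.append(f"attestation mismatch: {mismatched}")
        if prior_mismatch_cycles + 1 >= th.max_mismatch_cycles:
            rollback = True  # mismatch persists across ticks
    rate = probe_pass_rate(probes)
    if rate < th.min_probe_pass_rate:
        reasons.append(f"probe pass rate {rate:.3f} < {th.min_probe_pass_rate}")
        rollback = True
    return Decision(ready=not reasons, rollback=rollback, reasons=reasons)


# Constructed sample cohort and probes.
EXPECTED_SHA = "3f2a9c1d8b7e6f5a4d3c2b1a0f9e8d7c6b5a4f3e"


def healthy_cohort() -> List[BouncerStatus]:
    return [BouncerStatus("bouncer-a", True, EXPECTED_SHA, 30),
            BouncerStatus("bouncer-b", True, EXPECTED_SHA, 45)]


def good_probes() -> List[ProbeResult]:
    return [ProbeResult("reader-denied-admin-action", "deny", "deny", True),
            ProbeResult("owner-allowed-own-order", "allow", "allow", True),
            ProbeResult("anonymous-denied", "deny", "deny", True)]


if __name__ == "__main__":
    print(evaluate(True, healthy_cohort(), good_probes(), EXPECTED_SHA, Thresholds()))
    bypassed = good_probes()
    bypassed[1].via_bouncer = False
    print(evaluate(True, healthy_cohort(), bypassed, EXPECTED_SHA, Thresholds()))
```

A single attestation mismatch only blocks readiness; it becomes a rollback once it has persisted for the configured number of ticks, which is what keeps a bouncer that is mid-sync from triggering a rollback of a healthy rollout.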

📌 Operational requirement

Treat policy enforcement health as a release blocker:

  • Do not mark deployment healthy when probes fail.
  • Do not bypass bouncer path for any production traffic.
  • Do not promote unsigned or un-attested policy revisions.