{"id":"identity-governed-software-delivery","text":"The complete software delivery pipeline (build→image→operator→console) is identity-governed end-to-end: the OAuth→Identity→Authorization chain controls who can build images, deploy operators, and access console plugins, while dual RBAC+SCC enforces what those actors can do at each pipeline stage.","truth_value":"IN","source":"","source_url":"","source_hash":"","justifications":[{"type":"SL","antecedents":["identity-governs-operator-and-workload-access","complete-software-delivery-from-build-to-console"],"outlist":[],"label":"Combines identity governance (depth-4) with software delivery (depth-4) — delivery requires identity at every stage"}],"dependents":[],"metadata":{},"explanation":{"steps":[{"node":"identity-governed-software-delivery","truth_value":"IN","reason":"SL justification valid","antecedents":["identity-governs-operator-and-workload-access","complete-software-delivery-from-build-to-console"],"label":"Combines identity governance (depth-4) with software delivery (depth-4) — delivery requires identity at every stage"},{"node":"identity-governs-operator-and-workload-access","truth_value":"IN","reason":"SL justification valid","antecedents":["identity-session-and-authorization-complete","olm-transitioning-between-generations"],"label":"Identity governance is upstream of both operator installation and workload admission — the OLM chain cannot begin without RBAC, making identity the root dependency."},{"node":"identity-session-and-authorization-complete","truth_value":"IN","reason":"SL justification valid","antecedents":["identity-to-authorization-governance-chain","oauth-session-lifecycle-management"],"label":"depth-2 identity-to-authorization covers the static mapping; depth-1 session lifecycle adds the temporal dimension — combining reveals that authorization is not just identity-based but session-scoped, and revocation propagates through the entire chain"},{"node":"identity-to-authorization-governance-chain","truth_value":"IN","reason":"SL justification valid","antecedents":["openshift-identity-lifecycle-chain","openshift-extends-k8s-authorization-model"],"label":"Identity chain output (authenticated users) is the input to the authorization model — combining reveals the full access control pipeline"},{"node":"openshift-identity-lifecycle-chain","truth_value":"IN","reason":"SL justification valid","antecedents":["oauth-config-singleton-named-cluster","oauth-requires-integratedoauth-type","user-api-group-user-openshift-io","useridentitymapping-maps-user-to-identity","oauthclientauthorization-delete-revokes"],"label":"Five resources form a directed chain from authentication config to session lifecycle"},{"node":"oauth-config-singleton-named-cluster","truth_value":"IN","reason":"premise"},{"node":"oauth-requires-integratedoauth-type","truth_value":"IN","reason":"premise"},{"node":"user-api-group-user-openshift-io","truth_value":"IN","reason":"premise"},{"node":"useridentitymapping-maps-user-to-identity","truth_value":"IN","reason":"premise"},{"node":"oauthclientauthorization-delete-revokes","truth_value":"IN","reason":"premise"},{"node":"openshift-extends-k8s-authorization-model","truth_value":"IN","reason":"SL justification valid","antecedents":["ocp-two-authorization-api-groups","openshift-has-own-authorization-api","scc-api-group-security-openshift","default-clusterroles-list"],"label":"Parallel authorization APIs reflect OpenShift's extension of Kubernetes security model"},{"node":"ocp-two-authorization-api-groups","truth_value":"IN","reason":"premise"},{"node":"openshift-has-own-authorization-api","truth_value":"IN","reason":"premise"},{"node":"scc-api-group-security-openshift","truth_value":"IN","reason":"premise"},{"node":"default-clusterroles-list","truth_value":"IN","reason":"premise"},{"node":"oauth-session-lifecycle-management","truth_value":"IN","reason":"SL justification valid","antecedents":["oauth-five-api-resources","oauth-delete-token-revokes-session","delete-oauthaccesstoken-revokes-session"],"label":"OAuth token deletion as the primary session revocation mechanism"},{"node":"oauth-five-api-resources","truth_value":"IN","reason":"premise"},{"node":"oauth-delete-token-revokes-session","truth_value":"IN","reason":"premise"},{"node":"delete-oauthaccesstoken-revokes-session","truth_value":"IN","reason":"premise"},{"node":"olm-transitioning-between-generations","truth_value":"IN","reason":"SL justification valid","antecedents":["olm-full-lifecycle-chain","clusterextension-replaces-subscription-operatorgroup","fbc-modernizes-operator-catalog-format"],"label":"depth-2 synthesis — OLM is not static; the v1→v1alpha1 transition creates a dual-path operational reality"},{"node":"olm-full-lifecycle-chain","truth_value":"IN","reason":"SL justification valid","antecedents":["olm-resource-chain","olm-subscription-tracks-channel","subscription-triggers-installplan-then-csv","installplan-required-spec-fields"],"label":"End-to-end OLM lifecycle with each resource's role clarified"},{"node":"olm-resource-chain","truth_value":"IN","reason":"premise"},{"node":"olm-subscription-tracks-channel","truth_value":"IN","reason":"premise"},{"node":"subscription-triggers-installplan-then-csv","truth_value":"IN","reason":"premise"},{"node":"installplan-required-spec-fields","truth_value":"IN","reason":"premise"},{"node":"clusterextension-replaces-subscription-operatorgroup","truth_value":"IN","reason":"premise"},{"node":"fbc-modernizes-operator-catalog-format","truth_value":"IN","reason":"SL justification valid","antecedents":["fbc-default-since-ocp-411-sqlite-deprecated","opm-validate-checks-catalog","fbc-skiprange-prunes-update-graph"],"label":"FBC as the complete modern catalog toolchain"},{"node":"fbc-default-since-ocp-411-sqlite-deprecated","truth_value":"IN","reason":"premise"},{"node":"opm-validate-checks-catalog","truth_value":"IN","reason":"premise"},{"node":"fbc-skiprange-prunes-update-graph","truth_value":"IN","reason":"premise"},{"node":"complete-software-delivery-from-build-to-console","truth_value":"IN","reason":"SL justification valid","antecedents":["image-supply-chain-end-to-end","operator-delivery-through-console-integration"],"label":"depth-3 image supply chain + depth-3 operator delivery pipeline converge at the console UI layer, revealing a unified delivery model"},{"node":"image-supply-chain-end-to-end","truth_value":"IN","reason":"SL justification valid","antecedents":["build-and-image-delivery-pipeline","operator-catalog-to-deployment-pipeline"],"label":"depth-3 — application and operator image delivery are structurally parallel managed pipelines"},{"node":"build-and-image-delivery-pipeline","truth_value":"IN","reason":"SL justification valid","antecedents":["build-system-openshift-native-duality","imagestream-controlled-access-model","image-registry-external-access-model"],"label":"Build systems, ImageStream access control, and registry exposure form a complete image delivery chain"},{"node":"build-system-openshift-native-duality","truth_value":"IN","reason":"SL justification valid","antecedents":["ocp-two-build-systems-shipwright-buildconfig","ocp-buildconfigs-not-in-upstream-k8s","imagestream-buildconfig-openshift-native"],"label":"The build system is entirely OpenShift-native — both build mechanisms and their image output target (ImageStream) have no K8s equivalents"},{"node":"ocp-two-build-systems-shipwright-buildconfig","truth_value":"IN","reason":"premise"},{"node":"ocp-buildconfigs-not-in-upstream-k8s","truth_value":"IN","reason":"premise"},{"node":"imagestream-buildconfig-openshift-native","truth_value":"IN","reason":"premise"},{"node":"imagestream-controlled-access-model","truth_value":"IN","reason":"SL justification valid","antecedents":["image-objects-immutable-content-addressed","end-users-access-images-via-imagestreamtag-or-imagestreamimage","imagestream-pull-requires-get-layers-permission","ocp-imagestreammapping-privileged-only"],"label":"Four beliefs collectively enforce a layered access control model over image content"},{"node":"image-objects-immutable-content-addressed","truth_value":"IN","reason":"premise"},{"node":"end-users-access-images-via-imagestreamtag-or-imagestreamimage","truth_value":"IN","reason":"premise"},{"node":"imagestream-pull-requires-get-layers-permission","truth_value":"IN","reason":"premise"},{"node":"ocp-imagestreammapping-privileged-only","truth_value":"IN","reason":"premise"},{"node":"image-registry-external-access-model","truth_value":"IN","reason":"SL justification valid","antecedents":["image-registry-default-route-true-exposes-externally","default-route-uses-reencrypt","registry-credential-secret-name","image-registry-storage-backends"],"label":"Four beliefs that together describe how the registry is configured, secured, and exposed"},{"node":"image-registry-default-route-true-exposes-externally","truth_value":"IN","reason":"premise"},{"node":"default-route-uses-reencrypt","truth_value":"IN","reason":"premise"},{"node":"registry-credential-secret-name","truth_value":"IN","reason":"premise"},{"node":"image-registry-storage-backends","truth_value":"IN","reason":"premise"},{"node":"operator-catalog-to-deployment-pipeline","truth_value":"IN","reason":"SL justification valid","antecedents":["fbc-modernizes-operator-catalog-format","olm-full-lifecycle-chain"],"label":"FBC defines the catalog format; OLM defines the installation chain — together they form the complete operator delivery pipeline"},{"node":"fbc-modernizes-operator-catalog-format","truth_value":"IN","reason":"SL justification valid","antecedents":["fbc-default-since-ocp-411-sqlite-deprecated","opm-validate-checks-catalog","fbc-skiprange-prunes-update-graph"],"label":"FBC as the complete modern catalog toolchain"},{"node":"fbc-default-since-ocp-411-sqlite-deprecated","truth_value":"IN","reason":"premise"},{"node":"opm-validate-checks-catalog","truth_value":"IN","reason":"premise"},{"node":"fbc-skiprange-prunes-update-graph","truth_value":"IN","reason":"premise"},{"node":"olm-full-lifecycle-chain","truth_value":"IN","reason":"SL justification valid","antecedents":["olm-resource-chain","olm-subscription-tracks-channel","subscription-triggers-installplan-then-csv","installplan-required-spec-fields"],"label":"End-to-end OLM lifecycle with each resource's role clarified"},{"node":"olm-resource-chain","truth_value":"IN","reason":"premise"},{"node":"olm-subscription-tracks-channel","truth_value":"IN","reason":"premise"},{"node":"subscription-triggers-installplan-then-csv","truth_value":"IN","reason":"premise"},{"node":"installplan-required-spec-fields","truth_value":"IN","reason":"premise"},{"node":"operator-delivery-through-console-integration","truth_value":"IN","reason":"SL justification valid","antecedents":["operator-catalog-to-deployment-pipeline","console-plugin-integration-model"],"label":"OLM is the shared dependency — it drives both operator deployment and console plugin registration, revealing OLM as the universal operator delivery bus"},{"node":"operator-catalog-to-deployment-pipeline","truth_value":"IN","reason":"SL justification valid","antecedents":["fbc-modernizes-operator-catalog-format","olm-full-lifecycle-chain"],"label":"FBC defines the catalog format; OLM defines the installation chain — together they form the complete operator delivery pipeline"},{"node":"fbc-modernizes-operator-catalog-format","truth_value":"IN","reason":"SL justification valid","antecedents":["fbc-default-since-ocp-411-sqlite-deprecated","opm-validate-checks-catalog","fbc-skiprange-prunes-update-graph"],"label":"FBC as the complete modern catalog toolchain"},{"node":"fbc-default-since-ocp-411-sqlite-deprecated","truth_value":"IN","reason":"premise"},{"node":"opm-validate-checks-catalog","truth_value":"IN","reason":"premise"},{"node":"fbc-skiprange-prunes-update-graph","truth_value":"IN","reason":"premise"},{"node":"olm-full-lifecycle-chain","truth_value":"IN","reason":"SL justification valid","antecedents":["olm-resource-chain","olm-subscription-tracks-channel","subscription-triggers-installplan-then-csv","installplan-required-spec-fields"],"label":"End-to-end OLM lifecycle with each resource's role clarified"},{"node":"olm-resource-chain","truth_value":"IN","reason":"premise"},{"node":"olm-subscription-tracks-channel","truth_value":"IN","reason":"premise"},{"node":"subscription-triggers-installplan-then-csv","truth_value":"IN","reason":"premise"},{"node":"installplan-required-spec-fields","truth_value":"IN","reason":"premise"},{"node":"console-plugin-integration-model","truth_value":"IN","reason":"SL justification valid","antecedents":["consoleplugin-backend-must-use-https","console-plugins-registered-via-olm","console-config-singleton-named-cluster","consoleplugin-compat-level-1"],"label":"Console plugin architecture with security, registration, and stability guarantees"},{"node":"consoleplugin-backend-must-use-https","truth_value":"IN","reason":"premise"},{"node":"console-plugins-registered-via-olm","truth_value":"IN","reason":"premise"},{"node":"console-config-singleton-named-cluster","truth_value":"IN","reason":"premise"},{"node":"consoleplugin-compat-level-1","truth_value":"IN","reason":"premise"}]}}