{
  "id": "platform-governance-from-identity-to-node",
  "text": "OpenShift governance is a unified stack spanning four layers: identity management (OAuth→User→Identity chain), resource access control (dual RBAC + SCC), namespace/project self-provisioning, and node-level immutable configuration — all enforced through singleton operator CRs.",
  "truth_value": "IN",
  "source": "",
  "source_url": "",
  "source_hash": "",
  "justifications": [
    {
      "type": "SL",
      "antecedents": [
        "governance-spans-identity-resources-and-namespaces",
        "immutable-nodes-with-singleton-operator-control"
      ],
      "outlist": [],
      "label": "depth-3 identity/resource governance + depth-3 node/singleton governance combine into a complete governance stack from user login to node OS"
    }
  ],
  "dependents": [
    "platform-delivers-software-under-governance-across-topologies",
    "security-and-governance-unified-enforcement-stack"
  ],
  "metadata": {},
  "explanation": {
    "steps": [
      {
        "node": "platform-governance-from-identity-to-node",
        "truth_value": "IN",
        "reason": "SL justification valid",
        "antecedents": [
          "governance-spans-identity-resources-and-namespaces",
          "immutable-nodes-with-singleton-operator-control"
        ],
        "label": "depth-3 identity/resource governance + depth-3 node/singleton governance combine into a complete governance stack from user login to node OS"
      },
      {
        "node": "governance-spans-identity-resources-and-namespaces",
        "truth_value": "IN",
        "reason": "SL justification valid",
        "antecedents": [
          "authorization-and-resource-governance-model",
          "openshift-identity-lifecycle-chain",
          "project-self-provisioning-governance"
        ],
        "label": "Depth-3 — the three governance layers (identity, resource, namespace) interact: project self-provisioning is constrained by both identity chain and resource quotas"
      },
      {
        "node": "authorization-and-resource-governance-model",
        "truth_value": "IN",
        "reason": "SL justification valid",
        "antecedents": [
          "openshift-extends-k8s-authorization-model",
          "quota-forces-complete-resource-declarations"
        ],
        "label": "Authorization gates who can act; quotas gate how much — both enforce strictness"
      },
      {
        "node": "openshift-extends-k8s-authorization-model",
        "truth_value": "IN",
        "reason": "SL justification valid",
        "antecedents": [
          "ocp-two-authorization-api-groups",
          "openshift-has-own-authorization-api",
          "scc-api-group-security-openshift",
          "default-clusterroles-list"
        ],
        "label": "Parallel authorization APIs reflect OpenShift's extension of Kubernetes security model"
      },
      { "node": "ocp-two-authorization-api-groups", "truth_value": "IN", "reason": "premise" },
      { "node": "openshift-has-own-authorization-api", "truth_value": "IN", "reason": "premise" },
      { "node": "scc-api-group-security-openshift", "truth_value": "IN", "reason": "premise" },
      { "node": "default-clusterroles-list", "truth_value": "IN", "reason": "premise" },
      {
        "node": "quota-forces-complete-resource-declarations",
        "truth_value": "IN",
        "reason": "SL justification valid",
        "antecedents": [
          "ocp-quota-forces-explicit-resource-specs",
          "ocp-extended-resources-no-overcommit"
        ],
        "label": "Quotas enforce exhaustive resource declarations with no implicit defaults"
      },
      { "node": "ocp-quota-forces-explicit-resource-specs", "truth_value": "IN", "reason": "premise" },
      { "node": "ocp-extended-resources-no-overcommit", "truth_value": "IN", "reason": "premise" },
      {
        "node": "openshift-identity-lifecycle-chain",
        "truth_value": "IN",
        "reason": "SL justification valid",
        "antecedents": [
          "oauth-config-singleton-named-cluster",
          "oauth-requires-integratedoauth-type",
          "user-api-group-user-openshift-io",
          "useridentitymapping-maps-user-to-identity",
          "oauthclientauthorization-delete-revokes"
        ],
        "label": "Five resources form a directed chain from authentication config to session lifecycle"
      },
      { "node": "oauth-config-singleton-named-cluster", "truth_value": "IN", "reason": "premise" },
      { "node": "oauth-requires-integratedoauth-type", "truth_value": "IN", "reason": "premise" },
      { "node": "user-api-group-user-openshift-io", "truth_value": "IN", "reason": "premise" },
      { "node": "useridentitymapping-maps-user-to-identity", "truth_value": "IN", "reason": "premise" },
      { "node": "oauthclientauthorization-delete-revokes", "truth_value": "IN", "reason": "premise" },
      {
        "node": "project-self-provisioning-governance",
        "truth_value": "IN",
        "reason": "SL justification valid",
        "antecedents": [
          "ocp-admin-can-disable-self-provisioning",
          "ocp-disable-self-provisioning-two-steps",
          "project-request-template-in-openshift-config-ns",
          "project-request-message-shown-when-denied"
        ],
        "label": "Four beliefs describe the complete self-provisioning governance lifecycle"
      },
      { "node": "ocp-admin-can-disable-self-provisioning", "truth_value": "IN", "reason": "premise" },
      { "node": "ocp-disable-self-provisioning-two-steps", "truth_value": "IN", "reason": "premise" },
      { "node": "project-request-template-in-openshift-config-ns", "truth_value": "IN", "reason": "premise" },
      { "node": "project-request-message-shown-when-denied", "truth_value": "IN", "reason": "premise" },
      {
        "node": "immutable-nodes-with-singleton-operator-control",
        "truth_value": "IN",
        "reason": "SL justification valid",
        "antecedents": [
          "node-config-immutable-delivery-pipeline",
          "singleton-resource-naming-convention",
          "mco-rollout-process"
        ],
        "label": "The MCO pipeline delivers changes to immutable nodes, and the singleton pattern ensures exactly one configuration authority — together they prevent configuration drift and split-brain"
      },
      {
        "node": "node-config-immutable-delivery-pipeline",
        "truth_value": "IN",
        "reason": "SL justification valid",
        "antecedents": [
          "rhcos-immutable-update-model",
          "image-mirror-configuration-pipeline"
        ],
        "label": "Both OS updates and registry configuration use the same MCO-mediated immutable delivery pattern"
      },
      {
        "node": "rhcos-immutable-update-model",
        "truth_value": "IN",
        "reason": "SL justification valid",
        "antecedents": [
          "rhcos-nodes-immutable",
          "rhcos-rpm-ostree-updates",
          "image-layering-verify-rpm-ostree-status"
        ],
        "label": "Three facets of the same immutable-OS operational model"
      },
      { "node": "rhcos-nodes-immutable", "truth_value": "IN", "reason": "premise" },
      { "node": "rhcos-rpm-ostree-updates", "truth_value": "IN", "reason": "premise" },
      { "node": "image-layering-verify-rpm-ostree-status", "truth_value": "IN", "reason": "premise" },
      {
        "node": "image-mirror-configuration-pipeline",
        "truth_value": "IN",
        "reason": "SL justification valid",
        "antecedents": [
          "oc-mirror-generates-idms",
          "mirror-config-applied-via-mco-registries-conf",
          "icsp-deprecated-in-favor-of-idms"
        ],
        "label": "End-to-end mirror configuration from generation to node application"
      },
      { "node": "oc-mirror-generates-idms", "truth_value": "IN", "reason": "premise" },
      { "node": "mirror-config-applied-via-mco-registries-conf", "truth_value": "IN", "reason": "premise" },
      { "node": "icsp-deprecated-in-favor-of-idms", "truth_value": "IN", "reason": "premise" },
      {
        "node": "singleton-resource-naming-convention",
        "truth_value": "IN",
        "reason": "SL justification valid",
        "antecedents": [
          "oauth-config-singleton-named-cluster",
          "flowcollector-must-be-named-cluster",
          "clusterautoscaler-singleton-named-default",
          "storage-operator-singleton-named-cluster",
          "powermonitor-must-be-named-power-monitor"
        ],
        "label": "A recurring platform pattern worth capturing as a cross-cutting architectural constraint"
      },
      { "node": "oauth-config-singleton-named-cluster", "truth_value": "IN", "reason": "premise" },
      { "node": "flowcollector-must-be-named-cluster", "truth_value": "IN", "reason": "premise" },
      { "node": "clusterautoscaler-singleton-named-default", "truth_value": "IN", "reason": "premise" },
      { "node": "storage-operator-singleton-named-cluster", "truth_value": "IN", "reason": "premise" },
      { "node": "powermonitor-must-be-named-power-monitor", "truth_value": "IN", "reason": "premise" },
      { "node": "mco-rollout-process", "truth_value": "IN", "reason": "premise" }
    ]
  }
}