{"id":"unified-security-from-install-through-api-governance","text":"OpenShift enforces security as a continuous chain from install-time locks (FIPS, CPU partitioning) through runtime TLS/IPsec enforcement to API-level immutability and webhook admission control — no single layer can be bypassed without affecting the others.","truth_value":"IN","source":"","source_url":"","source_hash":"","justifications":[{"type":"SL","antecedents":["api-governance-enforces-stability-and-immutability","security-enforced-at-install-runtime-and-api-boundary"],"outlist":[],"label":"depth-3 API governance (stability+immutability) and depth-2 security enforcement (install+runtime+API) together show that security is not layered independently but forms a single enforcement chain where install-time decisions constrain what runtime and API governance must enforce"}],"dependents":["security-and-governance-unified-enforcement-stack","security-constrains-entire-update-path"],"metadata":{},"explanation":{"steps":[{"node":"unified-security-from-install-through-api-governance","truth_value":"IN","reason":"SL justification valid","antecedents":["api-governance-enforces-stability-and-immutability","security-enforced-at-install-runtime-and-api-boundary"],"label":"depth-3 API governance (stability+immutability) and depth-2 security enforcement (install+runtime+API) together show that security is not layered independently but forms a single enforcement chain where install-time decisions constrain what runtime and API governance must enforce"},{"node":"api-governance-enforces-stability-and-immutability","truth_value":"IN","reason":"SL justification valid","antecedents":["api-governance-spans-stability-and-admission","immutability-enforced-at-resource-and-platform-levels"],"label":"depth-2 API stability/admission + depth-2 immutability enforcement combine into a comprehensive API governance model"},{"node":"api-governance-spans-stability-and-admission","truth_value":"IN","reason":"SL justification valid","antecedents":["api-stability-tiered-guarantee-model","webhook-admission-enforcement-model"],"label":"depth-2 — API governance has both a temporal dimension (stability tiers) and a runtime dimension (admission enforcement)"},{"node":"api-stability-tiered-guarantee-model","truth_value":"IN","reason":"SL justification valid","antecedents":["compatibility-level-1-stable-12-months","compatibility-level-definitions","consoleplugin-compat-level-1","image-content-source-policy-v1alpha1-level4","api-tier3-default-for-unassigned-groups"],"label":"API consumers can assess migration risk by checking compatibility level"},{"node":"compatibility-level-1-stable-12-months","truth_value":"IN","reason":"premise"},{"node":"compatibility-level-definitions","truth_value":"IN","reason":"premise"},{"node":"consoleplugin-compat-level-1","truth_value":"IN","reason":"premise"},{"node":"image-content-source-policy-v1alpha1-level4","truth_value":"IN","reason":"premise"},{"node":"api-tier3-default-for-unassigned-groups","truth_value":"IN","reason":"premise"},{"node":"webhook-admission-enforcement-model","truth_value":"IN","reason":"SL justification valid","antecedents":["webhook-communication-requires-tls","webhook-max-timeout-13-seconds","webhook-never-invoked-on-own-kind","webhook-required-fields"],"label":"These four constraints collectively define the safety envelope for admission webhooks — TLS for integrity, timeout cap for availability, self-exclusion for stability, required fields for correctness"},{"node":"webhook-communication-requires-tls","truth_value":"IN","reason":"premise"},{"node":"webhook-max-timeout-13-seconds","truth_value":"IN","reason":"premise"},{"node":"webhook-never-invoked-on-own-kind","truth_value":"IN","reason":"premise"},{"node":"webhook-required-fields","truth_value":"IN","reason":"premise"},{"node":"immutability-enforced-at-resource-and-platform-levels","truth_value":"IN","reason":"SL justification valid","antecedents":["resource-field-immutability-pattern","install-time-irreversible-constraints"],"label":"depth-2 — immutability operates at both the resource field level and the cluster-wide level"},{"node":"resource-field-immutability-pattern","truth_value":"IN","reason":"SL justification valid","antecedents":["route-host-immutable","ingress-domain-field-immutable-unique","ingressclass-controller-immutable"],"label":"Three independent immutable-field constraints form a write-once identity pattern"},{"node":"route-host-immutable","truth_value":"IN","reason":"premise"},{"node":"ingress-domain-field-immutable-unique","truth_value":"IN","reason":"premise"},{"node":"ingressclass-controller-immutable","truth_value":"IN","reason":"premise"},{"node":"install-time-irreversible-constraints","truth_value":"IN","reason":"SL justification valid","antecedents":["ocp-security-fips-install-time-only","cpu-partitioning-install-time-only","network-plugin-selected-at-install-time"],"label":"Three independent install-time-only constraints form a coherent class of irreversible cluster decisions"},{"node":"ocp-security-fips-install-time-only","truth_value":"IN","reason":"premise"},{"node":"cpu-partitioning-install-time-only","truth_value":"IN","reason":"premise"},{"node":"network-plugin-selected-at-install-time","truth_value":"IN","reason":"premise"},{"node":"security-enforced-at-install-runtime-and-api-boundary","truth_value":"IN","reason":"SL justification valid","antecedents":["encryption-and-tls-infrastructure-model","webhook-admission-enforcement-model","install-time-irreversible-constraints"],"label":"depth-2 synthesis — three distinct enforcement points (install, runtime, API) form a unified security posture"},{"node":"encryption-and-tls-infrastructure-model","truth_value":"IN","reason":"SL justification valid","antecedents":["ocp-tls-four-profile-types","ipsec-cipher-aes-gcm-16-256","ipsec-pod-to-pod-transport-mode","ocp-410-san-certificate-requirement"],"label":"Four base beliefs about TLS/IPsec/certificates combine into a layered encryption model"},{"node":"ocp-tls-four-profile-types","truth_value":"IN","reason":"premise"},{"node":"ipsec-cipher-aes-gcm-16-256","truth_value":"IN","reason":"premise"},{"node":"ipsec-pod-to-pod-transport-mode","truth_value":"IN","reason":"premise"},{"node":"ocp-410-san-certificate-requirement","truth_value":"IN","reason":"premise"},{"node":"webhook-admission-enforcement-model","truth_value":"IN","reason":"SL justification valid","antecedents":["webhook-communication-requires-tls","webhook-max-timeout-13-seconds","webhook-never-invoked-on-own-kind","webhook-required-fields"],"label":"These four constraints collectively define the safety envelope for admission webhooks — TLS for integrity, timeout cap for availability, self-exclusion for stability, required fields for correctness"},{"node":"webhook-communication-requires-tls","truth_value":"IN","reason":"premise"},{"node":"webhook-max-timeout-13-seconds","truth_value":"IN","reason":"premise"},{"node":"webhook-never-invoked-on-own-kind","truth_value":"IN","reason":"premise"},{"node":"webhook-required-fields","truth_value":"IN","reason":"premise"},{"node":"install-time-irreversible-constraints","truth_value":"IN","reason":"SL justification valid","antecedents":["ocp-security-fips-install-time-only","cpu-partitioning-install-time-only","network-plugin-selected-at-install-time"],"label":"Three independent install-time-only constraints form a coherent class of irreversible cluster decisions"},{"node":"ocp-security-fips-install-time-only","truth_value":"IN","reason":"premise"},{"node":"cpu-partitioning-install-time-only","truth_value":"IN","reason":"premise"},{"node":"network-plugin-selected-at-install-time","truth_value":"IN","reason":"premise"}]}}