The basic authorization pattern is the minimum bar for applying IAM principles to a cloud-native application. In this model, authentication and authorization are performed primarily by the primary workload, which receives the user's access token or session state. Note that the authentication and authorization decision (the PEP) is enforced by the workload itself, using resource-specific parameters supplied to the PDP; it is not implemented by ingress or gateway rules, which only have access to the request context.
Implement the requirements from FAPI and RFC 9700. For human users, apply the appropriate assurance levels from NIST SP800-63.
Note: this covers TLS (FAPI), identity verification (SP800-63A), multiple authentication factors (SP800-63B), federation security (SP800-63C) and the authorization code flow (RFC 9700), along with many other requirements not currently specified in the whitepaper.
Implement authorization (PEP) using a consistent framework or patter
Version: devel
Not for production use.
| --- docs/versions/2025-02-25.md 2025-10-13 12:41:28.344206651 -0700 | |
| +++ docs/versions/2025-10-10.md 2025-10-13 12:41:28.344707215 -0700 | |
| @@ -1,10 +1,14 @@ | |
| +--- | |
| +nav-title: Current Version | |
| +--- | |
| # Open Source Project Security Baseline | |
| -Version: 2025-02-25 |
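Review bot: the front matter added at the top of docs/versions/2025-10-10.md hard-codes `nav-title: Current Version` into a dated version file, so the next release will have to edit this file again to retitle it; consider letting the site build derive the "current" label from a single pointer to the latest version file instead. The hunk also removes `Version: 2025-02-25`, but the replacement line falls outside the shown context, so the visible diff cannot confirm that the new document still states its own version.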
```json
{
  "_type": "https://in-toto.io/Statement/v1",
  "subject": [
    {
      "name": "software",
      "uri": "https://github.com/mindersec/minder"
    },
    {
      "name": "governance",
      "uri": "https://github.com/mindersec/community"
```
```yaml
...
    - name: config-provider
      templateRef:
        kind: ClusterConfigTemplate
        name: convention-template
      params:
        - name: serviceAccount
          value: default
      images:
        - resource: image-provider
```
```sh
#!/bin/sh
# Assumes Docker desktop installed
#
# Normalise the "uname -sm" output (e.g. "Darwin arm64", "Linux x86_64") into the
# "<os>-<arch>" form used in the knative release asset names.
VARIANT="$(uname -sm | tr 'A-Z ' 'a-z-' | sed s/aarch64/arm64/ | sed s/x86_64/amd64/)"
# Same value with underscores, usable inside shell function names.
FUNC_VARIANT="$(echo "$VARIANT" | tr '-' '_')"
curl -L -o kn "https://github.com/knative/client/releases/download/knative-v1.2.0/kn-$VARIANT"
curl -L -o kn-plugin-quickstart "https://github.com/knative-sandbox/kn-plugin-quickstart/releases/download/knative-v1.2.0/kn-quickstart-$VARIANT"
```
```yaml
serving-istio:
  primary:
    github:
      repo: "knative/serving"
    include:
      - ".*.yaml"
    exclude:
      - "monitoring.*"
      - "serving.yaml"
      - "serving-storage-version-migration.yaml"
```
```text
{"client":"github","component":"unset","file":"prow/github/client.go:562","func":"k8s.io/test-infra/prow/github.(*client).log","level":"info","msg":"GetOrg(knative-sandbox)","time":"2020-05-20T06:26:35-07:00"}
{"client":"github","component":"unset","file":"prow/github/client.go:562","func":"k8s.io/test-infra/prow/github.(*client).log","level":"info","msg":"ListOrgInvitations(knative-sandbox)","time":"2020-05-20T06:26:35-07:00"}
{"client":"github","component":"unset","file":"prow/github/client.go:562","func":"k8s.io/test-infra/prow/github.(*client).log","level":"info","msg":"User()","time":"2020-05-20T06:26:36-07:00"}
{"client":"github","component":"unset","file":"prow/github/client.go:562","func":"k8s.io/test-infra/prow/github.(*client).log","level":"info","msg":"ListOrgMembers(knative-sandbox, admin)","time":"2020-05-20T06:26:37-07:00"}
{"client":"github","component":"unset","file":"prow/github/client.go:562","func":"k8s.io/test-infra/prow/github.(*client).log","level":"info","msg":"ListOrgMembers(knative-sa
```
```yaml
apiGroup: security.knative.dev/v1alpha1
kind: PolicyBinding
metadata:
  name: green-service
spec:
  policy: green-policy
  targets:
    - apiGroup: serving.knative.dev/v1
      kind: Service
      selector:
```