Security assurance case
Security claims, trust boundaries, and countermeasures for MKurator. Complements
NFR SEC-*, SECURITY.md,
and ADR-0009.
Last updated: 2026-06-06
Claims and scope
MKurator is a Kubernetes operator that manages IBM MQ administrative objects via mqweb HTTPS.
It runs with cluster credentials, holds references to MQ credentials in Secrets, and must not
leak secrets or exceed RBAC.
| ID |
Requirement |
Primary enforcement |
| SEC-1 |
No credentials in CR specs, code, images, or logs |
NFR doc, gosec, gitleaks |
| SEC-2 |
TLS verify on for mqweb; insecure opt-in only |
mqrest adapter, NFR SEC-2 |
| SEC-3 |
Least-privilege operator RBAC |
config/rbac/, task audit:rbac |
| SEC-4 |
Distroless nonroot runtime |
Dockerfile, Pod securityContext |
| SEC-6 |
No known critical/high vulns at release |
govulncheck, Trivy release gate |
Trust boundaries
flowchart TB
subgraph cluster["Kubernetes cluster"]
API["Kubernetes API"]
CRDs["MKurator CRDs"]
Secrets["Secrets"]
Webhook["Validating webhook"]
Op["MKurator operator"]
API --> Op
CRDs --> Op
Secrets --> Op
Webhook -.-> API
end
subgraph mq["Queue manager zone"]
MQWeb["mqweb REST HTTPS"]
QM["IBM MQ"]
MQWeb --> QM
end
Op -->|"TLS + credentials from Secret"| MQWeb
| Boundary |
Trust assumption |
Controls |
| Operator ↔ Kubernetes API |
Apiserver authentic; RBAC correct |
Scoped ClusterRole; namespace-bound Secret refs |
| Operator ↔ Secrets |
Secret readable only where RBAC allows |
credentialsSecretRef / caSecretRef only |
| Operator ↔ mqweb |
Network may be hostile |
TLS verify default; custom CA; dev-only insecure skip |
| Admission ↔ API writers |
Webhook pod availability |
failurePolicy: Fail; CEL migration planned |
| Supply chain ↔ Adopter |
Registry/releases may be tampered |
cosign, SBOM, SLSA attestations (ADR-0016) |
Threats and countermeasures
| Threat |
Impact |
Countermeasure |
Verification |
| Credential leakage to logs/status |
Critical |
No creds in specs; structured logging; gosec |
Unit tests; code review |
| MITM on mqweb |
High |
TLS verify default; CA from Secret |
Adapter tests |
| Over-broad operator RBAC |
High |
Minimal verbs on own API group + Secrets |
Polaris/kubeaudit CI |
| Webhook outage blocks all CR writes |
Medium |
Shrink webhook surface; CEL on CRDs |
ADR-0009 |
| Compromised release artifact |
High |
cosign, sign-blob, Trivy, attestations |
Release workflow |
| Dependency CVE |
Medium–High |
govulncheck, Dependabot, SCA policy |
CI vulncheck |
Residual risks
| Risk |
Mitigation status |
Owner action |
| Solo maintainer (bus factor 1) |
Documented in GOVERNANCE.md |
Co-maintainer when feasible |
Adopter enables allowInsecureTLS in prod |
Dev-only annotation gate |
Document in INSTALL_AND_USE |
| mqweb credential rotation not watch-driven |
Periodic requeue backstop |
See operator improvement backlog |