The basic authorization pattern serves as a minimum bar for application of IAM principles to a cloud-native application. In this model, authentication and authorization is performed primarily by the primary workload which receives the user's access token or session state. Note that the authentication and authorization (PEP) is performed by the workload using resource-specific parameters supplied to the PDP, and is not implemented by ingress or gateway rules which only have access to the request context.
Implement the requirements from FAPI and RFC 9700. For human users, apply the appropriate assurance levels from NIST SP800-63.
note: this covers TLS (FAPI), ID verification (SP800-63A), multiple auth factors (SP800-63B), federation security (SP800-63C), authorization code flow (RFC9700), including many other requirements not currently specified in the whitepaper.
Implement authorization (PEP) using a consistent framework or patter
Evan Anderson evankanderson
evankanderson
/ Minder Individual CLA
Last active
March 19, 2026 18:14
— forked from dussab/Individual CLA
CLA
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # OpenSSF Minder Individual Contributor License Agreement | |
| "You" (or "Your") shall mean the copyright owner or legal entity authorized by the copyright owner that is making this Agreement with Stacklok. For legal entities, the entity making a Contribution and all other entities that control, are controlled by, or are under common control with that entity are considered to be a single Contributor. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. | |
| In consideration of the opportunity to participate in the community of contributors to OpenSSF Minder projects, You accept and agree to the following terms and conditions for Your present and future Contributions submitted to OpenSSF Minder. Except for the license granted herein to OpenSSF Minder and recipients of software di |
evankanderson
/ example.md
Last active
March 2, 2026 21:58
evankanderson
/ devel.md
Created
November 14, 2025 18:28
Version: devel
{: .warning} Not for production use.
<button onclick="toTop()" id="topButton" title="Go to top" style="display: none; position: fixed; bottom: 20px; right: 30px; border: none; background-color: CornflowerBlue; color: white; cursor: pointer; padding: 10px; border-radius: 10px; font-size: 18px;">to top
evankanderson
/ baseline.md.diff
Created
October 13, 2025 19:43
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- docs/versions/2025-02-25.md 2025-10-13 12:41:28.344206651 -0700 | |
| +++ docs/versions/2025-10-10.md 2025-10-13 12:41:28.344707215 -0700 | |
| @@ -1,10 +1,14 @@ | |
| +--- | |
| +nav-title: Current Version | |
| +--- | |
| # Open Source Project Security Baseline | |
| -Version: 2025-02-25 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Show hidden characters
| { | |
| "_type": "https://in-toto.io/Statement/v1", | |
| "subject": [ | |
| { | |
| "name": "software", | |
| "uri": "https://github.com/mindersec/minder" | |
| }, | |
| { | |
| "name": "governance", | |
| "uri": "https://github.com/mindersec/community" |
evankanderson
/ base-supplychain.yaml
Last active
August 5, 2022 17:17
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ... | |
| - name: config-provider | |
| templateRef: | |
| kind: ClusterConfigTemplate | |
| name: convention-template | |
| params: | |
| - name: serviceAccount | |
| value: default | |
| images: | |
| - resource: image-provider |
evankanderson
/ Func demo setup script
Last active
February 28, 2022 20:06
Kn plugin func binary research install script
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| # Assumes Docker desktop installed | |
| # | |
| VARIANT="$(uname -sm | tr 'A-Z ' 'a-z-' | sed s/aarch64/arm64/ | sed s/x86_64/amd64/)" | |
| FUNC_VARIANT="$(echo $VARIANT | tr '-' '_')" | |
| curl -L -o kn https://github.com/knative/client/releases/download/knative-v1.2.0/kn-$VARIANT | |
| curl -L -o kn-plugin-quickstart https://github.com/knative-sandbox/kn-plugin-quickstart/releases/download/knative-v1.2.0/kn-quickstart-$VARIANT |
evankanderson
/ config.yaml
Last active
December 17, 2020 22:47
Serving config for 3 ingress options
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| serving-istio: | |
| primary: | |
| github: | |
| repo: "knative/serving" | |
| include: | |
| - ".*.yaml" | |
| exclude: | |
| - "monitoring.*" | |
| - "serving.yaml" | |
| - "serving-storage-version-migration.yaml" |
evankanderson
/ Update and set tags
Created
August 28, 2020 18:02
evankanderson
/ peribolos-output.json
Created
May 20, 2020 13:28
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| {"client":"github","component":"unset","file":"prow/github/client.go:562","func":"k8s.io/test-infra/prow/github.(*client).log","level":"info","msg":"GetOrg(knative-sandbox)","time":"2020-05-20T06:26:35-07:00"} | |
| {"client":"github","component":"unset","file":"prow/github/client.go:562","func":"k8s.io/test-infra/prow/github.(*client).log","level":"info","msg":"ListOrgInvitations(knative-sandbox)","time":"2020-05-20T06:26:35-07:00"} | |
| {"client":"github","component":"unset","file":"prow/github/client.go:562","func":"k8s.io/test-infra/prow/github.(*client).log","level":"info","msg":"User()","time":"2020-05-20T06:26:36-07:00"} | |
| {"client":"github","component":"unset","file":"prow/github/client.go:562","func":"k8s.io/test-infra/prow/github.(*client).log","level":"info","msg":"ListOrgMembers(knative-sandbox, admin)","time":"2020-05-20T06:26:37-07:00"} | |
| {"client":"github","component":"unset","file":"prow/github/client.go:562","func":"k8s.io/test-infra/prow/github.(*client).log","level":"info","msg":"ListOrgMembers(knative-sa |
NewerOlder