RFC-TENANT-SECURITY-0001                                         Section 3
Category: Standards Track                                     Architecture

3. Architecture


3.1 System Overview

The Tenant Application Security Architecture establishes a layered defense model for protecting applications from external threats and isolating tenants at the network layer. Traffic flows through multiple security checkpoints, each providing distinct protection capabilities.


3.2 Defense Layers

The architecture implements defense-in-depth through distinct security layers:

3.2.1 Layer Model

+--------------------+----------------------------+--------------------+-----------------------+
| Layer              | Function                   | Failure Behavior   | Enforces              |
+--------------------+----------------------------+--------------------+-----------------------+
| L1: TLS            | Encryption in transit      | Connection refused | INV-2                 |
| L2: WAF            | Attack signature detection | Block or log       | INV-1, INV-4          |
| L3: Rate Limiting  | Abuse prevention           | Request throttled  |                       |
| L4: Bot Mitigation | Automated threat blocking  | Challenge issued   |                       |
| L5: Network Policy | Namespace isolation        | Traffic denied     | INV-5, INV-6, INV-7   |
| L6: Service Mesh   | Service authorization      | Request rejected   | RFC-WORKLOAD-IDENTITY |
+--------------------+----------------------------+--------------------+-----------------------+

3.2.2 Layer Independence

Each layer operates independently such that:

  • Compromise of one layer does not compromise other layers
  • Layers can be updated independently
  • Failure of one layer does not cascade to others (where possible)
  • Each layer provides distinct security value

3.2.3 Traffic Flow States


3.3 Trust Boundaries

3.3.1 Boundary Definitions

Trust boundaries define where security context changes and additional verification is required.

3.3.2 Boundary Characteristics

+-----------------------+-----------+----------+-------------------------------+
| Boundary              | From      | To       | Verification Required         |
+-----------------------+-----------+----------+-------------------------------+
| B1: Internet → DMZ    | Untrusted | DMZ      | TLS, WAF inspection           |
| B2: DMZ → Cluster     | DMZ       | Cluster  | Network policy, mesh identity |
| B3: Platform → Tenant | Platform  | Tenant   | Explicit policy authorization |
| B4: Tenant → Tenant   | Tenant A  | Tenant B | Prohibited by default (INV-6) |
+-----------------------+-----------+----------+-------------------------------+

3.3.3 Boundary Enforcement

+----------+--------------------------+-----------+
| Boundary | Enforcement Mechanism    | Invariant |
+----------+--------------------------+-----------+
| B1       | BunkerWeb WAF            | INV-1     |
| B2       | Kubernetes NetworkPolicy | INV-5     |
| B3       | Kubernetes NetworkPolicy | INV-6     |
| B4       | Kubernetes NetworkPolicy | INV-6     |
+----------+--------------------------+-----------+
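The Kubernetes NetworkPolicy manifests below are an added example, not part of this RFC or the project's own manifests, showing how boundaries B2, B3 and B4 from the tables above are realized for a single tenant namespace. The namespace names (dmz, platform, tenant-a, kube-system), the pod labels and the port numbers are assumptions; the kubernetes.io/metadata.name namespace label is the one Kubernetes sets automatically.

```yaml
# Added example: NetworkPolicies realizing B2, B3 and B4 for the namespace
# "tenant-a". Namespace names, pod labels and ports are assumed, not from the RFC.
---
# Default deny: nothing enters or leaves unless a policy below allows it.
# This is what makes B4 (tenant -> tenant) "prohibited by default" (INV-6).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: tenant-a
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# B2 (DMZ -> Cluster): only the WAF pods in the DMZ namespace may reach the
# tenant's web pods, and only on the service port. namespaceSelector and
# podSelector in the same "from" entry are ANDed, so a non-WAF pod that
# happens to run in "dmz" is still denied.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-ingress-from-waf
  namespace: tenant-a
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/component: web   # assumed tenant pod label
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: dmz
          podSelector:
            matchLabels:
              app.kubernetes.io/name: bunkerweb   # assumed WAF pod label
      ports:
        - protocol: TCP
          port: 8080   # assumed application port
---
# B3 (Platform -> Tenant): an explicit, narrow authorization for one platform
# component (here a metrics scraper) instead of a blanket allow from "platform".
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-platform-metrics
  namespace: tenant-a
spec:
  podSelector: {}
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: platform
          podSelector:
            matchLabels:
              app.kubernetes.io/name: prometheus   # assumed scraper label
      ports:
        - protocol: TCP
          port: 9090   # assumed metrics port
---
# Egress: DNS to the cluster resolver only; everything else stays denied.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: tenant-a
spec:
  podSelector: {}
  policyTypes: ["Egress"]
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Kubernetes NetworkPolicy is purely additive: the default-deny policy sets the baseline and every further policy can only widen it, so B4 holds only as long as no policy in the namespace names another tenant's namespace in a from/to selector. Keeping that property out of tenant hands is the job of the platform-owned guardrail policies (INV-8), not of the tenant-scoped manifests above.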

3.4 Authority Domains

Authority domains define who controls what aspects of the security architecture.

3.4.1 Domain Definitions

+---------------------------+------------------------+-------------------------------------+--------------------+
| Domain                    | Authority              | Scope                               | Override Permitted |
+---------------------------+------------------------+-------------------------------------+--------------------+
| Global WAF Rules          | Security Team          | OWASP CRS, custom rules             | No                 |
| WAF Exceptions            | Security Team + Tenant | Per-application exceptions          | With approval      |
| Global Rate Limits        | Platform Team          | Cluster-wide defaults               | No                 |
| Route Rate Limits         | Tenant                 | Per-route overrides (within bounds) | Within limits      |
| Platform Network Policies | Platform Team          | Guardrail policies                  | No (INV-8)         |
| Tenant Network Policies   | Tenant                 | Namespace-scoped policies           | Yes                |
| TLS Configuration         | Platform Team          | Minimum TLS version, ciphers        | No                 |
| Certificate Issuance      | Automated              | cert-manager                        | N/A                |
+---------------------------+------------------------+-------------------------------------+--------------------+
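As an added example (not the project's own policy), the manifests below show how a guardrail in the "Platform Network Policies" domain can be made non-overridable by "Tenant Network Policies": a Calico NetworkPolicy with an explicit order is evaluated before any Kubernetes NetworkPolicy the tenant writes. The tier=tenant namespace label, the namespace name tenant-a and the order value 100 are assumptions; the order 1000 that Calico assigns to Kubernetes NetworkPolicy objects is Calico's documented behaviour.

```yaml
# Added example: platform-owned guardrail stamped into the namespace "tenant-a".
# The label tier=tenant, the namespace name and the order value are assumed.
---
apiVersion: v1
kind: Namespace
metadata:
  name: tenant-a
  labels:
    tier: tenant   # marks the namespace as tenant-owned for the guardrail selector
---
# Calico (projectcalico.org/v3) NetworkPolicy rather than networking.k8s.io/v1:
# it carries an explicit order. Calico evaluates policies in ascending order and
# converts Kubernetes NetworkPolicies at order 1000, so this guardrail is
# consulted before anything the tenant can write in its namespace.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: platform-guardrail-cross-tenant
  namespace: tenant-a
spec:
  order: 100
  selector: all()
  types: ["Ingress", "Egress"]
  ingress:
    # B4: refuse traffic arriving from any other tenant namespace.
    # Traffic that does not match this rule falls through to the next policy
    # in order (the tenant's own), so tenant authority inside the namespace
    # is left untouched.
    - action: Deny
      source:
        namespaceSelector: tier == "tenant" && projectcalico.org/name != "tenant-a"
  egress:
    # The same boundary seen from the sending side.
    - action: Deny
      destination:
        namespaceSelector: tier == "tenant" && projectcalico.org/name != "tenant-a"
```

Because the guardrail matches first, a Kubernetes NetworkPolicy that a tenant adds with a from/to selector naming another tenant's namespace has no effect on cross-tenant traffic, which is what keeps "Override Permitted: No (INV-8)" true in practice. The remaining control is RBAC: tenants receive write access to networking.k8s.io NetworkPolicy in their own namespace only, not to projectcalico.org resources, and the guardrail itself is delivered through the platform's GitOps pipeline, the same path the "GitOps rollback" recovery in 3.7.1 relies on.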

3.4.2 Authority Hierarchy


3.5 Data Flow

3.5.1 Inbound Request Flow

3.5.2 Cross-Namespace Request Flow


3.6 Integration Architecture

3.6.1 RFC Integration Points

3.6.2 Integration Contracts

+-----------------------+---------------------------------------+--------------------------+
| Integration           | This RFC Provides                     | Other RFC Provides       |
+-----------------------+---------------------------------------+--------------------------+
| RFC-IAM-0001          | WAF exceptions for Keycloak endpoints | Authentication patterns  |
| RFC-SECOPS-0001       | Secret references for TLS             | TLS certificates via ESO |
| RFC-WORKLOAD-IDENTITY | Filtered traffic to mesh              | mTLS for service traffic |
+-----------------------+---------------------------------------+--------------------------+

3.7 Failure Modes

3.7.1 Component Failure Behavior

+----------------+--------------------+-----------------------+---------------------+
| Component      | Failure Mode       | System Behavior       | Recovery            |
+----------------+--------------------+-----------------------+---------------------+
| BunkerWeb      | Crash              | Traffic blocked at LB | Pod restart         |
| BunkerWeb      | WAF overload       | Degraded inspection   | Scale out           |
| Network Policy | Misconfiguration   | Traffic denied        | GitOps rollback     |
| cert-manager   | Certificate expiry | TLS handshake failure | Manual intervention |
| Calico         | CNI failure        | All traffic blocked   | Node restart        |
+----------------+--------------------+-----------------------+---------------------+

3.7.2 Degraded Operation Modes

+--------------------+--------------------------+---------------------+---------------------+
| Mode               | Trigger                  | Behavior            | Risk                |
+--------------------+--------------------------+---------------------+---------------------+
| WAF Detection Only | High false positives     | Log but don't block | Attacks not blocked |
| Rate Limit Bypass  | Legitimate traffic spike | Increase limits     | Abuse possible      |
| Emergency Bypass   | Critical outage          | Direct to mesh      | Full WAF bypass     |
+--------------------+--------------------------+---------------------+---------------------+
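As an added example (not from this RFC or from BunkerWeb's own documentation), the Ingress below scopes the "WAF Detection Only" degraded mode to a single application instead of the whole WAF, so the "Attacks not blocked" risk is confined to the one host that is producing false positives. The host, namespace and service are assumptions, and so are the BunkerWeb annotation names and values (bunkerweb.io/USE_MODSECURITY, bunkerweb.io/USE_MODSECURITY_CRS, bunkerweb.io/MODSECURITY_SEC_RULE_ENGINE), which should be checked against the deployed BunkerWeb release.

```yaml
# Added example: "WAF Detection Only" limited to one application.
# Host, namespace, service and the bunkerweb.io/* annotation names/values are
# assumptions; verify them against the BunkerWeb version in use.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-a
  namespace: tenant-a
  annotations:
    # Keep ModSecurity and the OWASP CRS enabled for this host ...
    bunkerweb.io/USE_MODSECURITY: "yes"
    bunkerweb.io/USE_MODSECURITY_CRS: "yes"
    # ... but run the rule engine in DetectionOnly: matches are logged, not
    # blocked, which is the "Log but don't block" behavior. Other hosts keep
    # the global setting. Revert to "On" once the noisy rules are tuned.
    bunkerweb.io/MODSECURITY_SEC_RULE_ENGINE: "DetectionOnly"
spec:
  rules:
    - host: app-a.example.com   # assumed hostname
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app-a   # assumed service name
                port:
                  number: 8080
```

Two practices keep this a degraded mode rather than a silent downgrade: the annotation travels through the same GitOps path as every other change, so the exception is reviewed and later reverted, and WAF audit logging stays enabled while the host is in DetectionOnly, so the matches needed to tune the false-positive rules are actually recorded.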

End of Section 3