SOVEREIGN OPA HELIX · KCF HELIX · γ₁ = 14.134725141734693
TRIPLE HELIX BONIXER · ADMISSION × RUNTIME × LINEAGE
SOVEREIGN POLICY ENFORCEMENT · 3-LAYER CROSS-EXAMINATION · MEROSTONE L1/L2/L3
STATUS TALLY · ADMIT 0 · HOLD 17 · DENY 0
⬡ HELIX 1 · ADMISSION BONIXER · EA-64–EA-73 · MEROSTONE L1
EA-64 · ADMISSION IDENTITY BINDING
Workload identity must bind to sovereign GID before admission
⊕ GREYBACK YANG
All fleet workloads are GID-stamped at build time via the PEMCLAU CI pipeline. Identity binding is verified pre-pull by the ACR token chain.
⊖ TAZ INVERSION
External workloads pulled via third-party Helm charts bypass GID stamping. Admission controller does not yet reject unlabeled pods from public registries.
SOURCE: eose-sre/mefine · sovereign-opa-helix · KCF EA-64
EA-65 · IMAGE PROVENANCE ATTESTATION
All images must carry signed provenance attestation before cluster admission
⊕ GREYBACK YANG
EOSE ACR pipeline signs all first-party images with cosign. Notation attestations stored in ACR and verifiable at admission time via OPA webhook.
⊖ TAZ INVERSION
Cosign policy exists in OPA Rego but MutatingWebhookConfiguration is pending Day 94 deployment. Enforcement not live yet.
SOURCE: eose-sre/fleet-sync · cosign-policy.rego · KCF EA-65
EA-66 · NAMESPACE SOVEREIGNTY GATE
Pods admitted only to namespaces matching their GID sovereignty scope
⊕ GREYBACK YANG
pemos-system and pemos-agents namespaces are GID-scoped. RBAC ensures service accounts cannot cross namespace boundaries. Network policies enforce isolation.
⊖ TAZ INVERSION
kube-system pods are excluded from sovereignty scoping. System daemonsets (Datadog, Falco) run outside GID boundaries — exemptions not yet documented in MEROSTONE.
SOURCE: eose-sre/aks-fleet · ns-policy.yaml · KCF EA-66
EA-67 · RESOURCE QUOTA ADMISSION
Resource requests/limits must be declared; unbounded pods denied
⊕ GREYBACK YANG
LimitRange objects in all EOSE namespaces. ResourceQuota caps CPU+RAM per namespace. Pods without requests rejected by LimitRange defaulting.
⊖ TAZ INVERSION
LimitRange defaulting allows pods through without explicit declarations. OPA policy for hard-denial of missing requests not yet in ENFORCE mode.
SOURCE: eose-sre/aks-fleet · resource-quota.yaml · KCF EA-67
EA-68 · PRIVILEGE ESCALATION BLOCK
allowPrivilegeEscalation: false required; privileged containers denied
⊕ GREYBACK YANG
Pod Security Standards (restricted) enabled on pemos-system. PSS denies privileged containers. OPA Gatekeeper constraint EA-68 enforces at admission.
⊖ TAZ INVERSION
Falco and eBPF probes require privileged daemonsets — exempted via policy exclusion. Exemptions must be documented in MEROSTONE L1 before PASS.
SOURCE: eose-sre/fleet-sync · pss-policy.yaml · KCF EA-68
EA-69 · REGISTRY ALLOWLIST
Only images from EOSE ACR or approved registries may be admitted
⊕ GREYBACK YANG
OPA ConstraintTemplate EA-69 defines allowedRegistries list. eosefleetacrdev.azurecr.io and mcr.microsoft.com on the list. Admission webhook enforces at pod creation.
⊖ TAZ INVERSION
Docker Hub still on allowlist for legacy tooling. External registries should be mirrored into ACR — not allowlisted. Sovereignty gap.
SOURCE: eose-sre/fleet-sync · registry-allowlist.rego · KCF EA-69
EA-70 · ADMISSION LABEL SCHEMA
Pods must carry sovereign labels: gid, silo, day, gamma1
⊕ GREYBACK YANG
Label schema is defined in KCF EA-70. Helm charts auto-inject gid, silo, day labels. gamma1 label stamped at build time via CI.
⊖ TAZ INVERSION
Label injection is not enforced at admission — it relies on CI convention. OPA policy EA-70 is draft; not yet deployed to the admission webhook.
SOURCE: eose-sre/fleet-sync · label-schema.rego · KCF EA-70
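An added Gatekeeper-style Rego policy (written here as an illustration; it is not the fleet's own registry-allowlist.rego or label-schema.rego) covering the EA-69 registry allowlist and the EA-70 label schema together. The allowlist is hardcoded to the two registries named above and deliberately omits Docker Hub, so an image with no registry prefix, which the container runtime resolves to docker.io, is denied instead of slipping past a naive string-prefix check. The package name, the inclusion of init containers, and the use of OPA v0 syntax as consumed by a Gatekeeper ConstraintTemplate are assumptions.

```rego
package sovereignadmission

# Constructed allowlist: the two registries named in EA-69. Docker Hub is omitted on purpose.
allowed_registries := {"eosefleetacrdev.azurecr.io", "mcr.microsoft.com"}

# Sovereign label schema from EA-70.
required_labels := {"gid", "silo", "day", "gamma1"}

# App containers and init containers are both in scope (assumption).
containers[c] { c := input.review.object.spec.containers[_] }
containers[c] { c := input.review.object.spec.initContainers[_] }

# The first path component of an image reference is a registry only if it looks like a host.
is_host(p) { contains(p, ".") }
is_host(p) { contains(p, ":") }
is_host(p) { p == "localhost" }

host_prefixed(parts) {
    count(parts) > 1
    is_host(parts[0])
}

# "nginx:1.25" and "bitnami/redis" carry no host prefix and therefore resolve to Docker Hub.
registry(image) = reg {
    parts := split(image, "/")
    host_prefixed(parts)
    reg := parts[0]
}
registry(image) = "docker.io" {
    parts := split(image, "/")
    not host_prefixed(parts)
}

violation[{"msg": msg}] {
    c := containers[_]
    reg := registry(c.image)
    not allowed_registries[reg]
    msg := sprintf("container %q: image %q resolves to registry %q, which is not allowlisted (EA-69)", [c.name, c.image, reg])
}

violation[{"msg": msg}] {
    labels := object.get(input.review.object.metadata, "labels", {})
    missing := required_labels - {l | labels[l]}
    count(missing) > 0
    msg := sprintf("pod is missing sovereign labels %v (EA-70)", [missing])
}
```

Each `violation` rule that fires produces one denial message; Gatekeeper only enforces them once the template is installed, a Constraint references it, and the webhook is not in dry-run or audit-only mode.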
EA-72 · SERVICE MESH ADMISSION
All admitted pods must participate in the Istio/Linkerd service mesh
⊕ GREYBACK YANG
Istio injection enabled namespace-wide on pemos-system