Skip to content

docs: add initial threat model#2192

Draft
EItanya wants to merge 3 commits into
mainfrom
eitanya/threat-model
Draft

docs: add initial threat model#2192
EItanya wants to merge 3 commits into
mainfrom
eitanya/threat-model

Conversation

@EItanya

@EItanya EItanya commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Summary

Adds a first-pass THREAT_MODEL.md at the repo root, aimed at maintainers triaging inbound security reports. Its primary purpose is to make in-scope vs. out-of-scope decisions fast, consistent, and defensible — so genuine privilege-boundary violations get fixed quickly and reports that merely restate a documented, intended default can be closed with a clear, reusable rationale.

What's in this draft

  • §1 System context — components (two agent runtimes: Go go/adk + Python kagent-adk), PostgreSQL-only storage, all-ClusterIP defaults.
  • §2 Trust boundary — establishes the Kubernetes namespace as kagent's core trust boundary; an Agent is a workload-creating resource equivalent to a Deployment.
  • §3 Actors / §4 Trust boundaries — in-scope vs. out-of-scope actors (A1–A7) and boundaries (TB-1…TB-9).
  • §5 Documented insecure-by-default posture — the catalogue of intended getting-started defaults (unsecure auth, NoopAuthorizer, cluster-wide RBAC, no NetworkPolicy, bundled DB, kagent-tools).
  • §6 Triage rubric — a 4-step decision procedure with two worked examples (kagent-tools RCE; skills-init injection) showing why neither rises to a CVE.
  • §7 Deprioritized, §8 Threats, §9 Mitigations — §7 populated; §8/§9 scaffolded for iteration.

Scope decisions baked in

Status

Draft — §8 (in-scope threats) and §9 (mitigations) are stubbed and will be expanded in follow-ups. Feedback on the framing and triage rubric is especially welcome.

EItanya and others added 2 commits July 9, 2026 15:29
Add a first-pass THREAT_MODEL.md aimed at maintainers triaging inbound
security reports. It establishes the Kubernetes namespace as kagent's
core trust boundary, enumerates in-scope vs. out-of-scope actors and
trust boundaries, documents the intended insecure-by-default posture,
and provides a triage rubric with worked examples for deciding whether
a report rises to the level of a real threat.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@github-actions github-actions Bot added the documentation Improvements or additions to documentation label Jul 9, 2026
@EItanya

EItanya commented Jul 9, 2026

Copy link
Copy Markdown
Contributor Author

@dimetron mentioned:

  • sandboxing and skills
  • Credentials/Secrets leaking into prompts

Cover the skills subsystem (git/OCI fetch via the argv-based skills-init
init container, same-namespace credentials) and both sandbox mechanisms
(the spec.sandbox default-deny egress allowlist, and SandboxAgent on the
external Agent Substrate). Add a §2.1/§2.2 framing, trust boundaries
TB-10..TB-12, insecure-default entries, and deprioritized cases, keeping
in-namespace skill/sandbox use classified as Deployment-equivalent.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

documentation Improvements or additions to documentation

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant