Karma — Cosmos Operators

01

Overview

Karma transforms how platform teams manage access control. Instead of static RBAC policies and manual approval workflows, Karma calculates dynamic trust scores based on real behavioral signals: successful deployments, test coverage, security scan results, incident frequency, and more. Teams automatically move between tiers as their behavior changes, unlocking or restricting capabilities without manual intervention.

Enforcement happens through native Kubernetes ValidatingAdmissionPolicies. CEL expressions evaluate tier-based rules at admission time, controlling configuration like replica limits, privileged containers, production access, and resource quotas. No sidecars, no external dependencies; just Kubernetes-native policy enforcement driven by earned trust.

02

Features

Modular Signal Collection

Six provider types collect signals from any source: built-in Kubernetes resource watchers, webhooks from CI/CD pipelines, Prometheus metrics, custom CRD status fields, HTTP polling endpoints, and gRPC services.

Seven Signal Categories

Track behavior across deployment success, testing coverage, security posture, code quality, incident frequency, observability compliance, and custom business metrics; each with configurable weights and severity multipliers.

Graduated Trust Tiers

Three tiers with configurable thresholds: trusted (85+), standard (50-84), and probation (below 50). New teams start in a probationary period with clear graduation requirements based on deployment success and incident history.

Native Policy Enforcement

Tier-based entitlements automatically generate ValidatingAdmissionPolicies with CEL expressions. Control replica limits, privileged containers, production access, resource quotas, and custom policies per tier.

Anti-Gaming Protection

Deployment throttling, minimum change size detection, diminishing returns on frequent signals, pattern analysis for bot behavior, and custom CEL rules prevent artificial score inflation.

Multi-Cluster Support

Hub/spoke topology aggregates signals across clusters. Hub clusters distribute policies; spoke clusters report signals and sync tier assignments at configurable intervals.

03

Use Cases

Progressive Deployment Permissions

Teams unlock production access after demonstrating reliability in staging. Trusted teams deploy without gates; probation teams require additional approvals or face deployment windows until trust is rebuilt.
Graduated Resource Quotas

Higher trust tiers access larger replica counts, more CPU and memory, and autoscaling capabilities. Lower tiers operate within conservative limits that expand automatically as trust builds through positive signals.
Incident-Driven Guardrails

Recent production incidents automatically reduce trust scores. Affected teams face tighter deployment constraints until they demonstrate recovery through successful deployments and clean incident records.
Self-Service Platform Access

Replace ticket-based approval workflows with automated trust. Teams that consistently pass tests, maintain security compliance, and deploy successfully earn capabilities without platform team intervention.

04

Custom Resources

KarmaPolicy

Cluster-wide configuration defining tier thresholds, scoring weights, severity multipliers, decay policies, anti-gaming rules, visibility controls, and multi-cluster mode (hub/spoke/standalone).
TeamKarma

Per-team tracking mapped to a namespace. Stores current score (0-100), tier, trend direction, detailed breakdown by contributor and category, activity statistics, entitlements status, and compliance tracking.
KarmaContributor

Configures modular signal sources via six provider types: builtin, webhook, prometheus, crd-watcher, polling, and gRPC. Each defines signal types with custom weights, decay overrides, streak bonuses, and anti-gaming rules.
KarmaEntitlement

Tier-based access controls that generate ValidatingAdmissionPolicies. Defines permissions, limits, and requirements per tier using CEL expressions evaluated at admission time.
KarmaOverride

Manual adjustments with full audit trails. Supports score adjustments, tier locks, and signal exclusions with required approvers, optional evidence, expiration dates, and review scheduling.

05

Example Workflow

This example demonstrates onboarding a team namespace and configuring tier-based deployment limits that automatically adjust based on the team's earned trust score.

# 1. Create the default KarmaPolicy with tier thresholds
  oc apply -f - <<EOF
  apiVersion: karma.cosmosdevops.co.uk/v1alpha1
  kind: KarmaPolicy
  metadata:
    name: default
  spec:
    tiers:
      trusted: { threshold: 85 }
      standard: { threshold: 50 }
      probation: { threshold: 0 }
  EOF

  # 2. Onboard a team by creating a TeamKarma resource
  oc apply -f - <<EOF
  apiVersion: karma.cosmosdevops.co.uk/v1alpha1
  kind: TeamKarma
  metadata:
    name: frontend-team
  spec:
    namespaceRef: frontend
    policyRef: default
  EOF

  # 3. Create an entitlement for replica limits per tier
  oc apply -f - <<EOF
  apiVersion: karma.cosmosdevops.co.uk/v1alpha1
  kind: KarmaEntitlement
  metadata:
    name: max-replicas
  spec:
    category: resources
    tiers:
      trusted: { maxReplicas: "100" }
      standard: { maxReplicas: "20" }
      probation: { maxReplicas: "5" }
  EOF

  # 4. Check the team's current score and tier
  oc get teamkarma frontend-team -o jsonpath='{.status.score} {.status.tier}'

Overview

Features

Modular Signal Collection

Seven Signal Categories

Graduated Trust Tiers

Native Policy Enforcement

Anti-Gaming Protection

Multi-Cluster Support

Use Cases

Progressive Deployment Permissions

Graduated Resource Quotas

Incident-Driven Guardrails

Self-Service Platform Access

Custom Resources

KarmaPolicy

TeamKarma

KarmaContributor

KarmaEntitlement

KarmaOverride

Example Workflow

Build Trust-Based Platforms