# Kubernetes Boundary Extraction for Reachability and Proof Analysis

## Module

Scanner

## Status

VERIFIED

## Description

Extracts network boundary information from Kubernetes Ingress, Service, and NetworkPolicy manifests to determine external exposure, cluster exposure level, and network controls (WAF/rate limiting). Feeds the boundary data into the reachability graph and produces a boundary proof that classifies paths as internet-facing or internal-only. Runs at priority 200 in the extractor pipeline.

## Implementation Details

- **Kubernetes Boundary Extractor**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/K8sBoundaryExtractor.cs` - `K8sBoundaryExtractor` (implements `IBoundaryProofExtractor`) extracts boundary information from Kubernetes Ingress, Service, and NetworkPolicy manifests
- **Boundary Extraction Framework**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/IBoundaryProofExtractor.cs` - `IBoundaryProofExtractor` interface defining the boundary extraction contract
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/BoundaryExtractionContext.cs` - `BoundaryExtractionContext` provides the extraction context (manifest files, image metadata)
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/CompositeBoundaryExtractor.cs` - `CompositeBoundaryExtractor` composes multiple extractors (K8s, API Gateway, IaC) into a pipeline
- **Related Extractors**:
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/GatewayBoundaryExtractor.cs` - API gateway boundary extraction
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/IacBoundaryExtractor.cs` - Infrastructure-as-code boundary extraction
  - `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/RichGraphBoundaryExtractor.cs` - Rich graph integration for boundary data
- **DI Registration**: `src/Scanner/__Libraries/StellaOps.Scanner.Reachability/Boundary/BoundaryServiceCollectionExtensions.cs`

## E2E Test Plan

- [ ] Provide a Kubernetes Ingress manifest referencing a scanned service and verify the K8s boundary extractor identifies it as internet-facing
- [ ] Provide a Kubernetes NetworkPolicy that restricts ingress to specific namespaces and verify the extractor classifies the service as internal-only
- [ ] Verify WAF annotations on Ingress resources (e.g., nginx WAF, ModSecurity) are detected as network controls
- [ ] Verify the composite boundary extractor aggregates results from the K8s, API Gateway, and IaC extractors
- [ ] Verify a boundary proof is produced and feeds into the reachability graph for path classification
- [ ] Verify Kubernetes Services that are neither referenced by an Ingress nor of type LoadBalancer are classified as cluster-internal

---

## Verification

| Check | Result |
|-------|--------|
| Tier 0 - Source files exist | PASS |
| Tier 1 - Build + code review | PASS |
| Tier 2 - Integration tests | PASS |
| Verified | 2026-02-13T18:10:00Z |
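The classification the description and the E2E test plan call for (Ingress or LoadBalancer makes a Service internet-facing, a NetworkPolicy that limits ingress to selected namespaces makes it internal-only, everything else is cluster-internal, and WAF/rate-limit annotations are recorded as controls), worked through as an added example in Python. It is not the project's `K8sBoundaryExtractor` (C#), whose code is not reproduced on this page. Assumptions not in the original: manifests arrive as parsed dicts; the ingress-nginx annotation keys in `WAF_ANNOTATIONS` and `RATE_LIMIT_ANNOTATIONS` stand in for "nginx WAF / ModSecurity" and rate limiting; NodePort is counted as externally exposed alongside LoadBalancer; whether a policy applies to a Service is approximated by comparing the policy's `podSelector` with the Service selector; an external path always wins over a restrictive policy, because a reachability analysis must assume exposure until it is disproved; and the sample manifests are constructed.

```python
# Added example, not StellaOps code. Manifests are the dicts yaml.safe_load() or
# `kubectl get -o json` return; SAMPLE_MANIFESTS below is constructed for this example.
from dataclasses import dataclass, field

INTERNET_FACING = "internet-facing"    # reachable from outside the cluster
CLUSTER_INTERNAL = "cluster-internal"  # ClusterIP only; any pod in the cluster may connect
INTERNAL_ONLY = "internal-only"        # NetworkPolicy limits ingress to selected namespaces/pods

# Assumed ingress-nginx annotation keys that switch on a WAF or rate limiting.
WAF_ANNOTATIONS = {"nginx.ingress.kubernetes.io/enable-modsecurity",
                   "nginx.ingress.kubernetes.io/enable-owasp-core-rules",
                   "nginx.ingress.kubernetes.io/modsecurity-snippet"}
RATE_LIMIT_ANNOTATIONS = {"nginx.ingress.kubernetes.io/limit-rps",
                          "nginx.ingress.kubernetes.io/limit-rpm",
                          "nginx.ingress.kubernetes.io/limit-connections"}

@dataclass
class BoundaryProof:
    namespace: str
    service: str
    exposure: str
    controls: set[str] = field(default_factory=set)   # subset of {"waf", "rate-limit", "network-policy"}
    evidence: list[str] = field(default_factory=list)  # manifests that justify the verdict

def meta(m: dict) -> tuple[str, str]:
    return m["metadata"].get("namespace", "default"), m["metadata"]["name"]

def of_kind(manifests: list[dict], kind: str, ns=None) -> list[dict]:
    return [m for m in manifests if m.get("kind") == kind and ns in (None, meta(m)[0])]

def ingress_backends(ing: dict) -> set[str]:
    """Service names a networking.k8s.io/v1 Ingress routes to (rule paths and defaultBackend)."""
    spec = ing.get("spec", {})
    names = {spec.get("defaultBackend", {}).get("service", {}).get("name")}
    for rule in spec.get("rules", []):
        for path in rule.get("http", {}).get("paths", []):
            names.add(path.get("backend", {}).get("service", {}).get("name"))
    names.discard(None)
    return names

def ingress_controls(ing: dict) -> set[str]:
    """Network controls declared on the Ingress through annotations."""
    ann = ing.get("metadata", {}).get("annotations", {})
    controls = set()
    if any(k in ann and str(ann[k]).lower() != "false" for k in WAF_ANNOTATIONS):
        controls.add("waf")
    if any(k in ann for k in RATE_LIMIT_ANNOTATIONS):
        controls.add("rate-limit")
    return controls

def selects_service(policy: dict, svc: dict) -> bool:
    """Approximation: policy podSelector matchLabels must be a subset of the Service selector."""
    wanted = policy.get("spec", {}).get("podSelector", {}).get("matchLabels", {})  # {} = all pods
    return all(svc.get("spec", {}).get("selector", {}).get(k) == v for k, v in wanted.items())

def restricts_ingress(policy: dict) -> bool:
    """True when every ingress rule names namespace/pod peers only. A rule without 'from' admits
    any source and an ipBlock may admit external ranges; an empty rule list (default deny) restricts."""
    spec = policy.get("spec", {})
    if "Ingress" not in (spec.get("policyTypes") or ["Ingress"]):  # policyTypes defaults to Ingress
        return False
    for rule in spec.get("ingress", []):
        peers = rule.get("from")
        if not peers or any("ipBlock" in p for p in peers):
            return False
    return True

def classify(manifests: list[dict]) -> dict[tuple[str, str], BoundaryProof]:
    """One verdict per Service: an external path wins; a restrictive policy is always a control."""
    proofs = {}
    for svc in of_kind(manifests, "Service"):
        ns, name = meta(svc)
        proof = BoundaryProof(ns, name, CLUSTER_INTERNAL)
        svc_type = svc.get("spec", {}).get("type", "ClusterIP")
        if svc_type in ("LoadBalancer", "NodePort"):  # assumption: NodePort counted as external
            proof.exposure = INTERNET_FACING
            proof.evidence.append(f"Service/{name} type={svc_type}")
        for ing in of_kind(manifests, "Ingress", ns):
            if name in ingress_backends(ing):
                proof.exposure = INTERNET_FACING
                proof.controls |= ingress_controls(ing)
                proof.evidence.append(f"Ingress/{meta(ing)[1]}")
        for pol in of_kind(manifests, "NetworkPolicy", ns):
            if selects_service(pol, svc) and restricts_ingress(pol):
                proof.controls.add("network-policy")
                proof.evidence.append(f"NetworkPolicy/{meta(pol)[1]}")
                if proof.exposure == CLUSTER_INTERNAL:  # no external path left: internal-only
                    proof.exposure = INTERNAL_ONLY
        proofs[(ns, name)] = proof
    return proofs

# Constructed sample manifests covering the test-plan cases.
SAMPLE_MANIFESTS = [
    {"kind": "Service", "metadata": {"name": "web", "namespace": "shop"}, "spec": {"type": "ClusterIP", "selector": {"app": "web"}}},
    {"kind": "Ingress", "metadata": {"name": "web-ingress", "namespace": "shop", "annotations": {
        "nginx.ingress.kubernetes.io/enable-modsecurity": "true", "nginx.ingress.kubernetes.io/limit-rps": "20"}},
     "spec": {"rules": [{"http": {"paths": [{"path": "/", "pathType": "Prefix", "backend": {"service": {"name": "web", "port": {"number": 80}}}}]}}]}},
    {"kind": "Service", "metadata": {"name": "billing", "namespace": "shop"}, "spec": {"selector": {"app": "billing"}}},
    {"kind": "NetworkPolicy", "metadata": {"name": "billing-from-shop-only", "namespace": "shop"},
     "spec": {"podSelector": {"matchLabels": {"app": "billing"}}, "policyTypes": ["Ingress"],
              "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "shop"}}}]}]}},
    {"kind": "Service", "metadata": {"name": "cache", "namespace": "shop"}, "spec": {"selector": {"app": "cache"}}},
]
```

`classify(SAMPLE_MANIFESTS)` yields `shop/web` as internet-facing with controls `{"waf", "rate-limit"}`, `shop/billing` as internal-only with control `{"network-policy"}`, and `shop/cache` as cluster-internal with no controls, which are the three verdicts the test plan checks. Two simplifications a production extractor has to undo: the policy-to-Service match should use the workload's pod template labels rather than the Service selector, and when a restrictive policy and an Ingress both apply, the verdict depends on whether the policy admits the ingress controller's namespace, which requires namespace labels this example does not read.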