From fb3ac750d519690282d86b439bbf8b20b8a1c7c8 Mon Sep 17 00:00:00 2001 
From: tegwick Date: Sat, 23 May 2026 06:53:30 +0200 Subject: [PATCH] Add CARING Kubernetes RBAC benchmark --- README.md | 8 + ...ring-kubernetes-rbac-access-descriptors.md | 33 +++ ...k-caring-kubernetes-rbac-caring-mapping.md | 29 ++ ...nchmark-caring-kubernetes-rbac-findings.md | 29 ++ ...-caring-kubernetes-rbac-native-concepts.md | 29 ++ .../benchmark-caring-kubernetes-rbac.md | 31 +++ infospace/agent/global-agent-brief.md | 4 +- infospace/agent/retrieval-index.json | 189 ++++++++++++- infospace/agent/retrieval-index.md | 52 +++- infospace/agent/retrieval-index.yaml | 119 +++++++- infospace/artifacts/index.yaml | 92 +++++++ infospace/indexes/artifact-tree.yaml | 35 ++- infospace/indexes/concept-ownership.yaml | 22 +- infospace/indexes/import-matrix.yaml | 67 +++++ .../benchmarks/kubernetes-rbac/README.md | 30 +++ .../kubernetes-rbac/access-descriptors.yaml | 164 +++++++++++ .../benchmarks/kubernetes-rbac/benchmark.yaml | 102 +++++++ .../kubernetes-rbac/caring-mapping.yaml | 79 ++++++ .../findings-and-canon-pressure.yaml | 76 ++++++ .../kubernetes-rbac/native-concepts.yaml | 87 ++++++ infospace/validation/latest.json | 6 +- infospace/views/by-concept.md | 7 +- infospace/views/by-mapping-target.md | 29 ++ infospace/views/import-matrix.md | 107 ++++---- infospace/views/kernel-overview.md | 18 +- infospace/views/repository-tree.md | 13 +- src/info_tech_canon/generation.py | 15 ++ src/info_tech_canon/validation.py | 254 ++++++++++++++++++ tests/test_cli.py | 2 +- tests/test_service.py | 14 +- ...P-0010-caring-kubernetes-rbac-benchmark.md | 23 +- workplans/index.yaml | 2 +- 32 files changed, 1688 insertions(+), 79 deletions(-) create mode 100644 infospace/agent/briefs/benchmark-caring-kubernetes-rbac-access-descriptors.md create mode 100644 infospace/agent/briefs/benchmark-caring-kubernetes-rbac-caring-mapping.md create mode 100644 infospace/agent/briefs/benchmark-caring-kubernetes-rbac-findings.md create mode 100644 
infospace/agent/briefs/benchmark-caring-kubernetes-rbac-native-concepts.md create mode 100644 infospace/agent/briefs/benchmark-caring-kubernetes-rbac.md create mode 100644 infospace/standards/caring/benchmarks/kubernetes-rbac/README.md create mode 100644 infospace/standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml create mode 100644 infospace/standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml create mode 100644 infospace/standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml create mode 100644 infospace/standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml create mode 100644 infospace/standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml diff --git a/README.md b/README.md index 7d8bf8e..f632e88 100644 --- a/README.md +++ b/README.md @@ -99,3 +99,11 @@ current scope, future scope, consumer purposes, review decisions, evidence, source observations, utility relationships, scope freshness, and SCOPE.md as an interface profile. The pack is intended to seed the consumer-side repo-scoping workplan while keeping proposed canon extensions reviewable. + +## Benchmarks + +CARING benchmark assets live under `infospace/standards/caring/benchmarks/`. +The first benchmark is `kubernetes-rbac`, which maps Kubernetes RBAC native +constructs into CARING descriptors and records canon pressure around native +roles, effective access, derived workload capabilities, induced secret exposure, +and the rule that a Namespace is not automatically a tenant boundary. diff --git a/infospace/agent/briefs/benchmark-caring-kubernetes-rbac-access-descriptors.md b/infospace/agent/briefs/benchmark-caring-kubernetes-rbac-access-descriptors.md new file mode 100644 index 0000000..3257213 --- /dev/null +++ b/infospace/agent/briefs/benchmark-caring-kubernetes-rbac-access-descriptors.md 
@@ -0,0 +1,33 @@ +--- +id: agent-brief/benchmark-caring-kubernetes-rbac-access-descriptors +artifact_id: benchmark/caring/kubernetes-rbac/access-descriptors +source_path: standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml +source_kind: access-descriptor-set +generated: true +--- + + + +# Agent Brief: Kubernetes RBAC CARING Access Descriptors + +- Artifact ID: `benchmark/caring/kubernetes-rbac/access-descriptors` +- Kind: `access-descriptor-set` +- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml` +- Full source: `standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml` +- Summary: Structured CARING access descriptor set: Kubernetes RBAC CARING Access Descriptors. + +## Retrieval Hints + +Imports and anchors: +- `model/access-control` +- `model/devsecops` +- `model/security` +- `standard/caring` + +## Owned Concepts + +- `Kubernetes RBAC CARING Access Descriptors` + +## Related Distinctions + +No common distinction is anchored directly on this artifact. diff --git a/infospace/agent/briefs/benchmark-caring-kubernetes-rbac-caring-mapping.md b/infospace/agent/briefs/benchmark-caring-kubernetes-rbac-caring-mapping.md new file mode 100644 index 0000000..c9d4717 --- /dev/null +++ b/infospace/agent/briefs/benchmark-caring-kubernetes-rbac-caring-mapping.md 
@@ -0,0 +1,29 @@ +--- +id: agent-brief/benchmark-caring-kubernetes-rbac-caring-mapping +artifact_id: benchmark/caring/kubernetes-rbac/caring-mapping +source_path: standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml +source_kind: caring-mapping +generated: true +--- + + + +# Agent Brief: Kubernetes RBAC To CARING Mapping + +- Artifact ID: `benchmark/caring/kubernetes-rbac/caring-mapping` +- Kind: `caring-mapping` +- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml` +- Full source: `standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml` +- Summary: Native access model to CARING mapping: Kubernetes RBAC To CARING Mapping. + +## Retrieval Hints + +No imports or anchors recorded. + +## Owned Concepts + +- `Kubernetes RBAC To CARING Mapping` + +## Related Distinctions + +No common distinction is anchored directly on this artifact. diff --git a/infospace/agent/briefs/benchmark-caring-kubernetes-rbac-findings.md b/infospace/agent/briefs/benchmark-caring-kubernetes-rbac-findings.md new file mode 100644 index 0000000..90fcc4d --- /dev/null +++ b/infospace/agent/briefs/benchmark-caring-kubernetes-rbac-findings.md 
@@ -0,0 +1,29 @@ +--- +id: agent-brief/benchmark-caring-kubernetes-rbac-findings +artifact_id: benchmark/caring/kubernetes-rbac/findings +source_path: standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml +source_kind: benchmark-findings +generated: true +--- + + + +# Agent Brief: Kubernetes RBAC Benchmark Findings And Canon Pressure + +- Artifact ID: `benchmark/caring/kubernetes-rbac/findings` +- Kind: `benchmark-findings` +- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml` +- Full source: `standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml` +- Summary: Benchmark findings, gaps, and canon pressure: Kubernetes RBAC Benchmark Findings And Canon Pressure. + +## Retrieval Hints + +No imports or anchors recorded. + +## Owned Concepts + +- `Kubernetes RBAC Benchmark Findings And Canon Pressure` + +## Related Distinctions + +No common distinction is anchored directly on this artifact. diff --git a/infospace/agent/briefs/benchmark-caring-kubernetes-rbac-native-concepts.md b/infospace/agent/briefs/benchmark-caring-kubernetes-rbac-native-concepts.md new file mode 100644 index 0000000..11a1fd3 --- /dev/null +++ b/infospace/agent/briefs/benchmark-caring-kubernetes-rbac-native-concepts.md 
@@ -0,0 +1,29 @@ +--- +id: agent-brief/benchmark-caring-kubernetes-rbac-native-concepts +artifact_id: benchmark/caring/kubernetes-rbac/native-concepts +source_path: standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml +source_kind: native-concept-map +generated: true +--- + + + +# Agent Brief: Kubernetes RBAC Native Concept Map + +- Artifact ID: `benchmark/caring/kubernetes-rbac/native-concepts` +- Kind: `native-concept-map` +- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml` +- Full source: `standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml` +- Summary: Native source concept map for assimilation or benchmark work: Kubernetes RBAC Native Concept Map. + +## Retrieval Hints + +No imports or anchors recorded. + +## Owned Concepts + +- `Kubernetes RBAC Native Concept Map` + +## Related Distinctions + +No common distinction is anchored directly on this artifact. diff --git a/infospace/agent/briefs/benchmark-caring-kubernetes-rbac.md b/infospace/agent/briefs/benchmark-caring-kubernetes-rbac.md new file mode 100644 index 0000000..9238abc --- /dev/null +++ b/infospace/agent/briefs/benchmark-caring-kubernetes-rbac.md 
@@ -0,0 +1,31 @@ +--- +id: agent-brief/benchmark-caring-kubernetes-rbac +artifact_id: benchmark/caring/kubernetes-rbac +source_path: standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml +source_kind: benchmark-workspace +generated: true +--- + + + +# Agent Brief: CARING Kubernetes RBAC Benchmark + +- Artifact ID: `benchmark/caring/kubernetes-rbac` +- Kind: `benchmark-workspace` +- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml` +- Full source: `standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml` +- Summary: Benchmark workspace definition and review criteria: CARING Kubernetes RBAC Benchmark. + +## Retrieval Hints + +Imports and anchors: +- `standard/caring` +- `standard/tagging` + +## Owned Concepts + +- `CARING Kubernetes RBAC Benchmark` + +## Related Distinctions + +No common distinction is anchored directly on this artifact. diff --git a/infospace/agent/global-agent-brief.md b/infospace/agent/global-agent-brief.md index aa8fa8f..71ca439 100644 --- a/infospace/agent/global-agent-brief.md +++ b/infospace/agent/global-agent-brief.md @@ -5,8 +5,8 @@ This brief summarizes the current canon service surface for agents. - Infospace slug: `canon` -- Artifact count: 49 -- Retrieval index items: 49 +- Artifact count: 54 +- Retrieval index items: 54 - Primary confidence command: `make validate` - Refresh generated indexes and views with: `make index` - Refresh agent briefs and interface templates with: `make agent-briefs` diff --git a/infospace/agent/retrieval-index.json b/infospace/agent/retrieval-index.json index c4873e5..b55b922 100644 --- a/infospace/agent/retrieval-index.json +++ b/infospace/agent/retrieval-index.json 
@@ -43,8 +43,195 @@ } ], "infospace": "canon", - "item_count": 49, + "item_count": 54, "items": [ + { + "canonical_path": "standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml", + "id": "benchmark/caring/kubernetes-rbac", + "imports": [ + "standard/caring", + "standard/tagging" + ], + "kind": "benchmark-workspace", + "owned_concepts": [ + "CARING Kubernetes RBAC Benchmark" + ], + "relationships": [ + { + "target": "standard/caring", + "type": "conforms_to" + }, + { + "target": "model/access-control", + "type": "stress_tests" + }, + { + "target": "model/governance", + "type": "stress_tests" + }, + { + "target": "model/security", + "type": "stress_tests" + }, + { + "target": "model/devsecops", + "type": "stress_tests" + }, + { + "target": "model/network", + "type": "stress_tests" + }, + { + "target": "model/observability", + "type": "stress_tests" + }, + { + "target": "standard/tagging", + "type": "uses" + } + ], + "source_path": "infospace/standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml", + "summary": "Benchmark workspace definition and review criteria: CARING Kubernetes RBAC Benchmark.", + "title": "CARING Kubernetes RBAC Benchmark", + "warnings": [] + }, + { + "canonical_path": "standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml", + "id": "benchmark/caring/kubernetes-rbac/access-descriptors", + "imports": [ + "model/access-control", + "model/devsecops", + "model/security", + "standard/caring" + ], + "kind": "access-descriptor-set", + "owned_concepts": [ + "Kubernetes RBAC CARING Access Descriptors" + ], + "relationships": [ + { + "target": "benchmark/caring/kubernetes-rbac", + "type": "part_of" + }, + { + "target": "standard/caring", + "type": "uses" + }, + { + "target": "model/access-control", + "type": "uses" + }, + { + "target": "model/security", + "type": "uses" + }, + { + "target": "model/devsecops", + "type": "uses" + } + ], + "source_path": "infospace/standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml", + 
"summary": "Structured CARING access descriptor set: Kubernetes RBAC CARING Access Descriptors.", + "title": "Kubernetes RBAC CARING Access Descriptors", + "warnings": [] + }, + { + "canonical_path": "standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml", + "id": "benchmark/caring/kubernetes-rbac/caring-mapping", + "imports": [], + "kind": "caring-mapping", + "owned_concepts": [ + "Kubernetes RBAC To CARING Mapping" + ], + "relationships": [ + { + "target": "benchmark/caring/kubernetes-rbac", + "type": "part_of" + }, + { + "target": "standard/caring", + "type": "maps" + }, + { + "target": "model/access-control", + "type": "maps" + }, + { + "target": "model/governance", + "type": "maps" + }, + { + "target": "model/security", + "type": "maps" + } + ], + "source_path": "infospace/standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml", + "summary": "Native access model to CARING mapping: Kubernetes RBAC To CARING Mapping.", + "title": "Kubernetes RBAC To CARING Mapping", + "warnings": [] + }, + { + "canonical_path": "standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml", + "id": "benchmark/caring/kubernetes-rbac/findings", + "imports": [], + "kind": "benchmark-findings", + "owned_concepts": [ + "Kubernetes RBAC Benchmark Findings And Canon Pressure" + ], + "relationships": [ + { + "target": "benchmark/caring/kubernetes-rbac", + "type": "part_of" + }, + { + "target": "standard/caring", + "type": "proposes" + }, + { + "target": "model/governance", + "type": "proposes" + }, + { + "target": "model/security", + "type": "proposes" + } + ], + "source_path": "infospace/standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml", + "summary": "Benchmark findings, gaps, and canon pressure: Kubernetes RBAC Benchmark Findings And Canon Pressure.", + "title": "Kubernetes RBAC Benchmark Findings And Canon Pressure", + "warnings": [] + }, + { + "canonical_path": 
"standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml", + "id": "benchmark/caring/kubernetes-rbac/native-concepts", + "imports": [], + "kind": "native-concept-map", + "owned_concepts": [ + "Kubernetes RBAC Native Concept Map" + ], + "relationships": [ + { + "target": "benchmark/caring/kubernetes-rbac", + "type": "part_of" + }, + { + "target": "standard/caring", + "type": "maps" + }, + { + "target": "model/access-control", + "type": "maps" + }, + { + "target": "model/landscape", + "type": "maps" + } + ], + "source_path": "infospace/standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml", + "summary": "Native source concept map for assimilation or benchmark work: Kubernetes RBAC Native Concept Map.", + "title": "Kubernetes RBAC Native Concept Map", + "warnings": [] + }, { "canonical_path": "evaluations/repo-scoping/canon-benefit-analysis.yaml", "id": "comparison/repo-scoping/canon-benefit-analysis", diff --git a/infospace/agent/retrieval-index.md b/infospace/agent/retrieval-index.md index 668ecb5..dcdd059 100644 --- a/infospace/agent/retrieval-index.md +++ b/infospace/agent/retrieval-index.md @@ -4,7 +4,7 @@ Schema: `info-tech-canon.retrieval-index.v1` Infospace: `canon` -Items: **49** +Items: **54** ## Common Distinctions 
@@ -15,6 +15,56 @@ Items: **49** ## Items +### CARING Kubernetes RBAC Benchmark + +- ID: `benchmark/caring/kubernetes-rbac` +- Kind: `benchmark-workspace` +- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml` +- Source path: `infospace/standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml` +- Summary: Benchmark workspace definition and review criteria: CARING Kubernetes RBAC Benchmark. +- Imports and anchors: `standard/caring`, `standard/tagging` +- Owned concepts: `CARING Kubernetes RBAC Benchmark` + +### Kubernetes RBAC CARING Access Descriptors + +- ID: `benchmark/caring/kubernetes-rbac/access-descriptors` +- Kind: `access-descriptor-set` +- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml` +- Source path: `infospace/standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml` +- Summary: Structured CARING access descriptor set: Kubernetes RBAC CARING Access Descriptors. +- Imports and anchors: `model/access-control`, `model/devsecops`, `model/security`, `standard/caring` +- Owned concepts: `Kubernetes RBAC CARING Access Descriptors` + +### Kubernetes RBAC To CARING Mapping + +- ID: `benchmark/caring/kubernetes-rbac/caring-mapping` +- Kind: `caring-mapping` +- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml` +- Source path: `infospace/standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml` +- Summary: Native access model to CARING mapping: Kubernetes RBAC To CARING Mapping. 
+- Imports and anchors: none +- Owned concepts: `Kubernetes RBAC To CARING Mapping` + +### Kubernetes RBAC Benchmark Findings And Canon Pressure + +- ID: `benchmark/caring/kubernetes-rbac/findings` +- Kind: `benchmark-findings` +- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml` +- Source path: `infospace/standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml` +- Summary: Benchmark findings, gaps, and canon pressure: Kubernetes RBAC Benchmark Findings And Canon Pressure. +- Imports and anchors: none +- Owned concepts: `Kubernetes RBAC Benchmark Findings And Canon Pressure` + +### Kubernetes RBAC Native Concept Map + +- ID: `benchmark/caring/kubernetes-rbac/native-concepts` +- Kind: `native-concept-map` +- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml` +- Source path: `infospace/standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml` +- Summary: Native source concept map for assimilation or benchmark work: Kubernetes RBAC Native Concept Map. +- Imports and anchors: none +- Owned concepts: `Kubernetes RBAC Native Concept Map` + ### Repo Scoping Canon Benefit Analysis - ID: `comparison/repo-scoping/canon-benefit-analysis` diff --git a/infospace/agent/retrieval-index.yaml b/infospace/agent/retrieval-index.yaml index 2744681..3343fe3 100644 --- a/infospace/agent/retrieval-index.yaml +++ b/infospace/agent/retrieval-index.yaml 
@@ -1,7 +1,124 @@ schema: info-tech-canon.retrieval-index.v1 infospace: canon -item_count: 49 +item_count: 54 items: +- id: benchmark/caring/kubernetes-rbac + kind: benchmark-workspace + title: CARING Kubernetes RBAC Benchmark + canonical_path: standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml + source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml + summary: 'Benchmark workspace definition and review criteria: CARING Kubernetes + RBAC Benchmark.' + owned_concepts: + - CARING Kubernetes RBAC Benchmark + imports: + - standard/caring + - standard/tagging + relationships: + - type: conforms_to + target: standard/caring + - type: stress_tests + target: model/access-control + - type: stress_tests + target: model/governance + - type: stress_tests + target: model/security + - type: stress_tests + target: model/devsecops + - type: stress_tests + target: model/network + - type: stress_tests + target: model/observability + - type: uses + target: standard/tagging + warnings: [] +- id: benchmark/caring/kubernetes-rbac/access-descriptors + kind: access-descriptor-set + title: Kubernetes RBAC CARING Access Descriptors + canonical_path: standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml + source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml + summary: 'Structured CARING access descriptor set: Kubernetes RBAC CARING Access + Descriptors.' 
+ owned_concepts: + - Kubernetes RBAC CARING Access Descriptors + imports: + - model/access-control + - model/devsecops + - model/security + - standard/caring + relationships: + - type: part_of + target: benchmark/caring/kubernetes-rbac + - type: uses + target: standard/caring + - type: uses + target: model/access-control + - type: uses + target: model/security + - type: uses + target: model/devsecops + warnings: [] +- id: benchmark/caring/kubernetes-rbac/caring-mapping + kind: caring-mapping + title: Kubernetes RBAC To CARING Mapping + canonical_path: standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml + source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml + summary: 'Native access model to CARING mapping: Kubernetes RBAC To CARING Mapping.' + owned_concepts: + - Kubernetes RBAC To CARING Mapping + imports: [] + relationships: + - type: part_of + target: benchmark/caring/kubernetes-rbac + - type: maps + target: standard/caring + - type: maps + target: model/access-control + - type: maps + target: model/governance + - type: maps + target: model/security + warnings: [] +- id: benchmark/caring/kubernetes-rbac/findings + kind: benchmark-findings + title: Kubernetes RBAC Benchmark Findings And Canon Pressure + canonical_path: standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml + source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml + summary: 'Benchmark findings, gaps, and canon pressure: Kubernetes RBAC Benchmark + Findings And Canon Pressure.' 
+ owned_concepts: + - Kubernetes RBAC Benchmark Findings And Canon Pressure + imports: [] + relationships: + - type: part_of + target: benchmark/caring/kubernetes-rbac + - type: proposes + target: standard/caring + - type: proposes + target: model/governance + - type: proposes + target: model/security + warnings: [] +- id: benchmark/caring/kubernetes-rbac/native-concepts + kind: native-concept-map + title: Kubernetes RBAC Native Concept Map + canonical_path: standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml + source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml + summary: 'Native source concept map for assimilation or benchmark work: Kubernetes + RBAC Native Concept Map.' + owned_concepts: + - Kubernetes RBAC Native Concept Map + imports: [] + relationships: + - type: part_of + target: benchmark/caring/kubernetes-rbac + - type: maps + target: standard/caring + - type: maps + target: model/access-control + - type: maps + target: model/landscape + warnings: [] - id: comparison/repo-scoping/canon-benefit-analysis kind: benefit-analysis title: Repo Scoping Canon Benefit Analysis diff --git a/infospace/artifacts/index.yaml b/infospace/artifacts/index.yaml index e0a1485..89b0f08 100644 --- a/infospace/artifacts/index.yaml +++ b/infospace/artifacts/index.yaml 
@@ -242,6 +242,98 @@ artifacts: target: model/task - type: imports target: standard/tagging + - id: benchmark/caring/kubernetes-rbac + path: standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml + kind: benchmark-workspace + title: CARING Kubernetes RBAC Benchmark + provenance: + source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml + placement_workplan: ITC-WP-0010 + relationships: + - type: conforms_to + target: standard/caring + - type: stress_tests + target: model/access-control + - type: stress_tests + target: model/governance + - type: stress_tests + target: model/security + - type: stress_tests + target: model/devsecops + - type: stress_tests + target: model/network + - type: stress_tests + target: model/observability + - type: uses + target: standard/tagging + - id: benchmark/caring/kubernetes-rbac/native-concepts + path: standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml + kind: native-concept-map + title: Kubernetes RBAC Native Concept Map + provenance: + source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml + placement_workplan: ITC-WP-0010 + relationships: + - type: part_of + target: benchmark/caring/kubernetes-rbac + - type: maps + target: standard/caring + - type: maps + target: model/access-control + - type: maps + target: model/landscape + - id: benchmark/caring/kubernetes-rbac/caring-mapping + path: standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml + kind: caring-mapping + title: Kubernetes RBAC To CARING Mapping + provenance: + source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml + placement_workplan: ITC-WP-0010 + relationships: + - type: part_of + target: benchmark/caring/kubernetes-rbac + - type: maps + target: standard/caring + - type: maps + target: model/access-control + - type: maps + target: model/governance + - type: maps + target: model/security + - id: benchmark/caring/kubernetes-rbac/access-descriptors + 
path: standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml + kind: access-descriptor-set + title: Kubernetes RBAC CARING Access Descriptors + provenance: + source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml + placement_workplan: ITC-WP-0010 + relationships: + - type: part_of + target: benchmark/caring/kubernetes-rbac + - type: uses + target: standard/caring + - type: uses + target: model/access-control + - type: uses + target: model/security + - type: uses + target: model/devsecops + - id: benchmark/caring/kubernetes-rbac/findings + path: standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml + kind: benchmark-findings + title: Kubernetes RBAC Benchmark Findings And Canon Pressure + provenance: + source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml + placement_workplan: ITC-WP-0010 + relationships: + - type: part_of + target: benchmark/caring/kubernetes-rbac + - type: proposes + target: standard/caring + - type: proposes + target: model/governance + - type: proposes + target: model/security - id: profile/small-saas path: profiles/small-saas/profile.yaml kind: profile diff --git a/infospace/indexes/artifact-tree.yaml b/infospace/indexes/artifact-tree.yaml index 9eafbe6..41cf6b7 100644 --- a/infospace/indexes/artifact-tree.yaml +++ b/infospace/indexes/artifact-tree.yaml @@ -1,5 +1,5 @@ root: infospace -file_count: 131 +file_count: 142 files: - path: README.md directory: . 
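Review bot: The `benchmark/caring/kubernetes-rbac` entry at the top of this hunk records `stress_tests` edges to `model/network` and `model/observability`, yet none of the five child artifacts added below it declares any relationship to those two models, and the Organization and Task models that the workspace README in this same patch says the benchmark stresses have no edge here at all. If this index is hand-maintained (it carries `placement_workplan`, which the derived indexes appear to copy), a reader cannot tell whether network and observability pressure is deferred to a later artifact or was listed aspirationally. Either trim the list to the models some child artifact actually `maps` or `proposes` against, or add a one-line comment above the entry such as `# network/observability pressure is narrative-only until a dedicated child artifact exists`. Separately, the `findings` artifact proposes only against `standard/caring`, `model/governance` and `model/security`, so any access-control canon pressure from the mapping has no `proposes` edge — worth confirming that omission is intentional.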
@@ -7,6 +7,21 @@ files: - path: agent/README.md directory: agent name: README.md +- path: agent/briefs/benchmark-caring-kubernetes-rbac-access-descriptors.md + directory: agent/briefs + name: benchmark-caring-kubernetes-rbac-access-descriptors.md +- path: agent/briefs/benchmark-caring-kubernetes-rbac-caring-mapping.md + directory: agent/briefs + name: benchmark-caring-kubernetes-rbac-caring-mapping.md +- path: agent/briefs/benchmark-caring-kubernetes-rbac-findings.md + directory: agent/briefs + name: benchmark-caring-kubernetes-rbac-findings.md +- path: agent/briefs/benchmark-caring-kubernetes-rbac-native-concepts.md + directory: agent/briefs + name: benchmark-caring-kubernetes-rbac-native-concepts.md +- path: agent/briefs/benchmark-caring-kubernetes-rbac.md + directory: agent/briefs + name: benchmark-caring-kubernetes-rbac.md - path: agent/briefs/comparison-repo-scoping-canon-benefit-analysis.md directory: agent/briefs name: comparison-repo-scoping-canon-benefit-analysis.md 
@@ -361,6 +376,24 @@ files: - path: standards/caring/InfoTechCanonCaringAccessGovernanceStandard.md directory: standards/caring name: InfoTechCanonCaringAccessGovernanceStandard.md +- path: standards/caring/benchmarks/kubernetes-rbac/README.md + directory: standards/caring/benchmarks/kubernetes-rbac + name: README.md +- path: standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml + directory: standards/caring/benchmarks/kubernetes-rbac + name: access-descriptors.yaml +- path: standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml + directory: standards/caring/benchmarks/kubernetes-rbac + name: benchmark.yaml +- path: standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml + directory: standards/caring/benchmarks/kubernetes-rbac + name: caring-mapping.yaml +- path: standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml + directory: standards/caring/benchmarks/kubernetes-rbac + name: findings-and-canon-pressure.yaml +- path: standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml + directory: standards/caring/benchmarks/kubernetes-rbac + name: native-concepts.yaml - path: standards/tagging/InfoTechCanonTaggingStandard.md directory: standards/tagging name: InfoTechCanonTaggingStandard.md diff --git a/infospace/indexes/concept-ownership.yaml b/infospace/indexes/concept-ownership.yaml index a584812..367deb9 100644 --- a/infospace/indexes/concept-ownership.yaml +++ b/infospace/indexes/concept-ownership.yaml 
@@ -1,5 +1,25 @@ -concept_count: 74 +concept_count: 79 concepts: +- concept: CARING Kubernetes RBAC Benchmark + owner: benchmark/caring/kubernetes-rbac + path: standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml + source: artifact_title +- concept: Kubernetes RBAC CARING Access Descriptors + owner: benchmark/caring/kubernetes-rbac/access-descriptors + path: standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml + source: artifact_title +- concept: Kubernetes RBAC To CARING Mapping + owner: benchmark/caring/kubernetes-rbac/caring-mapping + path: standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml + source: artifact_title +- concept: Kubernetes RBAC Benchmark Findings And Canon Pressure + owner: benchmark/caring/kubernetes-rbac/findings + path: standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml + source: artifact_title +- concept: Kubernetes RBAC Native Concept Map + owner: benchmark/caring/kubernetes-rbac/native-concepts + path: standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml + source: artifact_title - concept: Repo Scoping Canon Benefit Analysis owner: comparison/repo-scoping/canon-benefit-analysis path: evaluations/repo-scoping/canon-benefit-analysis.yaml diff --git a/infospace/indexes/import-matrix.yaml b/infospace/indexes/import-matrix.yaml index d8bef16..e6c1086 100644 --- a/infospace/indexes/import-matrix.yaml +++ b/infospace/indexes/import-matrix.yaml @@ -1,4 +1,9 @@ artifacts: +- benchmark/caring/kubernetes-rbac +- benchmark/caring/kubernetes-rbac/access-descriptors +- benchmark/caring/kubernetes-rbac/caring-mapping +- benchmark/caring/kubernetes-rbac/findings +- benchmark/caring/kubernetes-rbac/native-concepts - comparison/repo-scoping/canon-benefit-analysis - comparison/repo-scoping/consumer-workplan-brief - comparison/repo-scoping/extension-candidates 
@@ -49,6 +54,68 @@ artifacts: - standard/caring - standard/tagging rows: +- artifact: benchmark/caring/kubernetes-rbac + targets: + model/access-control: + - stress_tests + model/devsecops: + - stress_tests + model/governance: + - stress_tests + model/network: + - stress_tests + model/observability: + - stress_tests + model/security: + - stress_tests + standard/caring: + - conforms_to + standard/tagging: + - uses +- artifact: benchmark/caring/kubernetes-rbac/access-descriptors + targets: + benchmark/caring/kubernetes-rbac: + - part_of + model/access-control: + - uses + model/devsecops: + - uses + model/security: + - uses + standard/caring: + - uses +- artifact: benchmark/caring/kubernetes-rbac/caring-mapping + targets: + benchmark/caring/kubernetes-rbac: + - part_of + model/access-control: + - maps + model/governance: + - maps + model/security: + - maps + standard/caring: + - maps +- artifact: benchmark/caring/kubernetes-rbac/findings + targets: + benchmark/caring/kubernetes-rbac: + - part_of + model/governance: + - proposes + model/security: + - proposes + standard/caring: + - proposes +- artifact: benchmark/caring/kubernetes-rbac/native-concepts + targets: + benchmark/caring/kubernetes-rbac: + - part_of + model/access-control: + - maps + model/landscape: + - maps + standard/caring: + - maps - artifact: comparison/repo-scoping/canon-benefit-analysis targets: comparison/repo-scoping/report: diff --git a/infospace/standards/caring/benchmarks/kubernetes-rbac/README.md b/infospace/standards/caring/benchmarks/kubernetes-rbac/README.md new file mode 100644 index 0000000..b9e5026 --- /dev/null +++ b/infospace/standards/caring/benchmarks/kubernetes-rbac/README.md 
@@ -0,0 +1,30 @@
+---
+id: benchmark/caring/kubernetes-rbac/readme
+title: CARING Kubernetes RBAC Benchmark Workspace
+status: candidate
+created_by_workplan: ITC-WP-0010
+---
+
+# CARING Kubernetes RBAC Benchmark
+
+This workspace analyzes Kubernetes RBAC as a CARING benchmark, not as a
+shortcut profile. It is designed to stress access-governance orthogonality
+across Access Control, Organization, Governance, Security, Landscape,
+DevSecOps, Network, Observability, Task, and Tagging.
+
+The benchmark keeps Kubernetes native constructs separate from CARING meaning:
+
+- `Role` and `ClusterRole` are rule bundles or capability profiles, not
+ automatically CARING canonical roles.
+- `RoleBinding` and `ClusterRoleBinding` are grants or assignments.
+- `ServiceAccount` is a service subject and a workload identity anchor.
+- `Namespace` is a useful scope signal, but it is not automatically a tenant
+ boundary.
+
+Indexed benchmark artifacts:
+
+- `benchmark.yaml`
+- `native-concepts.yaml`
+- `caring-mapping.yaml`
+- `access-descriptors.yaml`
+- `findings-and-canon-pressure.yaml`
diff --git a/infospace/standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml b/infospace/standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml
new file mode 100644
index 0000000..a3963dd
--- /dev/null
+++ b/infospace/standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml
@@ -0,0 +1,164 @@
+id: benchmark/caring/kubernetes-rbac/access-descriptors
+title: Kubernetes RBAC CARING Access Descriptors
+status: candidate
+benchmark: benchmark/caring/kubernetes-rbac
+descriptor_classes:
+ - declared_access
+ - effective_access
+ - derived_capability
+ - induced_access
+descriptors:
+ - id: descriptor/namespace-pod-reader/declared
+ case_id: namespace-pod-reader
+ descriptor_class: declared_access
+ subject: serviceaccount:tenant-a:report-viewer
+ organization_relation: customer-operated-service
+ canonical_role: Viewer
+ scope: namespace:tenant-a
+ plane: Runtime
+ capabilities:
+ - get pods
+ - list pods
+ - watch pods
+ exposure_mode: metadata-and-runtime-state
+ lifecycle_state: steady-state-observation
+ conditions:
+ - bound by RoleBinding in namespace tenant-a
+ restrictions:
+ - no pod mutation
+ - no secret read
+ - namespace is not accepted as tenant boundary without additional evidence
+ native_evidence:
+ - Role/report-viewer
+ - RoleBinding/report-viewer-binding
+ - ServiceAccount/report-viewer
+ - id: descriptor/workload-creator/declared
+ case_id: workload-creator-derived-execution
+ descriptor_class: declared_access
+ subject: serviceaccount:tenant-a:job-runner
+ organization_relation: customer-operated-automation
+ canonical_role: Doer
+ scope: namespace:tenant-a
+ plane: Runtime
+ capabilities:
+ - create pods
+ - get pods
+ - delete pods
+ exposure_mode: workload-specification-control
+ lifecycle_state: job-execution
+ conditions:
+ - bound by RoleBinding in namespace tenant-a
+ restrictions:
+ - no direct secret get/list/watch declared
+ native_evidence:
+ - Role/job-runner
+ - RoleBinding/job-runner-binding
+ - ServiceAccount/job-runner
+ - id: descriptor/workload-creator/effective
+ case_id: workload-creator-derived-execution
+ descriptor_class: effective_access
+ subject: serviceaccount:tenant-a:job-runner
+ organization_relation: customer-operated-automation
+ canonical_role: Doer
+ scope: namespace:tenant-a
+ plane: Runtime
+ capabilities:
+ - create workload
+ - select pod service account
+ - influence mounted volumes
+ - execute container image
+ exposure_mode: mediated-runtime-execution
+ lifecycle_state: job-execution
+ conditions:
+ - pod admission and service-account mount behavior determine actual reach
+ restrictions:
+ - effective access must be checked against admission policy and service-account permissions
+ native_evidence:
+ - create pods verb
+ - pod spec serviceAccountName
+ - projected service account token behavior
+ - id: descriptor/workload-creator/derived
+ case_id: workload-creator-derived-execution
+ descriptor_class: derived_capability
+ subject: serviceaccount:tenant-a:job-runner
+ organization_relation: customer-operated-automation
+ canonical_role: Doer
+ scope: namespace:tenant-a
+ plane: Runtime
+ capabilities:
+ - execute arbitrary workload image
+ - use mounted service account identity
+ - read mounted runtime inputs
+ exposure_mode: derived-execution-and-identity-use
+ lifecycle_state: job-execution
+ conditions:
+ - derived from create pods permission
+ restrictions:
+ - must be bounded by admission controls, image policy, and service-account selection rules
+ native_evidence:
+ - Role/job-runner create pods
+ - id: descriptor/workload-creator/induced
+ case_id: workload-creator-derived-execution
+ descriptor_class: induced_access
+ subject: serviceaccount:tenant-a:job-runner
+ organization_relation: customer-operated-automation
+ canonical_role: Doer
+ scope: namespace:tenant-a
+ plane: Secret
+ capabilities:
+ - potential secret exposure through mounted volumes
+ - potential token exposure through mounted identity
+ exposure_mode: induced-secret-and-identity-exposure
+ lifecycle_state: job-execution
+ conditions:
+ - induced path exists only when workload can mount or reach sensitive material
+ restrictions:
+ - classify as candidate finding until manifests, admission, and secret references are reviewed
+ native_evidence:
+ - pod volume mounts
+ - service account token projection
+ - secret references in pod spec
+ - id: descriptor/cluster-secret-reader/declared
+ case_id: cluster-secret-reader
+ descriptor_class: declared_access
+ subject: serviceaccount:platform:inventory
+ organization_relation: platform-service-provider
+ canonical_role: Auditor
+ scope: cluster
+ plane: Secret
+ capabilities:
+ - get secrets
+ - list secrets
+ - watch secrets
+ exposure_mode: sensitive-data-read
+ lifecycle_state: operational-inventory
+ conditions:
+ - bound by ClusterRoleBinding
+ restrictions:
+ - requires governance review and audit evidence
+ native_evidence:
+ - ClusterRole/secret-reader
+ - ClusterRoleBinding/inventory-secret-reader
+ - ServiceAccount/inventory
+ - id: descriptor/namespace-boundary/review
+ case_id: namespace-as-tenant-boundary
+ descriptor_class: effective_access
+ subject: tenant-boundary-claim:tenant-a
+ organization_relation: platform-provider
+ canonical_role: Governor
+ scope: namespace:tenant-a
+ plane: Policy
+ capabilities:
+ - claim tenant isolation
+ - review access and runtime boundaries
+ exposure_mode: governance-claim
+ lifecycle_state: design-review
+ conditions:
+ - claim must be supported by access, network, runtime, data, and governance evidence
+ restrictions:
+ - namespace alone is insufficient evidence
+ native_evidence:
+ - Namespace/tenant-a
+ - RoleBinding set
+ - NetworkPolicy set
+ - ResourceQuota set
diff --git a/infospace/standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml b/infospace/standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml
new file mode 100644
index 0000000..1172d70
--- /dev/null
+++ b/infospace/standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml
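Review bot: The cluster-secret-reader case stops at a declared_access descriptor, although this file's own descriptor_classes list offers effective_access and the sibling caring-mapping.yaml rule declared-to-effective says bindings are translated into declared access first and then tested for effective paths. A ClusterRoleBinding applies to every namespace in the cluster, including namespaces created after the binding, so the bare `scope: cluster` and `conditions: - bound by ClusterRoleBinding` understate what the inventory service account can actually read and leave nothing for the security and governance review the restriction asks for to check against. The `descriptor/namespace-boundary/review` entry also reuses `descriptor_class: effective_access` for a governance claim whose subject is `tenant-boundary-claim:tenant-a`, which is not an access subject; a dedicated class, or a note on why effective_access is reused, would keep the four classes meaningful. A sketch of the missing effective descriptor follows; the values are constructed from the declared entry and should be confirmed against the case manifests once they exist.
```yaml
  - id: descriptor/cluster-secret-reader/effective
    case_id: cluster-secret-reader
    descriptor_class: effective_access
    subject: serviceaccount:platform:inventory
    organization_relation: platform-service-provider
    canonical_role: Auditor
    scope: cluster
    plane: Secret
    capabilities:
      - read Secret contents in every current and future namespace
    exposure_mode: sensitive-data-read
    lifecycle_state: operational-inventory
    conditions:
      - ClusterRoleBinding scope is not narrowed by namespace and persists for namespaces created later
    restrictions:
      - confirm whether inventory needs Secret contents or only Secret metadata before approval
    native_evidence:
      - ClusterRoleBinding/inventory-secret-reader
```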
@@ -0,0 +1,102 @@
+id: benchmark/caring/kubernetes-rbac
+title: CARING Kubernetes RBAC Benchmark
+status: candidate
+standard: standard/caring
+created_by_workplan: ITC-WP-0010
+purpose: Stress-test CARING descriptor shape against Kubernetes RBAC without treating Kubernetes native names as canon roles.
+source_corpus:
+ - id: kubernetes-rbac-reference
+ title: Kubernetes RBAC Reference
+ source_type: vendor-documentation
+ url: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
+ role: primary-native-model-reference
+ - id: kubernetes-service-account-concepts
+ title: Kubernetes Service Accounts
+ source_type: vendor-documentation
+ url: https://kubernetes.io/docs/concepts/security/service-accounts/
+ role: workload-identity-reference
+ - id: local-caring-standard
+ title: InfoTechCanon CARING Access Governance Standard
+ source_type: canon-standard
+ path: standards/caring/InfoTechCanonCaringAccessGovernanceStandard.md
+ role: descriptor-vocabulary
+cases:
+ - id: namespace-pod-reader
+ title: Namespace-Scoped Pod Reader
+ native_objects:
+ - Role
+ - RoleBinding
+ - ServiceAccount
+ - Namespace
+ stress_focus:
+ - declared-access
+ - scope-mapping
+ - native-role-warning
+ expected_outputs:
+ - Role maps to a scoped capability profile over get/list/watch pods.
+ - RoleBinding maps to a grant from subject to capability profile.
+ - Namespace is recorded as Kubernetes scope, not tenant boundary.
+ - id: workload-creator-derived-execution
+ title: Workload Creator With Derived Execution Capability
+ native_objects:
+ - Role
+ - RoleBinding
+ - ServiceAccount
+ - Pod
+ - Secret
+ stress_focus:
+ - declared-access
+ - effective-access
+ - derived-capability
+ - induced-access
+ expected_outputs:
+ - Create pod is declared as workload creation access.
+ - Execute workload is derived from the ability to create pods.
+ - Mounted service-account and secret exposure are induced access candidates.
+ - id: cluster-secret-reader
+ title: ClusterRole Secret Reader
+ native_objects:
+ - ClusterRole
+ - ClusterRoleBinding
+ - ServiceAccount
+ - Secret
+ stress_focus:
+ - cluster-scope
+ - exposure-mode
+ - governance-review
+ expected_outputs:
+ - ClusterRole maps to cluster-scoped data exposure capability.
+ - ClusterRoleBinding broadens scope beyond a namespace.
+ - Secret read access produces security and governance findings.
+ - id: namespace-as-tenant-boundary
+ title: Namespace Used As Tenant Boundary Claim
+ native_objects:
+ - Namespace
+ - Role
+ - RoleBinding
+ - NetworkPolicy
+ - ResourceQuota
+ stress_focus:
+ - tenant-boundary-warning
+ - cross-model-evidence
+ - review-criteria
+ expected_outputs:
+ - Namespace alone cannot prove tenant isolation.
+ - Tenant-boundary claim requires access, network, data, runtime, and governance evidence.
+ - Missing evidence creates a canon pressure finding instead of an approved boundary claim.
+expected_outputs:
+ - Native concept map covering Role, ClusterRole, RoleBinding, ClusterRoleBinding, ServiceAccount, Namespace, verbs, resources, and scopes.
+ - CARING mapping that separates native role objects from canonical roles, capability profiles, grants, scopes, planes, and exposure modes.
+ - Access descriptors that distinguish declared access, effective access, derived capability, and induced access.
+ - Findings that identify gaps, conflicts, and proposed canon changes without changing standards silently.
+review_criteria:
+ - id: descriptor-completeness
+ criterion: Every benchmark case has at least one CARING access descriptor with subject, scope, plane, capabilities, exposure mode, lifecycle state, and native evidence.
+ - id: native-role-warning
+ criterion: Kubernetes Role and ClusterRole are never accepted as CARINGCanonicalRole without an explicit mapping rationale.
+ - id: namespace-boundary-check
+ criterion: Namespace isolation is treated as a claim requiring evidence, not as a tenant boundary by default.
+ - id: effective-access-analysis
+ criterion: Create or update workload permissions are reviewed for derived execution, mounted identity, secret, and volume exposure.
+ - id: canon-pressure-routing
+ criterion: Gaps become reviewable proposed changes, tasks, or open questions rather than immediate model changes.
diff --git a/infospace/standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml b/infospace/standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml
new file mode 100644
index 0000000..d437548
--- /dev/null
+++ b/infospace/standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml
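Review bot: The effective-access-analysis criterion reviews only create or update workload permissions, while the sibling caring-mapping.yaml secret-exposure rule, the native-concepts.yaml Verb notes and the findings file's gap/effective-access-calculus all treat bind, escalate and impersonate as effective-access concerns, and none of the four cases exercises them; the review criteria and the stated gaps should agree on what is in scope. One way to close it is to widen the criterion, `criterion: Create or update workload permissions, and the bind, escalate, and impersonate verbs, are reviewed for derived execution, mounted identity, secret, and volume exposure.`, another is to add a fifth case and leave the criterion as is. The two vendor-documentation entries in source_corpus carry a url but no retrieval date or Kubernetes version, so the native model the benchmark was checked against cannot be reproduced once those pages change; a per-entry field such as `retrieved: <DATE-PLACEHOLDER>` or `kubernetes_version: <VERSION-PLACEHOLDER>` would pin it, with the field name chosen to match whatever the artifact schema already uses.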
@@ -0,0 +1,79 @@
+id: benchmark/caring/kubernetes-rbac/caring-mapping
+title: Kubernetes RBAC To CARING Mapping
+status: candidate
+benchmark: benchmark/caring/kubernetes-rbac
+namespace_tenant_boundary_warning: true
+mappings:
+ - native_concept: Role
+ caring_dimension: capability_profile
+ canon_targets:
+ - standard/caring:CARINGCapabilityProfile
+ - model/access-control:Permission
+ - model/governance:Policy
+ mapping_rule: Interpret Role rules as scoped capability bundles over verbs, resources, API groups, and resource names.
+ - native_concept: ClusterRole
+ caring_dimension: capability_profile
+ canon_targets:
+ - standard/caring:CARINGCapabilityProfile
+ - model/access-control:Permission
+ - model/governance:Policy
+ mapping_rule: Interpret ClusterRole rules as cluster-scope or reusable capability bundles; do not infer organization responsibility.
+ - native_concept: RoleBinding
+ caring_dimension: declared_access
+ canon_targets:
+ - standard/caring:CARINGDeclaredAccessMap
+ - model/access-control:Grant
+ - model/governance:Decision
+ mapping_rule: Bind subject to a Role or ClusterRole within the RoleBinding namespace.
+ - native_concept: ClusterRoleBinding
+ caring_dimension: declared_access
+ canon_targets:
+ - standard/caring:CARINGDeclaredAccessMap
+ - model/access-control:Grant
+ - model/governance:Decision
+ mapping_rule: Bind subject to a ClusterRole at cluster scope.
+ - native_concept: ServiceAccount
+ caring_dimension: subject
+ canon_targets:
+ - model/access-control:Subject
+ - model/devsecops:WorkloadIdentity
+ - model/organization:Service
+ mapping_rule: Treat ServiceAccount as a service subject; map workload use separately as effective or induced access.
+ - native_concept: Namespace
+ caring_dimension: scope
+ canon_targets:
+ - model/access-control:ResourceScope
+ - model/landscape:RuntimeContainment
+ - model/network:SegmentationContext
+ mapping_rule: Use Namespace as a Kubernetes scope signal; require additional evidence before mapping it to TenantBoundary.
+ - native_concept: Verb
+ caring_dimension: capability
+ canon_targets:
+ - model/access-control:Action
+ - standard/caring:CARINGCapabilityProfile
+ mapping_rule: Interpret verbs in combination with resources because create pods and get secrets have different exposure consequences.
+ - native_concept: Resource
+ caring_dimension: scope
+ canon_targets:
+ - model/access-control:Resource
+ - model/landscape:RuntimeResource
+ - model/security:ExposureTarget
+ mapping_rule: Map resources to access targets and then evaluate exposure, derived capability, and plane.
+ - native_concept: Scope
+ caring_dimension: scope
+ canon_targets:
+ - model/access-control:ResourceScope
+ - model/landscape:LandscapeScope
+ - model/governance:GovernanceScope
+ mapping_rule: Preserve namespace, cluster, API group, resource, and resourceName boundaries as separate scope facets.
+analysis_rules:
+ - id: native-role-warning
+ rule: Do not map Role or ClusterRole to CARINGCanonicalRole without an explicit lifecycle-responsibility rationale.
+ - id: declared-to-effective
+ rule: Translate bindings into declared access first, then test workload, controller, service-account, secret, and volume paths for effective access.
+ - id: derived-workload-execution
+ rule: Permissions that create or update workload specs may imply derived execution and mounted identity capabilities.
+ - id: secret-exposure
+ rule: Permissions over secrets, pods, serviceaccounts, roles, rolebindings, or escalation verbs require security and governance review.
+ - id: namespace-tenant-boundary
+ rule: Namespace isolation claims require evidence from access control, runtime configuration, network policy, data isolation, and governance ownership.
diff --git a/infospace/standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml b/infospace/standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml
new file mode 100644
index 0000000..f0a9965
--- /dev/null
+++ b/infospace/standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml
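Review bot: ServiceAccount is the only subject kind mapped, but the subjects of a RoleBinding or ClusterRoleBinding in Kubernetes can also be User or Group, and the two binding mapping_rule lines say only "Bind subject" without stating which kinds the benchmark covers. A Group subject makes the declared access map depend on group claims issued by the cluster authenticator rather than on any object inside the cluster, so it cannot be expressed through the ServiceAccount mapping nor through the `subject: serviceaccount:...` form that access-descriptors.yaml uses, and a reviewer reading this file would conclude such grants are out of scope without being told so. I would add a Subject mapping that names the three kinds and says how User and Group grants are recorded; a sketch follows, restricted to canon target identifiers this file already uses.
```yaml
  - native_concept: Subject
    caring_dimension: subject
    canon_targets:
      - model/access-control:Subject
      - standard/caring:CARINGDeclaredAccessMap
    mapping_rule: Binding subjects are User, Group, or ServiceAccount; User and Group identities originate outside the cluster, so record the authenticator as native evidence and treat a Group grant as declared access for every current and future member.
```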
@@ -0,0 +1,76 @@
+id: benchmark/caring/kubernetes-rbac/findings
+title: Kubernetes RBAC Benchmark Findings And Canon Pressure
+status: candidate
+benchmark: benchmark/caring/kubernetes-rbac
+stable_findings:
+ - id: finding/native-role-is-rule-bundle
+ severity: high
+ summary: Kubernetes Role and ClusterRole are native rule bundles, not automatically CARING canonical roles.
+ canon_pressure:
+ - Keep the native role warning visible in CARING validation.
+ - Add benchmark assertions that reject direct Role to CARINGCanonicalRole mappings without rationale.
+ - id: finding/namespace-not-tenant-boundary
+ severity: high
+ summary: Namespace is a useful scope signal but does not by itself prove tenant isolation.
+ canon_pressure:
+ - Treat tenant-boundary claims as reviewable evidence bundles across access, network, data, runtime, and governance.
+ - Add a reusable tenant-boundary review pattern if this recurs in other benchmarks.
+ - id: finding/workload-create-derives-execution
+ severity: high
+ summary: Workload creation permissions can derive runtime execution, mounted identity use, volume access, and secret exposure paths.
+ canon_pressure:
+ - Clarify ownership of DerivedCapability between CARING, Access Control, Security, and DevSecOps.
+ - Add effective-access checks for workload-mediated permission paths.
+ - id: finding/serviceaccount-is-service-subject
+ severity: medium
+ summary: ServiceAccount should map to a service subject and workload identity, not to a human actor or organization role.
+ canon_pressure:
+ - Strengthen subject and principal distinctions in access reviews.
+ - Preserve actor, subject, principal, and workload identity as separate concepts.
+gaps:
+ - id: gap/caring-access-descriptor-schema
+ title: Machine-readable CARING descriptor schema
+ description: The benchmark uses structured descriptors, but there is not yet a formal schema for CARINGAccessDescriptor.
+ proposed_route: Create schema under a future CARING validation workplan.
+ - id: gap/effective-access-calculus
+ title: Effective access derivation rules
+ description: The canon needs reusable derivation rules for workload creation, mounted identities, secrets, impersonation, bind, and escalate.
+ proposed_route: Add validation rules after more benchmark cases are exercised.
+ - id: gap/tenant-boundary-evidence-profile
+ title: Tenant boundary evidence profile
+ description: Namespace boundary claims need a reusable evidence profile spanning access, network, runtime, data, and governance controls.
+ proposed_route: Candidate pattern or profile, not an immediate standard change.
+conflicts:
+ - id: conflict/native-role-name
+ summary: Kubernetes native Role conflicts with the everyday meaning of role and with CARINGCanonicalRole.
+ resolution: Preserve native construct name and require explicit mapping to capability profile or canonical role.
+ - id: conflict/scope-overload
+ summary: Kubernetes namespace, resource scope, governance scope, tenant scope, and CARING scope can be conflated.
+ resolution: Record scope facets separately and only approve tenant-boundary claims after evidence review.
+proposed_changes:
+ - id: proposal/caring-descriptor-schema
+ owner: standard/caring
+ change_type: new-schema
+ proposal: Add a CARING access descriptor schema with required fields for subject, organization relation, canonical role, scope, plane, capabilities, exposure mode, lifecycle state, restrictions, descriptor class, and native evidence.
+ - id: proposal/kubernetes-rbac-validation-rules
+ owner: standard/caring
+ change_type: benchmark-validation
+ proposal: Add CARING validation rules for native role warning, namespace tenant-boundary claims, workload-derived execution, and secret exposure.
+ - id: proposal/tenant-boundary-review-pattern
+ owner: model/governance
+ change_type: new-pattern
+ proposal: Add a review pattern for tenant-boundary claims that requires evidence from access control, network, runtime, data, security, and governance.
+ - id: proposal/derived-capability-ownership
+ owner: standard/caring
+ change_type: open-question
+ proposal: Decide whether DerivedCapability remains CARING-owned or becomes shared with Access Control and Security through a model profile.
+follow_up_tasks:
+ - id: task/formalize-caring-descriptor-schema
+ target_workplan: proposed
+ summary: Create the CARING access descriptor schema and validate this benchmark against it.
+ - id: task/add-kubernetes-rbac-case-corpus
+ target_workplan: proposed
+ summary: Add concrete Kubernetes YAML manifests for the four benchmark cases and expected parsed observations.
+ - id: task/expand-effective-access-engine
+ target_workplan: proposed
+ summary: Prototype derivation rules for pod creation, service-account mounting, secrets, bind, escalate, and impersonate.
diff --git a/infospace/standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml b/infospace/standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml
new file mode 100644
index 0000000..5417dff
--- /dev/null
+++ b/infospace/standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml
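Review bot: Every follow_up_tasks entry sets `target_workplan: proposed`, which puts a status word into a field that elsewhere in this commit carries workplan identifiers (benchmark.yaml has `created_by_workplan: ITC-WP-0010`), so a consumer resolving the reference will look for a workplan called "proposed". Splitting it into `target_workplan: null` plus `status: proposed`, or whatever the index schema already uses for unassigned work, keeps the field a reference and the status a status. The stable_findings also carry no pointer back to the case or descriptor that produced them, although finding/workload-create-derives-execution is plainly the workload-creator-derived-execution case; a per-finding list such as `cases: [workload-creator-derived-execution]` would make the evidence trail checkable, and presumably by the validation changes this commit ships, which I cannot see from here.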
@@ -0,0 +1,87 @@
+id: benchmark/caring/kubernetes-rbac/native-concepts
+title: Kubernetes RBAC Native Concept Map
+status: candidate
+benchmark: benchmark/caring/kubernetes-rbac
+namespace_tenant_boundary_warning: true
+concepts:
+ - native: Role
+ category: rule-bundle
+ native_scope: namespace
+ caring_mapping: CARINGCapabilityProfile
+ canon_mappings:
+ - model/access-control:PermissionSet
+ - model/governance:Policy
+ notes: A Role defines permissions within one namespace and is not automatically a CARINGCanonicalRole.
+ - native: ClusterRole
+ category: rule-bundle
+ native_scope: cluster
+ caring_mapping: CARINGCapabilityProfile
+ canon_mappings:
+ - model/access-control:PermissionSet
+ - model/governance:Policy
+ notes: A ClusterRole can define cluster-scoped permissions or reusable rule bundles for namespace bindings.
+ - native: RoleBinding
+ category: assignment
+ native_scope: namespace
+ caring_mapping: CARINGDeclaredAccessMap
+ canon_mappings:
+ - model/access-control:Grant
+ - model/governance:AssignmentDecision
+ notes: A RoleBinding grants a Role or ClusterRole to subjects within a namespace.
+ - native: ClusterRoleBinding
+ category: assignment
+ native_scope: cluster
+ caring_mapping: CARINGDeclaredAccessMap
+ canon_mappings:
+ - model/access-control:Grant
+ - model/governance:AssignmentDecision
+ notes: A ClusterRoleBinding grants a ClusterRole across cluster scope.
+ - native: ServiceAccount
+ category: service-subject
+ native_scope: namespace
+ caring_mapping: Subject
+ canon_mappings:
+ - model/access-control:Subject
+ - model/organization:Service
+ - model/devsecops:WorkloadIdentity
+ notes: A ServiceAccount is a service subject and workload identity anchor, not a human actor.
+ - native: Namespace
+ category: scope-signal
+ native_scope: namespace
+ caring_mapping: Scope
+ canon_mappings:
+ - model/landscape:RuntimeContainment
+ - model/access-control:ResourceScope
+ - model/network:SegmentationContext
+ notes: A Namespace is not automatically a tenant boundary; tenant isolation needs supporting access, network, data, and governance evidence.
+ - native: Verb
+ category: action
+ native_scope: rule
+ caring_mapping: Capability
+ canon_mappings:
+ - model/access-control:Action
+ - standard/caring:CARINGCapabilityProfile
+ notes: Verbs such as get, list, watch, create, update, patch, delete, bind, impersonate, and escalate must be interpreted by resource and scope.
+ - native: Resource
+ category: target
+ native_scope: api-group
+ caring_mapping: Scope
+ canon_mappings:
+ - model/access-control:Resource
+ - model/landscape:RuntimeResource
+ - model/data:ProtectedInformationAsset
+ notes: Resources such as pods, secrets, roles, rolebindings, and serviceaccounts carry different exposure and derived-capability implications.
+ - native: Scope
+ category: boundary
+ native_scope: namespace-or-cluster
+ caring_mapping: Scope
+ canon_mappings:
+ - model/access-control:ResourceScope
+ - model/landscape:LandscapeScope
+ - model/governance:GovernanceScope
+ notes: Kubernetes scope must be declared explicitly as namespace, cluster, API group, resource, and optionally tenant claim with evidence.
+mapping_constraints:
+ - Kubernetes native names are preserved as source semantics.
+ - CARING canonical roles are assigned only after analyzing lifecycle responsibility posture.
+ - Namespace tenancy is a reviewable claim, not a default mapping.
+ - Effective access must include controller-mediated and workload-mediated paths where relevant.
diff --git a/infospace/validation/latest.json b/infospace/validation/latest.json
index 5d547b4..9ce9b39 100644
--- a/infospace/validation/latest.json
+++ b/infospace/validation/latest.json
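Review bot: The canon targets in this file disagree with caring-mapping.yaml in the same commit for the same native concepts: Role and ClusterRole map to `model/access-control:PermissionSet` here but to `model/access-control:Permission` there, RoleBinding and ClusterRoleBinding map to `model/governance:AssignmentDecision` here but to `model/governance:Decision` there, and Resource gains `model/data:ProtectedInformationAsset` here while caring-mapping.yaml names `model/security:ExposureTarget` instead. Two spellings for one concept will either register as two concepts or trip concept-ownership validation, so one file should hold the mapping and the other should reference it, or the identifiers should be made identical. The import-matrix row for this artifact earlier in the diff lists only model/access-control, model/landscape and standard/caring as targets, yet canon_mappings here also name model/governance, model/organization, model/devsecops, model/network and model/data; if the matrix is generated from declared imports rather than from these lists, the declarations presumably need to be brought into line with what the file actually maps to.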
@@ -1,14 +1,14 @@ { "details": { - "artifact_count": 49, - "relationship_count": 212 + "artifact_count": 54, + "relationship_count": 238 }, "errors": [], "metrics": { "coherence_components": 1.0, "consistency_cycles": 0.0, "coverage_ratio": 1.0, - "granularity_entropy": 3.6776822595640257, + "granularity_entropy": 3.9972143235892474, "redundancy_ratio": 0.0 }, "ok": true, diff --git a/infospace/views/by-concept.md b/infospace/views/by-concept.md index 1cf2d34..c0e0464 100644 --- a/infospace/views/by-concept.md +++ b/infospace/views/by-concept.md @@ -2,10 +2,15 @@ # By Concept -Concept count: **74** +Concept count: **79** | Concept | Owner | Source | | --- | --- | --- | +| CARING Kubernetes RBAC Benchmark | `benchmark/caring/kubernetes-rbac` | `artifact_title` | +| Kubernetes RBAC CARING Access Descriptors | `benchmark/caring/kubernetes-rbac/access-descriptors` | `artifact_title` | +| Kubernetes RBAC To CARING Mapping | `benchmark/caring/kubernetes-rbac/caring-mapping` | `artifact_title` | +| Kubernetes RBAC Benchmark Findings And Canon Pressure | `benchmark/caring/kubernetes-rbac/findings` | `artifact_title` | +| Kubernetes RBAC Native Concept Map | `benchmark/caring/kubernetes-rbac/native-concepts` | `artifact_title` | | Repo Scoping Canon Benefit Analysis | `comparison/repo-scoping/canon-benefit-analysis` | `artifact_title` | | Repo Scoping Consumer Workplan Brief | `comparison/repo-scoping/consumer-workplan-brief` | `artifact_title` | | Repo Scoping Canon Extension Candidates | `comparison/repo-scoping/extension-candidates` | `artifact_title` | diff --git a/infospace/views/by-mapping-target.md b/infospace/views/by-mapping-target.md index 6985716..00e4667 100644 --- a/infospace/views/by-mapping-target.md +++ b/infospace/views/by-mapping-target.md 
@@ -2,6 +2,13 @@ # By Mapping Target +## `benchmark/caring/kubernetes-rbac` + +- `benchmark/caring/kubernetes-rbac/access-descriptors` via `part_of` +- `benchmark/caring/kubernetes-rbac/caring-mapping` via `part_of` +- `benchmark/caring/kubernetes-rbac/findings` via `part_of` +- `benchmark/caring/kubernetes-rbac/native-concepts` via `part_of` + ## `comparison/repo-scoping/report` - `comparison/repo-scoping/canon-benefit-analysis` via `part_of` @@ -57,6 +64,10 @@ ## `model/access-control` +- `benchmark/caring/kubernetes-rbac` via `stress_tests` +- `benchmark/caring/kubernetes-rbac/access-descriptors` via `uses` +- `benchmark/caring/kubernetes-rbac/caring-mapping` via `maps` +- `benchmark/caring/kubernetes-rbac/native-concepts` via `maps` - `evaluation/user-engine` via `uses` - `evaluation/user-engine/questions` via `uses` - `evaluation/user-engine/small-saas-alignment` via `uses` @@ -80,6 +91,8 @@ ## `model/devsecops` +- `benchmark/caring/kubernetes-rbac` via `stress_tests` +- `benchmark/caring/kubernetes-rbac/access-descriptors` via `uses` - `conformance/railiance-fabric` via `uses` - `conformance/railiance-fabric/entity-edge-capture-criteria` via `uses` - `conformance/railiance-fabric/mapping-expectations` via `maps` @@ -90,6 +103,9 @@ ## `model/governance` +- `benchmark/caring/kubernetes-rbac` via `stress_tests` +- `benchmark/caring/kubernetes-rbac/caring-mapping` via `maps` +- `benchmark/caring/kubernetes-rbac/findings` via `proposes` - `comparison/repo-scoping/canon-benefit-analysis` via `maps` - `comparison/repo-scoping/extension-candidates` via `proposes` - `comparison/repo-scoping/frame` via `uses` @@ -121,6 +137,7 @@ ## `model/landscape` +- `benchmark/caring/kubernetes-rbac/native-concepts` via `maps` - `conformance/railiance-fabric` via `uses` - `conformance/railiance-fabric/entity-edge-capture-criteria` via `uses` - `conformance/railiance-fabric/mapping-expectations` via `maps` 
@@ -131,6 +148,7 @@ ## `model/network` +- `benchmark/caring/kubernetes-rbac` via `stress_tests` - `conformance/railiance-fabric` via `uses` - `conformance/railiance-fabric/entity-edge-capture-criteria` via `uses` - `conformance/railiance-fabric/mapping-expectations` via `maps` @@ -141,6 +159,7 @@ ## `model/observability` +- `benchmark/caring/kubernetes-rbac` via `stress_tests` - `conformance/railiance-fabric` via `uses` - `conformance/railiance-fabric/entity-edge-capture-criteria` via `uses` - `conformance/railiance-fabric/mapping-expectations` via `maps` @@ -184,6 +203,10 @@ ## `model/security` +- `benchmark/caring/kubernetes-rbac` via `stress_tests` +- `benchmark/caring/kubernetes-rbac/access-descriptors` via `uses` +- `benchmark/caring/kubernetes-rbac/caring-mapping` via `maps` +- `benchmark/caring/kubernetes-rbac/findings` via `proposes` - `conformance/railiance-fabric` via `uses` - `conformance/railiance-fabric/entity-edge-capture-criteria` via `uses` - `conformance/railiance-fabric/mapping-expectations` via `maps` @@ -296,6 +319,11 @@ ## `standard/caring` +- `benchmark/caring/kubernetes-rbac` via `conforms_to` +- `benchmark/caring/kubernetes-rbac/access-descriptors` via `uses` +- `benchmark/caring/kubernetes-rbac/caring-mapping` via `maps` +- `benchmark/caring/kubernetes-rbac/findings` via `proposes` +- `benchmark/caring/kubernetes-rbac/native-concepts` via `maps` - `evaluation/user-engine` via `uses` - `evaluation/user-engine/interface-card-expectations` via `uses` - `kernel/itc-kernel-map` via `maps` @@ -304,6 +332,7 @@ ## `standard/tagging` +- `benchmark/caring/kubernetes-rbac` via `uses` - `comparison/repo-scoping/canon-benefit-analysis` via `maps` - `conformance/railiance-fabric` via `uses` - `kernel/itc-kernel-map` via `maps` diff --git a/infospace/views/import-matrix.md b/infospace/views/import-matrix.md index 091a5ab..356d003 100644 --- a/infospace/views/import-matrix.md +++ b/infospace/views/import-matrix.md 
@@ -2,54 +2,59 @@ # Import Matrix -| Artifact | `comparison/repo-scoping/canon-benefit-analysis` | `comparison/repo-scoping/consumer-workplan-brief` | `comparison/repo-scoping/extension-candidates` | `comparison/repo-scoping/frame` | `comparison/repo-scoping/report` | `concept-catalog/purpose-demand` | `conformance/railiance-fabric` | `conformance/railiance-fabric/consumer-workplan-brief` | `conformance/railiance-fabric/entity-edge-capture-criteria` | `conformance/railiance-fabric/mapping-expectations` | `conformance/railiance-fabric/visualization-examples` | `evaluation/user-engine` | `evaluation/user-engine/consumer-workplan-brief` | `evaluation/user-engine/interface-card-expectations` | `evaluation/user-engine/questions` | `evaluation/user-engine/small-saas-alignment` | `example/consumer-purpose-portfolio` | `kernel/itc-core` | `kernel/itc-kernel-map` | `mapping/purpose-demand-governance-candidates` | `model/access-control` | `model/data` | `model/devsecops` | `model/governance` | `model/information-space` | `model/landscape` | `model/network` | `model/observability` | `model/organization` | `model/purpose-demand-extension` | `model/security` | `model/task` | `pattern/intent-scope-purposes` | `profile/small-saas` | `small-saas/control/namespace-per-tenant` | `small-saas/dataset/subscription-ledger` | `small-saas/deployment/production` | `small-saas/evidence/access-review-2026-05` | `small-saas/incident/cross-tenant-access-attempt` | `small-saas/policy/tenant-isolation` | `small-saas/service/billing-portal` | `small-saas/system/billing-system` | `small-saas/task/onboard-tenant` | `small-saas/team/platform` | `small-saas/tenant/acme` | `small-saas/tenant/globex` | `small-saas/user/ada-admin` | `standard/caring` | `standard/tagging` | -| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- 
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | -| `comparison/repo-scoping/canon-benefit-analysis` | | | | | `part_of` | | | | | | | | | | | | | | | | | | | `maps` | `maps` | | | | | `maps` | | `maps` | | | | | | | | | | | | | | | | | `maps` | -| `comparison/repo-scoping/consumer-workplan-brief` | | | | | `part_of` | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | | | -| `comparison/repo-scoping/extension-candidates` | | | | | `part_of` | | | | | | | | | | | | | | | | | | | `proposes` | `proposes` | | | | | `proposes` | | `proposes` | | | | | | | | | | | | | | | | | | -| `comparison/repo-scoping/frame` | | | | | `part_of` | | | | | | | | | | | | | | | | | | | `uses` | | | | | | `uses` | | `uses` | | | | | | | | | | | | | | | | | | -| `comparison/repo-scoping/report` | | | | | | | | | | | | | | | | | | | | | | | | `uses` | `uses` | | | | | `compares` | | `uses` | `uses` | | | | | | | | | | | | | | | | | -| `concept-catalog/purpose-demand` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | `uses` | | | | | | | | | | | | | | | | | | | | | | | | | | -| `conformance/railiance-fabric` | | | | | | | | | | | | | | | | | | | | | | `uses` | `uses` | `uses` | | `uses` | `uses` | `uses` | | `uses` | `uses` | `uses` | | | | | | | | | | | | | | | | | `uses` | -| `conformance/railiance-fabric/consumer-workplan-brief` | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | | | -| `conformance/railiance-fabric/entity-edge-capture-criteria` | | | | | | | `part_of` | | | | | | | | | | | | | | | `uses` | `uses` | `uses` | | `uses` | `uses` | `uses` | | `uses` | `uses` | `uses` | | | | | | | | | | | | | | | | | | -| `conformance/railiance-fabric/mapping-expectations` | | | | | | | `part_of` | | | | | | | | | | | | | | | `maps` | `maps` | `maps` | | `maps` | `maps` | `maps` | | `maps` | `maps` | | | | | | | | | | | | | | | | | | | -| 
`conformance/railiance-fabric/visualization-examples` | | | | | | | `part_of` | | `illustrates` | `illustrates` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `evaluation/user-engine` | | | | | | | | | | | | | | | | | | | | | `uses` | `uses` | | `uses` | | | | | `uses` | `uses` | `uses` | `uses` | | `evaluates` | | | | | | | | | | | | | | `uses` | | -| `evaluation/user-engine/consumer-workplan-brief` | | | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | | | -| `evaluation/user-engine/interface-card-expectations` | | | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | `uses` | | -| `evaluation/user-engine/questions` | | | | | | | | | | | | `part_of` | | | | | | | | | `uses` | `uses` | | `uses` | | | | | `uses` | `uses` | `uses` | `uses` | | | | | | | | | | | | | | | | | | -| `evaluation/user-engine/small-saas-alignment` | | | | | | | | | | | | `part_of` | | | | | | | | | `uses` | | | `uses` | | | | | `uses` | | | | | `evaluates` | | | | | | | | | | | | | | | | -| `example/consumer-purpose-portfolio` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `illustrates` | | | `illustrates` | `uses` | | | | | | | | | | | | | | | | -| `kernel/itc-core` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `kernel/itc-kernel-map` | | | | | | | | | | | | | | | | | | `maps` | | | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | | `maps` | `maps` | | | | | | | | | | | | | | | | `maps` | `maps` | -| `mapping/purpose-demand-governance-candidates` | | | | | | | | | | | | | | | | | | | | | | | | `maps` | | | | | | `maps` | | `uses` | | | | | | | | | | | | | | | | | | -| `model/access-control` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | `uses` | | | | | `uses` | | | | | | | | | | | | | | | | | | | | | -| `model/data` | | | | | | 
| | | | | | | | | | | | `conforms_to` | | | | | | `uses` | | | | | | | | | | | | | | | | | | | | | | | | | | -| `model/devsecops` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | | -| `model/governance` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `model/information-space` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `model/landscape` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `model/network` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | | -| `model/observability` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | -| `model/organization` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `model/purpose-demand-extension` | | | | | | `introduces` | | | | | | | | | | | | `conforms_to` | | | | | | `extends` | `uses` | | | | | | | `uses` | | | | | | | | | | | | | | | | | | -| `model/security` | | | | | | | | | | | | | | | | | | `conforms_to` | | | `uses` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `model/task` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | -| `pattern/intent-scope-purposes` | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | `implements` | | `uses` | | | | | | | | | | | | | | | | | | -| `profile/small-saas` | | | | | | | | | | | | | | | | | | `conforms_to` | | | `requires` | `requires` | `requires` | `requires` | | `requires` | `requires` | `requires` | `requires` | | `requires` | `requires` | | | | | | | | | | | | | | | | `requires` | `requires` | -| 
`small-saas/control/namespace-per-tenant` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | `instantiates` | | | | `evidenced_by` | | | | | | | | | | `uses` | | -| `small-saas/dataset/subscription-ledger` | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | `instantiates` | | | | | | `governed_by` | `owned_by` | | | | `partitioned_for` | `partitioned_for` | | | | -| `small-saas/deployment/production` | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | `uses` | | | | | | | `instantiates` | `implements` | | | | | | `deploys` | | | | `separates` | `separates` | | | | -| `small-saas/evidence/access-review-2026-05` | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | `instantiates` | | | | | | | | | | | | | | | | -| `small-saas/incident/cross-tenant-access-attempt` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | `instantiates` | `constrained_by` | | | `evidenced_by` | | | | | | | | | | | | -| `small-saas/policy/tenant-isolation` | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | `instantiates` | `requires` | | | `evidenced_by` | | | | | | | | | | | | -| `small-saas/service/billing-portal` | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | `instantiates` | | | | | | | | `part_of` | | `owned_by` | | | | | | -| `small-saas/system/billing-system` | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | `instantiates` | | | | | | | | | | | `serves` | `serves` | | | | -| `small-saas/task/onboard-tenant` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | `instantiates` | | | | | | `governed_by` | | | | `owned_by` | `changes` | | | | | -| `small-saas/team/platform` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | `instantiates` | | | | | | | | | | | | | | | | -| `small-saas/tenant/acme` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | 
`instantiates` | `isolated_by` | | | | | | | | | | | | `represented_by` | | | -| `small-saas/tenant/globex` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | `instantiates` | `isolated_by` | | | | | | | | | | | | | | | -| `small-saas/user/ada-admin` | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | `uses` | | | | | `instantiates` | | | | `access_evidenced_by` | | `has_access_under` | | | | `member_of` | | | | | | -| `standard/caring` | | | | | | | | | | | | | | | | | | `conforms_to` | | | `imports` | `imports` | `imports` | `imports` | | | `imports` | `imports` | `imports` | | `imports` | `imports` | | | | | | | | | | | | | | | | | `imports` | -| `standard/tagging` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | `imports` | | | | | | | | | | | | | | | | | | +| Artifact | `benchmark/caring/kubernetes-rbac` | `benchmark/caring/kubernetes-rbac/access-descriptors` | `benchmark/caring/kubernetes-rbac/caring-mapping` | `benchmark/caring/kubernetes-rbac/findings` | `benchmark/caring/kubernetes-rbac/native-concepts` | `comparison/repo-scoping/canon-benefit-analysis` | `comparison/repo-scoping/consumer-workplan-brief` | `comparison/repo-scoping/extension-candidates` | `comparison/repo-scoping/frame` | `comparison/repo-scoping/report` | `concept-catalog/purpose-demand` | `conformance/railiance-fabric` | `conformance/railiance-fabric/consumer-workplan-brief` | `conformance/railiance-fabric/entity-edge-capture-criteria` | `conformance/railiance-fabric/mapping-expectations` | `conformance/railiance-fabric/visualization-examples` | `evaluation/user-engine` | `evaluation/user-engine/consumer-workplan-brief` | `evaluation/user-engine/interface-card-expectations` | `evaluation/user-engine/questions` | `evaluation/user-engine/small-saas-alignment` | `example/consumer-purpose-portfolio` | `kernel/itc-core` | `kernel/itc-kernel-map` | `mapping/purpose-demand-governance-candidates` | `model/access-control` | 
`model/data` | `model/devsecops` | `model/governance` | `model/information-space` | `model/landscape` | `model/network` | `model/observability` | `model/organization` | `model/purpose-demand-extension` | `model/security` | `model/task` | `pattern/intent-scope-purposes` | `profile/small-saas` | `small-saas/control/namespace-per-tenant` | `small-saas/dataset/subscription-ledger` | `small-saas/deployment/production` | `small-saas/evidence/access-review-2026-05` | `small-saas/incident/cross-tenant-access-attempt` | `small-saas/policy/tenant-isolation` | `small-saas/service/billing-portal` | `small-saas/system/billing-system` | `small-saas/task/onboard-tenant` | `small-saas/team/platform` | `small-saas/tenant/acme` | `small-saas/tenant/globex` | `small-saas/user/ada-admin` | `standard/caring` | `standard/tagging` | +| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | +| `benchmark/caring/kubernetes-rbac` | | | | | | | | | | | | | | | | | | | | | | | | | | `stress_tests` | | `stress_tests` | `stress_tests` | | | `stress_tests` | `stress_tests` | | | `stress_tests` | | | | | | | | | | | | | | | | | `conforms_to` | `uses` | +| `benchmark/caring/kubernetes-rbac/access-descriptors` | `part_of` | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | `uses` | | | | | | | | `uses` | | | | | | | | | | | | | | | | | `uses` | | +| `benchmark/caring/kubernetes-rbac/caring-mapping` | `part_of` | | | | | | | | | | | | | | | | | | | | | | | | | `maps` | | | `maps` | | | | | | | `maps` | | | | | | | | | | | | | | | | | `maps` | | +| `benchmark/caring/kubernetes-rbac/findings` | `part_of` | | | | | | | | | | | | | | | | | | | | | | | | | | | | `proposes` | | | | | | | `proposes` | | | | | | | | | | | | | | 
| | | `proposes` | | +| `benchmark/caring/kubernetes-rbac/native-concepts` | `part_of` | | | | | | | | | | | | | | | | | | | | | | | | | `maps` | | | | | `maps` | | | | | | | | | | | | | | | | | | | | | | `maps` | | +| `comparison/repo-scoping/canon-benefit-analysis` | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | | `maps` | `maps` | | | | | `maps` | | `maps` | | | | | | | | | | | | | | | | | `maps` | +| `comparison/repo-scoping/consumer-workplan-brief` | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | | | +| `comparison/repo-scoping/extension-candidates` | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | | `proposes` | `proposes` | | | | | `proposes` | | `proposes` | | | | | | | | | | | | | | | | | | +| `comparison/repo-scoping/frame` | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | | `uses` | | | | | | `uses` | | `uses` | | | | | | | | | | | | | | | | | | +| `comparison/repo-scoping/report` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | `uses` | | | | | `compares` | | `uses` | `uses` | | | | | | | | | | | | | | | | | +| `concept-catalog/purpose-demand` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | `uses` | | | | | | | | | | | | | | | | | | | | | | | | | | +| `conformance/railiance-fabric` | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | `uses` | `uses` | | `uses` | `uses` | `uses` | | `uses` | `uses` | `uses` | | | | | | | | | | | | | | | | | `uses` | +| `conformance/railiance-fabric/consumer-workplan-brief` | | | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | | | +| `conformance/railiance-fabric/entity-edge-capture-criteria` | | | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | `uses` | `uses` | `uses` | | `uses` | `uses` | `uses` | | `uses` | `uses` | `uses` | | | | | | | | | | | | | | | | | | +| 
`conformance/railiance-fabric/mapping-expectations` | | | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | `maps` | `maps` | `maps` | | `maps` | `maps` | `maps` | | `maps` | `maps` | | | | | | | | | | | | | | | | | | | +| `conformance/railiance-fabric/visualization-examples` | | | | | | | | | | | | `part_of` | | `illustrates` | `illustrates` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `evaluation/user-engine` | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | `uses` | | `uses` | | | | | `uses` | `uses` | `uses` | `uses` | | `evaluates` | | | | | | | | | | | | | | `uses` | | +| `evaluation/user-engine/consumer-workplan-brief` | | | | | | | | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | | | +| `evaluation/user-engine/interface-card-expectations` | | | | | | | | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | `uses` | | +| `evaluation/user-engine/questions` | | | | | | | | | | | | | | | | | `part_of` | | | | | | | | | `uses` | `uses` | | `uses` | | | | | `uses` | `uses` | `uses` | `uses` | | | | | | | | | | | | | | | | | | +| `evaluation/user-engine/small-saas-alignment` | | | | | | | | | | | | | | | | | `part_of` | | | | | | | | | `uses` | | | `uses` | | | | | `uses` | | | | | `evaluates` | | | | | | | | | | | | | | | | +| `example/consumer-purpose-portfolio` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `illustrates` | | | `illustrates` | `uses` | | | | | | | | | | | | | | | | +| `kernel/itc-core` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `kernel/itc-kernel-map` | | | | | | | | | | | | | | | | | | | | | | | `maps` | | | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | | `maps` | `maps` | | | | | | | | | | | | | | | | `maps` | `maps` | +| 
`mapping/purpose-demand-governance-candidates` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `maps` | | | | | | `maps` | | `uses` | | | | | | | | | | | | | | | | | | +| `model/access-control` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | `uses` | | | | | `uses` | | | | | | | | | | | | | | | | | | | | | +| `model/data` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | `uses` | | | | | | | | | | | | | | | | | | | | | | | | | | +| `model/devsecops` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | | +| `model/governance` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `model/information-space` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `model/landscape` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `model/network` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | | +| `model/observability` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | +| `model/organization` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `model/purpose-demand-extension` | | | | | | | | | | | `introduces` | | | | | | | | | | | | `conforms_to` | | | | | | `extends` | `uses` | | | | | | | `uses` | | | | | | | | | | | | | | | | | | +| `model/security` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | `uses` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | +| `model/task` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | 
| | | | | | | | | | | | | | +| `pattern/intent-scope-purposes` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | `implements` | | `uses` | | | | | | | | | | | | | | | | | | +| `profile/small-saas` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | `requires` | `requires` | `requires` | `requires` | | `requires` | `requires` | `requires` | `requires` | | `requires` | `requires` | | | | | | | | | | | | | | | | `requires` | `requires` | +| `small-saas/control/namespace-per-tenant` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | `instantiates` | | | | `evidenced_by` | | | | | | | | | | `uses` | | +| `small-saas/dataset/subscription-ledger` | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | `instantiates` | | | | | | `governed_by` | `owned_by` | | | | `partitioned_for` | `partitioned_for` | | | | +| `small-saas/deployment/production` | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | `uses` | | | | | | | `instantiates` | `implements` | | | | | | `deploys` | | | | `separates` | `separates` | | | | +| `small-saas/evidence/access-review-2026-05` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | `instantiates` | | | | | | | | | | | | | | | | +| `small-saas/incident/cross-tenant-access-attempt` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | `instantiates` | `constrained_by` | | | `evidenced_by` | | | | | | | | | | | | +| `small-saas/policy/tenant-isolation` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | `instantiates` | `requires` | | | `evidenced_by` | | | | | | | | | | | | +| `small-saas/service/billing-portal` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | `instantiates` | | | | | | | | `part_of` | | `owned_by` | | | | | | +| `small-saas/system/billing-system` | | | | | | | | | | | | | | | | | | 
| | | | | | | | | | | | | `uses` | | | | | | | | `instantiates` | | | | | | | | | | | `serves` | `serves` | | | | +| `small-saas/task/onboard-tenant` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | `instantiates` | | | | | | `governed_by` | | | | `owned_by` | `changes` | | | | | +| `small-saas/team/platform` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | `instantiates` | | | | | | | | | | | | | | | | +| `small-saas/tenant/acme` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | `instantiates` | `isolated_by` | | | | | | | | | | | | `represented_by` | | | +| `small-saas/tenant/globex` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | `instantiates` | `isolated_by` | | | | | | | | | | | | | | | +| `small-saas/user/ada-admin` | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | `uses` | | | | | `instantiates` | | | | `access_evidenced_by` | | `has_access_under` | | | | `member_of` | | | | | | +| `standard/caring` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | `imports` | `imports` | `imports` | `imports` | | | `imports` | `imports` | `imports` | | `imports` | `imports` | | | | | | | | | | | | | | | | | `imports` | +| `standard/tagging` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | `imports` | | | | | | | | | | | | | | | | | | diff --git a/infospace/views/kernel-overview.md b/infospace/views/kernel-overview.md index aded484..2010b87 100644 --- a/infospace/views/kernel-overview.md +++ b/infospace/views/kernel-overview.md 
@@ -3,12 +3,16 @@ # Kernel Overview - Infospace: `canon` -- Artifacts: 49 +- Artifacts: 54 ## Artifact Kinds +- `access-descriptor-set`: 1 +- `benchmark-findings`: 1 +- `benchmark-workspace`: 1 - `benefit-analysis`: 1 - `capture-criteria`: 1 +- `caring-mapping`: 1 - `comparison-frame`: 1 - `comparison-report`: 1 - `concept-catalog`: 1 @@ -24,6 +28,7 @@ - `mapping-expectation`: 1 - `model`: 11 - `model-extension`: 1 +- `native-concept-map`: 1 - `pattern`: 1 - `profile`: 1 - `profile-alignment`: 1 @@ -36,7 +41,7 @@ - `access_evidenced_by`: 1 - `changes`: 1 - `compares`: 1 -- `conforms_to`: 16 +- `conforms_to`: 17 - `constrained_by`: 1 - `deploys`: 1 - `evaluates`: 2 @@ -50,14 +55,15 @@ - `instantiates`: 13 - `introduces`: 1 - `isolated_by`: 2 -- `maps`: 29 +- `maps`: 36 - `member_of`: 1 - `owned_by`: 3 -- `part_of`: 13 +- `part_of`: 17 - `partitioned_for`: 2 -- `proposes`: 4 +- `proposes`: 7 - `represented_by`: 1 - `requires`: 13 - `separates`: 2 - `serves`: 2 -- `uses`: 79 +- `stress_tests`: 6 +- `uses`: 84 diff --git a/infospace/views/repository-tree.md b/infospace/views/repository-tree.md index 2656d1a..8fbf876 100644 --- a/infospace/views/repository-tree.md +++ b/infospace/views/repository-tree.md @@ -2,10 +2,15 @@ # Repository Tree -File count: **131** +File count: **142** - `README.md` - `agent/README.md` +- `agent/briefs/benchmark-caring-kubernetes-rbac-access-descriptors.md` +- `agent/briefs/benchmark-caring-kubernetes-rbac-caring-mapping.md` +- `agent/briefs/benchmark-caring-kubernetes-rbac-findings.md` +- `agent/briefs/benchmark-caring-kubernetes-rbac-native-concepts.md` +- `agent/briefs/benchmark-caring-kubernetes-rbac.md` - `agent/briefs/comparison-repo-scoping-canon-benefit-analysis.md` - `agent/briefs/comparison-repo-scoping-consumer-workplan-brief.md` - `agent/briefs/comparison-repo-scoping-extension-candidates.md` 
@@ -124,6 +129,12 @@ File count: **131** - `schemas/standard.schema.yaml` - `schemas/workplan.schema.yaml` - `standards/caring/InfoTechCanonCaringAccessGovernanceStandard.md` +- `standards/caring/benchmarks/kubernetes-rbac/README.md` +- `standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml` +- `standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml` +- `standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml` +- `standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml` +- `standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml` - `standards/tagging/InfoTechCanonTaggingStandard.md` - `validation/README.md` - `validation/latest.json` diff --git a/src/info_tech_canon/generation.py b/src/info_tech_canon/generation.py index 49fb106..824cab0 100644 --- a/src/info_tech_canon/generation.py +++ b/src/info_tech_canon/generation.py @@ -10,8 +10,12 @@ import yaml GENERATED_NOTICE = "" RETRIEVAL_ARTIFACT_KINDS = { + "access-descriptor-set", "benefit-analysis", + "benchmark-findings", + "benchmark-workspace", "capture-criteria", + "caring-mapping", "comparison-frame", "comparison-report", "concept-catalog", @@ -27,6 +31,7 @@ RETRIEVAL_ARTIFACT_KINDS = { "mapping-expectation", "model", "model-extension", + "native-concept-map", "pattern", "profile-alignment", "profile", 
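Review bot: `RETRIEVAL_ARTIFACT_KINDS` now carries the same five new kinds (`access-descriptor-set`, `benchmark-findings`, `benchmark-workspace`, `caring-mapping`, `native-concept-map`) that this commit also adds to `RETRIEVAL_BRIEF_KINDS` in `validation.py`, and nothing ties the two sets together, so the next kind added to one and forgotten in the other will be generated without being validated, or validated without ever being generated. Have one module own the set and import it in the other, e.g. `from .validation import RETRIEVAL_BRIEF_KINDS as RETRIEVAL_ARTIFACT_KINDS`, or, if that import direction is circular, add a test asserting `RETRIEVAL_ARTIFACT_KINDS == RETRIEVAL_BRIEF_KINDS`. The second hunk on this line (`@@ -27,6 +31,7 @@`) adds `native-concept-map` to the same set and has the same drift risk.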
@@ -869,10 +874,18 @@ def _safe_id(value: str) -> str: def _summary_for_artifact(artifact: Any) -> str: if artifact.kind == "profile-artifact": return f"Example artifact for the {artifact.provenance.get('profile', 'unknown')} profile: {artifact.title}." + if artifact.kind == "access-descriptor-set": + return f"Structured CARING access descriptor set: {artifact.title}." if artifact.kind == "benefit-analysis": return f"Consumer benefit analysis against canon surfaces: {artifact.title}." + if artifact.kind == "benchmark-findings": + return f"Benchmark findings, gaps, and canon pressure: {artifact.title}." + if artifact.kind == "benchmark-workspace": + return f"Benchmark workspace definition and review criteria: {artifact.title}." if artifact.kind == "capture-criteria": return f"Criteria for canonical entity and edge capture: {artifact.title}." + if artifact.kind == "caring-mapping": + return f"Native access model to CARING mapping: {artifact.title}." if artifact.kind == "comparison-frame": return f"Structured comparison questions and domains: {artifact.title}." if artifact.kind == "comparison-report": @@ -899,6 +912,8 @@ def _summary_for_artifact(artifact: Any) -> str: return f"Expected mappings between consumer graph capture and canon surfaces: {artifact.title}." if artifact.kind == "model-extension": return f"Candidate extension to an existing canon model: {artifact.title}." + if artifact.kind == "native-concept-map": + return f"Native source concept map for assimilation or benchmark work: {artifact.title}." if artifact.kind == "pattern": return f"Reusable canon pattern: {artifact.title}." if artifact.kind == "profile-alignment": diff --git a/src/info_tech_canon/validation.py b/src/info_tech_canon/validation.py index c5416db..a5dfa35 100644 --- a/src/info_tech_canon/validation.py +++ b/src/info_tech_canon/validation.py 
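Review bot: `_summary_for_artifact` grows by one `if artifact.kind == ...` branch per kind, and this commit adds five more across two hunks, so the function is now a long linear chain that has to be kept in step with `RETRIEVAL_ARTIFACT_KINDS` by hand. A module-level mapping from kind to summary template, with the `profile-artifact` branch kept as the one special case because it reads `artifact.provenance`, would make adding a kind a one-line change and would let a test assert that every kind in `RETRIEVAL_ARTIFACT_KINDS` has a template. The tail of the function (the remaining branches and whatever it returns for a kind with no branch) lies outside this hunk, so the fallback comment below stands in for that code.

```python
_KIND_SUMMARY_TEMPLATES: dict[str, str] = {
    "access-descriptor-set": "Structured CARING access descriptor set: {title}.",
    "benchmark-findings": "Benchmark findings, gaps, and canon pressure: {title}.",
    "benchmark-workspace": "Benchmark workspace definition and review criteria: {title}.",
    "caring-mapping": "Native access model to CARING mapping: {title}.",
    "native-concept-map": "Native source concept map for assimilation or benchmark work: {title}.",
    # … unchanged: one entry per existing kind, text taken from the removed if-branches …
}


def _summary_for_artifact(artifact: Any) -> str:
    # profile-artifact is the only kind whose summary needs more than the title.
    if artifact.kind == "profile-artifact":
        return f"Example artifact for the {artifact.provenance.get('profile', 'unknown')} profile: {artifact.title}."
    template = _KIND_SUMMARY_TEMPLATES.get(artifact.kind)
    if template is not None:
        return template.format(title=artifact.title)
    # … unchanged: existing fallback for kinds without a template (outside this hunk) …
```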
@@ -53,8 +53,12 @@ REQUIRED_SCHEMAS = ( ) RETRIEVAL_BRIEF_KINDS = { + "access-descriptor-set", "benefit-analysis", + "benchmark-findings", + "benchmark-workspace", "capture-criteria", + "caring-mapping", "comparison-frame", "comparison-report", "concept-catalog", @@ -69,6 +73,7 @@ RETRIEVAL_BRIEF_KINDS = { "mapping-expectation", "model", "model-extension", + "native-concept-map", "pattern", "profile-alignment", "profile", @@ -243,6 +248,40 @@ REPO_SCOPING_REQUIRED_EXTENSION_CANDIDATES = { "extension/scope-md-interface", } +CARING_K8S_BENCHMARK_ARTIFACT_IDS = { + "benchmark/caring/kubernetes-rbac", + "benchmark/caring/kubernetes-rbac/access-descriptors", + "benchmark/caring/kubernetes-rbac/caring-mapping", + "benchmark/caring/kubernetes-rbac/findings", + "benchmark/caring/kubernetes-rbac/native-concepts", +} + +CARING_K8S_REQUIRED_NATIVE_CONCEPTS = { + "Role", + "ClusterRole", + "RoleBinding", + "ClusterRoleBinding", + "ServiceAccount", + "Namespace", + "Verb", + "Resource", + "Scope", +} + +CARING_K8S_REQUIRED_CASES = { + "namespace-pod-reader", + "workload-creator-derived-execution", + "cluster-secret-reader", + "namespace-as-tenant-boundary", +} + +CARING_K8S_REQUIRED_DESCRIPTOR_CLASSES = { + "declared_access", + "effective_access", + "derived_capability", + "induced_access", +} + def structural_checks(context: Any) -> dict[str, list[dict[str, Any]]]: errors: list[dict[str, Any]] = [] @@ -270,6 +309,11 @@ def structural_checks(context: Any) -> dict[str, list[dict[str, Any]]]: context.infospace.artifacts, errors, ) + _check_caring_kubernetes_rbac_benchmark_assets( + context.infospace_root, + context.infospace.artifacts, + errors, + ) _check_optional_assets(context.infospace_root, warnings) return {"errors": errors, "warnings": warnings} 
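Review bot: `CARING_K8S_REQUIRED_NATIVE_CONCEPTS` names `ServiceAccount` as the only binding subject, so a native-concepts file that never models `User` or `Group` subjects (the subjects of most human-operator and OIDC-group bindings) still passes, and none of the four ids in `CARING_K8S_REQUIRED_CASES` forces coverage of the RBAC-internal escalation paths (the `bind`, `escalate` and `impersonate` verbs and wildcard `*` rules) that a Kubernetes RBAC review would normally start from. If the benchmark is meant to stress-test the `derived_capability` and `induced_access` classes in `CARING_K8S_REQUIRED_DESCRIPTOR_CLASSES`, consider adding `"User"` and `"Group"` to the concept set and a fifth required case for an escalation-verb holder, with matching entries in `benchmark.yaml` and `native-concepts.yaml` so the new check does not start failing. Separately, the concept and descriptor-class sets are not consumed anywhere in the visible part of `_check_caring_kubernetes_rbac_benchmark_assets`; that function runs past the end of the page, so I assume they are enforced there, and a comment above the block such as `# Minimum coverage enforced by _check_caring_kubernetes_rbac_benchmark_assets; keep in step with benchmark.yaml` would make the link explicit.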
@@ -1167,6 +1211,216 @@ def _check_repo_scoping_comparison_assets( ) +def _check_caring_kubernetes_rbac_benchmark_assets( + infospace_root: Path, + artifacts: list[Any], + errors: list[dict[str, Any]], +) -> None: + artifact_ids = {artifact.id for artifact in artifacts} + for artifact_id in sorted(CARING_K8S_BENCHMARK_ARTIFACT_IDS - artifact_ids): + errors.append( + { + "code": "missing_caring_kubernetes_rbac_benchmark_artifact", + "artifact_id": artifact_id, + } + ) + + benchmark_root = infospace_root / "standards" / "caring" / "benchmarks" / "kubernetes-rbac" + if not benchmark_root.is_dir(): + errors.append( + { + "code": "missing_caring_kubernetes_rbac_benchmark_workspace", + "path": "infospace/standards/caring/benchmarks/kubernetes-rbac", + } + ) + return + + benchmark = _read_yaml(benchmark_root / "benchmark.yaml", errors) + if isinstance(benchmark, dict): + for field in ("source_corpus", "expected_outputs", "review_criteria"): + items = benchmark.get(field) or [] + if not isinstance(items, list) or not items: + errors.append( + { + "code": "missing_caring_kubernetes_benchmark_field", + "field": field, + } + ) + cases = benchmark.get("cases") or [] + if not isinstance(cases, list): + errors.append( + { + "code": "invalid_caring_kubernetes_benchmark_cases", + "path": "infospace/standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml", + } + ) + else: + case_ids = { + str(case.get("id")) + for case in cases + if isinstance(case, dict) and case.get("id") + } + for case_id in sorted(CARING_K8S_REQUIRED_CASES - case_ids): + errors.append( + { + "code": "missing_caring_kubernetes_benchmark_case", + "case": case_id, + } + ) + + native = _read_yaml(benchmark_root / "native-concepts.yaml", errors) + if isinstance(native, dict): + if native.get("namespace_tenant_boundary_warning") is not True: + errors.append( + { + "code": "missing_caring_kubernetes_namespace_warning", + "path": "infospace/standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml", + } + ) + 
concepts = native.get("concepts") or [] + if not isinstance(concepts, list): + errors.append( + { + "code": "invalid_caring_kubernetes_native_concepts", + "path": "infospace/standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml", + } + ) + else: + native_names = { + str(concept.get("native")) + for concept in concepts + if isinstance(concept, dict) and concept.get("native") + } + for concept in sorted(CARING_K8S_REQUIRED_NATIVE_CONCEPTS - native_names): + errors.append( + { + "code": "missing_caring_kubernetes_native_concept", + "concept": concept, + } + ) + + mapping = _read_yaml(benchmark_root / "caring-mapping.yaml", errors) + if isinstance(mapping, dict): + if mapping.get("namespace_tenant_boundary_warning") is not True: + errors.append( + { + "code": "missing_caring_kubernetes_mapping_namespace_warning", + "path": "infospace/standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml", + } + ) + mappings = mapping.get("mappings") or [] + if not isinstance(mappings, list): + errors.append( + { + "code": "invalid_caring_kubernetes_mappings", + "path": "infospace/standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml", + } + ) + else: + mapped_names = { + str(item.get("native_concept")) + for item in mappings + if isinstance(item, dict) and item.get("native_concept") + } + for concept in sorted(CARING_K8S_REQUIRED_NATIVE_CONCEPTS - mapped_names): + errors.append( + { + "code": "missing_caring_kubernetes_mapping", + "concept": concept, + } + ) + analysis_rules = mapping.get("analysis_rules") or [] + if not isinstance(analysis_rules, list) or not analysis_rules: + errors.append( + { + "code": "missing_caring_kubernetes_analysis_rules", + "path": "infospace/standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml", + } + ) + + descriptors = _read_yaml(benchmark_root / "access-descriptors.yaml", errors) + if isinstance(descriptors, dict): + descriptor_classes = set(descriptors.get("descriptor_classes") or []) + for descriptor_class in 
sorted( + CARING_K8S_REQUIRED_DESCRIPTOR_CLASSES - descriptor_classes + ): + errors.append( + { + "code": "missing_caring_kubernetes_descriptor_class", + "descriptor_class": descriptor_class, + } + ) + descriptor_items = descriptors.get("descriptors") or [] + if not isinstance(descriptor_items, list): + errors.append( + { + "code": "invalid_caring_kubernetes_descriptors", + "path": "infospace/standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml", + } + ) + else: + used_classes = { + str(item.get("descriptor_class")) + for item in descriptor_items + if isinstance(item, dict) and item.get("descriptor_class") + } + for descriptor_class in sorted( + CARING_K8S_REQUIRED_DESCRIPTOR_CLASSES - used_classes + ): + errors.append( + { + "code": "missing_caring_kubernetes_descriptor_example", + "descriptor_class": descriptor_class, + } + ) + required_fields = ( + "subject", + "scope", + "plane", + "capabilities", + "exposure_mode", + "lifecycle_state", + "native_evidence", + ) + for item in descriptor_items: + if not isinstance(item, dict): + continue + for field in required_fields: + if not item.get(field): + errors.append( + { + "code": "incomplete_caring_kubernetes_descriptor", + "descriptor": item.get("id"), + "field": field, + } + ) + + findings = _read_yaml(benchmark_root / "findings-and-canon-pressure.yaml", errors) + if isinstance(findings, dict): + for field in ("stable_findings", "gaps", "conflicts", "proposed_changes"): + items = findings.get(field) or [] + if not isinstance(items, list) or not items: + errors.append( + { + "code": "missing_caring_kubernetes_findings_field", + "field": field, + } + ) + stable_findings = findings.get("stable_findings") or [] + finding_ids = { + str(finding.get("id")) + for finding in stable_findings + if isinstance(finding, dict) and finding.get("id") + } + if "finding/namespace-not-tenant-boundary" not in finding_ids: + errors.append( + { + "code": "missing_caring_kubernetes_namespace_finding", + "path": 
"infospace/standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml", + } + ) + + def _artifact_paths_by_path( infospace_root: Path, errors: list[dict[str, Any]], diff --git a/tests/test_cli.py b/tests/test_cli.py index 39aed60..bb091c4 100644 --- a/tests/test_cli.py +++ b/tests/test_cli.py @@ -11,7 +11,7 @@ def test_cli_inspect_emits_json(capsys) -> None: assert exit_code == 0 payload = json.loads(capsys.readouterr().out) assert payload["ok"] is True - assert payload["infospace"]["artifact_count"] == 49 + assert payload["infospace"]["artifact_count"] == 54 def test_cli_missing_profile_uses_structured_error(capsys) -> None: diff --git a/tests/test_service.py b/tests/test_service.py index 9952e1d..0b9c957 100644 --- a/tests/test_service.py +++ b/tests/test_service.py @@ -19,10 +19,14 @@ def test_inspect_canon_counts_artifact_kinds() -> None: assert payload["ok"] is True assert payload["infospace"]["slug"] == "canon" - assert payload["infospace"]["artifact_count"] == 49 + assert payload["infospace"]["artifact_count"] == 54 assert payload["infospace"]["kinds"] == { + "access-descriptor-set": 1, "benefit-analysis": 1, + "benchmark-findings": 1, + "benchmark-workspace": 1, "capture-criteria": 1, + "caring-mapping": 1, "comparison-frame": 1, "comparison-report": 1, "concept-catalog": 1, @@ -38,6 +42,7 @@ def test_inspect_canon_counts_artifact_kinds() -> None: "mapping-expectation": 1, "model": 11, "model-extension": 1, + "native-concept-map": 1, "pattern": 1, "profile-alignment": 1, "profile": 1, 
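Review bot: `descriptor_classes = set(descriptors.get("descriptor_classes") or [])` in the `access-descriptors.yaml` section is the one collection in this function that is not guarded with `isinstance(..., list)`: a YAML mapping there yields its keys, a scalar string yields its characters, and a list of mappings raises `TypeError` (unhashable dict) and aborts the whole structural check instead of recording an error like the sibling `invalid_caring_kubernetes_*` paths do. The other checks also normalise ids with `str(...)` before set arithmetic, which this one skips. The function also has no docstring; suggest `"""Append structural errors for the CARING Kubernetes RBAC benchmark workspace: required artifact ids, benchmark cases, native concept coverage, CARING mappings, descriptor classes and findings."""`.

```python
    descriptors = _read_yaml(benchmark_root / "access-descriptors.yaml", errors)
    if isinstance(descriptors, dict):
        declared_classes = descriptors.get("descriptor_classes") or []
        if not isinstance(declared_classes, list):
            errors.append(
                {
                    "code": "invalid_caring_kubernetes_descriptor_classes",
                    "path": "infospace/standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml",
                }
            )
            declared_classes = []
        # Normalise to str so non-string YAML scalars cannot raise or silently mismatch.
        descriptor_classes = {str(item) for item in declared_classes}
        # … unchanged: required-class, descriptor example and required-field checks …
```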
@@ -58,14 +63,14 @@ def test_validate_canon_passes_scaffold() -> None: assert payload["ok"] is True assert payload["errors"] == [] assert "warnings" in payload - assert payload["details"]["artifact_count"] == 49 + assert payload["details"]["artifact_count"] == 54 def test_graph_exports_relationship_summary() -> None: payload = artifact_graph() assert payload["ok"] is True - assert payload["graph"]["node_count"] == 49 + assert payload["graph"]["node_count"] == 54 assert payload["graph"]["edge_count"] > 15 @@ -115,6 +120,9 @@ def test_generators_write_expected_assets(tmp_path) -> None: assert ( root / "agent" / "briefs" / "comparison-repo-scoping-report.md" ).is_file() + assert ( + root / "agent" / "briefs" / "benchmark-caring-kubernetes-rbac.md" + ).is_file() assert (root / "agent" / "briefs" / "pattern-intent-scope-purposes.md").is_file() assert ( root / "agent" / "templates" / "canon-interface-card.template.yaml" diff --git a/workplans/ITC-WP-0010-caring-kubernetes-rbac-benchmark.md b/workplans/ITC-WP-0010-caring-kubernetes-rbac-benchmark.md index 23ca936..b36aba3 100644 --- a/workplans/ITC-WP-0010-caring-kubernetes-rbac-benchmark.md +++ b/workplans/ITC-WP-0010-caring-kubernetes-rbac-benchmark.md @@ -4,7 +4,7 @@ type: workplan title: "CARING Kubernetes RBAC Benchmark" domain: canon repo: info-tech-canon -status: proposed +status: finished priority: medium created: "2026-05-23" updated: "2026-05-23" @@ -33,7 +33,7 @@ Governance, Security, Network, DevSecOps, Observability, Task, and Tagging. ```task id: ITC-WP-0010-T01 -status: todo +status: done priority: high state_hub_task_id: "9ad31e13-7dc2-469c-b539-d3375a16c5f4" ``` @@ -45,7 +45,7 @@ state_hub_task_id: "9ad31e13-7dc2-469c-b539-d3375a16c5f4" ```task id: ITC-WP-0010-T02 -status: todo +status: done priority: high state_hub_task_id: "180d7ccf-7daa-4f4c-a92a-641ef5d7b442" ``` 
@@ -58,7 +58,7 @@ state_hub_task_id: "180d7ccf-7daa-4f4c-a92a-641ef5d7b442" ```task id: ITC-WP-0010-T03 -status: todo +status: done priority: high state_hub_task_id: "4ffd6643-a7ab-487c-a09a-0fcaf0115c83" ``` @@ -71,7 +71,7 @@ state_hub_task_id: "4ffd6643-a7ab-487c-a09a-0fcaf0115c83" ```task id: ITC-WP-0010-T04 -status: todo +status: done priority: medium state_hub_task_id: "52632a4c-6e03-4212-ad6b-0cbb7b3a6e42" ``` @@ -84,3 +84,16 @@ state_hub_task_id: "52632a4c-6e03-4212-ad6b-0cbb7b3a6e42" - Kubernetes RBAC is analyzed as a benchmark, not as a shortcut profile. - CARING descriptor shape is tested with practical examples. - Benchmark findings produce explicit canon change proposals. + +## Implementation Notes + +- Created `infospace/standards/caring/benchmarks/kubernetes-rbac/` as a + distinct benchmark workspace. +- Added benchmark workspace, native concept map, CARING mapping, descriptor + set, and findings/canon-pressure artifacts. +- Registered all benchmark artifacts in the artifact index and retrieval + generation flow. +- Added structural validation for the benchmark corpus, Kubernetes RBAC native + concept coverage, namespace tenant-boundary warning, CARING descriptor + classes, and findings/proposals. +- Regenerated agent briefs, indexes, tree views, and validation output. diff --git a/workplans/index.yaml b/workplans/index.yaml index 2c050ee..e99b21f 100644 --- a/workplans/index.yaml +++ b/workplans/index.yaml @@ -136,7 +136,7 @@ workplans: - id: ITC-WP-0010 title: CARING Kubernetes RBAC Benchmark - status: proposed + status: finished priority: medium path: workplans/ITC-WP-0010-caring-kubernetes-rbac-benchmark.md depends_on: