generated from coulomb/repo-seed
Add CARING Kubernetes RBAC benchmark
This commit is contained in:
@@ -0,0 +1,164 @@
|
||||
id: benchmark/caring/kubernetes-rbac/access-descriptors
|
||||
title: Kubernetes RBAC CARING Access Descriptors
|
||||
status: candidate
|
||||
benchmark: benchmark/caring/kubernetes-rbac
|
||||
descriptor_classes:
|
||||
- declared_access
|
||||
- effective_access
|
||||
- derived_capability
|
||||
- induced_access
|
||||
descriptors:
|
||||
- id: descriptor/namespace-pod-reader/declared
|
||||
case_id: namespace-pod-reader
|
||||
descriptor_class: declared_access
|
||||
subject: serviceaccount:tenant-a:report-viewer
|
||||
organization_relation: customer-operated-service
|
||||
canonical_role: Viewer
|
||||
scope: namespace:tenant-a
|
||||
plane: Runtime
|
||||
capabilities:
|
||||
- get pods
|
||||
- list pods
|
||||
- watch pods
|
||||
exposure_mode: metadata-and-runtime-state
|
||||
lifecycle_state: steady-state-observation
|
||||
conditions:
|
||||
- bound by RoleBinding in namespace tenant-a
|
||||
restrictions:
|
||||
- no pod mutation
|
||||
- no secret read
|
||||
- namespace is not accepted as tenant boundary without additional evidence
|
||||
native_evidence:
|
||||
- Role/report-viewer
|
||||
- RoleBinding/report-viewer-binding
|
||||
- ServiceAccount/report-viewer
|
||||
- id: descriptor/workload-creator/declared
|
||||
case_id: workload-creator-derived-execution
|
||||
descriptor_class: declared_access
|
||||
subject: serviceaccount:tenant-a:job-runner
|
||||
organization_relation: customer-operated-automation
|
||||
canonical_role: Doer
|
||||
scope: namespace:tenant-a
|
||||
plane: Runtime
|
||||
capabilities:
|
||||
- create pods
|
||||
- get pods
|
||||
- delete pods
|
||||
exposure_mode: workload-specification-control
|
||||
lifecycle_state: job-execution
|
||||
conditions:
|
||||
- bound by RoleBinding in namespace tenant-a
|
||||
restrictions:
|
||||
- no direct secret get/list/watch declared
|
||||
native_evidence:
|
||||
- Role/job-runner
|
||||
- RoleBinding/job-runner-binding
|
||||
- ServiceAccount/job-runner
|
||||
- id: descriptor/workload-creator/effective
|
||||
case_id: workload-creator-derived-execution
|
||||
descriptor_class: effective_access
|
||||
subject: serviceaccount:tenant-a:job-runner
|
||||
organization_relation: customer-operated-automation
|
||||
canonical_role: Doer
|
||||
scope: namespace:tenant-a
|
||||
plane: Runtime
|
||||
capabilities:
|
||||
- create workload
|
||||
- select pod service account
|
||||
- influence mounted volumes
|
||||
- execute container image
|
||||
exposure_mode: mediated-runtime-execution
|
||||
lifecycle_state: job-execution
|
||||
conditions:
|
||||
- pod admission and service-account mount behavior determine actual reach
|
||||
restrictions:
|
||||
- effective access must be checked against admission policy and service-account permissions
|
||||
native_evidence:
|
||||
- create pods verb
|
||||
- pod spec serviceAccountName
|
||||
- projected service account token behavior
|
||||
- id: descriptor/workload-creator/derived
|
||||
case_id: workload-creator-derived-execution
|
||||
descriptor_class: derived_capability
|
||||
subject: serviceaccount:tenant-a:job-runner
|
||||
organization_relation: customer-operated-automation
|
||||
canonical_role: Doer
|
||||
scope: namespace:tenant-a
|
||||
plane: Runtime
|
||||
capabilities:
|
||||
- execute arbitrary workload image
|
||||
- use mounted service account identity
|
||||
- read mounted runtime inputs
|
||||
exposure_mode: derived-execution-and-identity-use
|
||||
lifecycle_state: job-execution
|
||||
conditions:
|
||||
- derived from create pods permission
|
||||
restrictions:
|
||||
- must be bounded by admission controls, image policy, and service-account selection rules
|
||||
native_evidence:
|
||||
- Role/job-runner create pods
|
||||
- id: descriptor/workload-creator/induced
|
||||
case_id: workload-creator-derived-execution
|
||||
descriptor_class: induced_access
|
||||
subject: serviceaccount:tenant-a:job-runner
|
||||
organization_relation: customer-operated-automation
|
||||
canonical_role: Doer
|
||||
scope: namespace:tenant-a
|
||||
plane: Secret
|
||||
capabilities:
|
||||
- potential secret exposure through mounted volumes
|
||||
- potential token exposure through mounted identity
|
||||
exposure_mode: induced-secret-and-identity-exposure
|
||||
lifecycle_state: job-execution
|
||||
conditions:
|
||||
- induced path exists only when workload can mount or reach sensitive material
|
||||
restrictions:
|
||||
- classify as candidate finding until manifests, admission, and secret references are reviewed
|
||||
native_evidence:
|
||||
- pod volume mounts
|
||||
- service account token projection
|
||||
- secret references in pod spec
|
||||
- id: descriptor/cluster-secret-reader/declared
|
||||
case_id: cluster-secret-reader
|
||||
descriptor_class: declared_access
|
||||
subject: serviceaccount:platform:inventory
|
||||
organization_relation: platform-service-provider
|
||||
canonical_role: Auditor
|
||||
scope: cluster
|
||||
plane: Secret
|
||||
capabilities:
|
||||
- get secrets
|
||||
- list secrets
|
||||
- watch secrets
|
||||
exposure_mode: sensitive-data-read
|
||||
lifecycle_state: operational-inventory
|
||||
conditions:
|
||||
- bound by ClusterRoleBinding
|
||||
restrictions:
|
||||
- requires governance review and audit evidence
|
||||
native_evidence:
|
||||
- ClusterRole/secret-reader
|
||||
- ClusterRoleBinding/inventory-secret-reader
|
||||
- ServiceAccount/inventory
|
||||
- id: descriptor/namespace-boundary/review
|
||||
case_id: namespace-as-tenant-boundary
|
||||
descriptor_class: effective_access
|
||||
subject: tenant-boundary-claim:tenant-a
|
||||
organization_relation: platform-provider
|
||||
canonical_role: Governor
|
||||
scope: namespace:tenant-a
|
||||
plane: Policy
|
||||
capabilities:
|
||||
- claim tenant isolation
|
||||
- review access and runtime boundaries
|
||||
exposure_mode: governance-claim
|
||||
lifecycle_state: design-review
|
||||
conditions:
|
||||
- claim must be supported by access, network, runtime, data, and governance evidence
|
||||
restrictions:
|
||||
- namespace alone is insufficient evidence
|
||||
native_evidence:
|
||||
- Namespace/tenant-a
|
||||
- RoleBinding set
|
||||
- NetworkPolicy set
|
||||
- ResourceQuota set
|
||||
Reference in New Issue
Block a user