generated from coulomb/repo-seed
Add CARING Kubernetes RBAC benchmark
@@ -99,3 +99,11 @@ current scope, future scope, consumer purposes, review decisions, evidence,
|
|||||||
source observations, utility relationships, scope freshness, and SCOPE.md as an
|
source observations, utility relationships, scope freshness, and SCOPE.md as an
|
||||||
interface profile. The pack is intended to seed the consumer-side repo-scoping
|
interface profile. The pack is intended to seed the consumer-side repo-scoping
|
||||||
workplan while keeping proposed canon extensions reviewable.
|
workplan while keeping proposed canon extensions reviewable.
|
||||||
|
|
||||||
|
## Benchmarks
|
||||||
|
|
||||||
|
CARING benchmark assets live under `infospace/standards/caring/benchmarks/`.
|
||||||
|
The first benchmark is `kubernetes-rbac`, which maps Kubernetes RBAC native
|
||||||
|
constructs into CARING descriptors and records canon pressure around native
|
||||||
|
roles, effective access, derived workload capabilities, induced secret exposure,
|
||||||
|
and the rule that a Namespace is not automatically a tenant boundary.
|
||||||
|
|||||||
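Review bot: the new `## Benchmarks` paragraph names the directory `infospace/standards/caring/benchmarks/kubernetes-rbac/` but not its entry point; the catalogue hunk later in this diff registers `standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml` as the `benchmark-workspace` with the summary "Benchmark workspace definition and review criteria", so link that file here so a reader knows where the review criteria live. The security claims the paragraph lists (effective access, derived workload capabilities, induced secret exposure, and that a Namespace is not automatically a tenant boundary) are recorded in `findings-and-canon-pressure.yaml` according to the file-index hunk; a pointer to that file lets a reviewer reach the evidence directly instead of discovering it through the agent briefs.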
@@ -0,0 +1,33 @@
|
|||||||
|
---
|
||||||
|
id: agent-brief/benchmark-caring-kubernetes-rbac-access-descriptors
|
||||||
|
artifact_id: benchmark/caring/kubernetes-rbac/access-descriptors
|
||||||
|
source_path: standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml
|
||||||
|
source_kind: access-descriptor-set
|
||||||
|
generated: true
|
||||||
|
---
|
||||||
|
|
||||||
|
<!-- GENERATED by info_tech_canon; do not edit by hand. -->
|
||||||
|
|
||||||
|
# Agent Brief: Kubernetes RBAC CARING Access Descriptors
|
||||||
|
|
||||||
|
- Artifact ID: `benchmark/caring/kubernetes-rbac/access-descriptors`
|
||||||
|
- Kind: `access-descriptor-set`
|
||||||
|
- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml`
|
||||||
|
- Full source: `standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml`
|
||||||
|
- Summary: Structured CARING access descriptor set: Kubernetes RBAC CARING Access Descriptors.
|
||||||
|
|
||||||
|
## Retrieval Hints
|
||||||
|
|
||||||
|
Imports and anchors:
|
||||||
|
- `model/access-control`
|
||||||
|
- `model/devsecops`
|
||||||
|
- `model/security`
|
||||||
|
- `standard/caring`
|
||||||
|
|
||||||
|
## Owned Concepts
|
||||||
|
|
||||||
|
- `Kubernetes RBAC CARING Access Descriptors`
|
||||||
|
|
||||||
|
## Related Distinctions
|
||||||
|
|
||||||
|
No common distinction is anchored directly on this artifact.
|
||||||
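Review bot: `Canonical path` and `Full source` carry the identical value `standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml`, and the front matter `source_path` has no `infospace/` prefix either, whereas the retrieval-index hunks in this same diff record `source_path` as `infospace/standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml`. If `Full source` is meant to be the on-disk path an agent can open, it should use the prefixed value; if not, the two bullets are redundant. The same pattern appears in the other four generated briefs, so the fix belongs in the brief generator (these files are marked `do not edit by hand`), not in the files themselves.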
@@ -0,0 +1,29 @@
|
|||||||
|
---
|
||||||
|
id: agent-brief/benchmark-caring-kubernetes-rbac-caring-mapping
|
||||||
|
artifact_id: benchmark/caring/kubernetes-rbac/caring-mapping
|
||||||
|
source_path: standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml
|
||||||
|
source_kind: caring-mapping
|
||||||
|
generated: true
|
||||||
|
---
|
||||||
|
|
||||||
|
<!-- GENERATED by info_tech_canon; do not edit by hand. -->
|
||||||
|
|
||||||
|
# Agent Brief: Kubernetes RBAC To CARING Mapping
|
||||||
|
|
||||||
|
- Artifact ID: `benchmark/caring/kubernetes-rbac/caring-mapping`
|
||||||
|
- Kind: `caring-mapping`
|
||||||
|
- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml`
|
||||||
|
- Full source: `standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml`
|
||||||
|
- Summary: Native access model to CARING mapping: Kubernetes RBAC To CARING Mapping.
|
||||||
|
|
||||||
|
## Retrieval Hints
|
||||||
|
|
||||||
|
No imports or anchors recorded.
|
||||||
|
|
||||||
|
## Owned Concepts
|
||||||
|
|
||||||
|
- `Kubernetes RBAC To CARING Mapping`
|
||||||
|
|
||||||
|
## Related Distinctions
|
||||||
|
|
||||||
|
No common distinction is anchored directly on this artifact.
|
||||||
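Review bot: `No imports or anchors recorded.` leaves the mapping artifact with no retrieval hints, although the catalogue hunk gives it `maps` relationships to `standard/caring`, `model/access-control`, `model/governance` and `model/security`. Comparing with the access-descriptors brief, whose four `uses` targets all surface as anchors, the generator appears to derive anchors only from `uses`/`conforms_to`, so `maps` targets are invisible to retrieval. Either add `uses` (or `type: imports`, the convention visible in the catalogue context) alongside `maps` in `caring-mapping.yaml`, or make the generator treat `maps` as an anchor.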
@@ -0,0 +1,29 @@
|
|||||||
|
---
|
||||||
|
id: agent-brief/benchmark-caring-kubernetes-rbac-findings
|
||||||
|
artifact_id: benchmark/caring/kubernetes-rbac/findings
|
||||||
|
source_path: standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml
|
||||||
|
source_kind: benchmark-findings
|
||||||
|
generated: true
|
||||||
|
---
|
||||||
|
|
||||||
|
<!-- GENERATED by info_tech_canon; do not edit by hand. -->
|
||||||
|
|
||||||
|
# Agent Brief: Kubernetes RBAC Benchmark Findings And Canon Pressure
|
||||||
|
|
||||||
|
- Artifact ID: `benchmark/caring/kubernetes-rbac/findings`
|
||||||
|
- Kind: `benchmark-findings`
|
||||||
|
- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml`
|
||||||
|
- Full source: `standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml`
|
||||||
|
- Summary: Benchmark findings, gaps, and canon pressure: Kubernetes RBAC Benchmark Findings And Canon Pressure.
|
||||||
|
|
||||||
|
## Retrieval Hints
|
||||||
|
|
||||||
|
No imports or anchors recorded.
|
||||||
|
|
||||||
|
## Owned Concepts
|
||||||
|
|
||||||
|
- `Kubernetes RBAC Benchmark Findings And Canon Pressure`
|
||||||
|
|
||||||
|
## Related Distinctions
|
||||||
|
|
||||||
|
No common distinction is anchored directly on this artifact.
|
||||||
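Review bot: this brief is for the artifact that carries the security-relevant conclusions (per the README hunk: induced secret exposure and the rule that a Namespace is not automatically a tenant boundary), yet its `proposes` relationships in the index hunks target only `standard/caring`, `model/governance` and `model/security`. The workspace entry lists `model/network` among its `stress_tests` targets, and Namespace tenancy is as much a network-segmentation claim as a governance one, so confirm whether the omission of `model/network` from the `proposes` list is intentional. As with the mapping brief, the empty `Retrieval Hints` section means agents cannot reach these findings through anchors.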
@@ -0,0 +1,29 @@
|
|||||||
|
---
|
||||||
|
id: agent-brief/benchmark-caring-kubernetes-rbac-native-concepts
|
||||||
|
artifact_id: benchmark/caring/kubernetes-rbac/native-concepts
|
||||||
|
source_path: standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml
|
||||||
|
source_kind: native-concept-map
|
||||||
|
generated: true
|
||||||
|
---
|
||||||
|
|
||||||
|
<!-- GENERATED by info_tech_canon; do not edit by hand. -->
|
||||||
|
|
||||||
|
# Agent Brief: Kubernetes RBAC Native Concept Map
|
||||||
|
|
||||||
|
- Artifact ID: `benchmark/caring/kubernetes-rbac/native-concepts`
|
||||||
|
- Kind: `native-concept-map`
|
||||||
|
- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml`
|
||||||
|
- Full source: `standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml`
|
||||||
|
- Summary: Native source concept map for assimilation or benchmark work: Kubernetes RBAC Native Concept Map.
|
||||||
|
|
||||||
|
## Retrieval Hints
|
||||||
|
|
||||||
|
No imports or anchors recorded.
|
||||||
|
|
||||||
|
## Owned Concepts
|
||||||
|
|
||||||
|
- `Kubernetes RBAC Native Concept Map`
|
||||||
|
|
||||||
|
## Related Distinctions
|
||||||
|
|
||||||
|
No common distinction is anchored directly on this artifact.
|
||||||
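Review bot: the native concept map is the only new artifact that `maps` to `model/landscape` (index hunks), and `model/landscape` is absent from the workspace's `stress_tests` list, so the landscape relationship is reachable only through this sub-artifact. If the benchmark is meant to exercise landscape placement of Kubernetes RBAC constructs, add it to the workspace relationships; otherwise note in `native-concepts.yaml` why the map alone references it. The empty `Retrieval Hints` section has the same cause as in the mapping and findings briefs.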
31
infospace/agent/briefs/benchmark-caring-kubernetes-rbac.md
Normal file
@@ -0,0 +1,31 @@
|
|||||||
|
---
|
||||||
|
id: agent-brief/benchmark-caring-kubernetes-rbac
|
||||||
|
artifact_id: benchmark/caring/kubernetes-rbac
|
||||||
|
source_path: standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml
|
||||||
|
source_kind: benchmark-workspace
|
||||||
|
generated: true
|
||||||
|
---
|
||||||
|
|
||||||
|
<!-- GENERATED by info_tech_canon; do not edit by hand. -->
|
||||||
|
|
||||||
|
# Agent Brief: CARING Kubernetes RBAC Benchmark
|
||||||
|
|
||||||
|
- Artifact ID: `benchmark/caring/kubernetes-rbac`
|
||||||
|
- Kind: `benchmark-workspace`
|
||||||
|
- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml`
|
||||||
|
- Full source: `standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml`
|
||||||
|
- Summary: Benchmark workspace definition and review criteria: CARING Kubernetes RBAC Benchmark.
|
||||||
|
|
||||||
|
## Retrieval Hints
|
||||||
|
|
||||||
|
Imports and anchors:
|
||||||
|
- `standard/caring`
|
||||||
|
- `standard/tagging`
|
||||||
|
|
||||||
|
## Owned Concepts
|
||||||
|
|
||||||
|
- `CARING Kubernetes RBAC Benchmark`
|
||||||
|
|
||||||
|
## Related Distinctions
|
||||||
|
|
||||||
|
No common distinction is anchored directly on this artifact.
|
||||||
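Review bot: `Imports and anchors` lists only `standard/caring` and `standard/tagging`, but the workspace `stress_tests` six models according to the index hunks (`model/access-control`, `model/governance`, `model/security`, `model/devsecops`, `model/network`, `model/observability`). This brief is the first thing an agent reads for the benchmark, so either surface those targets as anchors or state that `stress_tests` targets are deliberately excluded from retrieval hints. The `Summary` bullet repeats the title; one sentence naming the review criteria would be more useful than "Benchmark workspace definition and review criteria: CARING Kubernetes RBAC Benchmark."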
@@ -5,8 +5,8 @@
|
|||||||
This brief summarizes the current canon service surface for agents.
|
This brief summarizes the current canon service surface for agents.
|
||||||
|
|
||||||
- Infospace slug: `canon`
|
- Infospace slug: `canon`
|
||||||
- Artifact count: 49
|
- Artifact count: 54
|
||||||
- Retrieval index items: 49
|
- Retrieval index items: 54
|
||||||
- Primary confidence command: `make validate`
|
- Primary confidence command: `make validate`
|
||||||
- Refresh generated indexes and views with: `make index`
|
- Refresh generated indexes and views with: `make index`
|
||||||
- Refresh agent briefs and interface templates with: `make agent-briefs`
|
- Refresh agent briefs and interface templates with: `make agent-briefs`
|
||||||
|
|||||||
@@ -43,8 +43,195 @@
|
|||||||
}
|
}
|
||||||
],
|
],
|
||||||
"infospace": "canon",
|
"infospace": "canon",
|
||||||
"item_count": 49,
|
"item_count": 54,
|
||||||
"items": [
|
"items": [
|
||||||
|
{
|
||||||
|
"canonical_path": "standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml",
|
||||||
|
"id": "benchmark/caring/kubernetes-rbac",
|
||||||
|
"imports": [
|
||||||
|
"standard/caring",
|
||||||
|
"standard/tagging"
|
||||||
|
],
|
||||||
|
"kind": "benchmark-workspace",
|
||||||
|
"owned_concepts": [
|
||||||
|
"CARING Kubernetes RBAC Benchmark"
|
||||||
|
],
|
||||||
|
"relationships": [
|
||||||
|
{
|
||||||
|
"target": "standard/caring",
|
||||||
|
"type": "conforms_to"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"target": "model/access-control",
|
||||||
|
"type": "stress_tests"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"target": "model/governance",
|
||||||
|
"type": "stress_tests"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"target": "model/security",
|
||||||
|
"type": "stress_tests"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"target": "model/devsecops",
|
||||||
|
"type": "stress_tests"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"target": "model/network",
|
||||||
|
"type": "stress_tests"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"target": "model/observability",
|
||||||
|
"type": "stress_tests"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"target": "standard/tagging",
|
||||||
|
"type": "uses"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"source_path": "infospace/standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml",
|
||||||
|
"summary": "Benchmark workspace definition and review criteria: CARING Kubernetes RBAC Benchmark.",
|
||||||
|
"title": "CARING Kubernetes RBAC Benchmark",
|
||||||
|
"warnings": []
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"canonical_path": "standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml",
|
||||||
|
"id": "benchmark/caring/kubernetes-rbac/access-descriptors",
|
||||||
|
"imports": [
|
||||||
|
"model/access-control",
|
||||||
|
"model/devsecops",
|
||||||
|
"model/security",
|
||||||
|
"standard/caring"
|
||||||
|
],
|
||||||
|
"kind": "access-descriptor-set",
|
||||||
|
"owned_concepts": [
|
||||||
|
"Kubernetes RBAC CARING Access Descriptors"
|
||||||
|
],
|
||||||
|
"relationships": [
|
||||||
|
{
|
||||||
|
"target": "benchmark/caring/kubernetes-rbac",
|
||||||
|
"type": "part_of"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"target": "standard/caring",
|
||||||
|
"type": "uses"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"target": "model/access-control",
|
||||||
|
"type": "uses"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"target": "model/security",
|
||||||
|
"type": "uses"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"target": "model/devsecops",
|
||||||
|
"type": "uses"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"source_path": "infospace/standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml",
|
||||||
|
"summary": "Structured CARING access descriptor set: Kubernetes RBAC CARING Access Descriptors.",
|
||||||
|
"title": "Kubernetes RBAC CARING Access Descriptors",
|
||||||
|
"warnings": []
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"canonical_path": "standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml",
|
||||||
|
"id": "benchmark/caring/kubernetes-rbac/caring-mapping",
|
||||||
|
"imports": [],
|
||||||
|
"kind": "caring-mapping",
|
||||||
|
"owned_concepts": [
|
||||||
|
"Kubernetes RBAC To CARING Mapping"
|
||||||
|
],
|
||||||
|
"relationships": [
|
||||||
|
{
|
||||||
|
"target": "benchmark/caring/kubernetes-rbac",
|
||||||
|
"type": "part_of"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"target": "standard/caring",
|
||||||
|
"type": "maps"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"target": "model/access-control",
|
||||||
|
"type": "maps"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"target": "model/governance",
|
||||||
|
"type": "maps"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"target": "model/security",
|
||||||
|
"type": "maps"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"source_path": "infospace/standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml",
|
||||||
|
"summary": "Native access model to CARING mapping: Kubernetes RBAC To CARING Mapping.",
|
||||||
|
"title": "Kubernetes RBAC To CARING Mapping",
|
||||||
|
"warnings": []
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"canonical_path": "standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml",
|
||||||
|
"id": "benchmark/caring/kubernetes-rbac/findings",
|
||||||
|
"imports": [],
|
||||||
|
"kind": "benchmark-findings",
|
||||||
|
"owned_concepts": [
|
||||||
|
"Kubernetes RBAC Benchmark Findings And Canon Pressure"
|
||||||
|
],
|
||||||
|
"relationships": [
|
||||||
|
{
|
||||||
|
"target": "benchmark/caring/kubernetes-rbac",
|
||||||
|
"type": "part_of"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"target": "standard/caring",
|
||||||
|
"type": "proposes"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"target": "model/governance",
|
||||||
|
"type": "proposes"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"target": "model/security",
|
||||||
|
"type": "proposes"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"source_path": "infospace/standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml",
|
||||||
|
"summary": "Benchmark findings, gaps, and canon pressure: Kubernetes RBAC Benchmark Findings And Canon Pressure.",
|
||||||
|
"title": "Kubernetes RBAC Benchmark Findings And Canon Pressure",
|
||||||
|
"warnings": []
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"canonical_path": "standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml",
|
||||||
|
"id": "benchmark/caring/kubernetes-rbac/native-concepts",
|
||||||
|
"imports": [],
|
||||||
|
"kind": "native-concept-map",
|
||||||
|
"owned_concepts": [
|
||||||
|
"Kubernetes RBAC Native Concept Map"
|
||||||
|
],
|
||||||
|
"relationships": [
|
||||||
|
{
|
||||||
|
"target": "benchmark/caring/kubernetes-rbac",
|
||||||
|
"type": "part_of"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"target": "standard/caring",
|
||||||
|
"type": "maps"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"target": "model/access-control",
|
||||||
|
"type": "maps"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"target": "model/landscape",
|
||||||
|
"type": "maps"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"source_path": "infospace/standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml",
|
||||||
|
"summary": "Native source concept map for assimilation or benchmark work: Kubernetes RBAC Native Concept Map.",
|
||||||
|
"title": "Kubernetes RBAC Native Concept Map",
|
||||||
|
"warnings": []
|
||||||
|
},
|
||||||
{
|
{
|
||||||
"canonical_path": "evaluations/repo-scoping/canon-benefit-analysis.yaml",
|
"canonical_path": "evaluations/repo-scoping/canon-benefit-analysis.yaml",
|
||||||
"id": "comparison/repo-scoping/canon-benefit-analysis",
|
"id": "comparison/repo-scoping/canon-benefit-analysis",
|
||||||
|
|||||||
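Review bot: `"item_count"` 49 to 54 matches the five new entries and the entries sort by `id`, but two things need attention. First, `"imports": []` for caring-mapping, findings and native-concepts while their `"relationships"` carry four, three and three targets respectively: if imports are derived only from `uses` and `conforms_to` (the access-descriptors entry with four `uses` targets gets four imports; the benchmark entry with `conforms_to` plus `uses` gets two), document that rule, because an empty import list on an artifact of kind `caring-mapping` is surprising. Second, every new entry has `"warnings": []`, so the generator raised nothing about an artifact that has relationships but no imports; emitting a warning for that case would make `make validate` (the primary confidence command in the agent README hunk) catch the gap.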
@@ -4,7 +4,7 @@
|
|||||||
|
|
||||||
Schema: `info-tech-canon.retrieval-index.v1`
|
Schema: `info-tech-canon.retrieval-index.v1`
|
||||||
Infospace: `canon`
|
Infospace: `canon`
|
||||||
Items: **49**
|
Items: **54**
|
||||||
|
|
||||||
## Common Distinctions
|
## Common Distinctions
|
||||||
|
|
||||||
@@ -15,6 +15,56 @@ Items: **49**
|
|||||||
|
|
||||||
## Items
|
## Items
|
||||||
|
|
||||||
|
### CARING Kubernetes RBAC Benchmark
|
||||||
|
|
||||||
|
- ID: `benchmark/caring/kubernetes-rbac`
|
||||||
|
- Kind: `benchmark-workspace`
|
||||||
|
- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml`
|
||||||
|
- Source path: `infospace/standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml`
|
||||||
|
- Summary: Benchmark workspace definition and review criteria: CARING Kubernetes RBAC Benchmark.
|
||||||
|
- Imports and anchors: `standard/caring`, `standard/tagging`
|
||||||
|
- Owned concepts: `CARING Kubernetes RBAC Benchmark`
|
||||||
|
|
||||||
|
### Kubernetes RBAC CARING Access Descriptors
|
||||||
|
|
||||||
|
- ID: `benchmark/caring/kubernetes-rbac/access-descriptors`
|
||||||
|
- Kind: `access-descriptor-set`
|
||||||
|
- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml`
|
||||||
|
- Source path: `infospace/standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml`
|
||||||
|
- Summary: Structured CARING access descriptor set: Kubernetes RBAC CARING Access Descriptors.
|
||||||
|
- Imports and anchors: `model/access-control`, `model/devsecops`, `model/security`, `standard/caring`
|
||||||
|
- Owned concepts: `Kubernetes RBAC CARING Access Descriptors`
|
||||||
|
|
||||||
|
### Kubernetes RBAC To CARING Mapping
|
||||||
|
|
||||||
|
- ID: `benchmark/caring/kubernetes-rbac/caring-mapping`
|
||||||
|
- Kind: `caring-mapping`
|
||||||
|
- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml`
|
||||||
|
- Source path: `infospace/standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml`
|
||||||
|
- Summary: Native access model to CARING mapping: Kubernetes RBAC To CARING Mapping.
|
||||||
|
- Imports and anchors: none
|
||||||
|
- Owned concepts: `Kubernetes RBAC To CARING Mapping`
|
||||||
|
|
||||||
|
### Kubernetes RBAC Benchmark Findings And Canon Pressure
|
||||||
|
|
||||||
|
- ID: `benchmark/caring/kubernetes-rbac/findings`
|
||||||
|
- Kind: `benchmark-findings`
|
||||||
|
- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml`
|
||||||
|
- Source path: `infospace/standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml`
|
||||||
|
- Summary: Benchmark findings, gaps, and canon pressure: Kubernetes RBAC Benchmark Findings And Canon Pressure.
|
||||||
|
- Imports and anchors: none
|
||||||
|
- Owned concepts: `Kubernetes RBAC Benchmark Findings And Canon Pressure`
|
||||||
|
|
||||||
|
### Kubernetes RBAC Native Concept Map
|
||||||
|
|
||||||
|
- ID: `benchmark/caring/kubernetes-rbac/native-concepts`
|
||||||
|
- Kind: `native-concept-map`
|
||||||
|
- Canonical path: `standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml`
|
||||||
|
- Source path: `infospace/standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml`
|
||||||
|
- Summary: Native source concept map for assimilation or benchmark work: Kubernetes RBAC Native Concept Map.
|
||||||
|
- Imports and anchors: none
|
||||||
|
- Owned concepts: `Kubernetes RBAC Native Concept Map`
|
||||||
|
|
||||||
### Repo Scoping Canon Benefit Analysis
|
### Repo Scoping Canon Benefit Analysis
|
||||||
|
|
||||||
- ID: `comparison/repo-scoping/canon-benefit-analysis`
|
- ID: `comparison/repo-scoping/canon-benefit-analysis`
|
||||||
|
|||||||
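Review bot: `Imports and anchors: none` appears for three of the five new items, the same retrieval gap as in the JSON index, and it is the mapping and findings items, i.e. the ones that carry the access-control claims, that end up unanchored. Separately, the `Source path` bullets here use the `infospace/` prefix while the agent briefs' `Full source` bullets do not; settle on one convention across the generated views.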
@@ -1,7 +1,124 @@
|
|||||||
schema: info-tech-canon.retrieval-index.v1
|
schema: info-tech-canon.retrieval-index.v1
|
||||||
infospace: canon
|
infospace: canon
|
||||||
item_count: 49
|
item_count: 54
|
||||||
items:
|
items:
|
||||||
|
- id: benchmark/caring/kubernetes-rbac
|
||||||
|
kind: benchmark-workspace
|
||||||
|
title: CARING Kubernetes RBAC Benchmark
|
||||||
|
canonical_path: standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml
|
||||||
|
source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml
|
||||||
|
summary: 'Benchmark workspace definition and review criteria: CARING Kubernetes
|
||||||
|
RBAC Benchmark.'
|
||||||
|
owned_concepts:
|
||||||
|
- CARING Kubernetes RBAC Benchmark
|
||||||
|
imports:
|
||||||
|
- standard/caring
|
||||||
|
- standard/tagging
|
||||||
|
relationships:
|
||||||
|
- type: conforms_to
|
||||||
|
target: standard/caring
|
||||||
|
- type: stress_tests
|
||||||
|
target: model/access-control
|
||||||
|
- type: stress_tests
|
||||||
|
target: model/governance
|
||||||
|
- type: stress_tests
|
||||||
|
target: model/security
|
||||||
|
- type: stress_tests
|
||||||
|
target: model/devsecops
|
||||||
|
- type: stress_tests
|
||||||
|
target: model/network
|
||||||
|
- type: stress_tests
|
||||||
|
target: model/observability
|
||||||
|
- type: uses
|
||||||
|
target: standard/tagging
|
||||||
|
warnings: []
|
||||||
|
- id: benchmark/caring/kubernetes-rbac/access-descriptors
|
||||||
|
kind: access-descriptor-set
|
||||||
|
title: Kubernetes RBAC CARING Access Descriptors
|
||||||
|
canonical_path: standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml
|
||||||
|
source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml
|
||||||
|
summary: 'Structured CARING access descriptor set: Kubernetes RBAC CARING Access
|
||||||
|
Descriptors.'
|
||||||
|
owned_concepts:
|
||||||
|
- Kubernetes RBAC CARING Access Descriptors
|
||||||
|
imports:
|
||||||
|
- model/access-control
|
||||||
|
- model/devsecops
|
||||||
|
- model/security
|
||||||
|
- standard/caring
|
||||||
|
relationships:
|
||||||
|
- type: part_of
|
||||||
|
target: benchmark/caring/kubernetes-rbac
|
||||||
|
- type: uses
|
||||||
|
target: standard/caring
|
||||||
|
- type: uses
|
||||||
|
target: model/access-control
|
||||||
|
- type: uses
|
||||||
|
target: model/security
|
||||||
|
- type: uses
|
||||||
|
target: model/devsecops
|
||||||
|
warnings: []
|
||||||
|
- id: benchmark/caring/kubernetes-rbac/caring-mapping
|
||||||
|
kind: caring-mapping
|
||||||
|
title: Kubernetes RBAC To CARING Mapping
|
||||||
|
canonical_path: standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml
|
||||||
|
source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml
|
||||||
|
summary: 'Native access model to CARING mapping: Kubernetes RBAC To CARING Mapping.'
|
||||||
|
owned_concepts:
|
||||||
|
- Kubernetes RBAC To CARING Mapping
|
||||||
|
imports: []
|
||||||
|
relationships:
|
||||||
|
- type: part_of
|
||||||
|
target: benchmark/caring/kubernetes-rbac
|
||||||
|
- type: maps
|
||||||
|
target: standard/caring
|
||||||
|
- type: maps
|
||||||
|
target: model/access-control
|
||||||
|
- type: maps
|
||||||
|
target: model/governance
|
||||||
|
- type: maps
|
||||||
|
target: model/security
|
||||||
|
warnings: []
|
||||||
|
- id: benchmark/caring/kubernetes-rbac/findings
|
||||||
|
kind: benchmark-findings
|
||||||
|
title: Kubernetes RBAC Benchmark Findings And Canon Pressure
|
||||||
|
canonical_path: standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml
|
||||||
|
source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml
|
||||||
|
summary: 'Benchmark findings, gaps, and canon pressure: Kubernetes RBAC Benchmark
|
||||||
|
Findings And Canon Pressure.'
|
||||||
|
owned_concepts:
|
||||||
|
- Kubernetes RBAC Benchmark Findings And Canon Pressure
|
||||||
|
imports: []
|
||||||
|
relationships:
|
||||||
|
- type: part_of
|
||||||
|
target: benchmark/caring/kubernetes-rbac
|
||||||
|
- type: proposes
|
||||||
|
target: standard/caring
|
||||||
|
- type: proposes
|
||||||
|
target: model/governance
|
||||||
|
- type: proposes
|
||||||
|
target: model/security
|
||||||
|
warnings: []
|
||||||
|
- id: benchmark/caring/kubernetes-rbac/native-concepts
|
||||||
|
kind: native-concept-map
|
||||||
|
title: Kubernetes RBAC Native Concept Map
|
||||||
|
canonical_path: standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml
|
||||||
|
source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml
|
||||||
|
summary: 'Native source concept map for assimilation or benchmark work: Kubernetes
|
||||||
|
RBAC Native Concept Map.'
|
||||||
|
owned_concepts:
|
||||||
|
- Kubernetes RBAC Native Concept Map
|
||||||
|
imports: []
|
||||||
|
relationships:
|
||||||
|
- type: part_of
|
||||||
|
target: benchmark/caring/kubernetes-rbac
|
||||||
|
- type: maps
|
||||||
|
target: standard/caring
|
||||||
|
- type: maps
|
||||||
|
target: model/access-control
|
||||||
|
- type: maps
|
||||||
|
target: model/landscape
|
||||||
|
warnings: []
|
||||||
- id: comparison/repo-scoping/canon-benefit-analysis
|
- id: comparison/repo-scoping/canon-benefit-analysis
|
||||||
kind: benefit-analysis
|
kind: benefit-analysis
|
||||||
title: Repo Scoping Canon Benefit Analysis
|
title: Repo Scoping Canon Benefit Analysis
|
||||||
|
|||||||
@@ -242,6 +242,98 @@ artifacts:
|
|||||||
target: model/task
|
target: model/task
|
||||||
- type: imports
|
- type: imports
|
||||||
target: standard/tagging
|
target: standard/tagging
|
||||||
|
- id: benchmark/caring/kubernetes-rbac
|
||||||
|
path: standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml
|
||||||
|
kind: benchmark-workspace
|
||||||
|
title: CARING Kubernetes RBAC Benchmark
|
||||||
|
provenance:
|
||||||
|
source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml
|
||||||
|
placement_workplan: ITC-WP-0010
|
||||||
|
relationships:
|
||||||
|
- type: conforms_to
|
||||||
|
target: standard/caring
|
||||||
|
- type: stress_tests
|
||||||
|
target: model/access-control
|
||||||
|
- type: stress_tests
|
||||||
|
target: model/governance
|
||||||
|
- type: stress_tests
|
||||||
|
target: model/security
|
||||||
|
- type: stress_tests
|
||||||
|
target: model/devsecops
|
||||||
|
- type: stress_tests
|
||||||
|
target: model/network
|
||||||
|
- type: stress_tests
|
||||||
|
target: model/observability
|
||||||
|
- type: uses
|
||||||
|
target: standard/tagging
|
||||||
|
- id: benchmark/caring/kubernetes-rbac/native-concepts
|
||||||
|
path: standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml
|
||||||
|
kind: native-concept-map
|
||||||
|
title: Kubernetes RBAC Native Concept Map
|
||||||
|
provenance:
|
||||||
|
source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml
|
||||||
|
placement_workplan: ITC-WP-0010
|
||||||
|
relationships:
|
||||||
|
- type: part_of
|
||||||
|
target: benchmark/caring/kubernetes-rbac
|
||||||
|
- type: maps
|
||||||
|
target: standard/caring
|
||||||
|
- type: maps
|
||||||
|
target: model/access-control
|
||||||
|
- type: maps
|
||||||
|
target: model/landscape
|
||||||
|
- id: benchmark/caring/kubernetes-rbac/caring-mapping
|
||||||
|
path: standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml
|
||||||
|
kind: caring-mapping
|
||||||
|
title: Kubernetes RBAC To CARING Mapping
|
||||||
|
provenance:
|
||||||
|
source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml
|
||||||
|
placement_workplan: ITC-WP-0010
|
||||||
|
relationships:
|
||||||
|
- type: part_of
|
||||||
|
target: benchmark/caring/kubernetes-rbac
|
||||||
|
- type: maps
|
||||||
|
target: standard/caring
|
||||||
|
- type: maps
|
||||||
|
target: model/access-control
|
||||||
|
- type: maps
|
||||||
|
target: model/governance
|
||||||
|
- type: maps
|
||||||
|
target: model/security
|
||||||
|
- id: benchmark/caring/kubernetes-rbac/access-descriptors
|
||||||
|
path: standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml
|
||||||
|
kind: access-descriptor-set
|
||||||
|
title: Kubernetes RBAC CARING Access Descriptors
|
||||||
|
provenance:
|
||||||
|
source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml
|
||||||
|
placement_workplan: ITC-WP-0010
|
||||||
|
relationships:
|
||||||
|
- type: part_of
|
||||||
|
target: benchmark/caring/kubernetes-rbac
|
||||||
|
- type: uses
|
||||||
|
target: standard/caring
|
||||||
|
- type: uses
|
||||||
|
target: model/access-control
|
||||||
|
- type: uses
|
||||||
|
target: model/security
|
||||||
|
- type: uses
|
||||||
|
target: model/devsecops
|
||||||
|
- id: benchmark/caring/kubernetes-rbac/findings
|
||||||
|
path: standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml
|
||||||
|
kind: benchmark-findings
|
||||||
|
title: Kubernetes RBAC Benchmark Findings And Canon Pressure
|
||||||
|
provenance:
|
||||||
|
source_path: infospace/standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml
|
||||||
|
placement_workplan: ITC-WP-0010
|
||||||
|
relationships:
|
||||||
|
- type: part_of
|
||||||
|
target: benchmark/caring/kubernetes-rbac
|
||||||
|
- type: proposes
|
||||||
|
target: standard/caring
|
||||||
|
- type: proposes
|
||||||
|
target: model/governance
|
||||||
|
- type: proposes
|
||||||
|
target: model/security
|
||||||
- id: profile/small-saas
|
- id: profile/small-saas
|
||||||
path: profiles/small-saas/profile.yaml
|
path: profiles/small-saas/profile.yaml
|
||||||
kind: profile
|
kind: profile
|
||||||
|
|||||||
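Review bot: the unchanged context at the top of this hunk shows the catalogue convention `- type: imports` / `target: standard/tagging`, but none of the five new entries declares a `type: imports` relationship; the workspace uses `conforms_to` and `uses`, and the index hunks still derive `imports: [standard/caring, standard/tagging]` for it, while the `maps`/`proposes`-only entries come out with `imports: []`. State which relationship types count as imports, or add explicit `type: imports` entries so the mapping, findings and native-concept artifacts stop surfacing with empty retrieval hints. All five entries also share `placement_workplan: ITC-WP-0010`, which is not defined anywhere in this diff; confirm the workplan exists before merge.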
@@ -1,5 +1,5 @@
|
|||||||
root: infospace
|
root: infospace
|
||||||
file_count: 131
|
file_count: 142
|
||||||
files:
|
files:
|
||||||
- path: README.md
|
- path: README.md
|
||||||
directory: .
|
directory: .
|
||||||
@@ -7,6 +7,21 @@ files:
|
|||||||
- path: agent/README.md
|
- path: agent/README.md
|
||||||
directory: agent
|
directory: agent
|
||||||
name: README.md
|
name: README.md
|
||||||
|
- path: agent/briefs/benchmark-caring-kubernetes-rbac-access-descriptors.md
|
||||||
|
directory: agent/briefs
|
||||||
|
name: benchmark-caring-kubernetes-rbac-access-descriptors.md
|
||||||
|
- path: agent/briefs/benchmark-caring-kubernetes-rbac-caring-mapping.md
|
||||||
|
directory: agent/briefs
|
||||||
|
name: benchmark-caring-kubernetes-rbac-caring-mapping.md
|
||||||
|
- path: agent/briefs/benchmark-caring-kubernetes-rbac-findings.md
|
||||||
|
directory: agent/briefs
|
||||||
|
name: benchmark-caring-kubernetes-rbac-findings.md
|
||||||
|
- path: agent/briefs/benchmark-caring-kubernetes-rbac-native-concepts.md
|
||||||
|
directory: agent/briefs
|
||||||
|
name: benchmark-caring-kubernetes-rbac-native-concepts.md
|
||||||
|
- path: agent/briefs/benchmark-caring-kubernetes-rbac.md
|
||||||
|
directory: agent/briefs
|
||||||
|
name: benchmark-caring-kubernetes-rbac.md
|
||||||
- path: agent/briefs/comparison-repo-scoping-canon-benefit-analysis.md
|
- path: agent/briefs/comparison-repo-scoping-canon-benefit-analysis.md
|
||||||
directory: agent/briefs
|
directory: agent/briefs
|
||||||
name: comparison-repo-scoping-canon-benefit-analysis.md
|
name: comparison-repo-scoping-canon-benefit-analysis.md
|
||||||
@@ -361,6 +376,24 @@ files:
|
|||||||
- path: standards/caring/InfoTechCanonCaringAccessGovernanceStandard.md
|
- path: standards/caring/InfoTechCanonCaringAccessGovernanceStandard.md
|
||||||
directory: standards/caring
|
directory: standards/caring
|
||||||
name: InfoTechCanonCaringAccessGovernanceStandard.md
|
name: InfoTechCanonCaringAccessGovernanceStandard.md
|
||||||
|
- path: standards/caring/benchmarks/kubernetes-rbac/README.md
|
||||||
|
directory: standards/caring/benchmarks/kubernetes-rbac
|
||||||
|
name: README.md
|
||||||
|
- path: standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml
|
||||||
|
directory: standards/caring/benchmarks/kubernetes-rbac
|
||||||
|
name: access-descriptors.yaml
|
||||||
|
- path: standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml
|
||||||
|
directory: standards/caring/benchmarks/kubernetes-rbac
|
||||||
|
name: benchmark.yaml
|
||||||
|
- path: standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml
|
||||||
|
directory: standards/caring/benchmarks/kubernetes-rbac
|
||||||
|
name: caring-mapping.yaml
|
||||||
|
- path: standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml
|
||||||
|
directory: standards/caring/benchmarks/kubernetes-rbac
|
||||||
|
name: findings-and-canon-pressure.yaml
|
||||||
|
- path: standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml
|
||||||
|
directory: standards/caring/benchmarks/kubernetes-rbac
|
||||||
|
name: native-concepts.yaml
|
||||||
- path: standards/tagging/InfoTechCanonTaggingStandard.md
|
- path: standards/tagging/InfoTechCanonTaggingStandard.md
|
||||||
directory: standards/tagging
|
directory: standards/tagging
|
||||||
name: InfoTechCanonTaggingStandard.md
|
name: InfoTechCanonTaggingStandard.md
|
||||||
|
|||||||
@@ -1,5 +1,25 @@
|
|||||||
concept_count: 74
|
concept_count: 79
|
||||||
concepts:
|
concepts:
|
||||||
|
- concept: CARING Kubernetes RBAC Benchmark
|
||||||
|
owner: benchmark/caring/kubernetes-rbac
|
||||||
|
path: standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml
|
||||||
|
source: artifact_title
|
||||||
|
- concept: Kubernetes RBAC CARING Access Descriptors
|
||||||
|
owner: benchmark/caring/kubernetes-rbac/access-descriptors
|
||||||
|
path: standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml
|
||||||
|
source: artifact_title
|
||||||
|
- concept: Kubernetes RBAC To CARING Mapping
|
||||||
|
owner: benchmark/caring/kubernetes-rbac/caring-mapping
|
||||||
|
path: standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml
|
||||||
|
source: artifact_title
|
||||||
|
- concept: Kubernetes RBAC Benchmark Findings And Canon Pressure
|
||||||
|
owner: benchmark/caring/kubernetes-rbac/findings
|
||||||
|
path: standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml
|
||||||
|
source: artifact_title
|
||||||
|
- concept: Kubernetes RBAC Native Concept Map
|
||||||
|
owner: benchmark/caring/kubernetes-rbac/native-concepts
|
||||||
|
path: standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml
|
||||||
|
source: artifact_title
|
||||||
- concept: Repo Scoping Canon Benefit Analysis
|
- concept: Repo Scoping Canon Benefit Analysis
|
||||||
owner: comparison/repo-scoping/canon-benefit-analysis
|
owner: comparison/repo-scoping/canon-benefit-analysis
|
||||||
path: evaluations/repo-scoping/canon-benefit-analysis.yaml
|
path: evaluations/repo-scoping/canon-benefit-analysis.yaml
|
||||||
|
|||||||
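Review bot: the `owner` id for the findings concept (`benchmark/caring/kubernetes-rbac/findings`) does not share a stem with its `path` (`findings-and-canon-pressure.yaml`), while the other four new concepts use the file stem as the last id segment (`access-descriptors`, `caring-mapping`, `native-concepts`); rename one side or document the exception in the brief so artifact ids stay derivable from paths.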
@@ -1,4 +1,9 @@
|
|||||||
artifacts:
|
artifacts:
|
||||||
|
- benchmark/caring/kubernetes-rbac
|
||||||
|
- benchmark/caring/kubernetes-rbac/access-descriptors
|
||||||
|
- benchmark/caring/kubernetes-rbac/caring-mapping
|
||||||
|
- benchmark/caring/kubernetes-rbac/findings
|
||||||
|
- benchmark/caring/kubernetes-rbac/native-concepts
|
||||||
- comparison/repo-scoping/canon-benefit-analysis
|
- comparison/repo-scoping/canon-benefit-analysis
|
||||||
- comparison/repo-scoping/consumer-workplan-brief
|
- comparison/repo-scoping/consumer-workplan-brief
|
||||||
- comparison/repo-scoping/extension-candidates
|
- comparison/repo-scoping/extension-candidates
|
||||||
@@ -49,6 +54,68 @@ artifacts:
|
|||||||
- standard/caring
|
- standard/caring
|
||||||
- standard/tagging
|
- standard/tagging
|
||||||
rows:
|
rows:
|
||||||
|
- artifact: benchmark/caring/kubernetes-rbac
|
||||||
|
targets:
|
||||||
|
model/access-control:
|
||||||
|
- stress_tests
|
||||||
|
model/devsecops:
|
||||||
|
- stress_tests
|
||||||
|
model/governance:
|
||||||
|
- stress_tests
|
||||||
|
model/network:
|
||||||
|
- stress_tests
|
||||||
|
model/observability:
|
||||||
|
- stress_tests
|
||||||
|
model/security:
|
||||||
|
- stress_tests
|
||||||
|
standard/caring:
|
||||||
|
- conforms_to
|
||||||
|
standard/tagging:
|
||||||
|
- uses
|
||||||
|
- artifact: benchmark/caring/kubernetes-rbac/access-descriptors
|
||||||
|
targets:
|
||||||
|
benchmark/caring/kubernetes-rbac:
|
||||||
|
- part_of
|
||||||
|
model/access-control:
|
||||||
|
- uses
|
||||||
|
model/devsecops:
|
||||||
|
- uses
|
||||||
|
model/security:
|
||||||
|
- uses
|
||||||
|
standard/caring:
|
||||||
|
- uses
|
||||||
|
- artifact: benchmark/caring/kubernetes-rbac/caring-mapping
|
||||||
|
targets:
|
||||||
|
benchmark/caring/kubernetes-rbac:
|
||||||
|
- part_of
|
||||||
|
model/access-control:
|
||||||
|
- maps
|
||||||
|
model/governance:
|
||||||
|
- maps
|
||||||
|
model/security:
|
||||||
|
- maps
|
||||||
|
standard/caring:
|
||||||
|
- maps
|
||||||
|
- artifact: benchmark/caring/kubernetes-rbac/findings
|
||||||
|
targets:
|
||||||
|
benchmark/caring/kubernetes-rbac:
|
||||||
|
- part_of
|
||||||
|
model/governance:
|
||||||
|
- proposes
|
||||||
|
model/security:
|
||||||
|
- proposes
|
||||||
|
standard/caring:
|
||||||
|
- proposes
|
||||||
|
- artifact: benchmark/caring/kubernetes-rbac/native-concepts
|
||||||
|
targets:
|
||||||
|
benchmark/caring/kubernetes-rbac:
|
||||||
|
- part_of
|
||||||
|
model/access-control:
|
||||||
|
- maps
|
||||||
|
model/landscape:
|
||||||
|
- maps
|
||||||
|
standard/caring:
|
||||||
|
- maps
|
||||||
- artifact: comparison/repo-scoping/canon-benefit-analysis
|
- artifact: comparison/repo-scoping/canon-benefit-analysis
|
||||||
targets:
|
targets:
|
||||||
comparison/repo-scoping/report:
|
comparison/repo-scoping/report:
|
||||||
|
|||||||
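Review bot: the `stress_tests` rows for `benchmark/caring/kubernetes-rbac` cover six models (access-control, devsecops, governance, network, observability, security), but the README in this commit states the benchmark stresses Organization, Landscape, Task and Tagging as well, and the mapping files target `model/organization`, `model/landscape` and `model/data`; either add `stress_tests` rows for those models or narrow the README claim so the relationship graph matches the prose.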
@@ -0,0 +1,30 @@
|
|||||||
|
---
|
||||||
|
id: benchmark/caring/kubernetes-rbac/readme
|
||||||
|
title: CARING Kubernetes RBAC Benchmark Workspace
|
||||||
|
status: candidate
|
||||||
|
created_by_workplan: ITC-WP-0010
|
||||||
|
---
|
||||||
|
|
||||||
|
# CARING Kubernetes RBAC Benchmark
|
||||||
|
|
||||||
|
This workspace analyzes Kubernetes RBAC as a CARING benchmark, not as a
|
||||||
|
shortcut profile. It is designed to stress access-governance orthogonality
|
||||||
|
across Access Control, Organization, Governance, Security, Landscape,
|
||||||
|
DevSecOps, Network, Observability, Task, and Tagging.
|
||||||
|
|
||||||
|
The benchmark keeps Kubernetes native constructs separate from CARING meaning:
|
||||||
|
|
||||||
|
- `Role` and `ClusterRole` are rule bundles or capability profiles, not
|
||||||
|
automatically CARING canonical roles.
|
||||||
|
- `RoleBinding` and `ClusterRoleBinding` are grants or assignments.
|
||||||
|
- `ServiceAccount` is a service subject and a workload identity anchor.
|
||||||
|
- `Namespace` is a useful scope signal, but it is not automatically a tenant
|
||||||
|
boundary.
|
||||||
|
|
||||||
|
Indexed benchmark artifacts:
|
||||||
|
|
||||||
|
- `benchmark.yaml`
|
||||||
|
- `native-concepts.yaml`
|
||||||
|
- `caring-mapping.yaml`
|
||||||
|
- `access-descriptors.yaml`
|
||||||
|
- `findings-and-canon-pressure.yaml`
|
||||||
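Review bot: the README front matter declares `id: benchmark/caring/kubernetes-rbac/readme`, yet the artifacts list in this commit registers only the five YAML ids and `artifact_count` rises by exactly five; either register the readme id as an artifact or drop the `id` field from the front matter so the commit does not introduce an unregistered artifact id.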
@@ -0,0 +1,164 @@
|
|||||||
|
id: benchmark/caring/kubernetes-rbac/access-descriptors
|
||||||
|
title: Kubernetes RBAC CARING Access Descriptors
|
||||||
|
status: candidate
|
||||||
|
benchmark: benchmark/caring/kubernetes-rbac
|
||||||
|
descriptor_classes:
|
||||||
|
- declared_access
|
||||||
|
- effective_access
|
||||||
|
- derived_capability
|
||||||
|
- induced_access
|
||||||
|
descriptors:
|
||||||
|
- id: descriptor/namespace-pod-reader/declared
|
||||||
|
case_id: namespace-pod-reader
|
||||||
|
descriptor_class: declared_access
|
||||||
|
subject: serviceaccount:tenant-a:report-viewer
|
||||||
|
organization_relation: customer-operated-service
|
||||||
|
canonical_role: Viewer
|
||||||
|
scope: namespace:tenant-a
|
||||||
|
plane: Runtime
|
||||||
|
capabilities:
|
||||||
|
- get pods
|
||||||
|
- list pods
|
||||||
|
- watch pods
|
||||||
|
exposure_mode: metadata-and-runtime-state
|
||||||
|
lifecycle_state: steady-state-observation
|
||||||
|
conditions:
|
||||||
|
- bound by RoleBinding in namespace tenant-a
|
||||||
|
restrictions:
|
||||||
|
- no pod mutation
|
||||||
|
- no secret read
|
||||||
|
- namespace is not accepted as tenant boundary without additional evidence
|
||||||
|
native_evidence:
|
||||||
|
- Role/report-viewer
|
||||||
|
- RoleBinding/report-viewer-binding
|
||||||
|
- ServiceAccount/report-viewer
|
||||||
|
- id: descriptor/workload-creator/declared
|
||||||
|
case_id: workload-creator-derived-execution
|
||||||
|
descriptor_class: declared_access
|
||||||
|
subject: serviceaccount:tenant-a:job-runner
|
||||||
|
organization_relation: customer-operated-automation
|
||||||
|
canonical_role: Doer
|
||||||
|
scope: namespace:tenant-a
|
||||||
|
plane: Runtime
|
||||||
|
capabilities:
|
||||||
|
- create pods
|
||||||
|
- get pods
|
||||||
|
- delete pods
|
||||||
|
exposure_mode: workload-specification-control
|
||||||
|
lifecycle_state: job-execution
|
||||||
|
conditions:
|
||||||
|
- bound by RoleBinding in namespace tenant-a
|
||||||
|
restrictions:
|
||||||
|
- no direct secret get/list/watch declared
|
||||||
|
native_evidence:
|
||||||
|
- Role/job-runner
|
||||||
|
- RoleBinding/job-runner-binding
|
||||||
|
- ServiceAccount/job-runner
|
||||||
|
- id: descriptor/workload-creator/effective
|
||||||
|
case_id: workload-creator-derived-execution
|
||||||
|
descriptor_class: effective_access
|
||||||
|
subject: serviceaccount:tenant-a:job-runner
|
||||||
|
organization_relation: customer-operated-automation
|
||||||
|
canonical_role: Doer
|
||||||
|
scope: namespace:tenant-a
|
||||||
|
plane: Runtime
|
||||||
|
capabilities:
|
||||||
|
- create workload
|
||||||
|
- select pod service account
|
||||||
|
- influence mounted volumes
|
||||||
|
- execute container image
|
||||||
|
exposure_mode: mediated-runtime-execution
|
||||||
|
lifecycle_state: job-execution
|
||||||
|
conditions:
|
||||||
|
- pod admission and service-account mount behavior determine actual reach
|
||||||
|
restrictions:
|
||||||
|
- effective access must be checked against admission policy and service-account permissions
|
||||||
|
native_evidence:
|
||||||
|
- create pods verb
|
||||||
|
- pod spec serviceAccountName
|
||||||
|
- projected service account token behavior
|
||||||
|
- id: descriptor/workload-creator/derived
|
||||||
|
case_id: workload-creator-derived-execution
|
||||||
|
descriptor_class: derived_capability
|
||||||
|
subject: serviceaccount:tenant-a:job-runner
|
||||||
|
organization_relation: customer-operated-automation
|
||||||
|
canonical_role: Doer
|
||||||
|
scope: namespace:tenant-a
|
||||||
|
plane: Runtime
|
||||||
|
capabilities:
|
||||||
|
- execute arbitrary workload image
|
||||||
|
- use mounted service account identity
|
||||||
|
- read mounted runtime inputs
|
||||||
|
exposure_mode: derived-execution-and-identity-use
|
||||||
|
lifecycle_state: job-execution
|
||||||
|
conditions:
|
||||||
|
- derived from create pods permission
|
||||||
|
restrictions:
|
||||||
|
- must be bounded by admission controls, image policy, and service-account selection rules
|
||||||
|
native_evidence:
|
||||||
|
- Role/job-runner create pods
|
||||||
|
- id: descriptor/workload-creator/induced
|
||||||
|
case_id: workload-creator-derived-execution
|
||||||
|
descriptor_class: induced_access
|
||||||
|
subject: serviceaccount:tenant-a:job-runner
|
||||||
|
organization_relation: customer-operated-automation
|
||||||
|
canonical_role: Doer
|
||||||
|
scope: namespace:tenant-a
|
||||||
|
plane: Secret
|
||||||
|
capabilities:
|
||||||
|
- potential secret exposure through mounted volumes
|
||||||
|
- potential token exposure through mounted identity
|
||||||
|
exposure_mode: induced-secret-and-identity-exposure
|
||||||
|
lifecycle_state: job-execution
|
||||||
|
conditions:
|
||||||
|
- induced path exists only when workload can mount or reach sensitive material
|
||||||
|
restrictions:
|
||||||
|
- classify as candidate finding until manifests, admission, and secret references are reviewed
|
||||||
|
native_evidence:
|
||||||
|
- pod volume mounts
|
||||||
|
- service account token projection
|
||||||
|
- secret references in pod spec
|
||||||
|
- id: descriptor/cluster-secret-reader/declared
|
||||||
|
case_id: cluster-secret-reader
|
||||||
|
descriptor_class: declared_access
|
||||||
|
subject: serviceaccount:platform:inventory
|
||||||
|
organization_relation: platform-service-provider
|
||||||
|
canonical_role: Auditor
|
||||||
|
scope: cluster
|
||||||
|
plane: Secret
|
||||||
|
capabilities:
|
||||||
|
- get secrets
|
||||||
|
- list secrets
|
||||||
|
- watch secrets
|
||||||
|
exposure_mode: sensitive-data-read
|
||||||
|
lifecycle_state: operational-inventory
|
||||||
|
conditions:
|
||||||
|
- bound by ClusterRoleBinding
|
||||||
|
restrictions:
|
||||||
|
- requires governance review and audit evidence
|
||||||
|
native_evidence:
|
||||||
|
- ClusterRole/secret-reader
|
||||||
|
- ClusterRoleBinding/inventory-secret-reader
|
||||||
|
- ServiceAccount/inventory
|
||||||
|
- id: descriptor/namespace-boundary/review
|
||||||
|
case_id: namespace-as-tenant-boundary
|
||||||
|
descriptor_class: effective_access
|
||||||
|
subject: tenant-boundary-claim:tenant-a
|
||||||
|
organization_relation: platform-provider
|
||||||
|
canonical_role: Governor
|
||||||
|
scope: namespace:tenant-a
|
||||||
|
plane: Policy
|
||||||
|
capabilities:
|
||||||
|
- claim tenant isolation
|
||||||
|
- review access and runtime boundaries
|
||||||
|
exposure_mode: governance-claim
|
||||||
|
lifecycle_state: design-review
|
||||||
|
conditions:
|
||||||
|
- claim must be supported by access, network, runtime, data, and governance evidence
|
||||||
|
restrictions:
|
||||||
|
- namespace alone is insufficient evidence
|
||||||
|
native_evidence:
|
||||||
|
- Namespace/tenant-a
|
||||||
|
- RoleBinding set
|
||||||
|
- NetworkPolicy set
|
||||||
|
- ResourceQuota set
|
||||||
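Review bot: every descriptor assigns a `canonical_role` (Viewer, Doer, Auditor, Governor) but carries no rationale field, while `analysis_rules/native-role-warning` in caring-mapping.yaml and the `native-role-warning` criterion in benchmark.yaml both forbid accepting a canonical role without an explicit mapping rationale; add a per-descriptor field (for example `canonical_role_rationale: ...`) so the benchmark meets its own criterion. Separately, `descriptor/namespace-boundary/review` is classed as `effective_access` although its subject is `tenant-boundary-claim:tenant-a` on the Policy plane rather than an access path; either add a descriptor class for governance claims or state why `effective_access` fits, so `descriptor_classes` keeps a clear meaning.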
@@ -0,0 +1,102 @@
|
|||||||
|
id: benchmark/caring/kubernetes-rbac
|
||||||
|
title: CARING Kubernetes RBAC Benchmark
|
||||||
|
status: candidate
|
||||||
|
standard: standard/caring
|
||||||
|
created_by_workplan: ITC-WP-0010
|
||||||
|
purpose: Stress-test CARING descriptor shape against Kubernetes RBAC without treating Kubernetes native names as canon roles.
|
||||||
|
source_corpus:
|
||||||
|
- id: kubernetes-rbac-reference
|
||||||
|
title: Kubernetes RBAC Reference
|
||||||
|
source_type: vendor-documentation
|
||||||
|
url: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
|
||||||
|
role: primary-native-model-reference
|
||||||
|
- id: kubernetes-service-account-concepts
|
||||||
|
title: Kubernetes Service Accounts
|
||||||
|
source_type: vendor-documentation
|
||||||
|
url: https://kubernetes.io/docs/concepts/security/service-accounts/
|
||||||
|
role: workload-identity-reference
|
||||||
|
- id: local-caring-standard
|
||||||
|
title: InfoTechCanon CARING Access Governance Standard
|
||||||
|
source_type: canon-standard
|
||||||
|
path: standards/caring/InfoTechCanonCaringAccessGovernanceStandard.md
|
||||||
|
role: descriptor-vocabulary
|
||||||
|
cases:
|
||||||
|
- id: namespace-pod-reader
|
||||||
|
title: Namespace-Scoped Pod Reader
|
||||||
|
native_objects:
|
||||||
|
- Role
|
||||||
|
- RoleBinding
|
||||||
|
- ServiceAccount
|
||||||
|
- Namespace
|
||||||
|
stress_focus:
|
||||||
|
- declared-access
|
||||||
|
- scope-mapping
|
||||||
|
- native-role-warning
|
||||||
|
expected_outputs:
|
||||||
|
- Role maps to a scoped capability profile over get/list/watch pods.
|
||||||
|
- RoleBinding maps to a grant from subject to capability profile.
|
||||||
|
- Namespace is recorded as Kubernetes scope, not tenant boundary.
|
||||||
|
- id: workload-creator-derived-execution
|
||||||
|
title: Workload Creator With Derived Execution Capability
|
||||||
|
native_objects:
|
||||||
|
- Role
|
||||||
|
- RoleBinding
|
||||||
|
- ServiceAccount
|
||||||
|
- Pod
|
||||||
|
- Secret
|
||||||
|
stress_focus:
|
||||||
|
- declared-access
|
||||||
|
- effective-access
|
||||||
|
- derived-capability
|
||||||
|
- induced-access
|
||||||
|
expected_outputs:
|
||||||
|
- Create pod is declared as workload creation access.
|
||||||
|
- Execute workload is derived from the ability to create pods.
|
||||||
|
- Mounted service-account and secret exposure are induced access candidates.
|
||||||
|
- id: cluster-secret-reader
|
||||||
|
title: ClusterRole Secret Reader
|
||||||
|
native_objects:
|
||||||
|
- ClusterRole
|
||||||
|
- ClusterRoleBinding
|
||||||
|
- ServiceAccount
|
||||||
|
- Secret
|
||||||
|
stress_focus:
|
||||||
|
- cluster-scope
|
||||||
|
- exposure-mode
|
||||||
|
- governance-review
|
||||||
|
expected_outputs:
|
||||||
|
- ClusterRole maps to cluster-scoped data exposure capability.
|
||||||
|
- ClusterRoleBinding broadens scope beyond a namespace.
|
||||||
|
- Secret read access produces security and governance findings.
|
||||||
|
- id: namespace-as-tenant-boundary
|
||||||
|
title: Namespace Used As Tenant Boundary Claim
|
||||||
|
native_objects:
|
||||||
|
- Namespace
|
||||||
|
- Role
|
||||||
|
- RoleBinding
|
||||||
|
- NetworkPolicy
|
||||||
|
- ResourceQuota
|
||||||
|
stress_focus:
|
||||||
|
- tenant-boundary-warning
|
||||||
|
- cross-model-evidence
|
||||||
|
- review-criteria
|
||||||
|
expected_outputs:
|
||||||
|
- Namespace alone cannot prove tenant isolation.
|
||||||
|
- Tenant-boundary claim requires access, network, data, runtime, and governance evidence.
|
||||||
|
- Missing evidence creates a canon pressure finding instead of an approved boundary claim.
|
||||||
|
expected_outputs:
|
||||||
|
- Native concept map covering Role, ClusterRole, RoleBinding, ClusterRoleBinding, ServiceAccount, Namespace, verbs, resources, and scopes.
|
||||||
|
- CARING mapping that separates native role objects from canonical roles, capability profiles, grants, scopes, planes, and exposure modes.
|
||||||
|
- Access descriptors that distinguish declared access, effective access, derived capability, and induced access.
|
||||||
|
- Findings that identify gaps, conflicts, and proposed canon changes without changing standards silently.
|
||||||
|
review_criteria:
|
||||||
|
- id: descriptor-completeness
|
||||||
|
criterion: Every benchmark case has at least one CARING access descriptor with subject, scope, plane, capabilities, exposure mode, lifecycle state, and native evidence.
|
||||||
|
- id: native-role-warning
|
||||||
|
criterion: Kubernetes Role and ClusterRole are never accepted as CARINGCanonicalRole without an explicit mapping rationale.
|
||||||
|
- id: namespace-boundary-check
|
||||||
|
criterion: Namespace isolation is treated as a claim requiring evidence, not as a tenant boundary by default.
|
||||||
|
- id: effective-access-analysis
|
||||||
|
criterion: Create or update workload permissions are reviewed for derived execution, mounted identity, secret, and volume exposure.
|
||||||
|
- id: canon-pressure-routing
|
||||||
|
criterion: Gaps become reviewable proposed changes, tasks, or open questions rather than immediate model changes.
|
||||||
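Review bot: the `descriptor-completeness` criterion requires seven descriptor fields (subject, scope, plane, capabilities, exposure mode, lifecycle state, native evidence), whereas `proposal/caring-descriptor-schema` in findings-and-canon-pressure.yaml requires eleven (adding organization relation, canonical role, restrictions and descriptor class); make one list authoritative and have the other reference it, otherwise a descriptor can pass this review criterion and still fail the proposed schema.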
@@ -0,0 +1,79 @@
|
|||||||
|
id: benchmark/caring/kubernetes-rbac/caring-mapping
|
||||||
|
title: Kubernetes RBAC To CARING Mapping
|
||||||
|
status: candidate
|
||||||
|
benchmark: benchmark/caring/kubernetes-rbac
|
||||||
|
namespace_tenant_boundary_warning: true
|
||||||
|
mappings:
|
||||||
|
- native_concept: Role
|
||||||
|
caring_dimension: capability_profile
|
||||||
|
canon_targets:
|
||||||
|
- standard/caring:CARINGCapabilityProfile
|
||||||
|
- model/access-control:Permission
|
||||||
|
- model/governance:Policy
|
||||||
|
mapping_rule: Interpret Role rules as scoped capability bundles over verbs, resources, API groups, and resource names.
|
||||||
|
- native_concept: ClusterRole
|
||||||
|
caring_dimension: capability_profile
|
||||||
|
canon_targets:
|
||||||
|
- standard/caring:CARINGCapabilityProfile
|
||||||
|
- model/access-control:Permission
|
||||||
|
- model/governance:Policy
|
||||||
|
mapping_rule: Interpret ClusterRole rules as cluster-scope or reusable capability bundles; do not infer organization responsibility.
|
||||||
|
- native_concept: RoleBinding
|
||||||
|
caring_dimension: declared_access
|
||||||
|
canon_targets:
|
||||||
|
- standard/caring:CARINGDeclaredAccessMap
|
||||||
|
- model/access-control:Grant
|
||||||
|
- model/governance:Decision
|
||||||
|
mapping_rule: Bind subject to a Role or ClusterRole within the RoleBinding namespace.
|
||||||
|
- native_concept: ClusterRoleBinding
|
||||||
|
caring_dimension: declared_access
|
||||||
|
canon_targets:
|
||||||
|
- standard/caring:CARINGDeclaredAccessMap
|
||||||
|
- model/access-control:Grant
|
||||||
|
- model/governance:Decision
|
||||||
|
mapping_rule: Bind subject to a ClusterRole at cluster scope.
|
||||||
|
- native_concept: ServiceAccount
|
||||||
|
caring_dimension: subject
|
||||||
|
canon_targets:
|
||||||
|
- model/access-control:Subject
|
||||||
|
- model/devsecops:WorkloadIdentity
|
||||||
|
- model/organization:Service
|
||||||
|
mapping_rule: Treat ServiceAccount as a service subject; map workload use separately as effective or induced access.
|
||||||
|
- native_concept: Namespace
|
||||||
|
caring_dimension: scope
|
||||||
|
canon_targets:
|
||||||
|
- model/access-control:ResourceScope
|
||||||
|
- model/landscape:RuntimeContainment
|
||||||
|
- model/network:SegmentationContext
|
||||||
|
mapping_rule: Use Namespace as a Kubernetes scope signal; require additional evidence before mapping it to TenantBoundary.
|
||||||
|
- native_concept: Verb
|
||||||
|
caring_dimension: capability
|
||||||
|
canon_targets:
|
||||||
|
- model/access-control:Action
|
||||||
|
- standard/caring:CARINGCapabilityProfile
|
||||||
|
mapping_rule: Interpret verbs in combination with resources because create pods and get secrets have different exposure consequences.
|
||||||
|
- native_concept: Resource
|
||||||
|
caring_dimension: scope
|
||||||
|
canon_targets:
|
||||||
|
- model/access-control:Resource
|
||||||
|
- model/landscape:RuntimeResource
|
||||||
|
- model/security:ExposureTarget
|
||||||
|
mapping_rule: Map resources to access targets and then evaluate exposure, derived capability, and plane.
|
||||||
|
- native_concept: Scope
|
||||||
|
caring_dimension: scope
|
||||||
|
canon_targets:
|
||||||
|
- model/access-control:ResourceScope
|
||||||
|
- model/landscape:LandscapeScope
|
||||||
|
- model/governance:GovernanceScope
|
||||||
|
mapping_rule: Preserve namespace, cluster, API group, resource, and resourceName boundaries as separate scope facets.
|
||||||
|
analysis_rules:
|
||||||
|
- id: native-role-warning
|
||||||
|
rule: Do not map Role or ClusterRole to CARINGCanonicalRole without an explicit lifecycle-responsibility rationale.
|
||||||
|
- id: declared-to-effective
|
||||||
|
rule: Translate bindings into declared access first, then test workload, controller, service-account, secret, and volume paths for effective access.
|
||||||
|
- id: derived-workload-execution
|
||||||
|
rule: Permissions that create or update workload specs may imply derived execution and mounted identity capabilities.
|
||||||
|
- id: secret-exposure
|
||||||
|
rule: Permissions over secrets, pods, serviceaccounts, roles, rolebindings, or escalation verbs require security and governance review.
|
||||||
|
- id: namespace-tenant-boundary
|
||||||
|
rule: Namespace isolation claims require evidence from access control, runtime configuration, network policy, data isolation, and governance ownership.
|
||||||
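Review bot: the `canon_targets` here disagree with `canon_mappings` for the same native constructs in native-concepts.yaml: Role and ClusterRole target `model/access-control:Permission` here but `model/access-control:PermissionSet` there, RoleBinding and ClusterRoleBinding target `model/governance:Decision` here but `model/governance:AssignmentDecision` there, and Resource targets `model/security:ExposureTarget` here but `model/data:ProtectedInformationAsset` there; settle on one identifier per construct (or list both deliberately in both files) so tooling that resolves canon ids does not get two answers.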
@@ -0,0 +1,76 @@
|
|||||||
|
id: benchmark/caring/kubernetes-rbac/findings
|
||||||
|
title: Kubernetes RBAC Benchmark Findings And Canon Pressure
|
||||||
|
status: candidate
|
||||||
|
benchmark: benchmark/caring/kubernetes-rbac
|
||||||
|
stable_findings:
|
||||||
|
- id: finding/native-role-is-rule-bundle
|
||||||
|
severity: high
|
||||||
|
summary: Kubernetes Role and ClusterRole are native rule bundles, not automatically CARING canonical roles.
|
||||||
|
canon_pressure:
|
||||||
|
- Keep the native role warning visible in CARING validation.
|
||||||
|
- Add benchmark assertions that reject direct Role to CARINGCanonicalRole mappings without rationale.
|
||||||
|
- id: finding/namespace-not-tenant-boundary
|
||||||
|
severity: high
|
||||||
|
summary: Namespace is a useful scope signal but does not by itself prove tenant isolation.
|
||||||
|
canon_pressure:
|
||||||
|
- Treat tenant-boundary claims as reviewable evidence bundles across access, network, data, runtime, and governance.
|
||||||
|
- Add a reusable tenant-boundary review pattern if this recurs in other benchmarks.
|
||||||
|
- id: finding/workload-create-derives-execution
|
||||||
|
severity: high
|
||||||
|
summary: Workload creation permissions can derive runtime execution, mounted identity use, volume access, and secret exposure paths.
|
||||||
|
canon_pressure:
|
||||||
|
- Clarify ownership of DerivedCapability between CARING, Access Control, Security, and DevSecOps.
|
||||||
|
- Add effective-access checks for workload-mediated permission paths.
|
||||||
|
- id: finding/serviceaccount-is-service-subject
|
||||||
|
severity: medium
|
||||||
|
summary: ServiceAccount should map to a service subject and workload identity, not to a human actor or organization role.
|
||||||
|
canon_pressure:
|
||||||
|
- Strengthen subject and principal distinctions in access reviews.
|
||||||
|
- Preserve actor, subject, principal, and workload identity as separate concepts.
|
||||||
|
gaps:
|
||||||
|
- id: gap/caring-access-descriptor-schema
|
||||||
|
title: Machine-readable CARING descriptor schema
|
||||||
|
description: The benchmark uses structured descriptors, but there is not yet a formal schema for CARINGAccessDescriptor.
|
||||||
|
proposed_route: Create schema under a future CARING validation workplan.
|
||||||
|
- id: gap/effective-access-calculus
|
||||||
|
title: Effective access derivation rules
|
||||||
|
description: The canon needs reusable derivation rules for workload creation, mounted identities, secrets, impersonation, bind, and escalate.
|
||||||
|
proposed_route: Add validation rules after more benchmark cases are exercised.
|
||||||
|
- id: gap/tenant-boundary-evidence-profile
|
||||||
|
title: Tenant boundary evidence profile
|
||||||
|
description: Namespace boundary claims need a reusable evidence profile spanning access, network, runtime, data, and governance controls.
|
||||||
|
proposed_route: Candidate pattern or profile, not an immediate standard change.
|
||||||
|
conflicts:
|
||||||
|
- id: conflict/native-role-name
|
||||||
|
summary: Kubernetes native Role conflicts with the everyday meaning of role and with CARINGCanonicalRole.
|
||||||
|
resolution: Preserve native construct name and require explicit mapping to capability profile or canonical role.
|
||||||
|
- id: conflict/scope-overload
|
||||||
|
summary: Kubernetes namespace, resource scope, governance scope, tenant scope, and CARING scope can be conflated.
|
||||||
|
resolution: Record scope facets separately and only approve tenant-boundary claims after evidence review.
|
||||||
|
proposed_changes:
|
||||||
|
- id: proposal/caring-descriptor-schema
|
||||||
|
owner: standard/caring
|
||||||
|
change_type: new-schema
|
||||||
|
proposal: Add a CARING access descriptor schema with required fields for subject, organization relation, canonical role, scope, plane, capabilities, exposure mode, lifecycle state, restrictions, descriptor class, and native evidence.
|
||||||
|
- id: proposal/kubernetes-rbac-validation-rules
|
||||||
|
owner: standard/caring
|
||||||
|
change_type: benchmark-validation
|
||||||
|
proposal: Add CARING validation rules for native role warning, namespace tenant-boundary claims, workload-derived execution, and secret exposure.
|
||||||
|
- id: proposal/tenant-boundary-review-pattern
|
||||||
|
owner: model/governance
|
||||||
|
change_type: new-pattern
|
||||||
|
proposal: Add a review pattern for tenant-boundary claims that requires evidence from access control, network, runtime, data, security, and governance.
|
||||||
|
- id: proposal/derived-capability-ownership
|
||||||
|
owner: standard/caring
|
||||||
|
change_type: open-question
|
||||||
|
proposal: Decide whether DerivedCapability remains CARING-owned or becomes shared with Access Control and Security through a model profile.
|
||||||
|
follow_up_tasks:
|
||||||
|
- id: task/formalize-caring-descriptor-schema
|
||||||
|
target_workplan: proposed
|
||||||
|
summary: Create the CARING access descriptor schema and validate this benchmark against it.
|
||||||
|
- id: task/add-kubernetes-rbac-case-corpus
|
||||||
|
target_workplan: proposed
|
||||||
|
summary: Add concrete Kubernetes YAML manifests for the four benchmark cases and expected parsed observations.
|
||||||
|
- id: task/expand-effective-access-engine
|
||||||
|
target_workplan: proposed
|
||||||
|
summary: Prototype derivation rules for pod creation, service-account mounting, secrets, bind, escalate, and impersonate.
|
||||||
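Review bot: `stable_findings` has no entry for the `cluster-secret-reader` case, although benchmark.yaml's expected output for that case is "Secret read access produces security and governance findings" and the declared descriptor's restriction is "requires governance review and audit evidence"; add a finding for cluster-scoped secret read by a platform ServiceAccount (routed to security and governance review), or state in the case why it yields no finding, so the benchmark's own expected outputs are met.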
@@ -0,0 +1,87 @@
|
|||||||
|
id: benchmark/caring/kubernetes-rbac/native-concepts
|
||||||
|
title: Kubernetes RBAC Native Concept Map
|
||||||
|
status: candidate
|
||||||
|
benchmark: benchmark/caring/kubernetes-rbac
|
||||||
|
namespace_tenant_boundary_warning: true
|
||||||
|
concepts:
|
||||||
|
- native: Role
|
||||||
|
category: rule-bundle
|
||||||
|
native_scope: namespace
|
||||||
|
caring_mapping: CARINGCapabilityProfile
|
||||||
|
canon_mappings:
|
||||||
|
- model/access-control:PermissionSet
|
||||||
|
- model/governance:Policy
|
||||||
|
notes: A Role defines permissions within one namespace and is not automatically a CARINGCanonicalRole.
|
||||||
|
- native: ClusterRole
|
||||||
|
category: rule-bundle
|
||||||
|
native_scope: cluster
|
||||||
|
caring_mapping: CARINGCapabilityProfile
|
||||||
|
canon_mappings:
|
||||||
|
- model/access-control:PermissionSet
|
||||||
|
- model/governance:Policy
|
||||||
|
notes: A ClusterRole can define cluster-scoped permissions or reusable rule bundles for namespace bindings.
|
||||||
|
- native: RoleBinding
|
||||||
|
category: assignment
|
||||||
|
native_scope: namespace
|
||||||
|
caring_mapping: CARINGDeclaredAccessMap
|
||||||
|
canon_mappings:
|
||||||
|
- model/access-control:Grant
|
||||||
|
- model/governance:AssignmentDecision
|
||||||
|
notes: A RoleBinding grants a Role or ClusterRole to subjects within a namespace.
|
||||||
|
- native: ClusterRoleBinding
|
||||||
|
category: assignment
|
||||||
|
native_scope: cluster
|
||||||
|
caring_mapping: CARINGDeclaredAccessMap
|
||||||
|
canon_mappings:
|
||||||
|
- model/access-control:Grant
|
||||||
|
- model/governance:AssignmentDecision
|
||||||
|
notes: A ClusterRoleBinding grants a ClusterRole across cluster scope.
|
||||||
|
- native: ServiceAccount
|
||||||
|
category: service-subject
|
||||||
|
native_scope: namespace
|
||||||
|
caring_mapping: Subject
|
||||||
|
canon_mappings:
|
||||||
|
- model/access-control:Subject
|
||||||
|
- model/organization:Service
|
||||||
|
- model/devsecops:WorkloadIdentity
|
||||||
|
notes: A ServiceAccount is a service subject and workload identity anchor, not a human actor.
|
||||||
|
- native: Namespace
|
||||||
|
category: scope-signal
|
||||||
|
native_scope: namespace
|
||||||
|
caring_mapping: Scope
|
||||||
|
canon_mappings:
|
||||||
|
- model/landscape:RuntimeContainment
|
||||||
|
- model/access-control:ResourceScope
|
||||||
|
- model/network:SegmentationContext
|
||||||
|
notes: A Namespace is not automatically a tenant boundary; tenant isolation needs supporting access, network, data, and governance evidence.
|
||||||
|
- native: Verb
|
||||||
|
category: action
|
||||||
|
native_scope: rule
|
||||||
|
caring_mapping: Capability
|
||||||
|
canon_mappings:
|
||||||
|
- model/access-control:Action
|
||||||
|
- standard/caring:CARINGCapabilityProfile
|
||||||
|
notes: Verbs such as get, list, watch, create, update, patch, delete, bind, impersonate, and escalate must be interpreted by resource and scope.
|
||||||
|
- native: Resource
|
||||||
|
category: target
|
||||||
|
native_scope: api-group
|
||||||
|
caring_mapping: Scope
|
||||||
|
canon_mappings:
|
||||||
|
- model/access-control:Resource
|
||||||
|
- model/landscape:RuntimeResource
|
||||||
|
- model/data:ProtectedInformationAsset
|
||||||
|
notes: Resources such as pods, secrets, roles, rolebindings, and serviceaccounts carry different exposure and derived-capability implications.
|
||||||
|
- native: Scope
|
||||||
|
category: boundary
|
||||||
|
native_scope: namespace-or-cluster
|
||||||
|
caring_mapping: Scope
|
||||||
|
canon_mappings:
|
||||||
|
- model/access-control:ResourceScope
|
||||||
|
- model/landscape:LandscapeScope
|
||||||
|
- model/governance:GovernanceScope
|
||||||
|
notes: Kubernetes scope must be declared explicitly as namespace, cluster, API group, resource, and optionally tenant claim with evidence.
|
||||||
|
mapping_constraints:
|
||||||
|
- Kubernetes native names are preserved as source semantics.
|
||||||
|
- CARING canonical roles are assigned only after analyzing lifecycle responsibility posture.
|
||||||
|
- Namespace tenancy is a reviewable claim, not a default mapping.
|
||||||
|
- Effective access must include controller-mediated and workload-mediated paths where relevant.
|
||||||
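Review bot: `native_scope: namespace` on the `Namespace` descriptor is wrong. A Namespace is itself a cluster-scoped resource (it lives outside any namespace, and `create`, `delete` or `patch` on `namespaces` has cluster-level effect), so this should read `native_scope: cluster`; the namespace-level meaning is already carried by the `Scope` descriptor's `namespace-or-cluster`, and conflating the two hides that a subject who can manage namespaces is a cluster-level actor. Two smaller points in the same block: the `ClusterRoleBinding` notes should add that a ClusterRole referenced from a RoleBinding grants namespace-scoped access only, so effective scope comes from the binding kind, not the role kind, which is exactly the "declared explicitly" rule the `Scope` notes ask for; and the `Resource` notes list `pods`, `secrets`, `roles`, `rolebindings` and `serviceaccounts` but no subresources, while `pods/exec`, `pods/attach` and `serviceaccounts/token` are where most of the derived workload capability and induced secret exposure that the benchmark is about actually sits. While there, naming `bind`, `escalate` and `impersonate` as escalation verbs in the `Verb` notes would make the "interpreted by resource and scope" caveat concrete.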
@@ -1,14 +1,14 @@
|
|||||||
{
|
{
|
||||||
"details": {
|
"details": {
|
||||||
"artifact_count": 49,
|
"artifact_count": 54,
|
||||||
"relationship_count": 212
|
"relationship_count": 238
|
||||||
},
|
},
|
||||||
"errors": [],
|
"errors": [],
|
||||||
"metrics": {
|
"metrics": {
|
||||||
"coherence_components": 1.0,
|
"coherence_components": 1.0,
|
||||||
"consistency_cycles": 0.0,
|
"consistency_cycles": 0.0,
|
||||||
"coverage_ratio": 1.0,
|
"coverage_ratio": 1.0,
|
||||||
"granularity_entropy": 3.6776822595640257,
|
"granularity_entropy": 3.9972143235892474,
|
||||||
"redundancy_ratio": 0.0
|
"redundancy_ratio": 0.0
|
||||||
},
|
},
|
||||||
"ok": true,
|
"ok": true,
|
||||||
|
|||||||
@@ -2,10 +2,15 @@
|
|||||||
|
|
||||||
# By Concept
|
# By Concept
|
||||||
|
|
||||||
Concept count: **74**
|
Concept count: **79**
|
||||||
|
|
||||||
| Concept | Owner | Source |
|
| Concept | Owner | Source |
|
||||||
| --- | --- | --- |
|
| --- | --- | --- |
|
||||||
|
| CARING Kubernetes RBAC Benchmark | `benchmark/caring/kubernetes-rbac` | `artifact_title` |
|
||||||
|
| Kubernetes RBAC CARING Access Descriptors | `benchmark/caring/kubernetes-rbac/access-descriptors` | `artifact_title` |
|
||||||
|
| Kubernetes RBAC To CARING Mapping | `benchmark/caring/kubernetes-rbac/caring-mapping` | `artifact_title` |
|
||||||
|
| Kubernetes RBAC Benchmark Findings And Canon Pressure | `benchmark/caring/kubernetes-rbac/findings` | `artifact_title` |
|
||||||
|
| Kubernetes RBAC Native Concept Map | `benchmark/caring/kubernetes-rbac/native-concepts` | `artifact_title` |
|
||||||
| Repo Scoping Canon Benefit Analysis | `comparison/repo-scoping/canon-benefit-analysis` | `artifact_title` |
|
| Repo Scoping Canon Benefit Analysis | `comparison/repo-scoping/canon-benefit-analysis` | `artifact_title` |
|
||||||
| Repo Scoping Consumer Workplan Brief | `comparison/repo-scoping/consumer-workplan-brief` | `artifact_title` |
|
| Repo Scoping Consumer Workplan Brief | `comparison/repo-scoping/consumer-workplan-brief` | `artifact_title` |
|
||||||
| Repo Scoping Canon Extension Candidates | `comparison/repo-scoping/extension-candidates` | `artifact_title` |
|
| Repo Scoping Canon Extension Candidates | `comparison/repo-scoping/extension-candidates` | `artifact_title` |
|
||||||
|
|||||||
@@ -2,6 +2,13 @@
|
|||||||
|
|
||||||
# By Mapping Target
|
# By Mapping Target
|
||||||
|
|
||||||
|
## `benchmark/caring/kubernetes-rbac`
|
||||||
|
|
||||||
|
- `benchmark/caring/kubernetes-rbac/access-descriptors` via `part_of`
|
||||||
|
- `benchmark/caring/kubernetes-rbac/caring-mapping` via `part_of`
|
||||||
|
- `benchmark/caring/kubernetes-rbac/findings` via `part_of`
|
||||||
|
- `benchmark/caring/kubernetes-rbac/native-concepts` via `part_of`
|
||||||
|
|
||||||
## `comparison/repo-scoping/report`
|
## `comparison/repo-scoping/report`
|
||||||
|
|
||||||
- `comparison/repo-scoping/canon-benefit-analysis` via `part_of`
|
- `comparison/repo-scoping/canon-benefit-analysis` via `part_of`
|
||||||
@@ -57,6 +64,10 @@
|
|||||||
|
|
||||||
## `model/access-control`
|
## `model/access-control`
|
||||||
|
|
||||||
|
- `benchmark/caring/kubernetes-rbac` via `stress_tests`
|
||||||
|
- `benchmark/caring/kubernetes-rbac/access-descriptors` via `uses`
|
||||||
|
- `benchmark/caring/kubernetes-rbac/caring-mapping` via `maps`
|
||||||
|
- `benchmark/caring/kubernetes-rbac/native-concepts` via `maps`
|
||||||
- `evaluation/user-engine` via `uses`
|
- `evaluation/user-engine` via `uses`
|
||||||
- `evaluation/user-engine/questions` via `uses`
|
- `evaluation/user-engine/questions` via `uses`
|
||||||
- `evaluation/user-engine/small-saas-alignment` via `uses`
|
- `evaluation/user-engine/small-saas-alignment` via `uses`
|
||||||
@@ -80,6 +91,8 @@
|
|||||||
|
|
||||||
## `model/devsecops`
|
## `model/devsecops`
|
||||||
|
|
||||||
|
- `benchmark/caring/kubernetes-rbac` via `stress_tests`
|
||||||
|
- `benchmark/caring/kubernetes-rbac/access-descriptors` via `uses`
|
||||||
- `conformance/railiance-fabric` via `uses`
|
- `conformance/railiance-fabric` via `uses`
|
||||||
- `conformance/railiance-fabric/entity-edge-capture-criteria` via `uses`
|
- `conformance/railiance-fabric/entity-edge-capture-criteria` via `uses`
|
||||||
- `conformance/railiance-fabric/mapping-expectations` via `maps`
|
- `conformance/railiance-fabric/mapping-expectations` via `maps`
|
||||||
@@ -90,6 +103,9 @@
|
|||||||
|
|
||||||
## `model/governance`
|
## `model/governance`
|
||||||
|
|
||||||
|
- `benchmark/caring/kubernetes-rbac` via `stress_tests`
|
||||||
|
- `benchmark/caring/kubernetes-rbac/caring-mapping` via `maps`
|
||||||
|
- `benchmark/caring/kubernetes-rbac/findings` via `proposes`
|
||||||
- `comparison/repo-scoping/canon-benefit-analysis` via `maps`
|
- `comparison/repo-scoping/canon-benefit-analysis` via `maps`
|
||||||
- `comparison/repo-scoping/extension-candidates` via `proposes`
|
- `comparison/repo-scoping/extension-candidates` via `proposes`
|
||||||
- `comparison/repo-scoping/frame` via `uses`
|
- `comparison/repo-scoping/frame` via `uses`
|
||||||
@@ -121,6 +137,7 @@
|
|||||||
|
|
||||||
## `model/landscape`
|
## `model/landscape`
|
||||||
|
|
||||||
|
- `benchmark/caring/kubernetes-rbac/native-concepts` via `maps`
|
||||||
- `conformance/railiance-fabric` via `uses`
|
- `conformance/railiance-fabric` via `uses`
|
||||||
- `conformance/railiance-fabric/entity-edge-capture-criteria` via `uses`
|
- `conformance/railiance-fabric/entity-edge-capture-criteria` via `uses`
|
||||||
- `conformance/railiance-fabric/mapping-expectations` via `maps`
|
- `conformance/railiance-fabric/mapping-expectations` via `maps`
|
||||||
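Review bot: only `native-concepts` lands under `model/landscape`, yet `access-descriptors` cites `model/landscape:RuntimeContainment`, `model/landscape:RuntimeResource` and `model/landscape:LandscapeScope` in its `canon_mappings`, and the same gap exists for `model/governance` (`AssignmentDecision`, `GovernanceScope`), `model/network` (`SegmentationContext`), `model/data` (`ProtectedInformationAsset`) and `model/organization` (`Service`), none of which receives a `uses` edge from `access-descriptors` in this index or in the import matrix. Either the artifact's declared relationships should be extended to every model its `canon_mappings` reference, or the generator should derive and validate those edges from the `canon_mappings` entries; if those references are plain strings today, `coverage_ratio: 1.0` and `errors: []` say nothing about whether they resolve.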
@@ -131,6 +148,7 @@
|
|||||||
|
|
||||||
## `model/network`
|
## `model/network`
|
||||||
|
|
||||||
|
- `benchmark/caring/kubernetes-rbac` via `stress_tests`
|
||||||
- `conformance/railiance-fabric` via `uses`
|
- `conformance/railiance-fabric` via `uses`
|
||||||
- `conformance/railiance-fabric/entity-edge-capture-criteria` via `uses`
|
- `conformance/railiance-fabric/entity-edge-capture-criteria` via `uses`
|
||||||
- `conformance/railiance-fabric/mapping-expectations` via `maps`
|
- `conformance/railiance-fabric/mapping-expectations` via `maps`
|
||||||
@@ -141,6 +159,7 @@
|
|||||||
|
|
||||||
## `model/observability`
|
## `model/observability`
|
||||||
|
|
||||||
|
- `benchmark/caring/kubernetes-rbac` via `stress_tests`
|
||||||
- `conformance/railiance-fabric` via `uses`
|
- `conformance/railiance-fabric` via `uses`
|
||||||
- `conformance/railiance-fabric/entity-edge-capture-criteria` via `uses`
|
- `conformance/railiance-fabric/entity-edge-capture-criteria` via `uses`
|
||||||
- `conformance/railiance-fabric/mapping-expectations` via `maps`
|
- `conformance/railiance-fabric/mapping-expectations` via `maps`
|
||||||
@@ -184,6 +203,10 @@
|
|||||||
|
|
||||||
## `model/security`
|
## `model/security`
|
||||||
|
|
||||||
|
- `benchmark/caring/kubernetes-rbac` via `stress_tests`
|
||||||
|
- `benchmark/caring/kubernetes-rbac/access-descriptors` via `uses`
|
||||||
|
- `benchmark/caring/kubernetes-rbac/caring-mapping` via `maps`
|
||||||
|
- `benchmark/caring/kubernetes-rbac/findings` via `proposes`
|
||||||
- `conformance/railiance-fabric` via `uses`
|
- `conformance/railiance-fabric` via `uses`
|
||||||
- `conformance/railiance-fabric/entity-edge-capture-criteria` via `uses`
|
- `conformance/railiance-fabric/entity-edge-capture-criteria` via `uses`
|
||||||
- `conformance/railiance-fabric/mapping-expectations` via `maps`
|
- `conformance/railiance-fabric/mapping-expectations` via `maps`
|
||||||
@@ -296,6 +319,11 @@
|
|||||||
|
|
||||||
## `standard/caring`
|
## `standard/caring`
|
||||||
|
|
||||||
|
- `benchmark/caring/kubernetes-rbac` via `conforms_to`
|
||||||
|
- `benchmark/caring/kubernetes-rbac/access-descriptors` via `uses`
|
||||||
|
- `benchmark/caring/kubernetes-rbac/caring-mapping` via `maps`
|
||||||
|
- `benchmark/caring/kubernetes-rbac/findings` via `proposes`
|
||||||
|
- `benchmark/caring/kubernetes-rbac/native-concepts` via `maps`
|
||||||
- `evaluation/user-engine` via `uses`
|
- `evaluation/user-engine` via `uses`
|
||||||
- `evaluation/user-engine/interface-card-expectations` via `uses`
|
- `evaluation/user-engine/interface-card-expectations` via `uses`
|
||||||
- `kernel/itc-kernel-map` via `maps`
|
- `kernel/itc-kernel-map` via `maps`
|
||||||
@@ -304,6 +332,7 @@
|
|||||||
|
|
||||||
## `standard/tagging`
|
## `standard/tagging`
|
||||||
|
|
||||||
|
- `benchmark/caring/kubernetes-rbac` via `uses`
|
||||||
- `comparison/repo-scoping/canon-benefit-analysis` via `maps`
|
- `comparison/repo-scoping/canon-benefit-analysis` via `maps`
|
||||||
- `conformance/railiance-fabric` via `uses`
|
- `conformance/railiance-fabric` via `uses`
|
||||||
- `kernel/itc-kernel-map` via `maps`
|
- `kernel/itc-kernel-map` via `maps`
|
||||||
|
|||||||
@@ -2,54 +2,59 @@
|
|||||||
|
|
||||||
# Import Matrix
|
# Import Matrix
|
||||||
|
|
||||||
| Artifact | `comparison/repo-scoping/canon-benefit-analysis` | `comparison/repo-scoping/consumer-workplan-brief` | `comparison/repo-scoping/extension-candidates` | `comparison/repo-scoping/frame` | `comparison/repo-scoping/report` | `concept-catalog/purpose-demand` | `conformance/railiance-fabric` | `conformance/railiance-fabric/consumer-workplan-brief` | `conformance/railiance-fabric/entity-edge-capture-criteria` | `conformance/railiance-fabric/mapping-expectations` | `conformance/railiance-fabric/visualization-examples` | `evaluation/user-engine` | `evaluation/user-engine/consumer-workplan-brief` | `evaluation/user-engine/interface-card-expectations` | `evaluation/user-engine/questions` | `evaluation/user-engine/small-saas-alignment` | `example/consumer-purpose-portfolio` | `kernel/itc-core` | `kernel/itc-kernel-map` | `mapping/purpose-demand-governance-candidates` | `model/access-control` | `model/data` | `model/devsecops` | `model/governance` | `model/information-space` | `model/landscape` | `model/network` | `model/observability` | `model/organization` | `model/purpose-demand-extension` | `model/security` | `model/task` | `pattern/intent-scope-purposes` | `profile/small-saas` | `small-saas/control/namespace-per-tenant` | `small-saas/dataset/subscription-ledger` | `small-saas/deployment/production` | `small-saas/evidence/access-review-2026-05` | `small-saas/incident/cross-tenant-access-attempt` | `small-saas/policy/tenant-isolation` | `small-saas/service/billing-portal` | `small-saas/system/billing-system` | `small-saas/task/onboard-tenant` | `small-saas/team/platform` | `small-saas/tenant/acme` | `small-saas/tenant/globex` | `small-saas/user/ada-admin` | `standard/caring` | `standard/tagging` |
|
| Artifact | `benchmark/caring/kubernetes-rbac` | `benchmark/caring/kubernetes-rbac/access-descriptors` | `benchmark/caring/kubernetes-rbac/caring-mapping` | `benchmark/caring/kubernetes-rbac/findings` | `benchmark/caring/kubernetes-rbac/native-concepts` | `comparison/repo-scoping/canon-benefit-analysis` | `comparison/repo-scoping/consumer-workplan-brief` | `comparison/repo-scoping/extension-candidates` | `comparison/repo-scoping/frame` | `comparison/repo-scoping/report` | `concept-catalog/purpose-demand` | `conformance/railiance-fabric` | `conformance/railiance-fabric/consumer-workplan-brief` | `conformance/railiance-fabric/entity-edge-capture-criteria` | `conformance/railiance-fabric/mapping-expectations` | `conformance/railiance-fabric/visualization-examples` | `evaluation/user-engine` | `evaluation/user-engine/consumer-workplan-brief` | `evaluation/user-engine/interface-card-expectations` | `evaluation/user-engine/questions` | `evaluation/user-engine/small-saas-alignment` | `example/consumer-purpose-portfolio` | `kernel/itc-core` | `kernel/itc-kernel-map` | `mapping/purpose-demand-governance-candidates` | `model/access-control` | `model/data` | `model/devsecops` | `model/governance` | `model/information-space` | `model/landscape` | `model/network` | `model/observability` | `model/organization` | `model/purpose-demand-extension` | `model/security` | `model/task` | `pattern/intent-scope-purposes` | `profile/small-saas` | `small-saas/control/namespace-per-tenant` | `small-saas/dataset/subscription-ledger` | `small-saas/deployment/production` | `small-saas/evidence/access-review-2026-05` | `small-saas/incident/cross-tenant-access-attempt` | `small-saas/policy/tenant-isolation` | `small-saas/service/billing-portal` | `small-saas/system/billing-system` | `small-saas/task/onboard-tenant` | `small-saas/team/platform` | `small-saas/tenant/acme` | `small-saas/tenant/globex` | `small-saas/user/ada-admin` | `standard/caring` | `standard/tagging` |
|
||||||
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
|
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
|
||||||
| `comparison/repo-scoping/canon-benefit-analysis` | | | | | `part_of` | | | | | | | | | | | | | | | | | | | `maps` | `maps` | | | | | `maps` | | `maps` | | | | | | | | | | | | | | | | | `maps` |
|
| `benchmark/caring/kubernetes-rbac` | | | | | | | | | | | | | | | | | | | | | | | | | | `stress_tests` | | `stress_tests` | `stress_tests` | | | `stress_tests` | `stress_tests` | | | `stress_tests` | | | | | | | | | | | | | | | | | `conforms_to` | `uses` |
|
||||||
| `comparison/repo-scoping/consumer-workplan-brief` | | | | | `part_of` | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | | |
|
| `benchmark/caring/kubernetes-rbac/access-descriptors` | `part_of` | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | `uses` | | | | | | | | `uses` | | | | | | | | | | | | | | | | | `uses` | |
|
||||||
| `comparison/repo-scoping/extension-candidates` | | | | | `part_of` | | | | | | | | | | | | | | | | | | | `proposes` | `proposes` | | | | | `proposes` | | `proposes` | | | | | | | | | | | | | | | | | |
|
| `benchmark/caring/kubernetes-rbac/caring-mapping` | `part_of` | | | | | | | | | | | | | | | | | | | | | | | | | `maps` | | | `maps` | | | | | | | `maps` | | | | | | | | | | | | | | | | | `maps` | |
|
||||||
| `comparison/repo-scoping/frame` | | | | | `part_of` | | | | | | | | | | | | | | | | | | | `uses` | | | | | | `uses` | | `uses` | | | | | | | | | | | | | | | | | |
|
| `benchmark/caring/kubernetes-rbac/findings` | `part_of` | | | | | | | | | | | | | | | | | | | | | | | | | | | | `proposes` | | | | | | | `proposes` | | | | | | | | | | | | | | | | | `proposes` | |
|
||||||
| `comparison/repo-scoping/report` | | | | | | | | | | | | | | | | | | | | | | | | `uses` | `uses` | | | | | `compares` | | `uses` | `uses` | | | | | | | | | | | | | | | | |
|
| `benchmark/caring/kubernetes-rbac/native-concepts` | `part_of` | | | | | | | | | | | | | | | | | | | | | | | | | `maps` | | | | | `maps` | | | | | | | | | | | | | | | | | | | | | | `maps` | |
|
||||||
| `concept-catalog/purpose-demand` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | `uses` | | | | | | | | | | | | | | | | | | | | | | | | | |
|
| `comparison/repo-scoping/canon-benefit-analysis` | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | | `maps` | `maps` | | | | | `maps` | | `maps` | | | | | | | | | | | | | | | | | `maps` |
|
||||||
| `conformance/railiance-fabric` | | | | | | | | | | | | | | | | | | | | | | `uses` | `uses` | `uses` | | `uses` | `uses` | `uses` | | `uses` | `uses` | `uses` | | | | | | | | | | | | | | | | | `uses` |
|
| `comparison/repo-scoping/consumer-workplan-brief` | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | | |
|
||||||
| `conformance/railiance-fabric/consumer-workplan-brief` | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | | |
|
| `comparison/repo-scoping/extension-candidates` | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | | `proposes` | `proposes` | | | | | `proposes` | | `proposes` | | | | | | | | | | | | | | | | | |
|
||||||
| `conformance/railiance-fabric/entity-edge-capture-criteria` | | | | | | | `part_of` | | | | | | | | | | | | | | | `uses` | `uses` | `uses` | | `uses` | `uses` | `uses` | | `uses` | `uses` | `uses` | | | | | | | | | | | | | | | | | |
|
| `comparison/repo-scoping/frame` | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | | `uses` | | | | | | `uses` | | `uses` | | | | | | | | | | | | | | | | | |
|
||||||
| `conformance/railiance-fabric/mapping-expectations` | | | | | | | `part_of` | | | | | | | | | | | | | | | `maps` | `maps` | `maps` | | `maps` | `maps` | `maps` | | `maps` | `maps` | | | | | | | | | | | | | | | | | | |
|
| `comparison/repo-scoping/report` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | `uses` | | | | | `compares` | | `uses` | `uses` | | | | | | | | | | | | | | | | |
|
||||||
| `conformance/railiance-fabric/visualization-examples` | | | | | | | `part_of` | | `illustrates` | `illustrates` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
|
| `concept-catalog/purpose-demand` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | `uses` | | | | | | | | | | | | | | | | | | | | | | | | | |
|
||||||
| `evaluation/user-engine` | | | | | | | | | | | | | | | | | | | | | `uses` | `uses` | | `uses` | | | | | `uses` | `uses` | `uses` | `uses` | | `evaluates` | | | | | | | | | | | | | | `uses` | |
|
| `conformance/railiance-fabric` | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | `uses` | `uses` | | `uses` | `uses` | `uses` | | `uses` | `uses` | `uses` | | | | | | | | | | | | | | | | | `uses` |
|
||||||
| `evaluation/user-engine/consumer-workplan-brief` | | | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | | |
|
| `conformance/railiance-fabric/consumer-workplan-brief` | | | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | | |
|
||||||
| `evaluation/user-engine/interface-card-expectations` | | | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | `uses` | |
|
| `conformance/railiance-fabric/entity-edge-capture-criteria` | | | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | `uses` | `uses` | `uses` | | `uses` | `uses` | `uses` | | `uses` | `uses` | `uses` | | | | | | | | | | | | | | | | | |
|
||||||
| `evaluation/user-engine/questions` | | | | | | | | | | | | `part_of` | | | | | | | | | `uses` | `uses` | | `uses` | | | | | `uses` | `uses` | `uses` | `uses` | | | | | | | | | | | | | | | | | |
|
| `conformance/railiance-fabric/mapping-expectations` | | | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | `maps` | `maps` | `maps` | | `maps` | `maps` | `maps` | | `maps` | `maps` | | | | | | | | | | | | | | | | | | |
|
||||||
| `evaluation/user-engine/small-saas-alignment` | | | | | | | | | | | | `part_of` | | | | | | | | | `uses` | | | `uses` | | | | | `uses` | | | | | `evaluates` | | | | | | | | | | | | | | | |
|
| `conformance/railiance-fabric/visualization-examples` | | | | | | | | | | | | `part_of` | | `illustrates` | `illustrates` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
|
||||||
| `example/consumer-purpose-portfolio` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `illustrates` | | | `illustrates` | `uses` | | | | | | | | | | | | | | | |
|
| `evaluation/user-engine` | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | `uses` | | `uses` | | | | | `uses` | `uses` | `uses` | `uses` | | `evaluates` | | | | | | | | | | | | | | `uses` | |
|
||||||
| `kernel/itc-core` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
|
| `evaluation/user-engine/consumer-workplan-brief` | | | | | | | | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | | |
|
||||||
| `kernel/itc-kernel-map` | | | | | | | | | | | | | | | | | | `maps` | | | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | | `maps` | `maps` | | | | | | | | | | | | | | | | `maps` | `maps` |
|
| `evaluation/user-engine/interface-card-expectations` | | | | | | | | | | | | | | | | | `part_of` | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | `uses` | |
|
||||||
| `mapping/purpose-demand-governance-candidates` | | | | | | | | | | | | | | | | | | | | | | | | `maps` | | | | | | `maps` | | `uses` | | | | | | | | | | | | | | | | | |
|
| `evaluation/user-engine/questions` | | | | | | | | | | | | | | | | | `part_of` | | | | | | | | | `uses` | `uses` | | `uses` | | | | | `uses` | `uses` | `uses` | `uses` | | | | | | | | | | | | | | | | | |
|
||||||
| `model/access-control` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | `uses` | | | | | `uses` | | | | | | | | | | | | | | | | | | | | |
|
| `evaluation/user-engine/small-saas-alignment` | | | | | | | | | | | | | | | | | `part_of` | | | | | | | | | `uses` | | | `uses` | | | | | `uses` | | | | | `evaluates` | | | | | | | | | | | | | | | |
|
||||||
| `model/data` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | `uses` | | | | | | | | | | | | | | | | | | | | | | | | | |
|
| `example/consumer-purpose-portfolio` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `illustrates` | | | `illustrates` | `uses` | | | | | | | | | | | | | | | |
|
||||||
| `model/devsecops` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | |
|
| `kernel/itc-core` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
|
||||||
| `model/governance` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
|
| `kernel/itc-kernel-map` | | | | | | | | | | | | | | | | | | | | | | | `maps` | | | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | `maps` | | `maps` | `maps` | | | | | | | | | | | | | | | | `maps` | `maps` |
|
||||||
| `model/information-space` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
|
| `mapping/purpose-demand-governance-candidates` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `maps` | | | | | | `maps` | | `uses` | | | | | | | | | | | | | | | | | |
|
||||||
| `model/landscape` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
|
| `model/access-control` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | `uses` | | | | | `uses` | | | | | | | | | | | | | | | | | | | | |
|
||||||
| `model/network` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | |
|
| `model/data` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | `uses` | | | | | | | | | | | | | | | | | | | | | | | | | |
|
||||||
| `model/observability` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | |
|
| `model/devsecops` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | |
|
||||||
| `model/organization` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
|
| `model/governance` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
|
||||||
| `model/purpose-demand-extension` | | | | | | `introduces` | | | | | | | | | | | | `conforms_to` | | | | | | `extends` | `uses` | | | | | | | `uses` | | | | | | | | | | | | | | | | | |
|
| `model/information-space` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
|
||||||
| `model/security` | | | | | | | | | | | | | | | | | | `conforms_to` | | | `uses` | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
|
| `model/landscape` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
|
||||||
| `model/task` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
|
| `model/network` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | | |
|
||||||
| `pattern/intent-scope-purposes` | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | `implements` | | `uses` | | | | | | | | | | | | | | | | | |
|
| `model/observability` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | | | | | | |
|
||||||
| `profile/small-saas` | | | | | | | | | | | | | | | | | | `conforms_to` | | | `requires` | `requires` | `requires` | `requires` | | `requires` | `requires` | `requires` | `requires` | | `requires` | `requires` | | | | | | | | | | | | | | | | `requires` | `requires` |
|
| `model/organization` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
|
||||||
| `small-saas/control/namespace-per-tenant` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | `instantiates` | | | | `evidenced_by` | | | | | | | | | | `uses` | |
|
| `model/purpose-demand-extension` | | | | | | | | | | | `introduces` | | | | | | | | | | | | `conforms_to` | | | | | | `extends` | `uses` | | | | | | | `uses` | | | | | | | | | | | | | | | | | |
|
||||||
| `small-saas/dataset/subscription-ledger` | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | `instantiates` | | | | | | `governed_by` | `owned_by` | | | | `partitioned_for` | `partitioned_for` | | | |
|
| `model/security` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | `uses` | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
|
||||||
| `small-saas/deployment/production` | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | `uses` | | | | | | | `instantiates` | `implements` | | | | | | `deploys` | | | | `separates` | `separates` | | | |
|
| `model/task` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
|
||||||
| `small-saas/evidence/access-review-2026-05` | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | `instantiates` | | | | | | | | | | | | | | | |
|
| `pattern/intent-scope-purposes` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | `implements` | | `uses` | | | | | | | | | | | | | | | | | |
|
||||||
| `small-saas/incident/cross-tenant-access-attempt` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | `instantiates` | `constrained_by` | | | `evidenced_by` | | | | | | | | | | | |
|
| `profile/small-saas` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | `requires` | `requires` | `requires` | `requires` | | `requires` | `requires` | `requires` | `requires` | | `requires` | `requires` | | | | | | | | | | | | | | | | `requires` | `requires` |
|
||||||
| `small-saas/policy/tenant-isolation` | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | `instantiates` | `requires` | | | `evidenced_by` | | | | | | | | | | | |
|
| `small-saas/control/namespace-per-tenant` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | `instantiates` | | | | `evidenced_by` | | | | | | | | | | `uses` | |
|
||||||
| `small-saas/service/billing-portal` | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | `instantiates` | | | | | | | | `part_of` | | `owned_by` | | | | | |
|
| `small-saas/dataset/subscription-ledger` | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | | | `instantiates` | | | | | | `governed_by` | `owned_by` | | | | `partitioned_for` | `partitioned_for` | | | |
|
||||||
| `small-saas/system/billing-system` | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | `instantiates` | | | | | | | | | | | `serves` | `serves` | | | |
|
| `small-saas/deployment/production` | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | `uses` | | | | | | | `instantiates` | `implements` | | | | | | `deploys` | | | | `separates` | `separates` | | | |
|
||||||
| `small-saas/task/onboard-tenant` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | `instantiates` | | | | | | `governed_by` | | | | `owned_by` | `changes` | | | | |
|
| `small-saas/evidence/access-review-2026-05` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | `instantiates` | | | | | | | | | | | | | | | |
|
||||||
| `small-saas/team/platform` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | `instantiates` | | | | | | | | | | | | | | | |
|
| `small-saas/incident/cross-tenant-access-attempt` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | `instantiates` | `constrained_by` | | | `evidenced_by` | | | | | | | | | | | |
|
||||||
| `small-saas/tenant/acme` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | `instantiates` | `isolated_by` | | | | | | | | | | | | `represented_by` | | |
|
| `small-saas/policy/tenant-isolation` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | | | `instantiates` | `requires` | | | `evidenced_by` | | | | | | | | | | | |
|
||||||
| `small-saas/tenant/globex` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | `instantiates` | `isolated_by` | | | | | | | | | | | | | | |
|
| `small-saas/service/billing-portal` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | `instantiates` | | | | | | | | `part_of` | | `owned_by` | | | | | |
|
||||||
| `small-saas/user/ada-admin` | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | `uses` | | | | | `instantiates` | | | | `access_evidenced_by` | | `has_access_under` | | | | `member_of` | | | | | |
|
| `small-saas/system/billing-system` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | `instantiates` | | | | | | | | | | | `serves` | `serves` | | | |
|
||||||
| `standard/caring` | | | | | | | | | | | | | | | | | | `conforms_to` | | | `imports` | `imports` | `imports` | `imports` | | | `imports` | `imports` | `imports` | | `imports` | `imports` | | | | | | | | | | | | | | | | | `imports` |
|
| `small-saas/task/onboard-tenant` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | `instantiates` | | | | | | `governed_by` | | | | `owned_by` | `changes` | | | | |
|
||||||
| `standard/tagging` | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | `imports` | | | | | | | | | | | | | | | | | |
|
| `small-saas/team/platform` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | `instantiates` | | | | | | | | | | | | | | | |
|
||||||
|
| `small-saas/tenant/acme` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | `instantiates` | `isolated_by` | | | | | | | | | | | | `represented_by` | | |
|
||||||
|
| `small-saas/tenant/globex` | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | `instantiates` | `isolated_by` | | | | | | | | | | | | | | |
|
||||||
|
| `small-saas/user/ada-admin` | | | | | | | | | | | | | | | | | | | | | | | | | | `uses` | | | | | | | | `uses` | | | | | `instantiates` | | | | `access_evidenced_by` | | `has_access_under` | | | | `member_of` | | | | | |
|
||||||
|
| `standard/caring` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | `imports` | `imports` | `imports` | `imports` | | | `imports` | `imports` | `imports` | | `imports` | `imports` | | | | | | | | | | | | | | | | | `imports` |
|
||||||
|
| `standard/tagging` | | | | | | | | | | | | | | | | | | | | | | | `conforms_to` | | | | | | | | | | | | | | `imports` | | | | | | | | | | | | | | | | | |
|
||||||
|
|||||||
@@ -3,12 +3,16 @@
|
|||||||
# Kernel Overview
|
# Kernel Overview
|
||||||
|
|
||||||
- Infospace: `canon`
|
- Infospace: `canon`
|
||||||
- Artifacts: 49
|
- Artifacts: 54
|
||||||
|
|
||||||
## Artifact Kinds
|
## Artifact Kinds
|
||||||
|
|
||||||
|
- `access-descriptor-set`: 1
|
||||||
|
- `benchmark-findings`: 1
|
||||||
|
- `benchmark-workspace`: 1
|
||||||
- `benefit-analysis`: 1
|
- `benefit-analysis`: 1
|
||||||
- `capture-criteria`: 1
|
- `capture-criteria`: 1
|
||||||
|
- `caring-mapping`: 1
|
||||||
- `comparison-frame`: 1
|
- `comparison-frame`: 1
|
||||||
- `comparison-report`: 1
|
- `comparison-report`: 1
|
||||||
- `concept-catalog`: 1
|
- `concept-catalog`: 1
|
||||||
@@ -24,6 +28,7 @@
|
|||||||
- `mapping-expectation`: 1
|
- `mapping-expectation`: 1
|
||||||
- `model`: 11
|
- `model`: 11
|
||||||
- `model-extension`: 1
|
- `model-extension`: 1
|
||||||
|
- `native-concept-map`: 1
|
||||||
- `pattern`: 1
|
- `pattern`: 1
|
||||||
- `profile`: 1
|
- `profile`: 1
|
||||||
- `profile-alignment`: 1
|
- `profile-alignment`: 1
|
||||||
@@ -36,7 +41,7 @@
|
|||||||
- `access_evidenced_by`: 1
|
- `access_evidenced_by`: 1
|
||||||
- `changes`: 1
|
- `changes`: 1
|
||||||
- `compares`: 1
|
- `compares`: 1
|
||||||
- `conforms_to`: 16
|
- `conforms_to`: 17
|
||||||
- `constrained_by`: 1
|
- `constrained_by`: 1
|
||||||
- `deploys`: 1
|
- `deploys`: 1
|
||||||
- `evaluates`: 2
|
- `evaluates`: 2
|
||||||
@@ -50,14 +55,15 @@
|
|||||||
- `instantiates`: 13
|
- `instantiates`: 13
|
||||||
- `introduces`: 1
|
- `introduces`: 1
|
||||||
- `isolated_by`: 2
|
- `isolated_by`: 2
|
||||||
- `maps`: 29
|
- `maps`: 36
|
||||||
- `member_of`: 1
|
- `member_of`: 1
|
||||||
- `owned_by`: 3
|
- `owned_by`: 3
|
||||||
- `part_of`: 13
|
- `part_of`: 17
|
||||||
- `partitioned_for`: 2
|
- `partitioned_for`: 2
|
||||||
- `proposes`: 4
|
- `proposes`: 7
|
||||||
- `represented_by`: 1
|
- `represented_by`: 1
|
||||||
- `requires`: 13
|
- `requires`: 13
|
||||||
- `separates`: 2
|
- `separates`: 2
|
||||||
- `serves`: 2
|
- `serves`: 2
|
||||||
- `uses`: 79
|
- `stress_tests`: 6
|
||||||
|
- `uses`: 84
|
||||||
|
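Review bot: `stress_tests` shows up in this hunk as a brand-new relationship kind with 6 edges, but none of the visible hunks registers it anywhere else (no schema change, no test that asserts on it), so if the relationship vocabulary is validated at all, confirm the validator accepts the new name; otherwise a typo in the edge name would regenerate cleanly and never be noticed. A second sanity check on the same counts: five artifacts were added, yet `conforms_to` only moves from 16 to 17 while `part_of` rises by 4 and `proposes` by 3, which reads as four of the five benchmark artifacts declaring no conformance to a standard. Confirm that is intended rather than a `conforms_to` edge missing from the new artifact definitions.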
|||||||
@@ -2,10 +2,15 @@
|
|||||||
|
|
||||||
# Repository Tree
|
# Repository Tree
|
||||||
|
|
||||||
File count: **131**
|
File count: **142**
|
||||||
|
|
||||||
- `README.md`
|
- `README.md`
|
||||||
- `agent/README.md`
|
- `agent/README.md`
|
||||||
|
- `agent/briefs/benchmark-caring-kubernetes-rbac-access-descriptors.md`
|
||||||
|
- `agent/briefs/benchmark-caring-kubernetes-rbac-caring-mapping.md`
|
||||||
|
- `agent/briefs/benchmark-caring-kubernetes-rbac-findings.md`
|
||||||
|
- `agent/briefs/benchmark-caring-kubernetes-rbac-native-concepts.md`
|
||||||
|
- `agent/briefs/benchmark-caring-kubernetes-rbac.md`
|
||||||
- `agent/briefs/comparison-repo-scoping-canon-benefit-analysis.md`
|
- `agent/briefs/comparison-repo-scoping-canon-benefit-analysis.md`
|
||||||
- `agent/briefs/comparison-repo-scoping-consumer-workplan-brief.md`
|
- `agent/briefs/comparison-repo-scoping-consumer-workplan-brief.md`
|
||||||
- `agent/briefs/comparison-repo-scoping-extension-candidates.md`
|
- `agent/briefs/comparison-repo-scoping-extension-candidates.md`
|
||||||
@@ -124,6 +129,12 @@ File count: **131**
|
|||||||
- `schemas/standard.schema.yaml`
|
- `schemas/standard.schema.yaml`
|
||||||
- `schemas/workplan.schema.yaml`
|
- `schemas/workplan.schema.yaml`
|
||||||
- `standards/caring/InfoTechCanonCaringAccessGovernanceStandard.md`
|
- `standards/caring/InfoTechCanonCaringAccessGovernanceStandard.md`
|
||||||
|
- `standards/caring/benchmarks/kubernetes-rbac/README.md`
|
||||||
|
- `standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml`
|
||||||
|
- `standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml`
|
||||||
|
- `standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml`
|
||||||
|
- `standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml`
|
||||||
|
- `standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml`
|
||||||
- `standards/tagging/InfoTechCanonTaggingStandard.md`
|
- `standards/tagging/InfoTechCanonTaggingStandard.md`
|
||||||
- `validation/README.md`
|
- `validation/README.md`
|
||||||
- `validation/latest.json`
|
- `validation/latest.json`
|
||||||
|
|||||||
@@ -10,8 +10,12 @@ import yaml
|
|||||||
|
|
||||||
GENERATED_NOTICE = "<!-- GENERATED by info_tech_canon; do not edit by hand. -->"
|
GENERATED_NOTICE = "<!-- GENERATED by info_tech_canon; do not edit by hand. -->"
|
||||||
RETRIEVAL_ARTIFACT_KINDS = {
|
RETRIEVAL_ARTIFACT_KINDS = {
|
||||||
|
"access-descriptor-set",
|
||||||
"benefit-analysis",
|
"benefit-analysis",
|
||||||
|
"benchmark-findings",
|
||||||
|
"benchmark-workspace",
|
||||||
"capture-criteria",
|
"capture-criteria",
|
||||||
|
"caring-mapping",
|
||||||
"comparison-frame",
|
"comparison-frame",
|
||||||
"comparison-report",
|
"comparison-report",
|
||||||
"concept-catalog",
|
"concept-catalog",
|
||||||
@@ -27,6 +31,7 @@ RETRIEVAL_ARTIFACT_KINDS = {
|
|||||||
"mapping-expectation",
|
"mapping-expectation",
|
||||||
"model",
|
"model",
|
||||||
"model-extension",
|
"model-extension",
|
||||||
|
"native-concept-map",
|
||||||
"pattern",
|
"pattern",
|
||||||
"profile-alignment",
|
"profile-alignment",
|
||||||
"profile",
|
"profile",
|
||||||
@@ -869,10 +874,18 @@ def _safe_id(value: str) -> str:
|
|||||||
def _summary_for_artifact(artifact: Any) -> str:
|
def _summary_for_artifact(artifact: Any) -> str:
|
||||||
if artifact.kind == "profile-artifact":
|
if artifact.kind == "profile-artifact":
|
||||||
return f"Example artifact for the {artifact.provenance.get('profile', 'unknown')} profile: {artifact.title}."
|
return f"Example artifact for the {artifact.provenance.get('profile', 'unknown')} profile: {artifact.title}."
|
||||||
|
if artifact.kind == "access-descriptor-set":
|
||||||
|
return f"Structured CARING access descriptor set: {artifact.title}."
|
||||||
if artifact.kind == "benefit-analysis":
|
if artifact.kind == "benefit-analysis":
|
||||||
return f"Consumer benefit analysis against canon surfaces: {artifact.title}."
|
return f"Consumer benefit analysis against canon surfaces: {artifact.title}."
|
||||||
|
if artifact.kind == "benchmark-findings":
|
||||||
|
return f"Benchmark findings, gaps, and canon pressure: {artifact.title}."
|
||||||
|
if artifact.kind == "benchmark-workspace":
|
||||||
|
return f"Benchmark workspace definition and review criteria: {artifact.title}."
|
||||||
if artifact.kind == "capture-criteria":
|
if artifact.kind == "capture-criteria":
|
||||||
return f"Criteria for canonical entity and edge capture: {artifact.title}."
|
return f"Criteria for canonical entity and edge capture: {artifact.title}."
|
||||||
|
if artifact.kind == "caring-mapping":
|
||||||
|
return f"Native access model to CARING mapping: {artifact.title}."
|
||||||
if artifact.kind == "comparison-frame":
|
if artifact.kind == "comparison-frame":
|
||||||
return f"Structured comparison questions and domains: {artifact.title}."
|
return f"Structured comparison questions and domains: {artifact.title}."
|
||||||
if artifact.kind == "comparison-report":
|
if artifact.kind == "comparison-report":
|
||||||
@@ -899,6 +912,8 @@ def _summary_for_artifact(artifact: Any) -> str:
|
|||||||
return f"Expected mappings between consumer graph capture and canon surfaces: {artifact.title}."
|
return f"Expected mappings between consumer graph capture and canon surfaces: {artifact.title}."
|
||||||
if artifact.kind == "model-extension":
|
if artifact.kind == "model-extension":
|
||||||
return f"Candidate extension to an existing canon model: {artifact.title}."
|
return f"Candidate extension to an existing canon model: {artifact.title}."
|
||||||
|
if artifact.kind == "native-concept-map":
|
||||||
|
return f"Native source concept map for assimilation or benchmark work: {artifact.title}."
|
||||||
if artifact.kind == "pattern":
|
if artifact.kind == "pattern":
|
||||||
return f"Reusable canon pattern: {artifact.title}."
|
return f"Reusable canon pattern: {artifact.title}."
|
||||||
if artifact.kind == "profile-alignment":
|
if artifact.kind == "profile-alignment":
|
||||||
|
|||||||
@@ -53,8 +53,12 @@ REQUIRED_SCHEMAS = (
|
|||||||
)
|
)
|
||||||
|
|
||||||
RETRIEVAL_BRIEF_KINDS = {
|
RETRIEVAL_BRIEF_KINDS = {
|
||||||
|
"access-descriptor-set",
|
||||||
"benefit-analysis",
|
"benefit-analysis",
|
||||||
|
"benchmark-findings",
|
||||||
|
"benchmark-workspace",
|
||||||
"capture-criteria",
|
"capture-criteria",
|
||||||
|
"caring-mapping",
|
||||||
"comparison-frame",
|
"comparison-frame",
|
||||||
"comparison-report",
|
"comparison-report",
|
||||||
"concept-catalog",
|
"concept-catalog",
|
||||||
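Review bot: `RETRIEVAL_BRIEF_KINDS` receives exactly the same five entries ("access-descriptor-set", "benchmark-findings", "benchmark-workspace", "caring-mapping", "native-concept-map") that the generator hunk earlier in this diff adds to `RETRIEVAL_ARTIFACT_KINDS`, so there are now two hand-maintained copies of one set that will drift the next time a kind is introduced. Suggest importing one set from the other module, or at least adding a test asserting `RETRIEVAL_BRIEF_KINDS == RETRIEVAL_ARTIFACT_KINDS`, so a kind that gets briefs generated but is not validated (or the reverse) fails in CI instead of silently.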
@@ -69,6 +73,7 @@ RETRIEVAL_BRIEF_KINDS = {
|
|||||||
"mapping-expectation",
|
"mapping-expectation",
|
||||||
"model",
|
"model",
|
||||||
"model-extension",
|
"model-extension",
|
||||||
|
"native-concept-map",
|
||||||
"pattern",
|
"pattern",
|
||||||
"profile-alignment",
|
"profile-alignment",
|
||||||
"profile",
|
"profile",
|
||||||
@@ -243,6 +248,40 @@ REPO_SCOPING_REQUIRED_EXTENSION_CANDIDATES = {
|
|||||||
"extension/scope-md-interface",
|
"extension/scope-md-interface",
|
||||||
}
|
}
|
||||||
|
|
||||||
|
CARING_K8S_BENCHMARK_ARTIFACT_IDS = {
|
||||||
|
"benchmark/caring/kubernetes-rbac",
|
||||||
|
"benchmark/caring/kubernetes-rbac/access-descriptors",
|
||||||
|
"benchmark/caring/kubernetes-rbac/caring-mapping",
|
||||||
|
"benchmark/caring/kubernetes-rbac/findings",
|
||||||
|
"benchmark/caring/kubernetes-rbac/native-concepts",
|
||||||
|
}
|
||||||
|
|
||||||
|
CARING_K8S_REQUIRED_NATIVE_CONCEPTS = {
|
||||||
|
"Role",
|
||||||
|
"ClusterRole",
|
||||||
|
"RoleBinding",
|
||||||
|
"ClusterRoleBinding",
|
||||||
|
"ServiceAccount",
|
||||||
|
"Namespace",
|
||||||
|
"Verb",
|
||||||
|
"Resource",
|
||||||
|
"Scope",
|
||||||
|
}
|
||||||
|
|
||||||
|
CARING_K8S_REQUIRED_CASES = {
|
||||||
|
"namespace-pod-reader",
|
||||||
|
"workload-creator-derived-execution",
|
||||||
|
"cluster-secret-reader",
|
||||||
|
"namespace-as-tenant-boundary",
|
||||||
|
}
|
||||||
|
|
||||||
|
CARING_K8S_REQUIRED_DESCRIPTOR_CLASSES = {
|
||||||
|
"declared_access",
|
||||||
|
"effective_access",
|
||||||
|
"derived_capability",
|
||||||
|
"induced_access",
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
def structural_checks(context: Any) -> dict[str, list[dict[str, Any]]]:
|
def structural_checks(context: Any) -> dict[str, list[dict[str, Any]]]:
|
||||||
errors: list[dict[str, Any]] = []
|
errors: list[dict[str, Any]] = []
|
||||||
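Review bot: `CARING_K8S_REQUIRED_NATIVE_CONCEPTS` lists `ServiceAccount` as the only subject kind, but RoleBinding and ClusterRoleBinding subjects can equally be `User` and `Group`, and the `cluster-secret-reader` and `namespace-as-tenant-boundary` cases are exactly where human and group subjects matter for effective access; consider adding `Subject` (or `User` and `Group`) to the required set. For the same reason, subresources (`pods/exec`, `pods/portforward`) and `resourceNames` restrictions change effective access in ways that `Verb`, `Resource` and `Scope` alone do not capture, so a `Subresource` and `ResourceName` concept would make the `workload-creator-derived-execution` case checkable against the native map. Minor: these four sets are plain mutable `set` literals; `frozenset` would make the "required" contract explicit and prevent accidental mutation by a caller.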
@@ -270,6 +309,11 @@ def structural_checks(context: Any) -> dict[str, list[dict[str, Any]]]:
|
|||||||
context.infospace.artifacts,
|
context.infospace.artifacts,
|
||||||
errors,
|
errors,
|
||||||
)
|
)
|
||||||
|
_check_caring_kubernetes_rbac_benchmark_assets(
|
||||||
|
context.infospace_root,
|
||||||
|
context.infospace.artifacts,
|
||||||
|
errors,
|
||||||
|
)
|
||||||
_check_optional_assets(context.infospace_root, warnings)
|
_check_optional_assets(context.infospace_root, warnings)
|
||||||
|
|
||||||
return {"errors": errors, "warnings": warnings}
|
return {"errors": errors, "warnings": warnings}
|
||||||
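Review bot: this call is unconditional, so every infospace validated by `structural_checks` must now contain the Kubernetes RBAC benchmark directory or it fails with `missing_caring_kubernetes_rbac_benchmark_workspace`. If the benchmark is meant to be a distinct workspace rather than a mandatory part of every canon checkout, consider gating the check on the benchmark artifact ids being present in `context.infospace.artifacts`, or routing the missing-directory case through `warnings` the way `_check_optional_assets` does, and reserving `errors` for a directory that exists but is malformed.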
@@ -1167,6 +1211,216 @@ def _check_repo_scoping_comparison_assets(
|
|||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
def _check_caring_kubernetes_rbac_benchmark_assets(
|
||||||
|
infospace_root: Path,
|
||||||
|
artifacts: list[Any],
|
||||||
|
errors: list[dict[str, Any]],
|
||||||
|
) -> None:
|
||||||
|
artifact_ids = {artifact.id for artifact in artifacts}
|
||||||
|
for artifact_id in sorted(CARING_K8S_BENCHMARK_ARTIFACT_IDS - artifact_ids):
|
||||||
|
errors.append(
|
||||||
|
{
|
||||||
|
"code": "missing_caring_kubernetes_rbac_benchmark_artifact",
|
||||||
|
"artifact_id": artifact_id,
|
||||||
|
}
|
||||||
|
)
|
||||||
|
|
||||||
|
benchmark_root = infospace_root / "standards" / "caring" / "benchmarks" / "kubernetes-rbac"
|
||||||
|
if not benchmark_root.is_dir():
|
||||||
|
errors.append(
|
||||||
|
{
|
||||||
|
"code": "missing_caring_kubernetes_rbac_benchmark_workspace",
|
||||||
|
"path": "infospace/standards/caring/benchmarks/kubernetes-rbac",
|
||||||
|
}
|
||||||
|
)
|
||||||
|
return
|
||||||
|
|
||||||
|
benchmark = _read_yaml(benchmark_root / "benchmark.yaml", errors)
|
||||||
|
if isinstance(benchmark, dict):
|
||||||
|
for field in ("source_corpus", "expected_outputs", "review_criteria"):
|
||||||
|
items = benchmark.get(field) or []
|
||||||
|
if not isinstance(items, list) or not items:
|
||||||
|
errors.append(
|
||||||
|
{
|
||||||
|
"code": "missing_caring_kubernetes_benchmark_field",
|
||||||
|
"field": field,
|
||||||
|
}
|
||||||
|
)
|
||||||
|
cases = benchmark.get("cases") or []
|
||||||
|
if not isinstance(cases, list):
|
||||||
|
errors.append(
|
||||||
|
{
|
||||||
|
"code": "invalid_caring_kubernetes_benchmark_cases",
|
||||||
|
"path": "infospace/standards/caring/benchmarks/kubernetes-rbac/benchmark.yaml",
|
||||||
|
}
|
||||||
|
)
|
||||||
|
else:
|
||||||
|
case_ids = {
|
||||||
|
str(case.get("id"))
|
||||||
|
for case in cases
|
||||||
|
if isinstance(case, dict) and case.get("id")
|
||||||
|
}
|
||||||
|
for case_id in sorted(CARING_K8S_REQUIRED_CASES - case_ids):
|
||||||
|
errors.append(
|
||||||
|
{
|
||||||
|
"code": "missing_caring_kubernetes_benchmark_case",
|
||||||
|
"case": case_id,
|
||||||
|
}
|
||||||
|
)
|
||||||
|
|
||||||
|
native = _read_yaml(benchmark_root / "native-concepts.yaml", errors)
|
||||||
|
if isinstance(native, dict):
|
||||||
|
if native.get("namespace_tenant_boundary_warning") is not True:
|
||||||
|
errors.append(
|
||||||
|
{
|
||||||
|
"code": "missing_caring_kubernetes_namespace_warning",
|
||||||
|
"path": "infospace/standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml",
|
||||||
|
}
|
||||||
|
)
|
||||||
|
concepts = native.get("concepts") or []
|
||||||
|
if not isinstance(concepts, list):
|
||||||
|
errors.append(
|
||||||
|
{
|
||||||
|
"code": "invalid_caring_kubernetes_native_concepts",
|
||||||
|
"path": "infospace/standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml",
|
||||||
|
}
|
||||||
|
)
|
||||||
|
else:
|
||||||
|
native_names = {
|
||||||
|
str(concept.get("native"))
|
||||||
|
for concept in concepts
|
||||||
|
if isinstance(concept, dict) and concept.get("native")
|
||||||
|
}
|
||||||
|
for concept in sorted(CARING_K8S_REQUIRED_NATIVE_CONCEPTS - native_names):
|
||||||
|
errors.append(
|
||||||
|
{
|
||||||
|
"code": "missing_caring_kubernetes_native_concept",
|
||||||
|
"concept": concept,
|
||||||
|
}
|
||||||
|
)
|
||||||
|
|
||||||
|
mapping = _read_yaml(benchmark_root / "caring-mapping.yaml", errors)
|
||||||
|
if isinstance(mapping, dict):
|
||||||
|
if mapping.get("namespace_tenant_boundary_warning") is not True:
|
||||||
|
errors.append(
|
||||||
|
{
|
||||||
|
"code": "missing_caring_kubernetes_mapping_namespace_warning",
|
||||||
|
"path": "infospace/standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml",
|
||||||
|
}
|
||||||
|
)
|
||||||
|
mappings = mapping.get("mappings") or []
|
||||||
|
if not isinstance(mappings, list):
|
||||||
|
errors.append(
|
||||||
|
{
|
||||||
|
"code": "invalid_caring_kubernetes_mappings",
|
||||||
|
"path": "infospace/standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml",
|
||||||
|
}
|
||||||
|
)
|
||||||
|
else:
|
||||||
|
mapped_names = {
|
||||||
|
str(item.get("native_concept"))
|
||||||
|
for item in mappings
|
||||||
|
if isinstance(item, dict) and item.get("native_concept")
|
||||||
|
}
|
||||||
|
for concept in sorted(CARING_K8S_REQUIRED_NATIVE_CONCEPTS - mapped_names):
|
||||||
|
errors.append(
|
||||||
|
{
|
||||||
|
"code": "missing_caring_kubernetes_mapping",
|
||||||
|
"concept": concept,
|
||||||
|
}
|
||||||
|
)
|
||||||
|
analysis_rules = mapping.get("analysis_rules") or []
|
||||||
|
if not isinstance(analysis_rules, list) or not analysis_rules:
|
||||||
|
errors.append(
|
||||||
|
{
|
||||||
|
"code": "missing_caring_kubernetes_analysis_rules",
|
||||||
|
"path": "infospace/standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml",
|
||||||
|
}
|
||||||
|
)
|
||||||
|
|
||||||
|
descriptors = _read_yaml(benchmark_root / "access-descriptors.yaml", errors)
|
||||||
|
if isinstance(descriptors, dict):
|
||||||
|
descriptor_classes = set(descriptors.get("descriptor_classes") or [])
|
||||||
|
for descriptor_class in sorted(
|
||||||
|
CARING_K8S_REQUIRED_DESCRIPTOR_CLASSES - descriptor_classes
|
||||||
|
):
|
||||||
|
errors.append(
|
||||||
|
{
|
||||||
|
"code": "missing_caring_kubernetes_descriptor_class",
|
||||||
|
"descriptor_class": descriptor_class,
|
||||||
|
}
|
||||||
|
)
|
||||||
|
descriptor_items = descriptors.get("descriptors") or []
|
||||||
|
if not isinstance(descriptor_items, list):
|
||||||
|
errors.append(
|
||||||
|
{
|
||||||
|
"code": "invalid_caring_kubernetes_descriptors",
|
||||||
|
"path": "infospace/standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml",
|
||||||
|
}
|
||||||
|
)
|
||||||
|
else:
|
||||||
|
used_classes = {
|
||||||
|
str(item.get("descriptor_class"))
|
||||||
|
for item in descriptor_items
|
||||||
|
if isinstance(item, dict) and item.get("descriptor_class")
|
||||||
|
}
|
||||||
|
for descriptor_class in sorted(
|
||||||
|
CARING_K8S_REQUIRED_DESCRIPTOR_CLASSES - used_classes
|
||||||
|
):
|
||||||
|
errors.append(
|
||||||
|
{
|
||||||
|
"code": "missing_caring_kubernetes_descriptor_example",
|
||||||
|
"descriptor_class": descriptor_class,
|
||||||
|
}
|
||||||
|
)
|
||||||
|
required_fields = (
|
||||||
|
"subject",
|
||||||
|
"scope",
|
||||||
|
"plane",
|
||||||
|
"capabilities",
|
||||||
|
"exposure_mode",
|
||||||
|
"lifecycle_state",
|
||||||
|
"native_evidence",
|
||||||
|
)
|
||||||
|
for item in descriptor_items:
|
||||||
|
if not isinstance(item, dict):
|
||||||
|
continue
|
||||||
|
for field in required_fields:
|
||||||
|
if not item.get(field):
|
||||||
|
errors.append(
|
||||||
|
{
|
||||||
|
"code": "incomplete_caring_kubernetes_descriptor",
|
||||||
|
"descriptor": item.get("id"),
|
||||||
|
"field": field,
|
||||||
|
}
|
||||||
|
)
|
||||||
|
|
||||||
|
findings = _read_yaml(benchmark_root / "findings-and-canon-pressure.yaml", errors)
|
||||||
|
if isinstance(findings, dict):
|
||||||
|
for field in ("stable_findings", "gaps", "conflicts", "proposed_changes"):
|
||||||
|
items = findings.get(field) or []
|
||||||
|
if not isinstance(items, list) or not items:
|
||||||
|
errors.append(
|
||||||
|
{
|
||||||
|
"code": "missing_caring_kubernetes_findings_field",
|
||||||
|
"field": field,
|
||||||
|
}
|
||||||
|
)
|
||||||
|
stable_findings = findings.get("stable_findings") or []
|
||||||
|
finding_ids = {
|
||||||
|
str(finding.get("id"))
|
||||||
|
for finding in stable_findings
|
||||||
|
if isinstance(finding, dict) and finding.get("id")
|
||||||
|
}
|
||||||
|
if "finding/namespace-not-tenant-boundary" not in finding_ids:
|
||||||
|
errors.append(
|
||||||
|
{
|
||||||
|
"code": "missing_caring_kubernetes_namespace_finding",
|
||||||
|
"path": "infospace/standards/caring/benchmarks/kubernetes-rbac/findings-and-canon-pressure.yaml",
|
||||||
|
}
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
def _artifact_paths_by_path(
|
def _artifact_paths_by_path(
|
||||||
infospace_root: Path,
|
infospace_root: Path,
|
||||||
errors: list[dict[str, Any]],
|
errors: list[dict[str, Any]],
|
||||||
|
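Review bot: the `isinstance(..., dict)` guards around `benchmark`, `native`, `mapping`, `descriptors` and `findings` silently skip every check when a file parses to a list, a scalar or an empty document, so a `benchmark.yaml` containing only `[]` passes validation with no error at all; each guard needs an `else` branch that appends an error such as `invalid_caring_kubernetes_benchmark_document` with the offending path. Two further points in the descriptor section: `set(descriptors.get("descriptor_classes") or [])` raises `TypeError` if the list contains mappings (unhashable) and turns a bare string into a set of characters, so give it the same `isinstance(..., list)` guard the sibling fields get; and the only class check is that every required class appears in both the declared list and the descriptors, so a descriptor whose `descriptor_class` is misspelled or simply undeclared is never flagged. Suggest `for cls in sorted(used_classes - descriptor_classes): errors.append({"code": "undeclared_caring_kubernetes_descriptor_class", "descriptor_class": cls})`. Finally, `id` is not in `required_fields` and uniqueness is never checked, so `"descriptor": item.get("id")` in the `incomplete_caring_kubernetes_descriptor` record can be `None` and duplicate descriptor ids go unnoticed, and the `"path"` strings are hard-coded as `infospace/standards/...` rather than derived from `benchmark_root`, which misreports the location whenever `infospace_root` is not literally a directory named `infospace`.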
|||||||
@@ -11,7 +11,7 @@ def test_cli_inspect_emits_json(capsys) -> None:
|
|||||||
assert exit_code == 0
|
assert exit_code == 0
|
||||||
payload = json.loads(capsys.readouterr().out)
|
payload = json.loads(capsys.readouterr().out)
|
||||||
assert payload["ok"] is True
|
assert payload["ok"] is True
|
||||||
assert payload["infospace"]["artifact_count"] == 49
|
assert payload["infospace"]["artifact_count"] == 54
|
||||||
|
|
||||||
|
|
||||||
def test_cli_missing_profile_uses_structured_error(capsys) -> None:
|
def test_cli_missing_profile_uses_structured_error(capsys) -> None:
|
||||||
|
|||||||
@@ -19,10 +19,14 @@ def test_inspect_canon_counts_artifact_kinds() -> None:
|
|||||||
|
|
||||||
assert payload["ok"] is True
|
assert payload["ok"] is True
|
||||||
assert payload["infospace"]["slug"] == "canon"
|
assert payload["infospace"]["slug"] == "canon"
|
||||||
assert payload["infospace"]["artifact_count"] == 49
|
assert payload["infospace"]["artifact_count"] == 54
|
||||||
assert payload["infospace"]["kinds"] == {
|
assert payload["infospace"]["kinds"] == {
|
||||||
|
"access-descriptor-set": 1,
|
||||||
"benefit-analysis": 1,
|
"benefit-analysis": 1,
|
||||||
|
"benchmark-findings": 1,
|
||||||
|
"benchmark-workspace": 1,
|
||||||
"capture-criteria": 1,
|
"capture-criteria": 1,
|
||||||
|
"caring-mapping": 1,
|
||||||
"comparison-frame": 1,
|
"comparison-frame": 1,
|
||||||
"comparison-report": 1,
|
"comparison-report": 1,
|
||||||
"concept-catalog": 1,
|
"concept-catalog": 1,
|
||||||
@@ -38,6 +42,7 @@ def test_inspect_canon_counts_artifact_kinds() -> None:
|
|||||||
"mapping-expectation": 1,
|
"mapping-expectation": 1,
|
||||||
"model": 11,
|
"model": 11,
|
||||||
"model-extension": 1,
|
"model-extension": 1,
|
||||||
|
"native-concept-map": 1,
|
||||||
"pattern": 1,
|
"pattern": 1,
|
||||||
"profile-alignment": 1,
|
"profile-alignment": 1,
|
||||||
"profile": 1,
|
"profile": 1,
|
||||||
@@ -58,14 +63,14 @@ def test_validate_canon_passes_scaffold() -> None:
|
|||||||
assert payload["ok"] is True
|
assert payload["ok"] is True
|
||||||
assert payload["errors"] == []
|
assert payload["errors"] == []
|
||||||
assert "warnings" in payload
|
assert "warnings" in payload
|
||||||
assert payload["details"]["artifact_count"] == 49
|
assert payload["details"]["artifact_count"] == 54
|
||||||
|
|
||||||
|
|
||||||
def test_graph_exports_relationship_summary() -> None:
|
def test_graph_exports_relationship_summary() -> None:
|
||||||
payload = artifact_graph()
|
payload = artifact_graph()
|
||||||
|
|
||||||
assert payload["ok"] is True
|
assert payload["ok"] is True
|
||||||
assert payload["graph"]["node_count"] == 49
|
assert payload["graph"]["node_count"] == 54
|
||||||
assert payload["graph"]["edge_count"] > 15
|
assert payload["graph"]["edge_count"] > 15
|
||||||
|
|
||||||
|
|
||||||
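Review bot: `node_count` is pinned to the exact value 54 while `edge_count` is still only asserted to be greater than 15, even though this commit adds a new `stress_tests` relationship kind with 6 edges and moves `maps`, `part_of`, `proposes` and `uses` upward; a regression that drops every benchmark edge would pass this test. Either pin `edge_count` the same way `node_count` is pinned, or assert that the relationship summary contains `stress_tests` with the expected count, so the new benchmark edges are actually covered.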
@@ -115,6 +120,9 @@ def test_generators_write_expected_assets(tmp_path) -> None:
|
|||||||
assert (
|
assert (
|
||||||
root / "agent" / "briefs" / "comparison-repo-scoping-report.md"
|
root / "agent" / "briefs" / "comparison-repo-scoping-report.md"
|
||||||
).is_file()
|
).is_file()
|
||||||
|
assert (
|
||||||
|
root / "agent" / "briefs" / "benchmark-caring-kubernetes-rbac.md"
|
||||||
|
).is_file()
|
||||||
assert (root / "agent" / "briefs" / "pattern-intent-scope-purposes.md").is_file()
|
assert (root / "agent" / "briefs" / "pattern-intent-scope-purposes.md").is_file()
|
||||||
assert (
|
assert (
|
||||||
root / "agent" / "templates" / "canon-interface-card.template.yaml"
|
root / "agent" / "templates" / "canon-interface-card.template.yaml"
|
||||||
|
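Review bot: only `benchmark-caring-kubernetes-rbac.md` is asserted here, but the repository tree hunk shows five generated briefs for this benchmark (`-access-descriptors`, `-caring-mapping`, `-findings`, `-native-concepts` and the workspace brief). Suggest looping over the brief names, or over `CARING_K8S_BENCHMARK_ARTIFACT_IDS` passed through the same id-to-filename mapping the generator uses, and asserting `.is_file()` for each, so a brief that silently stops being generated for one of the four sub-artifacts is caught.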
|||||||
@@ -4,7 +4,7 @@ type: workplan
|
|||||||
title: "CARING Kubernetes RBAC Benchmark"
|
title: "CARING Kubernetes RBAC Benchmark"
|
||||||
domain: canon
|
domain: canon
|
||||||
repo: info-tech-canon
|
repo: info-tech-canon
|
||||||
status: proposed
|
status: finished
|
||||||
priority: medium
|
priority: medium
|
||||||
created: "2026-05-23"
|
created: "2026-05-23"
|
||||||
updated: "2026-05-23"
|
updated: "2026-05-23"
|
||||||
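Review bot: `status` jumps straight from `proposed` to `finished` in the same commit that lands the work, while `updated: "2026-05-23"` is left unchanged and equals `created`; if the workplan status schema has an intermediate state, or if `updated` is meant to record the state change, this hunk should bump it (or the omission should be deliberate because the commit is same-day). The four task hunks below flip `todo` to `done` in the same way, so the same question applies to them.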
@@ -33,7 +33,7 @@ Governance, Security, Network, DevSecOps, Observability, Task, and Tagging.
|
|||||||
|
|
||||||
```task
|
```task
|
||||||
id: ITC-WP-0010-T01
|
id: ITC-WP-0010-T01
|
||||||
status: todo
|
status: done
|
||||||
priority: high
|
priority: high
|
||||||
state_hub_task_id: "9ad31e13-7dc2-469c-b539-d3375a16c5f4"
|
state_hub_task_id: "9ad31e13-7dc2-469c-b539-d3375a16c5f4"
|
||||||
```
|
```
|
||||||
@@ -45,7 +45,7 @@ state_hub_task_id: "9ad31e13-7dc2-469c-b539-d3375a16c5f4"
|
|||||||
|
|
||||||
```task
|
```task
|
||||||
id: ITC-WP-0010-T02
|
id: ITC-WP-0010-T02
|
||||||
status: todo
|
status: done
|
||||||
priority: high
|
priority: high
|
||||||
state_hub_task_id: "180d7ccf-7daa-4f4c-a92a-641ef5d7b442"
|
state_hub_task_id: "180d7ccf-7daa-4f4c-a92a-641ef5d7b442"
|
||||||
```
|
```
|
||||||
@@ -58,7 +58,7 @@ state_hub_task_id: "180d7ccf-7daa-4f4c-a92a-641ef5d7b442"
|
|||||||
|
|
||||||
```task
|
```task
|
||||||
id: ITC-WP-0010-T03
|
id: ITC-WP-0010-T03
|
||||||
status: todo
|
status: done
|
||||||
priority: high
|
priority: high
|
||||||
state_hub_task_id: "4ffd6643-a7ab-487c-a09a-0fcaf0115c83"
|
state_hub_task_id: "4ffd6643-a7ab-487c-a09a-0fcaf0115c83"
|
||||||
```
|
```
|
||||||
@@ -71,7 +71,7 @@ state_hub_task_id: "4ffd6643-a7ab-487c-a09a-0fcaf0115c83"
|
|||||||
|
|
||||||
```task
|
```task
|
||||||
id: ITC-WP-0010-T04
|
id: ITC-WP-0010-T04
|
||||||
status: todo
|
status: done
|
||||||
priority: medium
|
priority: medium
|
||||||
state_hub_task_id: "52632a4c-6e03-4212-ad6b-0cbb7b3a6e42"
|
state_hub_task_id: "52632a4c-6e03-4212-ad6b-0cbb7b3a6e42"
|
||||||
```
|
```
|
||||||
@@ -84,3 +84,16 @@ state_hub_task_id: "52632a4c-6e03-4212-ad6b-0cbb7b3a6e42"
|
|||||||
- Kubernetes RBAC is analyzed as a benchmark, not as a shortcut profile.
|
- Kubernetes RBAC is analyzed as a benchmark, not as a shortcut profile.
|
||||||
- CARING descriptor shape is tested with practical examples.
|
- CARING descriptor shape is tested with practical examples.
|
||||||
- Benchmark findings produce explicit canon change proposals.
|
- Benchmark findings produce explicit canon change proposals.
|
||||||
|
|
||||||
|
## Implementation Notes
|
||||||
|
|
||||||
|
- Created `infospace/standards/caring/benchmarks/kubernetes-rbac/` as a
|
||||||
|
distinct benchmark workspace.
|
||||||
|
- Added benchmark workspace, native concept map, CARING mapping, descriptor
|
||||||
|
set, and findings/canon-pressure artifacts.
|
||||||
|
- Registered all benchmark artifacts in the artifact index and retrieval
|
||||||
|
generation flow.
|
||||||
|
- Added structural validation for the benchmark corpus, Kubernetes RBAC native
|
||||||
|
concept coverage, namespace tenant-boundary warning, CARING descriptor
|
||||||
|
classes, and findings/proposals.
|
||||||
|
- Regenerated agent briefs, indexes, tree views, and validation output.
|
||||||
|
|||||||
@@ -136,7 +136,7 @@ workplans:
|
|||||||
|
|
||||||
- id: ITC-WP-0010
|
- id: ITC-WP-0010
|
||||||
title: CARING Kubernetes RBAC Benchmark
|
title: CARING Kubernetes RBAC Benchmark
|
||||||
status: proposed
|
status: finished
|
||||||
priority: medium
|
priority: medium
|
||||||
path: workplans/ITC-WP-0010-caring-kubernetes-rbac-benchmark.md
|
path: workplans/ITC-WP-0010-caring-kubernetes-rbac-benchmark.md
|
||||||
depends_on:
|
depends_on:
|
||||||
|
|||||||