id: benchmark/caring/kubernetes-rbac/access-descriptors title: Kubernetes RBAC CARING Access Descriptors status: candidate benchmark: benchmark/caring/kubernetes-rbac descriptor_classes: - declared_access - effective_access - derived_capability - induced_access descriptors: - id: descriptor/namespace-pod-reader/declared case_id: namespace-pod-reader descriptor_class: declared_access subject: serviceaccount:tenant-a:report-viewer organization_relation: customer-operated-service canonical_role: Viewer scope: namespace:tenant-a plane: Runtime capabilities: - get pods - list pods - watch pods exposure_mode: metadata-and-runtime-state lifecycle_state: steady-state-observation conditions: - bound by RoleBinding in namespace tenant-a restrictions: - no pod mutation - no secret read - namespace is not accepted as tenant boundary without additional evidence native_evidence: - Role/report-viewer - RoleBinding/report-viewer-binding - ServiceAccount/report-viewer - id: descriptor/workload-creator/declared case_id: workload-creator-derived-execution descriptor_class: declared_access subject: serviceaccount:tenant-a:job-runner organization_relation: customer-operated-automation canonical_role: Doer scope: namespace:tenant-a plane: Runtime capabilities: - create pods - get pods - delete pods exposure_mode: workload-specification-control lifecycle_state: job-execution conditions: - bound by RoleBinding in namespace tenant-a restrictions: - no direct secret get/list/watch declared native_evidence: - Role/job-runner - RoleBinding/job-runner-binding - ServiceAccount/job-runner - id: descriptor/workload-creator/effective case_id: workload-creator-derived-execution descriptor_class: effective_access subject: serviceaccount:tenant-a:job-runner organization_relation: customer-operated-automation canonical_role: Doer scope: namespace:tenant-a plane: Runtime capabilities: - create workload - select pod service account - influence mounted volumes - execute container image exposure_mode: mediated-runtime-execution lifecycle_state: job-execution conditions: - pod admission and service-account mount behavior determine actual reach restrictions: - effective access must be checked against admission policy and service-account permissions native_evidence: - create pods verb - pod spec serviceAccountName - projected service account token behavior - id: descriptor/workload-creator/derived case_id: workload-creator-derived-execution descriptor_class: derived_capability subject: serviceaccount:tenant-a:job-runner organization_relation: customer-operated-automation canonical_role: Doer scope: namespace:tenant-a plane: Runtime capabilities: - execute arbitrary workload image - use mounted service account identity - read mounted runtime inputs exposure_mode: derived-execution-and-identity-use lifecycle_state: job-execution conditions: - derived from create pods permission restrictions: - must be bounded by admission controls, image policy, and service-account selection rules native_evidence: - Role/job-runner create pods - id: descriptor/workload-creator/induced case_id: workload-creator-derived-execution descriptor_class: induced_access subject: serviceaccount:tenant-a:job-runner organization_relation: customer-operated-automation canonical_role: Doer scope: namespace:tenant-a plane: Secret capabilities: - potential secret exposure through mounted volumes - potential token exposure through mounted identity exposure_mode: induced-secret-and-identity-exposure lifecycle_state: job-execution conditions: - induced path exists only when workload can mount or reach sensitive material restrictions: - classify as candidate finding until manifests, admission, and secret references are reviewed native_evidence: - pod volume mounts - service account token projection - secret references in pod spec - id: descriptor/cluster-secret-reader/declared case_id: cluster-secret-reader descriptor_class: declared_access subject: serviceaccount:platform:inventory organization_relation: platform-service-provider canonical_role: Auditor scope: cluster plane: Secret capabilities: - get secrets - list secrets - watch secrets exposure_mode: sensitive-data-read lifecycle_state: operational-inventory conditions: - bound by ClusterRoleBinding restrictions: - requires governance review and audit evidence native_evidence: - ClusterRole/secret-reader - ClusterRoleBinding/inventory-secret-reader - ServiceAccount/inventory - id: descriptor/namespace-boundary/review case_id: namespace-as-tenant-boundary descriptor_class: effective_access subject: tenant-boundary-claim:tenant-a organization_relation: platform-provider canonical_role: Governor scope: namespace:tenant-a plane: Policy capabilities: - claim tenant isolation - review access and runtime boundaries exposure_mode: governance-claim lifecycle_state: design-review conditions: - claim must be supported by access, network, runtime, data, and governance evidence restrictions: - namespace alone is insufficient evidence native_evidence: - Namespace/tenant-a - RoleBinding set - NetworkPolicy set - ResourceQuota set