id: benchmark/caring/kubernetes-rbac/caring-mapping title: Kubernetes RBAC To CARING Mapping status: candidate benchmark: benchmark/caring/kubernetes-rbac namespace_tenant_boundary_warning: true mappings: - native_concept: Role caring_dimension: capability_profile canon_targets: - standard/caring:CARINGCapabilityProfile - model/access-control:Permission - model/governance:Policy mapping_rule: Interpret Role rules as scoped capability bundles over verbs, resources, API groups, and resource names. - native_concept: ClusterRole caring_dimension: capability_profile canon_targets: - standard/caring:CARINGCapabilityProfile - model/access-control:Permission - model/governance:Policy mapping_rule: Interpret ClusterRole rules as cluster-scope or reusable capability bundles; do not infer organization responsibility. - native_concept: RoleBinding caring_dimension: declared_access canon_targets: - standard/caring:CARINGDeclaredAccessMap - model/access-control:Grant - model/governance:Decision mapping_rule: Bind subject to a Role or ClusterRole within the RoleBinding namespace. - native_concept: ClusterRoleBinding caring_dimension: declared_access canon_targets: - standard/caring:CARINGDeclaredAccessMap - model/access-control:Grant - model/governance:Decision mapping_rule: Bind subject to a ClusterRole at cluster scope. - native_concept: ServiceAccount caring_dimension: subject canon_targets: - model/access-control:Subject - model/devsecops:WorkloadIdentity - model/organization:Service mapping_rule: Treat ServiceAccount as a service subject; map workload use separately as effective or induced access. - native_concept: Namespace caring_dimension: scope canon_targets: - model/access-control:ResourceScope - model/landscape:RuntimeContainment - model/network:SegmentationContext mapping_rule: Use Namespace as a Kubernetes scope signal; require additional evidence before mapping it to TenantBoundary. - native_concept: Verb caring_dimension: capability canon_targets: - model/access-control:Action - standard/caring:CARINGCapabilityProfile mapping_rule: Interpret verbs in combination with resources because create pods and get secrets have different exposure consequences. - native_concept: Resource caring_dimension: scope canon_targets: - model/access-control:Resource - model/landscape:RuntimeResource - model/security:ExposureTarget mapping_rule: Map resources to access targets and then evaluate exposure, derived capability, and plane. - native_concept: Scope caring_dimension: scope canon_targets: - model/access-control:ResourceScope - model/landscape:LandscapeScope - model/governance:GovernanceScope mapping_rule: Preserve namespace, cluster, API group, resource, and resourceName boundaries as separate scope facets. analysis_rules: - id: native-role-warning rule: Do not map Role or ClusterRole to CARINGCanonicalRole without an explicit lifecycle-responsibility rationale. - id: declared-to-effective rule: Translate bindings into declared access first, then test workload, controller, service-account, secret, and volume paths for effective access. - id: derived-workload-execution rule: Permissions that create or update workload specs may imply derived execution and mounted identity capabilities. - id: secret-exposure rule: Permissions over secrets, pods, serviceaccounts, roles, rolebindings, or escalation verbs require security and governance review. - id: namespace-tenant-boundary rule: Namespace isolation claims require evidence from access control, runtime configuration, network policy, data isolation, and governance ownership.