id: benchmark/caring/kubernetes-rbac/native-concepts title: Kubernetes RBAC Native Concept Map status: candidate benchmark: benchmark/caring/kubernetes-rbac namespace_tenant_boundary_warning: true concepts: - native: Role category: rule-bundle native_scope: namespace caring_mapping: CARINGCapabilityProfile canon_mappings: - model/access-control:PermissionSet - model/governance:Policy notes: A Role defines permissions within one namespace and is not automatically a CARINGCanonicalRole. - native: ClusterRole category: rule-bundle native_scope: cluster caring_mapping: CARINGCapabilityProfile canon_mappings: - model/access-control:PermissionSet - model/governance:Policy notes: A ClusterRole can define cluster-scoped permissions or reusable rule bundles for namespace bindings. - native: RoleBinding category: assignment native_scope: namespace caring_mapping: CARINGDeclaredAccessMap canon_mappings: - model/access-control:Grant - model/governance:AssignmentDecision notes: A RoleBinding grants a Role or ClusterRole to subjects within a namespace. - native: ClusterRoleBinding category: assignment native_scope: cluster caring_mapping: CARINGDeclaredAccessMap canon_mappings: - model/access-control:Grant - model/governance:AssignmentDecision notes: A ClusterRoleBinding grants a ClusterRole across cluster scope. - native: ServiceAccount category: service-subject native_scope: namespace caring_mapping: Subject canon_mappings: - model/access-control:Subject - model/organization:Service - model/devsecops:WorkloadIdentity notes: A ServiceAccount is a service subject and workload identity anchor, not a human actor. - native: Namespace category: scope-signal native_scope: namespace caring_mapping: Scope canon_mappings: - model/landscape:RuntimeContainment - model/access-control:ResourceScope - model/network:SegmentationContext notes: A Namespace is not automatically a tenant boundary; tenant isolation needs supporting access, network, data, and governance evidence. - native: Verb category: action native_scope: rule caring_mapping: Capability canon_mappings: - model/access-control:Action - standard/caring:CARINGCapabilityProfile notes: Verbs such as get, list, watch, create, update, patch, delete, bind, impersonate, and escalate must be interpreted by resource and scope. - native: Resource category: target native_scope: api-group caring_mapping: Scope canon_mappings: - model/access-control:Resource - model/landscape:RuntimeResource - model/data:ProtectedInformationAsset notes: Resources such as pods, secrets, roles, rolebindings, and serviceaccounts carry different exposure and derived-capability implications. - native: Scope category: boundary native_scope: namespace-or-cluster caring_mapping: Scope canon_mappings: - model/access-control:ResourceScope - model/landscape:LandscapeScope - model/governance:GovernanceScope notes: Kubernetes scope must be declared explicitly as namespace, cluster, API group, resource, and optionally tenant claim with evidence. mapping_constraints: - Kubernetes native names are preserved as source semantics. - CARING canonical roles are assigned only after analyzing lifecycle responsibility posture. - Namespace tenancy is a reviewable claim, not a default mapping. - Effective access must include controller-mediated and workload-mediated paths where relevant.