--- id: ITC-WP-0010 type: workplan title: "CARING Kubernetes RBAC Benchmark" domain: canon repo: info-tech-canon status: proposed priority: medium created: "2026-05-23" updated: "2026-05-23" depends_on_workplans: - ITC-WP-0003 - ITC-WP-0005 state_hub_workstream_id: "b64f0fc9-8668-4c02-8247-67a41660bdeb" --- # ITC-WP-0010 - CARING Kubernetes RBAC Benchmark ## Goal Create a distinct benchmark workplan for analyzing Kubernetes RBAC through CARING and the wider InfoTechCanon kernel. ## Intent This is deliberately separate from the small SaaS proof. The benchmark is more ambitious and should stress orthogonality across Access Control, Organization, Governance, Security, Network, DevSecOps, Observability, Task, and Tagging. ## Tasks ### T01 - Benchmark workspace ```task id: ITC-WP-0010-T01 status: todo priority: high state_hub_task_id: "9ad31e13-7dc2-469c-b539-d3375a16c5f4" ``` - Create `infospace/standards/caring/benchmarks/kubernetes-rbac/`. - Define source corpus, cases, expected outputs, and review criteria. ### T02 - RBAC assimilation ```task id: ITC-WP-0010-T02 status: todo priority: high state_hub_task_id: "180d7ccf-7daa-4f4c-a92a-641ef5d7b442" ``` - Map Kubernetes Role, ClusterRole, RoleBinding, ClusterRoleBinding, ServiceAccount, Namespace, verbs, resources, and scopes. - Preserve the warning that Namespace is not automatically a tenant boundary. ### T03 - CARING access descriptors ```task id: ITC-WP-0010-T03 status: todo priority: high state_hub_task_id: "4ffd6643-a7ab-487c-a09a-0fcaf0115c83" ``` - Express benchmark cases as CARING access descriptors. - Distinguish declared access, effective access, derived capability, and induced access. ### T04 - Findings and canon pressure ```task id: ITC-WP-0010-T04 status: todo priority: medium state_hub_task_id: "52632a4c-6e03-4212-ad6b-0cbb7b3a6e42" ``` - Produce gaps, conflicts, mappings, and proposed canon changes. - Feed stable findings back into models and standards through explicit tasks. ## Acceptance - Kubernetes RBAC is analyzed as a benchmark, not as a shortcut profile. - CARING descriptor shape is tested with practical examples. - Benchmark findings produce explicit canon change proposals.