---
# CARING access-descriptor set for the kubernetes-rbac benchmark.
# Each descriptor records one view of a subject's access for a benchmark
# case: the RBAC grant as declared, the reach it has once runtime behavior
# is considered, the capability derived from it, and the access it induces
# on another plane.
id: benchmark/caring/kubernetes-rbac/access-descriptors
title: Kubernetes RBAC CARING Access Descriptors
# Not yet an accepted set (presumably; confirm against the benchmark's
# status vocabulary).
status: candidate
benchmark: benchmark/caring/kubernetes-rbac
# Vocabulary for descriptor_class; every descriptor in this file uses one
# of these four values.
descriptor_classes:
- declared_access
- effective_access
- derived_capability
- induced_access
descriptors:
# --- case: namespace-pod-reader ------------------------------------------
# Declared read-only pod access for a tenant service account, bound by a
# namespaced RoleBinding. The restrictions make two things explicit: the
# role grants no pod mutation and no Secret read, and the namespace is not
# accepted as a tenant boundary on its own (see the
# namespace-as-tenant-boundary case at the end of this file).
- id: descriptor/namespace-pod-reader/declared
  case_id: namespace-pod-reader
  descriptor_class: declared_access
  subject: serviceaccount:tenant-a:report-viewer
  organization_relation: customer-operated-service
  canonical_role: Viewer
  scope: namespace:tenant-a
  plane: Runtime
  # Verb/resource pairs as granted by the Role cited in native_evidence.
  capabilities:
  - get pods
  - list pods
  - watch pods
  exposure_mode: metadata-and-runtime-state
  lifecycle_state: steady-state-observation
  conditions:
  - bound by RoleBinding in namespace tenant-a
  restrictions:
  - no pod mutation
  - no secret read
  - namespace is not accepted as tenant boundary without additional evidence
  # NOTE(review): "no secret read" covers the Secret resource only; pod
  # objects returned by get/list carry the full pod spec (inline env values,
  # volume and secret references) — confirm the case treats that spec
  # exposure as part of metadata-and-runtime-state.
  native_evidence:
  - Role/report-viewer
  - RoleBinding/report-viewer-binding
  - ServiceAccount/report-viewer
# --- case: workload-creator-derived-execution ----------------------------
# Declared create/get/delete on pods for an automation service account.
# The three descriptors that follow (effective, derived, induced) trace
# what this single create-pods grant reaches once pod admission,
# service-account selection and volume mounts are taken into account.
- id: descriptor/workload-creator/declared
  case_id: workload-creator-derived-execution
  descriptor_class: declared_access
  subject: serviceaccount:tenant-a:job-runner
  organization_relation: customer-operated-automation
  canonical_role: Doer
  scope: namespace:tenant-a
  plane: Runtime
  capabilities:
  - create pods
  - get pods
  - delete pods
  exposure_mode: workload-specification-control
  lifecycle_state: job-execution
  conditions:
  - bound by RoleBinding in namespace tenant-a
  # "direct" is deliberate: the induced descriptor for this case records the
  # indirect path to secret material via mounted volumes and tokens.
  restrictions:
  - no direct secret get/list/watch declared
  native_evidence:
  - Role/job-runner
  - RoleBinding/job-runner-binding
  - ServiceAccount/job-runner
# Effective view of the same grant: what creating a pod actually lets the
# subject control once the pod is admitted and its service account and
# volumes are mounted.
- id: descriptor/workload-creator/effective
  case_id: workload-creator-derived-execution
  descriptor_class: effective_access
  subject: serviceaccount:tenant-a:job-runner
  organization_relation: customer-operated-automation
  canonical_role: Doer
  scope: namespace:tenant-a
  plane: Runtime
  capabilities:
  - create workload
  - select pod service account
  - influence mounted volumes
  - execute container image
  exposure_mode: mediated-runtime-execution
  lifecycle_state: job-execution
  # Reach is not fixed by RBAC alone; admission and mount behavior decide it.
  conditions:
  - pod admission and service-account mount behavior determine actual reach
  restrictions:
  - effective access must be checked against admission policy and service-account permissions
  # NOTE(review): the admission policy and service-account permissions this
  # depends on are named only generically; native_evidence cites no concrete
  # policy object — confirm whether one should be attached for the case to
  # be evaluable.
  native_evidence:
  - create pods verb
  - pod spec serviceAccountName
  - projected service account token behavior
# Capability derived from the create-pods verb alone (see conditions): the
# subject can run an image of its choosing under a mounted identity and
# read whatever runtime inputs are mounted into it.
- id: descriptor/workload-creator/derived
  case_id: workload-creator-derived-execution
  descriptor_class: derived_capability
  subject: serviceaccount:tenant-a:job-runner
  organization_relation: customer-operated-automation
  canonical_role: Doer
  scope: namespace:tenant-a
  plane: Runtime
  capabilities:
  - execute arbitrary workload image
  - use mounted service account identity
  - read mounted runtime inputs
  exposure_mode: derived-execution-and-identity-use
  lifecycle_state: job-execution
  conditions:
  - derived from create pods permission
  # The three bounding controls named here are the ones whose evidence the
  # induced descriptor asks to be reviewed before the finding is promoted.
  restrictions:
  - must be bounded by admission controls, image policy, and service-account selection rules
  native_evidence:
  - Role/job-runner create pods
# Induced access on the Secret plane: the Runtime-plane grant reaches secret
# and token material only through what the created pod can mount or reach.
# Kept as a candidate finding until the manifests, admission and secret
# references are reviewed (see restrictions).
- id: descriptor/workload-creator/induced
  case_id: workload-creator-derived-execution
  descriptor_class: induced_access
  subject: serviceaccount:tenant-a:job-runner
  organization_relation: customer-operated-automation
  canonical_role: Doer
  scope: namespace:tenant-a
  # Plane changes from Runtime to Secret for this descriptor.
  plane: Secret
  # Both entries are "potential": existence depends on the condition below.
  capabilities:
  - potential secret exposure through mounted volumes
  - potential token exposure through mounted identity
  exposure_mode: induced-secret-and-identity-exposure
  lifecycle_state: job-execution
  conditions:
  - induced path exists only when workload can mount or reach sensitive material
  restrictions:
  - classify as candidate finding until manifests, admission, and secret references are reviewed
  native_evidence:
  - pod volume mounts
  - service account token projection
  - secret references in pod spec
# --- case: cluster-secret-reader -----------------------------------------
# Declared cluster-wide Secret read for a platform service account, bound
# by a ClusterRoleBinding. This is the only cluster-scoped descriptor in
# the set; the restriction ties acceptance to governance review and audit
# evidence.
- id: descriptor/cluster-secret-reader/declared
  case_id: cluster-secret-reader
  descriptor_class: declared_access
  subject: serviceaccount:platform:inventory
  organization_relation: platform-service-provider
  canonical_role: Auditor
  scope: cluster
  plane: Secret
  capabilities:
  - get secrets
  - list secrets
  - watch secrets
  exposure_mode: sensitive-data-read
  lifecycle_state: operational-inventory
  conditions:
  - bound by ClusterRoleBinding
  restrictions:
  - requires governance review and audit evidence
  # NOTE(review): the restriction asks for audit evidence, but native_evidence
  # cites only the RBAC objects — confirm whether the review/audit artifact
  # is expected to be listed here once it exists.
  native_evidence:
  - ClusterRole/secret-reader
  - ClusterRoleBinding/inventory-secret-reader
  - ServiceAccount/inventory
# --- case: namespace-as-tenant-boundary ----------------------------------
# The subject here is a governance claim, not a principal: the assertion
# that namespace tenant-a isolates a tenant. The descriptor records what the
# claim would need to be supported by and states that the namespace alone
# is not sufficient evidence.
- id: descriptor/namespace-boundary/review
  case_id: namespace-as-tenant-boundary
  # NOTE(review): the id suffix is "review" while the class is
  # effective_access; the other descriptors suffix the id with the class —
  # confirm this is intentional.
  descriptor_class: effective_access
  subject: tenant-boundary-claim:tenant-a
  # NOTE(review): "platform-provider" differs from the "platform-service-provider"
  # used by the cluster-secret-reader descriptor — confirm whether both are
  # distinct vocabulary entries or one should be normalized.
  organization_relation: platform-provider
  canonical_role: Governor
  scope: namespace:tenant-a
  plane: Policy
  capabilities:
  - claim tenant isolation
  - review access and runtime boundaries
  exposure_mode: governance-claim
  lifecycle_state: design-review
  # Five evidence families the claim must be backed by.
  conditions:
  - claim must be supported by access, network, runtime, data, and governance evidence
  restrictions:
  - namespace alone is insufficient evidence
  native_evidence:
  - Namespace/tenant-a
  - RoleBinding set
  - NetworkPolicy set
  - ResourceQuota set