info-tech-canon/infospace/standards/caring/benchmarks/kubernetes-rbac/access-descriptors.yaml


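---
# CARING access descriptors for the kubernetes-rbac benchmark.
# Each entry under `descriptors` records one access relationship for a
# benchmark case (`case_id`), classified by `descriptor_class`, together
# with the conditions, restrictions and native Kubernetes evidence that
# support the claim.
id: benchmark/caring/kubernetes-rbac/access-descriptors
title: Kubernetes RBAC CARING Access Descriptors
status: candidate
benchmark: benchmark/caring/kubernetes-rbac

# The set of `descriptor_class` values used by the entries below.
descriptor_classes:
  - declared_access
  - effective_access
  - derived_capability
  - induced_access

descriptors:
  # namespace-pod-reader: read-only pod access, bound in a single namespace.
  - id: descriptor/namespace-pod-reader/declared
    case_id: namespace-pod-reader
    descriptor_class: declared_access
    subject: serviceaccount:tenant-a:report-viewer
    organization_relation: customer-operated-service
    canonical_role: Viewer
    scope: namespace:tenant-a
    plane: Runtime
    capabilities:
      - get pods
      - list pods
      - watch pods
    exposure_mode: metadata-and-runtime-state
    lifecycle_state: steady-state-observation
    conditions:
      - bound by RoleBinding in namespace tenant-a
    restrictions:
      - no pod mutation
      - no secret read
      - namespace is not accepted as tenant boundary without additional evidence
    native_evidence:
      - Role/report-viewer
      - RoleBinding/report-viewer-binding
      - ServiceAccount/report-viewer

  # workload-creator-derived-execution: the next four descriptors follow one
  # subject from its declared RBAC verbs (declared) through what those verbs
  # reach at runtime (effective, derived) to the Secret-plane exposure they
  # can induce. The induced entry is kept as a candidate finding until the
  # reviews named in its restrictions are done.
  - id: descriptor/workload-creator/declared
    case_id: workload-creator-derived-execution
    descriptor_class: declared_access
    subject: serviceaccount:tenant-a:job-runner
    organization_relation: customer-operated-automation
    canonical_role: Doer
    scope: namespace:tenant-a
    plane: Runtime
    capabilities:
      - create pods
      - get pods
      - delete pods
    exposure_mode: workload-specification-control
    lifecycle_state: job-execution
    conditions:
      - bound by RoleBinding in namespace tenant-a
    restrictions:
      - no direct secret get/list/watch declared
    native_evidence:
      - Role/job-runner
      - RoleBinding/job-runner-binding
      - ServiceAccount/job-runner

  - id: descriptor/workload-creator/effective
    case_id: workload-creator-derived-execution
    descriptor_class: effective_access
    subject: serviceaccount:tenant-a:job-runner
    organization_relation: customer-operated-automation
    canonical_role: Doer
    scope: namespace:tenant-a
    plane: Runtime
    capabilities:
      - create workload
      - select pod service account
      - influence mounted volumes
      - execute container image
    exposure_mode: mediated-runtime-execution
    lifecycle_state: job-execution
    conditions:
      - pod admission and service-account mount behavior determine actual reach
    restrictions:
      - effective access must be checked against admission policy and service-account permissions
    native_evidence:
      - create pods verb
      - pod spec serviceAccountName
      - projected service account token behavior

  - id: descriptor/workload-creator/derived
    case_id: workload-creator-derived-execution
    descriptor_class: derived_capability
    subject: serviceaccount:tenant-a:job-runner
    organization_relation: customer-operated-automation
    canonical_role: Doer
    scope: namespace:tenant-a
    plane: Runtime
    capabilities:
      - execute arbitrary workload image
      - use mounted service account identity
      - read mounted runtime inputs
    exposure_mode: derived-execution-and-identity-use
    lifecycle_state: job-execution
    conditions:
      - derived from create pods permission
    restrictions:
      - must be bounded by admission controls, image policy, and service-account selection rules
    native_evidence:
      - Role/job-runner create pods

  # Secret plane: exposure that is only induced, never declared in RBAC.
  - id: descriptor/workload-creator/induced
    case_id: workload-creator-derived-execution
    descriptor_class: induced_access
    subject: serviceaccount:tenant-a:job-runner
    organization_relation: customer-operated-automation
    canonical_role: Doer
    scope: namespace:tenant-a
    plane: Secret
    capabilities:
      - potential secret exposure through mounted volumes
      - potential token exposure through mounted identity
    exposure_mode: induced-secret-and-identity-exposure
    lifecycle_state: job-execution
    conditions:
      - induced path exists only when workload can mount or reach sensitive material
    restrictions:
      - classify as candidate finding until manifests, admission, and secret references are reviewed
    native_evidence:
      - pod volume mounts
      - service account token projection
      - secret references in pod spec

  # cluster-secret-reader: cluster-wide secret read, bound by ClusterRoleBinding.
  - id: descriptor/cluster-secret-reader/declared
    case_id: cluster-secret-reader
    descriptor_class: declared_access
    subject: serviceaccount:platform:inventory
    organization_relation: platform-service-provider
    canonical_role: Auditor
    scope: cluster
    plane: Secret
    capabilities:
      - get secrets
      - list secrets
      - watch secrets
    exposure_mode: sensitive-data-read
    lifecycle_state: operational-inventory
    conditions:
      - bound by ClusterRoleBinding
    restrictions:
      - requires governance review and audit evidence
    native_evidence:
      - ClusterRole/secret-reader
      - ClusterRoleBinding/inventory-secret-reader
      - ServiceAccount/inventory

  # namespace-as-tenant-boundary: the subject is a governance claim, not a
  # Kubernetes principal; the descriptor records what evidence the claim needs.
  - id: descriptor/namespace-boundary/review
    case_id: namespace-as-tenant-boundary
    descriptor_class: effective_access
    subject: tenant-boundary-claim:tenant-a
    organization_relation: platform-provider
    canonical_role: Governor
    scope: namespace:tenant-a
    plane: Policy
    capabilities:
      - claim tenant isolation
      - review access and runtime boundaries
    exposure_mode: governance-claim
    lifecycle_state: design-review
    conditions:
      - claim must be supported by access, network, runtime, data, and governance evidence
    restrictions:
      - namespace alone is insufficient evidence
    native_evidence:
      - Namespace/tenant-a
      - RoleBinding set
      - NetworkPolicy set
      - ResourceQuota set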