generated from coulomb/repo-seed
103 lines
4.4 KiB
YAML
id: benchmark/caring/kubernetes-rbac
title: CARING Kubernetes RBAC Benchmark
status: candidate
standard: standard/caring
created_by_workplan: ITC-WP-0010
purpose: Stress-test CARING descriptor shape against Kubernetes RBAC without treating Kubernetes native names as canon roles.
source_corpus:
  - id: kubernetes-rbac-reference
    title: Kubernetes RBAC Reference
    source_type: vendor-documentation
    url: https://kubernetes.io/docs/reference/access-authn-authz/rbac/
    role: primary-native-model-reference
  - id: kubernetes-service-account-concepts
    title: Kubernetes Service Accounts
    source_type: vendor-documentation
    url: https://kubernetes.io/docs/concepts/security/service-accounts/
    role: workload-identity-reference
  - id: local-caring-standard
    title: InfoTechCanon CARING Access Governance Standard
    source_type: canon-standard
    path: standards/caring/InfoTechCanonCaringAccessGovernanceStandard.md
    role: descriptor-vocabulary
cases:
  - id: namespace-pod-reader
    title: Namespace-Scoped Pod Reader
    native_objects:
      - Role
      - RoleBinding
      - ServiceAccount
      - Namespace
    stress_focus:
      - declared-access
      - scope-mapping
      - native-role-warning
    expected_outputs:
      - Role maps to a scoped capability profile over get/list/watch pods.
      - RoleBinding maps to a grant from subject to capability profile.
      - Namespace is recorded as Kubernetes scope, not tenant boundary.
  - id: workload-creator-derived-execution
    title: Workload Creator With Derived Execution Capability
    native_objects:
      - Role
      - RoleBinding
      - ServiceAccount
      - Pod
      - Secret
    stress_focus:
      - declared-access
      - effective-access
      - derived-capability
      - induced-access
    expected_outputs:
      - Create pod is declared as workload creation access.
      - Execute workload is derived from the ability to create pods.
      - Mounted service-account and secret exposure are induced access candidates.
  - id: cluster-secret-reader
    title: ClusterRole Secret Reader
    native_objects:
      - ClusterRole
      - ClusterRoleBinding
      - ServiceAccount
      - Secret
    stress_focus:
      - cluster-scope
      - exposure-mode
      - governance-review
    expected_outputs:
      - ClusterRole maps to cluster-scoped data exposure capability.
      - ClusterRoleBinding broadens scope beyond a namespace.
      - Secret read access produces security and governance findings.
  - id: namespace-as-tenant-boundary
    title: Namespace Used As Tenant Boundary Claim
    native_objects:
      - Namespace
      - Role
      - RoleBinding
      - NetworkPolicy
      - ResourceQuota
    stress_focus:
      - tenant-boundary-warning
      - cross-model-evidence
      - review-criteria
    expected_outputs:
      - Namespace alone cannot prove tenant isolation.
      - Tenant-boundary claim requires access, network, data, runtime, and governance evidence.
      - Missing evidence creates a canon pressure finding instead of an approved boundary claim.
expected_outputs:
  - Native concept map covering Role, ClusterRole, RoleBinding, ClusterRoleBinding, ServiceAccount, Namespace, verbs, resources, and scopes.
  - CARING mapping that separates native role objects from canonical roles, capability profiles, grants, scopes, planes, and exposure modes.
  - Access descriptors that distinguish declared access, effective access, derived capability, and induced access.
  - Findings that identify gaps, conflicts, and proposed canon changes without changing standards silently.
review_criteria:
  - id: descriptor-completeness
    criterion: Every benchmark case has at least one CARING access descriptor with subject, scope, plane, capabilities, exposure mode, lifecycle state, and native evidence.
  - id: native-role-warning
    criterion: Kubernetes Role and ClusterRole are never accepted as CARINGCanonicalRole without an explicit mapping rationale.
  - id: namespace-boundary-check
    criterion: Namespace isolation is treated as a claim requiring evidence, not as a tenant boundary by default.
  - id: effective-access-analysis
    criterion: Create or update workload permissions are reviewed for derived execution, mounted identity, secret, and volume exposure.
  - id: canon-pressure-routing
    criterion: Gaps become reviewable proposed changes, tasks, or open questions rather than immediate model changes.