info-tech-canon/infospace/standards/caring/benchmarks/kubernetes-rbac/caring-mapping.yaml
id: benchmark/caring/kubernetes-rbac/caring-mapping
title: Kubernetes RBAC To CARING Mapping
status: candidate
benchmark: benchmark/caring/kubernetes-rbac
namespace_tenant_boundary_warning: true
mappings:
  - native_concept: Role
    caring_dimension: capability_profile
    canon_targets:
      - standard/caring:CARINGCapabilityProfile
      - model/access-control:Permission
      - model/governance:Policy
    mapping_rule: Interpret Role rules as scoped capability bundles over verbs, resources, API groups, and resource names.
  - native_concept: ClusterRole
    caring_dimension: capability_profile
    canon_targets:
      - standard/caring:CARINGCapabilityProfile
      - model/access-control:Permission
      - model/governance:Policy
    mapping_rule: Interpret ClusterRole rules as cluster-scope or reusable capability bundles; do not infer organization responsibility.
  - native_concept: RoleBinding
    caring_dimension: declared_access
    canon_targets:
      - standard/caring:CARINGDeclaredAccessMap
      - model/access-control:Grant
      - model/governance:Decision
    mapping_rule: Bind subject to a Role or ClusterRole within the RoleBinding namespace.
  - native_concept: ClusterRoleBinding
    caring_dimension: declared_access
    canon_targets:
      - standard/caring:CARINGDeclaredAccessMap
      - model/access-control:Grant
      - model/governance:Decision
    mapping_rule: Bind subject to a ClusterRole at cluster scope.
  - native_concept: ServiceAccount
    caring_dimension: subject
    canon_targets:
      - model/access-control:Subject
      - model/devsecops:WorkloadIdentity
      - model/organization:Service
    mapping_rule: Treat ServiceAccount as a service subject; map workload use separately as effective or induced access.
  - native_concept: Namespace
    caring_dimension: scope
    canon_targets:
      - model/access-control:ResourceScope
      - model/landscape:RuntimeContainment
      - model/network:SegmentationContext
    mapping_rule: Use Namespace as a Kubernetes scope signal; require additional evidence before mapping it to TenantBoundary.
  - native_concept: Verb
    caring_dimension: capability
    canon_targets:
      - model/access-control:Action
      - standard/caring:CARINGCapabilityProfile
    mapping_rule: Interpret verbs in combination with resources, because `create` on pods and `get` on secrets have different exposure consequences.
  - native_concept: Resource
    caring_dimension: scope
    canon_targets:
      - model/access-control:Resource
      - model/landscape:RuntimeResource
      - model/security:ExposureTarget
    mapping_rule: Map resources to access targets and then evaluate exposure, derived capability, and plane.
  - native_concept: Scope
    caring_dimension: scope
    canon_targets:
      - model/access-control:ResourceScope
      - model/landscape:LandscapeScope
      - model/governance:GovernanceScope
    mapping_rule: Preserve namespace, cluster, API group, resource, and resourceName boundaries as separate scope facets.
analysis_rules:
  - id: native-role-warning
    rule: Do not map Role or ClusterRole to CARINGCanonicalRole without an explicit lifecycle-responsibility rationale.
  - id: declared-to-effective
    rule: Translate bindings into declared access first, then test workload, controller, service-account, secret, and volume paths for effective access.
  - id: derived-workload-execution
    rule: Permissions that create or update workload specs may imply derived execution and mounted identity capabilities.
  - id: secret-exposure
    rule: Permissions over secrets, pods, serviceaccounts, roles, rolebindings, or escalation verbs require security and governance review.
  - id: namespace-tenant-boundary
    rule: Namespace isolation claims require evidence from access control, runtime configuration, network policy, data isolation, and governance ownership.
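The declared-to-effective, derived-workload-execution and secret-exposure rules above, applied to a constructed set of RBAC objects. This is an added example, not code from the canon repository or the CARING standard; the RBAC object shapes follow the Kubernetes API, while the flag names (`security-governance-review`, `derived-workload-execution`) and the sample ClusterRole and RoleBinding are this example's own.

```python
# Added example, not part of the canon repository: applies the analysis_rules above
# to constructed Kubernetes RBAC objects (real API shapes; the flag names are mine).
from typing import Dict, List, Set

SENSITIVE = {"secrets", "pods", "serviceaccounts", "roles", "rolebindings"}
ESCALATION_VERBS = {"escalate", "bind", "impersonate"}  # RBAC escalation verbs
WORKLOADS = {"pods", "deployments", "daemonsets", "statefulsets", "jobs", "cronjobs"}

def declared_access(roles: List[dict], bindings: List[dict]) -> Dict[str, List[dict]]:
    """declared-to-effective, step 1: subject -> granted rules, with the binding's
    namespace kept as a separate scope facet."""
    by_ref = {(r["kind"], r["metadata"].get("namespace", ""), r["metadata"]["name"]): r for r in roles}
    access: Dict[str, List[dict]] = {}
    for b in bindings:
        ref, ns = b["roleRef"], b["metadata"].get("namespace", "")  # Role refs resolve in this ns
        role = by_ref.get((ref["kind"], ns if ref["kind"] == "Role" else "", ref["name"]))
        if role is None:  # a dangling binding grants nothing
            continue
        scope = ns if b["kind"] == "RoleBinding" else "*"  # RoleBinding confines even a ClusterRole
        for s in b.get("subjects", []):
            key = f'{s["kind"]}/{s.get("namespace", "")}/{s["name"]}'
            for rule in role.get("rules", []):
                access.setdefault(key, []).append({"scope": scope, **rule})
    return access

def review_flags(rules: List[dict]) -> Set[str]:
    """secret-exposure and derived-workload-execution rules over one subject's rules."""
    flags: Set[str] = set()
    for r in rules:
        verbs, res = set(r.get("verbs", [])), set(r.get("resources", []))
        if verbs & ESCALATION_VERBS or res & SENSITIVE or "*" in verbs | res:
            flags.add("security-governance-review")
        if (verbs & {"create", "update", "patch"} or "*" in verbs) and (res & WORKLOADS or "*" in res):
            flags.add("derived-workload-execution")  # spec writes can run code under a mounted identity
    return flags

ROLES = [  # constructed sample: a ClusterRole that a RoleBinding below confines to one namespace
    {"kind": "ClusterRole", "metadata": {"name": "deployer"}, "rules": [
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["create", "update"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}]},
]
BINDINGS = [
    {"kind": "RoleBinding", "metadata": {"name": "ci-deploy", "namespace": "team-a"},
     "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "team-a"}],
     "roleRef": {"kind": "ClusterRole", "name": "deployer"}},
]

def report() -> Dict[str, Set[str]]:  # subject -> flags; an empty set means no rule fired
    return {s: review_flags(r) for s, r in declared_access(ROLES, BINDINGS).items()}
```

`report()` is only the declared-access half of the declared-to-effective rule; the workload, controller, secret and volume paths it names still have to be checked against the running cluster.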