generated from coulomb/repo-seed
80 lines
3.8 KiB
YAML
id: benchmark/caring/kubernetes-rbac/caring-mapping
title: Kubernetes RBAC to CARING Mapping
status: candidate
benchmark: benchmark/caring/kubernetes-rbac
namespace_tenant_boundary_warning: true
mappings:
  - native_concept: Role
    caring_dimension: capability_profile
    canon_targets:
      - standard/caring:CARINGCapabilityProfile
      - model/access-control:Permission
      - model/governance:Policy
    mapping_rule: Interpret Role rules as namespace-scoped capability bundles over verbs, resources, API groups, and resource names.
  - native_concept: ClusterRole
    caring_dimension: capability_profile
    canon_targets:
      - standard/caring:CARINGCapabilityProfile
      - model/access-control:Permission
      - model/governance:Policy
    mapping_rule: Interpret ClusterRole rules as cluster-scope or reusable capability bundles; do not infer organization responsibility from them.
  - native_concept: RoleBinding
    caring_dimension: declared_access
    canon_targets:
      - standard/caring:CARINGDeclaredAccessMap
      - model/access-control:Grant
      - model/governance:Decision
    mapping_rule: Bind subject to a Role or ClusterRole; even when a ClusterRole is referenced, the grant is limited to the RoleBinding namespace.
  - native_concept: ClusterRoleBinding
    caring_dimension: declared_access
    canon_targets:
      - standard/caring:CARINGDeclaredAccessMap
      - model/access-control:Grant
      - model/governance:Decision
    mapping_rule: Bind subject to a ClusterRole at cluster scope; a ClusterRoleBinding cannot reference a namespaced Role.
  - native_concept: ServiceAccount
    caring_dimension: subject
    canon_targets:
      - model/access-control:Subject
      - model/devsecops:WorkloadIdentity
      - model/organization:Service
    mapping_rule: Treat ServiceAccount as a service subject; map its use by workloads separately as effective or induced access.
  - native_concept: Namespace
    caring_dimension: scope
    canon_targets:
      - model/access-control:ResourceScope
      - model/landscape:RuntimeContainment
      - model/network:SegmentationContext
    mapping_rule: Use Namespace as a Kubernetes scope signal; require additional evidence before mapping it to TenantBoundary.
  - native_concept: Verb
    caring_dimension: capability
    canon_targets:
      - model/access-control:Action
      - standard/caring:CARINGCapabilityProfile
    mapping_rule: Interpret verbs in combination with resources; create on pods and get on secrets have different exposure consequences.
  - native_concept: Resource
    caring_dimension: scope
    canon_targets:
      - model/access-control:Resource
      - model/landscape:RuntimeResource
      - model/security:ExposureTarget
    mapping_rule: Map resources to access targets, then evaluate exposure, derived capability, and plane.
  - native_concept: Scope
    caring_dimension: scope
    canon_targets:
      - model/access-control:ResourceScope
      - model/landscape:LandscapeScope
      - model/governance:GovernanceScope
    mapping_rule: Preserve namespace, cluster, API group, resource, and resourceName boundaries as separate scope facets.
analysis_rules:
  - id: native-role-warning
    rule: Do not map Role or ClusterRole to CARINGCanonicalRole without an explicit lifecycle-responsibility rationale.
  - id: declared-to-effective
    rule: Translate bindings into declared access first, then test workload, controller, service-account, secret, and volume paths for effective access.
  - id: derived-workload-execution
    rule: Permissions that create or update workload specs (pods and pod-template controllers) may imply derived execution and mounted ServiceAccount identity capabilities.
  - id: secret-exposure
    rule: Permissions over secrets, pods, serviceaccounts, roles, rolebindings, or the escalation verbs (escalate, bind, impersonate) require security and governance review.
  - id: namespace-tenant-boundary
    rule: Namespace isolation claims require evidence from access control, runtime configuration, network policy, data isolation, and governance ownership.
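The following is an added worked example, not code from the coulomb/repo-seed benchmark: it implements the declared-access half of the declared-to-effective rule (bindings expanded per subject with each scope facet kept separate, as the Scope mapping requires) and then applies the secret-exposure and derived-workload-execution rules to the result. The RBAC objects are constructed sample manifests expressed as Python dicts standing in for parsed YAML; the resource and verb sets are this example's own reading of the rules above, and the "effective access" step (workload, volume and controller paths) is deliberately not attempted here.

```python
"""Added example: Kubernetes RBAC objects -> CARING-style declared access -> review findings.
Not part of the coulomb/repo-seed benchmark; the sample objects below are constructed."""
from dataclasses import dataclass

# RBAC verbs that let a subject gain or confer rights beyond its own grants.
ESCALATION_VERBS = {"escalate", "bind", "impersonate"}
# Resources named by the secret-exposure rule (RBAC objects in both scopes).
SENSITIVE_RESOURCES = {"secrets", "pods", "serviceaccounts", "roles", "rolebindings",
                       "clusterroles", "clusterrolebindings"}
# Objects that carry a pod template: writing them runs code and mounts an identity.
WORKLOAD_RESOURCES = {"pods", "deployments", "daemonsets", "statefulsets",
                      "replicasets", "jobs", "cronjobs"}
WRITE_VERBS = {"create", "update", "patch"}


@dataclass(frozen=True)
class DeclaredAccess:
    """One declared grant; scope facets are kept separate (Scope mapping rule)."""
    subject: str            # "Kind:name" or "ServiceAccount:namespace/name"
    scope: str              # "namespace:<ns>" or "cluster"
    api_group: str          # "" is the core API group
    resource: str           # may carry a subresource, e.g. "pods/exec"
    resource_names: tuple   # () means every object of that resource
    verb: str
    via: str                # the binding that produced this grant


def _subject_key(s):
    ns = s.get("namespace")
    return f"{s['kind']}:{ns}/{s['name']}" if ns else f"{s['kind']}:{s['name']}"


def _object_key(kind, ns, name):
    return (kind, ns if kind == "Role" else None, name)


def declared_access(objects):
    """Translate bindings into declared access (first step of declared-to-effective)."""
    roles = {_object_key(o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"]): o
             for o in objects if o["kind"] in ("Role", "ClusterRole")}
    grants = []
    for b in objects:
        if b["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref, meta = b["roleRef"], b["metadata"]
        if b["kind"] == "RoleBinding":
            # A RoleBinding may reference a ClusterRole, but the grant stays in its namespace.
            scope = f"namespace:{meta['namespace']}"
            key = _object_key(ref["kind"], meta["namespace"], ref["name"])
            via = f"RoleBinding:{meta['namespace']}/{meta['name']}"
        else:
            if ref["kind"] != "ClusterRole":
                raise ValueError(f"ClusterRoleBinding {meta['name']} must reference a ClusterRole")
            scope = "cluster"
            key = _object_key("ClusterRole", None, ref["name"])
            via = f"ClusterRoleBinding:{meta['name']}"
        role = roles.get(key)
        if role is None:
            continue  # dangling roleRef: the API server grants nothing for it
        for s in b.get("subjects", []):
            for rule in role.get("rules", []):
                for group in rule.get("apiGroups", [""]):
                    for res in rule.get("resources", []):
                        for verb in rule.get("verbs", []):
                            grants.append(DeclaredAccess(_subject_key(s), scope, group, res,
                                                         tuple(rule.get("resourceNames", [])),
                                                         verb, via))
    return grants


def review_findings(grants):
    """Apply the secret-exposure and derived-workload-execution rules to declared access."""
    findings = []
    for g in grants:
        base = g.resource.split("/", 1)[0]          # "pods/exec" -> "pods"
        sensitive = base == "*" or base in SENSITIVE_RESOURCES or g.verb in ESCALATION_VERBS
        writes_workload = ((base == "*" or base in WORKLOAD_RESOURCES)
                           and (g.verb == "*" or g.verb in WRITE_VERBS))
        if sensitive:
            findings.append(("secret-exposure", g))
        if writes_workload:
            findings.append(("derived-workload-execution", g))
    return findings


# Constructed sample manifests (dicts standing in for parsed YAML); not from any real cluster.
SAMPLE_OBJECTS = [
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "Role", "metadata": {"namespace": "ci", "name": "ci-deployer"},
     "rules": [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["create", "update", "patch"]},
               {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
               {"apiGroups": [""], "resources": ["configmaps"], "resourceNames": ["build-config"], "verbs": ["get"]}]},
    {"kind": "RoleBinding", "metadata": {"namespace": "ci", "name": "builder-reads-secrets"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "ci", "name": "builder"}]},
    {"kind": "RoleBinding", "metadata": {"namespace": "ci", "name": "builder-deploys"},
     "roleRef": {"kind": "Role", "name": "ci-deployer"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "ci", "name": "builder"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-read-secrets"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "Group", "name": "ops-admins"}]},
]

if __name__ == "__main__":
    for rule_id, g in review_findings(declared_access(SAMPLE_OBJECTS)):
        print(f"{rule_id:28} {g.subject:28} {g.scope:14} {g.verb:7} {g.api_group or 'core'}/{g.resource}")
```

Running it shows the point of keeping scope facets apart: the same ClusterRole yields namespace-scoped secret reads for the CI ServiceAccount and cluster-scoped reads for the ops group, and the pods/exec grant trips both review rules while the resourceName-restricted configmap read trips neither.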