generated from coulomb/repo-seed
88 lines
3.6 KiB
YAML
id: benchmark/caring/kubernetes-rbac/native-concepts
title: Kubernetes RBAC Native Concept Map
status: candidate
benchmark: benchmark/caring/kubernetes-rbac
namespace_tenant_boundary_warning: true
concepts:
  - native: Role
    category: rule-bundle
    native_scope: namespace
    caring_mapping: CARINGCapabilityProfile
    canon_mappings:
      - model/access-control:PermissionSet
      - model/governance:Policy
    notes: A Role defines permissions within one namespace and is not automatically a CARINGCanonicalRole.
  - native: ClusterRole
    category: rule-bundle
    native_scope: cluster
    caring_mapping: CARINGCapabilityProfile
    canon_mappings:
      - model/access-control:PermissionSet
      - model/governance:Policy
    notes: A ClusterRole can define cluster-scoped permissions or reusable rule bundles for namespace bindings.
  - native: RoleBinding
    category: assignment
    native_scope: namespace
    caring_mapping: CARINGDeclaredAccessMap
    canon_mappings:
      - model/access-control:Grant
      - model/governance:AssignmentDecision
    notes: A RoleBinding grants a Role or ClusterRole to subjects within a namespace.
  - native: ClusterRoleBinding
    category: assignment
    native_scope: cluster
    caring_mapping: CARINGDeclaredAccessMap
    canon_mappings:
      - model/access-control:Grant
      - model/governance:AssignmentDecision
    notes: A ClusterRoleBinding grants a ClusterRole across cluster scope.
  - native: ServiceAccount
    category: service-subject
    native_scope: namespace
    caring_mapping: Subject
    canon_mappings:
      - model/access-control:Subject
      - model/organization:Service
      - model/devsecops:WorkloadIdentity
    notes: A ServiceAccount is a service subject and workload identity anchor, not a human actor.
  - native: Namespace
    category: scope-signal
    native_scope: namespace
    caring_mapping: Scope
    canon_mappings:
      - model/landscape:RuntimeContainment
      - model/access-control:ResourceScope
      - model/network:SegmentationContext
    notes: A Namespace is not automatically a tenant boundary; tenant isolation needs supporting access, network, data, and governance evidence.
  - native: Verb
    category: action
    native_scope: rule
    caring_mapping: Capability
    canon_mappings:
      - model/access-control:Action
      - standard/caring:CARINGCapabilityProfile
    notes: Verbs such as get, list, watch, create, update, patch, delete, bind, impersonate, and escalate must be interpreted by resource and scope.
  - native: Resource
    category: target
    native_scope: api-group
    caring_mapping: Scope
    canon_mappings:
      - model/access-control:Resource
      - model/landscape:RuntimeResource
      - model/data:ProtectedInformationAsset
    notes: Resources such as pods, secrets, roles, rolebindings, and serviceaccounts carry different exposure and derived-capability implications.
  - native: Scope
    category: boundary
    native_scope: namespace-or-cluster
    caring_mapping: Scope
    canon_mappings:
      - model/access-control:ResourceScope
      - model/landscape:LandscapeScope
      - model/governance:GovernanceScope
    notes: Kubernetes scope must be declared explicitly as namespace, cluster, API group, resource, and optionally tenant claim with evidence.
mapping_constraints:
  - Kubernetes native names are preserved as source semantics.
  - CARING canonical roles are assigned only after analyzing lifecycle responsibility posture.
  - Namespace tenancy is a reviewable claim, not a default mapping.
  - Effective access must include controller-mediated and workload-mediated paths where relevant.