info-tech-canon/infospace/standards/caring/benchmarks/kubernetes-rbac/native-concepts.yaml

id: benchmark/caring/kubernetes-rbac/native-concepts
title: Kubernetes RBAC Native Concept Map
status: candidate
benchmark: benchmark/caring/kubernetes-rbac
namespace_tenant_boundary_warning: true
concepts:
  - native: Role
    category: rule-bundle
    native_scope: namespace
    caring_mapping: CARINGCapabilityProfile
    canon_mappings:
      - model/access-control:PermissionSet
      - model/governance:Policy
    notes: A Role defines permissions within one namespace and is not automatically a CARINGCanonicalRole.
  - native: ClusterRole
    category: rule-bundle
    native_scope: cluster
    caring_mapping: CARINGCapabilityProfile
    canon_mappings:
      - model/access-control:PermissionSet
      - model/governance:Policy
    notes: A ClusterRole can define cluster-scoped permissions or serve as a reusable rule bundle that RoleBindings grant inside a single namespace.
  - native: RoleBinding
    category: assignment
    native_scope: namespace
    caring_mapping: CARINGDeclaredAccessMap
    canon_mappings:
      - model/access-control:Grant
      - model/governance:AssignmentDecision
    notes: A RoleBinding grants a Role or a ClusterRole to subjects; even when it references a ClusterRole, the granted permissions apply only within the RoleBinding's namespace.
  - native: ClusterRoleBinding
    category: assignment
    native_scope: cluster
    caring_mapping: CARINGDeclaredAccessMap
    canon_mappings:
      - model/access-control:Grant
      - model/governance:AssignmentDecision
    notes: A ClusterRoleBinding grants a ClusterRole (never a Role) at cluster scope, covering every namespace and all cluster-scoped resources.
  - native: ServiceAccount
    category: service-subject
    native_scope: namespace
    caring_mapping: Subject
    canon_mappings:
      - model/access-control:Subject
      - model/organization:Service
      - model/devsecops:WorkloadIdentity
    notes: A ServiceAccount is a service subject and workload identity anchor, not a human actor; any pod running as it inherits its grants.
  - native: Namespace
    category: scope-signal
    native_scope: namespace
    caring_mapping: Scope
    canon_mappings:
      - model/landscape:RuntimeContainment
      - model/access-control:ResourceScope
      - model/network:SegmentationContext
    notes: A Namespace is not automatically a tenant boundary; tenant isolation needs supporting access, network, data, and governance evidence.
  - native: Verb
    category: action
    native_scope: rule
    caring_mapping: Capability
    canon_mappings:
      - model/access-control:Action
      - standard/caring:CARINGCapabilityProfile
    notes: Verbs such as get, list, watch, create, update, patch, delete, bind, impersonate, and escalate must be interpreted by resource and scope; bind and escalate on roles or clusterroles and impersonate on users, groups, or serviceaccounts yield derived capability rather than plain data access.
  - native: Resource
    category: target
    native_scope: api-group
    caring_mapping: Scope
    canon_mappings:
      - model/access-control:Resource
      - model/landscape:RuntimeResource
      - model/data:ProtectedInformationAsset
    notes: Resources such as pods, secrets, roles, rolebindings, and serviceaccounts carry different exposure and derived-capability implications.
  - native: Scope
    category: boundary
    native_scope: namespace-or-cluster
    caring_mapping: Scope
    canon_mappings:
      - model/access-control:ResourceScope
      - model/landscape:LandscapeScope
      - model/governance:GovernanceScope
    notes: Kubernetes scope must be declared explicitly as namespace or cluster, API group, and resource; any tenant claim is stated separately and must carry evidence.
mapping_constraints:
  - Kubernetes native names are preserved as source semantics.
  - CARING canonical roles are assigned only after analyzing lifecycle responsibility posture.
  - Namespace tenancy is a reviewable claim, not a default mapping.
  - Effective access must include controller-mediated and workload-mediated paths where relevant.
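The scope rules in the concept map (a ClusterRole bound through a RoleBinding is confined to that namespace, a ClusterRoleBinding covers the whole cluster, derived-capability verbs need flagging, and a pod inherits its ServiceAccount's grants) are easiest to check mechanically. The script below is an added example and not part of the CARING benchmark; the Role, binding, and pod objects are constructed inline in the shape of Kubernetes API objects, and the function names (`effective_access`, `pod_access`, `can`) are this example's own.

```python
"""Resolve effective Kubernetes RBAC access per subject with an explicit scope on every grant.

Added example for the native-concept map; not benchmark code. Input objects are constructed.
"""
from collections import defaultdict

# Verbs that confer derived capability rather than plain data access (see the Verb entry).
DERIVED_CAPABILITY_VERBS = {"bind", "escalate", "impersonate"}

# Constructed sample objects, not taken from any real cluster.
ROLES = [
    {"kind": "Role", "metadata": {"namespace": "team-a", "name": "pod-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "secret-reader"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "role-binder"},
     "rules": [{"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterroles"],
                "verbs": ["bind"]}]},
]
BINDINGS = [
    # ClusterRole referenced from a RoleBinding: permissions apply only inside team-a.
    {"kind": "RoleBinding", "metadata": {"namespace": "team-a", "name": "ci-secrets"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-reader"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "team-a", "name": "ci"}]},
    {"kind": "RoleBinding", "metadata": {"namespace": "team-a", "name": "dev-pods"},
     "roleRef": {"kind": "Role", "name": "pod-reader"},
     "subjects": [{"kind": "User", "name": "alice"}]},
    # ClusterRoleBinding: cluster scope, every namespace and cluster-scoped resources.
    {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-binder"},
     "roleRef": {"kind": "ClusterRole", "name": "role-binder"},
     "subjects": [{"kind": "Group", "name": "ops"}]},
]
# Workload-mediated path: a pod runs as a ServiceAccount and inherits its grants.
PODS = [
    {"metadata": {"namespace": "team-a", "name": "ci-runner-1"},
     "spec": {"serviceAccountName": "ci"}},
]


def subject_key(s):
    """ServiceAccounts are namespaced subjects; Users and Groups are not."""
    if s["kind"] == "ServiceAccount":
        return f"ServiceAccount:{s['namespace']}:{s['name']}"
    return f"{s['kind']}:{s['name']}"


def effective_access(roles, bindings):
    """Return {subject: [grant]} where every grant names its scope and the binding path."""
    by_ref = {(r["kind"], r["metadata"].get("namespace"), r["metadata"]["name"]): r for r in roles}
    grants = defaultdict(list)
    for b in bindings:
        ns = b["metadata"].get("namespace")  # None for a ClusterRoleBinding
        ref = b["roleRef"]
        # A Role must live in the binding's namespace; a ClusterRole has no namespace.
        role = by_ref.get((ref["kind"], ns if ref["kind"] == "Role" else None, ref["name"]))
        if role is None:
            continue  # a dangling roleRef grants nothing
        # Scope comes from the binding kind, never from the referenced role kind.
        scope = "cluster" if b["kind"] == "ClusterRoleBinding" else f"namespace:{ns}"
        for rule in role["rules"]:
            for s in b["subjects"]:
                grants[subject_key(s)].append({
                    "scope": scope,
                    "api_groups": tuple(rule.get("apiGroups", [])),
                    "resources": tuple(rule["resources"]),
                    "verbs": tuple(rule["verbs"]),
                    "derived_capability": bool(set(rule["verbs"]) & DERIVED_CAPABILITY_VERBS),
                    "via": f"{b['kind']}/{b['metadata']['name']} -> {ref['kind']}/{ref['name']}",
                })
    return dict(grants)


def pod_access(pods, grants):
    """Map each pod to the grants it inherits through its ServiceAccount ('default' if unset)."""
    out = {}
    for p in pods:
        ns = p["metadata"]["namespace"]
        sa = p["spec"].get("serviceAccountName", "default")
        out[f"{ns}/{p['metadata']['name']}"] = grants.get(f"ServiceAccount:{ns}:{sa}", [])
    return out


def _matches(wanted, allowed):
    return "*" in allowed or wanted in allowed


def can(grants, subject, verb, resource, namespace=None):
    """True if a grant covers verb+resource in `namespace` (None means cluster-wide access)."""
    for g in grants.get(subject, []):
        if not (_matches(verb, g["verbs"]) and _matches(resource, g["resources"])):
            continue
        if g["scope"] == "cluster" or g["scope"] == f"namespace:{namespace}":
            return True
    return False


if __name__ == "__main__":
    grants = effective_access(ROLES, BINDINGS)
    for subj, gs in sorted(grants.items()):
        for g in gs:
            flag = " [derived-capability]" if g["derived_capability"] else ""
            print(f"{subj}: {g['scope']} {g['resources']} {g['verbs']} via {g['via']}{flag}")
    for pod, gs in pod_access(PODS, grants).items():
        print(f"pod {pod} inherits {len(gs)} grant(s) via its ServiceAccount")
```

Running it shows the `ci` ServiceAccount reading secrets only in `team-a` despite being bound to a ClusterRole, the `ops` group holding a cluster-wide `bind` grant flagged as derived capability, and the pod inheriting the ServiceAccount's grant. Aggregated ClusterRoles and non-resource URLs are not modelled here; a production resolver has to add both.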