---
id: ITC-WP-0010
type: workplan
title: "CARING Kubernetes RBAC Benchmark"
domain: canon
repo: info-tech-canon
status: finished
priority: medium
created: "2026-05-23"
updated: "2026-05-23"
depends_on_workplans:
- ITC-WP-0003
- ITC-WP-0005
state_hub_workstream_id: "b64f0fc9-8668-4c02-8247-67a41660bdeb"
---
# ITC-WP-0010 - CARING Kubernetes RBAC Benchmark
## Goal
Create a distinct benchmark workplan for analyzing Kubernetes RBAC through
CARING and the wider InfoTechCanon kernel.
## Intent
This is deliberately separate from the small SaaS proof. The benchmark is more
ambitious and should stress orthogonality across Access Control, Organization,
Governance, Security, Network, DevSecOps, Observability, Task, and Tagging.
## Tasks
### T01 - Benchmark workspace
```task
id: ITC-WP-0010-T01
status: done
priority: high
state_hub_task_id: "9ad31e13-7dc2-469c-b539-d3375a16c5f4"
```
- Create `infospace/standards/caring/benchmarks/kubernetes-rbac/`.
- Define source corpus, cases, expected outputs, and review criteria.
### T02 - RBAC assimilation
```task
id: ITC-WP-0010-T02
status: done
priority: high
state_hub_task_id: "180d7ccf-7daa-4f4c-a92a-641ef5d7b442"
```
- Map Kubernetes Role, ClusterRole, RoleBinding, ClusterRoleBinding,
ServiceAccount, Namespace, verbs, resources, and scopes.
- Preserve the warning that Namespace is not automatically a tenant boundary.
### T03 - CARING access descriptors
```task
id: ITC-WP-0010-T03
status: done
priority: high
state_hub_task_id: "4ffd6643-a7ab-487c-a09a-0fcaf0115c83"
```
- Express benchmark cases as CARING access descriptors.
- Distinguish declared access, effective access, derived capability, and
induced access.
### T04 - Findings and canon pressure
```task
id: ITC-WP-0010-T04
status: done
priority: medium
state_hub_task_id: "52632a4c-6e03-4212-ad6b-0cbb7b3a6e42"
```
- Produce gaps, conflicts, mappings, and proposed canon changes.
- Feed stable findings back into models and standards through explicit tasks.
## Acceptance
- Kubernetes RBAC is analyzed as a benchmark, not as a shortcut profile.
- CARING descriptor shape is tested with practical examples.
- Benchmark findings produce explicit canon change proposals.
## Implementation Notes
- Created `infospace/standards/caring/benchmarks/kubernetes-rbac/` as a
distinct benchmark workspace.
- Added benchmark workspace, native concept map, CARING mapping, descriptor
set, and findings/canon-pressure artifacts.
- Registered all benchmark artifacts in the artifact index and retrieval
generation flow.
- Added structural validation for the benchmark corpus, Kubernetes RBAC native
concept coverage, namespace tenant-boundary warning, CARING descriptor
classes, and findings/proposals.
- Regenerated agent briefs, indexes, tree views, and validation output.