generated from coulomb/repo-seed
---
id: ITC-WP-0010
type: workplan
title: "CARING Kubernetes RBAC Benchmark"
domain: canon
repo: info-tech-canon
status: finished
priority: medium
created: "2026-05-23"
updated: "2026-05-23"
depends_on_workplans:
- ITC-WP-0003
- ITC-WP-0005
state_hub_workstream_id: "b64f0fc9-8668-4c02-8247-67a41660bdeb"
---

# ITC-WP-0010 - CARING Kubernetes RBAC Benchmark

## Goal

Create a distinct benchmark workplan for analyzing Kubernetes RBAC through
CARING and the wider InfoTechCanon kernel.

## Intent

This is deliberately separate from the small SaaS proof. The benchmark is more
ambitious and should stress orthogonality across Access Control, Organization,
Governance, Security, Network, DevSecOps, Observability, Task, and Tagging.

## Tasks

### T01 - Benchmark workspace

```task
id: ITC-WP-0010-T01
status: done
priority: high
state_hub_task_id: "9ad31e13-7dc2-469c-b539-d3375a16c5f4"
```

- Create `infospace/standards/caring/benchmarks/kubernetes-rbac/`.
- Define source corpus, cases, expected outputs, and review criteria.

### T02 - RBAC assimilation

```task
id: ITC-WP-0010-T02
status: done
priority: high
state_hub_task_id: "180d7ccf-7daa-4f4c-a92a-641ef5d7b442"
```

- Map Kubernetes Role, ClusterRole, RoleBinding, ClusterRoleBinding,
  ServiceAccount, Namespace, verbs, resources, and scopes.
- Preserve the warning that Namespace is not automatically a tenant boundary.

### T03 - CARING access descriptors

```task
id: ITC-WP-0010-T03
status: done
priority: high
state_hub_task_id: "4ffd6643-a7ab-487c-a09a-0fcaf0115c83"
```

- Express benchmark cases as CARING access descriptors.
- Distinguish declared access, effective access, derived capability, and
  induced access.

### T04 - Findings and canon pressure

```task
id: ITC-WP-0010-T04
status: done
priority: medium
state_hub_task_id: "52632a4c-6e03-4212-ad6b-0cbb7b3a6e42"
```

- Produce gaps, conflicts, mappings, and proposed canon changes.
- Feed stable findings back into models and standards through explicit tasks.

## Acceptance

- Kubernetes RBAC is analyzed as a benchmark, not as a shortcut profile.
- CARING descriptor shape is tested with practical examples.
- Benchmark findings produce explicit canon change proposals.

## Implementation Notes

- Created `infospace/standards/caring/benchmarks/kubernetes-rbac/` as a
  distinct benchmark workspace.
- Added benchmark workspace, native concept map, CARING mapping, descriptor
  set, and findings/canon-pressure artifacts.
- Registered all benchmark artifacts in the artifact index and retrieval
  generation flow.
- Added structural validation for the benchmark corpus, Kubernetes RBAC native
  concept coverage, namespace tenant-boundary warning, CARING descriptor
  classes, and findings/proposals.
- Regenerated agent briefs, indexes, tree views, and validation output.