PecsSchemaKubernetesRbac *PECS profile schema for `kubernetes-rbac` environments* Below is a **second-layer PECS profile schema for `kubernetes-rbac` environments**. It specializes the generic PECS schema for systems where privileged execution is mediated primarily through: * Kubernetes RBAC * ServiceAccounts * Roles / ClusterRoles * RoleBindings / ClusterRoleBindings * controllers, operators, jobs, and CI/CD identities acting against the cluster API * admission and policy controls associated with cluster privilege You can store it as `pecs-kubernetes-rbac-profile.schema.json`. ```json { "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://example.org/schemas/pecs-kubernetes-rbac-profile.schema.json", "title": "PECS Kubernetes-RBAC Profile Schema", "description": "Second-layer PECS profile schema for Kubernetes environments where privileged execution is mediated through RBAC, service accounts, controllers, and cluster API permissions.", "allOf": [ { "$ref": "https://example.org/schemas/pecs.schema.json" }, { "type": "object", "additionalProperties": false, "required": [ "schemaVersion", "documentType", "metadata", "system", "privilegedExecutionSurface" ], "properties": { "schemaVersion": { "const": "1.0.0" }, "documentType": { "enum": [ "pecs-model", "pecs-assessment", "pecs-authorization-artifact", "pecs-profile", "pecs-combined" ] }, "system": { "$ref": "#/$defs/kubernetesRbacSystem" }, "privilegedExecutionSurface": { "type": "array", "minItems": 1, "items": { "$ref": "#/$defs/kubernetesPrivilegedEntryPoint" } }, "authorizationArtifacts": { "type": "array", "items": { "$ref": "#/$defs/kubernetesAuthorizationArtifact" } }, "implementationMappings": { "type": "array", "items": { "$ref": "#/$defs/kubernetesImplementationMapping" } }, "evidence": { "type": "array", "items": { "$ref": "#/$defs/kubernetesEvidence" } } } } ], "$defs": { "nonEmptyString": { "type": "string", "minLength": 1 }, "identifier": { "type": "string", "pattern": 
"^[A-Za-z0-9][A-Za-z0-9._:-]{0,127}$" }, "hashValue": { "type": "string", "pattern": "^[A-Fa-f0-9]{64,128}$" }, "k8sName": { "type": "string", "pattern": "^[a-z0-9]([-a-z0-9.]*[a-z0-9])?$" }, "k8sApiGroup": { "type": "string" }, "kubernetesRbacSystem": { "type": "object", "additionalProperties": false, "required": [ "name", "scope", "environmentTypes", "kubernetesRbacProfile" ], "properties": { "name": { "$ref": "#/$defs/nonEmptyString" }, "description": { "type": "string" }, "scope": { "type": "string" }, "environmentTypes": { "type": "array", "minItems": 1, "uniqueItems": true, "items": { "type": "string", "enum": [ "kubernetes-rbac", "ci-cd", "container-runtime", "cloud-iam" ] }, "contains": { "const": "kubernetes-rbac" } }, "criticality": { "type": "string", "enum": [ "low", "moderate", "high", "critical" ] }, "domainProfile": { "type": "object" }, "kubernetesRbacProfile": { "$ref": "#/$defs/kubernetesRbacProfile" } } }, "kubernetesRbacProfile": { "type": "object", "additionalProperties": false, "required": [ "clusterScopeModel", "rbacPolicyModel", "privilegedExecutionModel" ], "properties": { "clusterScopeModel": { "type": "string", "enum": [ "single-cluster", "multi-cluster", "fleet-managed", "other" ] }, "rbacPolicyModel": { "type": "string", "enum": [ "direct-role-binding", "controller-mediated", "gitops-mediated", "mixed" ] }, "privilegedExecutionModel": { "type": "string", "enum": [ "dedicated-privileged-serviceaccounts", "controller-operator-gateway", "job-based-privileged-actions", "mixed" ] }, "clusterIdentifiers": { "type": "array", "items": { "$ref": "#/$defs/nonEmptyString" }, "default": [] }, "namespacesInScope": { "type": "array", "items": { "$ref": "#/$defs/k8sName" }, "default": [] }, "policyEngines": { "type": "array", "items": { "type": "string", "enum": [ "none", "opa-gatekeeper", "kyverno", "validating-admission-policy", "other" ] }, "default": [] }, "auditLoggingEnabled": { "type": "boolean" }, "serviceAccountTokenPolicy": { "type": 
"string", "enum": [ "bound-tokens", "legacy-secrets", "mixed", "unknown" ] }, "notes": { "type": "string" } } }, "kubernetesPrivilegedEntryPoint": { "type": "object", "additionalProperties": false, "required": [ "id", "name", "kind", "command", "privilegeDomain", "executionContext", "declaredEffects", "riskLevel", "invocationContract", "kubernetesControls" ], "properties": { "id": { "$ref": "#/$defs/identifier" }, "name": { "$ref": "#/$defs/nonEmptyString" }, "kind": { "type": "string", "enum": [ "controller", "operator", "job", "pipeline-step", "api-call", "gateway", "serviceaccount-binding", "other" ] }, "path": { "type": "string" }, "command": { "type": "string", "minLength": 1 }, "privilegeDomain": { "type": "string", "enum": [ "kubernetes-rbac", "kubernetes-admin", "container-privileged", "cloud-admin" ] }, "executionContext": { "$ref": "#/$defs/kubernetesExecutionContext" }, "declaredEffects": { "type": "array", "minItems": 1, "items": { "$ref": "#/$defs/nonEmptyString" } }, "riskLevel": { "type": "string", "enum": [ "low", "moderate", "high", "critical" ] }, "integrityBinding": { "$ref": "#/$defs/kubernetesIntegrityBinding" }, "authorizationReference": { "$ref": "#/$defs/identifier" }, "invocationContract": { "$ref": "#/$defs/kubernetesInvocationContract" }, "reviews": { "type": "array", "items": { "$ref": "#/$defs/kubernetesReviewRecord" }, "default": [] }, "evidenceRefs": { "type": "array", "items": { "$ref": "#/$defs/identifier" }, "default": [] }, "kubernetesControls": { "$ref": "#/$defs/kubernetesControls" } }, "allOf": [ { "if": { "properties": { "kind": { "const": "controller" } }, "required": [ "kind" ] }, "then": { "properties": { "kubernetesControls": { "properties": { "entryPointModel": { "enum": [ "controller-gateway", "operator" ] } }, "required": [ "entryPointModel" ] } } } }, { "if": { "properties": { "kind": { "const": "serviceaccount-binding" } }, "required": [ "kind" ] }, "then": { "properties": { "kubernetesControls": { "required": [ 
"rbacBindings" ] } } } } ] }, "kubernetesExecutionContext": { "type": "object", "additionalProperties": false, "required": [ "environmentType", "runAs", "allowedCallers", "networkAccess", "clusterScope" ], "properties": { "environmentType": { "type": "string", "enum": [ "kubernetes-rbac", "ci-cd", "container-runtime", "cloud-iam" ] }, "allowedCallers": { "type": "array", "minItems": 1, "items": { "$ref": "#/$defs/nonEmptyString" } }, "runAs": { "type": "string", "enum": [ "serviceaccount", "user", "external-ci-identity", "controller", "operator" ] }, "runAsIdentity": { "type": "string" }, "clusterScope": { "type": "string", "enum": [ "namespace", "cluster", "fleet" ] }, "targetNamespaces": { "type": "array", "items": { "$ref": "#/$defs/k8sName" }, "default": [] }, "networkAccess": { "type": "string", "enum": [ "none", "restricted", "full", "unknown" ] }, "interactiveAllowed": { "type": "boolean" }, "automationAllowed": { "type": "boolean" }, "environmentRestrictions": { "type": "array", "items": { "$ref": "#/$defs/nonEmptyString" }, "default": [] } } }, "kubernetesIntegrityBinding": { "type": "object", "additionalProperties": false, "required": [ "type" ], "properties": { "type": { "type": "string", "enum": [ "none", "manifest-hash", "image-digest", "signed-artifact", "attestation", "gitops-revision" ] }, "algorithm": { "type": "string", "enum": [ "sha256", "sha384", "sha512", "sigstore", "x509", "git-commit", "other" ] }, "digest": { "$ref": "#/$defs/hashValue" }, "imageRef": { "type": "string" }, "gitRevision": { "type": "string" }, "attestationRef": { "type": "string" }, "signatureRef": { "type": "string" }, "verifiedAtAdmission": { "type": "boolean" }, "verifiedAtRuntime": { "type": "boolean" }, "reviewRenewalRequiredOnChange": { "type": "boolean" } } }, "kubernetesInvocationContract": { "type": "object", "additionalProperties": false, "required": [ "allowedArgumentsPolicy", "expectedEffects", "failureMode", "privilegeExpectation", "startupChecks" ], 
"properties": { "allowedArgumentsPolicy": { "$ref": "#/$defs/kubernetesArgumentsPolicy" }, "expectedEffects": { "type": "array", "minItems": 1, "items": { "$ref": "#/$defs/nonEmptyString" } }, "forbiddenEffects": { "type": "array", "items": { "$ref": "#/$defs/nonEmptyString" }, "default": [] }, "preconditions": { "type": "array", "items": { "$ref": "#/$defs/nonEmptyString" }, "default": [] }, "postconditions": { "type": "array", "items": { "$ref": "#/$defs/nonEmptyString" }, "default": [] }, "failureMode": { "type": "string", "enum": [ "fail-closed", "best-effort" ] }, "privilegeExpectation": { "type": "string", "enum": [ "must-run-under-approved-serviceaccount", "must-be-admitted-by-policy", "must-be-invoked-via-approved-controller", "must-use-approved-kubeconfig" ] }, "startupChecks": { "type": "array", "minItems": 1, "items": { "type": "string", "enum": [ "check-serviceaccount-identity", "check-rbac-scope", "check-target-namespace", "check-admission-policy-compliance", "check-image-digest", "check-gitops-revision", "check-argument-contract", "check-caller-identity", "check-locking", "check-prerequisite-resources" ] } } } }, "kubernetesArgumentsPolicy": { "type": "object", "additionalProperties": false, "required": [ "mode" ], "properties": { "mode": { "type": "string", "enum": [ "none", "fixed", "allowlist", "schema-validated", "policy-evaluated" ] }, "fixedArguments": { "type": "array", "items": { "type": "string" }, "default": [] }, "allowedPatterns": { "type": "array", "items": { "type": "string" }, "default": [] }, "jsonSchema": { "type": "object" }, "notes": { "type": "string" } } }, "kubernetesControls": { "type": "object", "additionalProperties": false, "required": [ "entryPointModel", "rbacRestricted", "namespaceScopedWherePossible", "serviceAccountDedicated", "admissionControlled", "privilegedPodRisk" ], "properties": { "entryPointModel": { "type": "string", "enum": [ "direct-rbac-bound-identity", "controller-gateway", "operator", "job-runner", 
"gitops-controller", "pipeline-mediated" ] }, "serviceAccountDedicated": { "type": "boolean" }, "rbacRestricted": { "type": "boolean" }, "namespaceScopedWherePossible": { "type": "boolean" }, "clusterAdminBound": { "type": "boolean" }, "admissionControlled": { "type": "boolean" }, "policyEngine": { "type": "string", "enum": [ "none", "opa-gatekeeper", "kyverno", "validating-admission-policy", "other" ] }, "privilegedPodRisk": { "type": "string", "enum": [ "none", "low", "moderate", "high", "unknown" ] }, "hostAccessRisk": { "type": "string", "enum": [ "none", "low", "moderate", "high", "unknown" ] }, "tokenExposureRisk": { "type": "string", "enum": [ "none", "low", "moderate", "high", "unknown" ] }, "requiresDedicatedReview": { "type": "boolean" }, "reviewRenewalOnChange": { "type": "boolean" }, "rbacBindings": { "type": "array", "items": { "$ref": "#/$defs/rbacBindingReference" }, "default": [] }, "rbacRules": { "type": "array", "items": { "$ref": "#/$defs/rbacRule" }, "default": [] } } }, "rbacBindingReference": { "type": "object", "additionalProperties": false, "required": [ "kind", "name" ], "properties": { "kind": { "type": "string", "enum": [ "RoleBinding", "ClusterRoleBinding" ] }, "name": { "$ref": "#/$defs/k8sName" }, "namespace": { "$ref": "#/$defs/k8sName" }, "roleRefKind": { "type": "string", "enum": [ "Role", "ClusterRole" ] }, "roleRefName": { "$ref": "#/$defs/k8sName" } } }, "rbacRule": { "type": "object", "additionalProperties": false, "required": [ "apiGroups", "resources", "verbs" ], "properties": { "apiGroups": { "type": "array", "minItems": 1, "items": { "$ref": "#/$defs/k8sApiGroup" } }, "resources": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "resourceNames": { "type": "array", "items": { "type": "string" }, "default": [] }, "verbs": { "type": "array", "minItems": 1, "items": { "type": "string" } }, "nonResourceURLs": { "type": "array", "items": { "type": "string" }, "default": [] } } }, "kubernetesReviewRecord": { 
"type": "object", "additionalProperties": false, "required": [ "reviewer", "date", "reviewType", "decision" ], "properties": { "reviewer": { "$ref": "#/$defs/nonEmptyString" }, "date": { "type": "string", "format": "date" }, "reviewType": { "type": "string", "enum": [ "code-review", "security-review", "risk-review", "renewal-review", "rbac-review", "admission-policy-review", "exception-review" ] }, "decision": { "type": "string", "enum": [ "approved", "approved-with-conditions", "rejected", "expired" ] }, "notes": { "type": "string" } } }, "kubernetesAuthorizationArtifact": { "type": "object", "additionalProperties": false, "required": [ "id", "type", "entries" ], "properties": { "id": { "$ref": "#/$defs/identifier" }, "type": { "type": "string", "enum": [ "allowlist", "signed-approval-manifest", "policy-bundle", "attestation-set", "gitops-approval-set" ] }, "path": { "type": "string" }, "signed": { "type": "boolean" }, "signatureRef": { "type": "string" }, "entries": { "type": "array", "minItems": 1, "items": { "$ref": "#/$defs/kubernetesAuthorizationEntry" } } } }, "kubernetesAuthorizationEntry": { "type": "object", "additionalProperties": false, "required": [ "entryId", "privilegedEntryPointId", "approvalStatus", "approvedBy" ], "properties": { "entryId": { "$ref": "#/$defs/identifier" }, "privilegedEntryPointId": { "$ref": "#/$defs/identifier" }, "approvalStatus": { "type": "string", "enum": [ "approved", "conditional", "revoked", "expired", "draft" ] }, "integrityBinding": { "$ref": "#/$defs/kubernetesIntegrityBinding" }, "approvedBy": { "type": "array", "minItems": 1, "items": { "$ref": "#/$defs/nonEmptyString" } }, "approvedAt": { "type": "string", "format": "date-time" }, "expiresAt": { "type": "string", "format": "date-time" }, "conditions": { "type": "array", "items": { "$ref": "#/$defs/nonEmptyString" }, "default": [] }, "rbacBinding": { "$ref": "#/$defs/rbacAuthorizationBinding" }, "policyRef": { "type": "string" } } }, "rbacAuthorizationBinding": { 
"type": "object", "additionalProperties": false, "required": [ "subjectKind", "subjectName", "bindingKind", "roleRefKind", "roleRefName" ], "properties": { "subjectKind": { "type": "string", "enum": [ "ServiceAccount", "User", "Group" ] }, "subjectName": { "type": "string" }, "subjectNamespace": { "$ref": "#/$defs/k8sName" }, "bindingKind": { "type": "string", "enum": [ "RoleBinding", "ClusterRoleBinding" ] }, "bindingName": { "$ref": "#/$defs/k8sName" }, "bindingNamespace": { "$ref": "#/$defs/k8sName" }, "roleRefKind": { "type": "string", "enum": [ "Role", "ClusterRole" ] }, "roleRefName": { "$ref": "#/$defs/k8sName" } } }, "kubernetesImplementationMapping": { "type": "object", "additionalProperties": false, "required": [ "environmentType", "pattern", "tooling" ], "properties": { "environmentType": { "type": "string", "enum": [ "kubernetes-rbac", "ci-cd", "container-runtime", "cloud-iam" ] }, "pattern": { "type": "string", "enum": [ "dedicated-serviceaccount", "controller-gateway", "operator-pattern", "namespace-scoped-rbac", "cluster-scoped-reviewed-rbac", "admission-policy-enforced", "gitops-approved-privileged-change", "ci-approved-cluster-action" ] }, "tooling": { "type": "array", "minItems": 1, "items": { "type": "string", "enum": [ "kubectl", "helm", "kustomize", "opa-gatekeeper", "kyverno", "validating-admission-policy", "argo-cd", "flux", "cosign", "in-toto", "trivy", "stern", "audit-policy", "other" ] } }, "notes": { "type": "string" }, "references": { "type": "array", "items": { "type": "string", "format": "uri" }, "default": [] } } }, "kubernetesEvidence": { "type": "object", "additionalProperties": false, "required": [ "id", "type", "description" ], "properties": { "id": { "$ref": "#/$defs/identifier" }, "type": { "type": "string", "enum": [ "file", "log", "review-record", "policy", "attestation", "report", "rbac-manifest", "audit-policy", "image-signature", "gitops-record", "other" ] }, "description": { "type": "string" }, "path": { "type": "string" 
}, "uri": { "type": "string", "format": "uri" }, "collectedAt": { "type": "string", "format": "date-time" }, "collectedBy": { "type": "string" }, "hash": { "$ref": "#/$defs/kubernetesIntegrityBinding" } } } } } ``` Here is a **minimal valid example instance** for this profile. Note that it validates only once the profile is closed at the top level with `"unevaluatedProperties": false` (a sibling of `allOf`) instead of `"additionalProperties": false` inside the second `allOf` branch: as written, that branch lists `metadata` under `required` but not under `properties` (it is presumably defined by the referenced generic `pecs.schema.json`), and `additionalProperties` only sees the `properties` of its own subschema, so a draft 2020-12 validator rejects the required `metadata` key. ```json { "schemaVersion": "1.0.0", "documentType": "pecs-combined", "metadata": { "id": "backup-controller-k8s-profile", "title": "Backup Controller Kubernetes RBAC PECS Profile", "version": "0.1.0", "status": "draft" }, "system": { "name": "backup-controller", "scope": "Privileged Kubernetes backup control via dedicated service account and reviewed RBAC.", "environmentTypes": [ "kubernetes-rbac", "ci-cd" ], "criticality": "high", "kubernetesRbacProfile": { "clusterScopeModel": "single-cluster", "rbacPolicyModel": "controller-mediated", "privilegedExecutionModel": "controller-operator-gateway", "clusterIdentifiers": [ "prod-eu-1" ], "namespacesInScope": [ "backup-system" ], "policyEngines": [ "kyverno" ], "auditLoggingEnabled": true, "serviceAccountTokenPolicy": "bound-tokens" } }, "privilegedExecutionSurface": [ { "id": "backup-operator", "name": "backup-operator", "kind": "controller", "path": "deploy/backup-operator", "command": "backup-operator reconcile", "privilegeDomain": "kubernetes-rbac", "executionContext": { "environmentType": "kubernetes-rbac", "runAs": "serviceaccount", "runAsIdentity": "system:serviceaccount:backup-system:backup-operator", "allowedCallers": [ "kube-controller-manager", "argo-cd" ], "clusterScope": "namespace", "targetNamespaces": [ "backup-system" ], "networkAccess": "restricted", "interactiveAllowed": false, "automationAllowed": true }, "declaredEffects": [ "Create backup jobs in approved namespace", "Read PVC metadata", "Write backup status resources" ], "riskLevel": "high", "integrityBinding": { "type": "image-digest", "algorithm": "sha256", "digest": "3d9c9c21d0c82a4c9f0aa7b7c8d1d839d6cf4dbf54d4b56caa11223344556677", "imageRef": 
"registry.example.org/backup-operator@sha256:3d9c9c21d0c82a4c9f0aa7b7c8d1d839d6cf4dbf54d4b56caa11223344556677", "verifiedAtAdmission": true, "reviewRenewalRequiredOnChange": true }, "invocationContract": { "allowedArgumentsPolicy": { "mode": "fixed", "fixedArguments": [ "reconcile" ] }, "expectedEffects": [ "Operate only in approved namespace and resource scope" ], "forbiddenEffects": [ "Create cluster-wide RBAC", "Launch privileged hostPath pods" ], "failureMode": "fail-closed", "privilegeExpectation": "must-run-under-approved-serviceaccount", "startupChecks": [ "check-serviceaccount-identity", "check-rbac-scope", "check-target-namespace", "check-admission-policy-compliance", "check-image-digest" ] }, "kubernetesControls": { "entryPointModel": "controller-gateway", "serviceAccountDedicated": true, "rbacRestricted": true, "namespaceScopedWherePossible": true, "clusterAdminBound": false, "admissionControlled": true, "policyEngine": "kyverno", "privilegedPodRisk": "low", "hostAccessRisk": "none", "tokenExposureRisk": "low", "requiresDedicatedReview": true, "reviewRenewalOnChange": true, "rbacBindings": [ { "kind": "RoleBinding", "name": "backup-operator-binding", "namespace": "backup-system", "roleRefKind": "Role", "roleRefName": "backup-operator-role" } ], "rbacRules": [ { "apiGroups": [ "", "batch" ], "resources": [ "pods", "persistentvolumeclaims", "jobs" ], "verbs": [ "get", "list", "watch", "create" ] } ] } } ], "authorizationArtifacts": [ { "id": "backup-rbac-allowlist", "type": "signed-approval-manifest", "path": "security/k8s-privileged-allowlist.yaml", "signed": true, "signatureRef": "cosign://backup-rbac-allowlist", "entries": [ { "entryId": "backup-operator-approved", "privilegedEntryPointId": "backup-operator", "approvalStatus": "approved", "approvedBy": [ "platform-security" ], "integrityBinding": { "type": "image-digest", "algorithm": "sha256", "digest": "3d9c9c21d0c82a4c9f0aa7b7c8d1d839d6cf4dbf54d4b56caa11223344556677", "imageRef": 
"registry.example.org/backup-operator@sha256:3d9c9c21d0c82a4c9f0aa7b7c8d1d839d6cf4dbf54d4b56caa11223344556677", "verifiedAtAdmission": true, "reviewRenewalRequiredOnChange": true }, "rbacBinding": { "subjectKind": "ServiceAccount", "subjectName": "backup-operator", "subjectNamespace": "backup-system", "bindingKind": "RoleBinding", "bindingName": "backup-operator-binding", "bindingNamespace": "backup-system", "roleRefKind": "Role", "roleRefName": "backup-operator-role" } } ] } ] } ``` xxx