Maturity model and schemas for handling necessary privilege escalation across three contexts: OS sudo, Kubernetes RBAC, and CI/CD pipelines. To be applied to the codebase once initial Railiance setup is complete. Files: - privileged-execution-control_v0.2 (standard) - privileged-execution-control-schema_v0.2.1.md (base schema) - privileged-execution-control-schema-os-sudo_v0.2.1.md - privileged-execution-control-schema-kubernetes-rbac_v0.2.1.md - privileged-execution-control-schema-cicd_v0.2.1.md Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
PecsSchemaKubernetesRbac
PECS profile schema for kubernetes-rbac environments
Below is a second-layer PECS profile schema for kubernetes-rbac environments.
It specializes the generic PECS schema for systems where privileged execution is mediated primarily through:
- Kubernetes RBAC
- ServiceAccounts
- Roles / ClusterRoles
- RoleBindings / ClusterRoleBindings
- controllers, operators, jobs, and CI/CD identities acting against the cluster API
- admission and policy controls associated with cluster privilege
You can store it as pecs-kubernetes-rbac-profile.schema.json. Note that the `format` keywords it uses (`date`, `date-time`, `uri`) are annotations only under draft 2020-12 unless the validator is run with format assertion enabled, so review dates and `expiresAt` values are not checked by default.
{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"$id": "https://example.org/schemas/pecs-kubernetes-rbac-profile.schema.json",
"title": "PECS Kubernetes-RBAC Profile Schema",
"description": "Second-layer PECS profile schema for Kubernetes environments where privileged execution is mediated through RBAC, service accounts, controllers, and cluster API permissions.",
"allOf": [
{
"$ref": "https://example.org/schemas/pecs.schema.json"
},
{
"type": "object",
"additionalProperties": false,
"required": [
"schemaVersion",
"documentType",
"metadata",
"system",
"privilegedExecutionSurface"
],
"properties": {
"schemaVersion": {
"const": "1.0.0"
},
"documentType": {
"enum": [
"pecs-model",
"pecs-assessment",
"pecs-authorization-artifact",
"pecs-profile",
"pecs-combined"
]
},
"system": {
"$ref": "#/$defs/kubernetesRbacSystem"
},
"privilegedExecutionSurface": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/$defs/kubernetesPrivilegedEntryPoint"
}
},
"authorizationArtifacts": {
"type": "array",
"items": {
"$ref": "#/$defs/kubernetesAuthorizationArtifact"
}
},
"implementationMappings": {
"type": "array",
"items": {
"$ref": "#/$defs/kubernetesImplementationMapping"
}
},
"evidence": {
"type": "array",
"items": {
"$ref": "#/$defs/kubernetesEvidence"
}
}
}
}
],
"$defs": {
"nonEmptyString": {
"type": "string",
"minLength": 1
},
"identifier": {
"type": "string",
"pattern": "^[A-Za-z0-9][A-Za-z0-9._:-]{0,127}$"
},
"hashValue": {
"type": "string",
"pattern": "^[A-Fa-f0-9]{64,128}$"
},
"k8sName": {
"type": "string",
"pattern": "^[a-z0-9]([-a-z0-9.]*[a-z0-9])?$"
},
"k8sApiGroup": {
"type": "string"
},
"kubernetesRbacSystem": {
"type": "object",
"additionalProperties": false,
"required": [
"name",
"scope",
"environmentTypes",
"kubernetesRbacProfile"
],
"properties": {
"name": {
"$ref": "#/$defs/nonEmptyString"
},
"description": {
"type": "string"
},
"scope": {
"type": "string"
},
"environmentTypes": {
"type": "array",
"minItems": 1,
"uniqueItems": true,
"items": {
"type": "string",
"enum": [
"kubernetes-rbac",
"ci-cd",
"container-runtime",
"cloud-iam"
]
},
"contains": {
"const": "kubernetes-rbac"
}
},
"criticality": {
"type": "string",
"enum": [
"low",
"moderate",
"high",
"critical"
]
},
"domainProfile": {
"type": "object"
},
"kubernetesRbacProfile": {
"$ref": "#/$defs/kubernetesRbacProfile"
}
}
},
"kubernetesRbacProfile": {
"type": "object",
"additionalProperties": false,
"required": [
"clusterScopeModel",
"rbacPolicyModel",
"privilegedExecutionModel"
],
"properties": {
"clusterScopeModel": {
"type": "string",
"enum": [
"single-cluster",
"multi-cluster",
"fleet-managed",
"other"
]
},
"rbacPolicyModel": {
"type": "string",
"enum": [
"direct-role-binding",
"controller-mediated",
"gitops-mediated",
"mixed"
]
},
"privilegedExecutionModel": {
"type": "string",
"enum": [
"dedicated-privileged-serviceaccounts",
"controller-operator-gateway",
"job-based-privileged-actions",
"mixed"
]
},
"clusterIdentifiers": {
"type": "array",
"items": {
"$ref": "#/$defs/nonEmptyString"
},
"default": []
},
"namespacesInScope": {
"type": "array",
"items": {
"$ref": "#/$defs/k8sName"
},
"default": []
},
"policyEngines": {
"type": "array",
"items": {
"type": "string",
"enum": [
"none",
"opa-gatekeeper",
"kyverno",
"validating-admission-policy",
"other"
]
},
"default": []
},
"auditLoggingEnabled": {
"type": "boolean"
},
"serviceAccountTokenPolicy": {
"type": "string",
"enum": [
"bound-tokens",
"legacy-secrets",
"mixed",
"unknown"
]
},
"notes": {
"type": "string"
}
}
},
"kubernetesPrivilegedEntryPoint": {
"type": "object",
"additionalProperties": false,
"required": [
"id",
"name",
"kind",
"command",
"privilegeDomain",
"executionContext",
"declaredEffects",
"riskLevel",
"invocationContract",
"kubernetesControls"
],
"properties": {
"id": {
"$ref": "#/$defs/identifier"
},
"name": {
"$ref": "#/$defs/nonEmptyString"
},
"kind": {
"type": "string",
"enum": [
"controller",
"operator",
"job",
"pipeline-step",
"api-call",
"gateway",
"serviceaccount-binding",
"other"
]
},
"path": {
"type": "string"
},
"command": {
"type": "string",
"minLength": 1
},
"privilegeDomain": {
"type": "string",
"enum": [
"kubernetes-rbac",
"kubernetes-admin",
"container-privileged",
"cloud-admin"
]
},
"executionContext": {
"$ref": "#/$defs/kubernetesExecutionContext"
},
"declaredEffects": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/$defs/nonEmptyString"
}
},
"riskLevel": {
"type": "string",
"enum": [
"low",
"moderate",
"high",
"critical"
]
},
"integrityBinding": {
"$ref": "#/$defs/kubernetesIntegrityBinding"
},
"authorizationReference": {
"$ref": "#/$defs/identifier"
},
"invocationContract": {
"$ref": "#/$defs/kubernetesInvocationContract"
},
"reviews": {
"type": "array",
"items": {
"$ref": "#/$defs/kubernetesReviewRecord"
},
"default": []
},
"evidenceRefs": {
"type": "array",
"items": {
"$ref": "#/$defs/identifier"
},
"default": []
},
"kubernetesControls": {
"$ref": "#/$defs/kubernetesControls"
}
},
"allOf": [
{
"if": {
"properties": {
"kind": {
"const": "controller"
}
},
"required": [
"kind"
]
},
"then": {
"properties": {
"kubernetesControls": {
"properties": {
"entryPointModel": {
"enum": [
"controller-gateway",
"operator"
]
}
},
"required": [
"entryPointModel"
]
}
}
}
},
{
"if": {
"properties": {
"kind": {
"const": "serviceaccount-binding"
}
},
"required": [
"kind"
]
},
"then": {
"properties": {
"kubernetesControls": {
"required": [
"rbacBindings"
]
}
}
}
}
]
},
"kubernetesExecutionContext": {
"type": "object",
"additionalProperties": false,
"required": [
"environmentType",
"runAs",
"allowedCallers",
"networkAccess",
"clusterScope"
],
"properties": {
"environmentType": {
"type": "string",
"enum": [
"kubernetes-rbac",
"ci-cd",
"container-runtime",
"cloud-iam"
]
},
"allowedCallers": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/$defs/nonEmptyString"
}
},
"runAs": {
"type": "string",
"enum": [
"serviceaccount",
"user",
"external-ci-identity",
"controller",
"operator"
]
},
"runAsIdentity": {
"type": "string"
},
"clusterScope": {
"type": "string",
"enum": [
"namespace",
"cluster",
"fleet"
]
},
"targetNamespaces": {
"type": "array",
"items": {
"$ref": "#/$defs/k8sName"
},
"default": []
},
"networkAccess": {
"type": "string",
"enum": [
"none",
"restricted",
"full",
"unknown"
]
},
"interactiveAllowed": {
"type": "boolean"
},
"automationAllowed": {
"type": "boolean"
},
"environmentRestrictions": {
"type": "array",
"items": {
"$ref": "#/$defs/nonEmptyString"
},
"default": []
}
}
},
"kubernetesIntegrityBinding": {
"type": "object",
"additionalProperties": false,
"required": [
"type"
],
"properties": {
"type": {
"type": "string",
"enum": [
"none",
"manifest-hash",
"image-digest",
"signed-artifact",
"attestation",
"gitops-revision"
]
},
"algorithm": {
"type": "string",
"enum": [
"sha256",
"sha384",
"sha512",
"sigstore",
"x509",
"git-commit",
"other"
]
},
"digest": {
"$ref": "#/$defs/hashValue"
},
"imageRef": {
"type": "string"
},
"gitRevision": {
"type": "string"
},
"attestationRef": {
"type": "string"
},
"signatureRef": {
"type": "string"
},
"verifiedAtAdmission": {
"type": "boolean"
},
"verifiedAtRuntime": {
"type": "boolean"
},
"reviewRenewalRequiredOnChange": {
"type": "boolean"
}
}
},
"kubernetesInvocationContract": {
"type": "object",
"additionalProperties": false,
"required": [
"allowedArgumentsPolicy",
"expectedEffects",
"failureMode",
"privilegeExpectation",
"startupChecks"
],
"properties": {
"allowedArgumentsPolicy": {
"$ref": "#/$defs/kubernetesArgumentsPolicy"
},
"expectedEffects": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/$defs/nonEmptyString"
}
},
"forbiddenEffects": {
"type": "array",
"items": {
"$ref": "#/$defs/nonEmptyString"
},
"default": []
},
"preconditions": {
"type": "array",
"items": {
"$ref": "#/$defs/nonEmptyString"
},
"default": []
},
"postconditions": {
"type": "array",
"items": {
"$ref": "#/$defs/nonEmptyString"
},
"default": []
},
"failureMode": {
"type": "string",
"enum": [
"fail-closed",
"best-effort"
]
},
"privilegeExpectation": {
"type": "string",
"enum": [
"must-run-under-approved-serviceaccount",
"must-be-admitted-by-policy",
"must-be-invoked-via-approved-controller",
"must-use-approved-kubeconfig"
]
},
"startupChecks": {
"type": "array",
"minItems": 1,
"items": {
"type": "string",
"enum": [
"check-serviceaccount-identity",
"check-rbac-scope",
"check-target-namespace",
"check-admission-policy-compliance",
"check-image-digest",
"check-gitops-revision",
"check-argument-contract",
"check-caller-identity",
"check-locking",
"check-prerequisite-resources"
]
}
}
}
},
"kubernetesArgumentsPolicy": {
"type": "object",
"additionalProperties": false,
"required": [
"mode"
],
"properties": {
"mode": {
"type": "string",
"enum": [
"none",
"fixed",
"allowlist",
"schema-validated",
"policy-evaluated"
]
},
"fixedArguments": {
"type": "array",
"items": {
"type": "string"
},
"default": []
},
"allowedPatterns": {
"type": "array",
"items": {
"type": "string"
},
"default": []
},
"jsonSchema": {
"type": "object"
},
"notes": {
"type": "string"
}
}
},
"kubernetesControls": {
"type": "object",
"additionalProperties": false,
"required": [
"entryPointModel",
"rbacRestricted",
"namespaceScopedWherePossible",
"serviceAccountDedicated",
"admissionControlled",
"privilegedPodRisk"
],
"properties": {
"entryPointModel": {
"type": "string",
"enum": [
"direct-rbac-bound-identity",
"controller-gateway",
"operator",
"job-runner",
"gitops-controller",
"pipeline-mediated"
]
},
"serviceAccountDedicated": {
"type": "boolean"
},
"rbacRestricted": {
"type": "boolean"
},
"namespaceScopedWherePossible": {
"type": "boolean"
},
"clusterAdminBound": {
"type": "boolean"
},
"admissionControlled": {
"type": "boolean"
},
"policyEngine": {
"type": "string",
"enum": [
"none",
"opa-gatekeeper",
"kyverno",
"validating-admission-policy",
"other"
]
},
"privilegedPodRisk": {
"type": "string",
"enum": [
"none",
"low",
"moderate",
"high",
"unknown"
]
},
"hostAccessRisk": {
"type": "string",
"enum": [
"none",
"low",
"moderate",
"high",
"unknown"
]
},
"tokenExposureRisk": {
"type": "string",
"enum": [
"none",
"low",
"moderate",
"high",
"unknown"
]
},
"requiresDedicatedReview": {
"type": "boolean"
},
"reviewRenewalOnChange": {
"type": "boolean"
},
"rbacBindings": {
"type": "array",
"items": {
"$ref": "#/$defs/rbacBindingReference"
},
"default": []
},
"rbacRules": {
"type": "array",
"items": {
"$ref": "#/$defs/rbacRule"
},
"default": []
}
}
},
"rbacBindingReference": {
"type": "object",
"additionalProperties": false,
"required": [
"kind",
"name"
],
"properties": {
"kind": {
"type": "string",
"enum": [
"RoleBinding",
"ClusterRoleBinding"
]
},
"name": {
"$ref": "#/$defs/k8sName"
},
"namespace": {
"$ref": "#/$defs/k8sName"
},
"roleRefKind": {
"type": "string",
"enum": [
"Role",
"ClusterRole"
]
},
"roleRefName": {
"$ref": "#/$defs/k8sName"
}
}
},
"rbacRule": {
"type": "object",
"additionalProperties": false,
"required": [
"apiGroups",
"resources",
"verbs"
],
"properties": {
"apiGroups": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/$defs/k8sApiGroup"
}
},
"resources": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"resourceNames": {
"type": "array",
"items": {
"type": "string"
},
"default": []
},
"verbs": {
"type": "array",
"minItems": 1,
"items": {
"type": "string"
}
},
"nonResourceURLs": {
"type": "array",
"items": {
"type": "string"
},
"default": []
}
}
},
"kubernetesReviewRecord": {
"type": "object",
"additionalProperties": false,
"required": [
"reviewer",
"date",
"reviewType",
"decision"
],
"properties": {
"reviewer": {
"$ref": "#/$defs/nonEmptyString"
},
"date": {
"type": "string",
"format": "date"
},
"reviewType": {
"type": "string",
"enum": [
"code-review",
"security-review",
"risk-review",
"renewal-review",
"rbac-review",
"admission-policy-review",
"exception-review"
]
},
"decision": {
"type": "string",
"enum": [
"approved",
"approved-with-conditions",
"rejected",
"expired"
]
},
"notes": {
"type": "string"
}
}
},
"kubernetesAuthorizationArtifact": {
"type": "object",
"additionalProperties": false,
"required": [
"id",
"type",
"entries"
],
"properties": {
"id": {
"$ref": "#/$defs/identifier"
},
"type": {
"type": "string",
"enum": [
"allowlist",
"signed-approval-manifest",
"policy-bundle",
"attestation-set",
"gitops-approval-set"
]
},
"path": {
"type": "string"
},
"signed": {
"type": "boolean"
},
"signatureRef": {
"type": "string"
},
"entries": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/$defs/kubernetesAuthorizationEntry"
}
}
}
},
"kubernetesAuthorizationEntry": {
"type": "object",
"additionalProperties": false,
"required": [
"entryId",
"privilegedEntryPointId",
"approvalStatus",
"approvedBy"
],
"properties": {
"entryId": {
"$ref": "#/$defs/identifier"
},
"privilegedEntryPointId": {
"$ref": "#/$defs/identifier"
},
"approvalStatus": {
"type": "string",
"enum": [
"approved",
"conditional",
"revoked",
"expired",
"draft"
]
},
"integrityBinding": {
"$ref": "#/$defs/kubernetesIntegrityBinding"
},
"approvedBy": {
"type": "array",
"minItems": 1,
"items": {
"$ref": "#/$defs/nonEmptyString"
}
},
"approvedAt": {
"type": "string",
"format": "date-time"
},
"expiresAt": {
"type": "string",
"format": "date-time"
},
"conditions": {
"type": "array",
"items": {
"$ref": "#/$defs/nonEmptyString"
},
"default": []
},
"rbacBinding": {
"$ref": "#/$defs/rbacAuthorizationBinding"
},
"policyRef": {
"type": "string"
}
}
},
"rbacAuthorizationBinding": {
"type": "object",
"additionalProperties": false,
"required": [
"subjectKind",
"subjectName",
"bindingKind",
"roleRefKind",
"roleRefName"
],
"properties": {
"subjectKind": {
"type": "string",
"enum": [
"ServiceAccount",
"User",
"Group"
]
},
"subjectName": {
"type": "string"
},
"subjectNamespace": {
"$ref": "#/$defs/k8sName"
},
"bindingKind": {
"type": "string",
"enum": [
"RoleBinding",
"ClusterRoleBinding"
]
},
"bindingName": {
"$ref": "#/$defs/k8sName"
},
"bindingNamespace": {
"$ref": "#/$defs/k8sName"
},
"roleRefKind": {
"type": "string",
"enum": [
"Role",
"ClusterRole"
]
},
"roleRefName": {
"$ref": "#/$defs/k8sName"
}
}
},
"kubernetesImplementationMapping": {
"type": "object",
"additionalProperties": false,
"required": [
"environmentType",
"pattern",
"tooling"
],
"properties": {
"environmentType": {
"type": "string",
"enum": [
"kubernetes-rbac",
"ci-cd",
"container-runtime",
"cloud-iam"
]
},
"pattern": {
"type": "string",
"enum": [
"dedicated-serviceaccount",
"controller-gateway",
"operator-pattern",
"namespace-scoped-rbac",
"cluster-scoped-reviewed-rbac",
"admission-policy-enforced",
"gitops-approved-privileged-change",
"ci-approved-cluster-action"
]
},
"tooling": {
"type": "array",
"minItems": 1,
"items": {
"type": "string",
"enum": [
"kubectl",
"helm",
"kustomize",
"opa-gatekeeper",
"kyverno",
"validating-admission-policy",
"argo-cd",
"flux",
"cosign",
"in-toto",
"trivy",
"stern",
"audit-policy",
"other"
]
}
},
"notes": {
"type": "string"
},
"references": {
"type": "array",
"items": {
"type": "string",
"format": "uri"
},
"default": []
}
}
},
"kubernetesEvidence": {
"type": "object",
"additionalProperties": false,
"required": [
"id",
"type",
"description"
],
"properties": {
"id": {
"$ref": "#/$defs/identifier"
},
"type": {
"type": "string",
"enum": [
"file",
"log",
"review-record",
"policy",
"attestation",
"report",
"rbac-manifest",
"audit-policy",
"image-signature",
"gitops-record",
"other"
]
},
"description": {
"type": "string"
},
"path": {
"type": "string"
},
"uri": {
"type": "string",
"format": "uri"
},
"collectedAt": {
"type": "string",
"format": "date-time"
},
"collectedBy": {
"type": "string"
},
"hash": {
"$ref": "#/$defs/kubernetesIntegrityBinding"
}
}
}
}
}
Here is a minimal valid example instance for this profile. One caveat when validating it: the second `allOf` branch sets `additionalProperties: false` but does not declare `metadata` in its own `properties`, and `additionalProperties` does not see keywords in sibling `allOf` branches or in the referenced base schema, so a conforming draft 2020-12 validator rejects the required `metadata` member; replacing that `additionalProperties: false` with `unevaluatedProperties: false` keeps the object closed while honoring the base schema's properties.
{
"schemaVersion": "1.0.0",
"documentType": "pecs-combined",
"metadata": {
"id": "backup-controller-k8s-profile",
"title": "Backup Controller Kubernetes RBAC PECS Profile",
"version": "0.1.0",
"status": "draft"
},
"system": {
"name": "backup-controller",
"scope": "Privileged Kubernetes backup control via dedicated service account and reviewed RBAC.",
"environmentTypes": [
"kubernetes-rbac",
"ci-cd"
],
"criticality": "high",
"kubernetesRbacProfile": {
"clusterScopeModel": "single-cluster",
"rbacPolicyModel": "controller-mediated",
"privilegedExecutionModel": "controller-operator-gateway",
"clusterIdentifiers": [
"prod-eu-1"
],
"namespacesInScope": [
"backup-system"
],
"policyEngines": [
"kyverno"
],
"auditLoggingEnabled": true,
"serviceAccountTokenPolicy": "bound-tokens"
}
},
"privilegedExecutionSurface": [
{
"id": "backup-operator",
"name": "backup-operator",
"kind": "controller",
"path": "deploy/backup-operator",
"command": "backup-operator reconcile",
"privilegeDomain": "kubernetes-rbac",
"executionContext": {
"environmentType": "kubernetes-rbac",
"runAs": "serviceaccount",
"runAsIdentity": "system:serviceaccount:backup-system:backup-operator",
"allowedCallers": [
"kube-controller-manager",
"argo-cd"
],
"clusterScope": "namespace",
"targetNamespaces": [
"backup-system"
],
"networkAccess": "restricted",
"interactiveAllowed": false,
"automationAllowed": true
},
"declaredEffects": [
"Create backup jobs in approved namespace",
"Read PVC metadata",
"Write backup status resources"
],
"riskLevel": "high",
"integrityBinding": {
"type": "image-digest",
"algorithm": "sha256",
"digest": "3d9c9c21d0c82a4c9f0aa7b7c8d1d839d6cf4dbf54d4b56caa11223344556677",
"imageRef": "registry.example.org/backup-operator@sha256:3d9c9c21d0c82a4c9f0aa7b7c8d1d839d6cf4dbf54d4b56caa11223344556677",
"verifiedAtAdmission": true,
"reviewRenewalRequiredOnChange": true
},
"invocationContract": {
"allowedArgumentsPolicy": {
"mode": "fixed",
"fixedArguments": [
"reconcile"
]
},
"expectedEffects": [
"Operate only in approved namespace and resource scope"
],
"forbiddenEffects": [
"Create cluster-wide RBAC",
"Launch privileged hostPath pods"
],
"failureMode": "fail-closed",
"privilegeExpectation": "must-run-under-approved-serviceaccount",
"startupChecks": [
"check-serviceaccount-identity",
"check-rbac-scope",
"check-target-namespace",
"check-admission-policy-compliance",
"check-image-digest"
]
},
"kubernetesControls": {
"entryPointModel": "controller-gateway",
"serviceAccountDedicated": true,
"rbacRestricted": true,
"namespaceScopedWherePossible": true,
"clusterAdminBound": false,
"admissionControlled": true,
"policyEngine": "kyverno",
"privilegedPodRisk": "low",
"hostAccessRisk": "none",
"tokenExposureRisk": "low",
"requiresDedicatedReview": true,
"reviewRenewalOnChange": true,
"rbacBindings": [
{
"kind": "RoleBinding",
"name": "backup-operator-binding",
"namespace": "backup-system",
"roleRefKind": "Role",
"roleRefName": "backup-operator-role"
}
],
"rbacRules": [
{
"apiGroups": [
"",
"batch"
],
"resources": [
"pods",
"persistentvolumeclaims",
"jobs"
],
"verbs": [
"get",
"list",
"watch",
"create"
]
}
]
}
}
],
"authorizationArtifacts": [
{
"id": "backup-rbac-allowlist",
"type": "signed-approval-manifest",
"path": "security/k8s-privileged-allowlist.yaml",
"signed": true,
"signatureRef": "cosign://backup-rbac-allowlist",
"entries": [
{
"entryId": "backup-operator-approved",
"privilegedEntryPointId": "backup-operator",
"approvalStatus": "approved",
"approvedBy": [
"platform-security"
],
"integrityBinding": {
"type": "image-digest",
"algorithm": "sha256",
"digest": "3d9c9c21d0c82a4c9f0aa7b7c8d1d839d6cf4dbf54d4b56caa11223344556677",
"imageRef": "registry.example.org/backup-operator@sha256:3d9c9c21d0c82a4c9f0aa7b7c8d1d839d6cf4dbf54d4b56caa11223344556677",
"verifiedAtAdmission": true,
"reviewRenewalRequiredOnChange": true
},
"rbacBinding": {
"subjectKind": "ServiceAccount",
"subjectName": "backup-operator",
"subjectNamespace": "backup-system",
"bindingKind": "RoleBinding",
"bindingName": "backup-operator-binding",
"bindingNamespace": "backup-system",
"roleRefKind": "Role",
"roleRefName": "backup-operator-role"
}
}
]
}
]
}