northfleet-eng/itsg33-kubernetes-protected-b-mapping

# ITSG-33 to Kubernetes Protected B mapping An open-source mapping of CCCS ITSG-33 Annex 4A Profile 1 (Protected B / Medium Integrity / Medium Availability) security controls to the Kubernetes mechanisms that address them. ## What this is - **Admin-implemented** — cluster administrator configures upstream Kubernetes primitives (RBAC, NetworkPolicy, audit policy, etc.) - **Workload-implemented** — the application or container image itself provides the mechanism - **External** — upstream Kubernetes alone is insufficient and an additional component is required The third category is the gap analysis. It is where vendor evaluations diverge. ## Why this exists ## Files in this repository - [`itsg33-kubernetes-mapping.md`](itsg33-kubernetes-mapping.md) — the main mapping. Controls bucketed by admin / workload / external, with K8s mechanism for each. - [`itsg33-kubernetes-mapping.csv`](itsg33-kubernetes-mapping.csv) — same content as CSV for spreadsheet import. - [`SOURCES.md`](SOURCES.md) — canonical CCCS source URLs, cross-reference mappings, and the NIST SP 800-53 relationship. - [`LICENSE`](LICENSE) — Apache License 2.0. ## Scope This repository covers the procurement-relevant subset of Profile 1: approximately 30 to 50 controls where the Kubernetes side of the mapping is non-obvious or carries material gap. Profile 1 in full contains approximately 295 base controls and enhancements; the full enumeration is in the canonical sources linked in [`SOURCES.md`](SOURCES.md). This repository is a starting point, not a substitute for a formal security control assessment. A qualified Canadian accreditor performs the actual assessment against the customer's specific deployment. ## How to use ## Methodology ## Open items Issues and pull requests welcome. ## License Apache License 2.0. See [`LICENSE`](LICENSE). ## Maintained by Northfleet (`https://northfleet.tech`). Issues and pull requests welcome. ## Disclaimer This mapping is provided as-is for evaluation and planning use. It is not a CCCS-endorsed assessment instrument. For authoritative guidance, refer to the source documents in [`SOURCES.md`](SOURCES.md).