Definition overview
Reference · live · definition:krate-identity-model
Krate Identity Model overview
Inspect the raw attributes, linked wiki pages, and inbound or outbound graph edges for definition:krate-identity-model.
Attributes
displayName: Krate Identity Model
authoredAt: 2026-05-10T00:00:00Z
text:
Krate's identity and access control model is built on Kubernetes RBAC primitives extended with org-scoped semantics:
- Organization: Top-level tenant boundary. Cluster-scoped CRD that owns namespaces and all org-scoped resources.
- User: Maps to a Kubernetes user identity (x509 cert or OIDC subject). Can belong to multiple organizations with different roles in each.
- Team: Named group within an org. Supports nested teams, LDAP/SCIM sync, and team-scoped repository permissions.
- ServiceAccount: Bot identities for automation, CI, and agent dispatch.
- RBAC: Four-level role hierarchy — GlobalRole (cluster-wide), OrgRole (org-wide), Role (namespace/repo-scoped), and RoleBinding at each level. Predefined roles include org-owner, org-admin, repo-admin, repo-writer, repo-reader, agent-dispatcher.
Authentication flows support OIDC, x509 client certificates, personal access tokens, and SSH keys. Authorization is evaluated by the Kubernetes API server using Krate's custom authorizer webhook, which resolves org membership and team permissions.
status: canonical
Outgoing edges
applies_to (2)
- domain:platform-engineering · Domain · Platform Engineering
- domain:security · Domain · Security
supports (3)
- tool:kubernetes · Tool · Kubernetes
- skill-area:platform-engineering · SkillArea
- skill-area:k8s-rbac · SkillArea
Incoming edges
None.