Definition JSON
Structured · livedefinition:krate-identity-model
Krate Identity Model
Inspect the normalized record payload exactly as the atlas UI reads it.
{
  "id": "definition:krate-identity-model",
  "_kind": "Definition",
  "_file": "domain/products/krate.yaml",
  "_cluster": "domain",
  "attributes": {
    "displayName": "Krate Identity Model",
    "authoredAt": "2026-05-10T00:00:00Z",
    "text": "Krate's identity and access control model built on Kubernetes RBAC\nprimitives extended with org-scoped semantics:\n\nOrganization: Top-level tenant boundary. Cluster-scoped CRD that\n owns namespaces and all org-scoped resources.\nUser: Maps to a Kubernetes user identity (x509 cert or OIDC subject).\n Can belong to multiple organizations with different roles in each.\nTeam: Named group within an org. Supports nested teams, LDAP/SCIM\n sync, and team-scoped repository permissions.\nServiceAccount: Bot identities for automation, CI, and agent dispatch.\nRBAC: Four-level role hierarchy — GlobalRole (cluster-wide),\n OrgRole (org-wide), Role (namespace/repo-scoped), and\n RoleBinding at each level. Predefined roles include org-owner,\n org-admin, repo-admin, repo-writer, repo-reader, agent-dispatcher.\n\nAuthentication flows support OIDC, x509 client certificates,\npersonal access tokens, and SSH keys. Authorization is evaluated\nby the Kubernetes API server using Krate's custom authorizer\nwebhook, which resolves org membership and team permissions.\n",
    "status": "canonical"
  },
  "outgoingEdges": [
    {
      "from": "definition:krate-identity-model",
      "to": "domain:platform-engineering",
      "kind": "applies_to"
    },
    {
      "from": "definition:krate-identity-model",
      "to": "domain:security",
      "kind": "applies_to"
    },
    {
      "from": "definition:krate-identity-model",
      "to": "tool:kubernetes",
      "kind": "supports"
    },
    {
      "from": "definition:krate-identity-model",
      "to": "skill-area:platform-engineering",
      "kind": "supports"
    },
    {
      "from": "definition:krate-identity-model",
      "to": "skill-area:k8s-rbac",
      "kind": "supports"
    }
  ],
  "incomingEdges": []
}