Merge pull request #22 from IBM/scc-drop

Scc drop

.gitignore

@@ -0,0 +1 @@
+.DS_Store

samples/utilities/README.md

@@ -20,3 +20,26 @@ Checking PSP configuration for namespace: cert-manager
 ibm-privileged-psp (default)
 ibm-restricted-psp (*, default)
 ```
+
+## getSCCs.sh (Red Hat OpenShift only)
+The getSCCs.sh bash script displays all of the SecurityContextConstraints resources that are 
+mapped to each of the ServiceAccount users in the specified namespace (or project).
+
+Usage:
+1.  Install the `kubectl` Kubernetes CLI.
+2.  Login to your Kubernetes cluster and configure `kubectl` with a user that has sufficient privileges to access the namepace you wish to inspect.
+3.  `./getSCCs.sh <namespace>`
+
+Output:
+The script will show every SCC that is assigned to one or more ServiceAccount in the namespace, and a comma-separated list of service account names within the namespace.  This script also checks for any groups that may also resolve as follows:
+`*sys:sa:ns` - The `system:serviceaccounts:<namespace>` group.  All service accounts in the namespace.
+`*sys:auth` - The `system:authenticated` group.  All authenticated users.
+`*sys:sa` - The `system:serviceaccounts` group.  All service accounts
+
+In the following example, all users are bound to the `ibm-restricted-scc` resource and all service accounts in the `cert-manager` namespace are bound to the `icp-scc` resource.  This means that any pod in the namespace can resolve to either SCC.
+```
+./getSCCs.sh cert-manager
+Checking SCC configuration for namespace: cert-manager
+icp-scc (*sys:sa:ns)
+ibm-restricted-scc (*sys:auth)
+```

samples/utilities/getPSPs.sh

@@ -32,22 +32,19 @@ fi
 # Check each SA against each PSP
 kubectl get psp -o name | sed "s/^.\{29\}//" | while read PSPNAME;do
   PSP=ibm-restricted-psp
-  #echo $PSPNAME
   USERSFILE=$(mktemp)
   trap "rm -f $USERSFILE" EXIT
 
   # Check to see if a non-existing SA is authorized.
   kubectl -n $NAMESPACE --quiet=true auth can-i use podsecuritypolicy/$PSPNAME --as system:serviceaccount:$NAMESPACE:bogussa091209470982
   if [ $? -eq 0 ]; then
     echo -n "*" > $USERSFILE
-    #echo "   Default set"
   fi
 
   # Check each service account to see if it's authorized.
   kubectl -n $NAMESPACE get serviceaccounts -o name |  sed "s/^.\{15\}//" | while read SA;do
     kubectl -n $NAMESPACE --quiet=true auth can-i use podsecuritypolicy/$PSPNAME --as system:serviceaccount:$NAMESPACE:$SA
     if [ $? -eq 0 ]; then
-        #echo "   -$SA"
         if [ -s "$USERSFILE" ]; then
           echo -n ", " >> $USERSFILE
         fi

samples/utilities/getSCCs.sh

@@ -0,0 +1,78 @@
+#!/bin/bash
+# Copyright 2019 IBM Corporation
+# Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+# The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+#  This script displays all of the SecurityContextConstraints for the specified namespace/project
+#  The output format is:
+#    scc (<sa_name>[, <sa_name>])
+#  where:
+#   sa_name is the service account name in the namespace or * if the SCC applies to all SAs in the namespace
+#   *sys:sa:ns is the system:serviceaccounts:<namespace> group.  All service accounts in the namespace.
+#   *sys:auth the system:authenticated group.  All authenticated users.
+#   *sys:sa the system:serviceaccounts group.  All service accounts
+
+NAMESPACE=$1
+
+if [ -z "$1" ]; then
+  echo "Usage:  getSCCs.sh <namespace>"
+  exit 1
+fi
+
+IFS='
+'
+
+echo "Checking SCC configuration for namespace: $NAMESPACE"
+kubectl get namespace $NAMESPACE &> /dev/null
+if [ $? -ne 0 ]; then
+  echo "Namespace $NAMESPACE does not exist."
+  exit 1
+fi
+
+
+kubectl get scc -o name | while read SCC;do
+  SCCNAME="$(echo $SCC | cut -d'/' -f2)"
+  USERSFILE=$(mktemp)
+  trap "rm -f $USERSFILE" EXIT
+
+
+    # Find all groups from the current SCC
+    kubectl get $SCC -o jsonpath='{range .groups[*]}{@}{"\n"}{end}' | while read line;do 
+      # Check to see if the service account namespace is in the name
+      GROUPNS="$line"
+      if [ "$GROUPNS" = "system:serviceaccounts:$NAMESPACE" ]; then
+        if [ -s "$USERSFILE" ]; then
+          echo -n ", " >> $USERSFILE
+        fi
+        echo -n "*sys:sa:ns" > $USERSFILE
+      elif [ "$GROUPNS" = "system:authenticated" ]; then
+        if [ -s "$USERSFILE" ]; then
+          echo -n ", " >> $USERSFILE
+        fi
+        echo -n "*sys:auth" > $USERSFILE
+      elif [ "$GROUPNS" = "system:serviceaccounts" ]; then
+        if [ -s "$USERSFILE" ]; then
+          echo -n ", " >> $USERSFILE
+        fi
+        echo -n "*sys:sa" > $USERSFILE
+      fi
+    done
+
+    # Find all users from the current SCC
+    kubectl get $SCC -o jsonpath='{range .users[*]}{@}{"\n"}{end}' | while read line;do 
+      # Check to see if the service account namespace is in the name
+      USERNS="$(echo $line | cut -d':' -f1,2,3)"
+      if [ "$USERNS" = "system:serviceaccount:$NAMESPACE" ]; then
+        SA="$(echo $line | cut -d':' -f4)"
+        if [ -s "$USERSFILE" ]; then
+          echo -n ", " >> $USERSFILE
+        fi
+        echo -n "$SA" >> $USERSFILE
+      fi
+    done
+
+    if [ -s "$USERSFILE" ]; then
+      echo "$SCCNAME ($(cat $USERSFILE))"
+    fi
+done

spec/packaging/ibm_cloud_pak/qualification-yaml.md

@@ -2,23 +2,22 @@
 The qualification.yaml file includes the following sections:  
 * [qualification](#qualification-section)
 * [prereq](#prereqs-section)
-* [catalog](#catalog-section)
 
 ## Qualification Section
-The qualification section describes attributes related to the IBM Cloud Pak status.
+The qualification section describes attributes related to the IBM® Cloud Pak status.
 
 Key name:  `qualification`
 
 **Fully Qualified Attribute Name**|**Type**|**Description/Specification**
 -----|-----|-----
-qualification.levelName|String|Value must be: `ibm-cloud-pak`
-qualification.levelDescription|String|Value must be: `IBM Cloud Pak`
+qualification.levelName|String|One of two pre-defined levels (more may be added later): `ibm-cloud-pak`, `certified-ibm-cloud-pak`
+qualification.levelDescription|String|One of following pre-defined level descriptions: `IBM Cloud Pak`, `Certified IBM Cloud Pak`
 qualification.issueDate|String|The date in the format `M/YYYY` which the Cloud Pak was issued.
-qualification.duration|String|The amount of time that the Cloud Pak qualification is valid from date of issue.  Must be no longer than 6 months.  Format is in months:  `nM`
-qualification.terms|String|Value must be: `Valid from date of issue. Security vulnerability management and enhancements are delivered on the latest version of the chart and images`
+qualification.duration|String|The amount of time that the Cloud Pak qualification is valid.  Format is in months:  `nM`
+qualification.terms|String|The terms description.
 
 ## Prereqs Section
-The prerequisites section describes any components, features, configurations that are required in order to install the IBM Cloud Pak.
+The prerequisites section describes any components, features, configurations that are required in order to install the IBM Cloud Pak or Solution Pak.
 
 This section is organized using indented blocks of topics.
 
@@ -32,53 +31,84 @@ This section is organized using indented blocks of products or components.
 Key name: `security`
 
 #### `security.kubernetes` Prerequisite Section
+This section describes any pre-requisites for Kubernetes.  
 * `kubernetes`- Describes any Kubernetes requirements.
-  * `podSecurityPolicy` - Block: Describes any Pod Security Policy requirements.
-    * `name` - String: one of the following pre-defined pod security policy names:
+  * `podSecurityPolicy` - Block: Describes any PodSecurityPolicy requirements (not applicable for Red Hat OpenShift).
+    * `name` - String: one of the following pre-defined PodSecurityPolicy names:
       * `ibm-restricted-psp`
       * `ibm-anyuid-psp`
       * `ibm-anyuid-hostpath-psp`
       * `ibm-anyuid-hostaccess-psp`
       * `ibm-privileged-psp`
 
 #### `security.ibmCloudPrivate` Prerequisite Section
+This section describes any pre-requisites when running on the IBM® Cloud Private.  This section can be omitted if the Cloud Pak does not support IBM Cloud Private.
 * `ibmCloudPrivate` - Describes any IBM Cloud Private product requirements.
   * `installerRole` - Block:  Describes the [IBM Cloud Private Role](https://www.ibm.com/support/knowledgecenter/SSBS6K_3.1.1/user_management/assign_role.html) name required to install the IBM Cloud Pak.
     * `name` - String: one of the IBM Cloud Private roles:
       * `ClusterAdministrator` - The Cluster Administrator role
       * `Administrator` - The Administrator role of a team that includes the target namespace.
       * `Operator` - The Operator role of a team that includes the target namespace.
 
-## Catalog Section
-The catalog section describes how this IBM Cloud Pak should be displayed in a catalog.
-
-For reference, the [IBM Global Catalog](https://console.test.cloud.ibm.com/docs/developing/get-coding/index-rscatalog.html) may be a template for future additions to this section.
-
-This section is organized using indented blocks of topics.
-
-Key name: `catalog`
-
-**Fully Qualified Attribute Name**|**Type**|**Description/Specification**
------|-----|-----
-catalog.visible|boolean|If true (the default) if not present, this IBM Cloud Pak is displayed in the catalog.
+#### `security.openshift` Prerequisite Section
+This section describes any pre-requisites when running on the Red Hat® OpenShift® Kubernetes distribution.  This section can be omitted if the Cloud Pak does not support OpenShift.
+* `openshift`- Describes any Red Hat® OpenShift® requirements.
+  * `securityContextConstraints` - Block: Describes any SecurityContextConstraints requirements.
+    * `name` - String: one of the following pre-defined SecurityContextConstraints names:
+      * `ibm-restricted-scc`
+      * `ibm-anyuid-scc`
+      * `ibm-anyuid-hostpath-scc`
+      * `ibm-anyuid-hostaccess-scc`
+      * `ibm-privileged-scc`
+      * `restricted`
+      * `nonroot`
+      * `anyuid`
+      * `hostmount-anyuid`
+      * `hostnetwork`
+      * `hostaccess`
+      * `privileged`
 
 
 # Examples
 
-## Cloud Pak Example:
+## L1 Cloud Pak Example:
 ```
 qualification:
   levelName: "ibm-cloud-pak"
   levelDescription: "IBM Cloud Pak"
-  issueDate: "01/2019"
+  issueDate: "09/2018"
   duration: "6M"
   terms: "Valid from date of issue. Security vulnerability management and enhancements are delivered on the latest version of the chart and images"
 prereqs:
   security:
     kubernetes:
       podSecurityPolicy:
         name: "ibm-restricted-psp"
+    openshift:
+      securityContextConstraints:
+        name: "ibm-restricted-scc"
     ibmCloudPrivate:
       installerRole:
         name: "Operator"
-```
+```
+
+## L2 Certified IBM Cloud Pak Example:
+```
+qualification:
+  levelName: "certified-ibm-cloud-pak"
+  levelDescription: "Certified IBM Cloud Pak"
+  issueDate: "09/2018"
+  duration: "6M"
+  terms: "Valid from date of issue. Security vulnerability management and enhancements are delivered on the latest version of the chart and images"
+prereqs:
+  security:
+    kubernetes:
+      podSecurityPolicy:
+        name: "ibm-restricted-psp"
+    openshift:
+      securityContextConstraints:
+        name: "ibm-restricted-scc"
+    ibmCloudPrivate:
+      installerRole:
+        name: "ClusterAdministrator"
+```