Merge branch 'master' of https://github.com/kubernetes-sigs/multi-ten…

…ancy into default-deny-conn
kubernetes-retired · Jun 5, 2020 · 606c114 · 606c114
2 parents 5d69ce8 + c6b9e17
commit 606c114
Show file tree

Hide file tree

Showing 251 changed files with 6,855 additions and 3,146 deletions.
diff --git a/benchmarks/documentation/categories.md b/benchmarks/documentation/categories.md
@@ -2,37 +2,35 @@
 
 ## Control Plane Isolation (CPI)
 
-Checks for cluster configuration settings and runtime isolation and protection of cluster resources. These checks require access to the API Server process settings via mounted host directories, assuming the cluster components are installed directly on the host. 
+Checks for cluster configuration settings and runtime isolation and protection of cluster resources. These checks require access to the API Server process settings via mounted host directories, assuming the cluster components are installed directly on the host.
 
 ## Tenant Isolation (TI)
 
 Checks for required namespace configuration settings and isolation across tenants. These checks require cluster-admin access to the namespaces under test.
 
-
 ## Network Isolation (NI)
 
 Checks for network security to provide isolation across tenant namespaces for ingress and egress traffic.
 
-
 ## Host Isolation (HI)
 
 Checks to ensure that container hosts are protected from tenant workloads.
 
-
 ## Data Isolation (DI)
 
-Checks to ensure that tenant data, including volumes and secrets, cannot be accessed by other tenants. 
-
+Checks to ensure that tenant data, including volumes and secrets, cannot be accessed by other tenants.
 
 ## Fairness (FNS)
 
 Checks to ensure fair usage of shared resources.
 
-
 ## Self-Service Operations (OPS)
 
-Checks to verify if a tenant administrator can create new namespaces and manage tenant-specific resources for these namespaces e.g. adding new network policies. 
+Checks to verify if a tenant administrator can create new namespaces and manage tenant-specific resources for these namespaces e.g. adding new network policies.
+
+## Control Plane Virtualization (CPV)
 
+Checks to verify if a tenant administrator can create new CRDs as different tenants.
 
 <br/><br/>
-*Read Next >> [Running validation tests](run.md)*
+_Read Next >> [Running validation tests](run.md)_
diff --git a/benchmarks/e2e/tests/block_add_capabilities/block_add_capabilities.go b/benchmarks/e2e/tests/block_add_capabilities/block_add_capabilities.go
@@ -1,22 +1,22 @@
 package tenantaccess
 
 import (
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"strings"
+
 	"github.com/onsi/ginkgo"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/kubernetes/test/e2e/framework"
-	configutil "sigs.k8s.io/multi-tenancy/benchmarks/e2e/config"
 	imageutils "k8s.io/kubernetes/test/utils/image"
-
+	configutil "sigs.k8s.io/multi-tenancy/benchmarks/e2e/config"
 )
 
 const (
 	expectedVal = "capability may not be added"
 )
 
-var _ = framework.KubeDescribe("Tenants should unable to add linux capabilities for pods", func() {
+var _ = framework.KubeDescribe("[PL1] [PL2] [PL3] Tenants should unable to add linux capabilities for pods", func() {
 	var config *configutil.BenchmarkConfig
 	var tenantA configutil.TenantSpec
 	var user string
@@ -62,7 +62,7 @@ var _ = framework.KubeDescribe("Tenants should unable to add linux capabilities
 			},
 		}
 		_, err = kclient.CoreV1().Pods(tenantA.Namespace).Create(podSpec)
-		if !strings.Contains(err.Error(),expectedVal) {
+		if !strings.Contains(err.Error(), expectedVal) {
 			framework.Failf("%s must be unable to create pod with add capabilities", user)
 		}
 	})

diff --git a/benchmarks/e2e/tests/block_host_ipc/block_host_ipc.go b/benchmarks/e2e/tests/block_host_ipc/block_host_ipc.go
@@ -5,16 +5,16 @@ import (
 	"strings"
 
 	"github.com/onsi/ginkgo"
-	configutil "sigs.k8s.io/multi-tenancy/benchmarks/e2e/config"
 	"k8s.io/kubernetes/test/e2e/framework"
 	e2epod "k8s.io/kubernetes/test/e2e/framework/pod"
+	configutil "sigs.k8s.io/multi-tenancy/benchmarks/e2e/config"
 )
 
 const (
 	expectedVal = "Host IPC is not allowed to be used"
 )
 
-var _ = framework.KubeDescribe("Tenants should not be allowed to share the HostIPC namespace.", func() {
+var _ = framework.KubeDescribe("[PL1] [PL2] [PL3] Tenants should not be allowed to share the HostIPC namespace.", func() {
 	var config *configutil.BenchmarkConfig
 	var tenantA configutil.TenantSpec
 	var user string
@@ -35,7 +35,7 @@ var _ = framework.KubeDescribe("Tenants should not be allowed to share the HostI
 		// HostIPC set to true so that pod creation would fail
 		pod := e2epod.MakeSecPod(tenantA.Namespace, nil, nil, false, "", true, false, nil, nil)
 		_, err = kclient.CoreV1().Pods(tenantA.Namespace).Create(pod)
-		if !strings.Contains(err.Error(),expectedVal) {
+		if !strings.Contains(err.Error(), expectedVal) {
 			framework.Failf("%s must be unable to create pod with HostIPC set to true", user)
 		}
 	})

diff --git a/benchmarks/e2e/tests/block_nodeports/block_nodeports.go b/benchmarks/e2e/tests/block_nodeports/block_nodeports.go
@@ -0,0 +1,76 @@
+package block_nodeports
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/onsi/ginkgo"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/uuid"
+	"k8s.io/kubernetes/test/e2e/framework"
+	e2edeployment "k8s.io/kubernetes/test/e2e/framework/deployment"
+	imageutils "k8s.io/kubernetes/test/utils/image"
+	configutil "sigs.k8s.io/multi-tenancy/benchmarks/e2e/config"
+)
+
+const (
+	expectedVal = "Services of type NodePort are not allowed"
+)
+
+func CreateServiceSpec(serviceName string, selector map[string]string) *v1.Service {
+	Service := &v1.Service{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: serviceName,
+		},
+		Spec: v1.ServiceSpec{
+			Selector: selector,
+		},
+	}
+	Service.Spec.Type = "NodePort"
+	Service.Spec.Ports = []v1.ServicePort{
+		{Port: 80, Name: "http", Protocol: v1.ProtocolTCP},
+	}
+	return Service
+}
+
+var _ = framework.KubeDescribe("[PL1] [PL2] [PL3] Tenants should not be able to create services of type NodePort.", func() {
+	var config *configutil.BenchmarkConfig
+	var tenantA configutil.TenantSpec
+	var user string
+	var err error
+	var deploymentName string
+	var imageName string
+	var podLabels = map[string]string{"test": "multi"}
+	var serviceName string
+
+	ginkgo.BeforeEach(func() {
+		config, err = configutil.ReadConfig(configutil.ConfigPath)
+		framework.ExpectNoError(err)
+
+		tenantA, err = config.GetValidTenant()
+		framework.ExpectNoError(err)
+
+		user = configutil.GetContextFromKubeconfig(tenantA.Kubeconfig)
+		deploymentName = "deployment-" + string(uuid.NewUUID())
+		imageName = "image-" + string(uuid.NewUUID())
+		serviceName = "image-" + string(uuid.NewUUID())
+	})
+
+	ginkgo.It("Tenants should not be able to create services of type NodePort.", func() {
+		ginkgo.By(fmt.Sprintf("Tenant %s should not be able to create services of type NodePort.", user))
+
+		deployment := e2edeployment.NewDeployment(deploymentName, 1, podLabels, imageName, imageutils.GetE2EImage(imageutils.Nginx), "Recreate")
+
+		kclient := configutil.NewKubeClientWithKubeconfig(tenantA.Kubeconfig)
+		_, err = kclient.AppsV1().Deployments(tenantA.Namespace).Create(deployment)
+		framework.ExpectNoError(err)
+
+		svc := CreateServiceSpec(serviceName, podLabels)
+		_, err = kclient.CoreV1().Services(tenantA.Namespace).Create(svc)
+
+		if !strings.Contains(err.Error(), expectedVal) {
+			framework.Failf("%s must be unable to create service of type NodePort", user)
+		}
+	})
+})
diff --git a/benchmarks/e2e/tests/block_privilege_escalation/block_privilege_escalation.go b/benchmarks/e2e/tests/block_privilege_escalation/block_privilege_escalation.go
@@ -0,0 +1,77 @@
+package block_privilege_escalation
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/onsi/ginkgo"
+	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/uuid"
+	"k8s.io/kubernetes/test/e2e/framework"
+	imageutils "k8s.io/kubernetes/test/utils/image"
+	configutil "sigs.k8s.io/multi-tenancy/benchmarks/e2e/config"
+)
+
+const (
+	expectedVal = "Allowing privilege escalation for containers is not allowed"
+)
+
+func MakeSecPod(Namespace string, AllowPrivilegeEscalation bool) *v1.Pod {
+	podName := "security-context-" + string(uuid.NewUUID())
+	podSpec := &v1.Pod{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "Pod",
+			APIVersion: "v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      podName,
+			Namespace: Namespace,
+		},
+		Spec: v1.PodSpec{
+			Containers: []v1.Container{
+				{
+					Name:    "write-pod",
+					Image:   imageutils.GetE2EImage(imageutils.BusyBox),
+					Command: []string{"/bin/sh"},
+					Args:    []string{"-c", ""},
+					SecurityContext: &v1.SecurityContext{
+						AllowPrivilegeEscalation: &AllowPrivilegeEscalation,
+					},
+				},
+			},
+			RestartPolicy: v1.RestartPolicyOnFailure,
+		},
+	}
+	return podSpec
+}
+
+var _ = framework.KubeDescribe("[PL1] [PL2] [PL3] Processes in tenant containers should not be allowed to gain additional priviliges", func() {
+	var config *configutil.BenchmarkConfig
+	var tenantA configutil.TenantSpec
+	var user string
+	var err error
+
+	ginkgo.BeforeEach(func() {
+		config, err = configutil.ReadConfig(configutil.ConfigPath)
+		framework.ExpectNoError(err)
+
+		tenantA, err = config.GetValidTenant()
+		framework.ExpectNoError(err)
+
+		user = configutil.GetContextFromKubeconfig(tenantA.Kubeconfig)
+	})
+
+	ginkgo.It("Validate tenants can not create pods/container with allowedprivilege set to true", func() {
+		ginkgo.By(fmt.Sprintf("tenant %s cannot create pod/container with with allowedprivilege set to true", user))
+
+		kclient := configutil.NewKubeClientWithKubeconfig(tenantA.Kubeconfig)
+
+		pod := MakeSecPod(tenantA.Namespace, true)
+		_, err = kclient.CoreV1().Pods(tenantA.Namespace).Create(pod)
+
+		if !strings.Contains(err.Error(), expectedVal) {
+			framework.Failf("%s must be unable to create pod/container that sets allowedprivileged to true", user)
+		}
+	})
+})
diff --git a/benchmarks/e2e/tests/configure_ns_object_quotas/configure_ns_object_quotas.go b/benchmarks/e2e/tests/configure_ns_object_quotas/configure_ns_object_quotas.go
@@ -14,7 +14,7 @@ const (
 	expectedVal = "Error from server (Forbidden)"
 )
 
-var _ = framework.KubeDescribe("A tenant namespace must have object resource quotas", func() {
+var _ = framework.KubeDescribe("[PL1] [PL2] [PL3] A tenant namespace must have object resource quotas", func() {
 	var config *configutil.BenchmarkConfig
 	var tenantA configutil.TenantSpec
 	var user string
@@ -62,4 +62,4 @@ func getTenantResoureQuotas(t configutil.TenantSpec) []string {
 	}
 
 	return tenantResourceQuotas
-}
+}
diff --git a/benchmarks/e2e/tests/create_network_policies/README.md b/benchmarks/e2e/tests/create_network_policies/README.md
@@ -0,0 +1,31 @@
+# [MTB-PL2-BC-OPS-4] Create Network Policies
+
+**Profile Applicability:**
+
+Level 2
+
+**Type:**
+
+Behavioral
+
+**Category:**
+
+Self-Service Operations
+
+**Description:**
+
+Tenants should be able to perform self-service operations by creating own network policies in their namespaces.
+
+Tenants
+
+**Rationale:**
+
+Enables self-service management of network-policies.
+
+**Audit:**
+
+Run the following commands to check for permissions to manage `network-policy` for each verb(get, create, update, patch, delete, and deletecollection) in the tenant namespace:
+
+    kubectl --kubeconfig=tenant-a -n a1 auth can-i <verb> networkpolicy
+
+Each command must return 'yes'
diff --git a/benchmarks/e2e/tests/create_network_policies/create_network_policies.go b/benchmarks/e2e/tests/create_network_policies/create_network_policies.go
@@ -0,0 +1,56 @@
+package create_network_policies
+
+import (
+	"fmt"
+	"os"
+	"time"
+
+	"github.com/onsi/ginkgo"
+	"k8s.io/kubernetes/test/e2e/framework"
+	configutil "sigs.k8s.io/multi-tenancy/benchmarks/e2e/config"
+)
+
+const (
+	expectedVal = "yes"
+)
+
+var _ = framework.KubeDescribe("[PL2] [PL3] Test tenant's network-policy management permissions", func() {
+	var config *configutil.BenchmarkConfig
+	var tenantkubeconfig configutil.TenantSpec
+	var err error
+
+	ginkgo.BeforeEach(func() {
+		config, err = configutil.ReadConfig(configutil.ConfigPath)
+		framework.ExpectNoError(err)
+	})
+
+	framework.KubeDescribe("Tenant has RBAC privileges for Network-policies", func() {
+		var user string
+		var verbs = []string{"get", "list", "create", "update", "patch", "watch", "delete", "deletecollection"}
+		var namespaceflag = "-n"
+
+		ginkgo.BeforeEach(func() {
+			tenantkubeconfig, err = config.GetValidTenant()
+			framework.ExpectNoError(err)
+
+			os.Setenv("KUBECONFIG", tenantkubeconfig.Kubeconfig)
+			user = configutil.GetContextFromKubeconfig(tenantkubeconfig.Kubeconfig)
+		})
+
+		ginkgo.It("Tenant has RBAC privileges for Network-policies", func() {
+			ginkgo.By(fmt.Sprintf("Tenant %s can modify Network-policies for its namespace", user))
+
+			for _, verb := range verbs {
+				_, errNew := framework.LookForString(expectedVal, time.Minute, func() string {
+					output, err := framework.RunKubectl("auth", "can-i", verb, "networkpolicy", namespaceflag, tenantkubeconfig.Namespace)
+					if err != nil {
+						return err.Error()
+					}
+					return output
+				})
+
+				framework.ExpectNoError(errNew)
+			}
+		})
+	})
+})