Config correction

benchmarks/kubectl-mtb/docs/main.go

@@ -27,26 +27,48 @@ type Doc struct {
 	Description     string                 `yaml:"description"`
 	Remediation     string                 `yaml:"remediation"`
 	ProfileLevel    int                    `yaml:"profileLevel"`
+	Rationale       string                 `yaml:"rationale"`
+	Audit           string                 `yaml:"audit"`
 	AdditionalField map[string]interface{} `yaml:"additionalFields"`
 }
 
-// README template
-const templ = `# {{.Title}} <small>[{{.ID}}] </small>
-**Profile Applicability:** 
-{{.ProfileLevel}} <br>
-**Type:** 
-{{.BenchmarkType}} <br>
-**Category:** 
-{{.Category}} <br>
-**Description:** 
-{{.Description}} <br>
-**Remediation:**
-{{.Remediation}} <br>
+func ReadmeTemplate() []byte {
+	return []byte(
+		`# {{.Title}} <small>[{{.ID}}] </small>
+
+**Profile Applicability:**
+
+{{.ProfileLevel}}
+
+**Type:**
+
+{{.BenchmarkType}}
+
+**Category:**
+
+{{.Category}}
+
+**Description:**
+
+{{.Description}}
+
+**Rationale:**
+
+{{.Rationale}}
+
+**Audit:**
+
+{{.Audit}}
+
+{{.Remediation}}
+
 {{ range $key, $value := .AdditionalField }}
 **{{ $key }}:** 
-{{ $value }} <br>
-{{ end }}
-`
+
+{{ $value }}
+
+{{ end }}`)
+}
 
 func exists(path string) (bool, error) {
 	_, err := os.Stat(path)
@@ -110,8 +132,6 @@ func main() {
 				for _, i := range values {
 					deleteFields(i, d.AdditionalField)
 				}
-				t := template.New("README template")
-				t, err = t.Parse(templ)
 
 				// Get directory of the config file
 				dirPath := getDirectory(path, "/")
@@ -122,18 +142,14 @@ func main() {
 					return err
 				}
 
-				f, err := os.Create(dirPath + "/README.md")
-				if err != nil {
-					return err
-				}
-
-				// Write the output to the README file
-				err = t.Execute(f, d)
+				mainFile, err := os.Create(fmt.Sprintf("%s/README.md", dirPath))
 				if err != nil {
 					return err
 				}
+				defer mainFile.Close()
 
-				err = f.Close()
+				mainTemplate := template.Must(template.New("main").Parse(string(ReadmeTemplate())))
+				err = mainTemplate.Execute(mainFile, d)
 				if err != nil {
 					return err
 				}

benchmarks/kubectl-mtb/go.sum

@@ -1489,13 +1489,15 @@ sigs.k8s.io/multi-tenancy v0.0.0-20200713220920-829ca66edf83 h1:Wu4A0FA9gXUxB+BO
 sigs.k8s.io/multi-tenancy v0.0.0-20200714035720-9254d886f1e8 h1:2jvDW9Ut25bjFIsVPj66RNohUl+e3xmlXeKtDM3XLkg=
 sigs.k8s.io/multi-tenancy v0.0.0-20200724204617-6364dbba69da h1:HOR9N89EJFKSyQmD3/x36+FxkYIGMEg/8a4N+IiCUG8=
 sigs.k8s.io/multi-tenancy v0.0.0-20200726013016-97a38fedf0b1 h1:y8ONNC+S0jkxria4hGCq+HXVxbSXK72kKkyR4WK2vfw=
+sigs.k8s.io/multi-tenancy v0.0.0-20200731200539-a59bb770c223 h1:3LVSAKupidlml1n/MbHPbJr5m48kpsOKFVAcsOhXgN0=
 sigs.k8s.io/multi-tenancy v0.0.0-20200801023540-26dab8a69fdf h1:dDCjPiT9NuwVCDq2vrolp4NuMXxxmHnTIL33gS+LgzQ=
 sigs.k8s.io/multi-tenancy/benchmarks v0.0.0-20200707060558-ea14282f3be6 h1:V4K5fPHAgNnYTFmhKlU4cp03o7/nuZbbVqFnEHvcyHk=
 sigs.k8s.io/multi-tenancy/benchmarks v0.0.0-20200710152148-20515322b4e5 h1:h21E7xB6JQ19Hy5ypObM90L4xScjwiNQxrOACXJ409w=
 sigs.k8s.io/multi-tenancy/benchmarks v0.0.0-20200713220920-829ca66edf83 h1:nmcpLotBZVRnlvDDd3q9b2J9VuW2rfkCRBl+1x/0rfk=
 sigs.k8s.io/multi-tenancy/benchmarks v0.0.0-20200714035720-9254d886f1e8 h1:tLrFy2wLP0LJSQORg9FslngBnoADSEn+uYju2W3eOjk=
 sigs.k8s.io/multi-tenancy/benchmarks v0.0.0-20200724204617-6364dbba69da h1:sZgkCMXKgOF4Diom1+CeyUNmrtu+9BPV+CV3nMzAfJM=
 sigs.k8s.io/multi-tenancy/benchmarks v0.0.0-20200726013016-97a38fedf0b1 h1:6shszoTBt41BnJeg6gGyF5phNzfX0CMKJy/Mn71Oz/M=
+sigs.k8s.io/multi-tenancy/benchmarks v0.0.0-20200731200539-a59bb770c223 h1:fVp4SgTf3sYqwf85QT5CFDblbEqmDgF0pJhHyFRjkCU=
 sigs.k8s.io/multi-tenancy/benchmarks v0.0.0-20200801023540-26dab8a69fdf h1:vcFCmxTMwNH1679Jpdb7Wir0mcMJKyzdaDr0q68nhR0=
 sigs.k8s.io/structured-merge-diff/v3 v3.0.0-20200116222232-67a7b8c61874/go.mod h1:PlARxl6Hbt/+BC80dRLi1qAmnMqwqDg62YvvVkZjemw=
 sigs.k8s.io/structured-merge-diff/v3 v3.0.0 h1:dOmIZBMfhcHS09XZkMyUgkq5trg3/jRyJYFZUiaOp8E=

benchmarks/kubectl-mtb/pkg/benchmark/benchmark.go

@@ -16,6 +16,8 @@ type Benchmark struct {
 	Description   string `yaml:"description"`
 	Remediation   string `yaml:"remediation"`
 	ProfileLevel  int    `yaml:"profileLevel"`
+	Rationale     string `yaml:"rationale"`
+	Audit         string `yaml:"audit"`
 	PreRun        func(types.RunOptions) error
 	Run           func(types.RunOptions) error
 	PostRun       func(types.RunOptions) error

benchmarks/kubectl-mtb/test/benchmarks/block_access_to_cluster_resources/README.md

@@ -1,12 +1,37 @@
 # Block access to cluster resources <small>[MTB-PL1-CC-CPI-1] </small>
-**Profile Applicability:** 
-1 <br>
-**Type:** 
-Configuration Check <br>
-**Category:** 
-Control Plane Isolation <br>
-**Description:** 
-Tenants should not be able to view, edit, create, or delete cluster (non-namespaced) resources such Node, ClusterRole, ClusterRoleBinding, etc. <br>
-**Remediation:**
- <br>
+
+**Profile Applicability:**
+
+1
+
+**Type:**
+
+Configuration Check
+
+**Category:**
+
+Control Plane Isolation
+
+**Description:**
+
+Tenants should not be able to view, edit, create, or delete cluster (non-namespaced) resources such Node, ClusterRole, ClusterRoleBinding, etc.
+
+**Rationale:**
+
+Access controls should be configured for tenants so that a tenant cannot list, create, modify or delete cluster resources
+
+**Audit:**
+
+Run the following commands to retrieve the list of non-namespaced resources
+```bash 
+kubectl --kubeconfig cluster-admin api-resources --namespaced=false
+```
+For all non-namespaced resources, and each verb (get, list, create, update, patch, watch, delete, and deletecollection) issue the following commands
+```bash 
+kubectl --kubeconfig tenant-a auth can-i verb resource
+```
+Each command must return &#39;no&#39;
+
+
+
 

benchmarks/kubectl-mtb/test/benchmarks/block_access_to_cluster_resources/config.yaml

@@ -5,3 +5,14 @@ category: Control Plane Isolation
 description: Tenants should not be able to view, edit, create, or delete cluster (non-namespaced) resources such Node, ClusterRole, ClusterRoleBinding, etc.
 remediation:
 profileLevel: 1
+rationale: Access controls should be configured for tenants so that a tenant cannot list, create, modify or delete cluster resources
+audit: | 
+ Run the following commands to retrieve the list of non-namespaced resources
+ ```bash 
+ kubectl --kubeconfig cluster-admin api-resources --namespaced=false
+ ```
+ For all non-namespaced resources, and each verb (get, list, create, update, patch, watch, delete, and deletecollection) issue the following commands
+ ```bash 
+ kubectl --kubeconfig tenant-a auth can-i verb resource
+ ```
+ Each command must return 'no'

benchmarks/kubectl-mtb/test/benchmarks/block_add_capabilities/README.md

@@ -1,12 +1,28 @@
 # Block add capabilities <small>[MTB-PL1-BC-CPI-3] </small>
-**Profile Applicability:** 
-1 <br>
-**Type:** 
-Behavioral Check <br>
-**Category:** 
-Control Plane Isolation <br>
-**Description:** 
-Linux allows defining fine-grained permissions using capabilities. With Kubernetes, it is possible to add capabilities for pods that escalate the level of kernel access and allow other potentially dangerous behaviors. <br>
-**Remediation:**
-Define a `PodSecurityPolicy` with `allowedCapabilities` and map the policy to each tenant namespace, or use a policy engine such as [OPA/Gatekeeper](https://github.com/open-policy-agent/gatekeeper) or [Kyverno](https://kyverno.io) to enforce new capabilities cannot be added. You can use the policies present [here](https://github.com/kubernetes-sigs/multi-tenancy/tree/master/benchmarks/kubectl-mtb/test/policies). <br>
+
+**Profile Applicability:**
+
+1
+
+**Type:**
+
+Behavioral Check
+
+**Category:**
+
+Control Plane Isolation
+
+**Description:**
+
+Linux
+
+**Rationale:**
+
+Linux allows defining fine-grained permissions using capabilities. With Kubernetes, it is possible to add capabilities for pods that escalate the level of kernel access and allow other potentially dangerous behaviors.
+
+**Audit:**
+
+Create a pod or container that adds new `capabilities` in its `securityContext`. The pod creation must fail.
+
+Define a `PodSecurityPolicy` with `allowedCapabilities` and map the policy to each tenant namespace, or use a policy engine such as [OPA/Gatekeeper](https://github.com/open-policy-agent/gatekeeper) or [Kyverno](https://kyverno.io) to enforce new capabilities cannot be added. You can use the policies present [here](https://github.com/kubernetes-sigs/multi-tenancy/tree/master/benchmarks/kubectl-mtb/test/policies).
 

benchmarks/kubectl-mtb/test/benchmarks/block_add_capabilities/config.yaml

@@ -2,6 +2,8 @@ id: MTB-PL1-BC-CPI-3
 title: Block add capabilities
 benchmarkType: Behavioral Check
 category: Control Plane Isolation
-description: Linux allows defining fine-grained permissions using capabilities. With Kubernetes, it is possible to add capabilities for pods that escalate the level of kernel access and allow other potentially dangerous behaviors.
+description: Linux 
 remediation: Define a `PodSecurityPolicy` with `allowedCapabilities` and map the policy to each tenant namespace, or use a policy engine such as [OPA/Gatekeeper](https://github.com/open-policy-agent/gatekeeper) or [Kyverno](https://kyverno.io) to enforce new capabilities cannot be added. You can use the policies present [here](https://github.com/kubernetes-sigs/multi-tenancy/tree/master/benchmarks/kubectl-mtb/test/policies).
-profileLevel: 1
+rationale: Linux allows defining fine-grained permissions using capabilities. With Kubernetes, it is possible to add capabilities for pods that escalate the level of kernel access and allow other potentially dangerous behaviors.
+profileLevel: 1
+audit: Create a pod or container that adds new `capabilities` in its `securityContext`. The pod creation must fail.

benchmarks/kubectl-mtb/test/benchmarks/block_ns_quota/README.md

@@ -1,12 +1,36 @@
 # Block modification of resource quotas <small>[MTB-PL1-CC-TI-1] </small>
-**Profile Applicability:** 
-1 <br>
-**Type:** 
-Behavioral Check <br>
-**Category:** 
-Tenant Isolation <br>
-**Description:** 
-Tenants should not be able to modify the resource quotas defined in their namespaces <br>
-**Remediation:**
- <br>
+
+**Profile Applicability:**
+
+1
+
+**Type:**
+
+Behavioral Check
+
+**Category:**
+
+Tenant Isolation
+
+**Description:**
+
+Tenants should not be able to modify the resource quotas defined in their namespaces
+
+**Rationale:**
+
+Resource quotas must be configured for isolation and fairness between tenants. Tenants should not be able to modify existing resource quotas as they may exhaust cluster resources and impact other tenants.
+
+**Audit:**
+
+Run the following commands to check for permissions to manage quotas in the tenant namespace:
+```shell
+kubectl --kubeconfig=tenant-a -n a1 auth can-i create quota
+kubectl --kubeconfig=tenant-a -n a1 auth can-i update quota
+kubectl --kubeconfig=tenant-a -n a1 auth can-i patch quota
+kubectl --kubeconfig=tenant-a -n a1 auth can-i delete quota
+kubectl --kubeconfig=tenant-a -n a1 auth can-i deletecollection quota
+```
+Each command must return &#39;no&#39;&#34;
+
+
 

benchmarks/kubectl-mtb/test/benchmarks/block_ns_quota/config.yaml

@@ -4,4 +4,15 @@ benchmarkType: Behavioral Check
 category: Tenant Isolation
 description: Tenants should not be able to modify the resource quotas defined in their namespaces
 remediation: 
-profileLevel: 1
+profileLevel: 1
+rationale: Resource quotas must be configured for isolation and fairness between tenants. Tenants should not be able to modify existing resource quotas as they may exhaust cluster resources and impact other tenants.
+audit: |
+ Run the following commands to check for permissions to manage quotas in the tenant namespace:
+ ```shell
+ kubectl --kubeconfig=tenant-a -n a1 auth can-i create quota
+ kubectl --kubeconfig=tenant-a -n a1 auth can-i update quota
+ kubectl --kubeconfig=tenant-a -n a1 auth can-i patch quota
+ kubectl --kubeconfig=tenant-a -n a1 auth can-i delete quota
+ kubectl --kubeconfig=tenant-a -n a1 auth can-i deletecollection quota
+ ```
+ Each command must return 'no'"

benchmarks/kubectl-mtb/test/benchmarks/block_privilege_escalation/README.md

@@ -1,12 +1,28 @@
 # Block privilege escalation <small>[MTB-PL1-BC-CPI-6] </small>
-**Profile Applicability:** 
-1 <br>
-**Type:** 
-Behavioral Check <br>
-**Category:** 
-Control Plane Isolation <br>
-**Description:** 
-The `securityContext.allowPrivilegeEscalation` setting allows a process to gain more privileges from its parent process. Processes in tenant containers should not be allowed to gain additional priviliges. <br>
-**Remediation:**
-Define a `PodSecurityPolicy` with `allowPrivilegeEscalation` set to `false` and map the policy to each tenant&#39;s namespace,  or use a policy engine such as [OPA/Gatekeeper](https://github.com/open-policy-agent/gatekeeper) or [Kyverno](https://kyverno.io) to prevent privilege escalation. You can use the policies present [here](https://github.com/kubernetes-sigs/multi-tenancy/tree/master/benchmarks/kubectl-mtb/test/policies). <br>
+
+**Profile Applicability:**
+
+1
+
+**Type:**
+
+Behavioral Check
+
+**Category:**
+
+Control Plane Isolation
+
+**Description:**
+
+The `securityContext.allowPrivilegeEscalation` setting allows a process to gain more privileges from its parent process. Processes in tenant containers should not be allowed to gain additional priviliges.
+
+**Rationale:**
+
+The `securityContext.allowPrivilegeEscalation` setting allows a process to gain more privileges from its parent process. Processes in tenant containers should not be allowed to gain additional priviliges.
+
+**Audit:**
+
+Create a pod or container that sets `allowPrivilegeEscalation` to `true` in its `securityContext`. The pod creation must fail.
+
+Define a `PodSecurityPolicy` with `allowPrivilegeEscalation` set to `false` and map the policy to each tenant&#39;s namespace,  or use a policy engine such as [OPA/Gatekeeper](https://github.com/open-policy-agent/gatekeeper) or [Kyverno](https://kyverno.io) to prevent privilege escalation. You can use the policies present [here](https://github.com/kubernetes-sigs/multi-tenancy/tree/master/benchmarks/kubectl-mtb/test/policies).
 

benchmarks/kubectl-mtb/test/benchmarks/block_privilege_escalation/config.yaml

@@ -4,4 +4,6 @@ benchmarkType: Behavioral Check
 category: Control Plane Isolation
 description: The `securityContext.allowPrivilegeEscalation` setting allows a process to gain more privileges from its parent process. Processes in tenant containers should not be allowed to gain additional priviliges.
 remediation: Define a `PodSecurityPolicy` with `allowPrivilegeEscalation` set to `false` and map the policy to each tenant's namespace,  or use a policy engine such as [OPA/Gatekeeper](https://github.com/open-policy-agent/gatekeeper) or [Kyverno](https://kyverno.io) to prevent privilege escalation. You can use the policies present [here](https://github.com/kubernetes-sigs/multi-tenancy/tree/master/benchmarks/kubectl-mtb/test/policies).
-profileLevel: 1
+profileLevel: 1
+audit: Create a pod or container that sets `allowPrivilegeEscalation` to `true` in its `securityContext`. The pod creation must fail.
+rationale: The `securityContext.allowPrivilegeEscalation` setting allows a process to gain more privileges from its parent process. Processes in tenant containers should not be allowed to gain additional priviliges.

benchmarks/kubectl-mtb/test/benchmarks/block_privileged_containers/README.md

@@ -1,12 +1,28 @@
 # Block privileged containers <small>[MTB-PL1-BC-CPI-5] </small>
-**Profile Applicability:** 
-1 <br>
-**Type:** 
-Behavioral Check <br>
-**Category:** 
-Control Plane Isolation <br>
-**Description:** 
-By default a container is not allowed to access any devices on the host, but a “privileged” container can access all devices on the host. A process within a privileged container can also get unrestricted host access. Hence, tenants should not be allowed to run privileged containers. <br>
-**Remediation:**
-Define a `PodSecurityPolicy` with `privileged` set to `false` and map the policy to each tenant&#39;s namespace, or use a policy engine such as [OPA/Gatekeeper](https://github.com/open-policy-agent/gatekeeper) or [Kyverno](https://kyverno.io) to prevent tenants from running privileged containers. You can use the policies present [here](https://github.com/kubernetes-sigs/multi-tenancy/tree/master/benchmarks/kubectl-mtb/test/policies). <br>
+
+**Profile Applicability:**
+
+1
+
+**Type:**
+
+Behavioral Check
+
+**Category:**
+
+Control Plane Isolation
+
+**Description:**
+
+Linux
+
+**Rationale:**
+
+By default a container is not allowed to access any devices on the host, but a “privileged” container can access all devices on the host. A process within a privileged container can also get unrestricted host access. Hence, tenants should not be allowed to run privileged containers.
+
+**Audit:**
+
+Create a pod or container that sets `privileged` to `true` in its `securityContext`. The pod creation must fail.
+
+Define a `PodSecurityPolicy` with `privileged` set to `false` and map the policy to each tenant&#39;s namespace, or use a policy engine such as [OPA/Gatekeeper](https://github.com/open-policy-agent/gatekeeper) or [Kyverno](https://kyverno.io) to prevent tenants from running privileged containers. You can use the policies present [here](https://github.com/kubernetes-sigs/multi-tenancy/tree/master/benchmarks/kubectl-mtb/test/policies).