docs: add further test cases
bsctl committed Jul 17, 2021
1 parent 7bd41c9 commit b7b1018
Showing 20 changed files with 880 additions and 20 deletions.
@@ -0,0 +1,77 @@
# Allow self-service management of Network Policies

**Profile Applicability:** L2

**Type:** Behavioral

**Category:** Self-Service Operations

**Description:** Tenants should be able to perform self-service operations by creating own network policies in their namespaces.

**Rationale:** Enables self-service management of network-policies.

**Audit:**

As cluster admin, create a tenant

```yaml
kubectl create -f - <<EOF
apiVersion: capsule.clastix.io/v1beta1
kind: Tenant
metadata:
name: oil
spec:
owners:
- kind: User
name: alice
networkPolicies:
items:
ingress:
- from:
- namespaceSelector:
matchLabels:
capsule.clastix.io/tenant: oil
podSelector: {}
policyTypes:
- Egress
- Ingress
EOF

./create-user.sh alice oil

```

As tenant owner, run the following command to create a namespace in the given tenant

```bash
kubectl --kubeconfig alice create ns oil-production
kubectl --kubeconfig alice config set-context --current --namespace oil-production
```

As tenant owner, retrieve the networkpolicies resources in the tenant namespace

```bash
kubectl --kubeconfig alice get networkpolicies
NAME POD-SELECTOR AGE
capsule-oil-0 <none> 7m5s
```

As tenant owner check for permissions to manage networkpolicy for each verb

```bash
kubectl --kubeconfig alice auth can-i get networkpolicies
kubectl --kubeconfig alice auth can-i create networkpolicies
kubectl --kubeconfig alice auth can-i update networkpolicies
kubectl --kubeconfig alice auth can-i patch networkpolicies
kubectl --kubeconfig alice auth can-i delete networkpolicies
kubectl --kubeconfig alice auth can-i deletecollection networkpolicies
```

Each command must return 'yes'

**Cleanup:**
As cluster admin, delete all the created resources

```bash
kubectl --kubeconfig cluster-admin delete tenant oil
```
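Review bot: in the tenant manifest, `networkPolicies.items` is written as a mapping (`items:` followed directly by `ingress:`), while the same field in block-network-access-across-tenant-namespaces.md in this commit is a list (`items:` / `- ingress:`); if `items` is a list in the Tenant CRD this manifest will be rejected, so please make the two files agree. The policy also sets `policyTypes: [Egress, Ingress]` with no `egress` rules, which denies all egress (DNS included) from pods in the tenant's namespaces; if that is not what this audit intends, drop `Egress` as the other file does. Two smaller points: the first fence is tagged `yaml` but contains a shell heredoc plus `./create-user.sh`, so tag it `bash` like the rest, and "creating own network policies" should read "creating their own network policies". The Audit also stops at `auth can-i`; actually creating a NetworkPolicy as `alice` would verify the behaviour rather than only the RBAC rule.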
58 changes: 58 additions & 0 deletions docs/operator/mtb/allow-self-service-management-of-rolebindings.md
@@ -0,0 +1,58 @@
# Allow self-service management of Role Bindings

**Profile Applicability:** L2

**Type:** Behavioral

**Category:** Self-Service Operations

**Description:** Tenants should be able to perform self-service operations by creating own rolebindings in their namespaces.

**Rationale:** Enables self-service management of roles.

**Audit:**

As cluster admin, create a tenant

```yaml
kubectl create -f - <<EOF
apiVersion: capsule.clastix.io/v1beta1
kind: Tenant
metadata:
name: oil
spec:
owners:
- kind: User
name: alice
EOF

./create-user.sh alice oil

```

As tenant owner, run the following command to create a namespace in the given tenant

```bash
kubectl --kubeconfig alice create ns oil-production
kubectl --kubeconfig alice config set-context --current --namespace oil-production
```

As tenant owner check for permissions to manage rolebindings for each verb

```bash
kubectl --kubeconfig alice auth can-i get rolebindings
kubectl --kubeconfig alice auth can-i create rolebindings
kubectl --kubeconfig alice auth can-i update rolebindings
kubectl --kubeconfig alice auth can-i patch rolebindings
kubectl --kubeconfig alice auth can-i delete rolebindings
kubectl --kubeconfig alice auth can-i deletecollection rolebindings
```

Each command must return 'yes'

**Cleanup:**
As cluster admin, delete all the created resources

```bash
kubectl --kubeconfig cluster-admin delete tenant oil
```
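Review bot: the Rationale reads "Enables self-service management of roles." but this file covers role bindings; change it to "Enables self-service management of role bindings." The first fence is tagged `yaml` but is a shell heredoc plus `./create-user.sh` (tag it `bash`), and "creating own rolebindings" should read "creating their own rolebindings". Since create/update on rolebindings is the usual route to privilege escalation inside a namespace, it would help to state which roles a tenant owner is expected to be able to bind, or to cross-reference block-access-to-multitenant-resources.md, which checks that the Capsule-managed `namespace:admin` binding cannot be edited or deleted.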
58 changes: 58 additions & 0 deletions docs/operator/mtb/allow-self-service-management-of-roles.md
@@ -0,0 +1,58 @@
# Allow self-service management of Roles

**Profile Applicability:** L2

**Type:** Behavioral

**Category:** Self-Service Operations

**Description:** Tenants should be able to perform self-service operations by creating own roles in their namespaces.

**Rationale:** Enables self-service management of roles.

**Audit:**

As cluster admin, create a tenant

```yaml
kubectl create -f - <<EOF
apiVersion: capsule.clastix.io/v1beta1
kind: Tenant
metadata:
name: oil
spec:
owners:
- kind: User
name: alice
EOF

./create-user.sh alice oil

```

As tenant owner, run the following command to create a namespace in the given tenant

```bash
kubectl --kubeconfig alice create ns oil-production
kubectl --kubeconfig alice config set-context --current --namespace oil-production
```

As tenant owner check for permissions to manage roles for each verb

```bash
kubectl --kubeconfig alice auth can-i get roles
kubectl --kubeconfig alice auth can-i create roles
kubectl --kubeconfig alice auth can-i update roles
kubectl --kubeconfig alice auth can-i patch roles
kubectl --kubeconfig alice auth can-i delete roles
kubectl --kubeconfig alice auth can-i deletecollection roles
```

Each command must return 'yes'

**Cleanup:**
As cluster admin, delete all the created resources

```bash
kubectl --kubeconfig cluster-admin delete tenant oil
```
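Review bot: same two nits as the sibling files: the first fence is tagged `yaml` but contains a shell heredoc plus `./create-user.sh` (tag it `bash`), and "creating own roles" should read "creating their own roles". The Audit checks only `auth can-i`; creating a Role as `alice` and reading it back would show the behaviour end to end, and the `kubectl get` listing step that the network-policies file includes is missing here.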
2 changes: 1 addition & 1 deletion docs/operator/mtb/block-access-to-multitenant-resources.md
@@ -116,7 +116,7 @@ As tenant owner, try to change/delete the rolebindings in order to escalate per
kubectl --kubeconfig alice edit/delete rolebinding namespace:admin
```

You should receive an error message:
You must receive an error message:

```
error: rolebindings.rbac.authorization.k8s.io "namespace:admin" could not be patched:
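Review bot: the context line `kubectl --kubeconfig alice edit/delete rolebinding namespace:admin` is not a runnable command; since the expected error shown is the one from a patch, split it into `kubectl --kubeconfig alice edit rolebinding namespace:admin` and `kubectl --kubeconfig alice delete rolebinding namespace:admin`, each followed by its own expected error. The "should" to "must" change itself is consistent with the other files in this commit.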
4 changes: 2 additions & 2 deletions docs/operator/mtb/block-access-to-other-tenant-resources.md
@@ -69,7 +69,7 @@ As `oil` tenant owner, try to retrieve the resources in the `gas` tenant namespa
kubectl --kubeconfig alice get serviceaccounts --namespace gas-production
```

You should receive an eror message:
You must receive an eror message:

```
Error from server (Forbidden): serviceaccounts is forbidden:
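Review bot: the new line keeps the typo "eror" from the old one ("You must receive an eror message:"); fix it to "error" while touching the line.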
@@ -82,7 +82,7 @@ As `gas` tenant owner, try to retrieve the resources in the `oil` tenant namespa
kubectl --kubeconfig joe get serviceaccounts --namespace oil-production
```

You should receive an eror message:
You must receive an eror message:

```
Error from server (Forbidden): serviceaccounts is forbidden:
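Review bot: same "eror" typo in this hunk; the line should read "You must receive an error message:".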
2 changes: 1 addition & 1 deletion docs/operator/mtb/block-add-capabilities.md
@@ -109,7 +109,7 @@ spec:
EOF
```

You should have the pod blocked by PodSecurityPolicy.
You must have the pod blocked by PodSecurityPolicy.
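Review bot: `PodSecurityPolicy` is unformatted here but wrapped in backticks in block-privilege-escalation.md and block-privileged-containers.md in this same commit; use backticks here too for consistency.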

**Cleanup:**
As cluster admin, delete all the created resources
107 changes: 107 additions & 0 deletions docs/operator/mtb/block-network-access-across-tenant-namespaces.md
@@ -0,0 +1,107 @@
# Block access to multitenant resources

**Profile Applicability:** L1

**Type:** Behavioral

**Category:** Tenant Isolation

**Description:** Block network traffic among namespaces from different tenants.

**Rationale:** Tenants cannot access services and pods in another tenant's namespaces.

**Audit:**

As cluster admin, create a couple of tenants

```yaml
kubectl create -f - <<EOF
apiVersion: capsule.clastix.io/v1beta1
kind: Tenant
metadata:
name: oil
spec:
owners:
- kind: User
name: alice
networkPolicies:
items:
- ingress:
- from:
- namespaceSelector:
matchLabels:
capsule.clastix.io/tenant: oil
podSelector: {}
policyTypes:
- Ingress
EOF

./create-user.sh alice oil
```

and

```yaml
kubectl create -f - <<EOF
apiVersion: capsule.clastix.io/v1beta1
kind: Tenant
metadata:
name: gas
spec:
owners:
- kind: User
name: joe
networkPolicies:
items:
- ingress:
- from:
- namespaceSelector:
matchLabels:
capsule.clastix.io/tenant: gas
podSelector: {}
policyTypes:
- Ingress
EOF

./create-user.sh joe gas
```

As `oil` tenant owner, run the following commands to create a namespace and resources in the given tenant

```bash
kubectl --kubeconfig alice create ns oil-production
kubectl --kubeconfig alice config set-context --current --namespace oil-production
kubectl --kubeconfig alice run webserver --image nginx:latest
kubectl --kubeconfig alice expose pod webserver --port 80
```

As `gas` tenant owner, run the following commands to create a namespace and resources in the given tenant

```bash
kubectl --kubeconfig joe create ns gas-production
kubectl --kubeconfig joe config set-context --current --namespace gas-production
kubectl --kubeconfig joe run webserver --image nginx:latest
kubectl --kubeconfig joe expose pod webserver --port 80
```

As `oil` tenant owner, verify you can access the service in `oil` tenant namespace but not in the `gas` tenant namespace

```bash
kubectl --kubeconfig alice exec webserver -- curl http://webserver.oil-production.svc.cluster.local
kubectl --kubeconfig alice exec webserver -- curl http://webserver.gas-production.svc.cluster.local
```

Viceversa, as `gas` tenant owner, verify you can access the service in `gas` tenant namespace but not in the `oil` tenant namespace

```bash
kubectl --kubeconfig alice exec webserver -- curl http://webserver.oil-production.svc.cluster.local
kubectl --kubeconfig alice exec webserver -- curl http://webserver.gas-production.svc.cluster.local
```


**Cleanup:**
As cluster admin, delete all the created resources

```bash
kubectl --kubeconfig cluster-admin delete tenants oil gas
```
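Review bot: the "Viceversa" block for the `gas` tenant owner runs both `curl` commands with `--kubeconfig alice`; it must use `--kubeconfig joe`, otherwise the block is a copy of the one above and the `gas`-to-`oil` direction is never exercised. The title `# Block access to multitenant resources` is copied from another test and should match the file name, e.g. `# Block network access across tenant namespaces`. The Audit also never states the expected result: say that the same-tenant `curl` returns the nginx welcome page and the cross-tenant one fails, and add a timeout (`curl -m 5 ...`) so a blocked connection fails quickly instead of hanging until the TCP timeout. Minor: "Viceversa" should be "Vice versa", and the Description would read better as "Block network traffic between namespaces of different tenants."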
2 changes: 1 addition & 1 deletion docs/operator/mtb/block-privilege-escalation.md
@@ -103,7 +103,7 @@ spec:
EOF
```

You should have the pod blocked by `PodSecurityPolicy`.
You must have the pod blocked by `PodSecurityPolicy`.

**Cleanup:**
As cluster admin, delete all the created resources
2 changes: 1 addition & 1 deletion docs/operator/mtb/block-privileged-containers.md
@@ -104,7 +104,7 @@ spec:
EOF
```

You should have the pod blocked by `PodSecurityPolicy`.
You must have the pod blocked by `PodSecurityPolicy`.

**Cleanup:**
As cluster admin, delete all the created resources
0 comments on commit b7b1018