Commit
Showing 20 changed files with 880 additions and 20 deletions.
docs/operator/mtb/allow-self-service-management-of-network-policies.md: 77 additions & 0 deletions
@@ -0,0 +1,77 @@ | ||
# Allow self-service management of Network Policies | ||
|
||
**Profile Applicability:** L2 | ||
|
||
**Type:** Behavioral | ||
|
||
**Category:** Self-Service Operations | ||
|
||
**Description:** Tenants should be able to perform self-service operations by creating own network policies in their namespaces. | ||
|
||
**Rationale:** Enables self-service management of network-policies. | ||
|
||
**Audit:** | ||
|
||
As cluster admin, create a tenant | ||
|
||
```yaml | ||
kubectl create -f - <<EOF | ||
apiVersion: capsule.clastix.io/v1beta1 | ||
kind: Tenant | ||
metadata: | ||
name: oil | ||
spec: | ||
owners: | ||
- kind: User | ||
name: alice | ||
networkPolicies: | ||
items: | ||
ingress: | ||
- from: | ||
- namespaceSelector: | ||
matchLabels: | ||
capsule.clastix.io/tenant: oil | ||
podSelector: {} | ||
policyTypes: | ||
- Egress | ||
- Ingress | ||
EOF | ||
|
||
./create-user.sh alice oil | ||
|
||
``` | ||
|
||
As tenant owner, run the following command to create a namespace in the given tenant | ||
|
||
```bash | ||
kubectl --kubeconfig alice create ns oil-production | ||
kubectl --kubeconfig alice config set-context --current --namespace oil-production | ||
``` | ||
|
||
As tenant owner, retrieve the networkpolicies resources in the tenant namespace | ||
|
||
```bash | ||
kubectl --kubeconfig alice get networkpolicies | ||
NAME POD-SELECTOR AGE | ||
capsule-oil-0 <none> 7m5s | ||
``` | ||
|
||
As tenant owner check for permissions to manage networkpolicy for each verb | ||
|
||
```bash | ||
kubectl --kubeconfig alice auth can-i get networkpolicies | ||
kubectl --kubeconfig alice auth can-i create networkpolicies | ||
kubectl --kubeconfig alice auth can-i update networkpolicies | ||
kubectl --kubeconfig alice auth can-i patch networkpolicies | ||
kubectl --kubeconfig alice auth can-i delete networkpolicies | ||
kubectl --kubeconfig alice auth can-i deletecollection networkpolicies | ||
``` | ||
|
||
Each command must return 'yes' | ||
|
||
**Cleanup:** | ||
As cluster admin, delete all the created resources | ||
|
||
```bash | ||
kubectl --kubeconfig cluster-admin delete tenant oil | ||
``` |
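Review bot: the `networkPolicies` block in the Tenant spec writes `items:` followed by `ingress:` as a mapping, whereas the same spec in block-network-access-across-tenant-namespaces.md (same commit) writes it as a list (`items:` / `- ingress:`); unless the CRD accepts both shapes, this Tenant will fail validation, so add the list dash. Separately, `policyTypes` lists `Egress` while no `egress` rules are given, which makes the generated policy deny all egress from the tenant namespaces (DNS included); either drop `Egress` or say explicitly that full egress denial is intended for this test. Minor: the fence opened at `kubectl create -f - <<EOF` is tagged `yaml` but wraps a shell heredoc plus `./create-user.sh alice oil`, so tag it `bash` and close it directly after the script call, and "creating own network policies" reads better as "creating their own network policies".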
docs/operator/mtb/allow-self-service-management-of-rolebindings.md: 58 additions & 0 deletions
@@ -0,0 +1,58 @@ | ||
# Allow self-service management of Role Bindings | ||
|
||
**Profile Applicability:** L2 | ||
|
||
**Type:** Behavioral | ||
|
||
**Category:** Self-Service Operations | ||
|
||
**Description:** Tenants should be able to perform self-service operations by creating own rolebindings in their namespaces. | ||
|
||
**Rationale:** Enables self-service management of roles. | ||
|
||
**Audit:** | ||
|
||
As cluster admin, create a tenant | ||
|
||
```yaml | ||
kubectl create -f - <<EOF | ||
apiVersion: capsule.clastix.io/v1beta1 | ||
kind: Tenant | ||
metadata: | ||
name: oil | ||
spec: | ||
owners: | ||
- kind: User | ||
name: alice | ||
EOF | ||
|
||
./create-user.sh alice oil | ||
|
||
``` | ||
|
||
As tenant owner, run the following command to create a namespace in the given tenant | ||
|
||
```bash | ||
kubectl --kubeconfig alice create ns oil-production | ||
kubectl --kubeconfig alice config set-context --current --namespace oil-production | ||
``` | ||
|
||
As tenant owner check for permissions to manage rolebindings for each verb | ||
|
||
```bash | ||
kubectl --kubeconfig alice auth can-i get rolebindings | ||
kubectl --kubeconfig alice auth can-i create rolebindings | ||
kubectl --kubeconfig alice auth can-i update rolebindings | ||
kubectl --kubeconfig alice auth can-i patch rolebindings | ||
kubectl --kubeconfig alice auth can-i delete rolebindings | ||
kubectl --kubeconfig alice auth can-i deletecollection rolebindings | ||
``` | ||
|
||
Each command must return 'yes' | ||
|
||
**Cleanup:** | ||
As cluster admin, delete all the created resources | ||
|
||
```bash | ||
kubectl --kubeconfig cluster-admin delete tenant oil | ||
``` |
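Review bot: the **Rationale** line says "self-service management of roles" but this document is about role bindings; change it to "role bindings". More importantly, the audit only proves the permissive side (every `auth can-i ... rolebindings` must return yes) and never the restrictive side that a multi-tenancy benchmark cares about: add a negative check that the tenant owner cannot create a RoleBinding referencing a ClusterRole whose permissions exceed their own (Kubernetes RBAC escalation prevention only blocks this when the owner lacks both the referenced permissions and the `bind` verb), and state the expected failure. Minor: the fence at `kubectl create -f - <<EOF` is tagged `yaml` but contains shell, and "creating own rolebindings" should read "creating their own role bindings".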
docs/operator/mtb/allow-self-service-management-of-roles.md: 58 additions & 0 deletions
@@ -0,0 +1,58 @@ | ||
# Allow self-service management of Roles | ||
|
||
**Profile Applicability:** L2 | ||
|
||
**Type:** Behavioral | ||
|
||
**Category:** Self-Service Operations | ||
|
||
**Description:** Tenants should be able to perform self-service operations by creating own roles in their namespaces. | ||
|
||
**Rationale:** Enables self-service management of roles. | ||
|
||
**Audit:** | ||
|
||
As cluster admin, create a tenant | ||
|
||
```yaml | ||
kubectl create -f - <<EOF | ||
apiVersion: capsule.clastix.io/v1beta1 | ||
kind: Tenant | ||
metadata: | ||
name: oil | ||
spec: | ||
owners: | ||
- kind: User | ||
name: alice | ||
EOF | ||
|
||
./create-user.sh alice oil | ||
|
||
``` | ||
|
||
As tenant owner, run the following command to create a namespace in the given tenant | ||
|
||
```bash | ||
kubectl --kubeconfig alice create ns oil-production | ||
kubectl --kubeconfig alice config set-context --current --namespace oil-production | ||
``` | ||
|
||
As tenant owner check for permissions to manage roles for each verb | ||
|
||
```bash | ||
kubectl --kubeconfig alice auth can-i get roles | ||
kubectl --kubeconfig alice auth can-i create roles | ||
kubectl --kubeconfig alice auth can-i update roles | ||
kubectl --kubeconfig alice auth can-i patch roles | ||
kubectl --kubeconfig alice auth can-i delete roles | ||
kubectl --kubeconfig alice auth can-i deletecollection roles | ||
``` | ||
|
||
Each command must return 'yes' | ||
|
||
**Cleanup:** | ||
As cluster admin, delete all the created resources | ||
|
||
```bash | ||
kubectl --kubeconfig cluster-admin delete tenant oil | ||
``` |
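Review bot: the fence opened at `kubectl create -f - <<EOF` is tagged `yaml` but holds a shell heredoc plus `./create-user.sh alice oil`, and it is left open across two blank lines before the closing fence; tag it `bash` and close it directly after the script call. Since Roles are the object under test here, the audit should also include a negative check that the owner cannot create a Role granting verbs or resources they do not themselves hold (Kubernetes requires the `escalate` verb on roles for that), so the benchmark proves isolation and not only self-service. "creating own roles" should read "creating their own roles".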
docs/operator/mtb/block-network-access-across-tenant-namespaces.md: 107 additions & 0 deletions
@@ -0,0 +1,107 @@ | ||
# Block access to multitenant resources | ||
|
||
**Profile Applicability:** L1 | ||
|
||
**Type:** Behavioral | ||
|
||
**Category:** Tenant Isolation | ||
|
||
**Description:** Block network traffic among namespaces from different tenants. | ||
|
||
**Rationale:** Tenants cannot access services and pods in another tenant's namespaces. | ||
|
||
**Audit:** | ||
|
||
As cluster admin, create a couple of tenants | ||
|
||
```yaml | ||
kubectl create -f - <<EOF | ||
apiVersion: capsule.clastix.io/v1beta1 | ||
kind: Tenant | ||
metadata: | ||
name: oil | ||
spec: | ||
owners: | ||
- kind: User | ||
name: alice | ||
networkPolicies: | ||
items: | ||
- ingress: | ||
- from: | ||
- namespaceSelector: | ||
matchLabels: | ||
capsule.clastix.io/tenant: oil | ||
podSelector: {} | ||
policyTypes: | ||
- Ingress | ||
EOF | ||
|
||
./create-user.sh alice oil | ||
``` | ||
|
||
and | ||
|
||
```yaml | ||
kubectl create -f - <<EOF | ||
apiVersion: capsule.clastix.io/v1beta1 | ||
kind: Tenant | ||
metadata: | ||
name: gas | ||
spec: | ||
owners: | ||
- kind: User | ||
name: joe | ||
networkPolicies: | ||
items: | ||
- ingress: | ||
- from: | ||
- namespaceSelector: | ||
matchLabels: | ||
capsule.clastix.io/tenant: gas | ||
podSelector: {} | ||
policyTypes: | ||
- Ingress | ||
EOF | ||
|
||
./create-user.sh joe gas | ||
``` | ||
|
||
As `oil` tenant owner, run the following commands to create a namespace and resources in the given tenant | ||
|
||
```bash | ||
kubectl --kubeconfig alice create ns oil-production | ||
kubectl --kubeconfig alice config set-context --current --namespace oil-production | ||
kubectl --kubeconfig alice run webserver --image nginx:latest | ||
kubectl --kubeconfig alice expose pod webserver --port 80 | ||
``` | ||
|
||
As `gas` tenant owner, run the following commands to create a namespace and resources in the given tenant | ||
|
||
```bash | ||
kubectl --kubeconfig joe create ns gas-production | ||
kubectl --kubeconfig joe config set-context --current --namespace gas-production | ||
kubectl --kubeconfig joe run webserver --image nginx:latest | ||
kubectl --kubeconfig joe expose pod webserver --port 80 | ||
``` | ||
|
||
As `oil` tenant owner, verify you can access the service in `oil` tenant namespace but not in the `gas` tenant namespace | ||
|
||
```bash | ||
kubectl --kubeconfig alice exec webserver -- curl http://webserver.oil-production.svc.cluster.local | ||
kubectl --kubeconfig alice exec webserver -- curl http://webserver.gas-production.svc.cluster.local | ||
``` | ||
|
||
Viceversa, as `gas` tenant owner, verify you can access the service in `gas` tenant namespace but not in the `oil` tenant namespace | ||
|
||
```bash | ||
kubectl --kubeconfig alice exec webserver -- curl http://webserver.oil-production.svc.cluster.local | ||
kubectl --kubeconfig alice exec webserver -- curl http://webserver.gas-production.svc.cluster.local | ||
``` | ||
|
||
|
||
**Cleanup:** | ||
As cluster admin, delete all the created resources | ||
|
||
```bash | ||
kubectl --kubeconfig cluster-admin delete tenants oil gas | ||
``` |
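Review bot: the second verification block (under "Viceversa, as `gas` tenant owner") reuses `--kubeconfig alice` in both `kubectl exec webserver -- curl` commands; it must use `--kubeconfig joe`, otherwise it repeats the oil-side check and the gas-side isolation is never exercised. The expected outcome should also be stated for each command: the in-tenant curl returns the nginx page, the cross-tenant curl must fail, and because the policy drops ingress the failing curl hangs until TCP timeout, so add `--max-time 5` (or similar) to make the failure visible in a benchmark run. The H1 "Block access to multitenant resources" matches neither the filename nor the **Description**; rename it to "Block network access across tenant namespaces", and "Viceversa" should be "Vice versa".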