Merge pull request #1251 from phoenixking25/second-ns

[MTB] refactored code and added other ns flag

Author: k8s-ci-robot

benchmarks/kubectl-mtb/internal/kubectl-mtb/run.go

@@ -102,7 +102,7 @@ func reportSuiteDidEnd(suiteSummary *reporter.SuiteSummary, reportersArray []rep
 }
 
 func removeBenchmarksWithIDs(ids []string) {
-	temp := []*benchmark.Benchmark{}
+	var temp []*benchmark.Benchmark
 	for _, benchmark := range benchmarks {
 		found := false
 		for _, id := range ids {
@@ -143,22 +143,78 @@ func validateFlags(cmd *cobra.Command) error {
 	return nil
 }
 
-func runTests(cmd *cobra.Command, args []string) error {
-
-	benchmarkRunOptions.Label, _ = cmd.Flags().GetString("labels")
-	// Get log level
+func setupLogger(cmd *cobra.Command) {
 	debug, _ := cmd.Flags().GetBool("debug")
 	if debug {
 		benchmarkRunOptions.Logger = log.GetLogger(true)
 	} else {
 		// default mode production
 		benchmarkRunOptions.Logger = log.GetLogger(false)
 	}
+}
 
+func setupReporters(cmd *cobra.Command) ([]reporter.Reporter, error) {
 	// Get reporters from the user
 	reporterFlag, _ := cmd.Flags().GetString("out")
 	reporters := strings.Split(reporterFlag, ",")
-	reportersArray, err := reporter.GetReporters(reporters)
+	return reporter.GetReporters(reporters)
+}
+
+func executePreRun(b *benchmark.Benchmark, suiteSummary *reporter.SuiteSummary, ts *reporter.TestSummary) {
+	err := b.PreRun(benchmarkRunOptions)
+	if err != nil {
+		benchmarkRunOptions.Logger.Debug(err.Error())
+		suiteSummary.NumberOfFailedValidations++
+		ts.Validation = false
+		ts.ValidationError = err
+		b.Status = "Error"
+	}
+}
+
+func executeRun(b *benchmark.Benchmark, suiteSummary *reporter.SuiteSummary, ts *reporter.TestSummary) {
+	if ts.Validation {
+		err := b.Run(benchmarkRunOptions)
+		if err != nil {
+			benchmarkRunOptions.Logger.Debug(err.Error())
+			suiteSummary.NumberOfFailedTests++
+			ts.Test = false
+			ts.TestError = err
+			b.Status = "Fail"
+		} else {
+			suiteSummary.NumberOfPassedTests++
+			b.Status = "Pass"
+		}
+	}
+}
+
+func executePostRun(b *benchmark.Benchmark, suiteSummary *reporter.SuiteSummary, ts *reporter.TestSummary) {
+	if ts.Test {
+		if b.PostRun != nil {
+			err := b.PostRun(benchmarkRunOptions)
+			if err != nil {
+				fmt.Print(err.Error())
+			}
+		}
+	}
+}
+
+func shouldSkipTest(b *benchmark.Benchmark, suiteSummary *reporter.SuiteSummary, ts *reporter.TestSummary) bool {
+	if b.NamespaceRequired > 1 {
+		if benchmarkRunOptions.OtherNamespace != "" && benchmarkRunOptions.OtherTenant != "" {
+			return false
+		}
+		return true
+	}
+	return false
+}
+
+func runTests(cmd *cobra.Command, args []string) error {
+
+	benchmarkRunOptions.Label, _ = cmd.Flags().GetString("labels")
+	// Get log level
+	setupLogger(cmd)
+
+	reportersArray, err := setupReporters(cmd)
 	if err != nil {
 		return err
 	}
@@ -192,40 +248,17 @@ func runTests(cmd *cobra.Command, args []string) error {
 
 		startTest := time.Now()
 
-		//Run Prerun
-		err = b.PreRun(benchmarkRunOptions)
-		if err != nil {
-			benchmarkRunOptions.Logger.Debug(err.Error())
-			suiteSummary.NumberOfFailedValidations++
-			ts.Validation = false
-			ts.ValidationError = err
-			b.Status = "Error"
+		if shouldSkipTest(b, suiteSummary, ts) {
+			continue
 		}
 
-		// Check PreRun status
-		if ts.Validation {
-			err = b.Run(benchmarkRunOptions)
-			if err != nil {
-				benchmarkRunOptions.Logger.Debug(err.Error())
-				suiteSummary.NumberOfFailedTests++
-				ts.Test = false
-				ts.TestError = err
-				b.Status = "Fail"
-			} else {
-				suiteSummary.NumberOfPassedTests++
-				b.Status = "Pass"
-			}
-		}
+		// Lifecycles
+		executePreRun(b, suiteSummary, ts)
+
+		executeRun(b, suiteSummary, ts)
+
+		executePostRun(b, suiteSummary, ts)
 
-		// Check Run status
-		if ts.Test {
-			if b.PostRun != nil {
-				err = b.PostRun(benchmarkRunOptions)
-				if err != nil {
-					fmt.Print(err.Error())
-				}
-			}
-		}
 		elapsed := time.Since(startTest)
 		ts.RunTime = elapsed
 		reportTestWillRun(ts, reportersArray)
@@ -245,6 +278,8 @@ func newRunCmd() *cobra.Command {
 	runCmd.Flags().String("as", "", "(required) user name to impersonate")
 	runCmd.Flags().StringP("out", "o", "default", "(optional) output reporters (default, policyreport)")
 	runCmd.Flags().StringP("skip", "s", "", "(optional) benchmark IDs to skip")
+	runCmd.Flags().String("other-namespace", "", "(optional) other tenant namespace")
+	runCmd.Flags().String("other-tenant-admin","", "(optional) other tenant admin")
 	runCmd.Flags().StringP("labels", "l", "", "(optional) labels")
 
 	return runCmd

benchmarks/kubectl-mtb/pkg/benchmark/benchmark.go

@@ -19,6 +19,7 @@ type Benchmark struct {
 	Status        string `yaml:"status"`
 	Rationale     string `yaml:"rationale"`
 	Audit         string `yaml:"audit"`
+	NamespaceRequired int `yaml:"namespaceRequired"`
 	PreRun        func(types.RunOptions) error
 	Run           func(types.RunOptions) error
 	PostRun       func(types.RunOptions) error

benchmarks/kubectl-mtb/test/benchmarks/block_access_to_cluster_resources/README.md

@@ -33,3 +33,8 @@ kubectl --kubeconfig tenant-a auth can-i verb resource
 Each command must return 'no'
 
 
+
+**namespaceRequired:** 
+
+1
+

benchmarks/kubectl-mtb/test/benchmarks/block_access_to_cluster_resources/config.yaml

@@ -5,6 +5,7 @@ category: Control Plane Isolation
 description: Tenants should not be able to view, edit, create, or delete cluster (non-namespaced) resources such Node, ClusterRole, ClusterRoleBinding, etc.
 remediation:
 profileLevel: 1
+namespaceRequired: 1
 rationale: Access controls should be configured for tenants so that a tenant cannot list, create, modify or delete cluster resources
 audit: | 
  Run the following commands to retrieve the list of non-namespaced resources

benchmarks/kubectl-mtb/test/benchmarks/block_add_capabilities/README.md

@@ -28,3 +28,8 @@ Create a pod or container that adds new `capabilities` in its `securityContext`.
 
 Define a `PodSecurityPolicy` with `allowedCapabilities` and map the policy to each tenant namespace, or use a policy engine such as [OPA/Gatekeeper](https://github.com/open-policy-agent/gatekeeper) or [Kyverno](https://kyverno.io) to enforce new capabilities cannot be added. You can use the policies present [here](https://github.com/kubernetes-sigs/multi-tenancy/tree/master/benchmarks/kubectl-mtb/test/policies).
 
+
+**namespaceRequired:** 
+
+1
+

benchmarks/kubectl-mtb/test/benchmarks/block_add_capabilities/config.yaml

@@ -6,4 +6,5 @@ description: Linux
 remediation: Define a `PodSecurityPolicy` with `allowedCapabilities` and map the policy to each tenant namespace, or use a policy engine such as [OPA/Gatekeeper](https://github.com/open-policy-agent/gatekeeper) or [Kyverno](https://kyverno.io) to enforce new capabilities cannot be added. You can use the policies present [here](https://github.com/kubernetes-sigs/multi-tenancy/tree/master/benchmarks/kubectl-mtb/test/policies).
 rationale: Linux allows defining fine-grained permissions using capabilities. With Kubernetes, it is possible to add capabilities for pods that escalate the level of kernel access and allow other potentially dangerous behaviors.
 profileLevel: 1
+namespaceRequired: 1
 audit: Create a pod or container that adds new `capabilities` in its `securityContext`. The pod creation must fail.

benchmarks/kubectl-mtb/test/benchmarks/block_multitenant_resources/README.md

@@ -30,3 +30,8 @@ For each returned by the first command verify that the resource cannot be modifi
 
 Each command must return 403 FORBIDDEN
 
+
+**namespaceRequired:** 
+
+1
+

benchmarks/kubectl-mtb/test/benchmarks/block_multitenant_resources/config.yaml

@@ -5,6 +5,7 @@ category: Tenant Isolation
 description: Each tenant namespace may contain resources setup by the cluster administrator for multi-tenancy, such as role bindings, and network policies. Tenants should not be allowed to modify the namespaced resources created by the cluster administrator for multi-tenancy. However, for some resources such as network policies, tenants can configure additional instances of the resource for their workloads.
 remediation: 
 profileLevel: 1
+namespaceRequired: 1
 rationale: Tenants can escalate priviliges and impact other tenants if they are able to delete or modify required multi-tenancy resources such as namespace resource quotas or default network policy.
 audit: |
  The resources managed by the cluster administrator and that cannot be modified by tenant administrator can be identified by a label configured in the benchmarks configuration YAML file. If no label is provided, then this test looks for any existing network policy and role binding (resource quotas are handled by a separate test) and tries to modify and delete them. Run the following commands to retrieve the list of resources managed by the cluster administrator

benchmarks/kubectl-mtb/test/benchmarks/block_ns_quota/README.md

@@ -32,3 +32,8 @@ kubectl --kubeconfig=tenant-a -n a1 auth can-i deletecollection quota
 ```
 Each command must return 'no'"
 
+
+**namespaceRequired:** 
+
+1
+

benchmarks/kubectl-mtb/test/benchmarks/block_ns_quota/config.yaml

@@ -5,6 +5,7 @@ category: Tenant Isolation
 description: Tenants should not be able to modify the resource quotas defined in their namespaces
 remediation: 
 profileLevel: 1
+namespaceRequired: 1
 rationale: Resource quotas must be configured for isolation and fairness between tenants. Tenants should not be able to modify existing resource quotas as they may exhaust cluster resources and impact other tenants.
 audit: |
  Run the following commands to check for permissions to manage quotas in the tenant namespace: