feat: added restrict-resource-quota-changes for multitenancy-benchmark category

multitenancy-benchmarks/restrict-resource-quota-changes/.chainsaw-test/chainsaw-enforce-assert.yaml

@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-resource-quota-changes
+spec:
+  validationFailureAction: Enforce

multitenancy-benchmarks/restrict-resource-quota-changes/.chainsaw-test/chainsaw-policy-assert.yaml

@@ -0,0 +1,6 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-resource-quota-changes
+status:
+  ready: true

multitenancy-benchmarks/restrict-resource-quota-changes/.chainsaw-test/chainsaw-test.yaml

@@ -0,0 +1,35 @@
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  creationTimestamp: null
+  name: restrict-resource-quota-changes
+spec:
+  steps:
+  - name: test-restrict-resource-quota-changes
+    try:
+    - apply:
+        file: ../restrict-resource-quota-changes.yaml
+    - assert:
+        file: chainsaw-policy-assert.yaml
+    - apply:
+        file: rq-good.yaml
+    - patch:
+        resource:
+          apiVersion: kyverno.io/v1
+          kind: ClusterPolicy
+          metadata:
+            name: restrict-resource-quota-changes
+          spec:
+            validationFailureAction: Enforce
+    - assert:
+        file: chainsaw-enforce-assert.yaml
+    - apply:
+        expect:
+        - check:
+            ($error != null): true
+        file: rq-bad.yaml
+    - delete:
+        ref:
+          apiVersion: v1
+          kind: namespace
+          name: chainsaw-test

multitenancy-benchmarks/restrict-resource-quota-changes/.chainsaw-test/rq-bad.yaml

@@ -0,0 +1,27 @@
+# create-resource-quota
+
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: create-resource-quota
+  namespace: chainsaw-test
+spec:
+  hard:
+    limits.cpu: "2"
+    limits.memory: 2Gi
+    requests.cpu: "1"
+    requests.memory: 1Gi
+
+---
+
+# Update ResourceQuota
+
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: create-resource-quota
+  namespace: chainsaw-test
+spec:
+  hard:
+    limits.cpu: "2"
+    limits.memory: 2Gi

multitenancy-benchmarks/restrict-resource-quota-changes/.chainsaw-test/rq-good.yaml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: chainsaw-test
+spec: {}

multitenancy-benchmarks/restrict-resource-quota-changes/README.md

@@ -0,0 +1,66 @@
+# Cluster Policy - Restrict Resource Quota Changes Policy
+
+## Policy Overview
+The `restrict-resource-quota-changes` policy ensures that tenants within Kubernetes namespaces cannot perform actions such as creating, updating, patching, deleting, or bulk-deleting operations on resource quotas. This restriction serves as a security measure to maintain control over resource management and prevent tenants from inadvertently exceeding their allocated resources or interfering with cluster stability.
+
+**Importance**
+
+This policy holds significance in enhancing the security and stability of Kubernetes clusters, particularly in multitenant environments. By limiting the ability to modify resource quotas, it helps maintain isolation between tenants and promotes fair resource usage, thereby mitigating the risk of resource exhaustion and ensuring consistent performance for all users.
+
+**Key Annotations:**
+- **Title:** Restrict Resource Quota Changes
+- **Category:** Multitenancy Benchmarks
+- **Severity:** High
+- **Subject:** ResourceQuota
+
+**Policy Configuration:**
+- **Validation Failure Action:** Audit (Enforce rejection on failure)
+- **Rules:**
+  - **Name:** restrict-resource-quota-changes
+  - **Match Conditions:** Applicable to resource quota modification operations within namespaces
+  - **Validation Message:** "ResourceQuota changes are restricted"
+  - **Validation Pattern:**
+    - Enforces restrictions on actions such as creation, updating, patching, deletion, or bulk-deletion operations on resource quotas within namespaces.
+
+## Finding Violations
+
+To identify violations of the `restrict-resource-quota-changes` policy, follow these steps:
+
+1. **Check Policy Status:**
+   - Use the following command to view the READY status of Kyverno policies in your cluster:
+     ```bash
+     kubectl get cpol
+     ```
+   - Look for the status of the `restrict-resource-quota-changes` policy. If READY status shows `True` or the MESSAGE shows `Ready` your policy is up and running!
+
+2. **Check Policy Report:**
+   - Use the following command to view the violations if any:
+     ```bash
+     kubectl get cpolr
+     ```
+   - Look for the status of the "require-quota-for-all-objects" policy. If it shows any violations, note the namespace(s) where the violations occurred.
+
+3. **Inspect ResourceQuotas:**
+   - Use the following command to list ResourceQuotas in the namespaces where violations were detected:
+     ```bash
+     kubectl get resourcequota -n <namespace>
+     ```
+   - Review the ResourceQuotas to identify any missing quotas for objects such as Pods, Services, Secrets, ConfigMaps, etc., listed in the policy.
+
+## Chainsaw Test
+
+To apply chainsaw test, run the following command
+   ```bash
+   chainsaw test .
+   ```
+
+## How to Fix It
+
+To address violations of the `restrict-resource-quota-changes` policy, take the following corrective actions:
+
+1. **Revoke Unauthorized Permissions:**
+   - Adjust Kubernetes RBAC (Role-Based Access Control) settings to revoke permissions that allow tenants to modify resource quotas within namespaces.
+
+2. **References:**
+   - Refer to the Kubernetes documentation on [Role-Based Access Control (RBAC)](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) for guidance on configuring permissions.
+   - Explore additional [security best practices for Kubernetes clusters](https://github.com/kubernetes-retired/multi-tenancy/tree/master/benchmarks/kubectl-mtb/test/benchmarks/block_ns_quota) to enhance overall governance and compliance.

multitenancy-benchmarks/restrict-resource-quota-changes/restrict-resource-quota-changes.yaml

@@ -0,0 +1,37 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: restrict-resource-quota-changes
+  annotations:
+    policies.kyverno.io/title: Restrict Resource Quota Changes
+    policies.kyverno.io/category: Multitenancy Benchmarks
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: ResourceQuota
+    policies.kyverno.io/description: >-
+      This policy verifies that tenants cannot create, update, patch, delete, or perform 
+      bulk-deletion operations on resource quotas within their namespaces. 
+      This could be a security measure to prevent tenants from interfering with 
+      resource management or exceeding their allocated resources.
+spec:
+  background: false
+  validationFailureAction: Enforce
+  rules:
+  - name: restrict-resource-quota-changes
+    match:
+      any:
+        - resources:
+            kinds:
+            - ResourceQuota        
+    validate:
+      message: "ResourceQuota changes are restricted"
+      deny:
+        conditions:
+          any:
+            - key: "{{request.operation || 'BACKGROUND'}}"
+              operator: AnyIn
+              value:
+              - CREATE
+              - UPDATE
+              - DELETE
+              - PATCH
+              - DELETECOLLECTION