Updates to repo and rule documentation (#26)

Author: BernieWhite

.markdownlint.json

@@ -0,0 +1,67 @@
+{
+    "default": true,
+    "header-increment": true,
+    "first-header-h1": {
+        "level": 1
+    },
+    "header-style": {
+        "style": "atx"
+    },
+    "ul-style": {
+        "style": "dash"
+    },
+    "list-indent": true,
+    "ul-start-left": true,
+    "ul-indent": {
+        "indent": 2
+    },
+    "no-trailing-spaces": true,
+    "no-hard-tabs": true,
+    "no-reversed-links": true,
+    "no-multiple-blanks": true,
+    "line-length": {
+        "line_length": 100,
+        "code_blocks": false,
+        "tables": false,
+        "headers": true
+    },
+    "commands-show-output": true,
+    "no-missing-space-atx": true,
+    "no-multiple-space-atx": true,
+    "no-missing-space-closed-atx": true,
+    "no-multiple-space-closed-atx": true,
+    "blanks-around-headers": true,
+    "header-start-left": true,
+    "no-duplicate-header": true,
+    "single-h1": true,
+    "no-trailing-punctuation": {
+        "punctuation": ".,;:!"
+    },
+    "no-multiple-space-blockquote": true,
+    "no-blanks-blockquote": true,
+    "ol-prefix": {
+        "style": "one_or_ordered"
+    },
+    "list-marker-space": true,
+    "blanks-around-fences": true,
+    "blanks-around-lists": true,
+    "no-bare-urls": true,
+    "hr-style": {
+        "style": "---"
+    },
+    "no-emphasis-as-header": true,
+    "no-space-in-emphasis": true,
+    "no-space-in-code": true,
+    "no-space-in-links": true,
+    "fenced-code-language": false,
+    "first-line-h1": false,
+    "no-empty-links": true,
+    "proper-names": {
+        "names": [
+            "PowerShell",
+            "JavaScript"
+        ],
+        "code_blocks": false
+    },
+    "no-alt-text": true
+}

.vscode/settings.json

@@ -18,7 +18,8 @@
         "**/.azure-pipelines/*.yaml": "azure-pipelines"
     },
     "cSpell.words": [
-        "Kubernetes"
+        "Kubernetes",
+        "setuid"
     ],
     "cSpell.enabledLanguageIds": [
         "csharp",

README.md

@@ -10,11 +10,11 @@ This project is to be considered a **proof-of-concept** and **not a supported pr
 
 For issues with rules and documentation please check our GitHub [issues](https://github.com/BernieWhite/PSRule.Rules.Kubernetes/issues) page. If you do not see your problem captured, please file a new issue and follow the provided template.
 
-If you have any problems with the [PSRule][project] engine, please check the project GitHub [issues](https://github.com/BernieWhite/PSRule/issues) page instead.
+If you have any problems with the [PSRule][project] engine, please check the project GitHub [issues](https://github.com/Microsoft/PSRule/issues) page instead.
 
 ## Getting the modules
 
-This project requires the PowerShell module PSRule.
+This project requires the `PSRule` PowerShell module.
 
 You can download and install these modules from the PowerShell Gallery.
 
@@ -24,25 +24,123 @@ PSRule.Rules.Kubernetes | Validate Kubernetes resources | [latest][module] / [in
 
 ## Getting started
 
+PSRule for Kubernetes provides two methods for analyzing Kubernetes resources:
+
+- _Pre-flight_ - Before resources are deployed from a YAML manifest file.
+- _In-flight_ - After resources are deployed to a Kubernetes cluster.
+
 ### Offline with a manifest
 
-Kubernetes resources can be evaluated within a YAML manifest file.
+Kubernetes resources can be validated within a YAML manifest file.
+To validate Kubernetes resources use the `Invoke-PSRule` cmdlet. PSRule natively supports reading objects from YAML files using the `-InputPath` parameter.
+The `-InputPath` parameter can be abbreviated to `-f`.
+
+For example:
+
+```powershell
+Invoke-PSRule -f service.yaml -Module PSRule.Rules.Kubernetes;
+```
+
+The input path can be also be a URL to a YAML file. For example:
 
 ```powershell
-Invoke-PSRule -Module PSRule.Rules.Kubernetes -InputPath .\service.yaml;
+$sourceUrl = 'https://raw.githubusercontent.com/Azure-Samples/azure-voting-app-redis/master/azure-vote-all-in-one-redis.yaml';
+Invoke-PSRule -f $sourceUrl -Module PSRule.Rules.Kubernetes;
+```
+
+The output of this example is:
+
+```text
+   TargetName: azure-vote-back
+
+RuleName                            Outcome    Recommendation
+--------                            -------    --------------
+Kubernetes.API.Removal              Fail       Consider updating resource deployments to use newer API endpoints prior…
+Kubernetes.Metadata                 Fail       Consider applying recommended labels defined by Kubernetes.…
+Kubernetes.Pod.PrivilegeEscalation  Fail       Containers should deny privilege escalation.
+Kubernetes.Pod.Latest               Fail       Deployments or pods should identify a specific tag to use for container…
+Kubernetes.Pod.Resources            Fail       Resource requirements are set for each container.
+Kubernetes.Pod.Secrets              Pass       Use Kubernetes secrets to store information such as passwords or connec…
+Kubernetes.Pod.Health               Fail       Containers should use liveness and readiness probes.
+Kubernetes.Pod.Replicas             Fail       Consider increasing replicas to two or more to provide high availabilit…
+Kubernetes.AKS.PublicLB             Pass       Consider creating services with an internal load balancer instead of a …
+Kubernetes.Metadata                 Fail       Consider applying recommended labels defined by Kubernetes.…
+
+   TargetName: azure-vote-front
+
+RuleName                            Outcome    Recommendation
+--------                            -------    --------------
+Kubernetes.API.Removal              Fail       Consider updating resource deployments to use newer API endpoints prior…
+Kubernetes.Metadata                 Fail       Consider applying recommended labels defined by Kubernetes.…
+Kubernetes.Pod.PrivilegeEscalation  Fail       Containers should deny privilege escalation.
+Kubernetes.Pod.Latest               Pass       Deployments or pods should identify a specific tag to use for container…
+Kubernetes.Pod.Resources            Fail       Resource requirements are set for each container.
+Kubernetes.Pod.Secrets              Pass       Use Kubernetes secrets to store information such as passwords or connec…
+Kubernetes.Pod.Health               Fail       Containers should use liveness and readiness probes.
+Kubernetes.Pod.Replicas             Fail       Consider increasing replicas to two or more to provide high availabilit…
+Kubernetes.AKS.PublicLB             Fail       Consider creating services with an internal load balancer instead of a …
+Kubernetes.Metadata                 Fail       Consider applying recommended labels defined by Kubernetes.…
 ```
 
 ### Online with kubectl
 
+Kubernetes resources can be validated directly from a cluster using the output from `kubectl`.
+To validate resources using `kubectl`, return the output as YAML with the `-o yaml` parameter.
+
+For example:
+
+```powershell
+kubectl get services -o yaml | Out-String | Invoke-PSRule -Format Yaml -ObjectPath items -Module PSRule.Rules.Kubernetes;
+```
+
+In the example above:
+
+- `Out-String` - is used to concatenate the output into a single string object.
+- `-Format Yaml` - indicates that the input is YAML.
+- `-ObjectPath items` - indicates that the input nests objects to evaluate under the `items` property.
+
+### Additional options
+
+To filter results to only failed rules, use `Invoke-PSRule -Outcome Fail`.
+Passed, failed and error results are shown by default.
+
+For example:
+
 ```powershell
-Invoke-PSRule -Module PSRule.Rules.Kubernetes -InputObject (kubectl get services -o yaml | Out-String) -Format Yaml -ObjectPath items;
+# Only show failed results
+Invoke-PSRule -f $sourceUrl -Module 'PSRule.Rules.Kubernetes' -Outcome Fail;
+```
+
+A summary of results can be displayed by using `Invoke-PSRule -As Summary`.
+
+For example:
+
+```powershell
+# Display as summary results
+Invoke-PSRule -f $sourceUrl -Module 'PSRule.Rules.Kubernetes' -As Summary;
+```
+
+The output of this example is:
+
+```text
+RuleName                            Pass  Fail  Outcome
+--------                            ----  ----  -------
+Kubernetes.AKS.PublicLB             1     1     Fail
+Kubernetes.API.Removal              0     2     Fail
+Kubernetes.Metadata                 0     4     Fail
+Kubernetes.Pod.PrivilegeEscalation  0     2     Fail
+Kubernetes.Pod.Latest               1     1     Fail
+Kubernetes.Pod.Resources            0     2     Fail
+Kubernetes.Pod.Secrets              2     0     Pass
+Kubernetes.Pod.Health               0     2     Fail
+Kubernetes.Pod.Replicas             0     2     Fail
 ```
 
 ## Rule reference
 
-The following rules are included in the `PSRule.Rules.Kubernetes` module:
+For a list of rules included in the `PSRule.Rules.Kubernetes` module see:
 
-- [PSRule.Rules.Kubernetes](docs/rules/en-US/module.md)
+- [Module rule reference](docs/rules/en-US/module.md)
 
 ## Changes and versioning
 
@@ -61,4 +159,4 @@ This project is [licensed under the MIT License](LICENSE).
 [install]: docs/scenarios/install-instructions.md
 [ci-badge]: https://dev.azure.com/bewhite/PSRule.Rules.Kubernetes/_apis/build/status/PSRule.Rules.Kubernetes-CI?branchName=master
 [module]: https://www.powershellgallery.com/packages/PSRule.Rules.Kubernetes
-[project]: https://github.com/BernieWhite/PSRule
+[project]: https://github.com/Microsoft/PSRule

RuleToc.Doc.ps1

@@ -1,21 +1,31 @@
 
 Document 'module' {
-    Title 'Module rules'
+    Title 'Module rule reference'
 
     Import-Module .\out\modules\PSRule.Rules.Kubernetes
-    $rules = Get-PSRule -Module PSRule.Rules.Kubernetes -WarningAction SilentlyContinue
+    $rules = Get-PSRule -Module PSRule.Rules.Kubernetes -WarningAction SilentlyContinue |
+        Add-Member -MemberType ScriptProperty -Name Category -Value { $this.Info.Annotations.category } -PassThru |
+        Sort-Object -Property Category;
 
     Section 'Baselines' {
-        # 'The following baselines are included in `PSRule.Rules.Kubernetes`.'
+        # 'The following baselines are included within `PSRule.Rules.Kubernetes`.'
     }
 
     Section 'Rules' {
-        'The following rules are included in `PSRule.Rules.Kubernetes`.'
+        'The following rules are included within `PSRule.Rules.Kubernetes`.'
 
-        $rules | Table -Property @{ Name = 'RuleName'; Expression = {
-            "[$($_.RuleName)]($($_.RuleName).md)"
-        }}, Description, @{ Name = 'Category'; Expression = {
-            $_.Tag.category
-        }}
+        $categories = $rules | Group-Object -Property Category;
+
+        foreach ($category in $categories) {
+            Section "$($category.Name)" {
+                $category.Group |
+                    Sort-Object -Property RuleName |
+                    Table -Property @{ Name = 'Name'; Expression = {
+                        "[$($_.RuleName)]($($_.RuleName).md)"
+                    }}, Synopsis, @{ Name = 'Severity'; Expression = {
+                        $_.Info.Annotations.severity
+                    }}
+            }
+        }
     }
 }

docs/rules/en-US/Kubernetes.AKS.PublicLB.md

@@ -1,6 +1,6 @@
 ---
 severity: Critical
-category: Service exposure
+category: Security
 online version: https://github.com/BernieWhite/PSRule.Rules.Kubernetes/blob/master/docs/rules/en-US/Kubernetes.AKS.PublicLB.md
 ---
 
@@ -21,3 +21,7 @@ When this annotation is used on a load balanced service, the Azure load balancer
 ## RECOMMENDATION
 
 Consider creating services with an internal load balancer instead of a public load balancer.
+
+## LINKS
+
+- [Use an internal load balancer with Azure Kubernetes Service (AKS)](https://docs.microsoft.com/en-us/azure/aks/internal-lb#create-an-internal-load-balancer)

docs/rules/en-US/Kubernetes.API.Removal.md

@@ -1,6 +1,6 @@
 ---
 severity: Important
-category: Resource APIs
+category: API
 online version: https://github.com/BernieWhite/PSRule.Rules.Kubernetes/blob/master/docs/rules/en-US/Kubernetes.API.Removal.md
 ---
 

docs/rules/en-US/Kubernetes.Metadata.md

@@ -1,6 +1,6 @@
 ---
-severity: Important
-category: Resource management
+severity: Awareness
+category: Management
 online version: https://github.com/BernieWhite/PSRule.Rules.Kubernetes/blob/master/docs/rules/en-US/Kubernetes.Metadata.md
 ---
 
@@ -19,4 +19,6 @@ These labels should be used to consistently apply standard metadata.
 
 Consider applying recommended labels defined by Kubernetes.
 
-For more information see [Recommended Labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/).
+## LINKS
+
+- [Recommended Labels](https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/)

docs/rules/en-US/Kubernetes.Pod.Health.md

@@ -1,5 +1,6 @@
 ---
 severity: Important
+category: Reliability
 online version: https://github.com/BernieWhite/PSRule.Rules.Kubernetes/blob/master/docs/rules/en-US/Kubernetes.Pod.Health.md
 ---
 
@@ -17,7 +18,7 @@ This is accomplished through liveness and readiness probes.
 
 ## RECOMMENDATION
 
-Containers should use liveness and readiness probes.
+Consider configuring liveness and readiness probes for pod containers.
 
 ## LINKS
 

docs/rules/en-US/Kubernetes.Pod.Latest.md

@@ -1,6 +1,6 @@
 ---
-severity: Critical
-category: Pod security
+severity: Important
+category: Security
 online version: https://github.com/BernieWhite/PSRule.Rules.Kubernetes/blob/master/docs/rules/en-US/Kubernetes.Pod.Latest.md
 ---
 
@@ -19,6 +19,6 @@ Containers should use specific tags instead of latest.
 Deployments or pods should identify a specific tag to use for container images instead of latest.
 When latest is used it may be hard to determine which version of the image is running.
 
-When using variable tags such as v1.0 (which may refer to v1.0.0 or v1.0.1) consider using imagePullPolicy: Always to ensure that the an out-of-date cached image is not used.
+When using variable tags such as v1.0 (which may refer to v1.0.0 or v1.0.1) consider using `imagePullPolicy: Always` to ensure that the an out-of-date cached image is not used.
 
-The latest tag automatically uses imagePullPolicy: Always instead of the default imagePullPolicy: IfNotPresent.
+The latest tag automatically uses `imagePullPolicy: Always` instead of the default `imagePullPolicy: IfNotPresent`.

docs/rules/en-US/Kubernetes.Pod.PrivilegeEscalation.md

@@ -1,6 +1,6 @@
 ---
 severity: Critical
-category: Pod security
+category: Security
 online version: https://github.com/BernieWhite/PSRule.Rules.Kubernetes/blob/master/docs/rules/en-US/Kubernetes.Pod.PriviledgeEscalation.md
 ---
 
@@ -12,8 +12,16 @@ Containers should deny privilege escalation.
 
 ## DESCRIPTION
 
-Containers should deny privilege escalation.
+In the default configuration, container processes are permitted to change the effective user ID through the _setuid_ binary.
+Changing the effective user ID could allow a malicious or vulnerable process to gain a higher level of permission then intended.
+To prevent this, explicitly set the `securityContext.allowPrivilegeEscalation` option to `false` on pod containers.
 
 ## RECOMMENDATION
 
-Containers should deny privilege escalation.
+Consider explicitly setting the `securityContext.allowPrivilegeEscalation` option to `false` on pod containers.
+
+## LINKS
+
+- [Secure container access to resources](https://docs.microsoft.com/en-us/azure/aks/operator-best-practices-cluster-security#secure-container-access-to-resources)
+- [Set the security context for a Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container)
+- [Privilege Escalation](https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation)