Add new templates/checks based on Docker CIS benchmarks (#170)

docs/generated/checks.md

@@ -2,6 +2,22 @@
 
 KubeLinter includes the following built-in checks:
 
+## cluster-admin-role-binding
+
+**Enabled by default**: No
+
+**Description**: CIS Benchmark 5.1.1 Ensure that the cluster-admin role is only used where required
+
+**Remediation**: Create and assign a separate role that has access to specific resources/actions needed for the service account.
+
+**Template**: [cluster-admin-role-binding](generated/templates.md#cluster-admin-role-binding)
+
+**Parameters**:
+
+```json
+{}
+```
+
 ## dangling-service
 
 **Enabled by default**: Yes
@@ -50,6 +66,22 @@ KubeLinter includes the following built-in checks:
 {}
 ```
 
+## docker-sock
+
+**Enabled by default**: Yes
+
+**Description**: Alert on deployments with docker.sock mounted in containers. 
+
+**Remediation**: Ensure the Docker socket is not mounted inside any containers by removing the associated  Volume and VolumeMount in deployment yaml specification. If the Docker socket is mounted inside a container it could allow processes running within  the container to execute Docker commands which would effectively allow for full control of the host.
+
+**Template**: [host-mounts](generated/templates.md#host-mounts)
+
+**Parameters**:
+
+```json
+{"dirs":["docker.sock$"]}
+```
+
 ## drop-net-raw-capability
 
 **Enabled by default**: Yes
@@ -82,6 +114,70 @@ KubeLinter includes the following built-in checks:
 {"name":"(?i).*secret.*","value":".+"}
 ```
 
+## exposed-services
+
+**Enabled by default**: No
+
+**Description**: Alert on services for forbidden types
+
+**Remediation**: Ensure containers are not exposed through a forbidden service type such as NodePort or LoadBalancer.
+
+**Template**: [forbidden-service-types](generated/templates.md#forbidden-service-types)
+
+**Parameters**:
+
+```json
+{"forbiddenServiceTypes":["NodePort","LoadBalancer"]}
+```
+
+## host-ipc
+
+**Enabled by default**: Yes
+
+**Description**: Alert on pods/deployment-likes with sharing host's IPC namespace
+
+**Remediation**: Ensure the host's IPC namespace is not shared.
+
+**Template**: [host-ipc](generated/templates.md#host-ipc)
+
+**Parameters**:
+
+```json
+{}
+```
+
+## host-network
+
+**Enabled by default**: Yes
+
+**Description**: Alert on pods/deployment-likes with sharing host's network namespace
+
+**Remediation**: Ensure the host's network namespace is not shared.
+
+**Template**: [host-network](generated/templates.md#host-network)
+
+**Parameters**:
+
+```json
+{}
+```
+
+## host-pid
+
+**Enabled by default**: Yes
+
+**Description**: Alert on pods/deployment-likes with sharing host's process namespace
+
+**Remediation**: Ensure the host's process namespace is not shared.
+
+**Template**: [host-pid](generated/templates.md#host-pid)
+
+**Parameters**:
+
+```json
+{}
+```
+
 ## mismatching-selector
 
 **Enabled by default**: Yes
@@ -194,6 +290,22 @@ KubeLinter includes the following built-in checks:
 {}
 ```
 
+## privilege-escalation-container
+
+**Enabled by default**: Yes
+
+**Description**: Alert on containers of allowing privilege escalation that could gain more privileges than its parent process.
+
+**Remediation**: Ensure containers do not allow privilege escalation by setting allowPrivilegeEscalation=false." See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ for more details.
+
+**Template**: [privilege-escalation-container](generated/templates.md#privilege-escalation-on-containers)
+
+**Parameters**:
+
+```json
+{}
+```
+
 ## privileged-container
 
 **Enabled by default**: Yes
@@ -210,6 +322,22 @@ KubeLinter includes the following built-in checks:
 {}
 ```
 
+## privileged-ports
+
+**Enabled by default**: No
+
+**Description**: Alert on deployments with privileged ports mapped in containers
+
+**Remediation**: Ensure privileged ports [0, 1024] are not mapped within containers.
+
+**Template**: [privileged-ports](generated/templates.md#privileged-ports)
+
+**Parameters**:
+
+```json
+{}
+```
+
 ## required-annotation-email
 
 **Enabled by default**: No
@@ -258,6 +386,22 @@ KubeLinter includes the following built-in checks:
 {}
 ```
 
+## sensitive-host-mounts
+
+**Enabled by default**: Yes
+
+**Description**: Alert on deployments with sensitive host system directories mounted in containers
+
+**Remediation**: Ensure sensitive host system directories are not mounted in containers by removing those Volumes and VolumeMounts.
+
+**Template**: [host-mounts](generated/templates.md#host-mounts)
+
+**Parameters**:
+
+```json
+{"dirs":["^/$","^/boot$","^/dev$","^/etc$","^/lib$","^/proc$","^/sys$","^/usr$"]}
+```
+
 ## ssh-port
 
 **Enabled by default**: Yes
@@ -274,6 +418,38 @@ KubeLinter includes the following built-in checks:
 {"port":22,"protocol":"TCP"}
 ```
 
+## unsafe-proc-mount
+
+**Enabled by default**: No
+
+**Description**: Alert on deployments with unsafe /proc mount (procMount=Unmasked) that will bypass the default masking behavior of the container runtime
+
+**Remediation**: Ensure container does not unsafely exposes parts of /proc by setting procMount=Default.  Unmasked ProcMount bypasses the default masking behavior of the container runtime. See https://kubernetes.io/docs/concepts/security/pod-security-standards/ for more details.
+
+**Template**: [unsafe-proc-mount](generated/templates.md#unsafe-proc-mount)
+
+**Parameters**:
+
+```json
+{}
+```
+
+## unsafe-sysctls
+
+**Enabled by default**: Yes
+
+**Description**: Alert on deployments specifying unsafe sysctls that may lead to severe problems like wrong behavior of containers
+
+**Remediation**: Ensure container does not allow unsafe allocation of system resources by removing unsafe sysctls configurations. For more details see https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/ https://docs.docker.com/engine/reference/commandline/run/#configure-namespaced-kernel-parameters-sysctls-at-runtime.
+
+**Template**: [unsafe-sysctls](generated/templates.md#unsafe-sysctls)
+
+**Parameters**:
+
+```json
+{"unsafeSysCtls":["kernel.msg","kernel.sem","kernel.shm","fs.mqueue.","net."]}
+```
+
 ## unset-cpu-requirements
 
 **Enabled by default**: Yes