Removal and exchange duplicate test for privileged containers (#2119)

This change removes the Kubescape implementation of test for privileged containers. The reason behind this decision is the absence of functionality to exclude containers from the test. Instead, it has been replaced with an in-house implementation of this test, which has been renamed from "privileged" to "privileged_containers". Implements: #2115 Signed-off-by: horecoli <oliver.horecny@tietoevry.com>
cnti-testcatalog · Aug 7, 2024 · 0a33918 · 0a33918
1 parent 66752b7
commit 0a33918
Show file tree

Hide file tree

Showing 8 changed files with 21 additions and 58 deletions.
diff --git a/.github/workflows/actions.yml b/.github/workflows/actions.yml
@@ -402,7 +402,7 @@ jobs:
         ./cnf-testsuite setup
         wget -O cnf-testsuite.yml https://raw.githubusercontent.com/cnti-testcatalog/testsuite/main/example-cnfs/coredns/cnf-testsuite.yml
         ./cnf-testsuite cnf_setup cnf-config=./cnf-testsuite.yml
-        LOG_LEVEL=info ./cnf-testsuite all ~compatibility ~resilience ~reasonable_startup_time ~reasonable_image_size ~platform ~privileged ~increase_capacity ~decrease_capacity ~install_script_helm ~helm_chart_valid ~helm_chart_published verbose
+        LOG_LEVEL=info ./cnf-testsuite all ~compatibility ~resilience ~reasonable_startup_time ~reasonable_image_size ~platform ~increase_capacity ~decrease_capacity ~install_script_helm ~helm_chart_valid ~helm_chart_published verbose
     - name: Delete Cluster
       if: ${{ always() }}
       run: |
@@ -477,7 +477,7 @@ jobs:
         ./cnf-testsuite setup
         wget -O cnf-testsuite.yml https://raw.githubusercontent.com/cnti-testcatalog/testsuite/main/example-cnfs/coredns/cnf-testsuite.yml
         ./cnf-testsuite cnf_setup cnf-config=./cnf-testsuite.yml
-        LOG_LEVEL=info ./cnf-testsuite all ~resilience ~compatibility ~pod_network_latency ~platform ~privileged ~increase_capacity ~decrease_capacity ~ip_addresses ~liveness ~readiness ~rolling_update ~rolling_downgrade ~rolling_version_change ~nodeport_not_used ~hostport_not_used ~hardcoded_ip_addresses_in_k8s_runtime_configuration ~install_script_helm ~helm_chart_valid ~helm_chart_published ~rollback ~secrets_used ~immutable_configmap verbose
+        LOG_LEVEL=info ./cnf-testsuite all ~resilience ~compatibility ~pod_network_latency ~platform ~increase_capacity ~decrease_capacity ~ip_addresses ~liveness ~readiness ~rolling_update ~rolling_downgrade ~rolling_version_change ~nodeport_not_used ~hostport_not_used ~hardcoded_ip_addresses_in_k8s_runtime_configuration ~install_script_helm ~helm_chart_valid ~helm_chart_published ~rollback ~secrets_used ~immutable_configmap verbose
     - name: Delete Cluster
       if: ${{ always() }}
       run: |

diff --git a/CNF_TESTSUITE_YML_USAGE.md b/CNF_TESTSUITE_YML_USAGE.md
@@ -4,7 +4,7 @@
 The cnf-testsuite.yml is used by `cnf_setup` in order to install the CNF to be tested onto an existing K8s cluster. 
 
 
-The information in the cnf-testsuite.yml is also used for additional configuration of some tests e.g. `allowlist_helm_chart_container_names` is used for exculding containers from the [privileged](https://github.com/cnti-testcatalog/testsuite/blob/main/src/tasks/workload/security.cr#L196) container test.
+The information in the cnf-testsuite.yml is also used for additional configuration of some tests e.g. `allowlist_helm_chart_container_names` is used for exculding containers from the [privileged_containers](https://github.com/cnti-testcatalog/testsuite/blob/main/src/tasks/workload/security.cr#L138) container test.
 
 
 ### Table of Contents

diff --git a/docs/TEST_DOCUMENTATION.md b/docs/TEST_DOCUMENTATION.md
@@ -922,7 +922,7 @@ Make sure your CNF doesn't mount `/var/run/docker.sock`, `/var/run/containerd.so
 
 #### Overview
 
-Checks if any containers are running in privileged mode (using [Kubescape](https://hub.armo.cloud/docs/c-0057))
+Checks if any containers are running in privileged mode.
 Expectation: Containers should not run in privileged mode
 
 #### Rationale

diff --git a/embedded_files/points.yml b/embedded_files/points.yml
@@ -53,10 +53,6 @@
 #- name: check_reaped 
 #  tags: state, dynamic, configuration
 
-- name: privileged
-  emoji: "🔓🔑"
-  tags: [security, dynamic, workload]
-  # required: true
 - name: privilege_escalation
   emoji: "🔓🔑"
   tags: [security, dynamic, workload, cert, normal]

diff --git a/spec/utils/cnf_manager_spec.cr b/spec/utils/cnf_manager_spec.cr
@@ -128,7 +128,7 @@ describe "SampleUtils" do
 
   it "'CNFManager::Points.all_task_test_names' should return all tasks names", tags: ["points"] do
     CNFManager::Points.clean_results_yml
-		tags = ["alpha_k8s_apis", "application_credentials", "cni_compatible", "container_sock_mounts", "database_persistence", "default_namespace", "disk_fill", "elastic_volumes", "external_ips", "hardcoded_ip_addresses_in_k8s_runtime_configuration", "helm_chart_published", "helm_chart_valid", "helm_deploy", "host_network", "host_pid_ipc_privileges", "hostpath_mounts", "hostport_not_used", "immutable_configmap", "immutable_file_systems", "increase_decrease_capacity", "ingress_egress_blocked", "insecure_capabilities", "ip_addresses", "latest_tag", "linux_hardening", "liveness", "log_output", "no_local_volume_configuration", "node_drain", "nodeport_not_used", "non_root_containers", "open_metrics", "operator_installed", "oran_e2_connection", "pod_delete", "pod_dns_error", "pod_io_stress", "pod_memory_hog", "pod_network_corruption", "pod_network_duplication", "pod_network_latency", "privilege_escalation", "privileged", "privileged_containers", "prometheus_traffic", "readiness", "reasonable_image_size", "reasonable_startup_time", "require_labels", "cpu_limits", "memory_limits", "rollback", "rolling_downgrade", "rolling_update", "rolling_version_change", "routed_logs", "secrets_used", "selinux_options", "service_account_mapping", "service_discovery", "shared_database", "sig_term_handled", "single_process_type", "smf_upf_heartbeat", "specialized_init_system", "suci_enabled", "symlink_file_system", "sysctls", "tracing", "versioned_tag", "zombie_handled"]
+		tags = ["alpha_k8s_apis", "application_credentials", "cni_compatible", "container_sock_mounts", "database_persistence", "default_namespace", "disk_fill", "elastic_volumes", "external_ips", "hardcoded_ip_addresses_in_k8s_runtime_configuration", "helm_chart_published", "helm_chart_valid", "helm_deploy", "host_network", "host_pid_ipc_privileges", "hostpath_mounts", "hostport_not_used", "immutable_configmap", "immutable_file_systems", "increase_decrease_capacity", "ingress_egress_blocked", "insecure_capabilities", "ip_addresses", "latest_tag", "linux_hardening", "liveness", "log_output", "no_local_volume_configuration", "node_drain", "nodeport_not_used", "non_root_containers", "open_metrics", "operator_installed", "oran_e2_connection", "pod_delete", "pod_dns_error", "pod_io_stress", "pod_memory_hog", "pod_network_corruption", "pod_network_duplication", "pod_network_latency", "privilege_escalation", "privileged_containers", "prometheus_traffic", "readiness", "reasonable_image_size", "reasonable_startup_time", "require_labels", "cpu_limits", "memory_limits", "rollback", "rolling_downgrade", "rolling_update", "rolling_version_change", "routed_logs", "secrets_used", "selinux_options", "service_account_mapping", "service_discovery", "shared_database", "sig_term_handled", "single_process_type", "smf_upf_heartbeat", "specialized_init_system", "suci_enabled", "symlink_file_system", "sysctls", "tracing", "versioned_tag", "zombie_handled"]
     (CNFManager::Points.all_task_test_names()).sort.should eq(tags.sort)
   end
 

diff --git a/spec/utils/utils_spec.cr b/spec/utils/utils_spec.cr
@@ -105,9 +105,9 @@ describe "Utils" do
       Log.debug { "violator list: #{violation_list.flatten}" }
       emoji_security=""
       if resource_response 
-        resp = upsert_passed_task("privileged", "✔️  PASSED: No privileged containers", Time.utc)
+        resp = upsert_passed_task("privileged_containers", "✔️  PASSED: No privileged containers", Time.utc)
       else
-        resp = upsert_failed_task("privileged", "✖️  FAILED: Found #{violation_list.size} privileged containers: #{violation_list.inspect}", Time.utc)
+        resp = upsert_failed_task("privileged_containers", "✖️  FAILED: Found #{violation_list.size} privileged containers: #{violation_list.inspect}", Time.utc)
       end
       Log.info { resp }
       resp
@@ -156,7 +156,7 @@ describe "Utils" do
       result = ShellCmd.run_testsuite("cnf_setup cnf-path=sample-cnfs/sample_privileged_cnf")
     task_response = CNFManager::Task.all_cnfs_task_runner(my_args) do |args, config|
       Log.info { "all_cnfs_task_runner spec args #{args.inspect}" }
-      Log.for("verbose").info { "privileged" } if check_verbose(args)
+      Log.for("verbose").info { "privileged_containers" } if check_verbose(args)
       white_list_container_names = config.cnf_config[:white_list_container_names]
       Log.for("verbose").info { "white_list_container_names #{white_list_container_names.inspect}" } if check_verbose(args)
       violation_list = [] of String
@@ -178,9 +178,9 @@ describe "Utils" do
       Log.debug { "violator list: #{violation_list.flatten}" }
       emoji_security=""
       if resource_response 
-        resp = upsert_passed_task("privileged", "✔️  PASSED: No privileged containers", Time.utc)
+        resp = upsert_passed_task("privileged_containers", "✔️  PASSED: No privileged containers", Time.utc)
       else
-        resp = upsert_failed_task("privileged", "✖️  FAILED: Found #{violation_list.size} privileged containers: #{violation_list.inspect}", Time.utc)
+        resp = upsert_failed_task("privileged_containers", "✖️  FAILED: Found #{violation_list.size} privileged containers: #{violation_list.inspect}", Time.utc)
       end
       resp
     end
@@ -194,7 +194,7 @@ describe "Utils" do
   it "'task_runner' should run a test against a single cnf if passed a cnf-config argument even if there are multiple cnfs installed", tags: ["task_runner"]  do
     result = ShellCmd.run_testsuite("cnf_setup cnf-config=sample-cnfs/sample-generic-cnf/cnf-testsuite.yml")
     result = ShellCmd.run_testsuite("cnf_setup cnf-config=sample-cnfs/sample_privileged_cnf/cnf-testsuite.yml")
-    result = ShellCmd.run_testsuite("privileged")
+    result = ShellCmd.run_testsuite("privileged_containers")
     (/(FAILED).*(Found 1 privileged containers)/ =~ result[:output]).should_not be_nil
   ensure
     result = ShellCmd.run_testsuite("cnf_cleanup cnf-config=sample-cnfs/sample-generic-cnf/cnf-testsuite.yml")

diff --git a/spec/workload/security_spec.cr b/spec/workload/security_spec.cr
@@ -4,42 +4,42 @@ require "../../src/tasks/utils/utils.cr"
 
 describe "Security" do
 
-  it "'privileged' should pass with a non-privileged cnf", tags: ["privileged"]  do
+  it "'privileged_containers' should pass with a non-privileged cnf", tags: ["privileges"]  do
     begin
       result = ShellCmd.run_testsuite("cnf_setup cnf-config=sample-cnfs/sample-statefulset-cnf/cnf-testsuite.yml")
       Log.debug { result[:output] }
-      result = ShellCmd.run_testsuite("privileged verbose")
+      result = ShellCmd.run_testsuite("privileged_containers verbose")
       result[:status].success?.should be_true
-      (/Found.*privileged containers.*coredns/ =~ result[:output]).should be_nil
+      (/No privileged containers/ =~ result[:output]).should_not be_nil
     ensure
       result = ShellCmd.run_testsuite("cnf_cleanup cnf-config=sample-cnfs/sample-statefulset-cnf/cnf-testsuite.yml")
       Log.debug { result[:output] }
     end
   end
-  it "'privileged' should fail on a non-whitelisted, privileged cnf", tags: ["privileged"] do
+  it "'privileged_containers' should fail on a non-whitelisted, privileged cnf", tags: ["privileges"] do
     begin
       result = ShellCmd.run_testsuite("cnf_setup cnf-config=./sample-cnfs/sample_privileged_cnf/cnf-testsuite.yml verbose wait_count=0")
       result[:status].success?.should be_true
-      result = ShellCmd.run_testsuite("privileged verbose")
+      result = ShellCmd.run_testsuite("privileged_containers verbose")
       result[:status].success?.should be_true
       (/Found.*privileged containers.*/ =~ result[:output]).should_not be_nil
       (/Privileged container (privileged-coredns) in.*/ =~ result[:output]).should_not be_nil
     ensure
       result = ShellCmd.run_testsuite("sample_privileged_cnf_non_whitelisted_cleanup")
     end
   end
-  it "'privileged' should pass on a whitelisted, privileged cnf", tags: ["privileged"] do
+  it "'privileged_containers' should pass on a whitelisted, privileged cnf", tags: ["privileges"] do
     begin
       result = ShellCmd.run_testsuite("cnf_setup cnf-config=./sample-cnfs/sample_whitelisted_privileged_cnf/cnf-testsuite.yml verbose wait_count=0")
       result[:status].success?.should be_true
-      result = ShellCmd.run_testsuite("privileged cnf-config=sample-cnfs/sample_whitelisted_privileged_cnf verbose")
+      result = ShellCmd.run_testsuite("privileged_containers cnf-config=sample-cnfs/sample_whitelisted_privileged_cnf verbose")
       result[:status].success?.should be_true
       (/Found.*privileged containers.*/ =~ result[:output]).should be_nil
     ensure
       result = ShellCmd.run_testsuite("sample_privileged_cnf_whitelisted_cleanup")
     end
   end
-  it "'privilege_escalation' should fail on a cnf that has escalated privileges", tags: ["privileged"] do
+  it "'privilege_escalation' should fail on a cnf that has escalated privileges", tags: ["privileges"] do
     begin
       result = ShellCmd.run_testsuite("cnf_setup cnf-config=./sample-cnfs/sample-privilege-escalation/cnf-testsuite.yml")
       result[:status].success?.should be_true
@@ -51,7 +51,7 @@ describe "Security" do
     end
   end
 
-  it "'privilege_escalation' should pass on a cnf that does not have escalated privileges", tags: ["privileged"] do
+  it "'privilege_escalation' should pass on a cnf that does not have escalated privileges", tags: ["privileges"] do
     begin
       result = ShellCmd.run_testsuite("cnf_setup cnf-config=./sample-cnfs/sample-nonroot-containers/cnf-testsuite.yml")
       result[:status].success?.should be_true
@@ -219,18 +219,6 @@ describe "Security" do
     end
   end
 
-  it "'privileged_containers' should pass when the cnf has no privileged containers", tags: ["privileged"] do
-    begin
-      result = ShellCmd.run_testsuite("cnf_setup cnf-config=./sample-cnfs/sample-coredns-cnf")
-      result[:status].success?.should be_true
-      result = ShellCmd.run_testsuite("privileged_containers")
-      result[:status].success?.should be_true
-      (/(FAILED).*(Found privileged containers)/ =~ result[:output]).should be_nil
-    ensure
-      result = ShellCmd.run_testsuite("cnf_cleanup cnf-config=./sample-cnfs/sample-coredns-cnf")
-    end
-  end
-
   it "'immutable_file_systems' should fail when the cnf containers with mutable file systems", tags: ["security"] do
     begin
       result = ShellCmd.run_testsuite("cnf_setup cnf-config=./sample-cnfs/sample-coredns-cnf")

diff --git a/src/tasks/workload/security.cr b/src/tasks/workload/security.cr
@@ -7,7 +7,6 @@ require "../utils/utils.cr"
 
 desc "CNF containers should be isolated from one another and the host.  The CNF Test suite uses tools like Sysdig Inspect and gVisor"
 task "security", [
-    "privileged",
     "symlink_file_system",
     "privilege_escalation",
     "insecure_capabilities",
@@ -137,7 +136,7 @@ task "container_sock_mounts" do |t, args|
 end
 
 desc "Check if any containers are running in privileged mode"
-task "privileged" do |t, args|
+task "privileged_containers" do |t, args|
   CNFManager::Task.task_runner(args, task: t) do |args, config|
     white_list_container_names = config.cnf_config[:white_list_container_names]
     VERBOSE_LOGGING.info "white_list_container_names #{white_list_container_names.inspect}" if check_verbose(args)
@@ -397,26 +396,6 @@ task "non_root_containers", ["kubescape_scan"] do |t, args|
   end
 end
 
-desc "Check that privileged containers are not used"
-task "privileged_containers", ["kubescape_scan" ] do |t, args|
-  CNFManager::Task.task_runner(args, task: t) do |args, config|
-    results_json = Kubescape.parse
-    test_json = Kubescape.test_by_test_name(results_json, "Privileged container")
-    test_report = Kubescape.parse_test_report(test_json)
-    resource_keys = CNFManager.workload_resource_keys(args, config)
-    test_report = Kubescape.filter_cnf_resources(test_report, resource_keys)
-
-    #todo whitelist
-    if test_report.failed_resources.size == 0
-      CNFManager::TestcaseResult.new(CNFManager::ResultStatus::Passed, "No privileged containers were found")
-    else
-      test_report.failed_resources.map {|r| stdout_failure(r.alert_message) }
-      stdout_failure("Remediation: #{test_report.remediation}")
-      CNFManager::TestcaseResult.new(CNFManager::ResultStatus::Failed, "Found privileged containers")
-    end
-  end
-end
-
 desc "Check if containers have immutable file systems"
 task "immutable_file_systems", ["kubescape_scan"] do |t, args|
   CNFManager::Task.task_runner(args, task: t) do |args, config|