Removal and exchange of duplicate test for privileged containers (#2119)
This change removes the Kubescape implementation of the test
for privileged containers. The reason behind this decision
is the absence of functionality to exclude containers
from the test. Instead, it has been replaced with an in-house
implementation of this test, which has been renamed
from "privileged" to "privileged_containers".

Implements: #2115

Signed-off-by: horecoli <[email protected]>
horecoli authored Aug 7, 2024
1 parent 66752b7 commit 0a33918
Showing 8 changed files with 21 additions and 58 deletions.
4 changes: 2 additions & 2 deletions .github/workflows/actions.yml
@@ -402,7 +402,7 @@ jobs:
./cnf-testsuite setup
wget -O cnf-testsuite.yml https://raw.githubusercontent.com/cnti-testcatalog/testsuite/main/example-cnfs/coredns/cnf-testsuite.yml
./cnf-testsuite cnf_setup cnf-config=./cnf-testsuite.yml
LOG_LEVEL=info ./cnf-testsuite all ~compatibility ~resilience ~reasonable_startup_time ~reasonable_image_size ~platform ~privileged ~increase_capacity ~decrease_capacity ~install_script_helm ~helm_chart_valid ~helm_chart_published verbose
LOG_LEVEL=info ./cnf-testsuite all ~compatibility ~resilience ~reasonable_startup_time ~reasonable_image_size ~platform ~increase_capacity ~decrease_capacity ~install_script_helm ~helm_chart_valid ~helm_chart_published verbose
- name: Delete Cluster
if: ${{ always() }}
run: |
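Review bot: dropping `~privileged` from the skip list means the renamed in-house check now runs in this job for the first time, where the old `privileged` task was deliberately excluded; if it was skipped because the CoreDNS example at `example-cnfs/coredns/cnf-testsuite.yml` needs an `allowlist_helm_chart_container_names` entry, the job will start failing on it. The same applies to the second job at line 477 below. Either confirm the example passes the renamed test, or add `~privileged_containers` to both skip lists until it does.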
@@ -477,7 +477,7 @@ jobs:
./cnf-testsuite setup
wget -O cnf-testsuite.yml https://raw.githubusercontent.com/cnti-testcatalog/testsuite/main/example-cnfs/coredns/cnf-testsuite.yml
./cnf-testsuite cnf_setup cnf-config=./cnf-testsuite.yml
LOG_LEVEL=info ./cnf-testsuite all ~resilience ~compatibility ~pod_network_latency ~platform ~privileged ~increase_capacity ~decrease_capacity ~ip_addresses ~liveness ~readiness ~rolling_update ~rolling_downgrade ~rolling_version_change ~nodeport_not_used ~hostport_not_used ~hardcoded_ip_addresses_in_k8s_runtime_configuration ~install_script_helm ~helm_chart_valid ~helm_chart_published ~rollback ~secrets_used ~immutable_configmap verbose
LOG_LEVEL=info ./cnf-testsuite all ~resilience ~compatibility ~pod_network_latency ~platform ~increase_capacity ~decrease_capacity ~ip_addresses ~liveness ~readiness ~rolling_update ~rolling_downgrade ~rolling_version_change ~nodeport_not_used ~hostport_not_used ~hardcoded_ip_addresses_in_k8s_runtime_configuration ~install_script_helm ~helm_chart_valid ~helm_chart_published ~rollback ~secrets_used ~immutable_configmap verbose
- name: Delete Cluster
if: ${{ always() }}
run: |
2 changes: 1 addition & 1 deletion CNF_TESTSUITE_YML_USAGE.md
@@ -4,7 +4,7 @@
The cnf-testsuite.yml is used by `cnf_setup` in order to install the CNF to be tested onto an existing K8s cluster.


The information in the cnf-testsuite.yml is also used for additional configuration of some tests e.g. `allowlist_helm_chart_container_names` is used for exculding containers from the [privileged](https://github.com/cnti-testcatalog/testsuite/blob/main/src/tasks/workload/security.cr#L196) container test.
The information in the cnf-testsuite.yml is also used for additional configuration of some tests e.g. `allowlist_helm_chart_container_names` is used for exculding containers from the [privileged_containers](https://github.com/cnti-testcatalog/testsuite/blob/main/src/tasks/workload/security.cr#L138) container test.


### Table of Contents
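Review bot: the typo `exculding` is carried over into the new line; fix it while touching it. Also `[privileged_containers](...) container test` reads doubled (`privileged_containers` test is enough), and a `#L138` anchor on `main` goes stale with the next edit to security.cr (this very change moved it from `#L196` to `#L138`); link to a commit permalink or simply name the task.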
2 changes: 1 addition & 1 deletion docs/TEST_DOCUMENTATION.md
@@ -922,7 +922,7 @@ Make sure your CNF doesn't mount `/var/run/docker.sock`, `/var/run/containerd.so

#### Overview

Checks if any containers are running in privileged mode (using [Kubescape](https://hub.armo.cloud/docs/c-0057))
Checks if any containers are running in privileged mode.
Expectation: Containers should not run in privileged mode

#### Rationale
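Review bot: with the Kubescape reference gone, the overview no longer says what the in-house check inspects or that it honours the allowlist, which was the motivation for this change. State that a container is flagged when its `securityContext.privileged` is `true`, and that containers listed under `allowlist_helm_chart_container_names` in cnf-testsuite.yml are skipped, so a reader knows why an allowlisted privileged container passes.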
4 changes: 0 additions & 4 deletions embedded_files/points.yml
@@ -53,10 +53,6 @@
#- name: check_reaped
# tags: state, dynamic, configuration

- name: privileged
emoji: "🔓🔑"
tags: [security, dynamic, workload]
# required: true
- name: privilege_escalation
emoji: "🔓🔑"
tags: [security, dynamic, workload, cert, normal]
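Review bot: the removed `privileged` entry carried `tags: [security, dynamic, workload]` and a commented-out `required: true`; the `privileged_containers` entry that now backs the in-house task is not touched in this diff, so check it has the same `security` and `workload` tags (and decide whether it should get `cert, normal` like `privilege_escalation` directly below) so the test keeps its place in the security scoring and in `all`.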
2 changes: 1 addition & 1 deletion spec/utils/cnf_manager_spec.cr
@@ -128,7 +128,7 @@ describe "SampleUtils" do

it "'CNFManager::Points.all_task_test_names' should return all tasks names", tags: ["points"] do
CNFManager::Points.clean_results_yml
tags = ["alpha_k8s_apis", "application_credentials", "cni_compatible", "container_sock_mounts", "database_persistence", "default_namespace", "disk_fill", "elastic_volumes", "external_ips", "hardcoded_ip_addresses_in_k8s_runtime_configuration", "helm_chart_published", "helm_chart_valid", "helm_deploy", "host_network", "host_pid_ipc_privileges", "hostpath_mounts", "hostport_not_used", "immutable_configmap", "immutable_file_systems", "increase_decrease_capacity", "ingress_egress_blocked", "insecure_capabilities", "ip_addresses", "latest_tag", "linux_hardening", "liveness", "log_output", "no_local_volume_configuration", "node_drain", "nodeport_not_used", "non_root_containers", "open_metrics", "operator_installed", "oran_e2_connection", "pod_delete", "pod_dns_error", "pod_io_stress", "pod_memory_hog", "pod_network_corruption", "pod_network_duplication", "pod_network_latency", "privilege_escalation", "privileged", "privileged_containers", "prometheus_traffic", "readiness", "reasonable_image_size", "reasonable_startup_time", "require_labels", "cpu_limits", "memory_limits", "rollback", "rolling_downgrade", "rolling_update", "rolling_version_change", "routed_logs", "secrets_used", "selinux_options", "service_account_mapping", "service_discovery", "shared_database", "sig_term_handled", "single_process_type", "smf_upf_heartbeat", "specialized_init_system", "suci_enabled", "symlink_file_system", "sysctls", "tracing", "versioned_tag", "zombie_handled"]
tags = ["alpha_k8s_apis", "application_credentials", "cni_compatible", "container_sock_mounts", "database_persistence", "default_namespace", "disk_fill", "elastic_volumes", "external_ips", "hardcoded_ip_addresses_in_k8s_runtime_configuration", "helm_chart_published", "helm_chart_valid", "helm_deploy", "host_network", "host_pid_ipc_privileges", "hostpath_mounts", "hostport_not_used", "immutable_configmap", "immutable_file_systems", "increase_decrease_capacity", "ingress_egress_blocked", "insecure_capabilities", "ip_addresses", "latest_tag", "linux_hardening", "liveness", "log_output", "no_local_volume_configuration", "node_drain", "nodeport_not_used", "non_root_containers", "open_metrics", "operator_installed", "oran_e2_connection", "pod_delete", "pod_dns_error", "pod_io_stress", "pod_memory_hog", "pod_network_corruption", "pod_network_duplication", "pod_network_latency", "privilege_escalation", "privileged_containers", "prometheus_traffic", "readiness", "reasonable_image_size", "reasonable_startup_time", "require_labels", "cpu_limits", "memory_limits", "rollback", "rolling_downgrade", "rolling_update", "rolling_version_change", "routed_logs", "secrets_used", "selinux_options", "service_account_mapping", "service_discovery", "shared_database", "sig_term_handled", "single_process_type", "smf_upf_heartbeat", "specialized_init_system", "suci_enabled", "symlink_file_system", "sysctls", "tracing", "versioned_tag", "zombie_handled"]
(CNFManager::Points.all_task_test_names()).sort.should eq(tags.sort)
end

12 changes: 6 additions & 6 deletions spec/utils/utils_spec.cr
@@ -105,9 +105,9 @@ describe "Utils" do
Log.debug { "violator list: #{violation_list.flatten}" }
emoji_security=""
if resource_response
resp = upsert_passed_task("privileged", "✔️ PASSED: No privileged containers", Time.utc)
resp = upsert_passed_task("privileged_containers", "✔️ PASSED: No privileged containers", Time.utc)
else
resp = upsert_failed_task("privileged", "✖️ FAILED: Found #{violation_list.size} privileged containers: #{violation_list.inspect}", Time.utc)
resp = upsert_failed_task("privileged_containers", "✖️ FAILED: Found #{violation_list.size} privileged containers: #{violation_list.inspect}", Time.utc)
end
Log.info { resp }
resp
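Review bot: this spec block reimplements the task body (allowlist lookup, violation list, pass/fail `upsert_*_task`) rather than invoking the `privileged_containers` task, which is why the rename had to be applied in three separate hunks of this file and why the two copies can drift. `emoji_security=""` is also assigned and never used. Consider driving the real task via `ShellCmd.run_testsuite("privileged_containers")`, as the spec in the last hunk of this file does, and asserting on its output.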
@@ -156,7 +156,7 @@ describe "Utils" do
result = ShellCmd.run_testsuite("cnf_setup cnf-path=sample-cnfs/sample_privileged_cnf")
task_response = CNFManager::Task.all_cnfs_task_runner(my_args) do |args, config|
Log.info { "all_cnfs_task_runner spec args #{args.inspect}" }
Log.for("verbose").info { "privileged" } if check_verbose(args)
Log.for("verbose").info { "privileged_containers" } if check_verbose(args)
white_list_container_names = config.cnf_config[:white_list_container_names]
Log.for("verbose").info { "white_list_container_names #{white_list_container_names.inspect}" } if check_verbose(args)
violation_list = [] of String
@@ -178,9 +178,9 @@ describe "Utils" do
Log.debug { "violator list: #{violation_list.flatten}" }
emoji_security=""
if resource_response
resp = upsert_passed_task("privileged", "✔️ PASSED: No privileged containers", Time.utc)
resp = upsert_passed_task("privileged_containers", "✔️ PASSED: No privileged containers", Time.utc)
else
resp = upsert_failed_task("privileged", "✖️ FAILED: Found #{violation_list.size} privileged containers: #{violation_list.inspect}", Time.utc)
resp = upsert_failed_task("privileged_containers", "✖️ FAILED: Found #{violation_list.size} privileged containers: #{violation_list.inspect}", Time.utc)
end
resp
end
@@ -194,7 +194,7 @@ describe "Utils" do
it "'task_runner' should run a test against a single cnf if passed a cnf-config argument even if there are multiple cnfs installed", tags: ["task_runner"] do
result = ShellCmd.run_testsuite("cnf_setup cnf-config=sample-cnfs/sample-generic-cnf/cnf-testsuite.yml")
result = ShellCmd.run_testsuite("cnf_setup cnf-config=sample-cnfs/sample_privileged_cnf/cnf-testsuite.yml")
result = ShellCmd.run_testsuite("privileged")
result = ShellCmd.run_testsuite("privileged_containers")
(/(FAILED).*(Found 1 privileged containers)/ =~ result[:output]).should_not be_nil
ensure
result = ShellCmd.run_testsuite("cnf_cleanup cnf-config=sample-cnfs/sample-generic-cnf/cnf-testsuite.yml")
30 changes: 9 additions & 21 deletions spec/workload/security_spec.cr
@@ -4,42 +4,42 @@ require "../../src/tasks/utils/utils.cr"

describe "Security" do

it "'privileged' should pass with a non-privileged cnf", tags: ["privileged"] do
it "'privileged_containers' should pass with a non-privileged cnf", tags: ["privileges"] do
begin
result = ShellCmd.run_testsuite("cnf_setup cnf-config=sample-cnfs/sample-statefulset-cnf/cnf-testsuite.yml")
Log.debug { result[:output] }
result = ShellCmd.run_testsuite("privileged verbose")
result = ShellCmd.run_testsuite("privileged_containers verbose")
result[:status].success?.should be_true
(/Found.*privileged containers.*coredns/ =~ result[:output]).should be_nil
(/No privileged containers/ =~ result[:output]).should_not be_nil
ensure
result = ShellCmd.run_testsuite("cnf_cleanup cnf-config=sample-cnfs/sample-statefulset-cnf/cnf-testsuite.yml")
Log.debug { result[:output] }
end
end
it "'privileged' should fail on a non-whitelisted, privileged cnf", tags: ["privileged"] do
it "'privileged_containers' should fail on a non-whitelisted, privileged cnf", tags: ["privileges"] do
begin
result = ShellCmd.run_testsuite("cnf_setup cnf-config=./sample-cnfs/sample_privileged_cnf/cnf-testsuite.yml verbose wait_count=0")
result[:status].success?.should be_true
result = ShellCmd.run_testsuite("privileged verbose")
result = ShellCmd.run_testsuite("privileged_containers verbose")
result[:status].success?.should be_true
(/Found.*privileged containers.*/ =~ result[:output]).should_not be_nil
(/Privileged container (privileged-coredns) in.*/ =~ result[:output]).should_not be_nil
ensure
result = ShellCmd.run_testsuite("sample_privileged_cnf_non_whitelisted_cleanup")
end
end
it "'privileged' should pass on a whitelisted, privileged cnf", tags: ["privileged"] do
it "'privileged_containers' should pass on a whitelisted, privileged cnf", tags: ["privileges"] do
begin
result = ShellCmd.run_testsuite("cnf_setup cnf-config=./sample-cnfs/sample_whitelisted_privileged_cnf/cnf-testsuite.yml verbose wait_count=0")
result[:status].success?.should be_true
result = ShellCmd.run_testsuite("privileged cnf-config=sample-cnfs/sample_whitelisted_privileged_cnf verbose")
result = ShellCmd.run_testsuite("privileged_containers cnf-config=sample-cnfs/sample_whitelisted_privileged_cnf verbose")
result[:status].success?.should be_true
(/Found.*privileged containers.*/ =~ result[:output]).should be_nil
ensure
result = ShellCmd.run_testsuite("sample_privileged_cnf_whitelisted_cleanup")
end
end
it "'privilege_escalation' should fail on a cnf that has escalated privileges", tags: ["privileged"] do
it "'privilege_escalation' should fail on a cnf that has escalated privileges", tags: ["privileges"] do
begin
result = ShellCmd.run_testsuite("cnf_setup cnf-config=./sample-cnfs/sample-privilege-escalation/cnf-testsuite.yml")
result[:status].success?.should be_true
@@ -51,7 +51,7 @@ describe "Security" do
end
end

it "'privilege_escalation' should pass on a cnf that does not have escalated privileges", tags: ["privileged"] do
it "'privilege_escalation' should pass on a cnf that does not have escalated privileges", tags: ["privileges"] do
begin
result = ShellCmd.run_testsuite("cnf_setup cnf-config=./sample-cnfs/sample-nonroot-containers/cnf-testsuite.yml")
result[:status].success?.should be_true
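Review bot: the spec tag changes from "privileged" to "privileges" for all five examples here, including the two `privilege_escalation` ones, so any spec invocation filtered with `tags: ["privileged"]` now selects nothing; grep CI and Makefiles for the old tag. Separately, the first example sets up `sample-statefulset-cnf` but asserts that `/Found.*privileged containers.*coredns/` is nil; if that sample has no `coredns` container the assertion is vacuous, so drop the container name or assert on the sample's actual container.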
@@ -219,18 +219,6 @@ describe "Security" do
end
end

it "'privileged_containers' should pass when the cnf has no privileged containers", tags: ["privileged"] do
begin
result = ShellCmd.run_testsuite("cnf_setup cnf-config=./sample-cnfs/sample-coredns-cnf")
result[:status].success?.should be_true
result = ShellCmd.run_testsuite("privileged_containers")
result[:status].success?.should be_true
(/(FAILED).*(Found privileged containers)/ =~ result[:output]).should be_nil
ensure
result = ShellCmd.run_testsuite("cnf_cleanup cnf-config=./sample-cnfs/sample-coredns-cnf")
end
end

it "'immutable_file_systems' should fail when the cnf containers with mutable file systems", tags: ["security"] do
begin
result = ShellCmd.run_testsuite("cnf_setup cnf-config=./sample-cnfs/sample-coredns-cnf")
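Review bot: the deleted spec was the only one exercising the check against `sample-coredns-cnf`, the same CoreDNS workload the CI jobs in actions.yml now run the renamed test against; the surviving pass case uses `sample-statefulset-cnf`. It would be cheap to keep this example pointed at the in-house task (its `(FAILED).*(Found privileged containers)` regex would need the new `Found N privileged containers` wording) so a regression on the CI workload is caught in the spec rather than in the workflow.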
23 changes: 1 addition & 22 deletions src/tasks/workload/security.cr
@@ -7,7 +7,6 @@ require "../utils/utils.cr"

desc "CNF containers should be isolated from one another and the host. The CNF Test suite uses tools like Sysdig Inspect and gVisor"
task "security", [
"privileged",
"symlink_file_system",
"privilege_escalation",
"insecure_capabilities",
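Review bot: `privileged` is removed from the `security` task's dependency list but `privileged_containers` is not added in its place in this hunk; unless it already appears further down the list (not shown here), the aggregate `security` task no longer runs the privileged-container check at all. Add it where the removed entry was.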
@@ -137,7 +136,7 @@ task "container_sock_mounts" do |t, args|
end

desc "Check if any containers are running in privileged mode"
task "privileged" do |t, args|
task "privileged_containers" do |t, args|
CNFManager::Task.task_runner(args, task: t) do |args, config|
white_list_container_names = config.cnf_config[:white_list_container_names]
VERBOSE_LOGGING.info "white_list_container_names #{white_list_container_names.inspect}" if check_verbose(args)
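Review bot: the task is renamed but its `desc` still reads "Check if any containers are running in privileged mode" while the removed Kubescape task's was "Check that privileged containers are not used"; pick one wording and reuse it in TEST_DOCUMENTATION.md. Also the allowlist is read as `config.cnf_config[:white_list_container_names]` while the documented yml key is `allowlist_helm_chart_container_names`; the mismatch is pre-existing, but now that this is the only implementation it is the moment to align the internal name with the config key.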
@@ -397,26 +396,6 @@ task "non_root_containers", ["kubescape_scan"] do |t, args|
end
end

desc "Check that privileged containers are not used"
task "privileged_containers", ["kubescape_scan" ] do |t, args|
CNFManager::Task.task_runner(args, task: t) do |args, config|
results_json = Kubescape.parse
test_json = Kubescape.test_by_test_name(results_json, "Privileged container")
test_report = Kubescape.parse_test_report(test_json)
resource_keys = CNFManager.workload_resource_keys(args, config)
test_report = Kubescape.filter_cnf_resources(test_report, resource_keys)

#todo whitelist
if test_report.failed_resources.size == 0
CNFManager::TestcaseResult.new(CNFManager::ResultStatus::Passed, "No privileged containers were found")
else
test_report.failed_resources.map {|r| stdout_failure(r.alert_message) }
stdout_failure("Remediation: #{test_report.remediation}")
CNFManager::TestcaseResult.new(CNFManager::ResultStatus::Failed, "Found privileged containers")
end
end
end

desc "Check if containers have immutable file systems"
task "immutable_file_systems", ["kubescape_scan"] do |t, args|
CNFManager::Task.task_runner(args, task: t) do |args, config|
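Review bot: the removed Kubescape version printed a per-resource `alert_message` and a `Remediation:` line on failure; the in-house task's body is outside this diff, so confirm it still tells the user which pod and container to fix (the spec expects `Privileged container (<name>) in ...`) and that it walks `initContainers` and ephemeral containers as well as `containers`, since a privileged init container grants the same host-level access. The `#todo whitelist` the old task carried is exactly what this change resolves, so nothing else is lost by deleting it.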
