diff --git a/.github/workflows/actions.yml b/.github/workflows/actions.yml index 0b49b716c..4dd2a8fb4 100644 --- a/.github/workflows/actions.yml +++ b/.github/workflows/actions.yml @@ -402,7 +402,7 @@ jobs: ./cnf-testsuite setup wget -O cnf-testsuite.yml https://raw.githubusercontent.com/cnti-testcatalog/testsuite/main/example-cnfs/coredns/cnf-testsuite.yml ./cnf-testsuite cnf_setup cnf-config=./cnf-testsuite.yml - LOG_LEVEL=info ./cnf-testsuite all ~compatibility ~resilience ~reasonable_startup_time ~reasonable_image_size ~platform ~privileged ~increase_capacity ~decrease_capacity ~install_script_helm ~helm_chart_valid ~helm_chart_published verbose + LOG_LEVEL=info ./cnf-testsuite all ~compatibility ~resilience ~reasonable_startup_time ~reasonable_image_size ~platform ~increase_capacity ~decrease_capacity ~install_script_helm ~helm_chart_valid ~helm_chart_published verbose - name: Delete Cluster if: ${{ always() }} run: | @@ -477,7 +477,7 @@ jobs: ./cnf-testsuite setup wget -O cnf-testsuite.yml https://raw.githubusercontent.com/cnti-testcatalog/testsuite/main/example-cnfs/coredns/cnf-testsuite.yml ./cnf-testsuite cnf_setup cnf-config=./cnf-testsuite.yml - LOG_LEVEL=info ./cnf-testsuite all ~resilience ~compatibility ~pod_network_latency ~platform ~privileged ~increase_capacity ~decrease_capacity ~ip_addresses ~liveness ~readiness ~rolling_update ~rolling_downgrade ~rolling_version_change ~nodeport_not_used ~hostport_not_used ~hardcoded_ip_addresses_in_k8s_runtime_configuration ~install_script_helm ~helm_chart_valid ~helm_chart_published ~rollback ~secrets_used ~immutable_configmap verbose + LOG_LEVEL=info ./cnf-testsuite all ~resilience ~compatibility ~pod_network_latency ~platform ~increase_capacity ~decrease_capacity ~ip_addresses ~liveness ~readiness ~rolling_update ~rolling_downgrade ~rolling_version_change ~nodeport_not_used ~hostport_not_used ~hardcoded_ip_addresses_in_k8s_runtime_configuration ~install_script_helm ~helm_chart_valid ~helm_chart_published ~rollback ~secrets_used ~immutable_configmap verbose - name: Delete Cluster if: ${{ always() }} run: | diff --git a/CNF_TESTSUITE_YML_USAGE.md b/CNF_TESTSUITE_YML_USAGE.md index a5b80ce58..35417956e 100644 --- a/CNF_TESTSUITE_YML_USAGE.md +++ b/CNF_TESTSUITE_YML_USAGE.md @@ -4,7 +4,7 @@ The cnf-testsuite.yml is used by `cnf_setup` in order to install the CNF to be tested onto an existing K8s cluster. -The information in the cnf-testsuite.yml is also used for additional configuration of some tests e.g. `allowlist_helm_chart_container_names` is used for exculding containers from the [privileged](https://github.com/cnti-testcatalog/testsuite/blob/main/src/tasks/workload/security.cr#L196) container test. +The information in the cnf-testsuite.yml is also used for additional configuration of some tests e.g. `allowlist_helm_chart_container_names` is used for exculding containers from the [privileged_containers](https://github.com/cnti-testcatalog/testsuite/blob/main/src/tasks/workload/security.cr#L138) container test. ### Table of Contents diff --git a/docs/TEST_DOCUMENTATION.md b/docs/TEST_DOCUMENTATION.md index a9d49ea5d..12b568bd0 100644 --- a/docs/TEST_DOCUMENTATION.md +++ b/docs/TEST_DOCUMENTATION.md @@ -922,7 +922,7 @@ Make sure your CNF doesn't mount `/var/run/docker.sock`, `/var/run/containerd.so #### Overview -Checks if any containers are running in privileged mode (using [Kubescape](https://hub.armo.cloud/docs/c-0057)) +Checks if any containers are running in privileged mode. Expectation: Containers should not run in privileged mode #### Rationale diff --git a/embedded_files/points.yml b/embedded_files/points.yml index 11294b238..4379d2a48 100644 --- a/embedded_files/points.yml +++ b/embedded_files/points.yml @@ -53,10 +53,6 @@ #- name: check_reaped # tags: state, dynamic, configuration -- name: privileged - emoji: "🔓🔑" - tags: [security, dynamic, workload] - # required: true - name: privilege_escalation emoji: "🔓🔑" tags: [security, dynamic, workload, cert, normal] diff --git a/spec/utils/cnf_manager_spec.cr b/spec/utils/cnf_manager_spec.cr index 8d23dd49a..57c48a16f 100644 --- a/spec/utils/cnf_manager_spec.cr +++ b/spec/utils/cnf_manager_spec.cr @@ -128,7 +128,7 @@ describe "SampleUtils" do it "'CNFManager::Points.all_task_test_names' should return all tasks names", tags: ["points"] do CNFManager::Points.clean_results_yml - tags = ["alpha_k8s_apis", "application_credentials", "cni_compatible", "container_sock_mounts", "database_persistence", "default_namespace", "disk_fill", "elastic_volumes", "external_ips", "hardcoded_ip_addresses_in_k8s_runtime_configuration", "helm_chart_published", "helm_chart_valid", "helm_deploy", "host_network", "host_pid_ipc_privileges", "hostpath_mounts", "hostport_not_used", "immutable_configmap", "immutable_file_systems", "increase_decrease_capacity", "ingress_egress_blocked", "insecure_capabilities", "ip_addresses", "latest_tag", "linux_hardening", "liveness", "log_output", "no_local_volume_configuration", "node_drain", "nodeport_not_used", "non_root_containers", "open_metrics", "operator_installed", "oran_e2_connection", "pod_delete", "pod_dns_error", "pod_io_stress", "pod_memory_hog", "pod_network_corruption", "pod_network_duplication", "pod_network_latency", "privilege_escalation", "privileged", "privileged_containers", "prometheus_traffic", "readiness", "reasonable_image_size", "reasonable_startup_time", "require_labels", "cpu_limits", "memory_limits", "rollback", "rolling_downgrade", "rolling_update", "rolling_version_change", "routed_logs", "secrets_used", "selinux_options", "service_account_mapping", "service_discovery", "shared_database", "sig_term_handled", "single_process_type", "smf_upf_heartbeat", "specialized_init_system", "suci_enabled", "symlink_file_system", "sysctls", "tracing", "versioned_tag", "zombie_handled"] + tags = ["alpha_k8s_apis", "application_credentials", "cni_compatible", "container_sock_mounts", "database_persistence", "default_namespace", "disk_fill", "elastic_volumes", "external_ips", "hardcoded_ip_addresses_in_k8s_runtime_configuration", "helm_chart_published", "helm_chart_valid", "helm_deploy", "host_network", "host_pid_ipc_privileges", "hostpath_mounts", "hostport_not_used", "immutable_configmap", "immutable_file_systems", "increase_decrease_capacity", "ingress_egress_blocked", "insecure_capabilities", "ip_addresses", "latest_tag", "linux_hardening", "liveness", "log_output", "no_local_volume_configuration", "node_drain", "nodeport_not_used", "non_root_containers", "open_metrics", "operator_installed", "oran_e2_connection", "pod_delete", "pod_dns_error", "pod_io_stress", "pod_memory_hog", "pod_network_corruption", "pod_network_duplication", "pod_network_latency", "privilege_escalation", "privileged_containers", "prometheus_traffic", "readiness", "reasonable_image_size", "reasonable_startup_time", "require_labels", "cpu_limits", "memory_limits", "rollback", "rolling_downgrade", "rolling_update", "rolling_version_change", "routed_logs", "secrets_used", "selinux_options", "service_account_mapping", "service_discovery", "shared_database", "sig_term_handled", "single_process_type", "smf_upf_heartbeat", "specialized_init_system", "suci_enabled", "symlink_file_system", "sysctls", "tracing", "versioned_tag", "zombie_handled"] (CNFManager::Points.all_task_test_names()).sort.should eq(tags.sort) end diff --git a/spec/utils/utils_spec.cr b/spec/utils/utils_spec.cr index 910ec283f..3b55dc418 100644 --- a/spec/utils/utils_spec.cr +++ b/spec/utils/utils_spec.cr @@ -105,9 +105,9 @@ describe "Utils" do Log.debug { "violator list: #{violation_list.flatten}" } emoji_security="" if resource_response - resp = upsert_passed_task("privileged", "✔️ PASSED: No privileged containers", Time.utc) + resp = upsert_passed_task("privileged_containers", "✔️ PASSED: No privileged containers", Time.utc) else - resp = upsert_failed_task("privileged", "✖️ FAILED: Found #{violation_list.size} privileged containers: #{violation_list.inspect}", Time.utc) + resp = upsert_failed_task("privileged_containers", "✖️ FAILED: Found #{violation_list.size} privileged containers: #{violation_list.inspect}", Time.utc) end Log.info { resp } resp @@ -156,7 +156,7 @@ describe "Utils" do result = ShellCmd.run_testsuite("cnf_setup cnf-path=sample-cnfs/sample_privileged_cnf") task_response = CNFManager::Task.all_cnfs_task_runner(my_args) do |args, config| Log.info { "all_cnfs_task_runner spec args #{args.inspect}" } - Log.for("verbose").info { "privileged" } if check_verbose(args) + Log.for("verbose").info { "privileged_containers" } if check_verbose(args) white_list_container_names = config.cnf_config[:white_list_container_names] Log.for("verbose").info { "white_list_container_names #{white_list_container_names.inspect}" } if check_verbose(args) violation_list = [] of String @@ -178,9 +178,9 @@ describe "Utils" do Log.debug { "violator list: #{violation_list.flatten}" } emoji_security="" if resource_response - resp = upsert_passed_task("privileged", "✔️ PASSED: No privileged containers", Time.utc) + resp = upsert_passed_task("privileged_containers", "✔️ PASSED: No privileged containers", Time.utc) else - resp = upsert_failed_task("privileged", "✖️ FAILED: Found #{violation_list.size} privileged containers: #{violation_list.inspect}", Time.utc) + resp = upsert_failed_task("privileged_containers", "✖️ FAILED: Found #{violation_list.size} privileged containers: #{violation_list.inspect}", Time.utc) end resp end @@ -194,7 +194,7 @@ describe "Utils" do it "'task_runner' should run a test against a single cnf if passed a cnf-config argument even if there are multiple cnfs installed", tags: ["task_runner"] do result = ShellCmd.run_testsuite("cnf_setup cnf-config=sample-cnfs/sample-generic-cnf/cnf-testsuite.yml") result = ShellCmd.run_testsuite("cnf_setup cnf-config=sample-cnfs/sample_privileged_cnf/cnf-testsuite.yml") - result = ShellCmd.run_testsuite("privileged") + result = ShellCmd.run_testsuite("privileged_containers") (/(FAILED).*(Found 1 privileged containers)/ =~ result[:output]).should_not be_nil ensure result = ShellCmd.run_testsuite("cnf_cleanup cnf-config=sample-cnfs/sample-generic-cnf/cnf-testsuite.yml") diff --git a/spec/workload/security_spec.cr b/spec/workload/security_spec.cr index 8d61aebab..093a71b84 100644 --- a/spec/workload/security_spec.cr +++ b/spec/workload/security_spec.cr @@ -4,23 +4,23 @@ require "../../src/tasks/utils/utils.cr" describe "Security" do - it "'privileged' should pass with a non-privileged cnf", tags: ["privileged"] do + it "'privileged_containers' should pass with a non-privileged cnf", tags: ["privileges"] do begin result = ShellCmd.run_testsuite("cnf_setup cnf-config=sample-cnfs/sample-statefulset-cnf/cnf-testsuite.yml") Log.debug { result[:output] } - result = ShellCmd.run_testsuite("privileged verbose") + result = ShellCmd.run_testsuite("privileged_containers verbose") result[:status].success?.should be_true - (/Found.*privileged containers.*coredns/ =~ result[:output]).should be_nil + (/No privileged containers/ =~ result[:output]).should_not be_nil ensure result = ShellCmd.run_testsuite("cnf_cleanup cnf-config=sample-cnfs/sample-statefulset-cnf/cnf-testsuite.yml") Log.debug { result[:output] } end end - it "'privileged' should fail on a non-whitelisted, privileged cnf", tags: ["privileged"] do + it "'privileged_containers' should fail on a non-whitelisted, privileged cnf", tags: ["privileges"] do begin result = ShellCmd.run_testsuite("cnf_setup cnf-config=./sample-cnfs/sample_privileged_cnf/cnf-testsuite.yml verbose wait_count=0") result[:status].success?.should be_true - result = ShellCmd.run_testsuite("privileged verbose") + result = ShellCmd.run_testsuite("privileged_containers verbose") result[:status].success?.should be_true (/Found.*privileged containers.*/ =~ result[:output]).should_not be_nil (/Privileged container (privileged-coredns) in.*/ =~ result[:output]).should_not be_nil @@ -28,18 +28,18 @@ describe "Security" do result = ShellCmd.run_testsuite("sample_privileged_cnf_non_whitelisted_cleanup") end end - it "'privileged' should pass on a whitelisted, privileged cnf", tags: ["privileged"] do + it "'privileged_containers' should pass on a whitelisted, privileged cnf", tags: ["privileges"] do begin result = ShellCmd.run_testsuite("cnf_setup cnf-config=./sample-cnfs/sample_whitelisted_privileged_cnf/cnf-testsuite.yml verbose wait_count=0") result[:status].success?.should be_true - result = ShellCmd.run_testsuite("privileged cnf-config=sample-cnfs/sample_whitelisted_privileged_cnf verbose") + result = ShellCmd.run_testsuite("privileged_containers cnf-config=sample-cnfs/sample_whitelisted_privileged_cnf verbose") result[:status].success?.should be_true (/Found.*privileged containers.*/ =~ result[:output]).should be_nil ensure result = ShellCmd.run_testsuite("sample_privileged_cnf_whitelisted_cleanup") end end - it "'privilege_escalation' should fail on a cnf that has escalated privileges", tags: ["privileged"] do + it "'privilege_escalation' should fail on a cnf that has escalated privileges", tags: ["privileges"] do begin result = ShellCmd.run_testsuite("cnf_setup cnf-config=./sample-cnfs/sample-privilege-escalation/cnf-testsuite.yml") result[:status].success?.should be_true @@ -51,7 +51,7 @@ describe "Security" do end end - it "'privilege_escalation' should pass on a cnf that does not have escalated privileges", tags: ["privileged"] do + it "'privilege_escalation' should pass on a cnf that does not have escalated privileges", tags: ["privileges"] do begin result = ShellCmd.run_testsuite("cnf_setup cnf-config=./sample-cnfs/sample-nonroot-containers/cnf-testsuite.yml") result[:status].success?.should be_true @@ -219,18 +219,6 @@ describe "Security" do end end - it "'privileged_containers' should pass when the cnf has no privileged containers", tags: ["privileged"] do - begin - result = ShellCmd.run_testsuite("cnf_setup cnf-config=./sample-cnfs/sample-coredns-cnf") - result[:status].success?.should be_true - result = ShellCmd.run_testsuite("privileged_containers") - result[:status].success?.should be_true - (/(FAILED).*(Found privileged containers)/ =~ result[:output]).should be_nil - ensure - result = ShellCmd.run_testsuite("cnf_cleanup cnf-config=./sample-cnfs/sample-coredns-cnf") - end - end - it "'immutable_file_systems' should fail when the cnf containers with mutable file systems", tags: ["security"] do begin result = ShellCmd.run_testsuite("cnf_setup cnf-config=./sample-cnfs/sample-coredns-cnf") diff --git a/src/tasks/workload/security.cr b/src/tasks/workload/security.cr index 65d83b588..1233332ba 100644 --- a/src/tasks/workload/security.cr +++ b/src/tasks/workload/security.cr @@ -7,7 +7,6 @@ require "../utils/utils.cr" desc "CNF containers should be isolated from one another and the host. The CNF Test suite uses tools like Sysdig Inspect and gVisor" task "security", [ - "privileged", "symlink_file_system", "privilege_escalation", "insecure_capabilities", @@ -137,7 +136,7 @@ task "container_sock_mounts" do |t, args| end desc "Check if any containers are running in privileged mode" -task "privileged" do |t, args| +task "privileged_containers" do |t, args| CNFManager::Task.task_runner(args, task: t) do |args, config| white_list_container_names = config.cnf_config[:white_list_container_names] VERBOSE_LOGGING.info "white_list_container_names #{white_list_container_names.inspect}" if check_verbose(args) @@ -397,26 +396,6 @@ task "non_root_containers", ["kubescape_scan"] do |t, args| end end -desc "Check that privileged containers are not used" -task "privileged_containers", ["kubescape_scan" ] do |t, args| - CNFManager::Task.task_runner(args, task: t) do |args, config| - results_json = Kubescape.parse - test_json = Kubescape.test_by_test_name(results_json, "Privileged container") - test_report = Kubescape.parse_test_report(test_json) - resource_keys = CNFManager.workload_resource_keys(args, config) - test_report = Kubescape.filter_cnf_resources(test_report, resource_keys) - - #todo whitelist - if test_report.failed_resources.size == 0 - CNFManager::TestcaseResult.new(CNFManager::ResultStatus::Passed, "No privileged containers were found") - else - test_report.failed_resources.map {|r| stdout_failure(r.alert_message) } - stdout_failure("Remediation: #{test_report.remediation}") - CNFManager::TestcaseResult.new(CNFManager::ResultStatus::Failed, "Found privileged containers") - end - end -end - desc "Check if containers have immutable file systems" task "immutable_file_systems", ["kubescape_scan"] do |t, args| CNFManager::Task.task_runner(args, task: t) do |args, config|