[1993, 1999, 2003] Upgrade Kubescape to v3.0.8 and fix affected tests #2004

Merged
merged 15 commits into from
Apr 25, 2024

Conversation

HashNuke
Collaborator

@HashNuke HashNuke commented Apr 24, 2024

Related issues

Description

(#1993) Kubescape version check

  • Kubescape version is now checked and the tool+framework is redownloaded if the version does not match.
  • Avoiding parsing the version from the kubescape version command. We prefer not to maintain a parser for it in the testsuite. We just write the version to a plain text file and check against that.

(#1999) resource_policies

  • The Resource Policies control has been split in the Kubescape NSA framework.
  • The test has been split in the testsuite accordingly as cpu_limits and memory_limits tests.
  • The automated tests have also been updated appropriately.
  • These new tests have been updated in points.yml and rationale doc and the usage doc.


(#1999) hostpath_mounts

  • This control has been removed from the Kubescape NSA framework, but is still a part of the armosec/regolibrary.
  • Updated test to run the control directly using the Control ID. We can discuss retaining/removing/replacing this test as a separate discussion.


(#2003) service_account_mapping

The automated spec for service_account_mapping was failing. Turns out that KubectlClient::WORKLOAD_RESOURCES in the kubectl_client dependency did not have ServiceAccount in the list of resources to identify.

The above findings mean that when the Kubescape module's helper functions are used to get the CNF's resources that failed a particular test, the service account is not included as part of CNF's resources.

  • An update has been made to kubectl_client repo (in the testsuite/2003 branch), to fix this issue.
  • A shard.override.yml file has also been temporarily added to this PR, to point to the updated dependency's branch.

PR to kubectl_client merged. I've tagged a new release v1.0.6 on kubectl_client. The shard.yml of the testsuite has been updated to use this version.


(#1999) platform:control_plane_hardening

Updated test to use new control name in Kubescape NSA framework.

(#1999) platform:cluster_admin

Updated the name of the Kubescape control. This fixes the test.

(#1999) platform:exposed_dashboard removed

  • This test does not exist in the Kubescape NSA framework and also not in the armosec regolibrary.
  • Removed it from the testsuite too.

non_root_containers

  • Fixed non_root_containers spec by updating the sample used for the check.
  • Build with error; screenshot below.


(#1999) Other changes

  • Upgrades Kubescape version to v3.0.8 (latest)
    • Without this upgrade, the linux_hardening test was throwing errors due to invalid rego syntax in the Kubescape control definition.
  • Added another option to the kubescape scan command to force Kubescape to return v1 format JSON.
    • The Kubescape integration can be updated later as a part of another PR to read JSON v2 output from Kubescape.

Related PRs

Validation with sample coredns CNF

Tried running workload tests for the sample coredns CNF. No crashes/stacktraces displayed. Tests seem to be running.


How has this been tested:

  • Covered by existing integration testing
  • Added integration testing to cover
  • Verified all A/C passes
    • develop
    • master
    • tag/other branch
  • Test environment
    • Shared Packet K8s cluster
    • New Packet K8s cluster
    • Kind cluster
  • Have not tested

Types of changes:

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update

Checklist:

Documentation

  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • No updates required.

Code Review

  • Does the test handle fatal exceptions, i.e. a rescue block

Issue

  • Tasks in issue are checked off
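The version check described in the PR description (a pinned version compared against a plain text file written at download time, rather than parsing `kubescape version` output), as an added POSIX shell example that is not the testsuite's own code. It assumes a tool directory holding the `kubescape` binary and a `kubescape-version.txt` file, both names chosen here; the download step is replaced by a constructed placeholder script.

```shell
#!/bin/sh
# Added example, not code from the cnti-testcatalog testsuite.
# A mismatch in either direction (older, newer or unreadable record) triggers
# a redownload, so the installed tool always equals the pin, not "at least" it.

KUBESCAPE_PIN="v3.0.8"   # version the PR pins the testsuite to

# needs_download DIR PIN -> returns 0 when the tool must be (re)downloaded
needs_download() {
    dir="$1"; pin="$2"
    [ -x "$dir/kubescape" ] || return 0              # binary missing
    [ -f "$dir/kubescape-version.txt" ] || return 0  # no record: cannot trust the binary
    recorded=$(head -n 1 "$dir/kubescape-version.txt" | tr -d '[:space:]')
    [ "$recorded" = "$pin" ] && return 1             # record matches the pin: keep it
    return 0                                         # mismatch or garbage in the record
}

# record_version DIR PIN: written only after a download completed successfully
record_version() {
    dir="$1"; pin="$2"
    mkdir -p "$dir"
    printf '%s\n' "$pin" > "$dir/kubescape-version.txt"
}

# install_tool DIR PIN: prints "downloaded" or "cached" and leaves DIR consistent
install_tool() {
    dir="$1"; pin="$2"
    if needs_download "$dir" "$pin"; then
        mkdir -p "$dir"
        # Constructed stand-in for fetching the real release binary.
        printf '#!/bin/sh\necho kubescape-placeholder\n' > "$dir/kubescape"
        chmod +x "$dir/kubescape"
        record_version "$dir" "$pin"
        echo downloaded
    else
        echo cached
    fi
}
```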

@HashNuke
Collaborator Author

Identified an issue with service_account_mapping and reported here - #2003

There is one other failure to look into (non_root_containers). Will take a look in a few hours.

@HashNuke HashNuke changed the title [1993, 1999] Upgrade Kubescape to v3.0.8 and fix affected tests [1993, 1999, 2003] Upgrade Kubescape to v3.0.8 and fix affected tests Apr 25, 2024
@HashNuke
Collaborator Author

Updates

The previous build passed - https://github.com/cnti-testcatalog/testsuite/actions/runs/8830493531

To move forward

Next steps

  • I will wait for the build again.
  • I will also run the cert command for coredns on the pair machine to verify the changes.

@HashNuke HashNuke marked this pull request as ready for review April 25, 2024 10:51
Collaborator

@agentpoyo agentpoyo left a comment


LGTM

@agentpoyo agentpoyo merged commit 56ab664 into main Apr 25, 2024
188 of 190 checks passed