
Removal and exchange duplicate test for privileged containers #2119

Merged (1 commit), Aug 7, 2024

Conversation

horecoli (Contributor)

Description

This change removes the Kubescape implementation of the test for privileged containers. The reason behind this decision is the absence of functionality to exclude containers from the test. Instead, it has been replaced with an in-house implementation of this test, which has been renamed from "privileged" to "privileged_containers".

Issues:

Refs: #2115

How has this been tested:

  • Covered by existing integration testing
  • Added integration testing to cover
  • Verified all A/C passes
    • develop
    • master
    • tag/other branch
  • Test environment
    • Shared Packet K8s cluster
    • New Packet K8s cluster
    • Kind cluster
  • Have not tested

Types of changes:

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update

Checklist:

Documentation

  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • No updates required.

Code Review

  • Does the test handle fatal exceptions, i.e. a rescue block

Issue

  • Tasks in issue are checked off
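The description above argues for an in-house check because it can exclude specific containers from the privileged-container test. As an added illustration that is not the testsuite's own code (the project's implementation is written in Crystal and is not shown on this page), the following Python script reads a `kubectl get pods -A -o json`-style PodList, reports every container (init, regular and ephemeral) whose securityContext sets `privileged: true`, and skips the containers on an exclusion list. Exclusion by container name, the sample namespace/pod/container names and the `Found privileged container ...` output wording are assumptions made for this example.

```python
"""Privileged-container check over a Kubernetes PodList with a container exclusion list.

Added example, not the testsuite's own implementation. It assumes the check runs on
the JSON produced by `kubectl get pods -A -o json` and that exclusions are given as
container names; the project's real exclusion mechanism is not shown on this page.
"""
import json
from typing import Iterable, List, Tuple

# Constructed sample PodList, trimmed to the fields the check reads.
# Namespace, pod and container names are made up for this example.
SAMPLE_PODLIST_JSON = json.dumps({
    "kind": "PodList",
    "items": [
        {   # A plain workload: no privileged flag anywhere, must not be reported.
            "metadata": {"name": "coredns-5d78c9869d-abcde", "namespace": "kube-system"},
            "spec": {"containers": [
                {"name": "coredns", "securityContext": {"allowPrivilegeEscalation": False}},
            ]},
        },
        {   # A CNI agent that legitimately needs privileged mode: a candidate for exclusion.
            "metadata": {"name": "cni-agent-xyz12", "namespace": "kube-system"},
            "spec": {
                "initContainers": [{"name": "install-cni", "securityContext": {"privileged": True}}],
                "containers": [{"name": "cni-agent", "securityContext": {"privileged": True}}],
            },
        },
        {   # An application pod with a privileged sidecar: the finding the test should report.
            "metadata": {"name": "sample-app-0", "namespace": "default"},
            "spec": {"containers": [
                {"name": "app", "securityContext": {"privileged": False}},
                {"name": "debug-sidecar", "securityContext": {"privileged": True}},
            ]},
        },
    ],
})

Finding = Tuple[str, str, str]  # (namespace, pod name, container name)

# All three container lists in a pod spec can carry a securityContext.
CONTAINER_FIELDS = ("initContainers", "containers", "ephemeralContainers")


def privileged_container_names(pod: dict) -> List[str]:
    """Names of every container in the pod whose securityContext sets privileged: true.

    Init and ephemeral containers are included: a privileged init container has the same
    access to the node as a privileged main container. A missing securityContext, or
    privileged: false, counts as not privileged (the API default).
    """
    names: List[str] = []
    spec = pod.get("spec", {})
    for field in CONTAINER_FIELDS:
        for container in spec.get(field) or []:
            security_context = container.get("securityContext") or {}
            if security_context.get("privileged") is True:
                names.append(container["name"])
    return names


def find_privileged(podlist_json: str, excluded_containers: Iterable[str] = ()) -> List[Finding]:
    """Return (namespace, pod, container) for each privileged container not on the exclusion list.

    Exclusion by container name is an assumption made for this example.
    """
    excluded = set(excluded_containers)
    findings: List[Finding] = []
    for pod in json.loads(podlist_json).get("items", []):
        namespace = pod["metadata"]["namespace"]
        pod_name = pod["metadata"]["name"]
        for container in privileged_container_names(pod):
            if container in excluded:
                continue
            findings.append((namespace, pod_name, container))
    return findings


def check_passes(podlist_json: str, excluded_containers: Iterable[str] = ()) -> bool:
    """True when no privileged container remains after applying the exclusion list."""
    return not find_privileged(podlist_json, excluded_containers)


if __name__ == "__main__":
    allowed = ["install-cni", "cni-agent"]  # constructed allow-list for the CNI pod
    for namespace, pod_name, container in find_privileged(SAMPLE_PODLIST_JSON, allowed):
        print(f"Found privileged container {namespace}/{pod_name}:{container}")
    print("PASSED" if check_passes(SAMPLE_PODLIST_JSON, allowed) else "FAILED")
```

Run against a live cluster by replacing `SAMPLE_PODLIST_JSON` with the output of `kubectl get pods -A -o json`. Keeping the exclusion list explicit (and reviewed) is what makes the test useful: a blanket skip of a namespace would also hide a privileged sidecar that was added to an application pod later.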

@horecoli horecoli force-pushed the privileged_exchange branch 2 times, most recently from 9a47a29 to 8c7f5c2 Compare August 1, 2024 08:37
@kosstennbl kosstennbl (Collaborator) left a comment

TEST_DOCUMENTATION.md requires a small change.
utils_spec.cr:181-183: it seems the prefix also needs to be changed.

begin
result = ShellCmd.run_testsuite("cnf_setup cnf-config=sample-cnfs/sample-statefulset-cnf/cnf-testsuite.yml")
Log.debug { result[:output] }
result = ShellCmd.run_testsuite("privileged verbose")
result = ShellCmd.run_testsuite("privileged_containers verbose")
result[:status].success?.should be_true
(/Found.*privileged containers.*coredns/ =~ result[:output]).should be_nil
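Review bot: the negated match on the last line, `(/Found.*privileged containers.*coredns/ =~ result[:output]).should be_nil`, is satisfied by any output that simply lacks that phrase, so a task that prints a differently worded result would still pass this assertion; pair it with a positive assertion on the expected pass message so the spec cannot succeed vacuously, and check that the `Found.*privileged containers` wording still matches what the renamed `privileged_containers` task prints.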
kosstennbl (Collaborator):

This output check doesn't seem right when comparing to test outputs, the test will always pass.

horecoli (Contributor Author):

I am not sure what you mean; I didn't change anything related to the output, I just renamed the test during its execution.

horecoli (Contributor Author):

But yes, there was an issue with the regex before, which we didn't know about. I fixed it in the last commit. Thanks.

@@ -4,35 +4,35 @@ require "../../src/tasks/utils/utils.cr"

describe "Security" do

it "'privileged' should pass with a non-privileged cnf", tags: ["privileged"] do
it "'privileged_containers' should pass with a non-privileged cnf", tags: ["privileged"] do
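Review bot: the example name is renamed to 'privileged_containers' but the spec tag on the same line stays `tags: ["privileged"]`; keep the tag in step with the task name (`tags: ["privileged_containers"]`) so that selecting specs by tag picks the renamed test and the tag is not confused with the separate privilege-escalation tests.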
@kosstennbl kosstennbl (Collaborator), Aug 1, 2024:

Maybe tag could be changed to "privileged_containers"? And same would be used for privilege escalation tests.

@horecoli horecoli force-pushed the privileged_exchange branch from 8c7f5c2 to 1fd4080 Compare August 5, 2024 07:01
@@ -402,7 +402,7 @@ jobs:
./cnf-testsuite setup
wget -O cnf-testsuite.yml https://raw.githubusercontent.com/cnti-testcatalog/testsuite/main/example-cnfs/coredns/cnf-testsuite.yml
./cnf-testsuite cnf_setup cnf-config=./cnf-testsuite.yml
LOG_LEVEL=info ./cnf-testsuite all ~compatibility ~resilience ~reasonable_startup_time ~reasonable_image_size ~platform ~privileged ~increase_capacity ~decrease_capacity ~install_script_helm ~helm_chart_valid ~helm_chart_published verbose
LOG_LEVEL=info ./cnf-testsuite all ~compatibility ~resilience ~reasonable_startup_time ~reasonable_image_size ~platform ~privileges ~increase_capacity ~decrease_capacity ~install_script_helm ~helm_chart_valid ~helm_chart_published verbose
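Review bot: the exclusion `~privileges` on the replaced `all` line does not correspond to any task name introduced by this change; the `all` invocation filters by task name and the task is now called `privileged_containers`, so this exclusion matches nothing and the test would run in this job. Either write `~privileged_containers` or, if running the test here is intended, drop the exclusion rather than leave a silent no-op.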
kosstennbl (Collaborator):

I think task names are used there, not spec tags. Should be ~privileged_containers

@horecoli horecoli (Contributor Author), Aug 5, 2024:

Yes, you're right; this is just excluding, and we don't want to exclude it now, so I just removed it.

@@ -477,7 +477,7 @@ jobs:
./cnf-testsuite setup
wget -O cnf-testsuite.yml https://raw.githubusercontent.com/cnti-testcatalog/testsuite/main/example-cnfs/coredns/cnf-testsuite.yml
./cnf-testsuite cnf_setup cnf-config=./cnf-testsuite.yml
LOG_LEVEL=info ./cnf-testsuite all ~resilience ~compatibility ~pod_network_latency ~platform ~privileged ~increase_capacity ~decrease_capacity ~ip_addresses ~liveness ~readiness ~rolling_update ~rolling_downgrade ~rolling_version_change ~nodeport_not_used ~hostport_not_used ~hardcoded_ip_addresses_in_k8s_runtime_configuration ~install_script_helm ~helm_chart_valid ~helm_chart_published ~rollback ~secrets_used ~immutable_configmap verbose
LOG_LEVEL=info ./cnf-testsuite all ~resilience ~compatibility ~pod_network_latency ~platform ~privileges ~increase_capacity ~decrease_capacity ~ip_addresses ~liveness ~readiness ~rolling_update ~rolling_downgrade ~rolling_version_change ~nodeport_not_used ~hostport_not_used ~hardcoded_ip_addresses_in_k8s_runtime_configuration ~install_script_helm ~helm_chart_valid ~helm_chart_published ~rollback ~secrets_used ~immutable_configmap verbose
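Review bot: `~privileges` in the replaced `all` command matches no task defined in this PR (the renamed task is `privileged_containers`), so the exclusion is a no-op and the job would run the test anyway; use `~privileged_containers` if the test should stay excluded in this job, or remove the token if running it is intended.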
kosstennbl (Collaborator):

ditto

horecoli (Contributor Author):

done

This change removes the Kubescape implementation of test
for privileged containers. The reason behind this decision
is the absence of functionality to exclude containers
from the test. Instead, it has been replaced with an in-house
implementation of this test, which has been renamed
from "privileged" to "privileged_containers".

Implements: cnti-testcatalog#2115
Signed-off-by: horecoli <[email protected]>
@horecoli horecoli force-pushed the privileged_exchange branch from 1fd4080 to 860c576 Compare August 5, 2024 09:17
@kosstennbl kosstennbl (Collaborator) left a comment

LGTM

@martin-mat martin-mat (Collaborator) left a comment

lgtm

@rich-l rich-l left a comment

lgtm

@martin-mat martin-mat merged commit 0a33918 into cnti-testcatalog:main Aug 7, 2024
88 checks passed
@horecoli horecoli deleted the privileged_exchange branch August 7, 2024 06:33