Removal and exchange duplicate test for privileged containers

.github/workflows/actions.yml

@@ -402,7 +402,7 @@ jobs:
         ./cnf-testsuite setup
         wget -O cnf-testsuite.yml https://raw.githubusercontent.com/cnti-testcatalog/testsuite/main/example-cnfs/coredns/cnf-testsuite.yml
         ./cnf-testsuite cnf_setup cnf-config=./cnf-testsuite.yml
-        LOG_LEVEL=info ./cnf-testsuite all ~compatibility ~resilience ~reasonable_startup_time ~reasonable_image_size ~platform ~privileged ~increase_capacity ~decrease_capacity ~install_script_helm ~helm_chart_valid ~helm_chart_published verbose
+        LOG_LEVEL=info ./cnf-testsuite all ~compatibility ~resilience ~reasonable_startup_time ~reasonable_image_size ~platform ~increase_capacity ~decrease_capacity ~install_script_helm ~helm_chart_valid ~helm_chart_published verbose
     - name: Delete Cluster
       if: ${{ always() }}
       run: |
@@ -477,7 +477,7 @@ jobs:
         ./cnf-testsuite setup
         wget -O cnf-testsuite.yml https://raw.githubusercontent.com/cnti-testcatalog/testsuite/main/example-cnfs/coredns/cnf-testsuite.yml
         ./cnf-testsuite cnf_setup cnf-config=./cnf-testsuite.yml
-        LOG_LEVEL=info ./cnf-testsuite all ~resilience ~compatibility ~pod_network_latency ~platform ~privileged ~increase_capacity ~decrease_capacity ~ip_addresses ~liveness ~readiness ~rolling_update ~rolling_downgrade ~rolling_version_change ~nodeport_not_used ~hostport_not_used ~hardcoded_ip_addresses_in_k8s_runtime_configuration ~install_script_helm ~helm_chart_valid ~helm_chart_published ~rollback ~secrets_used ~immutable_configmap verbose
+        LOG_LEVEL=info ./cnf-testsuite all ~resilience ~compatibility ~pod_network_latency ~platform ~increase_capacity ~decrease_capacity ~ip_addresses ~liveness ~readiness ~rolling_update ~rolling_downgrade ~rolling_version_change ~nodeport_not_used ~hostport_not_used ~hardcoded_ip_addresses_in_k8s_runtime_configuration ~install_script_helm ~helm_chart_valid ~helm_chart_published ~rollback ~secrets_used ~immutable_configmap verbose
     - name: Delete Cluster
       if: ${{ always() }}
       run: |

CNF_TESTSUITE_YML_USAGE.md

@@ -4,7 +4,7 @@
 The cnf-testsuite.yml is used by `cnf_setup` in order to install the CNF to be tested onto an existing K8s cluster. 
 
 
-The information in the cnf-testsuite.yml is also used for additional configuration of some tests e.g. `allowlist_helm_chart_container_names` is used for exculding containers from the [privileged](https://github.com/cnti-testcatalog/testsuite/blob/main/src/tasks/workload/security.cr#L196) container test.
+The information in the cnf-testsuite.yml is also used for additional configuration of some tests e.g. `allowlist_helm_chart_container_names` is used for exculding containers from the [privileged_containers](https://github.com/cnti-testcatalog/testsuite/blob/main/src/tasks/workload/security.cr#L138) container test.
 
 
 ### Table of Contents

docs/TEST_DOCUMENTATION.md

@@ -922,7 +922,7 @@ Make sure your CNF doesn't mount `/var/run/docker.sock`, `/var/run/containerd.so
 
 #### Overview
 
-Checks if any containers are running in privileged mode (using [Kubescape](https://hub.armo.cloud/docs/c-0057))
+Checks if any containers are running in privileged mode.
 Expectation: Containers should not run in privileged mode
 
 #### Rationale

embedded_files/points.yml

@@ -53,10 +53,6 @@
 #- name: check_reaped 
 #  tags: state, dynamic, configuration
 
-- name: privileged
-  emoji: "🔓🔑"
-  tags: [security, dynamic, workload]
-  # required: true
 - name: privilege_escalation
   emoji: "🔓🔑"
   tags: [security, dynamic, workload, cert, normal]

spec/utils/cnf_manager_spec.cr

@@ -128,7 +128,7 @@ describe "SampleUtils" do
 
   it "'CNFManager::Points.all_task_test_names' should return all tasks names", tags: ["points"] do
     CNFManager::Points.clean_results_yml
-		tags = ["alpha_k8s_apis", "application_credentials", "cni_compatible", "container_sock_mounts", "database_persistence", "default_namespace", "disk_fill", "elastic_volumes", "external_ips", "hardcoded_ip_addresses_in_k8s_runtime_configuration", "helm_chart_published", "helm_chart_valid", "helm_deploy", "host_network", "host_pid_ipc_privileges", "hostpath_mounts", "hostport_not_used", "immutable_configmap", "immutable_file_systems", "increase_decrease_capacity", "ingress_egress_blocked", "insecure_capabilities", "ip_addresses", "latest_tag", "linux_hardening", "liveness", "log_output", "no_local_volume_configuration", "node_drain", "nodeport_not_used", "non_root_containers", "open_metrics", "operator_installed", "oran_e2_connection", "pod_delete", "pod_dns_error", "pod_io_stress", "pod_memory_hog", "pod_network_corruption", "pod_network_duplication", "pod_network_latency", "privilege_escalation", "privileged", "privileged_containers", "prometheus_traffic", "readiness", "reasonable_image_size", "reasonable_startup_time", "require_labels", "cpu_limits", "memory_limits", "rollback", "rolling_downgrade", "rolling_update", "rolling_version_change", "routed_logs", "secrets_used", "selinux_options", "service_account_mapping", "service_discovery", "shared_database", "sig_term_handled", "single_process_type", "smf_upf_heartbeat", "specialized_init_system", "suci_enabled", "symlink_file_system", "sysctls", "tracing", "versioned_tag", "zombie_handled"]
+		tags = ["alpha_k8s_apis", "application_credentials", "cni_compatible", "container_sock_mounts", "database_persistence", "default_namespace", "disk_fill", "elastic_volumes", "external_ips", "hardcoded_ip_addresses_in_k8s_runtime_configuration", "helm_chart_published", "helm_chart_valid", "helm_deploy", "host_network", "host_pid_ipc_privileges", "hostpath_mounts", "hostport_not_used", "immutable_configmap", "immutable_file_systems", "increase_decrease_capacity", "ingress_egress_blocked", "insecure_capabilities", "ip_addresses", "latest_tag", "linux_hardening", "liveness", "log_output", "no_local_volume_configuration", "node_drain", "nodeport_not_used", "non_root_containers", "open_metrics", "operator_installed", "oran_e2_connection", "pod_delete", "pod_dns_error", "pod_io_stress", "pod_memory_hog", "pod_network_corruption", "pod_network_duplication", "pod_network_latency", "privilege_escalation", "privileged_containers", "prometheus_traffic", "readiness", "reasonable_image_size", "reasonable_startup_time", "require_labels", "cpu_limits", "memory_limits", "rollback", "rolling_downgrade", "rolling_update", "rolling_version_change", "routed_logs", "secrets_used", "selinux_options", "service_account_mapping", "service_discovery", "shared_database", "sig_term_handled", "single_process_type", "smf_upf_heartbeat", "specialized_init_system", "suci_enabled", "symlink_file_system", "sysctls", "tracing", "versioned_tag", "zombie_handled"]
     (CNFManager::Points.all_task_test_names()).sort.should eq(tags.sort)
   end
 

spec/utils/utils_spec.cr

@@ -105,9 +105,9 @@ describe "Utils" do
       Log.debug { "violator list: #{violation_list.flatten}" }
       emoji_security=""
       if resource_response 
-        resp = upsert_passed_task("privileged", "✔️  PASSED: No privileged containers", Time.utc)
+        resp = upsert_passed_task("privileged_containers", "✔️  PASSED: No privileged containers", Time.utc)
       else
-        resp = upsert_failed_task("privileged", "✖️  FAILED: Found #{violation_list.size} privileged containers: #{violation_list.inspect}", Time.utc)
+        resp = upsert_failed_task("privileged_containers", "✖️  FAILED: Found #{violation_list.size} privileged containers: #{violation_list.inspect}", Time.utc)
       end
       Log.info { resp }
       resp
@@ -156,7 +156,7 @@ describe "Utils" do
       result = ShellCmd.run_testsuite("cnf_setup cnf-path=sample-cnfs/sample_privileged_cnf")
     task_response = CNFManager::Task.all_cnfs_task_runner(my_args) do |args, config|
       Log.info { "all_cnfs_task_runner spec args #{args.inspect}" }
-      Log.for("verbose").info { "privileged" } if check_verbose(args)
+      Log.for("verbose").info { "privileged_containers" } if check_verbose(args)
       white_list_container_names = config.cnf_config[:white_list_container_names]
       Log.for("verbose").info { "white_list_container_names #{white_list_container_names.inspect}" } if check_verbose(args)
       violation_list = [] of String
@@ -178,9 +178,9 @@ describe "Utils" do
       Log.debug { "violator list: #{violation_list.flatten}" }
       emoji_security=""
       if resource_response 
-        resp = upsert_passed_task("privileged", "✔️  PASSED: No privileged containers", Time.utc)
+        resp = upsert_passed_task("privileged_containers", "✔️  PASSED: No privileged containers", Time.utc)
       else
-        resp = upsert_failed_task("privileged", "✖️  FAILED: Found #{violation_list.size} privileged containers: #{violation_list.inspect}", Time.utc)
+        resp = upsert_failed_task("privileged_containers", "✖️  FAILED: Found #{violation_list.size} privileged containers: #{violation_list.inspect}", Time.utc)
       end
       resp
     end
@@ -194,7 +194,7 @@ describe "Utils" do
   it "'task_runner' should run a test against a single cnf if passed a cnf-config argument even if there are multiple cnfs installed", tags: ["task_runner"]  do
     result = ShellCmd.run_testsuite("cnf_setup cnf-config=sample-cnfs/sample-generic-cnf/cnf-testsuite.yml")
     result = ShellCmd.run_testsuite("cnf_setup cnf-config=sample-cnfs/sample_privileged_cnf/cnf-testsuite.yml")
-    result = ShellCmd.run_testsuite("privileged")
+    result = ShellCmd.run_testsuite("privileged_containers")
     (/(FAILED).*(Found 1 privileged containers)/ =~ result[:output]).should_not be_nil
   ensure
     result = ShellCmd.run_testsuite("cnf_cleanup cnf-config=sample-cnfs/sample-generic-cnf/cnf-testsuite.yml")

spec/workload/security_spec.cr

@@ -4,42 +4,42 @@ require "../../src/tasks/utils/utils.cr"
 
 describe "Security" do
 
-  it "'privileged' should pass with a non-privileged cnf", tags: ["privileged"]  do
+  it "'privileged_containers' should pass with a non-privileged cnf", tags: ["privileges"]  do
     begin
       result = ShellCmd.run_testsuite("cnf_setup cnf-config=sample-cnfs/sample-statefulset-cnf/cnf-testsuite.yml")
       Log.debug { result[:output] }
-      result = ShellCmd.run_testsuite("privileged verbose")
+      result = ShellCmd.run_testsuite("privileged_containers verbose")
       result[:status].success?.should be_true
-      (/Found.*privileged containers.*coredns/ =~ result[:output]).should be_nil
+      (/No privileged containers/ =~ result[:output]).should_not be_nil
     ensure
       result = ShellCmd.run_testsuite("cnf_cleanup cnf-config=sample-cnfs/sample-statefulset-cnf/cnf-testsuite.yml")
       Log.debug { result[:output] }
     end
   end
-  it "'privileged' should fail on a non-whitelisted, privileged cnf", tags: ["privileged"] do
+  it "'privileged_containers' should fail on a non-whitelisted, privileged cnf", tags: ["privileges"] do
     begin
       result = ShellCmd.run_testsuite("cnf_setup cnf-config=./sample-cnfs/sample_privileged_cnf/cnf-testsuite.yml verbose wait_count=0")
       result[:status].success?.should be_true
-      result = ShellCmd.run_testsuite("privileged verbose")
+      result = ShellCmd.run_testsuite("privileged_containers verbose")
       result[:status].success?.should be_true
       (/Found.*privileged containers.*/ =~ result[:output]).should_not be_nil
       (/Privileged container (privileged-coredns) in.*/ =~ result[:output]).should_not be_nil
     ensure
       result = ShellCmd.run_testsuite("sample_privileged_cnf_non_whitelisted_cleanup")
     end
   end
-  it "'privileged' should pass on a whitelisted, privileged cnf", tags: ["privileged"] do
+  it "'privileged_containers' should pass on a whitelisted, privileged cnf", tags: ["privileges"] do
     begin
       result = ShellCmd.run_testsuite("cnf_setup cnf-config=./sample-cnfs/sample_whitelisted_privileged_cnf/cnf-testsuite.yml verbose wait_count=0")
       result[:status].success?.should be_true
-      result = ShellCmd.run_testsuite("privileged cnf-config=sample-cnfs/sample_whitelisted_privileged_cnf verbose")
+      result = ShellCmd.run_testsuite("privileged_containers cnf-config=sample-cnfs/sample_whitelisted_privileged_cnf verbose")
       result[:status].success?.should be_true
       (/Found.*privileged containers.*/ =~ result[:output]).should be_nil
     ensure
       result = ShellCmd.run_testsuite("sample_privileged_cnf_whitelisted_cleanup")
     end
   end
-  it "'privilege_escalation' should fail on a cnf that has escalated privileges", tags: ["privileged"] do
+  it "'privilege_escalation' should fail on a cnf that has escalated privileges", tags: ["privileges"] do
     begin
       result = ShellCmd.run_testsuite("cnf_setup cnf-config=./sample-cnfs/sample-privilege-escalation/cnf-testsuite.yml")
       result[:status].success?.should be_true
@@ -51,7 +51,7 @@ describe "Security" do
     end
   end
 
-  it "'privilege_escalation' should pass on a cnf that does not have escalated privileges", tags: ["privileged"] do
+  it "'privilege_escalation' should pass on a cnf that does not have escalated privileges", tags: ["privileges"] do
     begin
       result = ShellCmd.run_testsuite("cnf_setup cnf-config=./sample-cnfs/sample-nonroot-containers/cnf-testsuite.yml")
       result[:status].success?.should be_true
@@ -219,18 +219,6 @@ describe "Security" do
     end
   end
 
-  it "'privileged_containers' should pass when the cnf has no privileged containers", tags: ["privileged"] do
-    begin
-      result = ShellCmd.run_testsuite("cnf_setup cnf-config=./sample-cnfs/sample-coredns-cnf")
-      result[:status].success?.should be_true
-      result = ShellCmd.run_testsuite("privileged_containers")
-      result[:status].success?.should be_true
-      (/(FAILED).*(Found privileged containers)/ =~ result[:output]).should be_nil
-    ensure
-      result = ShellCmd.run_testsuite("cnf_cleanup cnf-config=./sample-cnfs/sample-coredns-cnf")
-    end
-  end
-
   it "'immutable_file_systems' should fail when the cnf containers with mutable file systems", tags: ["security"] do
     begin
       result = ShellCmd.run_testsuite("cnf_setup cnf-config=./sample-cnfs/sample-coredns-cnf")

src/tasks/workload/security.cr

@@ -7,7 +7,6 @@ require "../utils/utils.cr"
 
 desc "CNF containers should be isolated from one another and the host.  The CNF Test suite uses tools like Sysdig Inspect and gVisor"
 task "security", [
-    "privileged",
     "symlink_file_system",
     "privilege_escalation",
     "insecure_capabilities",
@@ -137,7 +136,7 @@ task "container_sock_mounts" do |t, args|
 end
 
 desc "Check if any containers are running in privileged mode"
-task "privileged" do |t, args|
+task "privileged_containers" do |t, args|
   CNFManager::Task.task_runner(args, task: t) do |args, config|
     white_list_container_names = config.cnf_config[:white_list_container_names]
     VERBOSE_LOGGING.info "white_list_container_names #{white_list_container_names.inspect}" if check_verbose(args)
@@ -397,26 +396,6 @@ task "non_root_containers", ["kubescape_scan"] do |t, args|
   end
 end
 
-desc "Check that privileged containers are not used"
-task "privileged_containers", ["kubescape_scan" ] do |t, args|
-  CNFManager::Task.task_runner(args, task: t) do |args, config|
-    results_json = Kubescape.parse
-    test_json = Kubescape.test_by_test_name(results_json, "Privileged container")
-    test_report = Kubescape.parse_test_report(test_json)
-    resource_keys = CNFManager.workload_resource_keys(args, config)
-    test_report = Kubescape.filter_cnf_resources(test_report, resource_keys)
-
-    #todo whitelist
-    if test_report.failed_resources.size == 0
-      CNFManager::TestcaseResult.new(CNFManager::ResultStatus::Passed, "No privileged containers were found")
-    else
-      test_report.failed_resources.map {|r| stdout_failure(r.alert_message) }
-      stdout_failure("Remediation: #{test_report.remediation}")
-      CNFManager::TestcaseResult.new(CNFManager::ResultStatus::Failed, "Found privileged containers")
-    end
-  end
-end
-
 desc "Check if containers have immutable file systems"
 task "immutable_file_systems", ["kubescape_scan"] do |t, args|
   CNFManager::Task.task_runner(args, task: t) do |args, config|