fix code reviews

Author: jcantrill

test/e2e/operator/tls/e2e_test.go

@@ -23,25 +23,18 @@ var _ = Describe("[E2E][Operator][TLS] TLS Scanner Validation", func() {
 	)
 
 	var (
-		e2e            *framework.E2ETestFramework
-		clf            *obs.ClusterLogForwarder
-		l              *loki.Receiver
-		lokiNS         string
-		scannerNS      string
-		sa             *corev1.ServiceAccount
-		err            error
-		skipTLSScanner bool
+		e2e       *framework.E2ETestFramework
+		clf       *obs.ClusterLogForwarder
+		l         *loki.Receiver
+		lokiNS    string
+		scannerNS string
+		sa        *corev1.ServiceAccount
+		err       error
 	)
 
 	BeforeEach(func() {
 		e2e = framework.NewE2ETestFramework()
 
-		// Check if TLS Scanner image is available
-		if tlsscanner.GetImage() == "" {
-			skipTLSScanner = true
-			Skip("TLS Scanner image not available")
-		}
-
 		lokiNS = e2e.CreateTestNamespace()
 		scannerNS = e2e.CreateTestNamespace()
 
@@ -116,10 +109,6 @@ var _ = Describe("[E2E][Operator][TLS] TLS Scanner Validation", func() {
 	})
 
 	AfterEach(func() {
-		if skipTLSScanner {
-			return
-		}
-
 		e2e.Cleanup()
 	}, framework.DefaultCleanUpTimeout)
 

test/framework/e2e/tls/scanner.go

@@ -117,7 +117,6 @@ func (s *Scanner) Deploy(scannerNamespace, targetNamespace string) (*batchv1.Job
 	// Create the Job
 	backoffLimit := int32(0)
 	ttlSecondsAfterFinished := int32(600) // Keep job for 10 minutes after completion
-	privileged := true
 
 	job := &batchv1.Job{
 		ObjectMeta: metav1.ObjectMeta{
@@ -140,9 +139,8 @@ func (s *Scanner) Deploy(scannerNamespace, targetNamespace string) (*batchv1.Job
 								"-csv-file", "/tmp/scan-results.csv",
 								"-j", "4", // Use 4 concurrent threads
 							},
-							SecurityContext: &corev1.SecurityContext{
-								Privileged: &privileged,
-							},
+							// No privileged mode needed - using default "pod" scan mode
+							// which scans running pods' TLS ports, not host ports
 						},
 					},
 				},
@@ -332,7 +330,7 @@ func ValidateCompliance(results []ScanResult, profileSpec configv1.TLSProfileSpe
 	return nil
 }
 
-// containsTLSVersion checks if the TLS versions string contains at least the minimum required version
+// containsTLSVersion checks if all TLS versions meet the minimum required version
 func containsTLSVersion(tlsVersions, minVersion string) bool {
 	// If no TLS versions detected, fail validation
 	if tlsVersions == "" {
@@ -346,16 +344,25 @@ func containsTLSVersion(tlsVersions, minVersion string) bool {
 		return true
 	}
 
-	// Check if any of the supported versions meets the minimum
+	// Check that ALL supported versions meet the minimum
 	versions := strings.Split(tlsVersions, ",")
+	foundVersion := false
 	for _, v := range versions {
 		v = strings.TrimSpace(v)
-		if vNum := parseTLSVersion(v); vNum >= minVersionNum {
-			return true
+		vNum := parseTLSVersion(v)
+		if vNum == 0 {
+			// Skip unparseable versions
+			continue
+		}
+		foundVersion = true
+		if vNum < minVersionNum {
+			// Found a version below the minimum - fail validation
+			return false
 		}
 	}
 
-	return false
+	// Return true only if we found at least one version and none were below minimum
+	return foundVersion
 }
 
 // parseTLSVersion converts TLS version string to a comparable number