@@ -26,6 +26,7 @@ var _ = g.Describe("[sig-auth][Feature:SecurityPenetration] ", func() {
2626
2727 // CNF-18378: Check For Plain Text Passwords
2828 g .It ("TestNoPasswordExposedInLogFiles [apigroup:config.openshift.io]" , ote .Informing (), func () {
29+ skipIfNotBaremetal (oc )
2930 ctx := context .Background ()
3031
3132 // Skip for HyperShift - control plane is hosted separately
@@ -60,6 +61,7 @@ var _ = g.Describe("[sig-auth][Feature:SecurityPenetration] ", func() {
6061
6162 // CNF-21165: Check CNI SELinux From All Nodes
6263 g .It ("TestProperSELinuxContextOnCNI" , ote .Informing (), func () {
64+ skipIfNotBaremetal (oc )
6365 ctx := context .Background ()
6466
6567 g .By ("Getting all node names" )
@@ -82,20 +84,23 @@ var _ = g.Describe("[sig-auth][Feature:SecurityPenetration] ", func() {
8284 // CNF-22599: Combined NRHO Security Penetration Tests
8385 g .Describe ("Security Penetration Tests" , func () {
8486 g .It ("TestNoSSHKeysInUnexpectedSecrets [apigroup:security.openshift.io]" , ote .Informing (), func () {
87+ skipIfNotBaremetal (oc )
8588 ctx := context .Background ()
8689 unexpectedSecretCount := countSecretsContainingSSHKeys (ctx , oc )
8790 o .Expect (unexpectedSecretCount ).To (o .Equal (0 ),
8891 fmt .Sprintf ("Found %d unexpected Secret(s) containing SSH private keys (details redacted for security)" , unexpectedSecretCount ))
8992 })
9093
9194 g .It ("TestNoUnexpectedPrivilegedPods" , ote .Informing (), func () {
95+ skipIfNotBaremetal (oc )
9296 ctx := context .Background ()
9397 privilegedPodCount := countPrivilegedPodsInUserNamespaces (ctx , oc )
9498 o .Expect (privilegedPodCount ).To (o .Equal (0 ),
9599 fmt .Sprintf ("Found %d privileged pod(s) in user namespaces (details redacted for security)" , privilegedPodCount ))
96100 })
97101
98102 g .It ("TestProperNodeSudoConfiguration" , ote .Informing (), func () {
103+ skipIfNotBaremetal (oc )
99104 ctx := context .Background ()
100105 nodes , err := oc .AdminKubeClient ().CoreV1 ().Nodes ().List (ctx , metav1.ListOptions {})
101106 o .Expect (err ).NotTo (o .HaveOccurred ())
@@ -106,6 +111,7 @@ var _ = g.Describe("[sig-auth][Feature:SecurityPenetration] ", func() {
106111 })
107112
108113 g .It ("TestEtcdBackupEncryptionAndRestriction [apigroup:config.openshift.io][apigroup:operator.openshift.io]" , ote .Informing (), func () {
114+ skipIfNotBaremetal (oc )
109115 ctx := context .Background ()
110116 verifyEtcdEncryptionAtRest (ctx , oc )
111117
@@ -137,13 +143,15 @@ var _ = g.Describe("[sig-auth][Feature:SecurityPenetration] ", func() {
137143 fmt .Sprintf ("Critical etcd files are world-readable: %v" , allCriticalFiles ))
138144 })
139145 g .It ("TestAllRoutesUseTLS [apigroup:route.openshift.io]" , ote .Informing (), func () {
146+ skipIfNotBaremetal (oc )
140147 ctx := context .Background ()
141148 routesWithoutTLSCount := countRoutesWithoutTLS (ctx , oc )
142149 o .Expect (routesWithoutTLSCount ).To (o .Equal (0 ),
143150 fmt .Sprintf ("Found %d route(s) without TLS (details redacted for security)" , routesWithoutTLSCount ))
144151 })
145152
146153 g .It ("TestEtcdDirectoryPermissions [apigroup:operator.openshift.io]" , ote .Informing (), func () {
154+ skipIfNotBaremetal (oc )
147155 ctx := context .Background ()
148156
149157 // Skip master node checks for HyperShift and MicroShift
@@ -175,6 +183,7 @@ var _ = g.Describe("[sig-auth][Feature:SecurityPenetration] ", func() {
175183 })
176184
177185 g .It ("TestSecurityToolingInstalled [apigroup:operators.coreos.com]" , ote .Informing (), func () {
186+ skipIfNotBaremetal (oc )
178187 ctx := context .Background ()
179188 foundOperators := checkSecurityOperators (ctx , oc )
180189 o .Expect (foundOperators ).NotTo (o .BeEmpty (),
@@ -185,6 +194,7 @@ var _ = g.Describe("[sig-auth][Feature:SecurityPenetration] ", func() {
185194 })
186195
187196 g .It ("TestMonitoringStackHealthy" , ote .Informing (), func () {
197+ skipIfNotBaremetal (oc )
188198 ctx := context .Background ()
189199 notRunningPods := getNonRunningMonitoringPods (ctx , oc )
190200 o .Expect (notRunningPods ).To (o .BeEmpty (),
@@ -195,12 +205,14 @@ var _ = g.Describe("[sig-auth][Feature:SecurityPenetration] ", func() {
195205 })
196206
197207 g .It ("TestNetworkTrafficEncrypted [apigroup:operator.openshift.io]" , ote .Informing (), func () {
208+ skipIfNotBaremetal (oc )
198209 ctx := context .Background ()
199210 etcdUsesTLS := verifyEtcdUsesTLS (ctx , oc )
200211 o .Expect (etcdUsesTLS ).To (o .BeTrue (), "Etcd is not using TLS certificates" )
201212 })
202213
203214 g .It ("TestNoUnprotectedDatabasePods" , ote .Informing (), func () {
215+ skipIfNotBaremetal (oc )
204216 ctx := context .Background ()
205217 dbPodCount := countDatabasePods (ctx , oc )
206218 // Fail if database pods are found - they should use Secrets for credentials
@@ -209,6 +221,7 @@ var _ = g.Describe("[sig-auth][Feature:SecurityPenetration] ", func() {
209221 })
210222
211223 g .It ("TestNoUnexpectedClusterAdminServiceAccounts [apigroup:rbac.authorization.k8s.io]" , ote .Informing (), func () {
224+ skipIfNotBaremetal (oc )
212225 ctx := context .Background ()
213226 bindingCount := countClusterAdminServiceAccountBindings (ctx , oc )
214227 // Fail if unexpected cluster-admin service accounts are found
@@ -217,6 +230,7 @@ var _ = g.Describe("[sig-auth][Feature:SecurityPenetration] ", func() {
217230 })
218231
219232 g .It ("TestNoNFSVolumesRisk" , ote .Informing (), func () {
233+ skipIfNotBaremetal (oc )
220234 ctx := context .Background ()
221235 nfsPVCount := countNFSPersistentVolumes (ctx , oc )
222236 // Fail if NFS PVs are found - verify root_squash is enabled on NFS servers
@@ -225,6 +239,7 @@ var _ = g.Describe("[sig-auth][Feature:SecurityPenetration] ", func() {
225239 })
226240
227241 g .It ("TestContainerRegistryAuthentication [apigroup:config.openshift.io]" , ote .Informing (), func () {
242+ skipIfNotBaremetal (oc )
228243 ctx := context .Background ()
229244 insecureRegistryCount := countInsecureRegistries (ctx , oc )
230245 o .Expect (insecureRegistryCount ).To (o .Equal (0 ),
@@ -514,6 +529,10 @@ func findUnexpectedSudoersFiles(oc *exutil.CLI, nodes []corev1.Node) []string {
514529 if strings .Contains (output , "No such file or directory" ) {
515530 continue
516531 }
532+ // Skip namespace errors - these are test infrastructure issues, not security findings
533+ if strings .Contains (output , "unable to get namespace" ) || strings .Contains (output , "not found" ) {
534+ continue
535+ }
517536 // Record other inspection failures
518537 unexpected = append (unexpected ,
519538 fmt .Sprintf ("%s: failed to inspect sudoers.d (error: %v)" , node .Name , err ))
@@ -853,3 +872,16 @@ func hasRegistryExternalRoute(ctx context.Context, oc *exutil.CLI) bool {
853872
854873 return len (routes .Items ) > 0
855874}
875+
876+ // skipIfNotBaremetal skips the test if not running on baremetal platform
877+ func skipIfNotBaremetal (oc * exutil.CLI ) {
878+ g .By ("checking platform type" )
879+
880+ infra , err := oc .AdminConfigClient ().ConfigV1 ().Infrastructures ().Get (
881+ context .Background (), "cluster" , metav1.GetOptions {})
882+ o .Expect (err ).NotTo (o .HaveOccurred ())
883+
884+ if infra .Status .PlatformStatus .Type != configv1 .BareMetalPlatformType {
885+ e2eskipper .Skipf ("Security penetration tests only run on baremetal platform" )
886+ }
887+ }
0 commit comments