Skip to content

Commit a4c7ba5

Browse files
committed
Penetration tests will run only on Baremetal platform
1 parent a914623 commit a4c7ba5

1 file changed

Lines changed: 32 additions & 0 deletions

File tree

test/extended/security/penetration.go

Lines changed: 32 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -26,6 +26,7 @@ var _ = g.Describe("[sig-auth][Feature:SecurityPenetration] ", func() {
2626

2727
// CNF-18378: Check For Plain Text Passwords
2828
g.It("TestNoPasswordExposedInLogFiles [apigroup:config.openshift.io]", ote.Informing(), func() {
29+
skipIfNotBaremetal(oc)
2930
ctx := context.Background()
3031

3132
// Skip for HyperShift - control plane is hosted separately
@@ -60,6 +61,7 @@ var _ = g.Describe("[sig-auth][Feature:SecurityPenetration] ", func() {
6061

6162
// CNF-21165: Check CNI SELinux From All Nodes
6263
g.It("TestProperSELinuxContextOnCNI", ote.Informing(), func() {
64+
skipIfNotBaremetal(oc)
6365
ctx := context.Background()
6466

6567
g.By("Getting all node names")
@@ -82,20 +84,23 @@ var _ = g.Describe("[sig-auth][Feature:SecurityPenetration] ", func() {
8284
// CNF-22599: Combined NRHO Security Penetration Tests
8385
g.Describe("Security Penetration Tests", func() {
8486
g.It("TestNoSSHKeysInUnexpectedSecrets [apigroup:security.openshift.io]", ote.Informing(), func() {
87+
skipIfNotBaremetal(oc)
8588
ctx := context.Background()
8689
unexpectedSecretCount := countSecretsContainingSSHKeys(ctx, oc)
8790
o.Expect(unexpectedSecretCount).To(o.Equal(0),
8891
fmt.Sprintf("Found %d unexpected Secret(s) containing SSH private keys (details redacted for security)", unexpectedSecretCount))
8992
})
9093

9194
g.It("TestNoUnexpectedPrivilegedPods", ote.Informing(), func() {
95+
skipIfNotBaremetal(oc)
9296
ctx := context.Background()
9397
privilegedPodCount := countPrivilegedPodsInUserNamespaces(ctx, oc)
9498
o.Expect(privilegedPodCount).To(o.Equal(0),
9599
fmt.Sprintf("Found %d privileged pod(s) in user namespaces (details redacted for security)", privilegedPodCount))
96100
})
97101

98102
g.It("TestProperNodeSudoConfiguration", ote.Informing(), func() {
103+
skipIfNotBaremetal(oc)
99104
ctx := context.Background()
100105
nodes, err := oc.AdminKubeClient().CoreV1().Nodes().List(ctx, metav1.ListOptions{})
101106
o.Expect(err).NotTo(o.HaveOccurred())
@@ -106,6 +111,7 @@ var _ = g.Describe("[sig-auth][Feature:SecurityPenetration] ", func() {
106111
})
107112

108113
g.It("TestEtcdBackupEncryptionAndRestriction [apigroup:config.openshift.io][apigroup:operator.openshift.io]", ote.Informing(), func() {
114+
skipIfNotBaremetal(oc)
109115
ctx := context.Background()
110116
verifyEtcdEncryptionAtRest(ctx, oc)
111117

@@ -137,13 +143,15 @@ var _ = g.Describe("[sig-auth][Feature:SecurityPenetration] ", func() {
137143
fmt.Sprintf("Critical etcd files are world-readable: %v", allCriticalFiles))
138144
})
139145
g.It("TestAllRoutesUseTLS [apigroup:route.openshift.io]", ote.Informing(), func() {
146+
skipIfNotBaremetal(oc)
140147
ctx := context.Background()
141148
routesWithoutTLSCount := countRoutesWithoutTLS(ctx, oc)
142149
o.Expect(routesWithoutTLSCount).To(o.Equal(0),
143150
fmt.Sprintf("Found %d route(s) without TLS (details redacted for security)", routesWithoutTLSCount))
144151
})
145152

146153
g.It("TestEtcdDirectoryPermissions [apigroup:operator.openshift.io]", ote.Informing(), func() {
154+
skipIfNotBaremetal(oc)
147155
ctx := context.Background()
148156

149157
// Skip master node checks for HyperShift and MicroShift
@@ -175,6 +183,7 @@ var _ = g.Describe("[sig-auth][Feature:SecurityPenetration] ", func() {
175183
})
176184

177185
g.It("TestSecurityToolingInstalled [apigroup:operators.coreos.com]", ote.Informing(), func() {
186+
skipIfNotBaremetal(oc)
178187
ctx := context.Background()
179188
foundOperators := checkSecurityOperators(ctx, oc)
180189
o.Expect(foundOperators).NotTo(o.BeEmpty(),
@@ -185,6 +194,7 @@ var _ = g.Describe("[sig-auth][Feature:SecurityPenetration] ", func() {
185194
})
186195

187196
g.It("TestMonitoringStackHealthy", ote.Informing(), func() {
197+
skipIfNotBaremetal(oc)
188198
ctx := context.Background()
189199
notRunningPods := getNonRunningMonitoringPods(ctx, oc)
190200
o.Expect(notRunningPods).To(o.BeEmpty(),
@@ -195,12 +205,14 @@ var _ = g.Describe("[sig-auth][Feature:SecurityPenetration] ", func() {
195205
})
196206

197207
g.It("TestNetworkTrafficEncrypted [apigroup:operator.openshift.io]", ote.Informing(), func() {
208+
skipIfNotBaremetal(oc)
198209
ctx := context.Background()
199210
etcdUsesTLS := verifyEtcdUsesTLS(ctx, oc)
200211
o.Expect(etcdUsesTLS).To(o.BeTrue(), "Etcd is not using TLS certificates")
201212
})
202213

203214
g.It("TestNoUnprotectedDatabasePods", ote.Informing(), func() {
215+
skipIfNotBaremetal(oc)
204216
ctx := context.Background()
205217
dbPodCount := countDatabasePods(ctx, oc)
206218
// Fail if database pods are found - they should use Secrets for credentials
@@ -209,6 +221,7 @@ var _ = g.Describe("[sig-auth][Feature:SecurityPenetration] ", func() {
209221
})
210222

211223
g.It("TestNoUnexpectedClusterAdminServiceAccounts [apigroup:rbac.authorization.k8s.io]", ote.Informing(), func() {
224+
skipIfNotBaremetal(oc)
212225
ctx := context.Background()
213226
bindingCount := countClusterAdminServiceAccountBindings(ctx, oc)
214227
// Fail if unexpected cluster-admin service accounts are found
@@ -217,6 +230,7 @@ var _ = g.Describe("[sig-auth][Feature:SecurityPenetration] ", func() {
217230
})
218231

219232
g.It("TestNoNFSVolumesRisk", ote.Informing(), func() {
233+
skipIfNotBaremetal(oc)
220234
ctx := context.Background()
221235
nfsPVCount := countNFSPersistentVolumes(ctx, oc)
222236
// Fail if NFS PVs are found - verify root_squash is enabled on NFS servers
@@ -225,6 +239,7 @@ var _ = g.Describe("[sig-auth][Feature:SecurityPenetration] ", func() {
225239
})
226240

227241
g.It("TestContainerRegistryAuthentication [apigroup:config.openshift.io]", ote.Informing(), func() {
242+
skipIfNotBaremetal(oc)
228243
ctx := context.Background()
229244
insecureRegistryCount := countInsecureRegistries(ctx, oc)
230245
o.Expect(insecureRegistryCount).To(o.Equal(0),
@@ -514,6 +529,10 @@ func findUnexpectedSudoersFiles(oc *exutil.CLI, nodes []corev1.Node) []string {
514529
if strings.Contains(output, "No such file or directory") {
515530
continue
516531
}
532+
// Skip namespace errors - these are test infrastructure issues, not security findings
533+
if strings.Contains(output, "unable to get namespace") || strings.Contains(output, "not found") {
534+
continue
535+
}
517536
// Record other inspection failures
518537
unexpected = append(unexpected,
519538
fmt.Sprintf("%s: failed to inspect sudoers.d (error: %v)", node.Name, err))
@@ -853,3 +872,16 @@ func hasRegistryExternalRoute(ctx context.Context, oc *exutil.CLI) bool {
853872

854873
return len(routes.Items) > 0
855874
}
875+
876+
// skipIfNotBaremetal skips the test if not running on baremetal platform
877+
func skipIfNotBaremetal(oc *exutil.CLI) {
878+
g.By("checking platform type")
879+
880+
infra, err := oc.AdminConfigClient().ConfigV1().Infrastructures().Get(
881+
context.Background(), "cluster", metav1.GetOptions{})
882+
o.Expect(err).NotTo(o.HaveOccurred())
883+
884+
if infra.Status.PlatformStatus.Type != configv1.BareMetalPlatformType {
885+
e2eskipper.Skipf("Security penetration tests only run on baremetal platform")
886+
}
887+
}

0 commit comments

Comments
 (0)