Skip to content

Commit a914623

Browse files
committed
Made penetration tests informing for now
1 parent a098abc commit a914623

1 file changed

Lines changed: 21 additions & 16 deletions

File tree

test/extended/security/penetration.go

Lines changed: 21 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -8,6 +8,7 @@ import (
88

99
g "github.com/onsi/ginkgo/v2"
1010
o "github.com/onsi/gomega"
11+
ote "github.com/openshift-eng/openshift-tests-extension/pkg/ginkgo"
1112

1213
corev1 "k8s.io/api/core/v1"
1314
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -24,7 +25,7 @@ var _ = g.Describe("[sig-auth][Feature:SecurityPenetration] ", func() {
2425
oc := exutil.NewCLIWithoutNamespace("security-penetration")
2526

2627
// CNF-18378: Check For Plain Text Passwords
27-
g.It("TestNoPasswordExposedInLogFiles [apigroup:config.openshift.io]", func() {
28+
g.It("TestNoPasswordExposedInLogFiles [apigroup:config.openshift.io]", ote.Informing(), func() {
2829
ctx := context.Background()
2930

3031
// Skip for HyperShift - control plane is hosted separately
@@ -58,7 +59,7 @@ var _ = g.Describe("[sig-auth][Feature:SecurityPenetration] ", func() {
5859
})
5960

6061
// CNF-21165: Check CNI SELinux From All Nodes
61-
g.It("TestProperSELinuxContextOnCNI", func() {
62+
g.It("TestProperSELinuxContextOnCNI", ote.Informing(), func() {
6263
ctx := context.Background()
6364

6465
g.By("Getting all node names")
@@ -80,21 +81,21 @@ var _ = g.Describe("[sig-auth][Feature:SecurityPenetration] ", func() {
8081

8182
// CNF-22599: Combined NRHO Security Penetration Tests
8283
g.Describe("Security Penetration Tests", func() {
83-
g.It("TestNoSSHKeysInUnexpectedSecrets [apigroup:security.openshift.io]", func() {
84+
g.It("TestNoSSHKeysInUnexpectedSecrets [apigroup:security.openshift.io]", ote.Informing(), func() {
8485
ctx := context.Background()
8586
unexpectedSecretCount := countSecretsContainingSSHKeys(ctx, oc)
8687
o.Expect(unexpectedSecretCount).To(o.Equal(0),
8788
fmt.Sprintf("Found %d unexpected Secret(s) containing SSH private keys (details redacted for security)", unexpectedSecretCount))
8889
})
8990

90-
g.It("TestNoUnexpectedPrivilegedPods", func() {
91+
g.It("TestNoUnexpectedPrivilegedPods", ote.Informing(), func() {
9192
ctx := context.Background()
9293
privilegedPodCount := countPrivilegedPodsInUserNamespaces(ctx, oc)
9394
o.Expect(privilegedPodCount).To(o.Equal(0),
9495
fmt.Sprintf("Found %d privileged pod(s) in user namespaces (details redacted for security)", privilegedPodCount))
9596
})
9697

97-
g.It("TestProperNodeSudoConfiguration", func() {
98+
g.It("TestProperNodeSudoConfiguration", ote.Informing(), func() {
9899
ctx := context.Background()
99100
nodes, err := oc.AdminKubeClient().CoreV1().Nodes().List(ctx, metav1.ListOptions{})
100101
o.Expect(err).NotTo(o.HaveOccurred())
@@ -104,7 +105,7 @@ var _ = g.Describe("[sig-auth][Feature:SecurityPenetration] ", func() {
104105
fmt.Sprintf("Unexpected sudoers files found: %v", unexpectedSudoers))
105106
})
106107

107-
g.It("TestEtcdBackupEncryptionAndRestriction [apigroup:config.openshift.io][apigroup:operator.openshift.io]", func() {
108+
g.It("TestEtcdBackupEncryptionAndRestriction [apigroup:config.openshift.io][apigroup:operator.openshift.io]", ote.Informing(), func() {
108109
ctx := context.Background()
109110
verifyEtcdEncryptionAtRest(ctx, oc)
110111

@@ -135,14 +136,14 @@ var _ = g.Describe("[sig-auth][Feature:SecurityPenetration] ", func() {
135136
o.Expect(allCriticalFiles).To(o.BeEmpty(),
136137
fmt.Sprintf("Critical etcd files are world-readable: %v", allCriticalFiles))
137138
})
138-
g.It("TestAllRoutesUseTLS [apigroup:route.openshift.io]", func() {
139+
g.It("TestAllRoutesUseTLS [apigroup:route.openshift.io]", ote.Informing(), func() {
139140
ctx := context.Background()
140141
routesWithoutTLSCount := countRoutesWithoutTLS(ctx, oc)
141142
o.Expect(routesWithoutTLSCount).To(o.Equal(0),
142143
fmt.Sprintf("Found %d route(s) without TLS (details redacted for security)", routesWithoutTLSCount))
143144
})
144145

145-
g.It("TestEtcdDirectoryPermissions [apigroup:operator.openshift.io]", func() {
146+
g.It("TestEtcdDirectoryPermissions [apigroup:operator.openshift.io]", ote.Informing(), func() {
146147
ctx := context.Background()
147148

148149
// Skip master node checks for HyperShift and MicroShift
@@ -173,7 +174,7 @@ var _ = g.Describe("[sig-auth][Feature:SecurityPenetration] ", func() {
173174
fmt.Sprintf("Etcd data directory permission issues: %v", allProblems))
174175
})
175176

176-
g.It("TestSecurityToolingInstalled [apigroup:operators.coreos.com]", func() {
177+
g.It("TestSecurityToolingInstalled [apigroup:operators.coreos.com]", ote.Informing(), func() {
177178
ctx := context.Background()
178179
foundOperators := checkSecurityOperators(ctx, oc)
179180
o.Expect(foundOperators).NotTo(o.BeEmpty(),
@@ -183,7 +184,7 @@ var _ = g.Describe("[sig-auth][Feature:SecurityPenetration] ", func() {
183184
g.By(fmt.Sprintf("Audit log profile: %s", auditProfile))
184185
})
185186

186-
g.It("TestMonitoringStackHealthy", func() {
187+
g.It("TestMonitoringStackHealthy", ote.Informing(), func() {
187188
ctx := context.Background()
188189
notRunningPods := getNonRunningMonitoringPods(ctx, oc)
189190
o.Expect(notRunningPods).To(o.BeEmpty(),
@@ -193,37 +194,37 @@ var _ = g.Describe("[sig-auth][Feature:SecurityPenetration] ", func() {
193194
o.Expect(rulesCount).To(o.BeNumerically(">", 0), "No Prometheus rules found")
194195
})
195196

196-
g.It("TestNetworkTrafficEncrypted [apigroup:operator.openshift.io]", func() {
197+
g.It("TestNetworkTrafficEncrypted [apigroup:operator.openshift.io]", ote.Informing(), func() {
197198
ctx := context.Background()
198199
etcdUsesTLS := verifyEtcdUsesTLS(ctx, oc)
199200
o.Expect(etcdUsesTLS).To(o.BeTrue(), "Etcd is not using TLS certificates")
200201
})
201202

202-
g.It("TestNoUnprotectedDatabasePods", func() {
203+
g.It("TestNoUnprotectedDatabasePods", ote.Informing(), func() {
203204
ctx := context.Background()
204205
dbPodCount := countDatabasePods(ctx, oc)
205206
// Fail if database pods are found - they should use Secrets for credentials
206207
o.Expect(dbPodCount).To(o.Equal(0),
207208
fmt.Sprintf("Found %d database pod(s) - verify credentials use Secrets (details redacted for security)", dbPodCount))
208209
})
209210

210-
g.It("TestNoUnexpectedClusterAdminServiceAccounts [apigroup:rbac.authorization.k8s.io]", func() {
211+
g.It("TestNoUnexpectedClusterAdminServiceAccounts [apigroup:rbac.authorization.k8s.io]", ote.Informing(), func() {
211212
ctx := context.Background()
212213
bindingCount := countClusterAdminServiceAccountBindings(ctx, oc)
213214
// Fail if unexpected cluster-admin service accounts are found
214215
o.Expect(bindingCount).To(o.Equal(0),
215216
fmt.Sprintf("Found %d ServiceAccount(s) with cluster-admin role - review for unexpected entries (details redacted for security)", bindingCount))
216217
})
217218

218-
g.It("TestNoNFSVolumesRisk", func() {
219+
g.It("TestNoNFSVolumesRisk", ote.Informing(), func() {
219220
ctx := context.Background()
220221
nfsPVCount := countNFSPersistentVolumes(ctx, oc)
221222
// Fail if NFS PVs are found - verify root_squash is enabled on NFS servers
222223
o.Expect(nfsPVCount).To(o.Equal(0),
223224
fmt.Sprintf("Found %d NFS PersistentVolume(s) - verify root_squash is enabled on NFS servers (details redacted for security)", nfsPVCount))
224225
})
225226

226-
g.It("TestContainerRegistryAuthentication [apigroup:config.openshift.io]", func() {
227+
g.It("TestContainerRegistryAuthentication [apigroup:config.openshift.io]", ote.Informing(), func() {
227228
ctx := context.Background()
228229
insecureRegistryCount := countInsecureRegistries(ctx, oc)
229230
o.Expect(insecureRegistryCount).To(o.Equal(0),
@@ -509,7 +510,11 @@ func findUnexpectedSudoersFiles(oc *exutil.CLI, nodes []corev1.Node) []string {
509510
).Output()
510511

511512
if err != nil {
512-
// Record inspection failure instead of silently skipping
513+
// If directory doesn't exist, that's fine - no unexpected sudoers files
514+
if strings.Contains(output, "No such file or directory") {
515+
continue
516+
}
517+
// Record other inspection failures
513518
unexpected = append(unexpected,
514519
fmt.Sprintf("%s: failed to inspect sudoers.d (error: %v)", node.Name, err))
515520
continue

0 commit comments

Comments
 (0)