88
99 g "github.com/onsi/ginkgo/v2"
1010 o "github.com/onsi/gomega"
11+ ote "github.com/openshift-eng/openshift-tests-extension/pkg/ginkgo"
1112
1213 corev1 "k8s.io/api/core/v1"
1314 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -24,7 +25,7 @@ var _ = g.Describe("[sig-auth][Feature:SecurityPenetration] ", func() {
2425 oc := exutil .NewCLIWithoutNamespace ("security-penetration" )
2526
2627 // CNF-18378: Check For Plain Text Passwords
27- g .It ("TestNoPasswordExposedInLogFiles [apigroup:config.openshift.io]" , func () {
28+ g .It ("TestNoPasswordExposedInLogFiles [apigroup:config.openshift.io]" , ote . Informing (), func () {
2829 ctx := context .Background ()
2930
3031 // Skip for HyperShift - control plane is hosted separately
@@ -58,7 +59,7 @@ var _ = g.Describe("[sig-auth][Feature:SecurityPenetration] ", func() {
5859 })
5960
6061 // CNF-21165: Check CNI SELinux From All Nodes
61- g .It ("TestProperSELinuxContextOnCNI" , func () {
62+ g .It ("TestProperSELinuxContextOnCNI" , ote . Informing (), func () {
6263 ctx := context .Background ()
6364
6465 g .By ("Getting all node names" )
@@ -80,21 +81,21 @@ var _ = g.Describe("[sig-auth][Feature:SecurityPenetration] ", func() {
8081
8182 // CNF-22599: Combined NRHO Security Penetration Tests
8283 g .Describe ("Security Penetration Tests" , func () {
83- g .It ("TestNoSSHKeysInUnexpectedSecrets [apigroup:security.openshift.io]" , func () {
84+ g .It ("TestNoSSHKeysInUnexpectedSecrets [apigroup:security.openshift.io]" , ote . Informing (), func () {
8485 ctx := context .Background ()
8586 unexpectedSecretCount := countSecretsContainingSSHKeys (ctx , oc )
8687 o .Expect (unexpectedSecretCount ).To (o .Equal (0 ),
8788 fmt .Sprintf ("Found %d unexpected Secret(s) containing SSH private keys (details redacted for security)" , unexpectedSecretCount ))
8889 })
8990
90- g .It ("TestNoUnexpectedPrivilegedPods" , func () {
91+ g .It ("TestNoUnexpectedPrivilegedPods" , ote . Informing (), func () {
9192 ctx := context .Background ()
9293 privilegedPodCount := countPrivilegedPodsInUserNamespaces (ctx , oc )
9394 o .Expect (privilegedPodCount ).To (o .Equal (0 ),
9495 fmt .Sprintf ("Found %d privileged pod(s) in user namespaces (details redacted for security)" , privilegedPodCount ))
9596 })
9697
97- g .It ("TestProperNodeSudoConfiguration" , func () {
98+ g .It ("TestProperNodeSudoConfiguration" , ote . Informing (), func () {
9899 ctx := context .Background ()
99100 nodes , err := oc .AdminKubeClient ().CoreV1 ().Nodes ().List (ctx , metav1.ListOptions {})
100101 o .Expect (err ).NotTo (o .HaveOccurred ())
@@ -104,7 +105,7 @@ var _ = g.Describe("[sig-auth][Feature:SecurityPenetration] ", func() {
104105 fmt .Sprintf ("Unexpected sudoers files found: %v" , unexpectedSudoers ))
105106 })
106107
107- g .It ("TestEtcdBackupEncryptionAndRestriction [apigroup:config.openshift.io][apigroup:operator.openshift.io]" , func () {
108+ g .It ("TestEtcdBackupEncryptionAndRestriction [apigroup:config.openshift.io][apigroup:operator.openshift.io]" , ote . Informing (), func () {
108109 ctx := context .Background ()
109110 verifyEtcdEncryptionAtRest (ctx , oc )
110111
@@ -135,14 +136,14 @@ var _ = g.Describe("[sig-auth][Feature:SecurityPenetration] ", func() {
135136 o .Expect (allCriticalFiles ).To (o .BeEmpty (),
136137 fmt .Sprintf ("Critical etcd files are world-readable: %v" , allCriticalFiles ))
137138 })
138- g .It ("TestAllRoutesUseTLS [apigroup:route.openshift.io]" , func () {
139+ g .It ("TestAllRoutesUseTLS [apigroup:route.openshift.io]" , ote . Informing (), func () {
139140 ctx := context .Background ()
140141 routesWithoutTLSCount := countRoutesWithoutTLS (ctx , oc )
141142 o .Expect (routesWithoutTLSCount ).To (o .Equal (0 ),
142143 fmt .Sprintf ("Found %d route(s) without TLS (details redacted for security)" , routesWithoutTLSCount ))
143144 })
144145
145- g .It ("TestEtcdDirectoryPermissions [apigroup:operator.openshift.io]" , func () {
146+ g .It ("TestEtcdDirectoryPermissions [apigroup:operator.openshift.io]" , ote . Informing (), func () {
146147 ctx := context .Background ()
147148
148149 // Skip master node checks for HyperShift and MicroShift
@@ -173,7 +174,7 @@ var _ = g.Describe("[sig-auth][Feature:SecurityPenetration] ", func() {
173174 fmt .Sprintf ("Etcd data directory permission issues: %v" , allProblems ))
174175 })
175176
176- g .It ("TestSecurityToolingInstalled [apigroup:operators.coreos.com]" , func () {
177+ g .It ("TestSecurityToolingInstalled [apigroup:operators.coreos.com]" , ote . Informing (), func () {
177178 ctx := context .Background ()
178179 foundOperators := checkSecurityOperators (ctx , oc )
179180 o .Expect (foundOperators ).NotTo (o .BeEmpty (),
@@ -183,7 +184,7 @@ var _ = g.Describe("[sig-auth][Feature:SecurityPenetration] ", func() {
183184 g .By (fmt .Sprintf ("Audit log profile: %s" , auditProfile ))
184185 })
185186
186- g .It ("TestMonitoringStackHealthy" , func () {
187+ g .It ("TestMonitoringStackHealthy" , ote . Informing (), func () {
187188 ctx := context .Background ()
188189 notRunningPods := getNonRunningMonitoringPods (ctx , oc )
189190 o .Expect (notRunningPods ).To (o .BeEmpty (),
@@ -193,37 +194,37 @@ var _ = g.Describe("[sig-auth][Feature:SecurityPenetration] ", func() {
193194 o .Expect (rulesCount ).To (o .BeNumerically (">" , 0 ), "No Prometheus rules found" )
194195 })
195196
196- g .It ("TestNetworkTrafficEncrypted [apigroup:operator.openshift.io]" , func () {
197+ g .It ("TestNetworkTrafficEncrypted [apigroup:operator.openshift.io]" , ote . Informing (), func () {
197198 ctx := context .Background ()
198199 etcdUsesTLS := verifyEtcdUsesTLS (ctx , oc )
199200 o .Expect (etcdUsesTLS ).To (o .BeTrue (), "Etcd is not using TLS certificates" )
200201 })
201202
202- g .It ("TestNoUnprotectedDatabasePods" , func () {
203+ g .It ("TestNoUnprotectedDatabasePods" , ote . Informing (), func () {
203204 ctx := context .Background ()
204205 dbPodCount := countDatabasePods (ctx , oc )
205206 // Fail if database pods are found - they should use Secrets for credentials
206207 o .Expect (dbPodCount ).To (o .Equal (0 ),
207208 fmt .Sprintf ("Found %d database pod(s) - verify credentials use Secrets (details redacted for security)" , dbPodCount ))
208209 })
209210
210- g .It ("TestNoUnexpectedClusterAdminServiceAccounts [apigroup:rbac.authorization.k8s.io]" , func () {
211+ g .It ("TestNoUnexpectedClusterAdminServiceAccounts [apigroup:rbac.authorization.k8s.io]" , ote . Informing (), func () {
211212 ctx := context .Background ()
212213 bindingCount := countClusterAdminServiceAccountBindings (ctx , oc )
213214 // Fail if unexpected cluster-admin service accounts are found
214215 o .Expect (bindingCount ).To (o .Equal (0 ),
215216 fmt .Sprintf ("Found %d ServiceAccount(s) with cluster-admin role - review for unexpected entries (details redacted for security)" , bindingCount ))
216217 })
217218
218- g .It ("TestNoNFSVolumesRisk" , func () {
219+ g .It ("TestNoNFSVolumesRisk" , ote . Informing (), func () {
219220 ctx := context .Background ()
220221 nfsPVCount := countNFSPersistentVolumes (ctx , oc )
221222 // Fail if NFS PVs are found - verify root_squash is enabled on NFS servers
222223 o .Expect (nfsPVCount ).To (o .Equal (0 ),
223224 fmt .Sprintf ("Found %d NFS PersistentVolume(s) - verify root_squash is enabled on NFS servers (details redacted for security)" , nfsPVCount ))
224225 })
225226
226- g .It ("TestContainerRegistryAuthentication [apigroup:config.openshift.io]" , func () {
227+ g .It ("TestContainerRegistryAuthentication [apigroup:config.openshift.io]" , ote . Informing (), func () {
227228 ctx := context .Background ()
228229 insecureRegistryCount := countInsecureRegistries (ctx , oc )
229230 o .Expect (insecureRegistryCount ).To (o .Equal (0 ),
@@ -509,7 +510,11 @@ func findUnexpectedSudoersFiles(oc *exutil.CLI, nodes []corev1.Node) []string {
509510 ).Output ()
510511
511512 if err != nil {
512- // Record inspection failure instead of silently skipping
513+ // If directory doesn't exist, that's fine - no unexpected sudoers files
514+ if strings .Contains (output , "No such file or directory" ) {
515+ continue
516+ }
517+ // Record other inspection failures
513518 unexpected = append (unexpected ,
514519 fmt .Sprintf ("%s: failed to inspect sudoers.d (error: %v)" , node .Name , err ))
515520 continue
0 commit comments