testsuite icon indicating copy to clipboard operation
testsuite copied to clipboard

Published 20 hours ago verified publisher icon cnti-testcatalog

[BUG] Doc: Some workload cases not included in the usage.md and list_of_tests.md

Open iElephant opened this issue 2 years ago • 6 comments

Describe the bug

There are 3 test cases included in the workload tests, however, it seems they are not mentioned in the USAGE.md and LIST_OF_TESTS.md.

  1. Test case ip_addresses in configuration category
  2. Test case non_root_user in security category
  3. Test case privileged in security category -> The privileged case seems to be similar to privilege_escalation test, they have the same desc field.

Maybe it's just my misunderstanding, please help to take a look. Thanks.

iElephant avatar Sep 21 '22 14:09 iElephant

@iElephant

We'll take a look. We did a recent overhaul of the docs and some of these might need to be merged, updated or removed since some of them are almost identical to the other tests.

agentpoyo avatar Sep 21 '22 15:09 agentpoyo

My opinion regarding those 3 tests:

  • "ip_addresses" tests usage of explicit ip address in the helm chart (which is pre-processed/stored locally). Similar check is done during "hardcoded_ip_addresses_in_k8s_runtime_configuration", but that is done on helm chart of deployed pod in k8s. Unlike "hardcoded_ip_addresses_in_k8s_runtime_configuration", "ip_address" is a static test that is possible to be executed without k8s. So perhaps "ip_address" somehow meaningful and prehaps should be added to the list of tests in the docs.
  • "non_root_user" tests the same thing (or a subset) as "non_root_containers". "non_root_user" test can be removed in my opinion. And along with that, cnf_testsuite's dependency on Falco as it is the only test that uses Falco.
  • "privileged" test is in my opinion the same as "privileged containers". "privileged" uses directly kubectl, whereas "privileged_containers" uses kubescape.

-> I suggest to add "ip_address" to the docs, and remove "non_root_user", "privileged" tests (along with Falco) from the code.

martin-mat avatar Jan 30 '24 13:01 martin-mat

@HashNuke @agentpoyo can you please review the above comment?

lixuna avatar Feb 06 '24 16:02 lixuna

"privileged" test is in my opinion the same as "privileged containers". "privileged" uses directly kubectl, whereas "privileged_containers" uses kubescape.

  • these are duplicates in functionality and it is intentional to have both. only 1 is actively used for certification
  • privileged uses Falco and is being removed.

taylor avatar Feb 06 '24 16:02 taylor

@taylor note that it is "non_root_user" that uses Falco, not "privileged". Based on your comment:

  • "ip_addresses" will be kept and added to the docs
  • "non_root_user" task will be removed along with Falco (perhaps a new issue to be opened specifically for this)
  • "privileged" will be kept and added to the docs as an alternative to "privileged containers", with keeping different tooling for each ("privileged" uses directly kubectl, whereas "privileged_containers" uses kubescape)

ok?

martin-mat avatar Feb 12 '24 09:02 martin-mat

#1893

martin-mat avatar Feb 19 '24 08:02 martin-mat