testsuite icon indicating copy to clipboard operation
testsuite copied to clipboard

Published 20 hours ago verified publisher icon cnti-testcatalog

Removal of allowlist from priviledged tests

Open horecoli opened this issue 11 months ago • 7 comments

Description

This change updates priviledged test to consider only containers from CNF under test. As a result of this change, the 'allowlist_helm_chart_container_names' parameter in the cnf-testsuite.yml configuration file is no longer needed. Therefore this patch also removes this parameter from the configuration, as well as from all samples and examples.

Issues:

Refs: #1906

How has this been tested:

  • [ ] Covered by existing integration testing
  • [ ] Added integration testing to cover
  • [ ] Verified all A/C passes
    • [ ] develop
    • [ ] master
    • [ ] tag/other branch
  • [ ] Test environment
    • [ ] Shared Packet K8s cluster
    • [ ] New Packet K8s cluster
    • [ ] Kind cluster
  • [ ] Have not tested

Types of changes:

  • [x] Bug fix (non-breaking change which fixes an issue)
  • [x] New feature (non-breaking change which adds functionality)
  • [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • [x] Documentation update

Checklist:

Documentation

  • [ ] My change requires a change to the documentation.
  • [x] I have updated the documentation accordingly.
  • [ ] No updates required.

Code Review

  • [ ] Does the test handle fatal exceptions, ie. rescue block

Issue

  • [ ] Tasks in issue are checked off

horecoli avatar Mar 13 '24 09:03 horecoli

Thank you for the updates. Waiting for the build to run for the main branch.

I will re-run this build once the main branch is green - https://github.com/cnti-testcatalog/testsuite/actions/runs/8345433746

HashNuke avatar Mar 19 '24 15:03 HashNuke

https://github.com/lfn-cnti/bestpractices/blob/main/doc/cbpps/0004-do-not-run-containers-with-privilege-flag.md#notesconstraintscaveats https://github.com/lfn-cnti/bestpractices/blob/main/doc/cbpps/0003-exceptions.md#summary

taylor avatar Mar 19 '24 15:03 taylor

Needs further discussion and updates

taylor avatar Mar 19 '24 15:03 taylor

@taylor, maybe you are right to have such exceptions in some cases. But the question is whether the allowlisting has to be done per-test or if there should be a common list of exceptions. Because as it is right now, we are giving the user the ability to make this test pass at any time. However, on the other side, there has to be motivation for the user to follow this best practice and refrain from making fraudulent attempts to pass the test. Do we have any sample examples where privileged containers are necessary and need to be whitelisted?

horecoli avatar Mar 28 '24 08:03 horecoli

lgtm

martin-mat avatar Apr 08 '24 21:04 martin-mat

This change is more or less done, but I am still verifying if all tests are running as expected.

horecoli avatar Apr 11 '24 06:04 horecoli

@horecoli rebase and this should be good to merge.

cc: @agentpoyo @HashNuke

taylor avatar May 07 '24 15:05 taylor

Some sample CNFs still have empty arrays:

  • sample-nonroot
  • sample_coredns_default_namespace

kosstennbl avatar Jul 15 '24 11:07 kosstennbl

Some sample CNFs still have empty arrays:

  • sample-nonroot
  • sample_coredns_default_namespace

Those two samples were added after I created this PR, so at that time, they were not there. And now I just rebased and forgot to do some grep to check if there is something new. So I fixed it in the latest change. Thank you :)

horecoli avatar Jul 23 '24 07:07 horecoli