Added penetration tests important to Telco partners/customers #31283
yogeshahiray wants to merge 8 commits into
Conversation
Pipeline controller notification: For optional jobs, comment This repository is configured in: automatic mode
Hi @yogeshahiray. Thanks for your PR. I'm waiting for an openshift member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Details: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
No actionable comments were generated in the recent review.
Walkthrough: Adds a Ginkgo test suite that runs node- and cluster-scoped security posture scans: password/log scans, CNI SELinux validation, secret/privileged pod checks, sudoers/etcd/Route inspections, monitoring/operator checks, and registry/PV/resource discovery.
Changes: Security Penetration Test Suite
🎯 4 (Complex) | ⏱️ ~45 minutes
Caution: Pre-merge checks failed. Please resolve all errors before merging. Addressing warnings is optional.
❌ Failed checks (1 error, 3 warnings, 1 inconclusive)
✅ Passed checks (10 passed)
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: yogeshahiray. The full list of commands accepted by this bot can be found here. Details: Needs approval from an approver in each of these files: Approvers can indicate their approval by writing
Actionable comments posted: 7
🧹 Nitpick comments (1)
test/extended/security/penetration.go (1)
282-286: 💤 Low value. Consider making the regex more specific.
The pattern `drwxr[A-Za-z0-9\s\.\-]+(/usr/[a-z0-9/]+)` is quite permissive in the first part. While the captured path group `[a-z0-9/]+` safely prevents injection, the leading pattern could match unintended output. Consider making it more specific to match only expected `ls -ld` permission strings.
📝 Example of more specific pattern
- re := regexp.MustCompile(`drwxr[A-Za-z0-9\s\.\-]+(/usr/[a-z0-9/]+)`) + // Match: drwxr-xr-x. <number> <user> <group> ... /usr/... + re := regexp.MustCompile(`^drwxr-?x?r-?x?[.-]\s+\d+\s+\S+\s+\S+\s+.*?(/usr/libexec/cni|/opt/cni)`)This more precisely matches the
`ls -ld` output format and explicitly looks for the expected CNI paths.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@test/extended/security/penetration.go` around lines 282 - 286, The current regex assigned to re is too permissive; narrow it to match a precise ls -ld permission line and restrict the captured path to expected CNI locations. Update the pattern used by re (the string `drwxr[A-Za-z0-9\s\.\-]+(/usr/[a-z0-9/]+)`) to explicitly match permission bits (e.g., ^d[rwx-]{9}), whitespace-separated columns (inode/owner/group/size/date), then capture only known /usr subpaths (for example /usr/bin, /usr/lib, /usr/libexec, etc.) with a conservative character class for the path; keep the code flow using matches := re.FindStringSubmatch(output) and the existing conditional that returns matches[1] when present.
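Review bot: the suggested pattern is anchored with `^`, but Go's `regexp` treats `^` as start-of-text unless the `(?m)` flag is set, and the helper runs `ls -ld /opt/cni /usr/libexec/cni` (per the later "328-350" comment), which prints one line per path; the second path's line can therefore never match. Either prefix the pattern with `(?m)` or split `output` on newlines and test each line, and extend `[.-]` to `[.+-]?` so a directory listed with an ACL marker (`+`) or with no trailing marker still matches.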
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@test/extended/security/penetration.go`:
- Around line 234-236: The testPasswords slice is empty so the YAML-password
scanning never runs; populate testPasswords with actual values (either load from
the cluster configuration or supply a sensible default list of common/test
passwords) and reuse it in the YAML check function (the slice named
testPasswords used in the YAML scan) and in checkLogsForPasswords so both checks
operate on the same non-empty password list; update the code that builds
testPasswords and ensure both the YAML scanner and checkLogsForPasswords
reference that populated slice.
- Around line 192-194: The test currently defines an empty slice testPasswords
which prevents the nested verification loops in the penetration test from
running; either populate testPasswords with representative password strings used
in the cluster (e.g., common service/account passwords or test fixtures) so the
loops in the test exercise log-scanning, or explicitly skip the test when it’s
not configured by calling e2eskipper.Skipf (or the existing skip helper) early
in the test; update the code paths around testPasswords and the test function in
test/extended/security/penetration.go (the loops that scan logs) to use the
populated slice or to return after Skipf so the test no longer silently passes.
- Around line 627-643: The current verifyEtcdUsesTLS logic inspects etcd.Object
by converting spec and status maps to strings (fmt.Sprintf("%v", spec/status))
and substring-searching for "cert"/"tls", which is fragile; replace this with
structured checks: retrieve spec and status via unstructured.NestedMap (as you
already do), then explicitly inspect known TLS-related keys (e.g., spec["tls"],
spec["clientTLS"], spec["serverTLS"], spec["peerTLS"], spec["backup"] or the
etcd-operator fields like "tls", "tlsClientConfig", "certFile", "keyFile",
"caFile") and iterate nested maps/slices to detect boolean flags or presence of
certificate file fields; update verifyEtcdUsesTLS to return true only when those
concrete fields exist/are enabled rather than on loose substring matches of
fmt.Sprintf output.
- Line 54: Before calling findCNIPath(oc, nodes.Items[0].Name) add a defensive
check that nodes.Items is non-empty; if len(nodes.Items) == 0, handle the case
(return an error from the surrounding test function or log and fail the test)
instead of indexing [0]. Locate the call to findCNIPath and the variable nodes
in the same test function in test/extended/security/penetration.go and add the
guard so the code never dereferences nodes.Items[0] when the node list is empty.
- Around line 247-253: The code builds a shell command via fmt.Sprintf("grep -nl
'%s' %s") (cmd) and then runs it through "/bin/bash -c", which allows command
injection; change the call in this block so you do not invoke a shell or
interpolate pwd into a single-quoted string. Replace the Sprintf/"/bin/bash -c"
approach by passing grep and its arguments directly to
oc.AsAdmin().Run("debug").Args (e.g., use "/bin/grep", "-nl", pwd, yamlPath) so
pwd and yamlPath are separate Args instead of being concatenated into cmd;
update the code around the cmd variable and the oc.AsAdmin().Run("debug").Args
invocation to use these explicit args.
- Around line 91-92: The shared ctx := context.Background() declared at the
Describe-level is reused across multiple It test cases (the It blocks such as
"TestEtcdBackupEncryptionAndRestriction
[apigroup:config.openshift.io][apigroup:operator.openshift.io]" and the
subsequent It blocks) which breaks test isolation; remove the top-level ctx
declaration and instead add a fresh ctx := context.Background() as the first
statement inside each It block that currently references ctx (all It blocks
between lines 92-181), ensuring each test case obtains its own context.
- Around line 211-217: The grep command is vulnerable to shell injection because
pwd is interpolated into a bash -c string; update the
oc.AsAdmin().Run("debug").Args(...).Output() invocation that builds cmd so it
does not pass an interpolated shell string. Fix by invoking grep without using
"/bin/bash -c" and pass the pattern and logPath as separate arguments (use pwd
and logPath as raw args), or if shell usage is unavoidable, escape/quote pwd
with a robust shell-escaping utility (e.g., use a library that safely quotes
shell arguments) before formatting into the command; ensure the change targets
the code building cmd and the oc.AsAdmin().Run(...).Args call that executes it.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Central YAML (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: 7cc44443-f610-468e-a69f-5d3eae92b3dc
📒 Files selected for processing (1)
test/extended/security/penetration.go
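The two injection findings above (the `grep -nl '%s'` string handed to `/bin/bash -c`) come down to one rule: a caller-supplied value goes into the process's argv as its own element, never into text a shell re-parses. The following Go example is added for this thread and is not code from the PR; the three function names, the `quotesBalanced`/`scriptContains` checks and the sample password are hypothetical stand-ins for how the list passed to `oc.AsAdmin().Run("debug").Args(...)` might be built. It shows the flagged construction beside two safe shapes: direct argv for a single file, and a constant `/bin/sh` script with positional parameters for the case where the node's shell must expand a glob.

```go
package main

import (
	"fmt"
	"strings"
)

// unsafeGrepCommand reproduces the flagged pattern: the password is spliced
// into a single-quoted string that bash then re-parses, so a quote inside the
// password changes the command's structure. (Hypothetical helper name.)
func unsafeGrepCommand(pwd, logPath string) []string {
	cmd := fmt.Sprintf("grep -nl '%s' %s", pwd, logPath)
	return []string{"/bin/bash", "-c", cmd}
}

// safeGrepArgs hands grep its pattern and file as separate argv entries, so no
// shell parses them. "-F" matches the password literally (regex metacharacters
// in a password no longer matter) and "--" ends option parsing, so a password
// that starts with "-" cannot be read as a grep flag.
func safeGrepArgs(pwd, logPath string) []string {
	return []string{"/bin/grep", "-F", "-nl", "--", pwd, logPath}
}

// expandAndGrep is the shape to use when a shell is genuinely needed, here to
// expand a glob such as /var/log/containers/*.log on the node. The script text
// is a constant; the caller's values arrive as $1 and $2 and are never
// concatenated into it.
const expandAndGrep = `for f in $1; do [ -e "$f" ] && /bin/grep -F -nl -- "$2" "$f"; done`

// positionalShellArgs binds the glob and the password to $1 and $2 ("_" is $0).
func positionalShellArgs(pwd, globPath string) []string {
	return []string{"/bin/sh", "-c", expandAndGrep, "_", globPath, pwd}
}

// quotesBalanced reports whether a shell string has an even number of single
// quotes, i.e. whether an interpolated value stayed inside its quoting.
func quotesBalanced(cmd string) bool {
	return strings.Count(cmd, "'")%2 == 0
}

// scriptContains reports whether the caller's value leaked into the text the
// shell parses (argv[2]); it should only ever appear as its own argv element.
func scriptContains(argv []string, value string) bool {
	return strings.Contains(argv[2], value)
}

func main() {
	// Constructed sample password containing a single quote.
	pwd := "it's"
	unsafe := unsafeGrepCommand(pwd, "/var/log/foo.log")
	fmt.Println(unsafe, "balanced:", quotesBalanced(unsafe[2])) // balanced: false
	fmt.Println(safeGrepArgs(pwd, "/var/log/foo.log"))
	fmt.Println(positionalShellArgs(pwd, "/var/log/containers/*.log"))
}
```

With the positional form, `err != nil` from the debug command still means "no file matched or grep found nothing" (grep exits 1 on no match), so the existing `err == nil` gate keeps its meaning while the value can no longer alter the script.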
/test e2e-aws-ovn-microshift
/payload-job periodic-ci-openshift-hypershift-release-5.0-periodics-e2e-aws-ovn-conformance
@neisw: trigger 1 job(s) for the /payload-(with-prs|job|aggregate|job-with-prs|aggregate-with-prs) command
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/39651d60-6590-11f1-8635-10ef9a19d878-0
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (5)
test/extended/security/penetration.go (5)
124-131: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Sampling only `masterNodes.Items[0]` leaves master-local etcd permission issues undetected.
Both specs validate a single control-plane node, but backup artifacts and `/var/lib/etcd` permissions can drift per node. If the first master is clean and another is not, these tests still pass. Iterate over all listed masters before asserting success.
Also applies to: 157-164
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@test/extended/security/penetration.go` around lines 124 - 131, The test only checks masterNodes.Items[0] which can miss per-node etcd permission issues; update the code that calls findWorldReadableCriticalEtcdFiles(oc, masterNodes.Items[0].Name) to iterate over all masterNodes.Items, call findWorldReadableCriticalEtcdFiles for each node (using masterNodes.Items[i].Name), collect/merge any returned critical files, and assert the aggregated result is empty (or assert per-node emptiness) using the existing o.Expect checks; apply the same iteration/fix to the duplicate check that uses findWorldReadableCriticalEtcdFiles later in the file.
328-350: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
`findCNIPath` can skip valid nodes and can never correctly return `/opt/cni`.
`ls -ld /opt/cni /usr/libexec/cni` exits non-zero when either path is missing, so a node with only one valid CNI location hits Line 336 and the test skips. Even when parsing succeeds, the regex only matches `/usr/...`, and the fallback hardcodes `/usr/libexec/cni`, so `/opt/cni` is effectively unreachable. Probe each candidate independently and return the one that actually exists.
252-279: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Literal `*.log`/`*.yaml` arguments mean most of these grep scans never touch real files.
Passing `/var/log/containers/*.log` or `/etc/kubernetes/manifests/*.yaml` as raw args to `/bin/grep` does not expand the glob, so `grep` sees a literal filename and returns an error. The current `err == nil` gate then treats that execution failure as "nothing found", which is another false-clean result. Enumerate matching files first and search them with literal matching (`grep -F --`), rather than handing wildcard patterns straight to `grep`.
Also applies to: 298-319
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@test/extended/security/penetration.go` around lines 252 - 279, The grep calls loop over logPaths (e.g., "/var/log/containers/*.log") with oc.AsAdmin().Run("debug") but pass unexpanded globs to /bin/grep, so grep sees literal filenames and errors are treated as "not found"; fix by enumerating matching files on the node before grepping (e.g., run a safe listing like ls -1 or find via oc debug for each pattern), then invoke /bin/grep -F -- <pwd> <eachFoundFile> (literal matching and explicit file args) and append to foundPasswords only when grep succeeds; apply the same change to the similar block referenced at 298-319.
466-475: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
A node that cannot be inspected is currently treated as "no unexpected sudoers files".
`continue` on the debug-command error drops that node from the result set, so this spec can pass even when one of the nodes was never checked. Surface the error, or at least record the node as an inspection failure instead of silently skipping it. As per coding guidelines, Go code should never ignore error returns.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@test/extended/security/penetration.go` around lines 466 - 475, The code currently ignores errors from oc.AsAdmin().Run("debug").Args(...).Output() (the block using node.Name and cmd) by doing if err != nil { continue }, which silently skips nodes; fix this by surfacing the error or recording the node as an inspection failure instead of continuing. Replace the continue with error handling that logs or returns the error (include node.Name and err in the message) or append node.Name to a failures slice (e.g., failedNodes) so the spec can fail or assert on failedNodes after the loop; ensure you handle the Output() error from oc.AsAdmin().Run("debug").Args(...) rather than ignoring it.
Source: Coding guidelines
447-455: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Privileged init and ephemeral containers bypass this check.
This only inspects `pod.Spec.Containers`. A privileged `initContainer` or `ephemeralContainer` is just as relevant for a penetration test and will currently be missed, so the spec can pass while a namespace still runs privileged workload.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@test/extended/security/penetration.go` around lines 447 - 455, The current check only iterates pod.Spec.Containers and misses privileged init or ephemeral containers; update the logic that builds privilegedPods to also iterate pod.Spec.InitContainers and pod.Spec.EphemeralContainers and perform the same nil and *SecurityContext.Privileged checks for each element, appending fmt.Sprintf("%s/%s", pod.Namespace, pod.Name) to privilegedPods and breaking once any privileged container (regular, init, or ephemeral) is found; ensure you reference the same variable names (pod, privilegedPods) and mirror the existing condition used for pod.Spec.Containers.
♻️ Duplicate comments (1)
test/extended/security/penetration.go (1)
243-249: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
These plaintext-password tests still pass without scanning anything.
Both helpers return an empty result when `testPasswords` is empty, and the callers assert that emptiness as success. That makes the suite report a clean result even though no password exposure check ran. Either load real inputs or explicitly `Skipf`/fail the spec until the source of passwords exists.
Also applies to: 289-295
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@test/extended/security/penetration.go` around lines 243 - 249, The plaintext-password check currently treats an empty testPasswords slice as a successful pass; update the logic in the penetration test to not silently succeed when no inputs exist: in the block where testPasswords is declared and where the helper returns early (the code around the testPasswords variable and the function that returns foundPasswords), if testPasswords is empty call t.Skipf (or t.Fatalf if you prefer a hard failure) with an explanatory message indicating passwords are not configured, or load real test inputs from cluster config; apply the same change to the similar block around lines 289-295 so the spec is skipped/failed instead of passing when no passwords are provided, referencing the testPasswords variable and the helper that returns foundPasswords.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Central YAML (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: 4881a8d4-aec9-48cc-ab99-4e0c9b6f870b
📒 Files selected for processing (1)
test/extended/security/penetration.go
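Two of the findings in this review share a root cause: the etcd checks sample `masterNodes.Items[0]` only, and the sudoers check `continue`s past a node whose debug command failed, so in both cases an unchecked node counts as clean. The Go example below is added for this thread and is not the project's code; `NodeInspector` is a hypothetical stand-in for the `oc debug node/<name> -- <cmd>` call, and the three node names and their outputs are constructed. It visits every node, keeps findings and inspection failures in separate buckets, and only reports clean when both are empty.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// NodeInspector stands in for running a command on one node via oc debug and
// returning its output or an error. (Hypothetical type, not the project's API.)
type NodeInspector func(nodeName string) (string, error)

// InspectionReport keeps what was found apart from what could not be checked,
// so a node that was never inspected is never reported as clean.
type InspectionReport struct {
	Findings    map[string][]string // node name -> offending paths found there
	FailedNodes []string            // nodes whose inspection command failed
}

// parseFindings reads one path per non-empty line of command output.
func parseFindings(output string) []string {
	var paths []string
	for _, line := range strings.Split(output, "\n") {
		if line = strings.TrimSpace(line); line != "" {
			paths = append(paths, line)
		}
	}
	return paths
}

// inspectAllNodes visits every node rather than nodes[0], and records a failed
// command instead of continuing past it.
func inspectAllNodes(nodes []string, inspect NodeInspector) InspectionReport {
	report := InspectionReport{Findings: map[string][]string{}}
	for _, node := range nodes {
		out, err := inspect(node)
		if err != nil {
			report.FailedNodes = append(report.FailedNodes, node)
			continue
		}
		if found := parseFindings(out); len(found) > 0 {
			report.Findings[node] = found
		}
	}
	sort.Strings(report.FailedNodes)
	return report
}

// Clean is what the spec should assert: every node inspected, nothing found.
func (r InspectionReport) Clean() bool {
	return len(r.FailedNodes) == 0 && len(r.Findings) == 0
}

// Summary builds the message to attach to a failing assertion.
func (r InspectionReport) Summary() string {
	var parts []string
	nodes := make([]string, 0, len(r.Findings))
	for n := range r.Findings {
		nodes = append(nodes, n)
	}
	sort.Strings(nodes)
	for _, n := range nodes {
		parts = append(parts, fmt.Sprintf("%s: %s", n, strings.Join(r.Findings[n], ", ")))
	}
	if len(r.FailedNodes) > 0 {
		parts = append(parts, "not inspected: "+strings.Join(r.FailedNodes, ", "))
	}
	if len(parts) == 0 {
		return "clean"
	}
	return strings.Join(parts, "; ")
}

// sampleInspector is constructed input for three control-plane nodes: the
// first is clean, the second has a world-readable etcd file, the third cannot
// be reached. Sampling only the first node would have reported a pass.
func sampleInspector(node string) (string, error) {
	switch node {
	case "master-0":
		return "", nil
	case "master-1":
		return "/var/lib/etcd/member/snap/db\n", nil
	default:
		return "", errors.New("debug pod failed to schedule")
	}
}

func main() {
	r := inspectAllNodes([]string{"master-0", "master-1", "master-2"}, sampleInspector)
	fmt.Println(r.Clean(), "-", r.Summary())
}
```

In the Ginkgo spec the assertion would be `o.Expect(report.Clean()).To(o.BeTrue(), report.Summary())`, so the failure message names both the offending paths and the nodes that were never checked.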
Actionable comments posted: 1
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (3)
test/extended/security/penetration.go (3)
267-272: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win
Restore wildcard expansion and literal matching in the password scans.
Passing `*.log` and `*.yaml` paths as raw `grep` arguments means those wildcards are never expanded, so these checks usually return exit code 2 and silently miss the files they are supposed to scan. `grep` is also treating `pwd` as a regex, so passwords containing regex metacharacters can produce false positives or misses. Expand the file list separately and search with `grep -F --` so the scans stay both safe and functional.
Suggested fix
- output, err := oc.AsAdmin().Run("debug").Args( - fmt.Sprintf("node/%s", node.Name), - "--", - "/bin/grep", "-nl", pwd, logPath, - ).Output() + output, err := oc.AsAdmin().Run("debug").Args( + fmt.Sprintf("node/%s", node.Name), + "--", + "/bin/sh", "-c", + `for f in $1; do [ -e "$f" ] && /bin/grep -F -nl -- "$2" "$f"; done`, + "_", logPath, pwd, + ).Output()Apply the same pattern to the YAML scan as well.
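Review bot: the replacement still executes through `/bin/sh -c`, while the guideline quoted directly below it forbids shell execution with user input; what makes this form acceptable is that the script is a constant and `logPath`/`pwd` arrive as the positional parameters `$1`/`$2` rather than being spliced into the string, and that reasoning should be stated in a code comment so a later edit does not "simplify" it back into `fmt.Sprintf`. Minor: `-n` has no effect together with `-l`, which prints only file names.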
As per coding guidelines, "Command: no shell=True, os.system, or backtick exec with user input".
Also applies to: 307-312
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@test/extended/security/penetration.go` around lines 267 - 272, The grep invocation in oc.AsAdmin().Run("debug").Args (where you pass pwd and logPath) is feeding unexpanded wildcards and a regex pattern to grep; change it to first expand the target file globs (e.g., expand logPath like "*.log" and the YAML glob into an explicit list of files) on the node before invoking grep, then call grep with fixed-string mode and explicit end-of-options (use "-F" and "--") so the password string (pwd) is treated literally; update the same pattern for the YAML scan too (the other oc.AsAdmin().Run("debug").Args site mentioned) so both scans expand globs and use grep -F -- with expanded file lists.
Source: Coding guidelines
725-731: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win
`countDatabasePods` can count the same pod more than once.
The `break` only exits the `dbImages` loop. If a pod has two matching containers, `count` is incremented twice even though the helper comment and log message both describe a pod count. Use a labeled `continue` or a per-pod boolean so each pod contributes at most once.
Suggested fix
- for _, pod := range pods.Items { +podLoop: + for _, pod := range pods.Items { for _, container := range pod.Spec.Containers { lowerImage := strings.ToLower(container.Image) for _, dbType := range dbImages { if strings.Contains(lowerImage, dbType) { count++ - break // Count each pod only once + continue podLoop } } } }🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@test/extended/security/penetration.go` around lines 725 - 731, The loop in countDatabasePods is incrementing count once per matching container because the break only exits the dbImages loop; change the logic so each pod increments count at most once by introducing a per-pod boolean (e.g., found) that is set when any container image matches dbImages and then break out of the container loop or use a labeled continue to skip to the next pod; update the use of pods.Items, pod.Spec.Containers, dbImages and count accordingly so the helper truly counts pods, not containers.
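Review bot: the labeled `continue podLoop` is the right fix, but the hunk also drops the `// Count each pod only once` comment; keep it next to the `continue podLoop` line, since the label's purpose is not obvious from the loop body alone.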
451-456: ⚠️ Potential issue | 🟠 Major
Privileged-pod test misses privileged init/ephemeral containers
`countPrivilegedPodsInUserNamespaces` only checks `pod.Spec.Containers[*].SecurityContext.Privileged` (lines 451-458), so pods with privileged `initContainers` or `ephemeralContainers` can evade `TestNoUnexpectedPrivilegedPods`. Update the helper to scan those container types as well, while still counting each pod only once.
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@test/extended/security/penetration.go` around lines 451 - 456, The helper countPrivilegedPodsInUserNamespaces currently only inspects pod.Spec.Containers for SecurityContext.Privileged; update it to also iterate pod.Spec.InitContainers and pod.Spec.EphemeralContainers and check each container's SecurityContext != nil and SecurityContext.Privileged != nil && *SecurityContext.Privileged, incrementing count and breaking out once per pod (same behavior as for pod.Spec.Containers) so pods with privileged init or ephemeral containers are counted exactly once; reuse the existing loop/break pattern and nil checks to avoid panics.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@test/extended/security/penetration.go`:
- Around line 194-200: The tests named TestNoUnprotectedDatabasePods,
TestNoUnexpectedClusterAdminServiceAccounts, and TestNoNFSVolumesRisk currently
only log via g.By(...) when a non-zero risk is detected, so CI doesn't fail;
replace the informational g.By(...) calls with explicit assertions (e.g., use
g.Expect(dbPodCount).To(BeZero(), "found %d database pod(s) - verify credentials
use Secrets", dbPodCount)) so the test fails when risk is detected; update the
occurrences around TestNoUnprotectedDatabasePods (calling countDatabasePods),
TestNoUnexpectedClusterAdminServiceAccounts (calling countClusterAdminSAs or
similar), and TestNoNFSVolumesRisk (calling countNFSVolumes or similar) to
assert counts are zero (or rename tests to make them discovery-only if you
prefer a non-failing check).
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Central YAML (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: 275ca5b4-bce4-4c29-86bf-7965200fb8e3
📒 Files selected for processing (1)
test/extended/security/penetration.go
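The privileged-container finding is raised twice in this thread (the "447-455" comment in the previous review and the "451-456" comment above), together with the "count each pod once" point from the `countDatabasePods` comment. The Go example below is added here and is not the project's code: the `SecurityContext`, `Container`, `PodSpec` and `Pod` types are minimal constructed stand-ins for the corev1 types so the block runs without a cluster, and the three sample pods are constructed input. It places the flagged containers-only scan beside a version that walks all three container lists and reports each pod at most once.

```go
package main

import "fmt"

// Minimal stand-ins for the corev1 types (constructed for this example). In the
// real API pod.Spec.EphemeralContainers holds corev1.EphemeralContainer, whose
// SecurityContext sits in the embedded EphemeralContainerCommon, so that list
// needs its own loop there rather than sharing one with corev1.Container.
type SecurityContext struct{ Privileged *bool }

type Container struct {
	Name            string
	SecurityContext *SecurityContext
}

type PodSpec struct {
	Containers          []Container
	InitContainers      []Container
	EphemeralContainers []Container
}

type Pod struct {
	Namespace, Name string
	Spec            PodSpec
}

// isPrivileged mirrors the nil checks the existing helper already performs.
func isPrivileged(c Container) bool {
	return c.SecurityContext != nil &&
		c.SecurityContext.Privileged != nil &&
		*c.SecurityContext.Privileged
}

// privilegedPodsContainersOnly is the pattern the review flagged: it looks at
// pod.Spec.Containers only, so a privileged init or ephemeral container passes.
func privilegedPodsContainersOnly(pods []Pod) []string {
	var out []string
	for _, pod := range pods {
		for _, c := range pod.Spec.Containers {
			if isPrivileged(c) {
				out = append(out, pod.Namespace+"/"+pod.Name)
				break
			}
		}
	}
	return out
}

// podRunsPrivileged checks every container list the kubelet can start.
func podRunsPrivileged(pod Pod) bool {
	lists := [][]Container{pod.Spec.Containers, pod.Spec.InitContainers, pod.Spec.EphemeralContainers}
	for _, list := range lists {
		for _, c := range list {
			if isPrivileged(c) {
				return true
			}
		}
	}
	return false
}

// privilegedPods records each pod at most once, however many of its
// containers are privileged, which is what a "pod count" assertion expects.
func privilegedPods(pods []Pod) []string {
	var out []string
	for _, pod := range pods {
		if podRunsPrivileged(pod) {
			out = append(out, fmt.Sprintf("%s/%s", pod.Namespace, pod.Name))
		}
	}
	return out
}

func boolPtr(b bool) *bool { return &b }

// samplePods is constructed input: one pod privileged only via an init
// container, one with two privileged regular containers, one clean.
func samplePods() []Pod {
	priv := &SecurityContext{Privileged: boolPtr(true)}
	return []Pod{
		{Namespace: "ns-a", Name: "init-priv", Spec: PodSpec{
			Containers:     []Container{{Name: "app"}},
			InitContainers: []Container{{Name: "setup", SecurityContext: priv}},
		}},
		{Namespace: "ns-b", Name: "double", Spec: PodSpec{
			Containers: []Container{{Name: "a", SecurityContext: priv}, {Name: "b", SecurityContext: priv}},
		}},
		{Namespace: "ns-c", Name: "clean", Spec: PodSpec{
			Containers: []Container{{Name: "app", SecurityContext: &SecurityContext{Privileged: boolPtr(false)}}},
		}},
	}
}

func main() {
	fmt.Println(privilegedPodsContainersOnly(samplePods())) // [ns-b/double]
	fmt.Println(privilegedPods(samplePods()))               // [ns-a/init-priv ns-b/double]
}
```

The same `podRunsPrivileged` shape works for the image-name scan in `countDatabasePods`: decide per pod with a helper that returns early, and the outer loop can never increment twice for one pod.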
I have addressed all the comments
/ok-to-test
Scheduling required tests:
@yogeshahiray: The following tests failed, say
Full PR test history. Your PR dashboard. Details: Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
Risk analysis has seen new tests most likely introduced by this PR. New Test Risks for sha: 4549d1c
New tests seen in this PR at sha: 4549d1c
Added penetration tests which are very important to Telco partners/customers.