diff --git a/.github/workflows/eks-ci.yml b/.github/workflows/eks-ci.yml
index fb34ea1a9c..b5d356be75 100644
--- a/.github/workflows/eks-ci.yml
+++ b/.github/workflows/eks-ci.yml
@@ -191,6 +191,8 @@ jobs:
       - name: Deploy tests Helm chart
         id: deploy_helm
         if: success()
+        env:
+          ELK_VERSION: 8.13.0-SNAPSHOT
         run: |
           just deploy-tests-helm ${{ matrix.test-target }} ${{ matrix.values_file }} ${{ matrix.range }}
diff --git a/.github/workflows/k8s-ci.yml b/.github/workflows/k8s-ci.yml
index 148fe65d70..eec15d358f 100644
--- a/.github/workflows/k8s-ci.yml
+++ b/.github/workflows/k8s-ci.yml
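Review bot: The new step-level `env:` on `deploy_helm` pins `ELK_VERSION` to a moving tag, `8.13.0-SNAPSHOT`, so the Helm deploy is not reproducible: two runs of the same commit can resolve different stack builds, and a regression introduced by the snapshot is indistinguishable from one introduced by this repository. Consider hoisting the value to the workflow's top-level `env:` (or a `workflow_dispatch` input with this default) so it is declared once and visible to every step of the job, and annotate it with a comment such as `# moving snapshot build consumed by deploy-tests-helm; bump explicitly when the stack version changes`. Whether the `just deploy-tests-helm` recipe is the only consumer of `ELK_VERSION` is not visible in this hunk, so step-level scope may be sufficient today, but the same variable is likely to be needed by later steps of the job. The remaining hunks on this page are pure deletions and renames and need no review.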
@@ -206,220 +206,3 @@ jobs: id: clear_cache if: always() run: rm -rf /tmp/*-${{ env.CONTAINER_SUFFIX }}.tar - - k8s_functional_tests_full: - # Run full test suit on post-merge - name: ${{ matrix.test-target }}-${{ matrix.range }}-tests - if: github.event_name == 'push' - needs: [ Build ] - runs-on: ubuntu-22.04 - timeout-minutes: 55 - env: - KIND_CONFIG: kind-multi - strategy: - fail-fast: false - matrix: - include: - - test-target: pre_merge_agent - range: '' - values_file: tests/test_environments/values/ci-sa-agent.yml - - test-target: pre_merge - range: "" - values_file: tests/test_environments/values/ci.yml - - test-target: file_system_rules - range: "0..5" - values_file: tests/test_environments/values/ci.yml - - test-target: file_system_rules - range: "5..10" - values_file: tests/test_environments/values/ci.yml - - test-target: file_system_rules - range: "10..15" - values_file: tests/test_environments/values/ci.yml - - test-target: file_system_rules - range: "15..20" - values_file: tests/test_environments/values/ci.yml - - test-target: file_system_rules - range: "20..25" - values_file: tests/test_environments/values/ci.yml - - test-target: file_system_rules - range: "25..30" - values_file: tests/test_environments/values/ci.yml - - test-target: file_system_rules - range: "30..35" - values_file: tests/test_environments/values/ci.yml - - test-target: file_system_rules - range: "35..40" - values_file: tests/test_environments/values/ci.yml - - test-target: file_system_rules - range: "40..45" - values_file: tests/test_environments/values/ci.yml - - test-target: file_system_rules - range: "45..50" - values_file: tests/test_environments/values/ci.yml - - test-target: file_system_rules - range: "50..55" - values_file: tests/test_environments/values/ci.yml - - test-target: file_system_rules - range: "55..60" - values_file: tests/test_environments/values/ci.yml - - test-target: file_system_rules - range: "60..65" - values_file: tests/test_environments/values/ci.yml - - 
test-target: file_system_rules - range: "65..70" - values_file: tests/test_environments/values/ci.yml - - test-target: file_system_rules - range: "70.." - values_file: tests/test_environments/values/ci.yml - - test-target: k8s_object_rules - range: "0..6" - values_file: tests/test_environments/values/ci.yml - - test-target: k8s_object_rules - range: "6..12" - values_file: tests/test_environments/values/ci.yml - - test-target: k8s_object_rules - range: "12..18" - values_file: tests/test_environments/values/ci.yml - - test-target: k8s_object_rules - range: "18.." - values_file: tests/test_environments/values/ci.yml - - test-target: process_scheduler_rules - range: "0..3" - values_file: tests/test_environments/values/ci.yml - - test-target: process_scheduler_rules - range: "3.." - values_file: tests/test_environments/values/ci.yml - - test-target: process_api_server_rules - range: "0..5" - values_file: tests/test_environments/values/ci.yml - - test-target: process_api_server_rules - range: "5..10" - values_file: tests/test_environments/values/ci.yml - - test-target: process_api_server_rules - range: "10..15" - values_file: tests/test_environments/values/ci.yml - - test-target: process_api_server_rules - range: "15..20" - values_file: tests/test_environments/values/ci.yml - - test-target: process_api_server_rules - range: "20..24" - values_file: tests/test_environments/values/ci.yml - - test-target: process_api_server_rules - range: "24..28" - values_file: tests/test_environments/values/ci.yml - - test-target: process_api_server_rules - range: "28..32" - values_file: tests/test_environments/values/ci.yml - - test-target: process_api_server_rules - range: "32..36" - values_file: tests/test_environments/values/ci.yml - - test-target: process_api_server_rules - range: "36..40" - values_file: tests/test_environments/values/ci.yml - - test-target: process_api_server_rules - range: "40..44" - values_file: tests/test_environments/values/ci.yml - - test-target: 
process_api_server_rules - range: "44..48" - values_file: tests/test_environments/values/ci.yml - - test-target: process_api_server_rules - range: "48..52" - values_file: tests/test_environments/values/ci.yml - - test-target: process_api_server_rules - range: "52..56" - values_file: tests/test_environments/values/ci.yml - - test-target: process_api_server_rules - range: "56.." - values_file: tests/test_environments/values/ci.yml - - test-target: process_controller_manager_rules - range: "0..4" - values_file: tests/test_environments/values/ci.yml - - test-target: process_controller_manager_rules - range: "4..8" - values_file: tests/test_environments/values/ci.yml - - test-target: process_controller_manager_rules - range: "8..12" - values_file: tests/test_environments/values/ci.yml - - test-target: process_controller_manager_rules - range: "12.." - values_file: tests/test_environments/values/ci.yml - - test-target: process_etcd_rules - range: "0..4" - values_file: tests/test_environments/values/ci.yml - - test-target: process_etcd_rules - range: "4..8" - values_file: tests/test_environments/values/ci.yml - - test-target: process_etcd_rules - range: "8.." - values_file: tests/test_environments/values/ci.yml - - test-target: process_kubelet_rules - range: "0..4" - values_file: tests/test_environments/values/ci.yml - - test-target: process_kubelet_rules - range: "4..8" - values_file: tests/test_environments/values/ci.yml - - test-target: process_kubelet_rules - range: "8..12" - values_file: tests/test_environments/values/ci.yml - - test-target: process_kubelet_rules - range: "12..16" - values_file: tests/test_environments/values/ci.yml - - test-target: process_kubelet_rules - range: "16..20" - values_file: tests/test_environments/values/ci.yml - - test-target: process_kubelet_rules - range: "20.." 
- values_file: tests/test_environments/values/ci.yml - steps: - - name: Free Disk Space (Ubuntu) - uses: jlumbroso/free-disk-space@main - with: - tool-cache: false - android: true - dotnet: true - haskell: true - large-packages: false - docker-images: true - swap-storage: true - - name: Check out the repo - uses: actions/checkout@v4 - - - name: Init Hermit - run: ./bin/hermit env -r >> $GITHUB_ENV - - - name: Create k8s Kind Cluster - run: | - just create-kind-cluster ${{ env.KIND_CONFIG }} - - - name: Cache docker images - uses: actions/cache@v4 - with: - path: /tmp/*.tar - key: ${{ runner.os }}-dockers-cache-${{ env.CONTAINER_SUFFIX }} - - - name: Load images to kind - run: | - ./.ci/scripts/kind-images.sh ${{ env.CONTAINER_SUFFIX }} ${{ env.KIND_CONFIG }} - shell: bash - - - name: Deploy tests Helm chart - id: deploy_helm - run: | - just deploy-tests-helm '${{ matrix.test-target }}' ${{ matrix.values_file }} ${{ matrix.range }} - - - name: Run Tests - id: run_tests - run: | - just run-tests '${{ matrix.test-target }}' kind-${{ env.KIND_CONFIG }} - - - name: Upload Test Results - if: always() - uses: actions/upload-artifact@v3 - with: - name: allure_results-${{ matrix.test-target}} - path: tests/allure/results/ - - - name: clear cache - id: clear_cache - if: always() - run: rm -rf /tmp/*-${{ env.CONTAINER_SUFFIX }}.tar diff --git a/tests/commonlib/io_utils.py b/tests/commonlib/io_utils.py index 98980a2111..404849fb47 100644 --- a/tests/commonlib/io_utils.py +++ b/tests/commonlib/io_utils.py 
@@ -217,103 +217,6 @@ def in_place_copy(source, destination): for line in sfile: dfile.write(line) - @staticmethod - def edit_process_file(container_name: str, dictionary, resource: str): - """ - This function edits a process file - @param container_name: Container node - @param dictionary: Process parameters to set/unset - @param resource: File / Resource path - @return: None - """ - if container_name == "": - raise ValueError("Unknown container name is sent") - - current_resource = Path(resource) - if not current_resource.is_file(): - raise FileNotFoundError(f"File {resource} does not exist or mount missing.") - - # Open and load the YAML into variable - with current_resource.open(encoding="utf-8") as file: - r_file = yaml.safe_load(file) - - # Get process configuration arguments - arguments = r_file["spec"]["containers"][0]["command"] - - # Collect set/unset keys and values from the dictionary - set_dict = dictionary.get("set", {}) - unset_list = dictionary.get("unset", []) - - # Cycle across set items from the dictionary - for s_key, s_value in set_dict.items(): - # Find if set key exists already in the configuration arguments - if any(s_key == x.split("=")[0] for x in arguments): - # Replace the value of the key with the new value from the set items - arguments = [f"{s_key}={s_value}" if arg.split("=")[0] == s_key else arg for arg in arguments] - else: - # In case of non-existing key in the configuration arguments, - # append the key/value from set items - arguments.append(f"{s_key}={s_value}") - - # Cycle across unset items from the dictionary - for us_key in unset_list: - # Filter out the unset keys from the configuration arguments - arguments = [x for x in arguments if us_key != x.split("=")[0]] - - # Override the configuration arguments with the newly built configuration arguments - r_file["spec"]["containers"][0]["command"] = arguments - - # Write the newly built configuration arguments - with current_resource.open(mode="w", encoding="utf-8") as file: - 
yaml.dump(r_file, file) - - @staticmethod - def edit_config_file(container_name: str, dictionary, resource: str): - """ - This function edits a config file - @param container_name: Container node - @param dictionary: Config parameters to set/unset - @param resource: Config path - @return: None - """ - if container_name == "": - raise ValueError("Unknown container name is sent") - - current_resource = Path(resource) - if not current_resource.is_file(): - raise FileExistsError(f"File {resource} does not exist or mount missing.") - - # Open and load the YAML into variable - with current_resource.open(encoding="utf-8") as file: - r_file = yaml.safe_load(file) - - # Collect set/unset keys and values from the dictionary - set_dict = dictionary.get("set", {}) - unset_list = dictionary.get("unset", []) - - # Merge two dictionaries with priority for the set items - r_file = {**r_file, **set_dict} - - # Cycle across unset items from the dictionary - for us_key in unset_list: - # Parsed dot separated key values - keys = us_key.split(".") - key_to_del = keys.pop() - r_dict = r_file - - # Advance inside the dictionary for nested keys - for key in keys: - r_dict = r_dict.get(key, None) - if r_dict is None: - # Non-existing nested key - break - # Remove nested keys when all path exists - if r_dict: - del r_dict[key_to_del] - # Write the newly built config - with current_resource.open(mode="w", encoding="utf-8") as file: - yaml.dump(r_file, file) - @staticmethod def get_beat_status_from_json(response: str, beat_name: str) -> str: """ diff --git a/tests/commonlib/utils.py b/tests/commonlib/utils.py index a9c1b15fb1..7b2aa60a61 100644 --- a/tests/commonlib/utils.py +++ b/tests/commonlib/utils.py 
@@ -130,34 +130,6 @@ def get_logs_evaluation( return None -def dict_contains(small, big): - """ - Checks if the small dict like object is contained inside the big object - @param small: dict like object - @param big: dict like object - @return: true iff the small dict like object is contained inside the big object - """ - if isinstance(small, dict): - if not set(small.keys()) <= set(big.keys()): - return False - for key in small.keys(): - if not dict_contains(small.get(key), big.get(key)): - return False - return True - - return small == big - - -def get_resource_identifier(body): - def resource_identifier(resource): - if getattr(resource, "to_dict", None): - return dict_contains(body, resource.to_dict()) - if getattr(resource, "__dict__", None): - return dict_contains(body, dict(resource)) - - return resource_identifier - - def wait_for_cycle_completion(elastic_client, nodes: list) -> bool: """ Wait for all agents to finish sending findings to ES. 
@@ -213,52 +185,6 @@ def is_timeout(start_time: time, timeout: int) -> bool: return time.time() - start_time > timeout -def command_contains_arguments(command, arguments_dict): - args = command.split()[1:] - args_dict = {} - for arg in args: - key, val = arg.split("=", 1) - args_dict[key] = val - - set_dict = arguments_dict.get("set", {}) - unset_list = arguments_dict.get("unset", []) - - for key, val in set_dict.items(): - arg_val = args_dict.get(key) - if val != arg_val: - return False - - for key in unset_list: - if key in args_dict: - return False - - return True - - -def config_contains_arguments(config, arguments_dict): - set_dict = arguments_dict.get("set", {}) - unset_list = arguments_dict.get("unset", []) - - if not dict_contains(set_dict, config): - return False - - for arg in unset_list: - current = config - arg_set = True - - for arg_part in arg.split("."): - if (not isinstance(current, dict)) or (arg_part not in current): - arg_set = False - break - - current = current[arg_part] - - if arg_set: - return False - - return True - - def get_findings(elastic_client, config_timeout, query, sort, match_type): """ Retrieves data from an Elasticsearch index using the specified query and sort parameters. diff --git a/tests/product/tests/conftest.py b/tests/product/tests/conftest.py index 1289fe66c2..a2e1f81a43 100644 --- a/tests/product/tests/conftest.py +++ b/tests/product/tests/conftest.py 
@@ -3,191 +3,9 @@ product tests. """ -from pathlib import Path -import time -import json -import pytest -from loguru import logger -from kubernetes.client import ApiException -from kubernetes.utils import FailToCreateError -from commonlib.io_utils import get_k8s_yaml_objects - from product.tests.parameters import TEST_PARAMETERS -DEPLOY_YML = "../../test_environments/cloudbeat-pytest.yml" -KUBE_RULES_ENV_YML = "../../test_environments/mock-pod.yml" -POD_RESOURCE_TYPE = "Pod" - - -@pytest.fixture(scope="module", name="cloudbeat_start_stop") -def data(k8s, api_client, cloudbeat_agent): - """ - This fixture starts cloudbeat, in case cloudbeat exists - restart will be performed - @param k8s: Kubernetes wrapper object - @param api_client: Docker or FileSystem client - @param cloudbeat_agent: Cloudbeat configuration - @return: - """ - file_path = Path(__file__).parent / DEPLOY_YML - if k8s.get_agent_pod_instances( - agent_name=cloudbeat_agent.name, - namespace=cloudbeat_agent.namespace, - ): - k8s.delete_from_yaml(get_k8s_yaml_objects(file_path=file_path)) - k8s.start_agent(yaml_file=file_path, namespace=cloudbeat_agent.namespace) - time.sleep(5) - yield k8s, api_client, cloudbeat_agent - k8s_yaml_list = get_k8s_yaml_objects(file_path=file_path) - k8s.delete_from_yaml(yaml_objects_list=k8s_yaml_list) # stop agent - - -@pytest.fixture(scope="module", name="config_node_pre_test") -def config_node_pre_test(cloudbeat_start_stop): - """ - This fixture performs extra operations required in - file system rules tests. 
- Before test execution creates temporary files - After test execution delete files created in Before section - @param cloudbeat_start_stop: Cloudbeat fixture execution - @return: Kubernetes object, Api client, Cloudbeat configuration - """ - k8s_client, api_client, cloudbeat_agent = cloudbeat_start_stop - - nodes = k8s_client.get_cluster_nodes() - - temp_file_list = [ - "/var/lib/etcd/some_file.txt", - "/etc/kubernetes/pki/some_file.txt", - "/etc/kubernetes/pki/some_dir/some_file.txt", - ] - - config_files = { - "/etc/kubernetes/pki/admission_config.yaml": """apiVersion: apiserver.config.k8s.io/v1 -kind: AdmissionConfiguration -plugins: - - name: EventRateLimit - path: /etc/kubernetes/pki/event_config.yaml""", - "/etc/kubernetes/pki/event_config.yaml": """apiVersion: eventratelimit.admission.k8s.io/v1alpha1 -kind: Configuration -limits: - - type: Namespace - qps: 50 - burst: 100 - cacheSize: 2000 - - type: User - qps: 10 - burst: 50""", - } - - # create temporary files: - for node in nodes: - if node.metadata.name != cloudbeat_agent.node_name: - continue - for temp_file in temp_file_list: - api_client.exec_command( - container_name=node.metadata.name, - command="mkdir", - param_value=str(Path(temp_file).parent), - resource="", - ) - api_client.exec_command( - container_name=node.metadata.name, - command="touch", - param_value=temp_file, - resource="", - ) - - # create config files: - for config_file, contents in config_files.items(): - api_client.exec_command( - container_name=node.metadata.name, - command="cat", - param_value=contents, - resource=config_file, - ) - - yield k8s_client, api_client, cloudbeat_agent - - # delete temporary files: - for node in nodes: - if node.metadata.name != cloudbeat_agent.node_name: - continue - for temp_file in temp_file_list: - api_client.exec_command( - container_name=node.metadata.name, - command="unlink", - param_value=temp_file, - resource="", - ) - - -@pytest.fixture(scope="module", name="clean_test_env") -def 
clean_test_env(cloudbeat_start_stop): - """ - Sets up a testing env with needed kube resources - """ - k8s_client, api_client, cloudbeat_agent = cloudbeat_start_stop - - file_path = Path(__file__).parent / KUBE_RULES_ENV_YML - k8s_resources = get_k8s_yaml_objects(file_path=file_path) - - for yml_resource in k8s_resources: - # check if we already have one - delete if so - resource_type, metadata = yml_resource["kind"], yml_resource["metadata"] - relevant_metadata = {k: metadata[k] for k in ("name", "namespace") if k in metadata} - try: - # try getting the resource before deleting it - will raise exception if not found - k8s_client.get_resource(resource_type=resource_type, **relevant_metadata) - k8s_client.delete_resources(resource_type=resource_type, **relevant_metadata) - k8s_client.wait_for_resource( - resource_type=resource_type, - status_list=["DELETED"], - **relevant_metadata, - ) - except ApiException as not_found: - logger.error( - f"no {relevant_metadata['name']} online - setting up a new one: {not_found}", - ) - # create resource - - k8s_client.create_from_dict(data=yml_resource, **relevant_metadata) - - yield k8s_client, api_client, cloudbeat_agent - # teardown - k8s_client.delete_from_yaml(yaml_objects_list=k8s_resources) - - -@pytest.fixture(scope="module", name="test_env") -def test_env(cloudbeat_start_stop): - """ - Sets up a testing env with needed kube resources - """ - k8s, api_client, cloudbeat_agent = cloudbeat_start_stop - - file_path = Path(__file__).parent / KUBE_RULES_ENV_YML - k8s_resources = get_k8s_yaml_objects(file_path=file_path) - - try: - k8s.create_from_yaml(yaml_file=file_path, namespace=cloudbeat_agent.namespace) - except FailToCreateError as conflict: - logger.error([json.loads(c.body)["message"] for c in conflict.api_exceptions]) - - for yml_resource in k8s_resources: - resource_type, metadata = yml_resource["kind"], yml_resource["metadata"] - relevant_metadata = {k: metadata[k] for k in ("name", "namespace") if k in metadata} - 
k8s.wait_for_resource( - resource_type=resource_type, - status_list=["RUNNING", "ADDED"], - **relevant_metadata, - ) - - yield k8s, api_client, cloudbeat_agent - # teardown - k8s.delete_from_yaml(yaml_objects_list=k8s_resources) # stop agent - - def pytest_generate_tests(metafunc): """ This function generates the test cases to run using the set of diff --git a/tests/product/tests/data/file_system/__init__.py b/tests/product/tests/data/eks/__init__.py similarity index 100% rename from tests/product/tests/data/file_system/__init__.py rename to tests/product/tests/data/eks/__init__.py diff --git a/tests/product/tests/data/file_system/eks_file_system_test_cases.py b/tests/product/tests/data/eks/eks_file_system_test_cases.py similarity index 100% rename from tests/product/tests/data/file_system/eks_file_system_test_cases.py rename to tests/product/tests/data/eks/eks_file_system_test_cases.py diff --git a/tests/product/tests/data/k8s_object/eks_k8s_object_test_cases.py b/tests/product/tests/data/eks/eks_k8s_object_test_cases.py similarity index 100% rename from tests/product/tests/data/k8s_object/eks_k8s_object_test_cases.py rename to tests/product/tests/data/eks/eks_k8s_object_test_cases.py diff --git a/tests/product/tests/data/process/eks_process_test_cases.py b/tests/product/tests/data/eks/eks_process_test_cases.py similarity index 100% rename from tests/product/tests/data/process/eks_process_test_cases.py rename to tests/product/tests/data/eks/eks_process_test_cases.py diff --git a/tests/product/tests/data/file_system/file_system_test_cases.py b/tests/product/tests/data/file_system/file_system_test_cases.py deleted file mode 100644 index 63465d7fd1..0000000000 --- a/tests/product/tests/data/file_system/file_system_test_cases.py +++ /dev/null 
@@ -1,352 +0,0 @@ -""" -This module provides file system rule test cases. -Cases are organized as rules. -Each rule has one or more test cases. -""" - -cis_1_1_1 = [ - ( - "CIS 1.1.1", - "chmod", - "0700", - "/etc/kubernetes/manifests/kube-apiserver.yaml", - "failed", - ), - ( - "CIS 1.1.1", - "chmod", - "0644", - "/etc/kubernetes/manifests/kube-apiserver.yaml", - "passed", - ), -] - -cis_1_1_2 = [ - ( - "CIS 1.1.2", - "chown", - "daemon:daemon", - "/etc/kubernetes/manifests/kube-apiserver.yaml", - "failed", - ), - ( - "CIS 1.1.2", - "chown", - "root:root", - "/etc/kubernetes/manifests/kube-apiserver.yaml", - "passed", - ), -] - -cis_1_1_3 = [ - ( - "CIS 1.1.3", - "chmod", - "0700", - "/etc/kubernetes/manifests/kube-controller-manager.yaml", - "failed", - ), - ( - "CIS 1.1.3", - "chmod", - "0644", - "/etc/kubernetes/manifests/kube-controller-manager.yaml", - "passed", - ), -] - -cis_1_1_4 = [ - ( - "CIS 1.1.4", - "chown", - "root:daemon", - "/etc/kubernetes/manifests/kube-controller-manager.yaml", - "failed", - ), - ( - "CIS 1.1.4", - "chown", - "daemon:root", - "/etc/kubernetes/manifests/kube-controller-manager.yaml", - "failed", - ), - ( - "CIS 1.1.4", - "chown", - "daemon:daemon", - "/etc/kubernetes/manifests/kube-controller-manager.yaml", - "failed", - ), - ( - "CIS 1.1.4", - "chown", - "root:root", - "/etc/kubernetes/manifests/kube-controller-manager.yaml", - "passed", - ), -] -cis_1_1_5 = [ - ( - "CIS 1.1.5", - "chmod", - "0700", - "/etc/kubernetes/manifests/kube-scheduler.yaml", - "failed", - ), - ( - "CIS 1.1.5", - "chmod", - "0644", - "/etc/kubernetes/manifests/kube-scheduler.yaml", - "passed", - ), -] - -cis_1_1_6 = [ - ( - "CIS 1.1.6", - "chown", - "root:daemon", - "/etc/kubernetes/manifests/kube-scheduler.yaml", - "failed", - ), - ( - "CIS 1.1.6", - "chown", - "root:root", - "/etc/kubernetes/manifests/kube-scheduler.yaml", - "passed", - ), -] - -cis_1_1_7 = [ - ("CIS 1.1.7", "chmod", "0700", "/etc/kubernetes/manifests/etcd.yaml", "failed"), - ("CIS 
1.1.7", "chmod", "0644", "/etc/kubernetes/manifests/etcd.yaml", "passed"), -] - -cis_1_1_8 = [ - ( - "CIS 1.1.8", - "chown", - "root:daemon", - "/etc/kubernetes/manifests/etcd.yaml", - "failed", - ), - ( - "CIS 1.1.8", - "chown", - "daemon:root", - "/etc/kubernetes/manifests/etcd.yaml", - "failed", - ), - ( - "CIS 1.1.8", - "chown", - "daemon:daemon", - "/etc/kubernetes/manifests/etcd.yaml", - "failed", - ), - ( - "CIS 1.1.8", - "chown", - "root:root", - "/etc/kubernetes/manifests/etcd.yaml", - "passed", - ), -] - -cis_1_1_11 = [ - ("CIS 1.1.11", "chmod", "0710", "/var/lib/etcd", "failed"), - ("CIS 1.1.11", "chmod", "0600", "/var/lib/etcd", "passed"), -] - -cis_1_1_12 = [ - ("CIS 1.1.12", "chown", "root:root", "/var/lib/etcd", "failed"), - ("CIS 1.1.12", "chown", "etcd:root", "/var/lib/etcd", "failed"), - ("CIS 1.1.12", "chown", "root:etcd", "/var/lib/etcd", "failed"), - ("CIS 1.1.12", "chown", "etcd:etcd", "/var/lib/etcd", "passed"), -] - -cis_1_1_13 = [ - ("CIS 1.1.13", "chmod", "0700", "/etc/kubernetes/admin.conf", "failed"), - ("CIS 1.1.13", "chmod", "0644", "/etc/kubernetes/admin.conf", "failed"), - # todo: - ("CIS 1.1.13", "chmod", "0600", "/etc/kubernetes/admin.conf", "passed"), -] - -cis_1_1_14 = [ - ("CIS 1.1.14", "chown", "root:daemon", "/etc/kubernetes/admin.conf", "failed"), - ("CIS 1.1.14", "chown", "daemon:root", "/etc/kubernetes/admin.conf", "failed"), - ("CIS 1.1.14", "chown", "daemon:daemon", "/etc/kubernetes/admin.conf", "failed"), - ("CIS 1.1.14", "chown", "root:root", "/etc/kubernetes/admin.conf", "passed"), -] - -cis_1_1_15 = [ - ("CIS 1.1.15", "chmod", "0700", "/etc/kubernetes/scheduler.conf", "failed"), - ("CIS 1.1.15", "chmod", "0644", "/etc/kubernetes/scheduler.conf", "passed"), -] - -cis_1_1_16 = [ - ("CIS 1.1.16", "chown", "root:daemon", "/etc/kubernetes/scheduler.conf", "failed"), - ("CIS 1.1.16", "chown", "daemon:root", "/etc/kubernetes/scheduler.conf", "failed"), - ( - "CIS 1.1.16", - "chown", - "daemon:daemon", - 
"/etc/kubernetes/scheduler.conf", - "failed", - ), - ("CIS 1.1.16", "chown", "root:root", "/etc/kubernetes/scheduler.conf", "passed"), -] - -cis_1_1_17 = [ - ( - "CIS 1.1.17", - "chmod", - "0700", - "/etc/kubernetes/controller-manager.conf", - "failed", - ), - ( - "CIS 1.1.17", - "chmod", - "0644", - "/etc/kubernetes/controller-manager.conf", - "passed", - ), -] - -cis_1_1_18 = [ - ( - "CIS 1.1.18", - "chown", - "root:daemon", - "/etc/kubernetes/controller-manager.conf", - "failed", - ), - ( - "CIS 1.1.18", - "chown", - "daemon:root", - "/etc/kubernetes/controller-manager.conf", - "failed", - ), - ( - "CIS 1.1.18", - "chown", - "daemon:daemon", - "/etc/kubernetes/controller-manager.conf", - "failed", - ), - ( - "CIS 1.1.18", - "chown", - "root:root", - "/etc/kubernetes/controller-manager.conf", - "passed", - ), -] - -cis_1_1_19 = [ - ("CIS 1.1.19", "chown", "root:daemon", "/etc/kubernetes/pki", "failed"), - ("CIS 1.1.19", "chown", "root:root", "/etc/kubernetes/pki", "passed"), - ("CIS 1.1.19", "chown", "root:root", "/etc/kubernetes/pki/some_file.txt", "passed"), - ("CIS 1.1.19", "chown", "daemon:root", "/etc/kubernetes/pki", "failed"), - ("CIS 1.1.19", "chown", "daemon:daemon", "/etc/kubernetes/pki", "failed"), - ( - "CIS 1.1.19", - "chown", - "root:daemon", - "/etc/kubernetes/pki/some_file.txt", - "failed", - ), - # Directory under pki/ - ("CIS 1.1.19", "chown", "root:root", "/etc/kubernetes/pki/some_dir", "passed"), - ("CIS 1.1.19", "chown", "daemon:daemon", "/etc/kubernetes/pki/some_dir", "failed"), - # Check recursion - ("CIS 1.1.19", "chown", "root:root", "/etc/kubernetes/pki/some_dir/some_file.txt", "passed"), - ("CIS 1.1.19", "chown", "daemon:daemon", "/etc/kubernetes/pki/some_dir/some_file.txt", "failed"), -] - -cis_1_1_20 = [ - ("CIS 1.1.20", "chmod", "0700", "/etc/kubernetes/pki/apiserver.crt", "failed"), - ("CIS 1.1.20", "chmod", "0666", "/etc/kubernetes/pki/apiserver.crt", "failed"), - ("CIS 1.1.20", "chmod", "0644", "/etc/kubernetes/pki/apiserver.crt", 
"passed"), -] - -cis_1_1_21 = [ - ("CIS 1.1.21", "chmod", "0644", "/etc/kubernetes/pki/apiserver.key", "failed"), - ("CIS 1.1.21", "chmod", "0600", "/etc/kubernetes/pki/apiserver.key", "passed"), -] - -cis_4_1_1 = [ - ( - "CIS 4.1.1", - "chmod", - "0700", - "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf", - "failed", - ), - ( - "CIS 4.1.1", - "chmod", - "0644", - "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf", - "passed", - ), -] - -cis_4_1_2 = [ - ( - "CIS 4.1.2", - "chown", - "root:daemon", - "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf", - "failed", - ), - ( - "CIS 4.1.2", - "chown", - "daemon:root", - "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf", - "failed", - ), - ( - "CIS 4.1.2", - "chown", - "daemon:daemon", - "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf", - "failed", - ), - ( - "CIS 4.1.2", - "chown", - "root:root", - "/etc/systemd/system/kubelet.service.d/10-kubeadm.conf", - "passed", - ), -] - -cis_4_1_5 = [ - ("CIS 4.1.5", "chmod", "0700", "/etc/kubernetes/kubelet.conf", "failed"), - ("CIS 4.1.5", "chmod", "0644", "/etc/kubernetes/kubelet.conf", "passed"), -] - -cis_4_1_6 = [ - ("CIS 4.1.6", "chown", "root:daemon", "/etc/kubernetes/kubelet.conf", "failed"), - ("CIS 4.1.6", "chown", "daemon:root", "/etc/kubernetes/kubelet.conf", "failed"), - ("CIS 4.1.6", "chown", "daemon:daemon", "/etc/kubernetes/kubelet.conf", "failed"), - ("CIS 4.1.6", "chown", "root:root", "/etc/kubernetes/kubelet.conf", "passed"), -] - -cis_4_1_9 = [ - ("CIS 4.1.9", "chmod", "0700", "/var/lib/kubelet/config.yaml", "failed"), - ("CIS 4.1.9", "chmod", "0644", "/var/lib/kubelet/config.yaml", "passed"), -] - -cis_4_1_10 = [ - ("CIS 4.1.10", "chown", "root:daemon", "/etc/kubernetes/kubelet.conf", "failed"), - ("CIS 4.1.10", "chown", "daemon:root", "/etc/kubernetes/kubelet.conf", "failed"), - ("CIS 4.1.10", "chown", "daemon:daemon", "/etc/kubernetes/kubelet.conf", "failed"), - ("CIS 4.1.10", "chown", "root:root", 
"/etc/kubernetes/kubelet.conf", "passed"), -] diff --git a/tests/product/tests/data/k8s_object/__init__.py b/tests/product/tests/data/k8s_object/__init__.py deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/tests/product/tests/data/k8s_object/k8s_object_rules.py b/tests/product/tests/data/k8s_object/k8s_object_rules.py deleted file mode 100644 index 1d28873b37..0000000000 --- a/tests/product/tests/data/k8s_object/k8s_object_rules.py +++ /dev/null 
@@ -1,412 +0,0 @@
-"""
-This module defines k8s object test cases
-"""
-
-from .k8s_object_test_cases import KubeTestCase
-
-DEFAULT = "default"
-RULE_FAIL_STATUS = "failed"
-RULE_PASS_STATUS = "passed"
-TEST_POD_NAME = "busybox-pod"
-TEST_CONTAINER_NAME = "busybox"
-TEST_ROLE_NAME = "test-role"
-TEST_CLUSTER_ROLE_NAME = "test-cluster-role"
-TEST_SERVICE_ACCOUNT_NAME = "test-service-account"
-TEST_CLUSTER_ROLE_BINDING = "test-cluster-role-binding"
-TEST_POD_SECURITY_POLICY = "test-psp"
-KUBE_SYSTEM_NAMESPACE = "kube-system"
-
-# CIS 5.1.3
-cis_5_1_3_role_fail = KubeTestCase(
- rule_tag="CIS 5.1.3",
- resource_type="Role",
- resource_body={
- "metadata": {"name": TEST_ROLE_NAME, "namespace": KUBE_SYSTEM_NAMESPACE},
- "rules": [
- {
- "apiGroups": ["*"],
- "resources": ["*"],
- "verbs": ["*"],
- },
- ],
- },
- expected=RULE_FAIL_STATUS,
-)
-
-cis_5_1_3_role_pass = KubeTestCase(
- rule_tag="CIS 5.1.3",
- resource_type="Role",
- resource_body={
- "metadata": {"name": TEST_ROLE_NAME, "namespace": KUBE_SYSTEM_NAMESPACE},
- "rules": [
- {
- "apiGroups": [""],
- "resources": ["pods"],
- "verbs": ["get", "watch", "list"],
- },
- ],
- },
- expected=RULE_PASS_STATUS,
-)
-
-cis_5_1_3_cluster_role_fail = KubeTestCase(
- rule_tag="CIS 5.1.3",
- resource_type="ClusterRole",
- resource_body={
- "metadata": {"name": TEST_CLUSTER_ROLE_NAME},
- "rules": [
- {
- "apiGroups": ["*"],
- "resources": ["*"],
- "verbs": ["*"],
- },
- ],
- },
- expected=RULE_FAIL_STATUS,
-)
-
-cis_5_1_3_cluster_role_pass = KubeTestCase(
- rule_tag="CIS 5.1.3",
- resource_type="ClusterRole",
- resource_body={
- "metadata": {"name": TEST_CLUSTER_ROLE_NAME},
- "rules": [
- {
- "apiGroups": [""],
- "resources": ["pods"],
- "verbs": ["get", "watch", "list"],
- },
- ],
- },
- expected=RULE_PASS_STATUS,
-)
-
-cis_5_1_3 = {
- "5.1.3 Role with wildcards": cis_5_1_3_role_fail,
- "5.1.3 Role with no wildcards": cis_5_1_3_role_pass,
- "5.1.3 ClusterRole with wildcards": cis_5_1_3_cluster_role_fail,
- "5.1.3 ClusterRole with no wildcards": cis_5_1_3_cluster_role_pass,
-}
-
-# CIS 5.1.5
-cis_5_1_5_pod_serviceAccount = KubeTestCase(
- rule_tag="CIS 5.1.5",
- resource_type="Pod",
- resource_body={
- "metadata": {"name": TEST_POD_NAME, "namespace": KUBE_SYSTEM_NAMESPACE},
- "spec": {"serviceAccount": DEFAULT},
- },
- expected=RULE_FAIL_STATUS,
-)
-
-cis_5_1_5_pod_serviceAccountName = KubeTestCase(
- rule_tag="CIS 5.1.5",
- resource_type="Pod",
- resource_body={
- "metadata": {"name": TEST_POD_NAME, "namespace": KUBE_SYSTEM_NAMESPACE},
- "spec": {"serviceAccountName": DEFAULT},
- },
- expected=RULE_FAIL_STATUS,
-)
-
-cis_5_1_5_service_account = KubeTestCase(
- rule_tag="CIS 5.1.5",
- resource_type="ServiceAccount",
- resource_body={
- "metadata": {"name": DEFAULT, "namespace": DEFAULT},
- "automountServiceAccountToken": True,
- },
- expected=RULE_FAIL_STATUS,
-)
-
-cis_5_1_5 = {
- "5.1.5 ServiceAccount.Name == default and automountServiceAccountToken == true": cis_5_1_5_service_account,
- "5.1.5 Pod.serviceAccount == default": cis_5_1_5_pod_serviceAccount,
- "5.1.5 Pod.serviceAccountName == default": cis_5_1_5_pod_serviceAccountName,
-}
-
-# CIS 5.1.6
-cis_5_1_6_pod_fail = KubeTestCase(
- rule_tag="CIS 5.1.6",
- resource_type="Pod",
- resource_body={
- "metadata": {"name": TEST_POD_NAME, "namespace": KUBE_SYSTEM_NAMESPACE},
- "spec": {"automountServiceAccountToken": True},
- },
- expected=RULE_FAIL_STATUS,
-)
-
-cis_5_1_6_pod_pass = KubeTestCase(
- rule_tag="CIS 5.1.6",
- resource_type="Pod",
- resource_body={
- "metadata": {"name": TEST_POD_NAME, "namespace": KUBE_SYSTEM_NAMESPACE},
- "spec": {"automountServiceAccountToken": False},
- },
- expected=RULE_PASS_STATUS,
-)
-
-cis_5_1_6_service_account_fail = KubeTestCase(
- rule_tag="CIS 5.1.6",
- resource_type="ServiceAccount",
- resource_body={
- "metadata": {
- "name": TEST_SERVICE_ACCOUNT_NAME,
- "namespace": KUBE_SYSTEM_NAMESPACE,
- },
- "automountServiceAccountToken": True,
- },
- expected=RULE_FAIL_STATUS,
-)
-
-cis_5_1_6_service_account_pass = KubeTestCase(
- rule_tag="CIS 5.1.6",
- resource_type="ServiceAccount",
- resource_body={
- "metadata": {
- "name": TEST_SERVICE_ACCOUNT_NAME,
- "namespace": KUBE_SYSTEM_NAMESPACE,
- },
- "automountServiceAccountToken": False,
- },
- expected=RULE_PASS_STATUS,
-)
-
-cis_5_1_6 = {
- "5.1.6 Pod.spec.automountServiceAccountToken == true": cis_5_1_6_pod_fail,
- "5.1.6 Pod.spec.automountServiceAccountToken == false": cis_5_1_6_pod_pass,
- "5.1.6 ServiceAccount.automountServiceAccountToken == true": cis_5_1_6_service_account_pass,
- "5.1.6 ServiceAccount.automountServiceAccountToken == false": cis_5_1_6_service_account_fail,
-}
-
-# CIS 5.2.2
-cis_5_2_2_pod_fail = KubeTestCase(
- rule_tag="CIS 5.2.2",
- resource_type="Pod",
- resource_body={
- "metadata": {"name": TEST_POD_NAME, "namespace": KUBE_SYSTEM_NAMESPACE},
- "spec": {
- "containers": [
- {"name": TEST_CONTAINER_NAME, "securityContext": {"privileged": True}},
- ],
- },
- },
- expected=RULE_FAIL_STATUS,
-)
-
-cis_5_2_2_pod_pass = KubeTestCase(
- rule_tag="CIS 5.2.2",
- resource_type="Pod",
- resource_body={
- "metadata": {"name": TEST_POD_NAME, "namespace": KUBE_SYSTEM_NAMESPACE},
- "spec": {
- "containers": [
- {"name": TEST_CONTAINER_NAME, "securityContext": {"privileged": False}},
- ],
- },
- },
- expected=RULE_PASS_STATUS,
-)
-
-cis_5_2_2 = {
- "5.2.2 Pod.spec.containers.securityContext.privileged == true": cis_5_2_2_pod_fail,
- "5.2.2 Pod.spec.containers.securityContext.privileged == false": cis_5_2_2_pod_pass,
-}
-
-# CIS 5.2.3
-cis_5_2_3_pod_fail = KubeTestCase(
- rule_tag="CIS 5.2.3",
- resource_type="Pod",
- resource_body={
- "metadata": {"name": TEST_POD_NAME, "namespace": KUBE_SYSTEM_NAMESPACE},
- "spec": {"hostPID": True},
- },
- expected=RULE_FAIL_STATUS,
-)
-
-cis_5_2_3_pod_pass = KubeTestCase(
- rule_tag="CIS 5.2.3",
- resource_type="Pod",
- resource_body={
- "metadata": {"name": TEST_POD_NAME, "namespace": KUBE_SYSTEM_NAMESPACE},
- "spec": {"hostPID": False},
- },
- expected=RULE_PASS_STATUS,
-)
-
-cis_5_2_3 = {
- "5.2.3 Pod.spec.hostPID == true": cis_5_2_3_pod_fail,
- "5.2.3 Pod.spec.hostPID == false": cis_5_2_3_pod_pass,
-}
-
-# CIS 5.2.4
-cis_5_2_4_pod_fail = KubeTestCase(
- rule_tag="CIS 5.2.4",
- resource_type="Pod",
- resource_body={
- "metadata": {"name": TEST_POD_NAME, "namespace": KUBE_SYSTEM_NAMESPACE},
- "spec": {"hostIPC": True},
- },
- expected=RULE_FAIL_STATUS,
-)
-
-cis_5_2_4_pod_pass = KubeTestCase(
- rule_tag="CIS 5.2.4",
- resource_type="Pod",
- resource_body={
- "metadata": {"name": TEST_POD_NAME, "namespace": KUBE_SYSTEM_NAMESPACE},
- "spec": {"hostIPC": False},
- },
- expected=RULE_PASS_STATUS,
-)
-
-cis_5_2_4 = {
- "5.2.4 Pod.spec.hostIPC == true": cis_5_2_4_pod_fail,
- "5.2.4 Pod.spec.hostIPC == false": cis_5_2_4_pod_pass,
-}
-
-# CIS 5.2.5
-cis_5_2_5_pod_fail = KubeTestCase(
- rule_tag="CIS 5.2.5",
- resource_type="Pod",
- resource_body={
- "metadata": {"name": TEST_POD_NAME, "namespace": KUBE_SYSTEM_NAMESPACE},
- "spec": {"hostNetwork": True},
- },
- expected=RULE_FAIL_STATUS,
-)
-
-cis_5_2_5_pod_pass = KubeTestCase(
- rule_tag="CIS 5.2.5",
- resource_type="Pod",
- resource_body={
- "metadata": {"name": TEST_POD_NAME, "namespace": KUBE_SYSTEM_NAMESPACE},
- "spec": {"hostNetwork": False},
- },
- expected=RULE_PASS_STATUS,
-)
-
-cis_5_2_5 = {
- "5.2.5 Pod.spec.hostNetwork == true": cis_5_2_5_pod_fail,
- "5.2.5 Pod.spec.hostNetwork == false": cis_5_2_5_pod_pass,
-}
-
-# CIS 5.2.6
-cis_5_2_6_pod_fail = KubeTestCase(
- rule_tag="CIS 5.2.6",
- resource_type="Pod",
- resource_body={
- "metadata": {"name": TEST_POD_NAME, "namespace": KUBE_SYSTEM_NAMESPACE},
- "spec": {
- "containers": [
- {
- "name": TEST_CONTAINER_NAME,
- "securityContext": {"allowPrivilegeEscalation": True},
- },
- ],
- },
- },
- expected=RULE_FAIL_STATUS,
-)
-
-cis_5_2_6_pod_pass = KubeTestCase(
- rule_tag="CIS 5.2.6",
- resource_type="Pod",
- resource_body={
- "metadata": {"name": TEST_POD_NAME, "namespace": KUBE_SYSTEM_NAMESPACE},
- "spec": {
- "containers": [
- {
- "name": TEST_CONTAINER_NAME,
- "securityContext": {"allowPrivilegeEscalation": False},
- },
- ],
- },
- },
- expected=RULE_PASS_STATUS,
-)
-
-cis_5_2_6 = {
- "5.2.6 Pod.spec.containers.securityContext.allowPrivilegeEscalation == true": cis_5_2_6_pod_fail,
- "5.2.6 Pod.spec.containers.securityContext.allowPrivilegeEscalation == false": cis_5_2_6_pod_pass,
-}
-
-# CIS 5.2.7
-cis_5_2_7_pod_fail = KubeTestCase(
- rule_tag="CIS 5.2.7",
- resource_type="Pod",
- resource_body={
- "metadata": {"name": TEST_POD_NAME, "namespace": KUBE_SYSTEM_NAMESPACE},
- "spec": {
- "runAsUser": {"rule": "MustRunAs", "ranges": [{"min": 0, "max": 65535}]},
- },
- },
- expected=RULE_FAIL_STATUS,
-)
-
-cis_5_2_7_pod_pass = KubeTestCase(
- rule_tag="CIS 5.2.7",
- resource_type="Pod",
- resource_body={
- "metadata": {"name": TEST_POD_NAME, "namespace": KUBE_SYSTEM_NAMESPACE},
- "spec": {
- "runAsUser": {"rule": "MustRunAs", "ranges": [{"min": 1, "max": 65535}]},
- },
- },
- expected=RULE_PASS_STATUS,
-)
-
-cis_5_2_7_pod_container_fail = KubeTestCase(
- rule_tag="CIS 5.2.7",
- resource_type="Pod",
- resource_body={
- "metadata": {"name": TEST_POD_NAME, "namespace": KUBE_SYSTEM_NAMESPACE},
- "spec": {
- "containers": [
- {"name": TEST_CONTAINER_NAME, "securityContext": {"runAsUser": 0}},
- ],
- },
- },
- expected=RULE_FAIL_STATUS,
-)
-
-cis_5_2_7 = {
- "5.2.7 Pod.spec.runAsUser allows root": cis_5_2_7_pod_fail,
- "5.2.7 Pod.spec.runAsUser forbids root": cis_5_2_7_pod_pass,
- "5.2.7 Pod.container.spec.securityContext.runAsUser == root": cis_5_2_7_pod_container_fail,
-}
-
-# CIS 5.2.8
-cis_5_2_8_pod_container_fail = KubeTestCase(
- rule_tag="CIS 5.2.8",
- resource_type="Pod",
- resource_body={
- "metadata": {"name": TEST_POD_NAME, "namespace": KUBE_SYSTEM_NAMESPACE},
- "spec": {
- "containers": [
- {"name": TEST_CONTAINER_NAME, "securityContext": {"runAsUser": 0}},
- ],
- },
- },
- expected=RULE_FAIL_STATUS,
-)
-
-# CIS 5.2.8
-cis_5_2_8_pod_container_pass = KubeTestCase(
- rule_tag="CIS 5.2.8",
- resource_type="Pod",
- resource_body={
- "metadata": {"name": TEST_POD_NAME, "namespace": KUBE_SYSTEM_NAMESPACE},
- "spec": {
- "containers": [
- {"name": TEST_CONTAINER_NAME, "securityContext": {"capabilities": {"drop": ["ALL"]}}},
- ],
- },
- },
- expected=RULE_PASS_STATUS,
-)
-
-cis_5_2_8 = {
- "5.2.8 Pod.container.spec.securityContext.runAsUser == root": cis_5_2_8_pod_container_fail,
- "5.2.8 Pod.container.spec.securityContext.capabilities drop all": cis_5_2_8_pod_container_pass,
-}
diff --git a/tests/product/tests/data/k8s_object/k8s_object_test_cases.py b/tests/product/tests/data/k8s_object/k8s_object_test_cases.py
deleted file mode 100644
index 8e0207876f..0000000000
--- a/tests/product/tests/data/k8s_object/k8s_object_test_cases.py
+++ /dev/null
@@ -1,23 +0,0 @@
-"""
-This module provides definition for k8s object test cases
-"""
-
-from dataclasses import dataclass, astuple
-
-
-@dataclass
-class KubeTestCase:
- """
- Represent a test case for Kube API resources
- """
-
- rule_tag: str
- resource_type: str
- resource_body: dict
- expected: str
-
- def __iter__(self):
- return iter(astuple(self))
-
- def __len__(self):
- return len(astuple(self))
diff --git a/tests/product/tests/data/process/__init__.py b/tests/product/tests/data/process/__init__.py
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/tests/product/tests/data/process/process_test_cases.py b/tests/product/tests/data/process/process_test_cases.py
deleted file mode 100644
index cec0e8269c..0000000000
--- a/tests/product/tests/data/process/process_test_cases.py
+++ /dev/null
@@ -1,1042 +0,0 @@
-"""
-This module contains process test cases definition.
-Each rule is list of tuples
-Rule test case is defined as tuple of data
-"""
-
-from commonlib.framework.reporting import skip_param_case, SkipReportData
-
-cis_1_2_4 = [
- (
- "CIS 1.2.4",
- {"unset": ["--kubelet-https"]},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "passed",
- ),
-]
-
-cis_2_1 = [
- (
- "CIS 2.1",
- {
- "set": {
- "--cert-file": "/etc/kubernetes/pki/etcd/server.crt",
- "--key-file": "/etc/kubernetes/pki/etcd/server.key",
- },
- },
- "/etc/kubernetes/manifests/etcd.yaml",
- "passed",
- ),
-]
-
-cis_2_2 = [
- (
- "CIS 2.2",
- {"unset": ["--client-cert-auth"]},
- "/etc/kubernetes/manifests/etcd.yaml",
- "failed",
- ),
- (
- "CIS 2.2",
- {"set": {"--client-cert-auth": "false"}},
- "/etc/kubernetes/manifests/etcd.yaml",
- "failed",
- ),
- (
- "CIS 2.2",
- {"set": {"--client-cert-auth": "true"}},
- "/etc/kubernetes/manifests/etcd.yaml",
- "passed",
- ),
-]
-
-cis_2_3 = [
- (
- "CIS 2.3",
- {"set": {"--auto-tls": "false"}},
- "/etc/kubernetes/manifests/etcd.yaml",
- "passed",
- ),
- (
- "CIS 2.3",
- {"set": {"--auto-tls": "true"}},
- "/etc/kubernetes/manifests/etcd.yaml",
- "failed",
- ),
- (
- "CIS 2.3",
- {"unset": ["--auto-tls"]},
- "/etc/kubernetes/manifests/etcd.yaml",
- "passed",
- ),
-]
-
-cis_2_4 = [
- (
- "CIS 2.4",
- {
- "set": {
- "--peer-cert-file": "/etc/kubernetes/pki/etcd/peer.crt",
- "--peer-key-file": "/etc/kubernetes/pki/etcd/peer.key",
- },
- },
- "/etc/kubernetes/manifests/etcd.yaml",
- "passed",
- ),
-]
-
-cis_2_5 = [
- (
- "CIS 2.5",
- {"unset": ["--peer-client-cert-auth"]},
- "/etc/kubernetes/manifests/etcd.yaml",
- "failed",
- ),
- (
- "CIS 2.5",
- {"set": {"--peer-client-cert-auth": "false"}},
- "/etc/kubernetes/manifests/etcd.yaml",
- "failed",
- ),
- (
- "CIS 2.5",
- {"set": {"--peer-client-cert-auth": "true"}},
- "/etc/kubernetes/manifests/etcd.yaml",
- "passed",
- ),
-]
-
-cis_2_6 = [
- (
- "CIS 2.6",
- {"set": {"--peer-auto-tls": "false"}},
- "/etc/kubernetes/manifests/etcd.yaml",
- "passed",
- ),
- (
- "CIS 2.6",
- {"set": {"--peer-auto-tls": "true"}},
- "/etc/kubernetes/manifests/etcd.yaml",
- "failed",
- ),
- (
- "CIS 2.6",
- {"unset": ["--peer-auto-tls"]},
- "/etc/kubernetes/manifests/etcd.yaml",
- "passed",
- ),
-]
-
-cis_1_4_1 = [
- (
- "CIS 1.4.1",
- {"set": {"--profiling": "true"}},
- "/etc/kubernetes/manifests/kube-scheduler.yaml",
- "failed",
- ),
- (
- "CIS 1.4.1",
- {"unset": ["--profiling"]},
- "/etc/kubernetes/manifests/kube-scheduler.yaml",
- "failed",
- ),
- (
- "CIS 1.4.1",
- {"set": {"--profiling": "false"}},
- "/etc/kubernetes/manifests/kube-scheduler.yaml",
- "passed",
- ),
-]
-
-cis_1_4_2 = [
- (
- "CIS 1.4.2",
- {"set": {"--bind-address": "0.0.0.0"}},
- "/etc/kubernetes/manifests/kube-scheduler.yaml",
- "failed",
- ),
- (
- "CIS 1.4.2",
- {"unset": ["--bind-address"]},
- "/etc/kubernetes/manifests/kube-scheduler.yaml",
- "failed",
- ),
- (
- "CIS 1.4.2",
- {"set": {"--bind-address": "127.0.0.1"}},
- "/etc/kubernetes/manifests/kube-scheduler.yaml",
- "passed",
- ),
-]
-
-cis_1_3_2 = [
- (
- "CIS 1.3.2",
- {"set": {"--profiling": "true"}},
- "/etc/kubernetes/manifests/kube-controller-manager.yaml",
- "failed",
- ),
- (
- "CIS 1.3.2",
- {"unset": ["--profiling"]},
- "/etc/kubernetes/manifests/kube-controller-manager.yaml",
- "failed",
- ),
- (
- "CIS 1.3.2",
- {"set": {"--profiling": "false"}},
- "/etc/kubernetes/manifests/kube-controller-manager.yaml",
- "passed",
- ),
-]
-
-cis_1_3_3 = [
- (
- "CIS 1.3.3",
- {"set": {"--use-service-account-credentials": "false"}},
- "/etc/kubernetes/manifests/kube-controller-manager.yaml",
- "failed",
- ),
- (
- "CIS 1.3.3",
- {"unset": ["--use-service-account-credentials"]},
- "/etc/kubernetes/manifests/kube-controller-manager.yaml",
- "failed",
- ),
- (
- "CIS 1.3.3",
- {"set": {"--use-service-account-credentials": "true"}},
- "/etc/kubernetes/manifests/kube-controller-manager.yaml",
- "passed",
- ),
-]
-
-cis_1_3_4 = [
- (
- "CIS 1.3.4",
- {"unset": ["--use-service-account-credentials"]},
- "/etc/kubernetes/manifests/kube-controller-manager.yaml",
- "passed",
- ),
-]
-
-cis_1_3_5 = [
- (
- "CIS 1.3.5",
- {"unset": ["--root-ca-file"]},
- "/etc/kubernetes/manifests/kube-controller-manager.yaml",
- "failed",
- ),
-]
-
-cis_1_3_6 = [
- (
- "CIS 1.3.6",
- {"set": {"--feature-gates": "RotateKubeletServerCertificate=false"}},
- "/etc/kubernetes/manifests/kube-controller-manager.yaml",
- "failed",
- ),
- (
- "CIS 1.3.6",
- {"unset": ["--feature-gates"]},
- "/etc/kubernetes/manifests/kube-controller-manager.yaml",
- "failed",
- ),
- (
- "CIS 1.3.6",
- {"set": {"--feature-gates": "RotateKubeletServerCertificate=true"}},
- "/etc/kubernetes/manifests/kube-controller-manager.yaml",
- "passed",
- ),
-]
-
-cis_1_3_7 = [
- (
- "CIS 1.3.7",
- {"set": {"--bind-address": "0.0.0.0"}},
- "/etc/kubernetes/manifests/kube-controller-manager.yaml",
- "failed",
- ),
- (
- "CIS 1.3.7",
- {"unset": ["--bind-address"]},
- "/etc/kubernetes/manifests/kube-controller-manager.yaml",
- "failed",
- ),
- (
- "CIS 1.3.7",
- {"set": {"--bind-address": "127.0.0.1"}},
- "/etc/kubernetes/manifests/kube-controller-manager.yaml",
- "passed",
- ),
-]
-
-cis_1_2_2 = [
- (
- "CIS 1.2.2",
- {"unset": ["--token-auth-file"]},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "passed",
- ),
-]
-
-cis_1_2_3 = [
- (
- "CIS 1.2.3",
- {"unset": ["--DenyServiceExternalIPs"]},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "passed",
- ),
-]
-
-cis_1_2_5 = [
- (
- "CIS 1.2.5",
- {
- "set": {
- "--kubelet-client-certificate": "/etc/kubernetes/pki/apiserver-kubelet-client.crt",
- "--kubelet-client-key": "/etc/kubernetes/pki/apiserver-kubelet-client.key",
- },
- },
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "passed",
- ),
-]
-
-cis_1_2_6 = [
- (
- "CIS 1.2.6",
- {"unset": ["--kubelet-certificate-authority"]},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "failed",
- ),
-]
-
-cis_1_2_7 = [
- (
- "CIS 1.2.7",
- {"set": {"--authorization-mode": "AlwaysAllow"}},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "failed",
- ),
- (
- "CIS 1.2.7",
- {"unset": ["--authorization-mode"]},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "passed",
- ),
- (
- "CIS 1.2.7",
- {"set": {"--authorization-mode": "Node,RBAC"}},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "passed",
- ),
-]
-
-cis_1_2_8 = [
- (
- "CIS 1.2.8",
- {"unset": ["--authorization-mode"]},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "failed",
- ),
- (
- "CIS 1.2.8",
- {"set": {"--authorization-mode": "Node,RBAC"}},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "passed",
- ),
-]
-
-cis_1_2_9 = [
- (
- "CIS 1.2.9",
- {"set": {"--authorization-mode": "Node"}},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "failed",
- ),
- (
- "CIS 1.2.9",
- {"unset": ["--authorization-mode"]},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "failed",
- ),
- (
- "CIS 1.2.9",
- {"set": {"--authorization-mode": "Node,RBAC"}},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "passed",
- ),
-]
-
-cis_1_2_10 = [
- (
- "CIS 1.2.10",
- {"unset": ["--enable-admission-plugins"]},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "failed",
- ),
- (
- "CIS 1.2.10",
- {
- "set": {
- "--enable-admission-plugins": "EventRateLimit",
- "--admission-control-config-file": "/etc/kubernetes/pki/admission_config.yaml",
- },
- },
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "passed",
- ),
-]
-
-cis_1_2_11 = [
- (
- "CIS 1.2.11",
- {"set": {"--enable-admission-plugins": "AlwaysAdmit"}},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "failed",
- ),
- (
- "CIS 1.2.11",
- {"unset": ["--enable-admission-plugins"]},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "passed",
- ),
- (
- "CIS 1.2.11",
- {"set": {"--enable-admission-plugins": "NodeRestriction"}},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "passed",
- ),
-]
-
-cis_1_2_12 = [
- (
- "CIS 1.2.12",
- {"unset": ["--enable-admission-plugins"]},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "failed",
- ),
- (
- "CIS 1.2.12",
- {"set": {"--enable-admission-plugins": "AlwaysPullImages"}},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "passed",
- ),
-]
-
-cis_1_2_13 = [
- (
- "CIS 1.2.13",
- {"unset": ["--enable-admission-plugins"]},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "failed",
- ),
- (
- "CIS 1.2.13",
- {"set": {"--enable-admission-plugins": "AlwaysPullImages"}},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "failed",
- ),
- (
- "CIS 1.2.13",
- {"set": {"--enable-admission-plugins": "SecurityContextDeny"}},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "passed",
- ),
- (
- "CIS 1.2.13",
- {"set": {"--enable-admission-plugins": "PodSecurityPolicy"}},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "passed",
- ),
-]
-
-cis_1_2_14 = [
- (
- "CIS 1.2.14",
- {"set": {"--disable-admission-plugins": "ServiceAccount"}},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "failed",
- ),
- (
- "CIS 1.2.14",
- {"unset": ["--disable-admission-plugins"]},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "failed",
- ),
-]
-
-cis_1_2_15 = [
- (
- "CIS 1.2.15",
- {"set": {"--disable-admission-plugins": "NamespaceLifecycle"}},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "failed",
- ),
- (
- "CIS 1.2.15",
- {"unset": ["--disable-admission-plugins"]},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "failed",
- ),
-]
-
-cis_1_2_16 = [
- (
- "CIS 1.2.16",
- {"unset": ["--enable-admission-plugins"]},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "failed",
- ),
- (
- "CIS 1.2.16",
- {"set": {"--enable-admission-plugins": "NodeRestriction"}},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "passed",
- ),
-]
-
-cis_1_2_17 = [
- (
- "CIS 1.2.17",
- {"unset": ["--secure-port"]},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "passed",
- ),
- (
- "CIS 1.2.17",
- {"set": {"--secure-port": "6443"}},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "passed",
- ),
-]
-
-cis_1_2_18 = [
- (
- "CIS 1.2.18",
- {"set": {"--profiling": "true"}},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "failed",
- ),
- (
- "CIS 1.2.18",
- {"set": {"--profiling": "false"}},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "passed",
- ),
- (
- "CIS 1.2.18",
- {"unset": ["--profiling"]},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "failed",
- ),
-]
-
-cis_1_2_19 = [
- (
- "CIS 1.2.19",
- {"unset": ["--audit-log-path"]},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "failed",
- ),
-]
-
-cis_1_2_20 = [
- (
- "CIS 1.2.20",
- {"set": {"--audit-log-maxage": "260492"}},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "passed",
- ),
- (
- "CIS 1.2.20",
- {"set": {"--audit-log-maxage": "30"}},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "passed",
- ),
- (
- "CIS 1.2.20",
- {"unset": ["--audit-log-maxage"]},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "failed",
- ),
-]
-
-cis_1_2_21 = [
- (
- "CIS 1.2.21",
- {"set": {"--audit-log-maxbackup": "-1"}},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "failed",
- ),
- (
- "CIS 1.2.21",
- {"set": {"--audit-log-maxbackup": "10"}},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "passed",
- ),
- (
- "CIS 1.2.21",
- {"unset": ["--audit-log-maxbackup"]},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "failed",
- ),
-]
-
-cis_1_2_22 = [
- (
- "CIS 1.2.22",
- {"set": {"--audit-log-maxsize": "-1"}},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "failed",
- ),
- (
- "CIS 1.2.22",
- {"set": {"--audit-log-maxsize": "100"}},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "passed",
- ),
- (
- "CIS 1.2.22",
- {"unset": ["--audit-log-maxsize"]},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "failed",
- ),
-]
-
-cis_1_2_23 = [
- (
- "CIS 1.2.23",
- {"set": {"--request-timeout": "59s"}},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "failed",
- ),
- (
- "CIS 1.2.23",
- {"set": {"--request-timeout": "300s"}},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "passed",
- ),
- (
- "CIS 1.2.23",
- {"unset": ["--request-timeout"]},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "passed",
- ),
-]
-
-cis_1_2_24 = [
- (
- "CIS 1.2.24",
- {"set": {"--service-account-lookup": "false"}},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "failed",
- ),
- (
- "CIS 1.2.24",
- {"set": {"--service-account-lookup": "true"}},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "passed",
- ),
- (
- "CIS 1.2.24",
- {"unset": ["--service-account-lookup"]},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "passed",
- ),
-]
-
-cis_1_2_25 = [
- (
- "CIS 1.2.25",
- {"set": {"--service-account-key-file": "/etc/kubernetes/pki/sa.pub"}},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "passed",
- ),
-]
-
-cis_1_2_26 = [
- (
- "CIS 1.2.26",
- {
- "set": {
- "--etcd-certfile": "/etc/kubernetes/pki/apiserver-etcd-client.crt",
- "--etcd-keyfile": "/etc/kubernetes/pki/apiserver-etcd-client.key",
- },
- },
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "passed",
- ),
-]
-
-cis_1_2_27 = [
- (
- "CIS 1.2.27",
- {
- "set": {
- "--tls-cert-file": "/etc/kubernetes/pki/apiserver.crt",
- "--tls-private-key-file": "/etc/kubernetes/pki/apiserver.key",
- },
- },
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "passed",
- ),
-]
-
-cis_1_2_28 = [
- (
- "CIS 1.2.28",
- {"set": {"--client-ca-file": "/etc/kubernetes/pki/ca.crt"}},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "passed",
- ),
-]
-
-cis_1_2_29 = [
- (
- "CIS 1.2.29",
- {"set": {"--etcd-cafile": "/etc/kubernetes/pki/etcd/ca.crt"}},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "passed",
- ),
-]
-
-cis_1_2_32 = [
- (
- "CIS 1.2.32",
- {"set": {"--tls-cipher-suites": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"}},
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "passed",
- ),
- (
- "CIS 1.2.32",
- {
- "set": {
- "--tls-cipher-suites": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
- },
- },
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "passed",
- ),
- (
- "CIS 1.2.32",
- {
- "set": {
- "--tls-cipher-suites": "TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
- },
- },
- "/etc/kubernetes/manifests/kube-apiserver.yaml",
- "failed",
- ),
-]
-
-cis_4_2_1 = [
- (
- "CIS 4.2.1",
- {
- "set": {"authentication": {"anonymous": {"enabled": True}}},
- },
- "/var/lib/kubelet/config.yaml",
- "failed",
- ),
- (
- "CIS 4.2.1",
- {"set": {"authentication": {"anonymous": {"enabled": False}}}},
- "/var/lib/kubelet/config.yaml",
- "passed",
- ),
-]
-
-cis_4_2_2 = [
- (
- "CIS 4.2.2",
- {"set": {"authorization": {"mode": "AlwaysAllow"}}},
- "/var/lib/kubelet/config.yaml",
- "failed",
- ),
- (
- "CIS 4.2.2",
- {"set": {"authorization": {"mode": "Webhook"}}},
- "/var/lib/kubelet/config.yaml",
- "passed",
- ),
-]
-
-cis_4_2_3 = [
- (
- "CIS 4.2.3",
- {"unset": ["authentication.x509.clientCAFile"]},
- "/var/lib/kubelet/config.yaml",
- "failed",
- ),
-]
-
-cis_4_2_4 = [
- (
- "CIS 4.2.4",
- {"set": {"readOnlyPort": 26492}},
- "/var/lib/kubelet/config.yaml",
- "failed",
- ),
- (
- "CIS 4.2.4",
- {"set": {"readOnlyPort": 0}},
- "/var/lib/kubelet/config.yaml",
- "passed",
- ),
-]
-
-cis_4_2_5 = [
- (
- "CIS 4.2.5",
- {"set": {"streamingConnectionIdleTimeout": 0}},
- "/var/lib/kubelet/config.yaml",
- "failed",
- ),
- (
- "CIS 4.2.5",
- {"set": {"streamingConnectionIdleTimeout": "26492s"}},
- "/var/lib/kubelet/config.yaml",
- "passed",
- ),
-]
-
-cis_4_2_6 = [
- (
- "CIS 4.2.6",
- {"set": {"protectKernelDefaults": False}},
- "/var/lib/kubelet/config.yaml",
- "failed",
- ),
- (
- "CIS 4.2.6",
- {"set": {"protectKernelDefaults": True}},
- "/var/lib/kubelet/config.yaml",
- "passed",
- ),
-]
-
-cis_4_2_7 = [
- (
- "CIS 4.2.7",
- {"set": {"makeIPTablesUtilChains": False}},
- "/var/lib/kubelet/config.yaml",
- "failed",
- ),
- (
- "CIS 4.2.7",
- {"set": {"makeIPTablesUtilChains": True}},
- "/var/lib/kubelet/config.yaml",
- "passed",
- ),
-]
-
-cis_4_2_9 = [
- (
- "CIS 4.2.9",
- {"set": {"eventRecordQPS": 4}},
- "/var/lib/kubelet/config.yaml",
- "failed",
- ),
- (
- "CIS 4.2.9",
- {"set": {"eventRecordQPS": 0}},
- "/var/lib/kubelet/config.yaml",
- "passed",
- ),
-]
-
-cis_4_2_10 = [
- (
- "CIS 4.2.10",
- {"set": {"tlsCertFile": "", "tlsPrivateKeyFile": ""}},
- "/var/lib/kubelet/config.yaml",
- "passed",
- ),
-]
-
-cis_4_2_11 = [
- (
- "CIS 4.2.11",
- {"set": {"rotateCertificates": False}},
- "/var/lib/kubelet/config.yaml",
- "failed",
- ),
- (
- "CIS 4.2.11",
- {"set": {"rotateCertificates": True}},
- "/var/lib/kubelet/config.yaml",
- "passed",
- ),
-]
-
-cis_4_2_12 = [
- # TODO test case should fail instead of pass
- # (
- # 'CIS 4.2.12',
- # {
- # "set": {
- # "serverTLSBootstrap": False,
- # "featureGates": {
- # "RotateKubeletServerCertificate": False
- # }
- # }
- # },
- # '/var/lib/kubelet/config.yaml',
- # 'failed'
- # ),
- (
- "CIS 4.2.12",
- {
- "set": {
- "serverTLSBootstrap": False,
- "featureGates": {"RotateKubeletServerCertificate": True},
- },
- },
- "/var/lib/kubelet/config.yaml",
- "passed",
- ),
- (
- "CIS 4.2.12",
- {
- "set": {
- "serverTLSBootstrap": True,
- "featureGates": {"RotateKubeletServerCertificate": False},
- },
- },
- "/var/lib/kubelet/config.yaml",
- "passed",
- ),
-]
-
-cis_4_2_13 = [
- (
- "CIS 4.2.13",
- {"set": {"TLSCipherSuites": ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_DUMMY"]}},
- "/var/lib/kubelet/config.yaml",
- "failed",
- ),
- (
- "CIS 4.2.13",
- {"set": {"TLSCipherSuites": ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"]}},
- "/var/lib/kubelet/config.yaml",
- "passed",
- ),
- (
- "CIS 4.2.13",
- {
- "set": {
- "TLSCipherSuites": [
- "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
- "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
- "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
- "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
- "TLS_RSA_WITH_AES_256_GCM_SHA384",
- "TLS_RSA_WITH_AES_128_GCM_SHA256",
- ],
- },
- },
- "/var/lib/kubelet/config.yaml",
- "passed",
- ),
-]
-
-etcd_rules = [
- *cis_2_1,
- *cis_2_2,
- *skip_param_case(
- skip_objects=[*cis_2_5],
- data_to_report=SkipReportData(
- url_title="cloudbeat: #512",
- url_link="https://github.com/elastic/cloudbeat/issues/512",
- skip_reason="flaky test",
- ),
- ),
- *cis_2_6,
-]
-
-api_server_rules = [
- *cis_1_2_2,
- *skip_param_case(
- skip_objects=[*cis_1_2_3],
- data_to_report=SkipReportData(
- url_title="security-team: #4975",
- url_link="https://github.com/elastic/security-team/issues/4975",
- skip_reason="Known issue: rule not implemented",
- ),
- ),
- *cis_1_2_4,
- *cis_1_2_5,
- *cis_1_2_6,
- *cis_1_2_7,
- *cis_1_2_8,
- *skip_param_case(
- skip_objects=[*cis_1_2_9],
- data_to_report=SkipReportData(
- url_title="security-team: #5128",
- url_link="https://github.com/elastic/security-team/issues/5128",
- skip_reason="Known issue: connection errors",
- ),
- ),
- *cis_1_2_10,
- *cis_1_2_11,
- *cis_1_2_12,
- *cis_1_2_13,
- *cis_1_2_14,
- *cis_1_2_15,
- *cis_1_2_16,
- *cis_1_2_17,
- *cis_1_2_18,
- *cis_1_2_19,
- *cis_1_2_20,
- *cis_1_2_21,
- *cis_1_2_22,
- *cis_1_2_23,
- *cis_1_2_24,
- *cis_1_2_25,
- *cis_1_2_26,
- *cis_1_2_27,
- *cis_1_2_28,
- *cis_1_2_29,
- *cis_1_2_32,
-]
-
-controller_manager_rules = [
- *cis_1_3_2,
- *cis_1_3_3,
- *cis_1_3_4,
- *cis_1_3_5,
- *cis_1_3_6,
- *cis_1_3_7,
-]
-
-scheduler_rules = [
- *cis_1_4_1,
- *cis_1_4_2,
-]
-
-kubelet_rules = [
- *cis_4_2_1,
- *cis_4_2_2,
- *skip_param_case(
- skip_objects=[*cis_4_2_3],
- data_to_report=SkipReportData(
- skip_reason="Known issue",
- url_link="https://github.com/elastic/security-team/issues/5106",
- url_title="security-team #5106",
- ),
- ),
- *cis_4_2_4,
- *cis_4_2_5,
- *cis_4_2_6,
- *cis_4_2_7,
- *cis_4_2_9,
- # *cis_4_2_8, # TODO setting is not configurable via the Kubelet config file.
- *cis_4_2_10,
- *cis_4_2_11,
- *cis_4_2_12, # TODO first test case should fail instead of pass
- *cis_4_2_13,
-]
diff --git a/tests/product/tests/test_eks_file_system_rules.py b/tests/product/tests/test_eks_file_system_rules.py
index e96ad61124..518e1c2435 100644
--- a/tests/product/tests/test_eks_file_system_rules.py
+++ b/tests/product/tests/test_eks_file_system_rules.py
@@ -7,7 +7,7 @@ import pytest
 from commonlib.utils import get_ES_evaluation
-from product.tests.data.file_system import eks_file_system_test_cases as eks_fs_tc
+from product.tests.data.eks import eks_file_system_test_cases as eks_fs_tc
 from product.tests.parameters import register_params, Parameters
diff --git a/tests/product/tests/test_eks_k8s_objects_rules.py b/tests/product/tests/test_eks_k8s_objects_rules.py
index 67c2f53556..18b9b43d0b 100644
--- a/tests/product/tests/test_eks_k8s_objects_rules.py
+++ b/tests/product/tests/test_eks_k8s_objects_rules.py
@@ -9,7 +9,7 @@ from loguru import logger
 from commonlib.utils import get_ES_evaluation
-from product.tests.data.k8s_object import eks_k8s_object_test_cases as eks_k8s_object_tc
+from product.tests.data.eks import eks_k8s_object_test_cases as eks_k8s_object_tc
 from product.tests.parameters import register_params, Parameters
diff --git a/tests/product/tests/test_eks_process_kubelet_rules.py b/tests/product/tests/test_eks_process_kubelet_rules.py
index bba4304230..cddbf98eee 100644
--- a/tests/product/tests/test_eks_process_kubelet_rules.py
+++ b/tests/product/tests/test_eks_process_kubelet_rules.py
@@ -7,7 +7,7 @@ import pytest
 from commonlib.utils import get_ES_evaluation
-from product.tests.data.process import eks_process_test_cases as eks_proc_tc
+from product.tests.data.eks import eks_process_test_cases as eks_proc_tc
 from product.tests.parameters import register_params, Parameters
diff --git a/tests/product/tests/test_file_system_rules.py b/tests/product/tests/test_file_system_rules.py
deleted file mode 100644
index 139914c5d1..0000000000
--- a/tests/product/tests/test_file_system_rules.py +++ /dev/null 
@@ -1,114 +0,0 @@
-"""
-Kubernetes CIS rules verification.
-This module verifies correctness of retrieved findings by manipulating audit and remediation actions
-"""
-
-from datetime import datetime
-import pytest
-from commonlib.utils import get_ES_evaluation
-
-from product.tests.data.file_system import file_system_test_cases as fs_tc
-from product.tests.parameters import register_params, Parameters
-
-
-@pytest.mark.file_system_rules
-def test_file_system_configuration(
- kspm_client,
- config_node_pre_test,
- rule_tag,
- command,
- param_value,
- resource,
- expected,
-):
- """
- This data driven test verifies rules and findings return by cloudbeat agent.
- In order to add new cases @pytest.mark.parameterize section shall be updated.
- Setup and teardown actions are defined in data method.
- This test creates cloudbeat agent instance,
- changes node resources (modes, users, groups) and verifies,
- that cloudbeat returns correct finding.
- @param rule_tag: Name of rule to be verified.
- @param command: Command to be executed, for example chmod / chown
- @param param_value: Value to be used when executing command.
- @param resource: Full path to resource / file
- @param expected: Result to be found in finding evaluation field.
- @return: None - Test Pass / Fail result is generated.
- """
- # pylint: disable=duplicate-code
-
- k8s_client, api_client, cloudbeat_agent = config_node_pre_test
- # Currently, single node is used, in the future may be extended for all nodes.
- node = k8s_client.get_cluster_nodes()[0]
- api_client.exec_command(
- container_name=node.metadata.name,
- command=command,
- param_value=param_value,
- resource=resource,
- )
-
- def identifier(ident_resource):
- eval_resource = ident_resource.resource.raw
- if not eval_resource.path.endswith(resource):
- return False
-
- if command == "chmod":
- try:
- return int(eval_resource.mode) == int(param_value)
- except AttributeError:
- return False
-
- elif command == "chown":
- owner, group = param_value.split(":")
- try:
- return (eval_resource.owner == owner) and (eval_resource.group == group)
- except AttributeError:
- return False
-
- return False
-
- evaluation = get_ES_evaluation(
- elastic_client=kspm_client,
- timeout=cloudbeat_agent.findings_timeout,
- rule_tag=rule_tag,
- exec_timestamp=datetime.utcnow(),
- resource_identifier=identifier,
- )
-
- assert evaluation is not None, f"No evaluation for rule {rule_tag} could be found"
- assert evaluation == expected, f"Rule {rule_tag} verification failed," f"expected: {expected}, got: {evaluation}"
-
-
-register_params(
- test_file_system_configuration,
- Parameters(
- ("rule_tag", "command", "param_value", "resource", "expected"),
- [
- *fs_tc.cis_1_1_1,
- *fs_tc.cis_1_1_2,
- *fs_tc.cis_1_1_3,
- *fs_tc.cis_1_1_4,
- *fs_tc.cis_1_1_5,
- *fs_tc.cis_1_1_6,
- *fs_tc.cis_1_1_7,
- *fs_tc.cis_1_1_8,
- *fs_tc.cis_1_1_11,
- *fs_tc.cis_1_1_12,
- *fs_tc.cis_1_1_13,
- *fs_tc.cis_1_1_14,
- *fs_tc.cis_1_1_15,
- *fs_tc.cis_1_1_16,
- *fs_tc.cis_1_1_17,
- *fs_tc.cis_1_1_18,
- *fs_tc.cis_1_1_19,
- *fs_tc.cis_1_1_20,
- *fs_tc.cis_1_1_21,
- *fs_tc.cis_4_1_1,
- *fs_tc.cis_4_1_2,
- *fs_tc.cis_4_1_5,
- *fs_tc.cis_4_1_6,
- *fs_tc.cis_4_1_9,
- *fs_tc.cis_4_1_10,
- ],
- ),
-)
diff --git a/tests/product/tests/test_k8s_objects_rules.py b/tests/product/tests/test_k8s_objects_rules.py
deleted file mode 100644
index 5a054419c4..0000000000
--- a/tests/product/tests/test_k8s_objects_rules.py
+++ /dev/null
@@ -1,128 +0,0 @@
-"""
-Kubernetes CIS rules verification.
-This module verifies correctness of retrieved findings by manipulating audit and remediation actions
-"""
-
-from datetime import datetime
-import uuid
-
-import pytest
-
-from loguru import logger
-from product.tests.data.k8s_object import k8s_object_rules as k8s_tc
-from product.tests.parameters import register_params, Parameters
-
-from commonlib.utils import get_ES_evaluation
-from commonlib.framework.reporting import skip_param_case, SkipReportData
-
-
-@pytest.mark.k8s_object_rules
-def test_kube_resource_patch(
- kspm_client,
- test_env,
- rule_tag,
- resource_type,
- resource_body,
- expected,
-):
- """
- Test kube resource
- @param test_env: pre step that set-ups a kube resources to test on
- @param rule_tag: rule tag in the CIS benchmark
- @param resource_type: kube resource type, e.g., Pod, ServiceAccount, etc.
- @param resource_body: a dict to represent the relevant properties of the resource
- @param expected: "failed" or "passed"
- """
- # pylint: disable=duplicate-code
-
- k8s_client, _, agent_config = test_env
-
- # make sure resource exists
- metadata = resource_body["metadata"]
- relevant_metadata = {k: metadata[k] for k in ("name", "namespace") if k in metadata}
- try:
- resource = k8s_client.get_resource(resource_type=resource_type, **relevant_metadata)
- except TypeError as type_error:
- logger.error(type_error)
- resource = k8s_client.get_resource(
- resource_type=resource_type,
- namespace=agent_config.namespace,
- **relevant_metadata,
- )
-
- assert resource, f"Resource {resource_type} not found"
-
- test_resource_id = str(uuid.uuid4())
-
- labels = metadata.setdefault("labels", {})
- labels["test_resource_id"] = test_resource_id
-
- # patch resource
- resource = k8s_client.patch_resources(
- resource_type=resource_type,
- body=resource_body,
- **relevant_metadata,
- )
- if resource is None:
- raise ValueError(
- f"Could not patch resource type {resource_type}:" f" {relevant_metadata} with patch {resource_body}",
- )
-
- def match_resource(ident_resource):
- try:
- eval_resource = ident_resource.resource.raw
- return eval_resource.metadata.labels.test_resource_id == test_resource_id
- except AttributeError:
- return False
-
- evaluation = get_ES_evaluation(
- elastic_client=kspm_client,
- timeout=agent_config.findings_timeout,
- rule_tag=rule_tag,
- exec_timestamp=datetime.utcnow(),
- resource_identifier=match_resource,
- )
-
- assert evaluation is not None, f"No evaluation for rule {rule_tag} could be found"
- assert evaluation == expected, f"Rule {rule_tag} verification failed, " f"expected: {expected} actual: {evaluation}"
-
-
-register_params(
- test_kube_resource_patch,
- Parameters(
- ("rule_tag", "resource_type", "resource_body", "expected"),
- [
- *k8s_tc.cis_5_1_3.values(),
- *k8s_tc.cis_5_1_5.values(),
- *k8s_tc.cis_5_1_6.values(),
- *k8s_tc.cis_5_2_3.values(),
- *k8s_tc.cis_5_2_4.values(),
- *k8s_tc.cis_5_2_5.values(),
- *k8s_tc.cis_5_2_2.values(),
- *k8s_tc.cis_5_2_6.values(),
- *skip_param_case(
- skip_objects=[*k8s_tc.cis_5_2_7.values()],
- data_to_report=SkipReportData(
- url_title="security-team: #4540",
- url_link="https://github.com/elastic/security-team/issues/4540",
- skip_reason="Known issue: incorrect implementation",
- ),
- ),
- *k8s_tc.cis_5_2_8.values(),
- ],
- ids=[
- *k8s_tc.cis_5_1_3.keys(),
- *k8s_tc.cis_5_1_5.keys(),
- *k8s_tc.cis_5_1_6.keys(),
- *k8s_tc.cis_5_2_3.keys(),
- *k8s_tc.cis_5_2_4.keys(),
- *k8s_tc.cis_5_2_5.keys(),
- *k8s_tc.cis_5_2_2.keys(),
- *k8s_tc.cis_5_2_6.keys(),
- *k8s_tc.cis_5_2_7.keys(),
- *k8s_tc.cis_5_2_8.keys(),
- # *k8s_tc.cis_5_2_9.keys(), - TODO: cases are not implemented
- # *k8s_tc.cis_5_2_10.keys() - TODO: cases are not implemented
- ],
- ),
-)
diff --git a/tests/product/tests/test_process_api_server_rules.py b/tests/product/tests/test_process_api_server_rules.py
deleted file mode 100644
index f2a0acdd69..0000000000
--- a/tests/product/tests/test_process_api_server_rules.py
+++ /dev/null
@@ -1,75 +0,0 @@
-"""
-Kubernetes CIS rules verification.
-This module verifies correctness of retrieved findings by manipulating audit and remediation actions
-"""
-
-from datetime import datetime
-
-import time
-import pytest
-
-from commonlib.utils import get_ES_evaluation, command_contains_arguments
-from product.tests.data.process.process_test_cases import api_server_rules
-from product.tests.parameters import register_params, Parameters
-
-
-@pytest.mark.process_api_server_rules
-def test_process_api_server(
- kspm_client,
- config_node_pre_test,
- rule_tag,
- dictionary,
- resource,
- expected,
-):
- """
- This data driven test verifies rules and findings return by cloudbeat agent.
- In order to add new cases @pytest.mark.parameterize section shall be updated.
- Setup and teardown actions are defined in data method.
- This test creates cloudbeat agent instance, changes node resources (modes, users, groups) and verifies,
- that cloudbeat returns correct finding.
- @param rule_tag: Name of rule to be verified.
- @param dictionary: Set and Unset dictionary
- @param resource: Full path to resource / file
- @param expected: Result to be found in finding evaluation field.
- @return: None - Test Pass / Fail result is generated.
- """
- # pylint: disable=duplicate-code
-
- k8s_client, api_client, cloudbeat_agent = config_node_pre_test
-
- if "edit_process_file" not in dir(api_client):
- pytest.skip("skipping process rules run in non-containerized api_client")
-
- # Currently, single node is used, in the future may be extended for all nodes.
- node = k8s_client.get_cluster_nodes()[0]
- api_client.edit_process_file(
- container_name=node.metadata.name,
- dictionary=dictionary,
- resource=resource,
- )
-
- # Wait for process reboot
- # TODO: Implement a more optimal way of waiting
- time.sleep(60)
-
- def identifier(ident_resource):
- eval_resource = ident_resource.resource.raw
- return command_contains_arguments(eval_resource.command, dictionary)
-
- evaluation = get_ES_evaluation(
- elastic_client=kspm_client,
- timeout=cloudbeat_agent.findings_timeout,
- rule_tag=rule_tag,
- exec_timestamp=datetime.utcnow(),
- resource_identifier=identifier,
- )
-
- assert evaluation is not None, f"No evaluation for rule {rule_tag} could be found"
- assert evaluation == expected, f"Rule {rule_tag} verification failed, expected: {expected} actual: {evaluation}"
-
-
-register_params(
- test_process_api_server,
- Parameters(("rule_tag", "dictionary", "resource", "expected"), api_server_rules),
-)
diff --git a/tests/product/tests/test_process_controller_manager_rules.py b/tests/product/tests/test_process_controller_manager_rules.py
deleted file mode 100644
index 41db23554b..0000000000
--- a/tests/product/tests/test_process_controller_manager_rules.py
+++ /dev/null
@@ -1,78 +0,0 @@
-"""
-Kubernetes CIS rules verification.
-This module verifies correctness of retrieved findings by manipulating audit and remediation actions
-"""
-
-from datetime import datetime
-
-import time
-import pytest
-
-from commonlib.utils import get_ES_evaluation, command_contains_arguments
-from product.tests.data.process.process_test_cases import controller_manager_rules
-from product.tests.parameters import register_params, Parameters
-
-
-@pytest.mark.process_controller_manager_rules
-def test_process_controller_manager(
- kspm_client,
- config_node_pre_test,
- rule_tag,
- dictionary,
- resource,
- expected,
-):
- """
- This data driven test verifies rules and findings return by cloudbeat agent.
- In order to add new cases @pytest.mark.parameterize section shall be updated.
- Setup and teardown actions are defined in data method.
- This test creates cloudbeat agent instance, changes node resources (modes, users, groups) and verifies,
- that cloudbeat returns correct finding.
- @param rule_tag: Name of rule to be verified.
- @param dictionary: Set and Unset dictionary
- @param resource: Full path to resource / file
- @param expected: Result to be found in finding evaluation field.
- @return: None - Test Pass / Fail result is generated.
- """
- # pylint: disable=duplicate-code
-
- k8s_client, api_client, cloudbeat_agent = config_node_pre_test
-
- if "edit_process_file" not in dir(api_client):
- pytest.skip("skipping process rules run in non-containerized api_client")
-
- # Currently, single node is used, in the future may be extended for all nodes.
- node = k8s_client.get_cluster_nodes()[0]
- api_client.edit_process_file(
- container_name=node.metadata.name,
- dictionary=dictionary,
- resource=resource,
- )
-
- # Wait for process reboot
- # TODO: Implement a more optimal way of waiting
- time.sleep(60)
-
- def identifier(ident_resource):
- eval_resource = ident_resource.resource.raw
- return command_contains_arguments(eval_resource.command, dictionary)
-
- evaluation = get_ES_evaluation(
- elastic_client=kspm_client,
- timeout=cloudbeat_agent.findings_timeout,
- rule_tag=rule_tag,
- exec_timestamp=datetime.utcnow(),
- resource_identifier=identifier,
- )
-
- assert evaluation is not None, f"No evaluation for rule {rule_tag} could be found"
- assert evaluation == expected, f"Rule {rule_tag} verification failed, expected: {expected} actual: {evaluation}"
-
-
-register_params(
- test_process_controller_manager,
- Parameters(
- ("rule_tag", "dictionary", "resource", "expected"),
- controller_manager_rules,
- ),
-)
diff --git a/tests/product/tests/test_process_etcd_rules.py b/tests/product/tests/test_process_etcd_rules.py
deleted file mode 100644
index 7ac50d42eb..0000000000
--- a/tests/product/tests/test_process_etcd_rules.py
+++ /dev/null
@@ -1,75 +0,0 @@
-"""
-Kubernetes CIS rules verification.
-This module verifies correctness of retrieved findings by manipulating audit and remediation actions
-"""
-
-from datetime import datetime
-
-import time
-import pytest
-
-from commonlib.utils import get_ES_evaluation, command_contains_arguments
-from product.tests.data.process.process_test_cases import etcd_rules
-from product.tests.parameters import register_params, Parameters
-
-
-@pytest.mark.process_etcd_rules
-def test_process_etcd(
- kspm_client,
- config_node_pre_test,
- rule_tag,
- dictionary,
- resource,
- expected,
-):
- """
- This data driven test verifies rules and findings return by cloudbeat agent.
- In order to add new cases @pytest.mark.parameterize section shall be updated.
- Setup and teardown actions are defined in data method.
- This test creates cloudbeat agent instance, changes node resources (modes, users, groups) and verifies,
- that cloudbeat returns correct finding.
- @param rule_tag: Name of rule to be verified.
- @param dictionary: Set and Unset dictionary
- @param resource: Full path to resource / file
- @param expected: Result to be found in finding evaluation field.
- @return: None - Test Pass / Fail result is generated.
- """
- # pylint: disable=duplicate-code
-
- k8s_client, api_client, cloudbeat_agent = config_node_pre_test
-
- if "edit_process_file" not in dir(api_client):
- pytest.skip("skipping process rules run in non-containerized api_client")
-
- # Currently, single node is used, in the future may be extended for all nodes.
- node = k8s_client.get_cluster_nodes()[0]
- api_client.edit_process_file(
- container_name=node.metadata.name,
- dictionary=dictionary,
- resource=resource,
- )
-
- # Wait for process reboot
- # TODO: Implement a more optimal way of waiting
- time.sleep(60)
-
- def identifier(ident_resource):
- eval_resource = ident_resource.resource.raw
- return command_contains_arguments(eval_resource.command, dictionary)
-
- evaluation = get_ES_evaluation(
- elastic_client=kspm_client,
- timeout=cloudbeat_agent.findings_timeout,
- rule_tag=rule_tag,
- exec_timestamp=datetime.utcnow(),
- resource_identifier=identifier,
- )
-
- assert evaluation is not None, f"No evaluation for rule {rule_tag} could be found"
- assert evaluation == expected, f"Rule {rule_tag} verification failed, expected: {expected} actual: {evaluation}"
-
-
-register_params(
- test_process_etcd,
- Parameters(("rule_tag", "dictionary", "resource", "expected"), etcd_rules),
-)
diff --git a/tests/product/tests/test_process_kubelet_rules.py b/tests/product/tests/test_process_kubelet_rules.py
deleted file mode 100644
index fbe94dcb5e..0000000000
--- a/tests/product/tests/test_process_kubelet_rules.py
+++ /dev/null
@@ -1,83 +0,0 @@
-"""
-Kubernetes CIS rules verification.
-This module verifies correctness of retrieved findings by manipulating audit and remediation actions
-"""
-
-from datetime import datetime
-
-import time
-import pytest
-
-from commonlib.utils import get_ES_evaluation, config_contains_arguments
-from product.tests.data.process.process_test_cases import kubelet_rules
-from product.tests.parameters import register_params, Parameters
-
-
-@pytest.mark.process_kubelet_rules
-def test_process_kubelet(
- kspm_client,
- config_node_pre_test,
- rule_tag,
- dictionary,
- resource,
- expected,
-):
- """
- This data driven test verifies rules and findings return by cloudbeat agent.
- In order to add new cases @pytest.mark.parameterize section shall be updated.
- Setup and teardown actions are defined in data method.
- This test creates cloudbeat agent instance, changes node resources (modes, users, groups) and verifies,
- that cloudbeat returns correct finding.
- @param rule_tag: Name of rule to be verified.
- @param dictionary: Set and Unset dictionary
- @param resource: Full path to resource / file
- @param expected: Result to be found in finding evaluation field.
- @return: None - Test Pass / Fail result is generated.
- """
- # pylint: disable=duplicate-code
-
- k8s_client, api_client, cloudbeat_agent = config_node_pre_test
-
- if "edit_config_file" not in dir(api_client):
- pytest.skip("skipping process rules run in non-containerized api_client")
-
- # Currently, single node is used, in the future may be extended for all nodes.
- node = k8s_client.get_cluster_nodes()[0]
- api_client.edit_config_file(
- container_name=node.metadata.name,
- dictionary=dictionary,
- resource=resource,
- )
-
- # Wait for process reboot
- # TODO: Implement a more optimal way of waiting
- time.sleep(60)
-
- def identifier(ident_resource):
- try:
- eval_resource = ident_resource.resource.raw
- kubelet_config = eval_resource.external_data.config
- except AttributeError:
- return False
-
- if kubelet_config is None:
- return False
-
- return config_contains_arguments(kubelet_config, dictionary)
-
- evaluation = get_ES_evaluation(
- elastic_client=kspm_client,
- timeout=cloudbeat_agent.findings_timeout,
- rule_tag=rule_tag,
- exec_timestamp=datetime.utcnow(),
- resource_identifier=identifier,
- )
-
- assert evaluation is not None, f"No evaluation for rule {rule_tag} could be found"
- assert evaluation == expected, f"Rule {rule_tag} verification failed, expected: {expected} actual: {evaluation}"
-
-
-register_params(
- test_process_kubelet,
- Parameters(("rule_tag", "dictionary", "resource", "expected"), kubelet_rules),
-)
diff --git a/tests/product/tests/test_process_scheduler_rules.py b/tests/product/tests/test_process_scheduler_rules.py
deleted file mode 100644
index 533a135fe9..0000000000
--- a/tests/product/tests/test_process_scheduler_rules.py
+++ /dev/null
@@ -1,75 +0,0 @@
-"""
-Kubernetes CIS rules verification.
-This module verifies correctness of retrieved findings by manipulating audit and remediation actions
-"""
-
-from datetime import datetime
-
-import time
-import pytest
-
-from commonlib.utils import get_ES_evaluation, command_contains_arguments
-from product.tests.data.process.process_test_cases import scheduler_rules
-from product.tests.parameters import register_params, Parameters
-
-
-@pytest.mark.process_scheduler_rules
-def test_process_scheduler(
- kspm_client,
- config_node_pre_test,
- rule_tag,
- dictionary,
- resource,
- expected,
-):
- """
- This data driven test verifies rules and findings return by cloudbeat agent.
- In order to add new cases @pytest.mark.parameterize section shall be updated.
- Setup and teardown actions are defined in data method.
- This test creates cloudbeat agent instance, changes node resources (modes, users, groups) and verifies,
- that cloudbeat returns correct finding.
- @param rule_tag: Name of rule to be verified.
- @param dictionary: Set and Unset dictionary
- @param resource: Full path to resource / file
- @param expected: Result to be found in finding evaluation field.
- @return: None - Test Pass / Fail result is generated.
- """
- # pylint: disable=duplicate-code
-
- k8s_client, api_client, cloudbeat_agent = config_node_pre_test
-
- if "edit_process_file" not in dir(api_client):
- pytest.skip("skipping process rules run in non-containerized api_client")
-
- # Currently, single node is used, in the future may be extended for all nodes.
- node = k8s_client.get_cluster_nodes()[0]
- api_client.edit_process_file(
- container_name=node.metadata.name,
- dictionary=dictionary,
- resource=resource,
- )
-
- # Wait for process reboot
- # TODO: Implement a more optimal way of waiting
- time.sleep(60)
-
- def identifier(ident_resource):
- eval_resource = ident_resource.resource.raw
- return command_contains_arguments(eval_resource.command, dictionary)
-
- evaluation = get_ES_evaluation(
- elastic_client=kspm_client,
- timeout=cloudbeat_agent.findings_timeout,
- rule_tag=rule_tag,
- exec_timestamp=datetime.utcnow(),
- resource_identifier=identifier,
- )
-
- assert evaluation is not None, f"No evaluation for rule {rule_tag} could be found"
- assert evaluation == expected, f"Rule {rule_tag} verification failed, expected: {expected} actual: {evaluation}"
-
-
-register_params(
- test_process_scheduler,
- Parameters(("rule_tag", "dictionary", "resource", "expected"), scheduler_rules),
-)
diff --git a/tests/pyproject.toml b/tests/pyproject.toml
index 5ce9df7a05..10582dfd35 100644
--- a/tests/pyproject.toml
+++ b/tests/pyproject.toml
@@ -42,17 +42,9 @@ markers = [
 "pre_merge_agent",
 "sanity",
 # test target markers
- "file_system_rules",
 "k8s_file_system_rules",
 "k8s_object_psp_rules",
 "k8s_process_rules",
- "k8s_object_rules",
- "process_api_server_rules",
- "process_controller_manager_rules",
- "process_etcd_rules",
- "process_api_server_rules",
- "process_scheduler_rules",
- "process_kubelet_rules",
 "eks_file_system_rules",
 "eks_process_rules",
 "eks_k8s_objects_rules",