Check for the recommended security requirements of the container-nati…

…ve operators

cnf-certification-test/identifiers/identifiers.go

@@ -937,7 +937,7 @@ that Node's kernel may not have the same hacks.'`,
 	TestOperatorRunAsUserID = AddCatalogEntry(
 		"run-as-user-id",
 		common.OperatorTestKey,
-		`Tests that checks user id should not be 0.`,
+		`Tests that checks the user id of the pods created by the operator is not 0`,
 		OperatorRunAsUserID,
 		NoExceptions,
 		TestOperatorRunAsUserIDDocLink,
@@ -953,7 +953,7 @@ that Node's kernel may not have the same hacks.'`,
 	TestOperatorRunAsNonRoot = AddCatalogEntry(
 		"run-as-non-root",
 		common.OperatorTestKey,
-		`Tests that checks run as non root.`,
+		`Tests that checks the pods created by the operator is run as non root.`,
 		OperatorRunAsNonRoot,
 		NoExceptions,
 		TestOperatorRunAsNonRootDocLink,
@@ -969,7 +969,7 @@ that Node's kernel may not have the same hacks.'`,
 	TestOperatorAutomountTokens = AddCatalogEntry(
 		"automount-tokens",
 		common.OperatorTestKey,
-		`Tests that checks the automount service account token is disabled.`,
+		`Tests that check the pods created by the operator ensure that the automount service account token is disabled.`,
 		OperatorAutomountTokens,
 		NoExceptions,
 		TestOperatorAutomountTokensDocLink,
@@ -985,7 +985,7 @@ that Node's kernel may not have the same hacks.'`,
 	TestOperatorReadOnlyFilesystem = AddCatalogEntry(
 		"read-only-file-system",
 		common.OperatorTestKey,
-		`Tests that checks the read-only root filesystem setting is enabled.`,
+		`Tests that check the pods created by the operator ensure that the read-only root filesystem setting is enabled.`,
 		OperatorReadOnlyFilesystem,
 		NoExceptions,
 		TestOperatorReadOnlyFilesystemDocLink,

cnf-certification-test/identifiers/remediation.go

@@ -83,13 +83,13 @@ const (
 
 	OperatorCrdSchemaIdentifierRemediation = `Ensure that the Operator CRD is defined with OpenAPI spec.`
 
-	OperatorRunAsUserID = `Ensure that user id should not be 0.`
+	OperatorRunAsUserID = `Ensure that the user ID of the pods created by the operator is not 0.`
 
-	OperatorRunAsNonRoot = `Ensure that run as non root.`
+	OperatorRunAsNonRoot = `Ensure that the pods created by the operator are run as non-root.`
 
-	OperatorAutomountTokens = `Ensure that the automount service account token is disabled.`
+	OperatorAutomountTokens = `Ensure that the pods created by the operator have the automount service account token disabled.`
 
-	OperatorReadOnlyFilesystem = `Ensure that the read-only root filesystem setting is enabled.`
+	OperatorReadOnlyFilesystem = `Ensure that the pods created by the operator have the read-only root filesystem setting enabled.`
 
 	OperatorCrdVersioningRemediation = `Ensure that the Operator CRD has a valid version.`
 

cnf-certification-test/operator/suite.go

@@ -355,10 +355,10 @@ func testOperatorRunAsUserID(check *checksdb.Check, env *provider.TestEnvironmen
 	for _, put := range env.AllOperatorPods {
 		check.LogInfo("Testing Pod %q", put)
 		if put.IsRunAsUserID(0) {
-			check.LogError("Pod %q UserID is 0", put.Name)
+			check.LogError("Pod %q UserID of the pods created by the operator is 0", put.Name)
 			nonCompliantObjects = append(nonCompliantObjects, testhelper.NewPodReportObject(put.Namespace, put.Name, "Pod has been found with UserID is 0", false))
 		} else {
-			check.LogInfo("Pod %q UserID is not 0", put.Name)
+			check.LogInfo("Pod %q UserID of the pods created by the operator is not 0", put.Name)
 			compliantObjects = append(compliantObjects, testhelper.NewPodReportObject(put.Namespace, put.Name, "Pod has been found with UserID is not 0", true))
 		}
 	}
@@ -371,10 +371,10 @@ func testOperatorRunAsNonRoot(check *checksdb.Check, env *provider.TestEnvironme
 	for _, put := range env.AllOperatorPods {
 		check.LogInfo("Testing Pod %q", put)
 		if put.IsRunAsNonRoot() {
-			check.LogInfo("Pod %q is run as not root", put.Name)
+			check.LogInfo("Pod %q created by the operator is run as not root", put.Name)
 			compliantObjects = append(compliantObjects, testhelper.NewPodReportObject(put.Namespace, put.Name, "Pod has been found is run as not root", true))
 		} else {
-			check.LogError("Pod %q is run as root", put.Name)
+			check.LogError("Pod %q created by the operator is run as root", put.Name)
 			nonCompliantObjects = append(nonCompliantObjects, testhelper.NewPodReportObject(put.Namespace, put.Name, "Pod has been found is run as root", false))
 		}
 	}
@@ -391,7 +391,7 @@ func testOperatorAutomountTokens(check *checksdb.Check, env *provider.TestEnviro
 		podPassed, newMsg := rbac.EvaluateAutomountTokens(client.K8sClient.CoreV1(), put.Pod)
 		if !podPassed {
 			check.LogInfo("Pod %q have automount service tokens set to false", put)
-			compliantObjects = append(compliantObjects, testhelper.NewPodReportObject(put.Namespace, put.Name, "Pod %q have automount service tokens set to false", true))
+			compliantObjects = append(compliantObjects, testhelper.NewPodReportObject(put.Namespace, put.Name, "Pod %q created by the operator that the automount service account token set to false", true))
 		} else {
 			check.LogError(newMsg)
 			nonCompliantObjects = append(nonCompliantObjects, testhelper.NewPodReportObject(put.Namespace, put.Name, newMsg, false))
@@ -408,10 +408,10 @@ func testOperatorReadOnlyFilesystem(check *checksdb.Check, env *provider.TestEnv
 		for _, cut := range put.Containers {
 			check.LogInfo("Testing Container %q", cut.Name)
 			if cut.IsReadOnlyRootFilesystem(check.GetLoggger()) {
-				check.LogInfo("Pod %q container %q is read only root file system.", put.Name, cut.Name)
+				check.LogInfo("Pod %q container %q created by the operator is read only root file system.", put.Name, cut.Name)
 				compliantObjects = append(compliantObjects, testhelper.NewPodReportObject(put.Namespace, put.Name, "Pod has been found read only root file system", true))
 			} else {
-				check.LogError("Pod %q container %q is read not only root file system.", put.Name, cut.Name)
+				check.LogError("Pod %q container %q created by the operator is read not only root file system.", put.Name, cut.Name)
 				nonCompliantObjects = append(nonCompliantObjects, testhelper.NewPodReportObject(put.Namespace, put.Name, "Pod has been found read not only root file system", false))
 			}
 		}