security requirements of the container-native operators #1967
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
shimritproj
force-pushed
the
securityOperators
branch
from
1fbed6f
to
651df13
Compare
|
from change #1967: |
bnshr
requested changes
Apr 9, 2024
sebrandon1
reviewed
Apr 10, 2024
|
@shimritproj could you add this new test to the CATALOG.md? Thanks |
sebrandon1
reviewed
Apr 15, 2024
shimritproj
force-pushed
the
securityOperators
branch
from
651df13
to
e7b8a0c
Compare
shimritproj
force-pushed
the
securityOperators
branch
6 times, most recently
from
b9b2eb3
to
1deda2b
Compare
aabughosh
reviewed
May 2, 2024
shimritproj
force-pushed
the
securityOperators
branch
from
1deda2b
to
a976e0f
Compare
|
from change #1967: |
Don't know if it's expected, but the four new tests added in this change are all skipped in this DCI job. Are they behaving properly? |
shimritproj
force-pushed
the
securityOperators
branch
from
a976e0f
to
584eca9
Compare
|
from change #1967: |
|
@shimritproj Could you please move the description of the functions as code comments? |
bnshr
requested changes
May 7, 2024
I am aware of the issue and actively working on it. This is why I indicated that the PR is still a work in progress and not yet ready for review. @ramperher |
shimritproj
force-pushed
the
securityOperators
branch
3 times, most recently
from
5854570
to
4c5443a
Compare
shimritproj
force-pushed
the
securityOperators
branch
2 times, most recently
from
52df14d
to
1ec1c62
Compare
bnshr
requested changes
Jun 13, 2024
shimritproj
force-pushed
the
securityOperators
branch
from
08cdd81
to
8470b63
Compare
…ve operators
checks:
USER id should not be 0
readOnlyRootFilesystem = true
runAsNonRoot = true
automount service account token = false{}
shimritproj
force-pushed
the
securityOperators
branch
from
8470b63
to
f111d96
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Issue Link
https://issues.redhat.com/browse/CNFCERT-882?filter=-1
This PR includes 4 operator test cases.
testOperatorRunAsUserID(): This test verifies that no pods managed by operators run with the root user ID (UID) of 0, which could introduce security vulnerabilities.
testOperatorRunAsNonRoot(): This test ensures that pods managed by operators adhere to security best practices by running as non-root users.
testOperatorAutomountTokens(): This test evaluates the configuration of automount service tokens in pods managed by operators.
testOperatorReadOnlyFilesystem(): This test verifies whether containers within pods managed by operators have a read-only root filesystem, enhancing security by preventing unauthorized modifications.
We get pods of all operators and then test the above conditions.
In addition, the 'rbac' folder moved into the 'common' folder because it is used by functions in many places in the code, and we want to avoid duplicating code.