security requirements of the container-native operators #1967
Conversation
Review comment (from change #1967):
@shimritproj could you add this new test to the CATALOG.md? Thanks
Review comment (from change #1967):
Don't know if it's expected, but the four new tests added in this change are all skipped in this DCI job. Are they behaving properly?
Review comment (from change #1967):
@shimritproj Could you please move the description of the functions as code comments?
I am aware of the issue and actively working on it. This is why I indicated that the PR is still a work in progress and not yet ready for review. @ramperher |
Commit: …ve operators checks: USER id should not be 0, readOnlyRootFilesystem = true, runAsNonRoot = true, automount service account token = false
Issue Link: https://issues.redhat.com/browse/CNFCERT-882?filter=-1
This PR includes 4 operator test cases:
- testOperatorRunAsUserID(): This test verifies that no pods managed by operators run with the root user ID (UID) of 0, which could introduce security vulnerabilities.
- testOperatorRunAsNonRoot(): This test ensures that pods managed by operators adhere to security best practices by running as non-root users.
- testOperatorAutomountTokens(): This test evaluates the configuration of automount service tokens in pods managed by operators.
- testOperatorReadOnlyFilesystem(): This test verifies whether containers within pods managed by operators have a read-only root filesystem, enhancing security by preventing unauthorized modifications.
We get pods of all operators and then test the above conditions.
In addition, the 'rbac' folder moved into the 'common' folder because it is used by functions in many places in the code, and we want to avoid duplicating code.
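An added Go example (not the project's code) of the four conditions evaluated over a pod spec, including the pod-level/container-level precedence the description does not spell out. The types are constructed stand-ins for the Kubernetes fields, and treating an unset field as non-compliant is an assumption of this example:

```go
package main

// Constructed stand-ins for the PodSpec fields the checks read (not the real k8s.io/api types).
type SecurityContext struct {
	RunAsUser              *int64
	RunAsNonRoot           *bool
	ReadOnlyRootFilesystem *bool // container-level field only
}
type Container struct {
	Name            string
	SecurityContext SecurityContext
}
type PodSpec struct {
	SecurityContext              SecurityContext // pod-level defaults
	AutomountServiceAccountToken *bool
	Containers                   []Container
}

func i64(v int64) *int64 { return &v }
func bp(v bool) *bool    { return &v }

// CheckPod returns one finding per violation. A container-level field overrides the
// pod-level one, as in Kubernetes; an unset field is reported as non-compliant (assumption
// of this example) because the secure value must be stated explicitly. Only the pod spec
// is inspected here, not the ServiceAccount it references.
func CheckPod(pod *PodSpec) []string {
	var out []string
	if t := pod.AutomountServiceAccountToken; t == nil || *t {
		out = append(out, "pod: automountServiceAccountToken must be false")
	}
	for _, c := range pod.Containers {
		uid, nonRoot := c.SecurityContext.RunAsUser, c.SecurityContext.RunAsNonRoot
		if uid == nil {
			uid = pod.SecurityContext.RunAsUser // fall back to the pod-level value
		}
		if nonRoot == nil {
			nonRoot = pod.SecurityContext.RunAsNonRoot
		}
		if uid == nil || *uid == 0 {
			out = append(out, c.Name+": runAsUser must be set and non-zero")
		}
		if nonRoot == nil || !*nonRoot {
			out = append(out, c.Name+": runAsNonRoot must be true")
		}
		if ro := c.SecurityContext.ReadOnlyRootFilesystem; ro == nil || !*ro {
			out = append(out, c.Name+": readOnlyRootFilesystem must be true")
		}
	}
	return out
}
```

A container that sets runAsUser: 0 fails even when the pod-level securityContext is non-root, which is the case a pod-level-only check would miss.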