diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 0000000000..f6ef06eefd --- /dev/null +++ b/.github/workflows/ci.yml 
@@ -0,0 +1,300 @@ +name: Tests + +on: + pull_request_target: + branches: + - main + - "[0-9]+.[0-9]+" + types: [opened, synchronize, reopened] + push: + branches: + - main + - "[0-9]+.[0-9]+" + workflow_dispatch: + +concurrency: + group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} + cancel-in-progress: true + +jobs: + init-hermit: + name: Init Hermit Tools + runs-on: ubuntu-22.04 + timeout-minutes: 60 + steps: + - name: Check out the repo + uses: actions/checkout@v4 + - name: Hermit Environment + uses: ./.github/actions/hermit + with: + init-tools: 'true' + + ci-azure: + needs: [ init-hermit ] + name: CIS Azure CI + runs-on: ubuntu-22.04 + timeout-minutes: 60 + permissions: + contents: "read" + id-token: "write" + steps: + - name: Check out the repo + uses: actions/checkout@v4 + + - name: Hermit Environment + uses: ./.github/actions/hermit + + - name: Run Azure integration tests + uses: ./.github/actions/azure-ci + with: + elk-version: ${{ env.ELK_VERSION }} + azure-client-id: ${{ fromJSON(secrets.AZURE_CREDENTIALS).clientId }} + azure-tenant-id: ${{ fromJSON(secrets.AZURE_CREDENTIALS).tenantId }} + azure-client-secret: ${{ fromJSON(secrets.AZURE_CREDENTIALS).clientSecret }} + + ci-aws: + needs: [ init-hermit ] + name: CIS AWS CI + runs-on: ubuntu-22.04 + timeout-minutes: 60 + permissions: + contents: "read" + id-token: "write" + steps: + - name: Check out the repo + uses: actions/checkout@v4 + + - name: Hermit Environment + uses: ./.github/actions/hermit + + - name: Run AWS integration tests + uses: ./.github/actions/aws-ci + with: + elk-version: ${{ env.ELK_VERSION }} + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_TEST_ACC }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_TEST_ACC }} + aws-account-type: single-account + + ci-gcp: + needs: [ init-hermit ] + name: CIS GCP CI + runs-on: ubuntu-22.04 + timeout-minutes: 60 + permissions: + contents: 'read' + id-token: 'write' + steps: + - name: Check out the repo + uses: 
actions/checkout@v4 + + - name: Hermit Environment + uses: ./.github/actions/hermit + + - name: Run GCP integration tests + uses: ./.github/actions/gcp-ci + with: + elk-version: ${{ env.ELK_VERSION }} + workload-identity-provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }} + service-account: ${{ secrets.GCP_SERVICE_ACCOUNT }} + gcp-project-id: 'elastic-security-test' + gcp-account-type: 'single-account' + + ci-cnvm: + needs: [ init-hermit ] + name: CNVM CI + runs-on: ubuntu-22.04 + timeout-minutes: 30 + steps: + - name: Check out the repo + uses: actions/checkout@v4 + + - name: Hermit Environment + uses: ./.github/actions/hermit + + - name: Run CNVM integration tests + uses: ./.github/actions/cnvm-ci + with: + elk-version: ${{ env.ELK_VERSION }} + aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} + aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + aws-region: 'us-east-2' + + docker-images: + needs: [ init-hermit ] + name: Build docker images + # Since we build the cloudbeat in the worker's OS and as non static, + # we need to keep the OS version same as elastic-agent docker image base. 
+ # docker run --interactive --tty --rm --entrypoint bash docker.elastic.co/elastic-agent/elastic-agent-complete:8.14.0-SNAPSHOT -c 'cat /etc/os-release' + runs-on: ubuntu-20.04 + timeout-minutes: 40 + steps: + - name: Free Disk Space (Ubuntu) + uses: jlumbroso/free-disk-space@main + with: + tool-cache: false + android: true + dotnet: true + haskell: true + large-packages: false + docker-images: true + swap-storage: true + + - name: Check out the repo + uses: actions/checkout@v4 + + - name: Hermit Environment + uses: ./.github/actions/hermit + + - name: Build docker images + uses: ./.github/actions/docker-images + with: + build-docker-images: 'true' + + ci-k8s: + needs: [ init-hermit, docker-images ] + name: ${{ matrix.test-target }}-${{ matrix.kind-config }} + runs-on: ubuntu-22.04 + timeout-minutes: 120 + strategy: + fail-fast: false + matrix: + include: + - test-target: pre_merge + kind-config: kind-multi + values-file: tests/test_environments/values/ci.yml + - test-target: pre_merge_agent + kind-config: kind-multi + values-file: tests/test_environments/values/ci-sa-agent.yml + - test-target: k8s_file_system_rules + kind-config: kind-test-files + values-file: tests/test_environments/values/ci-test-k8s-files.yml + # - test-target: k8s_object_psp_rules + # kind-config: kind-multi + # values-file: tests/test_environments/values/ci-test-k8s-objects.yml + - test-target: k8s_process_rules + kind-config: kind-test-proc-conf1 + values-file: tests/test_environments/values/ci-test-k8s-proc-conf1.yml + - test-target: k8s_process_rules + kind-config: kind-test-proc-conf2 + values-file: tests/test_environments/values/ci-test-k8s-proc-conf2.yml + steps: + - name: Free Disk Space (Ubuntu) + uses: jlumbroso/free-disk-space@main + with: + tool-cache: false + android: true + dotnet: true + haskell: true + large-packages: false + docker-images: true + swap-storage: true + + - name: Check out the repo + uses: actions/checkout@v4 + + - name: Hermit Environment + uses: 
./.github/actions/hermit + + - name: Get docker images + uses: ./.github/actions/docker-images + with: + build-docker-images: 'false' + docker-images-folder: '/tmp/.docker-images' + + - name: Run k8s integration tests + uses: ./.github/actions/k8s-ci + with: + kind-config: ${{ matrix.kind-config }} + test-target: ${{ matrix.test-target }} + values-file: ${{ matrix.values-file }} + docker-images-folder: '/tmp/.docker-images' + + upload-allure-results: + needs: + - ci-azure + - ci-aws + - ci-gcp + - ci-cnvm + - ci-k8s + name: Upload integration tests results + runs-on: ubuntu-22.04 + timeout-minutes: 60 + permissions: + pull-requests: write + if: ${{ always() }} + env: + AWS_REGION: "eu-west-1" + ALLURE_S3_BUCKET: "s3://csp-allure-reports/allure_reports/cloudbeat/ci" + S3_BUCKET_ALLURE_REPORT_AP: "http://csp-allure-reports.s3.amazonaws.com/allure_reports/cloudbeat/ci" + steps: + - name: Check out the repo + uses: actions/checkout@v4 + + - uses: actions/download-artifact@v4 + if: ${{ always() }} + with: + pattern: allure-results-ci-* + path: tests/allure/results/ + merge-multiple: true + + - name: log + if: ${{ always() }} + shell: bash + run: | + ls -lahR tests/allure/results/ || true + + - name: Publish allure report + if: ${{ always() }} + uses: andrcuns/allure-publish-action@v2.7.1 + env: + GITHUB_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + AWS_REGION: ${{ env.AWS_REGION }} + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + with: + storageType: s3 + resultsGlob: "tests/allure/results" + updatePr: actions + collapseSummary: false + summary: suites + summaryTableType: markdown + copyLatest: true + bucket: csp-allure-reports + prefix: allure_reports/cloudbeat/ci/${{ github.event.number }} + ignoreMissingResults: true + debug: false + + - name: Allure Summary + if: ${{ success() && github.event_name != 'push' }} + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + 
run: | + curl --fail --show-error --location '${{ env.S3_BUCKET_ALLURE_REPORT_AP }}/${{ github.event.number }}/history/history-trend.json' --output ./history-trend.json + allure_result=./history-trend.json + allure_url=${{ env.S3_BUCKET_ALLURE_REPORT_AP }}/${{ github.event.number }}/index.html + + ./.ci/scripts/allure-report-summary.sh "$allure_result" "$allure_url" + allure_summary=$(./.ci/scripts/allure-report-summary.sh "$allure_result" "$allure_url") + + # saving result into env variable (with multiline handling) + echo "ALLURE_SUMMARY<> $GITHUB_ENV + echo "$allure_summary" >> $GITHUB_ENV + echo "EOF" >> $GITHUB_ENV + + - name: Comment test success result + uses: marocchino/sticky-pull-request-comment@v2 + if: ${{ success() && github.event_name != 'push' }} + with: + header: CI Test Results + number: ${{ github.event.number }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + message: | + ${{ env.ALLURE_SUMMARY }} + + - if: ${{ success() }} + name: Cleanup docker image artifacts + uses: geekyeggo/delete-artifact@v5 + with: + name: docker-images + failOnError: false diff --git a/deploy/k8s/fleet-managed-agent.yml b/deploy/k8s/fleet-managed-agent.yml index 8558cf512e..8e69b0aece 100644 --- a/deploy/k8s/fleet-managed-agent.yml +++ b/deploy/k8s/fleet-managed-agent.yml @@ -217,10 +217,10 @@ rules: - ingresses - networkpolicies verbs: ["get", "list", "watch"] - - apiGroups: ["policy"] - resources: - - podsecuritypolicies - verbs: ["get", "list", "watch"] + # - apiGroups: ["policy"] + # resources: + # - podsecuritypolicies + # verbs: ["get", "list", "watch"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role diff --git a/deploy/k8s/standalone-agent.yml b/deploy/k8s/standalone-agent.yml index e2c926c113..8d242b3042 100644 --- a/deploy/k8s/standalone-agent.yml +++ b/deploy/k8s/standalone-agent.yml 
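Review bot: The secret-bearing jobs (ci-azure, ci-aws, ci-gcp, ci-cnvm) run on `pull_request_target` but check out with a bare `actions/checkout@v4`, which on that event takes the base branch, so a PR's own changes are never what these integration tests exercise; the tempting fix of adding `ref: ${{ github.event.pull_request.head.sha }}` would instead hand `AZURE_CREDENTIALS` and the AWS keys to code from any fork, including the local `./.github/actions/*` composite actions that are loaded from the checked-out tree. Either move to `pull_request` and keep the cloud jobs behind an `environment:` with required reviewers, or keep `pull_request_target` and gate every job that reads `secrets.*` with `if: github.event_name != 'pull_request_target' || github.event.pull_request.head.repo.full_name == github.repository`. Independently, `jlumbroso/free-disk-space@main` (docker-images and ci-k8s) is a mutable branch ref for a third-party action that runs before checkout; pin it to a full commit SHA, e.g. `uses: jlumbroso/free-disk-space@<commit-sha> # vX.Y.Z`. The upload-allure-results job also fetches the summary it posts to the PR over plain `http://` via `S3_BUCKET_ALLURE_REPORT_AP`; switch that URL to `https://` so an on-path party cannot alter the comment body.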
@@ -641,10 +641,10 @@ rules: - ingresses - networkpolicies verbs: ["get", "list", "watch"] - - apiGroups: ["policy"] - resources: - - podsecuritypolicies - verbs: ["get", "list", "watch"] + # - apiGroups: ["policy"] + # resources: + # - podsecuritypolicies + # verbs: ["get", "list", "watch"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role diff --git a/deploy/kustomize/base/role.yml b/deploy/kustomize/base/role.yml index 03e87c1242..fbe6d2fdab 100644 --- a/deploy/kustomize/base/role.yml +++ b/deploy/kustomize/base/role.yml @@ -58,10 +58,10 @@ rules: - ingresses - networkpolicies verbs: ["get", "list", "watch"] - - apiGroups: ["policy"] - resources: - - podsecuritypolicies - verbs: ["get", "list", "watch"] + # - apiGroups: ["policy"] + # resources: + # - podsecuritypolicies + # verbs: ["get", "list", "watch"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role diff --git a/deploy/kustomize/overlays/cloudbeat-vanilla-agent/manifests.yaml b/deploy/kustomize/overlays/cloudbeat-vanilla-agent/manifests.yaml index 0ecde4d011..146ed2d9e0 100644 --- a/deploy/kustomize/overlays/cloudbeat-vanilla-agent/manifests.yaml +++ b/deploy/kustomize/overlays/cloudbeat-vanilla-agent/manifests.yaml @@ -248,10 +248,10 @@ rules: - roles verbs: ["get", "list", "watch"] # Needed for cloudbeat - - apiGroups: ["policy"] - resources: - - podsecuritypolicies - verbs: ["get", "list", "watch"] + # - apiGroups: ["policy"] + # resources: + # - podsecuritypolicies + # verbs: ["get", "list", "watch"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role diff --git a/go.mod b/go.mod index 4e8b28cb49..f7ae1cb125 100644 --- a/go.mod +++ b/go.mod 
@@ -40,12 +40,21 @@ require ( github.com/djherbis/times v1.6.0 github.com/elastic/beats/v7 v7.0.0-alpha2.0.20240209195728-d3cac73cfca8 github.com/elastic/e2e-testing v1.99.2-0.20231005090720-556e60d449dc +<<<<<<< HEAD github.com/elastic/elastic-agent-autodiscover v0.6.6 github.com/elastic/elastic-agent-client/v7 v7.5.0 github.com/elastic/elastic-agent-libs v0.7.3 github.com/elastic/go-licenser v0.4.1 github.com/elastic/go-ucfg v0.8.6 github.com/gocarina/gocsv v0.0.0-20170324095351-ffef3ffc77be +======= + github.com/elastic/elastic-agent-autodiscover v0.8.0 + github.com/elastic/elastic-agent-client/v7 v7.15.0 + github.com/elastic/elastic-agent-libs v0.9.15 + github.com/elastic/go-licenser v0.4.2 + github.com/elastic/go-ucfg v0.8.8 + github.com/gocarina/gocsv v0.0.0-20231116093920-b87c2d0e983a +>>>>>>> 0029a1ad (Upgrade helm to v3.14.2 (#2356)) github.com/gofrs/uuid v4.4.0+incompatible github.com/googleapis/gax-go/v2 v2.12.0 github.com/hashicorp/go-uuid v1.0.3 @@ -70,12 +79,21 @@ require ( golang.org/x/oauth2 v0.13.0 google.golang.org/api v0.148.0 gopkg.in/yaml.v2 v2.4.0 +<<<<<<< HEAD gotest.tools/gotestsum v1.11.0 k8s.io/api v0.28.3 k8s.io/apimachinery v0.28.3 k8s.io/client-go v0.28.3 k8s.io/klog/v2 v2.100.1 modernc.org/sqlite v1.26.0 +======= + gotest.tools/gotestsum v1.12.0 + k8s.io/api v0.29.5 + k8s.io/apimachinery v0.29.5 + k8s.io/client-go v0.29.5 + k8s.io/klog/v2 v2.120.1 + modernc.org/sqlite v1.30.2 +>>>>>>> 0029a1ad (Upgrade helm to v3.14.2 (#2356)) ) require ( 
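Review bot: The hunk commits unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 0029a1ad (Upgrade helm to v3.14.2 (#2356))`) into go.mod, so `go build` and `go mod tidy` will refuse to parse the module file; the same markers recur in every following go.mod hunk and throughout go.sum. Resolve by keeping the `0029a1ad` side, which is the upgrade this change is meant to carry (k8s.io/* v0.29.5, helm.sh/helm/v3 v3.14.2, docker v26.1.4, elastic-agent-libs v0.9.15), delete the HEAD side and the three marker lines, and re-run `go mod tidy` so go.sum is regenerated rather than hand-merged. Several of the bumped modules (docker, helm, opa, the k8s client) are dependencies whose upgrades are frequently security-motivated, so silently shipping the older HEAD versions would matter; a cheap guard such as `git diff --check` or `grep -n '^<<<<<<<\|^>>>>>>>' go.mod go.sum` in CI would fail this before merge.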
@@ -85,10 +103,21 @@ require ( github.com/felixge/httpsnoop v1.0.3 // indirect github.com/go-git/go-git/v5 v5.11.0 // indirect github.com/google/gnostic-models v0.6.8 // indirect +<<<<<<< HEAD github.com/grpc-ecosystem/grpc-gateway/v2 v2.18.0 // indirect github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect github.com/moby/sys/user v0.1.0 // indirect github.com/sagikazarmark/locafero v0.3.0 // indirect +======= + github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1 // indirect + github.com/mattn/go-shellwords v1.0.12 // indirect + github.com/moby/docker-image-spec v1.3.1 // indirect + github.com/moby/sys/user v0.1.0 // indirect + github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect + github.com/ncruces/go-strftime v0.1.9 // indirect + github.com/pkg/errors v0.9.1 // indirect + github.com/sagikazarmark/locafero v0.4.0 // indirect +>>>>>>> 0029a1ad (Upgrade helm to v3.14.2 (#2356)) github.com/sagikazarmark/slog-shim v0.1.0 // indirect github.com/sourcegraph/conc v0.3.0 // indirect go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.45.0 // indirect @@ -200,9 +229,15 @@ require ( github.com/dimchansky/utfbom v1.1.1 // indirect github.com/dlclark/regexp2 v1.10.0 // indirect github.com/dnephin/pflag v1.0.7 // indirect +<<<<<<< HEAD github.com/docker/cli v24.0.5+incompatible // indirect github.com/docker/distribution v2.8.2+incompatible // indirect github.com/docker/docker v24.0.7+incompatible // indirect +======= + github.com/docker/cli v25.0.5+incompatible // indirect + github.com/docker/distribution v2.8.3+incompatible // indirect + github.com/docker/docker v26.1.4+incompatible // indirect +>>>>>>> 0029a1ad (Upgrade helm to v3.14.2 (#2356)) github.com/docker/docker-credential-helpers v0.7.0 // indirect github.com/docker/go-connections v0.4.0 // indirect github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect 
@@ -227,7 +262,7 @@ require ( github.com/elliotchance/orderedmap v1.5.0 // indirect github.com/emicklei/go-restful/v3 v3.10.1 // indirect github.com/emirpasic/gods v1.18.1 // indirect - github.com/evanphx/json-patch v5.6.0+incompatible // indirect + github.com/evanphx/json-patch v5.7.0+incompatible // indirect github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect github.com/fatih/color v1.15.0 // indirect github.com/fsnotify/fsnotify v1.7.0 // indirect @@ -476,6 +511,7 @@ require ( gopkg.in/op/go-logging.v1 v1.0.0-20160211212156-b2cb9fa56473 // indirect gopkg.in/warnings.v0 v0.1.2 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect +<<<<<<< HEAD helm.sh/helm/v3 v3.12.3 // indirect howett.net/plist v1.0.0 // indirect k8s.io/apiextensions-apiserver v0.27.3 // indirect @@ -496,6 +532,24 @@ require ( modernc.org/token v1.0.1 // indirect oras.land/oras-go v1.2.3 // indirect oras.land/oras-go/v2 v2.3.1 // indirect +======= + helm.sh/helm/v3 v3.14.2 // indirect + howett.net/plist v1.0.1 // indirect + k8s.io/apiextensions-apiserver v0.29.0 // indirect + k8s.io/apiserver v0.29.0 // indirect + k8s.io/cli-runtime v0.29.0 // indirect + k8s.io/component-base v0.29.0 // indirect + k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect + k8s.io/kubectl v0.29.0 // indirect + k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect + modernc.org/libc v1.52.1 // indirect + modernc.org/mathutil v1.6.0 // indirect + modernc.org/memory v1.8.0 // indirect + modernc.org/strutil v1.2.0 // indirect + modernc.org/token v1.1.0 // indirect + oras.land/oras-go v1.2.5 // indirect + oras.land/oras-go/v2 v2.4.0 // indirect +>>>>>>> 0029a1ad (Upgrade helm to v3.14.2 (#2356)) sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect sigs.k8s.io/kustomize/api v0.13.5-0.20230601165947-6ce0bf390ce3 // indirect sigs.k8s.io/kustomize/kyaml v0.14.3-0.20230601165947-6ce0bf390ce3 // indirect diff --git a/go.sum b/go.sum index 49d41a9419..018399e921 100644 
--- a/go.sum +++ b/go.sum @@ -1246,11 +1246,16 @@ github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4Kfc github.com/docker/docker v1.4.2-0.20190924003213-a8608b5b67c7/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker v20.10.11+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker v20.10.21+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +<<<<<<< HEAD github.com/docker/docker v23.0.1+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker v23.0.3+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker v24.0.5+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker v24.0.7+incompatible h1:Wo6l37AuwP3JaMnZa226lzVXGA3F9Ig1seQen0cKYlM= github.com/docker/docker v24.0.7+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +======= +github.com/docker/docker v26.1.4+incompatible h1:vuTpXDuoga+Z38m1OZHzl7NKisKWaWlhjQk7IDPSLsU= +github.com/docker/docker v26.1.4+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +>>>>>>> 0029a1ad (Upgrade helm to v3.14.2 (#2356)) github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y= github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A= github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0= 
@@ -1289,6 +1294,7 @@ github.com/elastic/beats/v7 v7.0.0-alpha2.0.20240209195728-d3cac73cfca8 h1:dezaW github.com/elastic/beats/v7 v7.0.0-alpha2.0.20240209195728-d3cac73cfca8/go.mod h1:7Z82D67QYASt57uI5uewr+gxC1ZVm9z5k+cL/VIiKjk= github.com/elastic/e2e-testing v1.99.2-0.20231005090720-556e60d449dc h1:3hGO3+tipLIULlrabnXpXpOV5qSDbN/EJo9Xsj3hqyo= github.com/elastic/e2e-testing v1.99.2-0.20231005090720-556e60d449dc/go.mod h1:8q2d8dmwavJXISowwaoreHFBnbR/uK4qanfRGhC/W9A= +<<<<<<< HEAD github.com/elastic/elastic-agent-autodiscover v0.6.6 h1:P1y0dDpbhJc7Uw/xe85irPEad4Vljygc+y4iSxtqW7A= github.com/elastic/elastic-agent-autodiscover v0.6.6/go.mod h1:chulyCAyZb/njMHgzkhC/yWnt8v/Y6eCRUhmFVnsA5o= github.com/elastic/elastic-agent-client/v7 v7.5.0 h1:niI3WQ+01Lnp2r5LxK8SyNhrPJe13vBiOkqrDRK2oTA= 
@@ -1299,6 +1305,16 @@ github.com/elastic/elastic-agent-shipper-client v0.5.1-0.20230228231646-f04347b6 github.com/elastic/elastic-agent-shipper-client v0.5.1-0.20230228231646-f04347b666f3/go.mod h1:rWarFM7qYxJKsi9WcV6ONcFjH/NA3niDNpTxO+8/GVI= github.com/elastic/elastic-agent-system-metrics v0.9.1 h1:r0ofKHgPpl+W09ie7tzGcCDC0d4NZbQUv37rSgHf4FM= github.com/elastic/elastic-agent-system-metrics v0.9.1/go.mod h1:9C1UEfj0P687HAzZepHszN6zXA+2tN2Lx3Osvq1zby8= +======= +github.com/elastic/elastic-agent-autodiscover v0.8.0 h1:euHfPSsOE1z8GsPaFoc7lBB8pwyGGUiaE2lXHt0WwQI= +github.com/elastic/elastic-agent-autodiscover v0.8.0/go.mod h1:lSHCpBzQj2DU0U5RX7Z1Kpt12R6WGca6598MorwlJsY= +github.com/elastic/elastic-agent-client/v7 v7.15.0 h1:nDB7v8TBoNuD6IIzC3z7Q0y+7bMgXoT2DsHfolO2CHE= +github.com/elastic/elastic-agent-client/v7 v7.15.0/go.mod h1:6h+f9QdIr3GO2ODC0Y8+aEXRwzbA5W4eV4dd/67z7nI= +github.com/elastic/elastic-agent-libs v0.9.15 h1:WCLtuErafUxczT/rXJa4Vr6mxwC8dgtqMbEq+qWGD4M= +github.com/elastic/elastic-agent-libs v0.9.15/go.mod h1:2VgYxHaeM+cCDBjiS2wbmTvzPGbnlXAtYrlcLefheS8= +github.com/elastic/elastic-agent-system-metrics v0.10.2 h1:AVW+YqgezR0mNOZ80NxPLH3tiYMenNGZ8SC/bIUf4Uc= +github.com/elastic/elastic-agent-system-metrics v0.10.2/go.mod h1:0jJ2ARnzTTOEMmcRX9UNqSwbwguEluE/mK2HaM3GViI= +>>>>>>> 0029a1ad (Upgrade helm to v3.14.2 (#2356)) github.com/elastic/elastic-integration-corpus-generator-tool v0.5.0/go.mod h1:uf9N86y+UACGybdEhZLpwZ93XHWVhsYZAA4c2T2v6YM= github.com/elastic/elastic-package v0.77.0/go.mod h1:Xeqx0OOVnKBfFoSHsHmKI74RxgRGiDhU6yXEu8BkJJM= github.com/elastic/glog v1.0.1-0.20210831205241-7d8b5c89dfc4 h1:ViJxdtOsHeO+SWVekzM82fYHH1xnvZ8CvGPXZj+G4YI= 
@@ -1363,8 +1379,9 @@ github.com/envoyproxy/protoc-gen-validate v0.9.1/go.mod h1:OKNgG7TCp5pF4d6XftA0+ github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch v4.11.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= -github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U= github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/evanphx/json-patch v5.7.0+incompatible h1:vgGkfT/9f8zE6tvSCe74nfpAVDQ2tG6yudJd8LBksgI= +github.com/evanphx/json-patch v5.7.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4= github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d/go.mod h1:ZZMPRZwes7CROmyNKgQzC3XPs6L/G2EJLHddWejkmf4= github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f h1:Wl78ApPPB2Wvf/TIe2xdyJxTlb6obmF18d8QdkxNDu4= 
@@ -2206,9 +2223,16 @@ github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ= github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= github.com/mmcloughlin/avo v0.5.0/go.mod h1:ChHFdoV7ql95Wi7vuq2YT1bwCJqiWdZrQ1im3VujLYM= +<<<<<<< HEAD github.com/mndrix/tap-go v0.0.0-20171203230836-629fa407e90b/go.mod h1:pzzDgJWZ34fGzaAZGFW22KVZDfyrYW+QABMrWnJBnSs= github.com/moby/buildkit v0.11.6 h1:VYNdoKk5TVxN7k4RvZgdeM4GOyRvIi4Z8MXOY7xvyUs= github.com/moby/buildkit v0.11.6/go.mod h1:GCqKfHhz+pddzfgaR7WmHVEE3nKKZMMDPpK8mh3ZLv4= +======= +github.com/moby/buildkit v0.12.5 h1:RNHH1l3HDhYyZafr5EgstEu8aGNCwyfvMtrQDtjH9T0= +github.com/moby/buildkit v0.12.5/go.mod h1:YGwjA2loqyiYfZeEo8FtI7z4x5XponAaIWsWcSjWwso= +github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0= +github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo= +>>>>>>> 0029a1ad (Upgrade helm to v3.14.2 (#2356)) github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg= github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc= github.com/moby/spdystream v0.2.0 h1:cjW1zVyyoiM0T7b6UoySUFqzXMoqRckQtXwGPiBhOM8= 
@@ -2254,6 +2278,7 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= +github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J1GEMiLbxo1LJaP8RfCpH6pymGZus= github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= github.com/ncw/swift v1.0.47/go.mod h1:23YIA4yWVnGwv2dQlN4bB7egfYX6YLn0Yo/S6zZO/ZM= github.com/nelsam/hel/v2 v2.3.2/go.mod h1:1ZTGfU2PFTOd5mx22i5O0Lc2GY933lQ2wb/ggy+rL3w= 
@@ -2290,10 +2315,15 @@ github.com/onsi/ginkgo/v2 v2.1.4/go.mod h1:um6tUpWM/cxCK3/FK8BXqEiUMUwRgSM4JXG47 github.com/onsi/ginkgo/v2 v2.1.6/go.mod h1:MEH45j8TBi6u9BMogfbp0stKC5cdGjumZj5Y7AG4VIk= github.com/onsi/ginkgo/v2 v2.3.0/go.mod h1:Eew0uilEqZmIEZr8JrvYlvOM7Rr6xzTmMV8AyFNU9d0= github.com/onsi/ginkgo/v2 v2.4.0/go.mod h1:iHkDK1fKGcBoEHT5W7YBq4RFWaQulw+caOMkAt4OrFo= +<<<<<<< HEAD github.com/onsi/ginkgo/v2 v2.5.0/go.mod h1:Luc4sArBICYCS8THh8v3i3i5CuSZO+RaQRaJoeNwomw= github.com/onsi/ginkgo/v2 v2.6.1/go.mod h1:yjiuMwPokqY1XauOgju45q3sJt6VzQ/Fict1LFVcsAo= github.com/onsi/ginkgo/v2 v2.11.0 h1:WgqUCUt/lT6yXoQ8Wef0fsNn5cAuMK7+KT9UFRz2tcU= github.com/onsi/ginkgo/v2 v2.11.0/go.mod h1:ZhrRA5XmEE3x3rhlzamx/JJvujdZoJ2uvgI7kR0iZvM= +======= +github.com/onsi/ginkgo/v2 v2.13.0 h1:0jY9lJquiL8fcf3M4LAXN5aMlS/b2BV86HFFPCPMgE4= +github.com/onsi/ginkgo/v2 v2.13.0/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o= +>>>>>>> 0029a1ad (Upgrade helm to v3.14.2 (#2356)) github.com/onsi/gomega v0.0.0-20151007035656-2152b45fa28a/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= @@ -2310,6 +2340,7 @@ github.com/onsi/gomega v1.20.1/go.mod h1:DtrZpjmvpn2mPm4YWQa0/ALMDj9v4YxLgojwPeR github.com/onsi/gomega v1.21.1/go.mod h1:iYAIXgPSaDHak0LCMA+AWBpIKBr8WZicMxnE8luStNc= github.com/onsi/gomega v1.22.1/go.mod h1:x6n7VNe4hw0vkyYUM4mjIXx3JbLiPaBPNgB7PRQ1tuM= github.com/onsi/gomega v1.23.0/go.mod h1:Z/NWtiqwBrwUt4/2loMmHL63EDLnYHmVbuBpDr2vQAg= +<<<<<<< HEAD github.com/onsi/gomega v1.24.0/go.mod h1:Z/NWtiqwBrwUt4/2loMmHL63EDLnYHmVbuBpDr2vQAg= github.com/onsi/gomega v1.24.1/go.mod h1:3AOiACssS3/MajrniINInwbfOOtfZvplPzuRSmvt1jM= github.com/onsi/gomega v1.24.2/go.mod h1:gs3J10IS7Z7r7eXRoNJIrNqU4ToQukCJhFtKrWgHWnk= 
@@ -2318,6 +2349,12 @@ github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3ev github.com/open-policy-agent/opa v0.42.2/go.mod h1:MrmoTi/BsKWT58kXlVayBb+rYVeaMwuBm3nYAN3923s= github.com/open-policy-agent/opa v0.58.0 h1:S5qvevW8JoFizU7Hp66R/Y1SOXol0aCdFYVkzIqIpUo= github.com/open-policy-agent/opa v0.58.0/go.mod h1:EGWBwvmyt50YURNvL8X4W5hXdlKeNhAHn3QXsetmYcc= +======= +github.com/onsi/gomega v1.29.0 h1:KIA/t2t5UBzoirT4H9tsML45GEbo3ouUnBHsCfD2tVg= +github.com/onsi/gomega v1.29.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ= +github.com/open-policy-agent/opa v0.66.0 h1:DbrvfJQja0FBRcPOB3Z/BOckocN+M4ApNWyNhSRJt0w= +github.com/open-policy-agent/opa v0.66.0/go.mod h1:EIgNnJcol7AvQR/IcWLwL13k64gHVbNAVG46b2G+/EY= +>>>>>>> 0029a1ad (Upgrade helm to v3.14.2 (#2356)) github.com/opencontainers/go-digest v0.0.0-20170106003457-a6d0ee40d420/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= github.com/opencontainers/go-digest v0.0.0-20180430190053-c9281466c8b2/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= 
@@ -2892,7 +2929,12 @@ go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.14.0/go.mod h go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.19.0 h1:3d+S281UTjM+AbF31XSOYn1qXn3BgIdWl8HNEpx08Jk= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.19.0/go.mod h1:0+KuTDyKL4gjKCF75pHOX4wuzYDUZYfAQdSu43o+Z2I= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.3.0/go.mod h1:QNX1aly8ehqqX1LEa6YniTU7VY9I6R3X/oPxhGdTceE= +<<<<<<< HEAD go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.14.0/go.mod h1:+N7zNjIJv4K+DeX67XXET0P+eIciESgaFDBqh+ZJFS4= +======= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.28.0 h1:j9+03ymgYhPKmeXGk5Zu+cIZOlVzd9Zv7QIiyItjFBU= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.28.0/go.mod h1:Y5+XiUG4Emn1hTfciPzGPJaSI+RpDts6BnCIir0SLqk= +>>>>>>> 0029a1ad (Upgrade helm to v3.14.2 (#2356)) go.opentelemetry.io/otel/metric v0.20.0/go.mod h1:598I5tYlH1vzBjn+BTuhzTCSb/9debfNp6R3s7Pr1eU= go.opentelemetry.io/otel/metric v0.30.0/go.mod h1:/ShZ7+TS4dHzDFmfi1kSXMhMVubNoP0oIaBp70J6UXU= go.opentelemetry.io/otel/metric v0.31.0/go.mod h1:ohmwj9KTSIeBnDBm/ZwH2PSZxZzoOaG2xZeekTRzL5A= 
@@ -3902,8 +3944,13 @@ gotest.tools/v3 v3.3.0/go.mod h1:Mcr9QNxkg0uMvy/YElmo4SpXgJKWgQvYrT7Kw5RzJ1A= gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o= gotest.tools/v3 v3.4.0/go.mod h1:CtbdzLSsqVhDgMtKsx03ird5YTGB3ar27v0u/yKBW5g= helm.sh/helm/v3 v3.11.2/go.mod h1:Hw+09mfpDiRRKAgAIZlFkPSeOkvv7Acl5McBvQyNPVw= +<<<<<<< HEAD helm.sh/helm/v3 v3.12.3 h1:5y1+Sbty12t48T/t/CGNYUIME5BJ0WKfmW/sobYqkFg= helm.sh/helm/v3 v3.12.3/go.mod h1:KPKQiX9IP5HX7o5YnnhViMnNuKiL/lJBVQ47GHe1R0k= +======= +helm.sh/helm/v3 v3.14.2 h1:V71fv+NGZv0icBlr+in1MJXuUIHCiPG1hW9gEBISTIA= +helm.sh/helm/v3 v3.14.2/go.mod h1:2itvvDv2WSZXTllknfQo6j7u3VVgMAvm8POCDgYH424= +>>>>>>> 0029a1ad (Upgrade helm to v3.14.2 (#2356)) honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= 
@@ -3924,11 +3971,19 @@ k8s.io/api v0.22.5/go.mod h1:mEhXyLaSD1qTOf40rRiKXkc+2iCem09rWLlFwhCEiAs= k8s.io/api v0.26.0/go.mod h1:k6HDTaIFC8yn1i6pSClSqIwLABIcLV9l5Q4EcngKnQg= k8s.io/api v0.26.2/go.mod h1:1kjMQsFE+QHPfskEcVNgL3+Hp88B80uj0QtSOlj8itU= k8s.io/api v0.26.3/go.mod h1:PXsqwPMXBSBcL1lJ9CYDKy7kIReUydukS5JiRlxC3qE= +<<<<<<< HEAD k8s.io/api v0.28.3 h1:Gj1HtbSdB4P08C8rs9AR94MfSGpRhJgsS+GF9V26xMM= k8s.io/api v0.28.3/go.mod h1:MRCV/jr1dW87/qJnZ57U5Pak65LGmQVkKTzf3AtKFHc= k8s.io/apiextensions-apiserver v0.26.0/go.mod h1:7ez0LTiyW5nq3vADtK6C3kMESxadD51Bh6uz3JOlqWQ= k8s.io/apiextensions-apiserver v0.27.3 h1:xAwC1iYabi+TDfpRhxh4Eapl14Hs2OftM2DN5MpgKX4= k8s.io/apiextensions-apiserver v0.27.3/go.mod h1:BH3wJ5NsB9XE1w+R6SSVpKmYNyIiyIz9xAmBl8Mb+84= +======= +k8s.io/api v0.29.5 h1:levS+umUigHCfI3riD36pMY1vQEbrzh4r1ivVWAhHaI= +k8s.io/api v0.29.5/go.mod h1:7b18TtPcJzdjk7w5zWyIHgoAtpGeRvGGASxlS7UZXdQ= +k8s.io/apiextensions-apiserver v0.26.0/go.mod h1:7ez0LTiyW5nq3vADtK6C3kMESxadD51Bh6uz3JOlqWQ= +k8s.io/apiextensions-apiserver v0.29.0 h1:0VuspFG7Hj+SxyF/Z/2T0uFbI5gb5LRgEyUVE3Q4lV0= +k8s.io/apiextensions-apiserver v0.29.0/go.mod h1:TKmpy3bTS0mr9pylH0nOt/QzQRrW7/h7yLdRForMZwc= +>>>>>>> 0029a1ad (Upgrade helm to v3.14.2 (#2356)) k8s.io/apimachinery v0.20.1/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU= k8s.io/apimachinery v0.20.4/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU= k8s.io/apimachinery v0.20.6/go.mod h1:ejZXtW1Ra6V1O5H8xPBGz+T3+4gfkTCeExAHKU57MAc= 
@@ -3938,13 +3993,19 @@ k8s.io/apimachinery v0.25.0/go.mod h1:qMx9eAk0sZQGsXGu86fab8tZdffHbwUfsvzqKn4mfB k8s.io/apimachinery v0.26.0/go.mod h1:tnPmbONNJ7ByJNz9+n9kMjNP8ON+1qoAIIC70lztu74= k8s.io/apimachinery v0.26.2/go.mod h1:ats7nN1LExKHvJ9TmwootT00Yz05MuYqPXEXaVeOy5I= k8s.io/apimachinery v0.26.3/go.mod h1:ats7nN1LExKHvJ9TmwootT00Yz05MuYqPXEXaVeOy5I= +<<<<<<< HEAD k8s.io/apimachinery v0.28.3 h1:B1wYx8txOaCQG0HmYF6nbpU8dg6HvA06x5tEffvOe7A= k8s.io/apimachinery v0.28.3/go.mod h1:uQTKmIqs+rAYaq+DFaoD2X7pcjLOqbQX2AOiO0nIpb8= +======= +k8s.io/apimachinery v0.29.5 h1:Hofa2BmPfpoT+IyDTlcPdCHSnHtEQMoJYGVoQpRTfv4= +k8s.io/apimachinery v0.29.5/go.mod h1:i3FJVwhvSp/6n8Fl4K97PJEP8C+MM+aoDq4+ZJBf70Y= +>>>>>>> 0029a1ad (Upgrade helm to v3.14.2 (#2356)) k8s.io/apiserver v0.20.1/go.mod h1:ro5QHeQkgMS7ZGpvf4tSMx6bBOgPfE+f52KwvXfScaU= k8s.io/apiserver v0.20.4/go.mod h1:Mc80thBKOyy7tbvFtB4kJv1kbdD0eIH8k8vianJcbFM= k8s.io/apiserver v0.20.6/go.mod h1:QIJXNt6i6JB+0YQRNcS0hdRHJlMhflFmsBDeSgT1r8Q= k8s.io/apiserver v0.22.5/go.mod h1:s2WbtgZAkTKt679sYtSudEQrTGWUSQAPe6MupLnlmaQ= k8s.io/apiserver v0.26.0/go.mod h1:aWhlLD+mU+xRo+zhkvP/gFNbShI4wBDHS33o0+JGI84= +<<<<<<< HEAD k8s.io/apiserver v0.26.2/go.mod h1:GHcozwXgXsPuOJ28EnQ/jXEM9QeG6HT22YxSNmpYNh8= k8s.io/apiserver v0.27.3 h1:AxLvq9JYtveYWK+D/Dz/uoPCfz8JC9asR5z7+I/bbQ4= k8s.io/apiserver v0.27.3/go.mod h1:Y61+EaBMVWUBJtxD5//cZ48cHZbQD+yIyV/4iEBhhNA= 
@@ -3952,6 +4013,14 @@ k8s.io/cli-runtime v0.26.0/go.mod h1:o+4KmwHzO/UK0wepE1qpRk6l3o60/txUZ1fEXWGIKTY k8s.io/cli-runtime v0.26.3/go.mod h1:5YEhXLV4kLt/OSy9yQwtSSNZU2Z7aTEYta1A+Jg4VC4= k8s.io/cli-runtime v0.28.1 h1:7Njc4eD5kaO4tYdSYVJJEs54koYD/vT6gxOq8dEVf9g= k8s.io/cli-runtime v0.28.1/go.mod h1:yIThSWkAVLqeRs74CMkq6lNFW42GyJmvMtcNn01SZho= +======= +k8s.io/apiserver v0.29.0 h1:Y1xEMjJkP+BIi0GSEv1BBrf1jLU9UPfAnnGGbbDdp7o= +k8s.io/apiserver v0.29.0/go.mod h1:31n78PsRKPmfpee7/l9NYEv67u6hOL6AfcE761HapDM= +k8s.io/cli-runtime v0.26.0/go.mod h1:o+4KmwHzO/UK0wepE1qpRk6l3o60/txUZ1fEXWGIKTY= +k8s.io/cli-runtime v0.26.3/go.mod h1:5YEhXLV4kLt/OSy9yQwtSSNZU2Z7aTEYta1A+Jg4VC4= +k8s.io/cli-runtime v0.29.0 h1:q2kC3cex4rOBLfPOnMSzV2BIrrQlx97gxHJs21KxKS4= +k8s.io/cli-runtime v0.29.0/go.mod h1:VKudXp3X7wR45L+nER85YUzOQIru28HQpXr0mTdeCrk= +>>>>>>> 0029a1ad (Upgrade helm to v3.14.2 (#2356)) k8s.io/client-go v0.20.1/go.mod h1:/zcHdt1TeWSd5HoUe6elJmHSQ6uLLgp4bIJHVEuy+/Y= k8s.io/client-go v0.20.4/go.mod h1:LiMv25ND1gLUdBeYxBIwKpkSC5IsozMMmOOeSJboP+k= k8s.io/client-go v0.20.6/go.mod h1:nNQMnOvEUEsOzRRFIIkdmYOjAZrC8bgq0ExboWSU1I0= 
@@ -3959,8 +4028,13 @@ k8s.io/client-go v0.22.5/go.mod h1:cs6yf/61q2T1SdQL5Rdcjg9J1ElXSwbjSrW2vFImM4Y= k8s.io/client-go v0.26.0/go.mod h1:I2Sh57A79EQsDmn7F7ASpmru1cceh3ocVT9KlX2jEZg= k8s.io/client-go v0.26.2/go.mod h1:u5EjOuSyBa09yqqyY7m3abZeovO/7D/WehVVlZ2qcqU= k8s.io/client-go v0.26.3/go.mod h1:ZPNu9lm8/dbRIPAgteN30RSXea6vrCpFvq+MateTUuQ= +<<<<<<< HEAD k8s.io/client-go v0.28.3 h1:2OqNb72ZuTZPKCl+4gTKvqao0AMOl9f3o2ijbAj3LI4= k8s.io/client-go v0.28.3/go.mod h1:LTykbBp9gsA7SwqirlCXBWtK0guzfhpoW4qSm7i9dxo= +======= +k8s.io/client-go v0.29.5 h1:nlASXmPQy190qTteaVP31g3c/wi2kycznkTP7Sv1zPc= +k8s.io/client-go v0.29.5/go.mod h1:aY5CnqUUvXYccJhm47XHoPcRyX6vouHdIBHaKZGTbK4= +>>>>>>> 0029a1ad (Upgrade helm to v3.14.2 (#2356)) k8s.io/code-generator v0.19.7/go.mod h1:lwEq3YnLYb/7uVXLorOJfxg+cUu2oihFhHZ0n9NIla0= k8s.io/code-generator v0.26.0/go.mod h1:OMoJ5Dqx1wgaQzKgc+ZWaZPfGjdRq/Y3WubFrZmeI3I= k8s.io/component-base v0.20.1/go.mod h1:guxkoJnNoh8LNrbtiQOlyp2Y2XFCZQmrcg2n/DeYNLk= 
@@ -3968,9 +4042,14 @@ k8s.io/component-base v0.20.4/go.mod h1:t4p9EdiagbVCJKrQ1RsA5/V4rFQNDfRlevJajlGw k8s.io/component-base v0.20.6/go.mod h1:6f1MPBAeI+mvuts3sIdtpjljHWBQ2cIy38oBIWMYnrM= k8s.io/component-base v0.22.5/go.mod h1:VK3I+TjuF9eaa+Ln67dKxhGar5ynVbwnGrUiNF4MqCI= k8s.io/component-base v0.26.0/go.mod h1:lqHwlfV1/haa14F/Z5Zizk5QmzaVf23nQzCwVOQpfC8= +<<<<<<< HEAD k8s.io/component-base v0.26.2/go.mod h1:DxbuIe9M3IZPRxPIzhch2m1eT7uFrSBJUBuVCQEBivs= k8s.io/component-base v0.28.1 h1:LA4AujMlK2mr0tZbQDZkjWbdhTV5bRyEyAFe0TJxlWg= k8s.io/component-base v0.28.1/go.mod h1:jI11OyhbX21Qtbav7JkhehyBsIRfnO8oEgoAR12ArIU= +======= +k8s.io/component-base v0.29.0 h1:T7rjd5wvLnPBV1vC4zWd/iWRbV8Mdxs+nGaoaFzGw3s= +k8s.io/component-base v0.29.0/go.mod h1:sADonFTQ9Zc9yFLghpDpmNXEdHyQmFIGbiuZbqAXQ1M= +>>>>>>> 0029a1ad (Upgrade helm to v3.14.2 (#2356)) k8s.io/component-helpers v0.26.0/go.mod h1:jHN01qS/Jdj95WCbTe9S2VZ9yxpxXNY488WjF+yW4fo= k8s.io/cri-api v0.17.3/go.mod h1:X1sbHmuXhwaHs9xxYffLqJogVsnI+f6cPRcgPel7ywM= k8s.io/cri-api v0.20.1/go.mod h1:2JRbKt+BFLTjtrILYVqQK5jqhI+XNdF6UiGMgczeBCI= 
@@ -4008,8 +4087,13 @@ k8s.io/kube-openapi v0.0.0-20221207184640-f3cff1453715/go.mod h1:+Axhij7bCpeqhkl k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 h1:LyMgNKD2P8Wn1iAwQU5OhxCKlKJy0sHc+PcDwFB24dQ= k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9/go.mod h1:wZK2AVp1uHCp4VamDVgBP2COHZjqD1T68Rf0CM3YjSM= k8s.io/kubectl v0.26.0/go.mod h1:eInP0b+U9XUJWSYeU9XZnTA+cVYuWyl3iYPGtru0qhQ= +<<<<<<< HEAD k8s.io/kubectl v0.28.1 h1:jAq4yKEqQL+fwkWcEsUWxhJ7uIRcOYQraJxx4SyAMTY= k8s.io/kubectl v0.28.1/go.mod h1:a0nk/lMMeKBulp0lMTJAKbkjZg1ykqfLfz/d6dnv1ak= +======= +k8s.io/kubectl v0.29.0 h1:Oqi48gXjikDhrBF67AYuZRTcJV4lg2l42GmvsP7FmYI= +k8s.io/kubectl v0.29.0/go.mod h1:0jMjGWIcMIQzmUaMgAzhSELv5WtHo2a8pq67DtviAJs= +>>>>>>> 0029a1ad (Upgrade helm to v3.14.2 (#2356)) k8s.io/kubernetes v1.13.0/go.mod h1:ocZa8+6APFNC2tX1DZASIbocyYT5jHzqFVsY5aoB7Jk= k8s.io/metrics v0.26.0/go.mod h1:cf5MlG4ZgWaEFZrR9+sOImhZ2ICMpIdNurA+D8snIs8= k8s.io/utils v0.0.0-20201110183641-67b214c5f920/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= diff --git a/resources/fetching/fetchers/k8s/kube_fetcher_test.go b/resources/fetching/fetchers/k8s/kube_fetcher_test.go index 5f757f0271..c51d925ee1 100644 --- a/resources/fetching/fetchers/k8s/kube_fetcher_test.go +++ b/resources/fetching/fetchers/k8s/kube_fetcher_test.go @@ -24,7 +24,11 @@ import ( "testing" "github.com/stretchr/testify/suite" +<<<<<<< HEAD:resources/fetching/fetchers/k8s/kube_fetcher_test.go v1 "k8s.io/api/core/v1" +======= + "k8s.io/api/core/v1" +>>>>>>> 0029a1ad (Upgrade helm to v3.14.2 (#2356)):internal/resources/fetching/fetchers/k8s/kube_fetcher_test.go rbacv1 "k8s.io/api/rbac/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" diff --git a/resources/fetching/fetchers/k8s/kube_provider.go b/resources/fetching/fetchers/k8s/kube_provider.go index 5bd7f33daa..69df3c570e 100644 --- a/resources/fetching/fetchers/k8s/kube_provider.go +++ b/resources/fetching/fetchers/k8s/kube_provider.go 
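Review bot: The import block in the kube_fetcher_test.go hunk adds unresolved merge-conflict markers (`+<<<<<<< HEAD:...`, `+=======`, `+>>>>>>> 0029a1ad ...`) as new lines, so the file will not compile until the conflict is resolved. Both sides import the same package, `k8s.io/api/core/v1`, differing only in the explicit alias; keep the single line `v1 "k8s.io/api/core/v1"`, which matches the aliased `rbacv1` and `metav1` imports beside it, and drop the three marker lines. The marker text also shows the incoming side holds this file at `internal/resources/fetching/fetchers/k8s/kube_fetcher_test.go`, so the merge presumably involves a directory move that should be carried through consistently rather than leaving the file under both paths. The import block continues outside the hunk.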
@@ -118,8 +118,11 @@ func nullifyManagedFields(resource interface{}) { val.ManagedFields = nil case *kubernetes.ClusterRoleBinding: val.ManagedFields = nil +<<<<<<< HEAD:resources/fetching/fetchers/k8s/kube_provider.go case *kubernetes.PodSecurityPolicy: val.ManagedFields = nil +======= +>>>>>>> 0029a1ad (Upgrade helm to v3.14.2 (#2356)):internal/resources/fetching/fetchers/k8s/kube_provider.go case *kubernetes.ServiceAccount: val.ManagedFields = nil case *kubernetes.NetworkPolicy: diff --git a/security-policies/RULES.md b/security-policies/RULES.md index ac935bea7f..7c1623d230 100644 --- a/security-policies/RULES.md +++ b/security-policies/RULES.md @@ -8,6 +8,7 @@ #### Manual rules: 19/51 (37%) +<<<<<<< HEAD | Rule Number | Section | Description | Status | Type | |:----------------------------------------------------:|:---------------------------------------|:---------------------------------------------------------------------------------------------------------|:------------------:|:---------:| | [1.1.1](bundle/compliance/cis_k8s/rules/cis_1_1_1) | Control Plane Node Configuration Files | Ensure that the API server pod specification file permissions are set to 644 or more restrictive | :white_check_mark: | Automated | @@ -135,6 +136,140 @@ | 5.7.2 | General Policies | Ensure that the seccomp profile is set to docker/default in your pod definitions | :x: | Manual | | 5.7.3 | General Policies | Apply Security Context to Your Pods and Containers | :x: | Manual | | 5.7.4 | General Policies | The default namespace should not be used | :x: | Manual | +======= +#### Integration Tests Coverage: 129/250 (52%) + +
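Review bot: The `switch` in `nullifyManagedFields` gains committed conflict markers (`+<<<<<<< HEAD:...`, `+=======`, `+>>>>>>> 0029a1ad ...`) around the `case *kubernetes.PodSecurityPolicy:` arm, which is a compile error in Go. The rest of this commit removes PodSecurityPolicy handling everywhere else (the Python client maps and the RBAC rules) and the incoming side drops the arm, so the resolution consistent with the commit is to delete the two lines `case *kubernetes.PodSecurityPolicy:` / `val.ManagedFields = nil` together with the three marker lines; if the upgraded k8s.io/api no longer defines that type, the HEAD arm would not compile anyway. The same unresolved markers are visible in the go.sum and RULES.md hunks of this commit and need the same treatment. `nullifyManagedFields` begins and ends outside the hunk.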

Full Table 📋

+ +| Rule Number | Section | Description | Status | Integration Tests | Type | +|:----------------------------------------------------:|:---------------------------------------|:---------------------------------------------------------------------------------------------------------|:------------------:|:-----------------------------------------------------:|:----------| +| [1.1.1](bundle/compliance/cis_k8s/rules/cis_1_1_1) | Control Plane Node Configuration Files | Ensure that the API server pod specification file permissions are set to 644 or more restrictive | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated | +| 1.1.10 | Control Plane Node Configuration Files | Ensure that the Container Network Interface file ownership is set to root:root | :x: | Passed :x: / Failed :x: | Manual | +| [1.1.11](bundle/compliance/cis_k8s/rules/cis_1_1_11) | Control Plane Node Configuration Files | Ensure that the etcd data directory permissions are set to 700 or more restrictive | :white_check_mark: | Passed :x: / Failed :white_check_mark: | Automated | +| [1.1.12](bundle/compliance/cis_k8s/rules/cis_1_1_12) | Control Plane Node Configuration Files | Ensure that the etcd data directory ownership is set to etcd:etcd | :white_check_mark: | Passed :x: / Failed :white_check_mark: | Automated | +| [1.1.13](bundle/compliance/cis_k8s/rules/cis_1_1_13) | Control Plane Node Configuration Files | Ensure that the admin.conf file permissions are set to 600 | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated | +| [1.1.14](bundle/compliance/cis_k8s/rules/cis_1_1_14) | Control Plane Node Configuration Files | Ensure that the admin.conf file ownership is set to root:root | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated | +| [1.1.15](bundle/compliance/cis_k8s/rules/cis_1_1_15) | Control Plane Node Configuration Files | Ensure that the scheduler.conf file permissions are set to 644 or 
more restrictive | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated | +| [1.1.16](bundle/compliance/cis_k8s/rules/cis_1_1_16) | Control Plane Node Configuration Files | Ensure that the scheduler.conf file ownership is set to root:root | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated | +| [1.1.17](bundle/compliance/cis_k8s/rules/cis_1_1_17) | Control Plane Node Configuration Files | Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated | +| [1.1.18](bundle/compliance/cis_k8s/rules/cis_1_1_18) | Control Plane Node Configuration Files | Ensure that the controller-manager.conf file ownership is set to root:root | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated | +| [1.1.19](bundle/compliance/cis_k8s/rules/cis_1_1_19) | Control Plane Node Configuration Files | Ensure that the Kubernetes PKI directory and file ownership is set to root:root | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated | +| [1.1.2](bundle/compliance/cis_k8s/rules/cis_1_1_2) | Control Plane Node Configuration Files | Ensure that the API server pod specification file ownership is set to root:root | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated | +| [1.1.20](bundle/compliance/cis_k8s/rules/cis_1_1_20) | Control Plane Node Configuration Files | Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Manual | +| [1.1.21](bundle/compliance/cis_k8s/rules/cis_1_1_21) | Control Plane Node Configuration Files | Ensure that the Kubernetes PKI key file permissions are set to 600 | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Manual | +| 
[1.1.3](bundle/compliance/cis_k8s/rules/cis_1_1_3) | Control Plane Node Configuration Files | Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated | +| [1.1.4](bundle/compliance/cis_k8s/rules/cis_1_1_4) | Control Plane Node Configuration Files | Ensure that the controller manager pod specification file ownership is set to root:root | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated | +| [1.1.5](bundle/compliance/cis_k8s/rules/cis_1_1_5) | Control Plane Node Configuration Files | Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated | +| [1.1.6](bundle/compliance/cis_k8s/rules/cis_1_1_6) | Control Plane Node Configuration Files | Ensure that the scheduler pod specification file ownership is set to root:root | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated | +| [1.1.7](bundle/compliance/cis_k8s/rules/cis_1_1_7) | Control Plane Node Configuration Files | Ensure that the etcd pod specification file permissions are set to 644 or more restrictive | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated | +| [1.1.8](bundle/compliance/cis_k8s/rules/cis_1_1_8) | Control Plane Node Configuration Files | Ensure that the etcd pod specification file ownership is set to root:root | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated | +| 1.1.9 | Control Plane Node Configuration Files | Ensure that the Container Network Interface file permissions are set to 644 or more restrictive | :x: | Passed :x: / Failed :x: | Manual | +| 1.2.1 | API Server | Ensure that the --anonymous-auth argument is set to false | :x: | Passed :x: / Failed :x: | Manual | +| 
[1.2.10](bundle/compliance/cis_k8s/rules/cis_1_2_10) | API Server | Ensure that the admission control plugin EventRateLimit is set | :white_check_mark: | Passed :x: / Failed :white_check_mark: | Manual | +| [1.2.11](bundle/compliance/cis_k8s/rules/cis_1_2_11) | API Server | Ensure that the admission control plugin AlwaysAdmit is not set | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated | +| [1.2.12](bundle/compliance/cis_k8s/rules/cis_1_2_12) | API Server | Ensure that the admission control plugin AlwaysPullImages is set | :white_check_mark: | Passed :x: / Failed :white_check_mark: | Manual | +| [1.2.13](bundle/compliance/cis_k8s/rules/cis_1_2_13) | API Server | Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used | :white_check_mark: | Passed :x: / Failed :white_check_mark: | Manual | +| [1.2.14](bundle/compliance/cis_k8s/rules/cis_1_2_14) | API Server | Ensure that the admission control plugin ServiceAccount is set | :white_check_mark: | Passed :x: / Failed :x: | Automated | +| [1.2.15](bundle/compliance/cis_k8s/rules/cis_1_2_15) | API Server | Ensure that the admission control plugin NamespaceLifecycle is set | :white_check_mark: | Passed :x: / Failed :white_check_mark: | Automated | +| [1.2.16](bundle/compliance/cis_k8s/rules/cis_1_2_16) | API Server | Ensure that the admission control plugin NodeRestriction is set | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated | +| [1.2.17](bundle/compliance/cis_k8s/rules/cis_1_2_17) | API Server | Ensure that the --secure-port argument is not set to 0 | :white_check_mark: | Passed :white_check_mark: / Failed :x: | Automated | +| [1.2.18](bundle/compliance/cis_k8s/rules/cis_1_2_18) | API Server | Ensure that the --profiling argument is set to false | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated | +| [1.2.19](bundle/compliance/cis_k8s/rules/cis_1_2_19) | API 
Server | Ensure that the --audit-log-path argument is set | :white_check_mark: | Passed :x: / Failed :white_check_mark: | Automated | +| [1.2.2](bundle/compliance/cis_k8s/rules/cis_1_2_2) | API Server | Ensure that the --token-auth-file parameter is not set | :white_check_mark: | Passed :white_check_mark: / Failed :x: | Automated | +| [1.2.20](bundle/compliance/cis_k8s/rules/cis_1_2_20) | API Server | Ensure that the --audit-log-maxage argument is set to 30 or as appropriate | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated | +| [1.2.21](bundle/compliance/cis_k8s/rules/cis_1_2_21) | API Server | Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated | +| [1.2.22](bundle/compliance/cis_k8s/rules/cis_1_2_22) | API Server | Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated | +| [1.2.23](bundle/compliance/cis_k8s/rules/cis_1_2_23) | API Server | Ensure that the --request-timeout argument is set as appropriate | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Manual | +| [1.2.24](bundle/compliance/cis_k8s/rules/cis_1_2_24) | API Server | Ensure that the --service-account-lookup argument is set to true | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated | +| [1.2.25](bundle/compliance/cis_k8s/rules/cis_1_2_25) | API Server | Ensure that the --service-account-key-file argument is set as appropriate | :white_check_mark: | Passed :white_check_mark: / Failed :x: | Automated | +| [1.2.26](bundle/compliance/cis_k8s/rules/cis_1_2_26) | API Server | Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate | :white_check_mark: | Passed :white_check_mark: / Failed :x: | Automated | +| 
[1.2.27](bundle/compliance/cis_k8s/rules/cis_1_2_27) | API Server | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | :white_check_mark: | Passed :white_check_mark: / Failed :x: | Automated | +| [1.2.28](bundle/compliance/cis_k8s/rules/cis_1_2_28) | API Server | Ensure that the --client-ca-file argument is set as appropriate | :white_check_mark: | Passed :white_check_mark: / Failed :x: | Automated | +| [1.2.29](bundle/compliance/cis_k8s/rules/cis_1_2_29) | API Server | Ensure that the --etcd-cafile argument is set as appropriate | :white_check_mark: | Passed :white_check_mark: / Failed :x: | Automated | +| 1.2.3 | API Server | Ensure that the --DenyServiceExternalIPs is not set | :x: | Passed :x: / Failed :x: | Automated | +| 1.2.30 | API Server | Ensure that the --encryption-provider-config argument is set as appropriate | :x: | Passed :x: / Failed :x: | Manual | +| 1.2.31 | API Server | Ensure that encryption providers are appropriately configured | :x: | Passed :x: / Failed :x: | Manual | +| [1.2.32](bundle/compliance/cis_k8s/rules/cis_1_2_32) | API Server | Ensure that the API Server only makes use of Strong Cryptographic Ciphers | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Manual | +| [1.2.4](bundle/compliance/cis_k8s/rules/cis_1_2_4) | API Server | Ensure that the --kubelet-https argument is set to true | :white_check_mark: | Passed :white_check_mark: / Failed :x: | Automated | +| [1.2.5](bundle/compliance/cis_k8s/rules/cis_1_2_5) | API Server | Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate | :white_check_mark: | Passed :white_check_mark: / Failed :x: | Automated | +| [1.2.6](bundle/compliance/cis_k8s/rules/cis_1_2_6) | API Server | Ensure that the --kubelet-certificate-authority argument is set as appropriate | :white_check_mark: | Passed :x: / Failed :white_check_mark: | Automated | +| 
[1.2.7](bundle/compliance/cis_k8s/rules/cis_1_2_7) | API Server | Ensure that the --authorization-mode argument is not set to AlwaysAllow | :white_check_mark: | Passed :white_check_mark: / Failed :x: | Automated | +| [1.2.8](bundle/compliance/cis_k8s/rules/cis_1_2_8) | API Server | Ensure that the --authorization-mode argument includes Node | :white_check_mark: | Passed :white_check_mark: / Failed :x: | Automated | +| [1.2.9](bundle/compliance/cis_k8s/rules/cis_1_2_9) | API Server | Ensure that the --authorization-mode argument includes RBAC | :white_check_mark: | Passed :white_check_mark: / Failed :x: | Automated | +| 1.3.1 | Controller Manager | Ensure that the --terminated-pod-gc-threshold argument is set as appropriate | :x: | Passed :x: / Failed :x: | Manual | +| [1.3.2](bundle/compliance/cis_k8s/rules/cis_1_3_2) | Controller Manager | Ensure that the --profiling argument is set to false | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated | +| [1.3.3](bundle/compliance/cis_k8s/rules/cis_1_3_3) | Controller Manager | Ensure that the --use-service-account-credentials argument is set to true | :white_check_mark: | Passed :white_check_mark: / Failed :x: | Automated | +| [1.3.4](bundle/compliance/cis_k8s/rules/cis_1_3_4) | Controller Manager | Ensure that the --service-account-private-key-file argument is set as appropriate | :white_check_mark: | Passed :white_check_mark: / Failed :x: | Automated | +| [1.3.5](bundle/compliance/cis_k8s/rules/cis_1_3_5) | Controller Manager | Ensure that the --root-ca-file argument is set as appropriate | :white_check_mark: | Passed :white_check_mark: / Failed :x: | Automated | +| [1.3.6](bundle/compliance/cis_k8s/rules/cis_1_3_6) | Controller Manager | Ensure that the RotateKubeletServerCertificate argument is set to true | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated | +| [1.3.7](bundle/compliance/cis_k8s/rules/cis_1_3_7) | Controller Manager | Ensure 
that the --bind-address argument is set to 127.0.0.1 | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated | +| [1.4.1](bundle/compliance/cis_k8s/rules/cis_1_4_1) | Scheduler | Ensure that the --profiling argument is set to false | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated | +| [1.4.2](bundle/compliance/cis_k8s/rules/cis_1_4_2) | Scheduler | Ensure that the --bind-address argument is set to 127.0.0.1 | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated | +| [2.1](bundle/compliance/cis_k8s/rules/cis_2_1) | etcd | Ensure that the --cert-file and --key-file arguments are set as appropriate | :white_check_mark: | Passed :white_check_mark: / Failed :x: | Automated | +| [2.2](bundle/compliance/cis_k8s/rules/cis_2_2) | etcd | Ensure that the --client-cert-auth argument is set to true | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated | +| [2.3](bundle/compliance/cis_k8s/rules/cis_2_3) | etcd | Ensure that the --auto-tls argument is not set to true | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated | +| [2.4](bundle/compliance/cis_k8s/rules/cis_2_4) | etcd | Ensure that the --peer-cert-file and --peer-key-file arguments are set as appropriate | :white_check_mark: | Passed :white_check_mark: / Failed :x: | Automated | +| [2.5](bundle/compliance/cis_k8s/rules/cis_2_5) | etcd | Ensure that the --peer-client-cert-auth argument is set to true | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated | +| [2.6](bundle/compliance/cis_k8s/rules/cis_2_6) | etcd | Ensure that the --peer-auto-tls argument is not set to true | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated | +| 2.7 | etcd | Ensure that a unique Certificate Authority is used for etcd | :x: | Passed :x: / Failed :x: | Manual | +| 3.1.1 | Authentication and 
Authorization | Client certificate authentication should not be used for users | :x: | Passed :x: / Failed :x: | Manual | +| 3.2.1 | Logging | Ensure that a minimal audit policy is created | :x: | Passed :x: / Failed :x: | Manual | +| 3.2.2 | Logging | Ensure that the audit policy covers key security concerns | :x: | Passed :x: / Failed :x: | Manual | +| [4.1.1](bundle/compliance/cis_k8s/rules/cis_4_1_1) | Worker Node Configuration Files | Ensure that the kubelet service file permissions are set to 644 or more restrictive | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated | +| [4.1.10](bundle/compliance/cis_k8s/rules/cis_4_1_10) | Worker Node Configuration Files | Ensure that the kubelet --config configuration file ownership is set to root:root | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated | +| [4.1.2](bundle/compliance/cis_k8s/rules/cis_4_1_2) | Worker Node Configuration Files | Ensure that the kubelet service file ownership is set to root:root | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated | +| 4.1.3 | Worker Node Configuration Files | If proxy kubeconfig file exists ensure permissions are set to 644 or more restrictive | :x: | Passed :x: / Failed :x: | Manual | +| 4.1.4 | Worker Node Configuration Files | If proxy kubeconfig file exists ensure ownership is set to root:root | :x: | Passed :x: / Failed :x: | Manual | +| [4.1.5](bundle/compliance/cis_k8s/rules/cis_4_1_5) | Worker Node Configuration Files | Ensure that the --kubeconfig kubelet.conf file permissions are set to 644 or more restrictive | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated | +| [4.1.6](bundle/compliance/cis_k8s/rules/cis_4_1_6) | Worker Node Configuration Files | Ensure that the --kubeconfig kubelet.conf file ownership is set to root:root | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated | +| 
4.1.7 | Worker Node Configuration Files | Ensure that the certificate authorities file permissions are set to 644 or more restrictive | :x: | Passed :x: / Failed :x: | Manual | +| 4.1.8 | Worker Node Configuration Files | Ensure that the client certificate authorities file ownership is set to root:root | :x: | Passed :x: / Failed :x: | Manual | +| [4.1.9](bundle/compliance/cis_k8s/rules/cis_4_1_9) | Worker Node Configuration Files | Ensure that the kubelet --config configuration file has permissions set to 644 or more restrictive | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated | +| [4.2.1](bundle/compliance/cis_k8s/rules/cis_4_2_1) | Kubelet | Ensure that the --anonymous-auth argument is set to false | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated | +| [4.2.10](bundle/compliance/cis_k8s/rules/cis_4_2_10) | Kubelet | Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate | :white_check_mark: | Passed :x: / Failed :x: | Manual | +| [4.2.11](bundle/compliance/cis_k8s/rules/cis_4_2_11) | Kubelet | Ensure that the --rotate-certificates argument is not set to false | :white_check_mark: | Passed :white_check_mark: / Failed :x: | Automated | +| [4.2.12](bundle/compliance/cis_k8s/rules/cis_4_2_12) | Kubelet | Verify that the RotateKubeletServerCertificate argument is set to true | :white_check_mark: | Passed :white_check_mark: / Failed :x: | Manual | +| [4.2.13](bundle/compliance/cis_k8s/rules/cis_4_2_13) | Kubelet | Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers | :white_check_mark: | Passed :white_check_mark: / Failed :x: | Manual | +| [4.2.2](bundle/compliance/cis_k8s/rules/cis_4_2_2) | Kubelet | Ensure that the --authorization-mode argument is not set to AlwaysAllow | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated | +| [4.2.3](bundle/compliance/cis_k8s/rules/cis_4_2_3) | Kubelet | Ensure 
that the --client-ca-file argument is set as appropriate | :white_check_mark: | Passed :white_check_mark: / Failed :x: | Automated | +| [4.2.4](bundle/compliance/cis_k8s/rules/cis_4_2_4) | Kubelet | Verify that the --read-only-port argument is set to 0 | :white_check_mark: | Passed :x: / Failed :white_check_mark: | Manual | +| [4.2.5](bundle/compliance/cis_k8s/rules/cis_4_2_5) | Kubelet | Ensure that the --streaming-connection-idle-timeout argument is not set to 0 | :white_check_mark: | Passed :white_check_mark: / Failed :x: | Manual | +| [4.2.6](bundle/compliance/cis_k8s/rules/cis_4_2_6) | Kubelet | Ensure that the --protect-kernel-defaults argument is set to true | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated | +| [4.2.7](bundle/compliance/cis_k8s/rules/cis_4_2_7) | Kubelet | Ensure that the --make-iptables-util-chains argument is set to true | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated | +| [4.2.8](bundle/compliance/cis_k8s/rules/cis_4_2_8) | Kubelet | Ensure that the --hostname-override argument is not set | :white_check_mark: | Passed :x: / Failed :x: | Manual | +| [4.2.9](bundle/compliance/cis_k8s/rules/cis_4_2_9) | Kubelet | Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Manual | +| 5.1.1 | RBAC and Service Accounts | Ensure that the cluster-admin role is only used where required | :x: | Passed :x: / Failed :x: | Manual | +| 5.1.2 | RBAC and Service Accounts | Minimize access to secrets | :x: | Passed :x: / Failed :x: | Manual | +| [5.1.3](bundle/compliance/cis_k8s/rules/cis_5_1_3) | RBAC and Service Accounts | Minimize wildcard use in Roles and ClusterRoles | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Manual | +| 5.1.4 | RBAC and Service Accounts | Minimize access to create pods | :x: | Passed :x: / Failed :x: 
| Manual | +| [5.1.5](bundle/compliance/cis_k8s/rules/cis_5_1_5) | RBAC and Service Accounts | Ensure that default service accounts are not actively used. | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Manual | +| [5.1.6](bundle/compliance/cis_k8s/rules/cis_5_1_6) | RBAC and Service Accounts | Ensure that Service Account Tokens are only mounted where necessary | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Manual | +| 5.1.7 | RBAC and Service Accounts | Avoid use of system:masters group | :x: | Passed :x: / Failed :x: | Manual | +| 5.1.8 | RBAC and Service Accounts | Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster | :x: | Passed :x: / Failed :x: | Manual | +| 5.2.1 | Pod Security Standards | Ensure that the cluster has at least one active policy control mechanism in place | :x: | Passed :x: / Failed :x: | Manual | +| [5.2.10](bundle/compliance/cis_k8s/rules/cis_5_2_10) | Pod Security Standards | Minimize the admission of containers with capabilities assigned | :white_check_mark: | Passed :x: / Failed :x: | Manual | +| 5.2.11 | Pod Security Standards | Minimize the admission of Windows HostProcess Containers | :x: | Passed :x: / Failed :x: | Manual | +| 5.2.12 | Pod Security Standards | Minimize the admission of HostPath volumes | :x: | Passed :x: / Failed :x: | Manual | +| 5.2.13 | Pod Security Standards | Minimize the admission of containers which use HostPorts | :x: | Passed :x: / Failed :x: | Manual | +| [5.2.2](bundle/compliance/cis_k8s/rules/cis_5_2_2) | Pod Security Standards | Minimize the admission of privileged containers | :white_check_mark: | Passed :x: / Failed :x: | Manual | +| [5.2.3](bundle/compliance/cis_k8s/rules/cis_5_2_3) | Pod Security Standards | Minimize the admission of containers wishing to share the host process ID namespace | :white_check_mark: | Passed :x: / Failed :x: | Automated | +| [5.2.4](bundle/compliance/cis_k8s/rules/cis_5_2_4) | 
Pod Security Standards | Minimize the admission of containers wishing to share the host IPC namespace | :white_check_mark: | Passed :x: / Failed :x: | Automated | +| [5.2.5](bundle/compliance/cis_k8s/rules/cis_5_2_5) | Pod Security Standards | Minimize the admission of containers wishing to share the host network namespace | :white_check_mark: | Passed :x: / Failed :x: | Automated | +| [5.2.6](bundle/compliance/cis_k8s/rules/cis_5_2_6) | Pod Security Standards | Minimize the admission of containers with allowPrivilegeEscalation | :white_check_mark: | Passed :x: / Failed :x: | Automated | +| [5.2.7](bundle/compliance/cis_k8s/rules/cis_5_2_7) | Pod Security Standards | Minimize the admission of root containers | :white_check_mark: | Passed :x: / Failed :x: | Automated | +| [5.2.8](bundle/compliance/cis_k8s/rules/cis_5_2_8) | Pod Security Standards | Minimize the admission of containers with the NET_RAW capability | :white_check_mark: | Passed :x: / Failed :x: | Automated | +| [5.2.9](bundle/compliance/cis_k8s/rules/cis_5_2_9) | Pod Security Standards | Minimize the admission of containers with added capabilities | :white_check_mark: | Passed :x: / Failed :x: | Automated | +| 5.3.1 | Network Policies and CNI | Ensure that the CNI in use supports Network Policies | :x: | Passed :x: / Failed :x: | Manual | +| 5.3.2 | Network Policies and CNI | Ensure that all Namespaces have Network Policies defined | :x: | Passed :x: / Failed :x: | Manual | +| 5.4.1 | Secrets Management | Prefer using secrets as files over secrets as environment variables | :x: | Passed :x: / Failed :x: | Manual | +| 5.4.2 | Secrets Management | Consider external secret storage | :x: | Passed :x: / Failed :x: | Manual | +| 5.5.1 | Extensible Admission Control | Configure Image Provenance using ImagePolicyWebhook admission controller | :x: | Passed :x: / Failed :x: | Manual | +| 5.7.1 | General Policies | Create administrative boundaries between resources using namespaces | :x: | Passed :x: / Failed :x: 
| Manual | +| 5.7.2 | General Policies | Ensure that the seccomp profile is set to docker/default in your pod definitions | :x: | Passed :x: / Failed :x: | Manual | +| 5.7.3 | General Policies | Apply Security Context to Your Pods and Containers | :x: | Passed :x: / Failed :x: | Manual | +| 5.7.4 | General Policies | The default namespace should not be used | :x: | Passed :x: / Failed :x: | Manual | +
+>>>>>>> 0029a1ad (Upgrade helm to v3.14.2 (#2356)) ## EKS CIS Benchmark diff --git a/tests/commonlib/kubernetes.py b/tests/commonlib/kubernetes.py index dca2a2c353..ef0958ba71 100644 --- a/tests/commonlib/kubernetes.py +++ b/tests/commonlib/kubernetes.py @@ -29,7 +29,7 @@ def __init__(self, is_in_cluster_config: bool = False): else: self.config = config.load_kube_config() - self.policy_c1_api = client.PolicyV1beta1Api() + # self.policy_c1_api = client.PolicyV1beta1Api() self.core_v1_client = client.CoreV1Api() self.app_api = client.AppsV1Api() self.rbac_api = client.RbacAuthorizationV1Api() @@ -45,7 +45,7 @@ def __init__(self, is_in_cluster_config: bool = False): "RoleBinding": self.rbac_api.list_namespaced_role_binding, "ClusterRoleBinding": self.rbac_api.list_cluster_role_binding, "ClusterRole": self.rbac_api.list_cluster_role, - "PodSecurityPolicy": self.policy_c1_api.list_pod_security_policy, + # "PodSecurityPolicy": self.policy_c1_api.list_pod_security_policy, "Lease": self.coordination_v1_api.list_namespaced_lease, } @@ -57,7 +57,7 @@ def __init__(self, is_in_cluster_config: bool = False): "Role": self.rbac_api.delete_namespaced_role, "RoleBinding": self.rbac_api.delete_namespaced_role_binding, "ClusterRoleBinding": self.rbac_api.delete_cluster_role_binding, - "PodSecurityPolicy": self.policy_c1_api.delete_pod_security_policy, + # "PodSecurityPolicy": self.policy_c1_api.delete_pod_security_policy, "ClusterRole": self.rbac_api.delete_cluster_role, "Lease": self.coordination_v1_api.delete_namespaced_lease, } 
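Review bot: These kubernetes.py hunks comment out the `PolicyV1beta1Api` client and the `"PodSecurityPolicy"` entries of the list/delete maps instead of deleting them, leaving dead code that git history already preserves; remove the `# self.policy_c1_api = client.PolicyV1beta1Api()` line and the `# "PodSecurityPolicy": ...` entries outright (the patch/create/read maps in the following hunks need the same). With the key gone, a test fixture that still declares `kind: PodSecurityPolicy` will presumably fail with a `KeyError` at the map lookup rather than with an API error, which is an acceptable fail-fast but worth a check of the fixtures under `tests/deploy`. `__init__` begins and ends outside these hunks.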
@@ -70,7 +70,7 @@ def __init__(self, is_in_cluster_config: bool = False):
 "Role": self.rbac_api.patch_namespaced_role,
 "RoleBinding": self.rbac_api.patch_namespaced_role_binding,
 "ClusterRoleBinding": self.rbac_api.patch_cluster_role_binding,
- "PodSecurityPolicy": self.policy_c1_api.patch_pod_security_policy,
+ # "PodSecurityPolicy": self.policy_c1_api.patch_pod_security_policy,
 "ClusterRole": self.rbac_api.patch_cluster_role,
 "Lease": self.coordination_v1_api.patch_namespaced_lease,
 }
@@ -83,7 +83,7 @@ def __init__(self, is_in_cluster_config: bool = False):
 "Role": self.rbac_api.create_namespaced_role,
 "RoleBinding": self.rbac_api.create_namespaced_role_binding,
 "ClusterRoleBinding": self.rbac_api.create_cluster_role_binding,
- "PodSecurityPolicy": self.policy_c1_api.create_pod_security_policy,
+ # "PodSecurityPolicy": self.policy_c1_api.create_pod_security_policy,
 "ClusterRole": self.rbac_api.create_cluster_role,
 "Lease": self.coordination_v1_api.create_namespaced_lease,
 }
@@ -96,7 +96,7 @@ def __init__(self, is_in_cluster_config: bool = False):
 "Role": self.rbac_api.read_namespaced_role,
 "RoleBinding": self.rbac_api.read_namespaced_role_binding,
 "ClusterRoleBinding": self.rbac_api.read_cluster_role_binding,
- "PodSecurityPolicy": self.policy_c1_api.read_pod_security_policy,
+ # "PodSecurityPolicy": self.policy_c1_api.read_pod_security_policy,
 "ClusterRole": self.rbac_api.read_cluster_role,
 "Lease": self.coordination_v1_api.read_namespaced_lease,
 }
diff --git a/tests/deploy/k8s-cloudbeat-tests/templates/cloudbeat-eks-pytest.yaml b/tests/deploy/k8s-cloudbeat-tests/templates/cloudbeat-eks-pytest.yaml
index a4fb2dbfc0..84a58d66a8 100644
--- a/tests/deploy/k8s-cloudbeat-tests/templates/cloudbeat-eks-pytest.yaml
+++ b/tests/deploy/k8s-cloudbeat-tests/templates/cloudbeat-eks-pytest.yaml
@@ -119,14 +119,14 @@ rules:
 - get
 - list
 - watch
- - apiGroups:
- - policy
- resources:
- - podsecuritypolicies
- verbs:
- - get
- - list
- - watch
+ # - apiGroups:
+ # - policy
+ # resources:
+ # - podsecuritypolicies
+ # verbs:
+ # - get
+ # - list
+ # - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
diff --git a/tests/deploy/k8s-cloudbeat-tests/templates/standalone-agent.yml b/tests/deploy/k8s-cloudbeat-tests/templates/standalone-agent.yml
index 1fa0931086..612534f929 100644
--- a/tests/deploy/k8s-cloudbeat-tests/templates/standalone-agent.yml
+++ b/tests/deploy/k8s-cloudbeat-tests/templates/standalone-agent.yml
@@ -689,10 +689,10 @@ rules:
 - roles
 verbs: ["get", "list", "watch"] # Needed for cloudbeat
- - apiGroups: ["policy"]
- resources:
- - podsecuritypolicies
- verbs: ["get", "list", "watch"]
+ # - apiGroups: ["policy"]
+ # resources:
+ # - podsecuritypolicies
+ # verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
diff --git a/tests/deploy/mock-pod.yml b/tests/deploy/mock-pod.yml
index abad719de7..813a837d05 100644
--- a/tests/deploy/mock-pod.yml
+++ b/tests/deploy/mock-pod.yml
@@ -27,47 +27,47 @@ metadata:
 namespace: kube-system
 automountServiceAccountToken: false
 ---
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: test-psp
- annotations:
- # docker/default identifies a profile for seccomp, but it is not particularly tied to the Docker runtime
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
- apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
- apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
-spec:
- privileged: false
- # Required to prevent escalations to root.
- allowPrivilegeEscalation: false
- requiredDropCapabilities:
- - ALL
- # Allow core volume types.
- volumes:
- - 'csi'
- hostNetwork: false
- hostIPC: false
- hostPID: false
- runAsUser:
- # Require the container to run without root privileges.
- rule: 'MustRunAsNonRoot'
- seLinux:
- # This policy assumes the nodes are using AppArmor rather than SELinux.
- rule: 'RunAsAny'
- supplementalGroups:
- rule: 'MustRunAs'
- ranges:
- # Forbid adding the root group.
- - min: 1
- max: 65535
- fsGroup:
- rule: 'MustRunAs'
- ranges:
- # Forbid adding the root group.
- - min: 1
- max: 65535
- readOnlyRootFilesystem: false
----
+# apiVersion: policy/v1beta1
+# kind: PodSecurityPolicy
+# metadata:
+# name: test-psp
+# annotations:
+# # docker/default identifies a profile for seccomp, but it is not particularly tied to the Docker runtime
+# seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
+# apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
+# apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
+# spec:
+# privileged: false
+# # Required to prevent escalations to root.
+# allowPrivilegeEscalation: false
+# requiredDropCapabilities:
+# - ALL
+# # Allow core volume types.
+# volumes:
+# - 'csi'
+# hostNetwork: false
+# hostIPC: false
+# hostPID: false
+# runAsUser:
+# # Require the container to run without root privileges.
+# rule: 'MustRunAsNonRoot'
+# seLinux:
+# # This policy assumes the nodes are using AppArmor rather than SELinux.
+# rule: 'RunAsAny'
+# supplementalGroups:
+# rule: 'MustRunAs'
+# ranges:
+# # Forbid adding the root group.
+# - min: 1
+# max: 65535
+# fsGroup:
+# rule: 'MustRunAs'
+# ranges:
+# # Forbid adding the root group.
+# - min: 1
+# max: 65535
+# readOnlyRootFilesystem: false
+# ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -86,10 +86,10 @@ rules:
 - apiGroups: [ "" ] # "" indicates the core API group
 resources: [ "pods" ]
 verbs: [ "get", "watch", "list" ]
- - apiGroups: [ 'policy' ]
- resources: [ 'podsecuritypolicies' ]
- verbs: [ 'use' ]
- resourceNames: [ 'test-psp' ]
+ # - apiGroups: [ 'policy' ]
+ # resources: [ 'podsecuritypolicies' ]
+ # verbs: [ 'use' ]
+ # resourceNames: [ 'test-psp' ]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
diff --git a/tests/deploy/sa-agent-pytest.yml b/tests/deploy/sa-agent-pytest.yml
index ded3c60719..1c86cfcbb2 100644
--- a/tests/deploy/sa-agent-pytest.yml
+++ b/tests/deploy/sa-agent-pytest.yml
@@ -583,10 +583,10 @@ rules:
 - roles
 verbs: ["get", "list", "watch"] # Needed for cloudbeat
- - apiGroups: ["policy"]
- resources:
- - podsecuritypolicies
- verbs: ["get", "list", "watch"]
+ # - apiGroups: ["policy"]
+ # resources:
+ # - podsecuritypolicies
+ # verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
diff --git a/tests/product/tests/data/k8s/k8s_object_cases.py b/tests/product/tests/data/k8s/k8s_object_cases.py
new file mode 100644
index 0000000000..19396c76d4
--- /dev/null
+++ b/tests/product/tests/data/k8s/k8s_object_cases.py
@@ -0,0 +1,264 @@
+"""
+This module defines k8s objects and psp test cases
+"""
+
+from ..constants import RULE_FAIL_STATUS, RULE_PASS_STATUS
+from .k8s_test_case import K8sTestCase
+
+K8S_CIS_5_1_3 = "CIS 5.1.3"
+K8S_CIS_5_1_5 = "CIS 5.1.5"
+K8S_CIS_5_1_6 = "CIS 5.1.6"
+K8S_CIS_5_2_2 = "CIS 5.2.2"
+K8S_CIS_5_2_3 = "CIS 5.2.3"
+K8S_CIS_5_2_4 = "CIS 5.2.4"
+K8S_CIS_5_2_5 = "CIS 5.2.5"
+K8S_CIS_5_2_6 = "CIS 5.2.6"
+K8S_CIS_5_2_7 = "CIS 5.2.7"
+K8S_CIS_5_2_8 = "CIS 5.2.8"
+K8S_CIS_5_2_10 = "CIS 5.2.10"
+
+TEST_FAIL_POD = "test-k8s-bad-pod"
+TEST_PASS_POD = "test-k8s-good-pod"
+TEST_PASS_ROLE = "test-role-pass"
+TEST_FAIL_ROLE = "test-role-fail"
+TEST_PASS_CLUSTER_ROLE = "test-cluster-role-pass"
+TEST_FAIL_CLUSTER_ROLE = "test-cluster-role-fail"
+TEST_PASS_SERVICE_ACCOUNT = "test-service-account-pass"
+TEST_FAIL_SERVICE_ACCOUNT = "test-service-account-fail"
+
+cis_5_1_3_role_pass = K8sTestCase(
+ rule_tag=K8S_CIS_5_1_3,
+ resource_name=TEST_PASS_ROLE,
+ expected=RULE_PASS_STATUS,
+)
+
+cis_5_1_3_cluster_role_pass = K8sTestCase(
+ rule_tag=K8S_CIS_5_1_3,
+ resource_name=TEST_PASS_CLUSTER_ROLE,
+ expected=RULE_PASS_STATUS,
+)
+
+cis_5_1_3_role_fail = K8sTestCase(
+ rule_tag=K8S_CIS_5_1_3,
+ resource_name=TEST_FAIL_ROLE,
+ expected=RULE_FAIL_STATUS,
+)
+
+cis_5_1_3_cluster_role_fail = K8sTestCase(
+ rule_tag=K8S_CIS_5_1_3,
+ resource_name=TEST_FAIL_CLUSTER_ROLE,
+ expected=RULE_FAIL_STATUS,
+)
+
+cis_5_1_3 = {
+ "5.1.3 Role with wildcards": cis_5_1_3_role_fail,
+ "5.1.3 Role with no wildcards": cis_5_1_3_role_pass,
+ "5.1.3 ClusterRole with wildcards": cis_5_1_3_cluster_role_fail,
+ "5.1.3 ClusterRole with no wildcards": cis_5_1_3_cluster_role_pass,
+}
+
+cis_5_1_5_sa_pass = K8sTestCase(
+ rule_tag=K8S_CIS_5_1_5,
+ resource_name=TEST_PASS_SERVICE_ACCOUNT,
+ expected=RULE_PASS_STATUS,
+)
+
+cis_5_1_5_pod_sa_default_fail = K8sTestCase(
+ rule_tag=K8S_CIS_5_1_5,
+ resource_name="test-pod-sa-default",
+ expected=RULE_FAIL_STATUS,
+)
+
+cis_5_1_5_pod_sa_name_default_fail = K8sTestCase(
+ rule_tag=K8S_CIS_5_1_5,
+ resource_name="test-pod-sa-name-default",
+ expected=RULE_FAIL_STATUS,
+)
+
+cis_5_1_5 = {
+ "5.1.5 ServiceAccount not default": cis_5_1_5_sa_pass,
+ "5.1.5 Pod.serviceAccount == default": cis_5_1_5_pod_sa_default_fail,
+ "5.1.5 Pod.serviceAccountName == default": cis_5_1_5_pod_sa_name_default_fail,
+}
+
+cis_5_1_6_sa_fail = K8sTestCase(
+ rule_tag=K8S_CIS_5_1_6,
+ resource_name=TEST_FAIL_SERVICE_ACCOUNT,
+ expected=RULE_FAIL_STATUS,
+)
+
+cis_5_1_6_pod_fail = K8sTestCase(
+ rule_tag=K8S_CIS_5_1_6,
+ resource_name=TEST_FAIL_POD,
+ expected=RULE_FAIL_STATUS,
+)
+
+cis_5_1_6_sa_pass = K8sTestCase(
+ rule_tag=K8S_CIS_5_1_6,
+ resource_name=TEST_PASS_SERVICE_ACCOUNT,
+ expected=RULE_PASS_STATUS,
+)
+
+cis_5_1_6_pod_pass = K8sTestCase(
+ rule_tag=K8S_CIS_5_1_6,
+ resource_name="test-pod-sa-default",
+ expected=RULE_PASS_STATUS,
+)
+
+cis_5_1_6 = {
+ "5.1.6 Pod.spec.automountServiceAccountToken == true": cis_5_1_6_pod_fail,
+ "5.1.6 Pod.spec.automountServiceAccountToken == false": cis_5_1_6_pod_pass,
+ "5.1.6 ServiceAccount.automountServiceAccountToken == true": cis_5_1_6_sa_pass,
+ "5.1.6 ServiceAccount.automountServiceAccountToken == false": cis_5_1_6_sa_fail,
+}
+
+cis_psp_5_2_2_pass = K8sTestCase(
+ rule_tag=K8S_CIS_5_2_2,
+ resource_name=TEST_PASS_POD,
+ expected=RULE_PASS_STATUS,
+)
+
+cis_psp_5_2_2_fail = K8sTestCase(
+ rule_tag=K8S_CIS_5_2_2,
+ resource_name=TEST_FAIL_POD,
+ expected=RULE_FAIL_STATUS,
+)
+
+cis_psp_5_2_2 = {
+ "5.2.2 PSP spec.securityContext.privileged==false eval passed": cis_psp_5_2_2_pass,
+ "5.2.2 PSP spec.securityContext.privileged==true eval failed": cis_psp_5_2_2_fail,
+}
+
+cis_psp_5_2_3_pass = K8sTestCase(
+ rule_tag=K8S_CIS_5_2_3,
+ resource_name=TEST_PASS_POD,
+ expected=RULE_PASS_STATUS,
+)
+
+cis_psp_5_2_3_fail = K8sTestCase(
+ rule_tag=K8S_CIS_5_2_3,
+ resource_name=TEST_FAIL_POD,
+ expected=RULE_FAIL_STATUS,
+)
+
+cis_psp_5_2_3 = {
+ "5.2.3 PSP Pod.spec.hostPID == true eval passed": cis_psp_5_2_3_pass,
+ "5.2.3 PSP Pod.spec.hostPID == false eval failed": cis_psp_5_2_3_fail,
+}
+
+cis_psp_5_2_4_pass = K8sTestCase(
+ rule_tag=K8S_CIS_5_2_4,
+ resource_name=TEST_PASS_POD,
+ expected=RULE_PASS_STATUS,
+)
+
+cis_psp_5_2_4_fail = K8sTestCase(
+ rule_tag=K8S_CIS_5_2_4,
+ resource_name=TEST_FAIL_POD,
+ expected=RULE_FAIL_STATUS,
+)
+
+cis_psp_5_2_4 = {
+ "5.2.4 PSP Pod.spec.hostIPC == true eval passed": cis_psp_5_2_4_pass,
+ "5.2.4 PSP Pod.spec.hostIPC == false eval failed": cis_psp_5_2_4_fail,
+}
+
+cis_psp_5_2_5_pass = K8sTestCase(
+ rule_tag=K8S_CIS_5_2_5,
+ resource_name=TEST_PASS_POD,
+ expected=RULE_PASS_STATUS,
+)
+
+cis_psp_5_2_5_fail = K8sTestCase(
+ rule_tag=K8S_CIS_5_2_5,
+ resource_name=TEST_FAIL_POD,
+ expected=RULE_FAIL_STATUS,
+)
+
+cis_psp_5_2_5 = {
+ "5.2.5 PSP Pod.spec.hostNetwork == true eval passed": cis_psp_5_2_5_pass,
+ "5.2.5 PSP Pod.spec.hostNetwork == false eval failed": cis_psp_5_2_5_fail,
+}
+
+cis_psp_5_2_6_pass = K8sTestCase(
+ rule_tag=K8S_CIS_5_2_6,
+ resource_name=TEST_PASS_POD,
+ expected=RULE_PASS_STATUS,
+)
+
+cis_psp_5_2_6_fail = K8sTestCase(
+ rule_tag=K8S_CIS_5_2_6,
+ resource_name=TEST_FAIL_POD,
+ expected=RULE_FAIL_STATUS,
+)
+
+cis_psp_5_2_6 = {
+ "5.2.6 PSP Pod.spec.containers.securityContext.allowPrivilegeEscalation == true eval passed": cis_psp_5_2_6_pass,
+ "5.2.6 PSP Pod.spec.containers.securityContext.allowPrivilegeEscalation == true eval failed": cis_psp_5_2_6_fail,
+}
+
+cis_psp_5_2_7_pass = K8sTestCase(
+ rule_tag=K8S_CIS_5_2_7,
+ resource_name=TEST_PASS_POD,
+ expected=RULE_PASS_STATUS,
+)
+
+cis_psp_5_2_7_fail = K8sTestCase(
+ rule_tag=K8S_CIS_5_2_7,
+ resource_name=TEST_FAIL_POD,
+ expected=RULE_FAIL_STATUS,
+)
+
+cis_psp_5_2_7 = {
+ "5.2.7 PSP Pod.spec.runAsUser forbids root eval passed": cis_psp_5_2_7_pass,
+ "5.2.7 PSP Pod.spec.runAsUser allows root eval failed": cis_psp_5_2_7_fail,
+}
+
+cis_psp_5_2_8_pass = K8sTestCase(
+ rule_tag=K8S_CIS_5_2_8,
+ resource_name=TEST_PASS_POD,
+ expected=RULE_PASS_STATUS,
+)
+
+cis_psp_5_2_8_fail = K8sTestCase(
+ rule_tag=K8S_CIS_5_2_8,
+ resource_name=TEST_FAIL_POD,
+ expected=RULE_FAIL_STATUS,
+)
+
+cis_psp_5_2_8 = {
+ "5.2.8 PSP Pod.container.spec.securityContext.capabilities drop all eval passed": cis_psp_5_2_8_pass,
+ "5.2.8 PSP Pod.container.spec.securityContext.runAsUser == root eval failed": cis_psp_5_2_8_fail,
+}
+
+cis_psp_5_2_10_pass = K8sTestCase(
+ rule_tag=K8S_CIS_5_2_10,
+ resource_name=TEST_PASS_POD,
+ expected=RULE_PASS_STATUS,
+)
+
+cis_psp_5_2_10_fail = K8sTestCase(
+ rule_tag=K8S_CIS_5_2_10,
+ resource_name=TEST_FAIL_POD,
+ expected=RULE_FAIL_STATUS,
+)
+
+cis_psp_5_2_10 = {
+ "5.2.10 PSP Pod.container.spec.securityContext.capabilities drop all eval passed": cis_psp_5_2_10_pass,
+ "5.2.10 PSP Pod.container.spec.securityContext.capabilities assigned eval failed": cis_psp_5_2_10_fail,
+}
+
+# The name of this variable needs to be `tests_cases` in order to CIS Rules coverage stats to be generated
+test_cases = {
+ **cis_5_1_3,
+ **cis_5_1_5,
+ **cis_5_1_6,
+ # **cis_psp_5_2_2,
+ # **cis_psp_5_2_3,
+ # **cis_psp_5_2_4,
+ # **cis_psp_5_2_5,
+ # **cis_psp_5_2_6,
+ # **cis_psp_5_2_7,
+ # **cis_psp_5_2_8,
+ # **cis_psp_5_2_10,
+}
diff --git a/tests/product/tests/data/k8s_object/eks_k8s_object_test_cases.py b/tests/product/tests/data/k8s_object/eks_k8s_object_test_cases.py
index e2ef78c1e8..b222134af9 100644
--- a/tests/product/tests/data/k8s_object/eks_k8s_object_test_cases.py
+++ b/tests/product/tests/data/k8s_object/eks_k8s_object_test_cases.py
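Review bot: The two ServiceAccount entries in `cis_5_1_6` carry swapped labels: `cis_5_1_6_sa_pass` targets `test-service-account-pass`, whose manifest later in this diff sets `automountServiceAccountToken: false`, yet it is keyed `"5.1.6 ServiceAccount.automountServiceAccountToken == true"`, and `cis_5_1_6_sa_fail` the reverse; these keys are the ids that show up in reports, so they should read `"5.1.6 ServiceAccount.automountServiceAccountToken == false": cis_5_1_6_sa_pass,` and `"5.1.6 ServiceAccount.automountServiceAccountToken == true": cis_5_1_6_sa_fail,`. The trailing comment says the variable must be named `tests_cases` while the variable is `test_cases`; one of the two is wrong and the comment should state the name the coverage tooling actually looks for. Several of the commented-out PSP labels are also inverted or mismatched (`5.2.3`, `5.2.4` and `5.2.5` say `== true eval passed` for the pass case, `5.2.6` says `== true` for both entries, and the `5.2.8` fail label talks about `runAsUser` although the rule is about NET_RAW), so they need correcting before those cases are re-enabled. The module docstring says the file defines "psp test cases" while every PSP case is disabled, which is worth a sentence explaining the state.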
@@ -3,6 +3,11 @@ Cases are organized as rules. Each rule has one or more test cases.
 """
+<<<<<<< HEAD:tests/product/tests/data/k8s_object/eks_k8s_object_test_cases.py
+=======
+
+# from commonlib.framework.reporting import SkipReportData, skip_param_case
+>>>>>>> 0029a1ad (Upgrade helm to v3.14.2 (#2356)):tests/product/tests/data/eks/eks_k8s_object_test_cases.py
 from configuration import eks
 from commonlib.framework.reporting import skip_param_case, SkipReportData
 from ..eks_test_case import EksKubeObjectCase
@@ -163,25 +168,25 @@
 }
 k8s_object_config_1 = {
- **cis_eks_4_2_7,
- **skip_param_case(
- cis_eks_4_2_8,
- data_to_report=SkipReportData(
- skip_reason="Retest after testing configuration will be fixed.",
- url_title="cloudbeat: #500",
- url_link="https://github.com/elastic/cloudbeat/issues/500",
- ),
- ),
- **cis_eks_4_2_9,
+ # **cis_eks_4_2_7,
+ # **skip_param_case(
+ # cis_eks_4_2_8,
+ # data_to_report=SkipReportData(
+ # skip_reason="Retest after testing configuration will be fixed.",
+ # url_title="cloudbeat: #500",
+ # url_link="https://github.com/elastic/cloudbeat/issues/500",
+ # ),
+ # ),
+ # **cis_eks_4_2_9,
 }
 k8s_object_config_2 = {
- **cis_eks_4_2_1,
- **cis_eks_4_2_2,
- **cis_eks_4_2_3,
- **cis_eks_4_2_4,
- **cis_eks_4_2_5,
- **cis_eks_4_2_6,
+ # **cis_eks_4_2_1,
+ # **cis_eks_4_2_2,
+ # **cis_eks_4_2_3,
+ # **cis_eks_4_2_4,
+ # **cis_eks_4_2_5,
+ # **cis_eks_4_2_6,
 }
 cis_eks_all = {
diff --git a/tests/test_environments/k8s-objects-all-cases.yml b/tests/test_environments/k8s-objects-all-cases.yml
new file mode 100644
index 0000000000..9893b38ff3
--- /dev/null
+++ b/tests/test_environments/k8s-objects-all-cases.yml
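Review bot: The first hunk commits unresolved merge-conflict markers (`<<<<<<< HEAD:…`, `=======`, `>>>>>>> 0029a1ad …`) into a Python module, which is a SyntaxError at import time and takes the whole EKS test collection down with it. Resolve the conflict by keeping the existing `from commonlib.framework.reporting import skip_param_case, SkipReportData` line and dropping the three marker lines together with the duplicate commented-out import. The README hunk earlier in this diff adds a matching `>>>>>>> 0029a1ad` line and needs the same cleanup. In the second hunk, `k8s_object_config_1` and `k8s_object_config_2` are left as empty dicts with every entry commented out; a one-line comment at each naming the reason they are disabled and the condition for re-enabling them would keep a reader from assuming the EKS 4.2.x coverage still runs.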
@@ -0,0 +1,240 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: busybox-pod
+ namespace: kube-system
+spec:
+ hostPID: false
+ hostNetwork: false
+ automountServiceAccountToken: false
+ containers:
+ - name: busybox
+ image: busybox
+ imagePullPolicy: IfNotPresent
+ command:
+ - sleep
+ - "3600"
+ securityContext:
+ privileged: false
+ allowPrivilegeEscalation: true
+ capabilities:
+ add: [ "NET_ADMIN", "SYS_TIME" ]
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: test-service-account-pass
+ namespace: kube-system
+automountServiceAccountToken: false
+---
+# apiVersion: policy/v1beta1
+# kind: PodSecurityPolicy
+# metadata:
+# name: test-psp
+# annotations:
+# # docker/default identifies a profile for seccomp, but it is not particularly tied to the Docker runtime
+# seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
+# apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
+# apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
+# spec:
+# privileged: false
+# # Required to prevent escalations to root.
+# allowPrivilegeEscalation: false
+# requiredDropCapabilities:
+# - ALL
+# # Allow core volume types.
+# volumes:
+# - 'csi'
+# hostNetwork: false
+# hostIPC: false
+# hostPID: false
+# runAsUser:
+# # Require the container to run without root privileges.
+# rule: 'MustRunAsNonRoot'
+# seLinux:
+# # This policy assumes the nodes are using AppArmor rather than SELinux.
+# rule: 'RunAsAny'
+# supplementalGroups:
+# rule: 'MustRunAs'
+# ranges:
+# # Forbid adding the root group.
+# - min: 1
+# max: 65535
+# fsGroup:
+# rule: 'MustRunAs'
+# ranges:
+# # Forbid adding the root group.
+# - min: 1
+# max: 65535
+# readOnlyRootFilesystem: false
+# ---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ namespace: kube-system
+ name: test-role-pass
+rules:
+ - apiGroups: [ "" ] # "" indicates the core API group
+ resources: [ "pods" ]
+ verbs: [ "get", "watch", "list" ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: test-cluster-role-pass
+rules:
+ - apiGroups: [ "" ] # "" indicates the core API group
+ resources: [ "pods" ]
+ verbs: [ "get", "watch", "list" ]
+ # - apiGroups: [ 'policy' ]
+ # resources: [ 'podsecuritypolicies' ]
+ # verbs: [ 'use' ]
+ # resourceNames: [ 'test-psp' ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: test-cluster-role-binding
+roleRef:
+ kind: ClusterRole
+ name: test-cluster-role-pass
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ name: test-service-account-pass
+ namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: test-cluster-role-fail
+rules:
+ - apiGroups: [ "*" ] # "" indicates the core API group
+ resources: [ "*" ]
+ verbs: [ "*" ]
+ # - apiGroups: [ 'policy' ]
+ # resources: [ 'podsecuritypolicies' ]
+ # verbs: [ 'use' ]
+ # resourceNames: [ 'test-psp-fail' ]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: test-cluster-role-binding-fail
+roleRef:
+ kind: ClusterRole
+ name: test-cluster-role-fail
+ apiGroup: rbac.authorization.k8s.io
+subjects:
+ - kind: ServiceAccount
+ name: test-service-account-fail
+ namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ namespace: kube-system
+ name: test-role-fail
+rules:
+ - apiGroups: [ "*" ] # "" indicates the core API group
+ resources: [ "*" ]
+ verbs: [ "*" ]
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: test-service-account-fail
+ namespace: kube-system
+automountServiceAccountToken: true
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-k8s-good-pod
+ namespace: kube-system
+ labels:
+ app: k8s-good-pod
+ testResourceId: k8s-pass
+spec:
+ hostPID: false
+ hostIPC: false
+ hostNetwork: false
+ automountServiceAccountToken: false
+ containers:
+ - name: busybox
+ image: busybox:latest
+ imagePullPolicy: Always
+ command:
+ - sleep
+ - "3600"
+ securityContext:
+ privileged: false
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ runAsUser: 10001
+ capabilities:
+ drop: ["ALL"]
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-k8s-bad-pod
+ namespace: kube-system
+ labels:
+ app: k8s-bad-pod
+ testResourceId: k8s-psp-failures
+spec:
+ hostPID: true
+ hostIPC: true
+ hostNetwork: true
+ automountServiceAccountToken: true
+ containers:
+ - name: busybox
+ image: busybox:latest
+ imagePullPolicy: Always
+ command:
+ - sleep
+ - "3600"
+ securityContext:
+ privileged: true
+ allowPrivilegeEscalation: true
+ runAsUser: 0
+ capabilities:
+ add: ["NET_ADMIN", "SYS_TIME", "NET_RAW"]
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-pod-sa-name-default
+ namespace: kube-system
+spec:
+ serviceAccountName: default
+ hostPID: false
+ hostNetwork: false
+ automountServiceAccountToken: false
+ containers:
+ - name: busybox
+ image: busybox
+ imagePullPolicy: IfNotPresent
+ command:
+ - sleep
+ - "3600"
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: test-pod-sa-default
+ namespace: kube-system
+spec:
+ serviceAccount: default
+ hostPID: false
+ hostNetwork: false
+ automountServiceAccountToken: false
+ containers:
+ - name: busybox
+ image: busybox
+ imagePullPolicy: IfNotPresent
+ command:
+ - sleep
+ - "3600"
+---
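Review bot: The comment `# "" indicates the core API group` was carried onto the two wildcard rules (`test-cluster-role-fail` and `test-role-fail`) whose `apiGroups` is `[ "*" ]`, so it now says the opposite of what the line does; on those two lines use `- apiGroups: [ "*" ] # "*" matches every API group, deliberately over-broad so CIS 5.1.3 fails`. Image references are also inconsistent within the file: `busybox-pod` and the two `test-pod-sa-*` pods use an untagged `image: busybox` with `IfNotPresent`, while the good/bad pods pin `busybox:latest` with `Always`; settling on one form (ideally a fixed tag) keeps these fixtures reproducible across runs. The hunk header announces 240 lines and the last line visible here appears to be the file's closing `---`; if the file continues past it, the same comment fix applies to any further wildcard rules.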