Merge pull request #1207 from cncf/bug/687

[687] Resolves differences in test score and maximum points

embedded_files/points.yml

@@ -219,6 +219,12 @@
 - name: ingress_egress_blocked 
   tags: security, dynamic, workload
 
+- name: insecure_capabilities
+  tags: security, dynamic, workload
+
+- name: dangerous_capabilities
+  tags: security, dynamic, workload
+
 - name: log_output
   tags: observability, dynamic, workload
 - name: prometheus_traffic 

spec/utils/cnf_manager_spec.cr

@@ -153,7 +153,8 @@ describe "SampleUtils" do
             "linux_hardening", "resource_policies",
             "immutable_file_systems", "hostpath_mounts", "log_output",
             "prometheus_traffic", "open_metrics",
-            "ingress_egress_blocked", "routed_logs", "tracing", "elastic_volumes", "alpha_k8s_apis", "service_discovery", "shared_database"]
+            "ingress_egress_blocked", "dangerous_capabilities", "insecure_capabilities",
+            "routed_logs", "tracing", "elastic_volumes", "alpha_k8s_apis", "service_discovery", "shared_database"]
     (CNFManager::Points.all_task_test_names()).sort.should eq(tags.sort)
   end
 

src/tasks/utils/points.cr

@@ -193,11 +193,26 @@ module CNFManager
         tasks = all_task_test_names
         Log.debug { "all_task_test_names tasks: #{tasks}" }
       end
+
+      results_yaml = File.open("#{Results.file}") do |file|
+        YAML.parse(file)
+      end
+
+      skipped_tests = results_yaml["items"].as_a.reduce([] of String) do |acc, test_info|
+        if test_info["status"] == "skipped"
+          acc + [test_info["name"].as_s]
+        else
+          acc
+        end
+      end
+
       max = tasks.reduce(0) do |acc, x|
         #TODO remove, from the potential points, the actually assigned points that are assigned to 'na' in the results.yml
         if na_assigned?(x)
           Log.info { "na_assigned for #{x}" }
           acc
+        elsif skipped_tests.includes?(x)
+          acc
         else
           points = task_points(x)
           if points

src/tasks/workload/security.cr

@@ -29,24 +29,23 @@ end
 desc "Check if any containers are running in as root"
 task "non_root_user", ["install_falco"] do |_, args|
    unless KubectlClient::Get.resource_wait_for_install("Daemonset", "falco") 
-     LOGGING.info "Falco Failed to Start"
+     Log.info { "Falco Failed to Start" }
      upsert_skipped_task("non_root_user", "✖️  SKIPPED: Skipping non_root_user: Falco failed to install. Check Kernel Headers are installed on the Host Systems(K8s).")
      node_pods = KubectlClient::Get.pods_by_nodes(KubectlClient::Get.schedulable_nodes_list)
      pods = KubectlClient::Get.pods_by_label(node_pods, "app", "falco")
      falco_pod_name = pods[0].dig("metadata", "name")
-     LOGGING.info "Falco Pod Name: #{falco_pod_name}"
+     Log.info { "Falco Pod Name: #{falco_pod_name}" }
      resp = KubectlClient.logs(falco_pod_name)
-     puts "Falco Logs: #{resp[:output]}"
      next
    end
 
    CNFManager::Task.task_runner(args) do |args,config|
-     VERBOSE_LOGGING.info "non_root_user" if check_verbose(args)
-     LOGGING.debug "cnf_config: #{config}"
+     Log.for("verbose").info { "non_root_user" } if check_verbose(args)
+     Log.debug { "cnf_config: #{config}" }
      fail_msgs = [] of String
      task_response = CNFManager.workload_resource_test(args, config) do |resource, container, initialized|
        test_passed = true
-       LOGGING.info "Falco is Running"
+       Log.info { "Falco is Running" }
        kind = resource["kind"].as_s.downcase
        case kind 
        when  "deployment","statefulset","pod","replicaset", "daemonset"
@@ -84,7 +83,7 @@ end
 desc "Check if any containers are running in privileged mode"
 task "privileged" do |_, args|
   CNFManager::Task.task_runner(args) do |args, config|
-    VERBOSE_LOGGING.info "privileged" if check_verbose(args)
+    Log.for("verbose").info { "privileged" } if check_verbose(args)
     white_list_container_names = config.cnf_config[:white_list_container_names]
     VERBOSE_LOGGING.info "white_list_container_names #{white_list_container_names.inspect}" if check_verbose(args)
     violation_list = [] of String

utils/kubectl_client/kubectl_client.cr

@@ -41,8 +41,8 @@ module KubectlClient
                          shell: true,
                          output: output = IO::Memory.new,
                          error: stderr = IO::Memory.new)
-    LOGGING.info "KubectlClient.wait output: #{output.to_s}"
-    LOGGING.info "KubectlClient.wait stderr: #{stderr.to_s}"
+    Log.info { "KubectlClient.wait output: #{output.to_s}" }
+    Log.info { "KubectlClient.wait stderr: #{stderr.to_s}" }
     {status: status, output: output, error: stderr}
   end
 
@@ -51,8 +51,8 @@ module KubectlClient
                          shell: true,
                          output: output = IO::Memory.new,
                          error: stderr = IO::Memory.new)
-    LOGGING.debug "KubectlClient.logs output: #{output.to_s}"
-    LOGGING.info "KubectlClient.logs stderr: #{stderr.to_s}"
+    Log.debug { "KubectlClient.logs output: #{output.to_s}" }
+    Log.info { "KubectlClient.logs stderr: #{stderr.to_s}" }
     {status: status, output: output, error: stderr}
   end
 
@@ -62,8 +62,8 @@ module KubectlClient
                          shell: true,
                          output: output = IO::Memory.new,
                          error: stderr = IO::Memory.new)
-    LOGGING.debug "KubectlClient.describe output: #{output.to_s}"
-    LOGGING.info "KubectlClient.describe stderr: #{stderr.to_s}"
+    Log.debug { "KubectlClient.describe output: #{output.to_s}" }
+    Log.info { "KubectlClient.describe stderr: #{stderr.to_s}" }
     {status: status, output: output, error: stderr}
   end
 
@@ -622,7 +622,7 @@ module KubectlClient
           end
           sleep 1
           timeout = timeout - 1 
-          LOGGING.info "Waiting for CRI-Tools Pod"
+          Log.info { "Waiting for CRI-Tools Pod" }
         end
         if timeout <= 0
           break