diff --git a/.github/workflows/pre-main.yaml b/.github/workflows/pre-main.yaml index 17c4270cf6..9a569222a7 100644 --- a/.github/workflows/pre-main.yaml +++ b/.github/workflows/pre-main.yaml @@ -19,7 +19,7 @@ env: OCT_IMAGE_NAME: redhat-best-practices-for-k8s/oct OCT_IMAGE_TAG: latest PROBE_IMAGE_NAME: redhat-best-practices-for-k8s/certsuite-probe - PROBE_IMAGE_TAG: v0.0.6 + PROBE_IMAGE_TAG: v0.0.7 CERTSUITE_CONFIG_DIR: /tmp/certsuite/config CERTSUITE_OUTPUT_DIR: /tmp/certsuite/output SMOKE_TESTS_LOG_LEVEL: debug @@ -244,9 +244,6 @@ jobs: path: | certsuite-out/*.tar.gz - - name: Remove tarball(s) to save disk space. - run: rm -f certsuite-out/*.tar.gz - - name: Check the smoke test results against the expected results template run: ./certsuite check results --log-file="certsuite-out/certsuite.log" diff --git a/cmd/certsuite/run/run.go b/cmd/certsuite/run/run.go index 84e1a1340c..e983442a7f 100644 --- a/cmd/certsuite/run/run.go +++ b/cmd/certsuite/run/run.go @@ -40,7 +40,7 @@ func NewCommand() *cobra.Command { runCmd.PersistentFlags().Bool("enable-data-collection", false, "Allow sending test results to an external data collector") runCmd.PersistentFlags().Bool("create-xml-junit-file", false, "Create a JUnit file with the test results") runCmd.PersistentFlags().String("certsuite-image-repository", "quay.io/redhat-best-practices-for-k8s", "The repository where Certsuite images are stored") - runCmd.PersistentFlags().String("certsuite-debug-image", "certsuite-probe:v0.0.6", "Name of the certsuite-probe image") + runCmd.PersistentFlags().String("certsuite-debug-image", "certsuite-probe:v0.0.7", "Name of the certsuite-probe image") runCmd.PersistentFlags().String("daemonset-cpu-req", "100m", "CPU request for the debug DaemonSet container") runCmd.PersistentFlags().String("daemonset-cpu-lim", "100m", "CPU limit for the debug DaemonSet container") runCmd.PersistentFlags().String("daemonset-mem-req", "100M", "Memory request for the debug DaemonSet container") 
diff --git a/docs/runtime-env.md b/docs/runtime-env.md index b3cbf44359..996389328a 100644 --- a/docs/runtime-env.md +++ b/docs/runtime-env.md @@ -63,4 +63,4 @@ See more about this variable [here](https://github.com/redhat-openshift-ecosyste against a private container registry that has self-signed certificates. Note that you can also specify the debug pod image to use with `SUPPORT_IMAGE` -environment variable, default to `certsuite-probe:v0.0.6`. +environment variable, default to `certsuite-probe:v0.0.7`. diff --git a/go.mod b/go.mod index ea3ebce718..2d02bef280 100644 --- a/go.mod +++ b/go.mod @@ -4,7 +4,7 @@ go 1.22.6 require ( github.com/Masterminds/semver/v3 v3.2.1 - github.com/redhat-best-practices-for-k8s/certsuite-claim v1.0.45 + github.com/redhat-best-practices-for-k8s/certsuite-claim v1.0.46 github.com/sirupsen/logrus v1.9.3 github.com/spf13/cobra v1.8.1 github.com/stretchr/testify v1.9.0 @@ -215,8 +215,8 @@ require ( github.com/gorilla/websocket v1.5.3 github.com/k8snetworkplumbingwg/network-attachment-definition-client v1.7.1 github.com/manifoldco/promptui v0.9.0 - github.com/redhat-best-practices-for-k8s/oct v0.0.19 - github.com/redhat-best-practices-for-k8s/privileged-daemonset v1.0.31 + github.com/redhat-best-practices-for-k8s/oct v0.0.20 + github.com/redhat-best-practices-for-k8s/privileged-daemonset v1.0.33 github.com/redhat-openshift-ecosystem/openshift-preflight v0.0.0-20240715111135-c9048da99aae github.com/robert-nix/ansihtml v1.0.1 golang.org/x/term v0.23.0 diff --git a/go.sum b/go.sum index 99cba758bd..ddbb1906c0 100644 --- a/go.sum +++ b/go.sum 
@@ -373,12 +373,12 @@ github.com/prometheus/procfs v0.0.2/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsT github.com/prometheus/procfs v0.0.3/go.mod h1:4A/X28fw3Fc593LaREMrKMqOKvUAntwMDaekg4FpcdQ= github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc= github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk= -github.com/redhat-best-practices-for-k8s/certsuite-claim v1.0.45 h1:lvsPZBl4owH80mX2fU879iIz0vYVbjj37CPnMifz5jw= -github.com/redhat-best-practices-for-k8s/certsuite-claim v1.0.45/go.mod h1:ymD8Lckn+C1k/QFalRv5srVro6w1GdcwtyRoSE4XWKM= -github.com/redhat-best-practices-for-k8s/oct v0.0.19 h1:4oy6ebgSFZs6OkNz+wvBbf9JWcDo34JOENpKDQjL+Hc= -github.com/redhat-best-practices-for-k8s/oct v0.0.19/go.mod h1:ucn2BTjdhHWZ7/c0tLmrxCvRedtV8FpjffsD8L233ro= -github.com/redhat-best-practices-for-k8s/privileged-daemonset v1.0.31 h1:LBb6aB2zGUPyROM/C5LOOLvVtGfM4PxvLI5rW0q4ja4= -github.com/redhat-best-practices-for-k8s/privileged-daemonset v1.0.31/go.mod h1:OGSlK+KdZ050HazHfs+9iQbv7fIqtaidNXgWRq5zMbg= +github.com/redhat-best-practices-for-k8s/certsuite-claim v1.0.46 h1:FIMxVB4qGIDIuvQ/oKgbMZoKqC2j6H9vorSGjcL441c= +github.com/redhat-best-practices-for-k8s/certsuite-claim v1.0.46/go.mod h1:zl22noTFxcP05POwr1aMNa13j4M1Fitq8TsxLrw/mJE= +github.com/redhat-best-practices-for-k8s/oct v0.0.20 h1:u2HhR6ilkHYVf1TaHaFstMz5AxnalmhvQ5gcKwO6058= +github.com/redhat-best-practices-for-k8s/oct v0.0.20/go.mod h1:BMcFp+p6SMrtjmkrl+eedhlaHZp1O7ZGuvs2TWhNrJI= +github.com/redhat-best-practices-for-k8s/privileged-daemonset v1.0.33 h1:ZOfbO2vycaV2B154ddLmSszgp8jvcsz9VV0vLslDEXk= +github.com/redhat-best-practices-for-k8s/privileged-daemonset v1.0.33/go.mod h1:56S8vOnBhuSLJ/39uh3NWy5FgsazOB+vId0h1EmVfUs= github.com/redhat-openshift-ecosystem/openshift-preflight v0.0.0-20240715111135-c9048da99aae h1:ztCHw10EtpMfX1d9Xz/TenJ6XsZrwkGd2uetdrAAMkg= github.com/redhat-openshift-ecosystem/openshift-preflight v0.0.0-20240715111135-c9048da99aae/go.mod 
h1:e2SE87xDQYxted00f0zoB4ZhlnGiwaj90kpOcL2J/eA= github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE= diff --git a/pkg/autodiscover/autodiscover.go b/pkg/autodiscover/autodiscover.go index 8f8996f788..b764666cc0 100644 --- a/pkg/autodiscover/autodiscover.go +++ b/pkg/autodiscover/autodiscover.go @@ -80,6 +80,8 @@ type DiscoveredTestData struct { RoleBindings []rbacv1.RoleBinding // Contains all rolebindings from all namespaces Roles []rbacv1.Role // Contains all roles from all namespaces Services []*corev1.Service + ServiceAccounts []*corev1.ServiceAccount + AllServiceAccounts []*corev1.ServiceAccount Hpas []*scalingv1.HorizontalPodAutoscaler Subscriptions []olmv1Alpha.Subscription AllSubscriptions []olmv1Alpha.Subscription @@ -250,7 +252,14 @@ func DoAutoDiscover(config *configuration.TestConfiguration) DiscoveredTestData if err != nil { log.Fatal("Cannot get list of services, err: %v", err) } - + data.ServiceAccounts, err = getServiceAccounts(oc.K8sClient.CoreV1(), data.Namespaces) + if err != nil { + log.Fatal("Cannot get list of service accounts under test, err: %v", err) + } + data.AllServiceAccounts, err = getServiceAccounts(oc.K8sClient.CoreV1(), []string{metav1.NamespaceAll}) + if err != nil { + log.Fatal("Cannot get list of all service accounts, err: %v", err) + } data.ExecutedBy = config.ExecutedBy data.PartnerName = config.PartnerName data.CollectorAppPassword = config.CollectorAppPassword diff --git a/pkg/autodiscover/autodiscover_service_accounts.go b/pkg/autodiscover/autodiscover_service_accounts.go new file mode 100644 index 0000000000..4567c28333 --- /dev/null +++ b/pkg/autodiscover/autodiscover_service_accounts.go 
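Review bot: The new `getServiceAccounts(oc.K8sClient.CoreV1(), []string{metav1.NamespaceAll})` call lists service accounts across the whole cluster and aborts through `log.Fatal` when it fails, so the suite now hard-requires cluster-scoped `list` on serviceaccounts where the per-namespace call just above it presumably needs only rights on the namespaces under test. That new permission should be stated wherever the required RBAC is documented, or the cluster-wide list could degrade to a logged warning with `AllServiceAccounts` left empty, since the pods under test are already covered by `data.ServiceAccounts`. The two calls also overlap: `data.ServiceAccounts` appears to be the subset of `data.AllServiceAccounts` whose namespace is in `data.Namespaces`, so one cluster-wide list followed by an in-memory filter would avoid the second round of API calls. DoAutoDiscover's body starts and ends outside the hunk.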
@@ -0,0 +1,37 @@
+// Copyright (C) 2022-2024 Red Hat, Inc.
+//
+// This program is free software; you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation; either version 2 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License along
+// with this program; if not, write to the Free Software Foundation, Inc.,
+// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+package autodiscover
+import (
+ "context"
+
+ corev1 "k8s.io/api/core/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
+)
+func getServiceAccounts(oc corev1client.CoreV1Interface, namespaces []string) (servicesAccounts []*corev1.ServiceAccount, err error) {
+ for _, ns := range namespaces {
+ s, err := oc.ServiceAccounts(ns).List(context.TODO(), metav1.ListOptions{})
+ if err != nil {
+ return servicesAccounts, err
+ }
+ for i := range s.Items {
+ servicesAccounts = append(servicesAccounts, &s.Items[i])
+ }
+ }
+ return servicesAccounts, nil
+}
diff --git a/pkg/autodiscover/autodiscover_services_accounts_test.go b/pkg/autodiscover/autodiscover_services_accounts_test.go
new file mode 100644
index 0000000000..a61005bd72
--- /dev/null
+++ b/pkg/autodiscover/autodiscover_services_accounts_test.go
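Review bot: On a List failure `return servicesAccounts, err` hands back a partially populated slice together with the error; the callers in autodiscover.go `log.Fatal` on err today, but the Go convention is that the value is meaningless when err is non-nil, so `return nil, fmt.Errorf("listing service accounts in namespace %q: %w", ns, err)` (with `"fmt"` added to the import block) is safer and also names the namespace that failed. The loop's `s, err :=` shadows the named return `err`; switching to plain results `([]*corev1.ServiceAccount, error)` removes the shadow and the `servicesAccounts` typo at the same time. The function has no doc comment; `// getServiceAccounts lists the ServiceAccounts in each of namespaces (metav1.NamespaceAll for the whole cluster) and returns pointers to them, stopping at the first List error.` would cover it.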
@@ -0,0 +1,65 @@ +// Copyright (C) 2020-2024 Red Hat, Inc. +// +// This program is free software; you can redistribute it and/or modify +// it under the terms of the GNU General Public License as published by +// the Free Software Foundation; either version 2 of the License, or +// (at your option) any later version. +// +// This program is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +// GNU General Public License for more details. +// +// You should have received a copy of the GNU General Public License along +// with this program; if not, write to the Free Software Foundation, Inc., +// 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. +package autodiscover + +import ( + "testing" + + "github.com/redhat-best-practices-for-k8s/certsuite/internal/clientsholder" + "github.com/stretchr/testify/assert" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" +) + +func TestGetServiceAccounts(t *testing.T) { + generateServiceAccount := func(name, namespace string) *corev1.ServiceAccount { + return &corev1.ServiceAccount{ + ObjectMeta: metav1.ObjectMeta{ + Name: name, + Namespace: namespace, + }, + } + } + + testCases := []struct { + serviceAccountName string + serviceAccountNamespace string + expectedServiceAccounts []*corev1.ServiceAccount + }{ + { + serviceAccountName: "testServiceAccount", + serviceAccountNamespace: "tnf", + expectedServiceAccounts: []*corev1.ServiceAccount{ + { + ObjectMeta: metav1.ObjectMeta{ + Name: "testServiceAccount", + Namespace: "tnf", + }, + }, + }, + }, + } + + for _, tc := range testCases { + var testRuntimeObjects []runtime.Object + testRuntimeObjects = append(testRuntimeObjects, generateServiceAccount(tc.serviceAccountName, tc.serviceAccountNamespace)) + oc := clientsholder.GetTestClientsHolder(testRuntimeObjects) + services, err := 
getServiceAccounts(oc.K8sClient.CoreV1(), []string{tc.serviceAccountNamespace})
+ assert.Nil(t, err)
+ assert.Equal(t, tc.expectedServiceAccounts, services)
+ }
+}
diff --git a/pkg/provider/pods.go b/pkg/provider/pods.go
index 326e428f17..95a764c315 100644
--- a/pkg/provider/pods.go
+++ b/pkg/provider/pods.go
@@ -42,6 +42,7 @@ const (
 type Pod struct {
 *corev1.Pod
+ AllServiceAccountsMap *map[string]*corev1.ServiceAccount
 Containers []*Container
 MultusNetworkInterfaces map[string]CniNetworkInterface
 MultusPCIs []string
@@ -416,3 +417,17 @@ func (p *Pod) IsRunAsNonRoot() bool {
 func (p *Pod) GetTopOwner() (topOwners map[string]podhelper.TopOwner, err error) {
 return podhelper.GetPodTopOwner(p.Namespace, p.OwnerReferences)
 }
+
+// AutomountServiceAccountSetOnSA checks if the AutomountServiceAccountToken field is set on the pod's ServiceAccount.
+// Returns:
+// - A boolean pointer indicating whether the AutomountServiceAccountToken field is set.
+// - An error if any occurred during the operation.
+func (p *Pod) IsAutomountServiceAccountSetOnSA() (isSet *bool, err error) {
+ if p.AllServiceAccountsMap == nil {
+ return isSet, fmt.Errorf("AllServiceAccountsMap is not initialized for pod with ns: %s and name %s", p.Namespace, p.Name)
+ }
+ if _, ok := (*p.AllServiceAccountsMap)[p.Namespace+p.Spec.ServiceAccountName]; !ok {
+ return isSet, fmt.Errorf("could not find a service account with ns: %s and name %s", p.Namespace, p.Spec.ServiceAccountName)
+ }
+ return (*p.AllServiceAccountsMap)[p.Namespace+p.Spec.ServiceAccountName].AutomountServiceAccountToken, nil
+}
diff --git a/pkg/provider/provider.go b/pkg/provider/provider.go
index 78fa7ed91d..1baeac4aec 100644
--- a/pkg/provider/provider.go
+++ b/pkg/provider/provider.go
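Review bot: The new test file is named `autodiscover_services_accounts_test.go` while the code it tests lives in `autodiscover_service_accounts.go`; renaming it to `autodiscover_service_accounts_test.go` keeps the `_test` pairing readers expect. The single case exercises one namespace holding one object, so the multi-namespace accumulation and the `metav1.NamespaceAll` path that DoAutoDiscover relies on stay untested; a second case passing two namespaces (or `metav1.NamespaceAll`) with objects in both would cover them.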
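Review bot: `AllServiceAccountsMap *map[string]*corev1.ServiceAccount` is a pointer to a map, but a Go map is already a reference type, so `AllServiceAccountsMap map[string]*corev1.ServiceAccount` shares the same backing store with the TestEnvironment without the `(*p.AllServiceAccountsMap)[…]` dereferences and the extra nil-pointer state. If the intent is to detect "never initialized", a nil map serves the same purpose (`if p.AllServiceAccountsMap == nil`).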
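Review bot: The map key `p.Namespace+p.Spec.ServiceAccountName` has no separator, so different (namespace, name) pairs can yield the same string — namespace `ab` with account `c` and namespace `a` with account `bc` are both valid Kubernetes names — and the later insert in buildTestEnvironment (provider.go, same `Namespace + Name` key) silently overwrites the earlier one, letting this method report another namespace's AutomountServiceAccountToken for the pod. Keying on `p.Namespace+"/"+p.Spec.ServiceAccountName`, with the same `ns + "/" + name` in provider.go and in automount_test.go's generatePod, removes the ambiguity because `/` cannot appear in an object name. The lookup is also performed twice; `sa, ok := (*p.AllServiceAccountsMap)[key]` followed by `if !ok { return nil, fmt.Errorf(...) }` and `return sa.AutomountServiceAccountToken, nil` does it once. The doc comment should start with the method's real name, `// IsAutomountServiceAccountSetOnSA checks …`, so godoc and linters attach it correctly.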
@@ -100,11 +100,14 @@ type TestEnvironment struct { // rename this with testTarget HorizontalScaler []*scalingv1.HorizontalPodAutoscaler `json:"testHorizontalScaler"` Services []*corev1.Service `json:"testServices"` - Nodes map[string]Node `json:"-"` - K8sVersion string `json:"-"` - OpenshiftVersion string `json:"-"` - OCPStatus string `json:"-"` - HelmChartReleases []*release.Release `json:"testHelmChartReleases"` + ServiceAccounts []*corev1.ServiceAccount `json:"testServiceAccounts"` + AllServiceAccounts []*corev1.ServiceAccount `json:"AllServiceAccounts"` + AllServiceAccountsMap map[string]*corev1.ServiceAccount + Nodes map[string]Node `json:"-"` + K8sVersion string `json:"-"` + OpenshiftVersion string `json:"-"` + OCPStatus string `json:"-"` + HelmChartReleases []*release.Release `json:"testHelmChartReleases"` ResourceQuotas []corev1.ResourceQuota PodDisruptionBudgets []policyv1.PodDisruptionBudget NetworkPolicies []networkingv1.NetworkPolicy @@ -240,9 +243,19 @@ func buildTestEnvironment() { //nolint:funlen aEvent := NewEvent(&data.AbnormalEvents[i]) env.AbnormalEvents = append(env.AbnormalEvents, &aEvent) } + // Service accounts + env.ServiceAccounts = data.ServiceAccounts + env.AllServiceAccounts = data.AllServiceAccounts + env.AllServiceAccountsMap = make(map[string]*corev1.ServiceAccount) + for i := 0; i < len(data.AllServiceAccounts); i++ { + mapIndex := data.AllServiceAccounts[i].ObjectMeta.Namespace + data.AllServiceAccounts[i].ObjectMeta.Name + env.AllServiceAccountsMap[mapIndex] = data.AllServiceAccounts[i] + } + // Pods pods := data.Pods for i := 0; i < len(pods); i++ { aNewPod := NewPod(&pods[i]) + aNewPod.AllServiceAccountsMap = &env.AllServiceAccountsMap env.Pods = append(env.Pods, &aNewPod) // Note: 'getPodContainers' is returning a filtered list of Container objects. env.Containers = append(env.Containers, getPodContainers(&pods[i], true)...) 
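Review bot: `AllServiceAccountsMap` has no json tag, so unlike the neighbouring `Nodes map[string]Node `json:"-"`` it is serialized into the claim output, duplicating every entry of `AllServiceAccounts` under an un-prefixed key; it is a lookup index rather than test data and should carry `json:"-"`. `AllServiceAccounts` is tagged `json:"AllServiceAccounts"` while every other exported field here uses the lower-case `test…` prefix (`testServices`, `testServiceAccounts`), so `json:"testAllServiceAccounts"` or `json:"-"` would be consistent. This also deserves a deliberate decision: it places a cluster-wide inventory of ServiceAccounts (names, annotations, secret and imagePullSecret references) into an artefact that `--enable-data-collection` can send to an external collector, whereas the rest of the claim is scoped to the namespaces under test; if only the automount lookup needs the cluster-wide data, `json:"-"` on both `All…` fields keeps it out of the claim.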
@@ -250,6 +263,7 @@ func buildTestEnvironment() { //nolint:funlen pods = data.AllPods for i := 0; i < len(pods); i++ { aNewPod := NewPod(&pods[i]) + aNewPod.AllServiceAccountsMap = &env.AllServiceAccountsMap env.AllPods = append(env.AllPods, &aNewPod) } env.DebugPods = make(map[string]*corev1.Pod) @@ -263,6 +277,7 @@ func buildTestEnvironment() { //nolint:funlen var pods []*Pod for i := 0; i < len(podList); i++ { aNewPod := NewPod(podList[i]) + aNewPod.AllServiceAccountsMap = &env.AllServiceAccountsMap pods = append(pods, &aNewPod) } env.CSVToPodListMap[k] = pods diff --git a/tests/accesscontrol/suite.go b/tests/accesscontrol/suite.go index 19d9a078a8..171f75869d 100644 --- a/tests/accesscontrol/suite.go +++ b/tests/accesscontrol/suite.go @@ -730,7 +730,7 @@ func testAutomountServiceToken(check *checksdb.Check, env *provider.TestEnvironm // Evaluate the pod's automount service tokens and any attached service accounts client := clientsholder.GetClientsHolder() - podPassed, newMsg := rbac.EvaluateAutomountTokens(client.K8sClient.CoreV1(), put.Pod) + podPassed, newMsg := rbac.EvaluateAutomountTokens(client.K8sClient.CoreV1(), put) if !podPassed { //nolint:govet check.LogError(newMsg) diff --git a/tests/common/rbac/automount.go b/tests/common/rbac/automount.go index 288d3a1f1d..b3760ce1c7 100644 --- a/tests/common/rbac/automount.go +++ b/tests/common/rbac/automount.go 
@@ -17,28 +17,12 @@ package rbac
 import (
- "context"
 "fmt"
- "github.com/redhat-best-practices-for-k8s/certsuite/internal/log"
- corev1 "k8s.io/api/core/v1"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "github.com/redhat-best-practices-for-k8s/certsuite/pkg/provider"
 corev1typed "k8s.io/client-go/kubernetes/typed/core/v1"
 )
-// AutomountServiceAccountSetOnSA checks if the AutomountServiceAccountToken field is set on a ServiceAccount.
-// Returns:
-// - A boolean pointer indicating whether the AutomountServiceAccountToken field is set.
-// - An error if any occurred during the operation.
-func AutomountServiceAccountSetOnSA(client corev1typed.CoreV1Interface, serviceAccountName, podNamespace string) (*bool, error) {
- sa, err := client.ServiceAccounts(podNamespace).Get(context.TODO(), serviceAccountName, metav1.GetOptions{})
- if err != nil {
- log.Error("executing serviceaccount command failed with error: %v", err)
- return nil, err
- }
- return sa.AutomountServiceAccountToken, nil
-}
-
 // EvaluateAutomountTokens evaluates whether the automountServiceAccountToken is correctly configured for the given Pod.
 // Checks if the token is explicitly set in the Pod's spec or if it is inherited from the associated ServiceAccount.
 // Returns:
@@ -46,7 +30,7 @@ func AutomountServiceAccountSetOnSA(client corev1typed.CoreV1Interface, serviceA
 // - string: Error message if the Pod is misconfigured, otherwise an empty string.
 //
 //nolint:gocritic
-func EvaluateAutomountTokens(client corev1typed.CoreV1Interface, put *corev1.Pod) (bool, string) {
+func EvaluateAutomountTokens(client corev1typed.CoreV1Interface, put *provider.Pod) (bool, string) {
 // The token can be specified in the pod directly
 // or it can be specified in the service account of the pod
 // if no service account is configured, then the pod will use the configuration
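Review bot: `client corev1typed.CoreV1Interface` stays in the signature of `EvaluateAutomountTokens` although, within the visible hunks, its only use (the `AutomountServiceAccountSetOnSA(client, …)` call in the next hunk) is replaced by `put.IsAutomountServiceAccountSetOnSA()`; the body continues outside the hunk, so if no other use remains the parameter is dead and both callers (accesscontrol/suite.go, operator/suite.go) keep building a clients holder just to pass it. Dropping it — `func EvaluateAutomountTokens(put *provider.Pod) (bool, string)` — together with the now-unneeded `corev1typed` import makes it explicit that the check runs purely on autodiscovered data and no longer talks to the API server.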
@@ -59,9 +43,9 @@ func EvaluateAutomountTokens(client corev1typed.CoreV1Interface, put *corev1.Pod
 }
 // Collect information about the service account attached to the pod.
- saAutomountServiceAccountToken, err := AutomountServiceAccountSetOnSA(client, put.Spec.ServiceAccountName, put.Namespace)
+ saAutomountServiceAccountToken, err := put.IsAutomountServiceAccountSetOnSA()
 if err != nil {
- return false, ""
+ return false, err.Error()
 }
 // The pod token is false means the pod is configured properly
diff --git a/tests/common/rbac/automount_test.go b/tests/common/rbac/automount_test.go
index 68db66e19b..c3c08fd48a 100644
--- a/tests/common/rbac/automount_test.go
+++ b/tests/common/rbac/automount_test.go
@@ -20,6 +20,7 @@ import (
 "testing"
 "github.com/redhat-best-practices-for-k8s/certsuite/internal/clientsholder"
+ "github.com/redhat-best-practices-for-k8s/certsuite/pkg/provider"
 "github.com/stretchr/testify/assert"
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -56,43 +57,12 @@ func buildServiceAccountTokenTestObjects() []runtime.Object { return testRuntimeObjects } -func TestAutomountServiceAccountSetOnSA(t *testing.T) { - testCases := []struct { - automountServiceTokenSet bool - }{ - { - automountServiceTokenSet: true, - }, - { - automountServiceTokenSet: false, - }, - } - - for index, tc := range testCases { - testSA := corev1.ServiceAccount{ - ObjectMeta: metav1.ObjectMeta{ - Namespace: "podNS", - Name: "testSA", - }, - AutomountServiceAccountToken: &testCases[index].automountServiceTokenSet, - } - - var testRuntimeObjects []runtime.Object - testRuntimeObjects = append(testRuntimeObjects, &testSA) - - client := clientsholder.GetTestClientsHolder(testRuntimeObjects) - isSet, err := AutomountServiceAccountSetOnSA(client.K8sClient.CoreV1(), "testSA", "podNS") - assert.Nil(t, err) - assert.Equal(t, tc.automountServiceTokenSet, *isSet) - } -} - func TestEvaluateAutomountTokens(t *testing.T) { falseVar := false trueVar := true - generatePod := func(tokenStatus *bool, saName string) *corev1.Pod { - return &corev1.Pod{ + generatePod := func(tokenStatus, saTokenStatus *bool, saName string) provider.Pod { + aPod := provider.NewPod(&corev1.Pod{ Spec: corev1.PodSpec{ NodeName: "worker01", AutomountServiceAccountToken: tokenStatus, 
@@ -102,36 +72,45 @@ func TestEvaluateAutomountTokens(t *testing.T) { Name: "testPod", Namespace: "testNamespace", }, + }) + var sa corev1.ServiceAccount + + sa.Name = saName + sa.Namespace = aPod.Namespace + sa.AutomountServiceAccountToken = saTokenStatus + aPod.AllServiceAccountsMap = &map[string]*corev1.ServiceAccount{ + aPod.Namespace + saName: &sa, } + return aPod } testCases := []struct { - testPod *corev1.Pod + testPod provider.Pod expectedMsg string expectedResult bool }{ { // Test Case #1 - PASS - Automount Service Token on the pod is set to False - testPod: generatePod(&falseVar, "SAAutomountTrue"), + testPod: generatePod(&falseVar, &falseVar, "SAAutomountTrue"), expectedResult: true, expectedMsg: "", }, { // Test Case #2 - FAIL - Automount Service Token on the pod is set to True - testPod: generatePod(&trueVar, "SAAutomountTrue"), + testPod: generatePod(&trueVar, &falseVar, "SAAutomountTrue"), expectedResult: false, expectedMsg: "Pod testNamespace:testPod is configured with automountServiceAccountToken set to true", }, { // Test Case #3 - PASS - Pod SAT is nil, SA is false - testPod: generatePod(nil, "SAAutomountFalse"), + testPod: generatePod(nil, &falseVar, "SAAutomountFalse"), expectedResult: true, expectedMsg: "", }, { // Test Case #4 - FAIL - Pod SAT is nil, SA is true - testPod: generatePod(nil, "SAAutomountTrue"), + testPod: generatePod(nil, &trueVar, "SAAutomountTrue"), expectedResult: false, expectedMsg: "serviceaccount testNamespace:SAAutomountTrue is configured with automountServiceAccountToken set to true, impacting pod testPod", }, { // Test Case #5 - FAIL - Pod SAT is nil, SA is nil - testPod: generatePod(nil, "SAAutomountNil"), + testPod: generatePod(nil, nil, "SAAutomountNil"), expectedResult: false, expectedMsg: "serviceaccount testNamespace:SAAutomountNil is not configured with automountServiceAccountToken set to false, impacting pod testPod", }, 
@@ -139,7 +118,7 @@ func TestEvaluateAutomountTokens(t *testing.T) { for _, tc := range testCases { client := clientsholder.GetTestClientsHolder(buildServiceAccountTokenTestObjects()) - podPassed, msg := EvaluateAutomountTokens(client.K8sClient.CoreV1(), tc.testPod) + podPassed, msg := EvaluateAutomountTokens(client.K8sClient.CoreV1(), &tc.testPod) assert.Equal(t, tc.expectedMsg, msg) assert.Equal(t, tc.expectedResult, podPassed) } diff --git a/tests/operator/suite.go b/tests/operator/suite.go index 12d58f0feb..8c779de711 100644 --- a/tests/operator/suite.go +++ b/tests/operator/suite.go @@ -428,7 +428,7 @@ func testOperatorPodsAutomountTokens(check *checksdb.Check, env *provider.TestEn check.LogInfo("Testing Pod %q in namespace %q", pod.Name, pod.Namespace) // Evaluate the pod's automount service tokens and any attached service accounts client := clientsholder.GetClientsHolder() - podPassed, newMsg := rbac.EvaluateAutomountTokens(client.K8sClient.CoreV1(), pod.Pod) + podPassed, newMsg := rbac.EvaluateAutomountTokens(client.K8sClient.CoreV1(), pod) if !podPassed { check.LogInfo("Pod %q in namespace %q has automount service account token set to false", pod.Name, pod.Namespace) compliantObjects = append(compliantObjects, testhelper.NewPodReportObject(pod.Namespace, pod.Name, "Pod has automount service account token set to false", true)) diff --git a/version.json b/version.json index 3af1f9246d..62fc3bc981 100644 --- a/version.json +++ b/version.json @@ -1,5 +1,5 @@ { - "debugTag": "v0.0.6", + "debugTag": "v0.0.7", "claimFormat": "v0.4.0", "parserTag": "v0.4.7" }