add smart remediation system tests

Signed-off-by: Matthias Bertschy <[email protected]>
armosec · Mar 28, 2024 · 518b7c9 · 518b7c9
1 parent b92fdfc
commit 518b7c9
Show file tree

Hide file tree

Showing 16 changed files with 773 additions and 102 deletions.
diff --git a/configurations/k8s_workloads/smart-remediation/c0016-fixed.yaml b/configurations/k8s_workloads/smart-remediation/c0016-fixed.yaml
@@ -0,0 +1,35 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx
+spec:
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+        - name: nginx
+          image: nginx
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              add: ["NET_ADMIN"]
+            privileged: false
+          volumeMounts:
+            - name: docker-socket
+              mountPath: /host-docker.sock
+            - name: host-volume
+              mountPath: /host-etc
+      volumes:
+        - name: docker-socket
+          hostPath:
+            path: /run/containerd/containerd.sock
+            type: Socket
+        - name: host-volume
+          hostPath:
+            path: /etc
+            type: Directory
diff --git a/configurations/k8s_workloads/smart-remediation/c0017-fixed.yaml b/configurations/k8s_workloads/smart-remediation/c0017-fixed.yaml
@@ -0,0 +1,43 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx
+spec:
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+        - name: nginx
+          image: nginx
+          securityContext:
+            capabilities:
+              add: ["NET_ADMIN"]
+            privileged: true
+            readOnlyRootFilesystem: true
+          volumeMounts:
+            - name: cache
+              mountPath: /var/cache/nginx
+            - name: run
+              mountPath: /var/run
+            - name: docker-socket
+              mountPath: /host-docker.sock
+            - name: host-volume
+              mountPath: /host-etc
+      volumes:
+        - name: cache
+          emptyDir: {}
+        - name: run
+          emptyDir: {}
+        - name: docker-socket
+          hostPath:
+            path: /run/containerd/containerd.sock
+            type: Socket
+        - name: host-volume
+          hostPath:
+            path: /etc
+            type: Directory
diff --git a/configurations/k8s_workloads/smart-remediation/c0034-fixed.yaml b/configurations/k8s_workloads/smart-remediation/c0034-fixed.yaml
@@ -0,0 +1,35 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx
+spec:
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+        - name: nginx
+          image: nginx
+          securityContext:
+            capabilities:
+              add: ["NET_ADMIN"]
+            privileged: true
+          volumeMounts:
+            - name: docker-socket
+              mountPath: /host-docker.sock
+            - name: host-volume
+              mountPath: /host-etc
+      automountServiceAccountToken: false
+      volumes:
+        - name: docker-socket
+          hostPath:
+            path: /run/containerd/containerd.sock
+            type: Socket
+        - name: host-volume
+          hostPath:
+            path: /etc
+            type: Directory
diff --git a/configurations/k8s_workloads/smart-remediation/c0045-fixed.yaml b/configurations/k8s_workloads/smart-remediation/c0045-fixed.yaml
@@ -0,0 +1,36 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx
+spec:
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+        - name: nginx
+          image: nginx
+          securityContext:
+            capabilities:
+              add: ["NET_ADMIN"]
+            privileged: true
+          volumeMounts:
+            - name: docker-socket
+              mountPath: /host-docker.sock
+              readOnly: true
+            - name: host-volume
+              mountPath: /host-etc
+              readOnly: true
+      volumes:
+        - name: docker-socket
+          hostPath:
+            path: /run/containerd/containerd.sock
+            type: Socket
+        - name: host-volume
+          hostPath:
+            path: /etc
+            type: Directory
diff --git a/configurations/k8s_workloads/smart-remediation/c0046-fixed.yaml b/configurations/k8s_workloads/smart-remediation/c0046-fixed.yaml
@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx
+spec:
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+        - name: nginx
+          image: nginx
+          securityContext:
+            privileged: true
+          volumeMounts:
+            - name: docker-socket
+              mountPath: /host-docker.sock
+            - name: host-volume
+              mountPath: /host-etc
+      volumes:
+        - name: docker-socket
+          hostPath:
+            path: /run/containerd/containerd.sock
+            type: Socket
+        - name: host-volume
+          hostPath:
+            path: /etc
+            type: Directory
diff --git a/configurations/k8s_workloads/smart-remediation/c0048-fixed.yaml b/configurations/k8s_workloads/smart-remediation/c0048-fixed.yaml
@@ -0,0 +1,20 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx
+spec:
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+        - name: nginx
+          image: nginx
+          securityContext:
+            capabilities:
+              add: ["NET_ADMIN"]
+            privileged: true
diff --git a/configurations/k8s_workloads/smart-remediation/c0057-fixed.yaml b/configurations/k8s_workloads/smart-remediation/c0057-fixed.yaml
@@ -0,0 +1,34 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx
+spec:
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+        - name: nginx
+          image: nginx
+          securityContext:
+            capabilities:
+              add: ["NET_ADMIN"]
+            privileged: false
+          volumeMounts:
+            - name: docker-socket
+              mountPath: /host-docker.sock
+            - name: host-volume
+              mountPath: /host-etc
+      volumes:
+        - name: docker-socket
+          hostPath:
+            path: /run/containerd/containerd.sock
+            type: Socket
+        - name: host-volume
+          hostPath:
+            path: /etc
+            type: Directory
diff --git a/configurations/k8s_workloads/smart-remediation/c0074-fixed.yaml b/configurations/k8s_workloads/smart-remediation/c0074-fixed.yaml
@@ -0,0 +1,28 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx
+spec:
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+        - name: nginx
+          image: nginx
+          securityContext:
+            capabilities:
+              add: ["NET_ADMIN"]
+            privileged: true
+          volumeMounts:
+            - name: host-volume
+              mountPath: /host-etc
+      volumes:
+        - name: host-volume
+          hostPath:
+            path: /etc
+            type: Directory
diff --git a/configurations/k8s_workloads/smart-remediation/nginx-deployment.yaml b/configurations/k8s_workloads/smart-remediation/nginx-deployment.yaml
@@ -0,0 +1,34 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx
+spec:
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      containers:
+        - name: nginx
+          image: nginx
+          securityContext:
+            capabilities:
+              add: ["NET_ADMIN"]
+            privileged: true
+          volumeMounts:
+            - name: docker-socket
+              mountPath: /host-docker.sock
+            - name: host-volume
+              mountPath: /host-etc
+      volumes:
+        - name: docker-socket
+          hostPath:
+            path: /run/containerd/containerd.sock
+            type: Socket
+        - name: host-volume
+          hostPath:
+            path: /etc
+            type: Directory
diff --git a/configurations/system/tests.py b/configurations/system/tests.py
@@ -1,4 +1,5 @@
 from configurations.system.tests_cases.network_policy_tests import NetworkPolicyTests
+from configurations.system.tests_cases.smart_remediation_tests import SmartRemediationTests
 from configurations.system.tests_cases.synchronizer_tests import SynchronizerTests
 from systest_utils import TestUtil
 
@@ -22,6 +23,7 @@ def all_tests_names():
     tests.extend(TestUtil.get_class_methods(RelevantVulnerabilityScanningTests))
     tests.extend(TestUtil.get_class_methods(NetworkPolicyTests))
     tests.extend(TestUtil.get_class_methods(NotificationSTests))
+    tests.extend(TestUtil.get_class_methods(SmartRemediationTests))
     tests.extend(TestUtil.get_class_methods(SynchronizerTests))
     return tests
 
@@ -44,6 +46,8 @@ def get_test(test_name):
         return NetworkPolicyTests().__getattribute__(test_name)()
     if test_name in TestUtil.get_class_methods(NotificationSTests):
         return NotificationSTests().__getattribute__(test_name)()
+    if test_name in TestUtil.get_class_methods(SmartRemediationTests):
+        return SmartRemediationTests().__getattribute__(test_name)()
     if test_name in TestUtil.get_class_methods(SynchronizerTests):
         return SynchronizerTests().__getattribute__(test_name)()