From c2b3dacf26f852b28ed380b75fb2fba8bd6e8023 Mon Sep 17 00:00:00 2001
From: kooomix
Date: Thu, 16 Jan 2025 14:01:52 +0200
Subject: [PATCH] Remove deprecated attack chain scenarios and update related documentation
---
 .../tests_cases/ks_microservice_test.py | 267 ------------------
 readme.md | 12 -
 system_test_mapping.json | 102 -------
 tests_scripts/helm/ks_microservice.py | 85 +-----
 4 files changed, 3 insertions(+), 463 deletions(-)
diff --git a/configurations/system/tests_cases/ks_microservice_test.py b/configurations/system/tests_cases/ks_microservice_test.py
index 9aef880c..8f9be815 100644
--- a/configurations/system/tests_cases/ks_microservice_test.py
+++ b/configurations/system/tests_cases/ks_microservice_test.py
@@ -20,232 +20,8 @@ def scan_with_kubescape_helm_chart():
 deployments=join(DEFAULT_DEPLOYMENT_PATH, "wikijs"),
 )
- @staticmethod
- def ac_5_fix_control_with_relevancy():
- """
- install scenario #5 on the cluster, install the kubescape operator and run the scan.
- once the attack chain has been detected on the backend, fix the attack chain and verify that is has been solved
- by triggering a new control scan.
-
- 'fix_object' parameter is used to determine which type of fix you want to apply, to test the attack-chain fix functionality.
- fix_object = ["control", "image"]
- """
- from tests_scripts.helm.ks_microservice import ScanAttackChainsWithKubescapeHelmChart
- return TestConfiguration(
- name=inspect.currentframe().f_code.co_name,
- test_obj=ScanAttackChainsWithKubescapeHelmChart,
- test_job=[{"trigger_by": "scan_on_start"}],
- test_scenario="attack-chain-5",
- fix_object="control",
- )
- @staticmethod
- def ac_5_fix_control_no_relevancy():
- """
- install scenario #5 on the cluster, install the kubescape operator disabling relevancy and run the scan.
- once the attack chain has been detected on the backend, fix the attack chain and verify that is has been solved
- by triggering a new control scan.
- """
- from tests_scripts.helm.ks_microservice import ScanAttackChainsWithKubescapeHelmChart
- return TestConfiguration(
- name=inspect.currentframe().f_code.co_name,
- test_obj=ScanAttackChainsWithKubescapeHelmChart,
- test_job=[{"trigger_by": "scan_on_start"}],
- test_scenario="attack-chain-5",
- fix_object="control",
- helm_kwargs={statics.HELM_RELEVANCY_FEATURE: statics.HELM_RELEVANCY_FEATURE_DISABLED},
- relevancy_enabled=False
- )
-
- @staticmethod
- def ac_alpine_workload_external_track_fix_image():
- """
- install scenario 'alpine' on the cluster, install the kubescape operator and run the scan.
- once the attack chain has been detected on the backend, fix the attack chain and verify that is has been solved
- by triggering a new image scan.
- """ - from tests_scripts.helm.ks_microservice import ScanAttackChainsWithKubescapeHelmChart - return TestConfiguration( - name=inspect.currentframe().f_code.co_name, - test_obj=ScanAttackChainsWithKubescapeHelmChart, - test_job=[{"trigger_by": "scan_on_start"}], - test_scenario="alpine", - fix_object="image" - ) - - @staticmethod - def ac_alpine_workload_external_track_fix_image_with_cronjob(): - """ - install scenario 'alpine' on the cluster, install the kubescape operator and run the scan triggered by a cronjob. - once the attack chain has been detected on the backend, fix the attack chain and verify that is has been solved - by triggering a new image scan. - """ - from tests_scripts.helm.ks_microservice import ScanAttackChainsWithKubescapeHelmChart - return TestConfiguration( - name=inspect.currentframe().f_code.co_name, - test_obj=ScanAttackChainsWithKubescapeHelmChart, - test_job=[{"trigger_by": "cronjob", "operation": "create", "framework": [""], "hostsensor": True}], - test_scenario="alpine", - fix_object="image" - ) - @staticmethod - def ac_alpine_workload_external_track_fix_control(): - """ - install scenario 'alpine' on the cluster, install the kubescape operator and run the scan. - once the attack chain has been detected on the backend, fix the attack chain and verify that is has been solved - by triggering a new control scan. - """ - from tests_scripts.helm.ks_microservice import ScanAttackChainsWithKubescapeHelmChart - return TestConfiguration( - name=inspect.currentframe().f_code.co_name, - test_obj=ScanAttackChainsWithKubescapeHelmChart, - test_job=[{"trigger_by": "scan_on_start"}], - test_scenario="alpine", - fix_object="control" - ) - - @staticmethod - def ac_alpine_fix_image_no_relevancy(): - """ - install scenario 'alpine' on the cluster, install the kubescape operator disabling relevancy and run the scan. 
- once the attack chain has been detected on the backend, fix the attack chain and verify that is has been solved
- by triggering a new image scan.
- """
- from tests_scripts.helm.ks_microservice import ScanAttackChainsWithKubescapeHelmChart
- return TestConfiguration(
- name=inspect.currentframe().f_code.co_name,
- test_obj=ScanAttackChainsWithKubescapeHelmChart,
- test_job=[{"trigger_by": "scan_on_start"}],
- test_scenario="alpine",
- fix_object="image",
- helm_kwargs={statics.HELM_RELEVANCY_FEATURE: statics.HELM_RELEVANCY_FEATURE_DISABLED},
- relevancy_enabled=False
- )
-
- @staticmethod
- def ac_alpine_fix_image_no_relevancy_with_cronjob():
- """
- install scenario 'alpine' on the cluster, install the kubescape operator disabling relevancy and run the scan triggered by a cronjob.
- once the attack chain has been detected on the backend, fix the attack chain and verify that is has been solved
- by triggering a new image scan.
- """
- from tests_scripts.helm.ks_microservice import ScanAttackChainsWithKubescapeHelmChart
- return TestConfiguration(
- name=inspect.currentframe().f_code.co_name,
- test_obj=ScanAttackChainsWithKubescapeHelmChart,
- test_job=[{"trigger_by": "cronjob", "operation": "create", "framework": [""], "hostsensor": True}],
- test_scenario="alpine",
- fix_object="image",
- helm_kwargs={statics.HELM_RELEVANCY_FEATURE: statics.HELM_RELEVANCY_FEATURE_DISABLED},
- relevancy_enabled=False
- )
-
- @staticmethod
- def ac_1_1_fix_control_no_relevancy():
- """
- install scenario 1.1 on the cluster, install the kubescape operator disabling relevancy and run the scan.
- once the attack chain has been detected on the backend, fix the attack chain and verify that is has been solved
- by triggering a new control scan.
- """ - from tests_scripts.helm.ks_microservice import ScanAttackChainsWithKubescapeHelmChart - return TestConfiguration( - name=inspect.currentframe().f_code.co_name, - test_obj=ScanAttackChainsWithKubescapeHelmChart, - test_job=[{"trigger_by": "scan_on_start"}], - test_scenario="attack-chain-1-1", - fix_object="control", - helm_kwargs={statics.HELM_RELEVANCY_FEATURE: statics.HELM_RELEVANCY_FEATURE_DISABLED}, - relevancy_enabled=False - ) - - @staticmethod - def ac_1_1_fix_image_no_relevancy(): - """ - install scenario 1.1 on the cluster, install the kubescape operator disabling relevancy and run the scan. - once the attack chain has been detected on the backend, fix the attack chain and verify that is has been solved - by triggering a new image scan. - """ - from tests_scripts.helm.ks_microservice import ScanAttackChainsWithKubescapeHelmChart - return TestConfiguration( - name=inspect.currentframe().f_code.co_name, - test_obj=ScanAttackChainsWithKubescapeHelmChart, - test_job=[{"trigger_by": "scan_on_start"}], - test_scenario="attack-chain-1-1", - fix_object="image", - helm_kwargs={statics.HELM_RELEVANCY_FEATURE: statics.HELM_RELEVANCY_FEATURE_DISABLED}, - relevancy_enabled=False - ) - - @staticmethod - def ac_6_fix_control_with_relevancy(): - """ - install scenario 6 on the cluster, install the kubescape operator disabling relevancy and run the scan. - once the attack chain has been detected on the backend, fix the attack chain and verify that is has been solved - by triggering a new control scan. 
- """ - from tests_scripts.helm.ks_microservice import ScanAttackChainsWithKubescapeHelmChart - return TestConfiguration( - name=inspect.currentframe().f_code.co_name, - test_obj=ScanAttackChainsWithKubescapeHelmChart, - test_job=[{"trigger_by": "scan_on_start"}], - test_scenario="attack-chain-6", - fix_object="control" - ) - - @staticmethod - def ac_6_fix_control_no_relevancy(): - """ - install scenario 6 on the cluster, install the kubescape operator disabling relevancy and run the scan. - once the attack chain has been detected on the backend, fix the attack chain and verify that is has been solved - by triggering a new control scan. - """ - from tests_scripts.helm.ks_microservice import ScanAttackChainsWithKubescapeHelmChart - return TestConfiguration( - name=inspect.currentframe().f_code.co_name, - test_obj=ScanAttackChainsWithKubescapeHelmChart, - test_job=[{"trigger_by": "scan_on_start"}], - test_scenario="attack-chain-6", - fix_object="control", - helm_kwargs={statics.HELM_RELEVANCY_FEATURE: statics.HELM_RELEVANCY_FEATURE_DISABLED}, - relevancy_enabled=False - ) - - @staticmethod - def ac_3_fix_control_with_relevancy(): - """ - install scenario 3 on the cluster, install the kubescape operator disabling relevancy and run the scan. - once the attack chain has been detected on the backend, fix the attack chain and verify that is has been solved - by triggering a new control scan. - """ - from tests_scripts.helm.ks_microservice import ScanAttackChainsWithKubescapeHelmChart - return TestConfiguration( - name=inspect.currentframe().f_code.co_name, - test_obj=ScanAttackChainsWithKubescapeHelmChart, - test_job=[{"trigger_by": "scan_on_start"}], - test_scenario="attack-chain-3", - fix_object="control" - ) - - @staticmethod - def ac_3_fix_control_no_relevancy(): - """ - install scenario 3 on the cluster, install the kubescape operator disabling relevancy and run the scan. 
- once the attack chain has been detected on the backend, fix the attack chain and verify that is has been solved
- by triggering a new control scan.
- """
- from tests_scripts.helm.ks_microservice import ScanAttackChainsWithKubescapeHelmChart
- return TestConfiguration(
- name=inspect.currentframe().f_code.co_name,
- test_obj=ScanAttackChainsWithKubescapeHelmChart,
- test_job=[{"trigger_by": "scan_on_start"}],
- test_scenario="attack-chain-3",
- fix_object="control",
- helm_kwargs={statics.HELM_RELEVANCY_FEATURE: statics.HELM_RELEVANCY_FEATURE_DISABLED},
- relevancy_enabled=False
- )
-
- @staticmethod
 def attackchains_all():
 """
@@ -269,49 +45,6 @@ def attackchains_all():
 )
-
- @staticmethod
- def ac_8_external_workload_with_cluster_takeover():
- """
- install scenario #8 on the cluster, install the kubescape operator and run the scan.
- once the attack chain has been detected on the backend, fix the attack chain and verify that is has been solved
- by triggering a new control scan.
-
- 'fix_object' parameter is used to determine which type of fix you want to apply, to test the attack-chain fix functionality.
- fix_object = ["control", "image"]
- """
- from tests_scripts.helm.ks_microservice import ScanAttackChainsWithKubescapeHelmChart
- return TestConfiguration(
- name=inspect.currentframe().f_code.co_name,
- test_obj=ScanAttackChainsWithKubescapeHelmChart,
- test_job=[{"trigger_by": "scan_on_start"}],
- test_scenario="attack-chain-8",
- fix_object="control",
- )
-
- @staticmethod
- def ac_9_unauthenticated_service():
- """
- install scenario #9 on the cluster, install the kubescape operator and run the scan.
- once the attack chain has been detected on the backend, fix the attack chain and verify that is has been solved
- by triggering a new control scan.
-
- 'fix_object' parameter is used to determine which type of fix you want to apply, to test the attack-chain fix functionality.
- fix_object = ["control", "image"]
- """
- from tests_scripts.helm.ks_microservice import ScanAttackChainsWithKubescapeHelmChart
- return TestConfiguration(
- name=inspect.currentframe().f_code.co_name,
- test_obj=ScanAttackChainsWithKubescapeHelmChart,
- test_job=[{"trigger_by": "scan_on_start"}],
- test_scenario="attack-chain-9",
- fix_object="control",
- helm_kwargs={statics.HELM_RELEVANCY_FEATURE: statics.HELM_RELEVANCY_FEATURE_DISABLED,
- statics.HELM_VULNERABILITY_SCAN: statics.HELM_VULNERABILITY_SCAN_DISABLED,
- statics.HELM_OFFLINE_VULN_DB: False}
-
- )
- @staticmethod
 def ks_microservice_ns_creation():
 from tests_scripts.helm.ks_microservice import ScanWithKubescapeAsServiceTest
diff --git a/readme.md b/readme.md
index 2d3f888f..02ba373c 100644
--- a/readme.md
+++ b/readme.md
@@ -61,18 +61,6 @@ Please ensure all these details are accurately filled to maintain the effectiven
 | `ks_microservice_update_cronjob_schedule` | helm-chart | | in-cluster kubescape, backend |
 | `ks_microservice_delete_cronjob` | helm-chart | | in-cluster kubescape, backend |
 | `ks_microservice_create_2_cronjob_mitre_and_nsa` | helm-chart | | in-cluster kubescape, backend |
-| `ac_scenario_5_fix_control_no_relevancy` | helm-chart | | in-cluster kubescape, backend |
-| `ac_5_fix_control_with_relevancy` | helm-chart | | in-cluster kubescape, backend |
-| `ac_3_fix_control_no_relevancy` | helm-chart | | in-cluster kubescape, backend |
-| `ac_3_fix_control_with_relevancy` | helm-chart | | in-cluster kubescape, backend |
-| `ac_8_external_workload_with_cluster_takeover` | helm-chart | | in-cluster kubescape, backend |
-| `ac_1_1_fix_control_no_relevancy` | helm-chart | | in-cluster kubescape, backend |
-| `ac_1_1_fix_control_with_relevancy` | helm-chart | | in-cluster kubescape, backend |
-| `ac_alpine_workload_external_track_fix_image` | helm-chart | | in-cluster kubescape, backend |
-| `ac_alpine_workload_external_track_fix_image_with_cronjob` | helm-chart | | in-cluster kubescape, backend |
-| `ac_alpine_workload_external_track_fix_control` | helm-chart | | in-cluster kubescape, backend |
-| `ac_alpine_fix_image_no_relevancy` | helm-chart | | in-cluster kubescape, backend |
-| `ac_alpine_fix_image_no_relevancy_with_cronjob` | helm-chart | | in-cluster kubescape, backend |
 | `attackchains_all` | helm-chart | | in-cluster kubescape, backend |
 | `ks_microservice_create_2_cronjob_mitre_and_nsa_proxy` | helm-chart | | in-cluster kubescape, backend |
 | `vuln_scan_triggering_with_cron_job` | helm-chart | | kubevuln, backend | |
diff --git a/system_test_mapping.json b/system_test_mapping.json
index cf1eb3fc..da1401e1 100644
--- a/system_test_mapping.json
+++ b/system_test_mapping.json
@@ -139,19 +139,6 @@
 "skip_on_environment": "",
 "owner": "eranm@armosec.io"
 },
- "ac_alpine_fix_image_no_relevancy_with_cronjob": {
- "target": [
- "CLI",
- "Backend"
- ],
- "target_repositories": [
- "cadashboardbe-dummy",
- "event-ingester-service-dummy"
- ],
- "description": "This test checks the scenario of fixing an AC by fixing the image without relevancy info with cronjob.",
- "skip_on_environment": "",
- "owner": "eranm@armosec.io"
- },
 "attackchains_all": {
 "target": [
 "CLI",
@@ -568,95 +555,6 @@
 "skip_on_environment": "",
 "owner": "amirm@armosec.io"
 },
- "ac_5_fix_control_no_relevancy": {
- "target": [
- "In cluster",
- "Backend"
- ],
- "target_repositories": [
- "cadashboardbe-dummy",
- "careportsreceiver-dummy",
- "event-ingester-service-dummy",
- "gateway-dummy"
- ],
- "description": "",
- "skip_on_environment": "",
- "owner": "eranm@armosec.io"
- },
- "ac_5_fix_control_with_relevancy": {
- "target": [
- "In cluster",
- "Backend"
- ],
- "target_repositories": [
- "cadashboardbe-dummy",
- "careportsreceiver-dummy",
- "event-ingester-service-dummy",
- "gateway-dummy"
- ],
- "description": "",
- "skip_on_environment": "",
- "owner": "eranm@armosec.io"
- },
- "ac_alpine_workload_external_track_fix_image": {
- "target": [
- "In cluster",
- "Backend"
- ],
- "target_repositories": [
- "cadashboardbe-dummy",
- "careportsreceiver-dummy",
- "event-ingester-service-dummy",
- "gateway-dummy"
- ],
- "description": "",
- "skip_on_environment": "",
- "owner": "eranm@armosec.io"
- },
- "ac_alpine_workload_external_track_fix_control": {
- "target": [
- "In cluster",
- "Backend"
- ],
- "target_repositories": [
- "cadashboardbe-dummy",
- "careportsreceiver-dummy",
- "event-ingester-service-dummy",
- "gateway-dummy"
- ],
- "description": "",
- "skip_on_environment": "",
- "owner": "eranm@armosec.io"
- },
- "ac_8_external_workload_with_cluster_takeover": {
- "target": [
- "In cluster",
- "Backend"
- ],
- "target_repositories": [
- "cadashboardbe-dummy",
- "careportsreceiver-dummy",
- "event-ingester-service-dummy",
- "gateway-dummy"
- ],
- "description": "",
- "skip_on_environment": "",
- "owner":"eranm@armosec.io"
- },
- "ac_9_unauthenticated_service": {
- "target": [
- "In cluster",
- "Backend"
- ],
- "target_repositories": [
- "cadashboardbe-dummy",
- "careportsreceiver-dummy",
- "event-ingester-service-dummy"
- ],
- "description": "",
- "skip_on_environment": "",
- "owner": "eranm@armosec.io"
- },
 "smart_remediation_all_controls": {
 "target": [
 "In cluster",
diff --git a/tests_scripts/helm/ks_microservice.py b/tests_scripts/helm/ks_microservice.py
index a561f633..c9930088 100644
--- a/tests_scripts/helm/ks_microservice.py
+++ b/tests_scripts/helm/ks_microservice.py
@@ -91,7 +91,7 @@ def start(self):
 class ScanSecurityRisksWithKubescapeHelmChart(BaseHelm, BaseKubescape):
 """
- ScanAttackChainsWithKubescapeHelmChart install the kubescape operator and run the scan to check attack-chains.
+ ScanSecurityRisksExceptionsWithKubescapeHelmChart install the kubescape operator and run the scan to check attack-chains.
 """
 def __init__(self, test_obj=None, backend=None, kubernetes_obj=None, test_driver=None):
@@ -195,7 +195,7 @@ def start(self):
 class ScanSecurityRisksExceptionsWithKubescapeHelmChart(BaseHelm, BaseKubescape):
 """
- ScanAttackChainsWithKubescapeHelmChart install the kubescape operator and run the scan to check attack-chains.
+ ScanSecurityRisksExceptionsWithKubescapeHelmChart install the kubescape operator and run the scan to check attack-chains.
 """
 def __init__(self, test_obj=None, backend=None, kubernetes_obj=None, test_driver=None):
@@ -329,7 +329,7 @@ def cleanup(self):
 class ScanAttackChainsWithKubescapeHelmChartMultiple(BaseHelm, BaseKubescape):
 """
- ScanAttackChainsWithKubescapeHelmChart install the kubescape operator and run the scan to check attack-chains.
+ ScanAttackChainsWithKubescapeHelmChartMultiple install the kubescape operator and run the scan to check attack-chains.
 """
 def __init__(self, test_obj=None, backend=None, kubernetes_obj=None, test_driver=None):
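Review bot: The replacement docstring in the `@@ -91,7 +91,7 @@` hunk names the wrong class: the class it sits under is `ScanSecurityRisksWithKubescapeHelmChart`, but the new line reads `ScanSecurityRisksExceptionsWithKubescapeHelmChart install the kubescape operator and run the scan to check attack-chains.`, and it still describes an attack-chains scan. The line appears to have been copied from the `@@ -195,7 +195,7 @@` hunk, and both hunks keep the `to check attack-chains.` wording even though the class names say security risks; the bodies of these classes lie outside the hunks, so the scan's purpose here is inferred from the names only. Suggested line for the first hunk: `ScanSecurityRisksWithKubescapeHelmChart installs the kubescape operator and runs the scan to check security risks.`, and for the second `ScanSecurityRisksExceptionsWithKubescapeHelmChart installs the kubescape operator and runs the scan to check security-risk exceptions.`, to be confirmed against what each class's start() actually verifies.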
@@ -491,85 +491,6 @@ def verify_fixes(self, timeoutsec=600):
 nice_report = "\n".join([f"{key}: {value}" for key, value in verification_report.items()])
 raise Exception(f"Failed to verify all fixes: {nice_report}")
-class ScanAttackChainsWithKubescapeHelmChart(BaseHelm, BaseKubescape):
- """
- ScanAttackChainsWithKubescapeHelmChart install the kubescape operator and run the scan to check attack-chains.
- """
-
- def __init__(self, test_obj=None, backend=None, kubernetes_obj=None, test_driver=None):
- super(ScanAttackChainsWithKubescapeHelmChart, self).__init__(test_obj=test_obj, backend=backend,
- kubernetes_obj=kubernetes_obj,
- test_driver=test_driver)
- self.helm_kwargs = {
- "capabilities.runtimeObservability": "disable",
- "capabilities.networkPolicyService": "disable",
- "capabilities.relevancy": "disabled",
- "capabilities.malwareDetection": "disable",
- "capabilities.runtimeDetection": "disable",
- "capabilities.seccompProfileService": "disable",
- "capabilities.nodeProfileService": "disable",
-
- }
-
- if self.test_obj.get_arg("helm_kwargs", default={}) != {}:
- self.helm_kwargs.update(self.test_obj.get_arg("helm_kwargs"))
-
- self.wait_for_agg_to_end = False
-
- def start(self):
- """
- Agenda:
- 1. Install attack-chains scenario manifests in the cluster
- 2. Install kubescape with helm-chart
- 3. Verify scenario on backend
- 4. Apply attack chain fix
- 5. trigger scan after fix
- 6. verify fix
-
- """
- assert self.backend != None;
- f'the test {self.test_driver.test_name} must run with backend'
-
- self.ignore_agent = True
- cluster, namespace = self.setup(apply_services=False)
-
- current_datetime = datetime.now(timezone.utc)
-
- Logger.logger.info('1. Install attack-chains scenario manifests in the cluster')
- Logger.logger.info(
- f"1.1 construct AttackChainsScenarioManager with test_scenario: {self.test_obj[('test_scenario', None)]} and cluster {cluster}")
-
- # TODO: change namespace to use the one generated for the test, need to update all scanerios to support it (as in the security risk test)
- scenarios_manager = AttackChainsScenarioManager(test_obj=self.test_obj,
- backend=self.backend, cluster=cluster, namespace="default")
-
- Logger.logger.info("1.2 apply attack chains scenario manifests")
- scenarios_manager.apply_scenario()
-
- Logger.logger.info("2. Install kubescape with helm-chart")
- Logger.logger.info("2.1 Installing kubescape with helm-chart")
- self.add_and_upgrade_armo_to_repo()
- self.install_armo_helm_chart(helm_kwargs=self.helm_kwargs)
-
- Logger.logger.info("2.2 verify installation")
- self.verify_running_pods(namespace=statics.CA_NAMESPACE_FROM_HELM_NAME)
-
- Logger.logger.info("3. Verify scenario on backend")
- scenarios_manager.verify_scenario(current_datetime)
- Logger.logger.info("attack chains detected, applying fix command")
-
- Logger.logger.info("4. Apply attack chain fix")
- scenarios_manager.apply_fix(self.test_obj[("fix_object", "control")])
-
- Logger.logger.info("5. trigger scan after fix")
- scenarios_manager.trigger_scan(self.test_obj["test_job"][0]["trigger_by"])
-
- Logger.logger.info("6. verify fix")
- scenarios_manager.verify_fix()
-
- Logger.logger.info('attack-chain fixed properly')
- return self.cleanup()
-
 class ScanWithKubescapeHelmChart(BaseHelm, BaseKubescape):
 def __init__(self, test_obj=None, backend=None, kubernetes_obj=None, test_driver=None):