Ejemplo n.º 1
    def test_summary(self):
        """Scan the ApiServerAuthorizationModeNotAlwaysAllow fixtures with only the check under test.

        The run is restricted to ``check.id`` through ``RunnerFilter``. Two pods
        must be reported as passed and two as failed, with nothing skipped and
        no parsing errors.
        """
        # Fixture manifests sit in a directory next to this test module.
        fixtures = Path(__file__).parent / "example_ApiServerAuthorizationModeNotAlwaysAllow"

        scanner = Runner()
        report = scanner.run(root_folder=str(fixtures), runner_filter=RunnerFilter(checks=[check.id]))
        summary = report.get_summary()

        # Resource ids as they appear on the report records.
        seen_passed = {record.resource for record in report.passed_checks}
        seen_failed = {record.resource for record in report.failed_checks}

        # NOTE(review): going by the fixture names, the pod without any mode flag
        # is expected to pass, i.e. an absent setting counts as compliant here.
        # Confirm against the manifests.
        want_passed = {
            "Pod.kube-system.kube-apiserver-no-mode",
            "Pod.kube-system.kube-apiserver-no-allow",
        }
        want_failed = {
            "Pod.kube-system.kube-apiserver-allow",
            "Pod.kube-system.kube-apiserver-extra-allow",
        }

        # The sets below collapse duplicates, so the counts are what would
        # expose a resource that is reported more than once.
        for field, expected in (("passed", 2), ("failed", 2), ("skipped", 0), ("parsing_errors", 0)):
            self.assertEqual(summary[field], expected)

        self.assertEqual(want_passed, seen_passed)
        self.assertEqual(want_failed, seen_failed)
Ejemplo n.º 2
    def test_summary(self):
        """Scan the Seccomp fixtures with only the check under test and verify every verdict.

        Seven resources must pass and two must fail; nothing may be skipped and
        no manifest may fail to parse. Resource lists are compared without
        regard to order but with regard to multiplicity.
        """
        fixtures = Path(__file__).parent / "example_Seccomp"

        scanner = Runner()
        report = scanner.run(
            root_folder=str(fixtures),
            runner_filter=RunnerFilter(checks=[check.id]),
        )
        summary = report.get_summary()

        # Lists rather than sets, so a resource reported twice stays visible.
        seen_passed = [record.resource for record in report.passed_checks]
        seen_failed = [record.resource for record in report.failed_checks]

        for field, expected in (("passed", 7), ("failed", 2), ("skipped", 0), ("parsing_errors", 0)):
            self.assertEqual(summary[field], expected)

        want_passed = [
            "CronJob.cronjob-passed.default",
            "Deployment.seccomp-passed-deployment.default",
            "Deployment.seccomp-passed-metadata-annotations.default",
            "Pod.seccomp-passed-metadata-annotations-docker.default",
            "Pod.seccomp-passed-metadata-annotations-runtime.default",
            "Pod.seccomp-passed-security-context.default",
            "StatefulSet.RELEASE-NAME.default",
        ]
        want_failed = [
            "Deployment.app-cert-manager.infra",
            "Pod.seccomp-failed.default",
        ]

        # assertCountEqual ignores ordering but still fails on a missing or
        # duplicated entry.
        self.assertCountEqual(want_passed, seen_passed)
        self.assertCountEqual(want_failed, seen_failed)
Ejemplo n.º 3
    def test_summary(self):
        """Scan the ApiServerAuditLog fixtures with only the check under test.

        Exactly one pod must pass and one must fail, with nothing skipped and
        no parsing errors.
        """
        fixtures = Path(__file__).parent / "example_ApiServerAuditLog"

        scanner = Runner()
        report = scanner.run(
            root_folder=str(fixtures),
            runner_filter=RunnerFilter(checks=[check.id]),
        )
        summary = report.get_summary()

        seen_passed = {record.resource for record in report.passed_checks}
        seen_failed = {record.resource for record in report.failed_checks}

        want_passed = {"Pod.kube-system.kube-apiserver-pass"}
        want_failed = {"Pod.kube-system.kube-apiserver-fail"}

        # Counts first: they catch a fixture that was never evaluated or was
        # reported twice, which the set comparison alone would not show.
        for field, expected in (("passed", 1), ("failed", 1), ("skipped", 0), ("parsing_errors", 0)):
            self.assertEqual(summary[field], expected)

        self.assertEqual(want_passed, seen_passed)
        self.assertEqual(want_failed, seen_failed)
Ejemplo n.º 4
    def test_summary(self):
        """Scan the EtcdAutoTls fixtures with only the check under test.

        Two etcd pods must pass and one must fail, with nothing skipped and no
        parsing errors.
        """
        fixtures = Path(__file__).parent / "example_EtcdAutoTls"

        scanner = Runner()
        report = scanner.run(
            root_folder=str(fixtures),
            runner_filter=RunnerFilter(checks=[check.id]),
        )
        summary = report.get_summary()

        seen_passed = {record.resource for record in report.passed_checks}
        seen_failed = {record.resource for record in report.failed_checks}

        # NOTE(review): the fixture names suggest the pod that leaves the
        # setting at its default is expected to pass alongside the one that
        # disables it. Confirm against the manifests.
        want_passed = {
            "Pod.kube-system.etcd-default",
            "Pod.kube-system.etcd-disabled",
        }
        want_failed = {
            "Pod.kube-system.etcd-enabled",
        }

        for field, expected in (("passed", 2), ("failed", 1), ("skipped", 0), ("parsing_errors", 0)):
            self.assertEqual(summary[field], expected)

        self.assertEqual(want_passed, seen_passed)
        self.assertEqual(want_failed, seen_failed)
Ejemplo n.º 5
    def test_summary(self):
        """Scan the RotateKubeletServerCertificate fixtures with only the check under test.

        The expected results cover both kube-controller-manager and kubelet
        pods: two must pass and two must fail, with nothing skipped and no
        parsing errors.
        """
        fixtures = Path(__file__).parent / "example_RotateKubeletServerCertificate"

        scanner = Runner()
        report = scanner.run(root_folder=str(fixtures), runner_filter=RunnerFilter(checks=[check.id]))
        summary = report.get_summary()

        seen_passed = {record.resource for record in report.passed_checks}
        seen_failed = {record.resource for record in report.failed_checks}

        want_passed = {
            "Pod.kube-system.kube-controller-manager-enabled",
            "Pod.kube-system.kubelet-enabled",
        }
        want_failed = {
            "Pod.kube-system.kube-controller-manager-disabled",
            "Pod.kube-system.kubelet-disabled",
        }

        # Sets hide duplicates; the summary counts are the guard against a
        # resource being reported more than once.
        for field, expected in (("passed", 2), ("failed", 2), ("skipped", 0), ("parsing_errors", 0)):
            self.assertEqual(summary[field], expected)

        self.assertEqual(want_passed, seen_passed)
        self.assertEqual(want_failed, seen_failed)
    def test_summary(self):
        """Scan the KubeControllerManagerServiceAccountPrivateKeyFile fixtures with only the check under test.

        Two kube-controller-manager pods must pass and one must fail, with
        nothing skipped and no parsing errors.
        """
        fixtures = Path(__file__).parent / "example_KubeControllerManagerServiceAccountPrivateKeyFile"

        scanner = Runner()
        report = scanner.run(
            root_folder=str(fixtures),
            runner_filter=RunnerFilter(checks=[check.id]),
        )
        summary = report.get_summary()

        seen_passed = {record.resource for record in report.passed_checks}
        seen_failed = {record.resource for record in report.failed_checks}

        # NOTE(review): a fixture named "-none" is in the passing set, which
        # reads as "flag absent is accepted". Confirm against the manifest and
        # the check's intent.
        want_passed = {
            "Pod.kube-system.kube-controller-manager-pem",
            "Pod.kube-system.kube-controller-manager-none",
        }
        want_failed = {
            "Pod.kube-system.kube-controller-manager-no-pem",
        }

        for field, expected in (("passed", 2), ("failed", 1), ("skipped", 0), ("parsing_errors", 0)):
            self.assertEqual(summary[field], expected)

        self.assertEqual(want_passed, seen_passed)
        self.assertEqual(want_failed, seen_failed)
Ejemplo n.º 7
    def test_summary(self):
        """Scan the KubeControllerManagerBlockProfiles fixtures with only the check under test.

        One kube-controller-manager pod must pass and two must fail, with
        nothing skipped and no parsing errors.
        """
        fixtures = Path(__file__).parent / "example_KubeControllerManagerBlockProfiles"

        scanner = Runner()
        report = scanner.run(
            root_folder=str(fixtures),
            runner_filter=RunnerFilter(checks=[check.id]),
        )
        summary = report.get_summary()

        seen_passed = {record.resource for record in report.passed_checks}
        seen_failed = {record.resource for record in report.failed_checks}

        # NOTE(review): the "-default" fixture is in the failing set, so leaving
        # the setting untouched appears to be treated as non-compliant. Confirm
        # against the manifest.
        want_passed = {
            "Pod.kube-system.kube-controller-manager-disabled",
        }
        want_failed = {
            "Pod.kube-system.kube-controller-manager-default",
            "Pod.kube-system.kube-controller-manager-enabled",
        }

        # Expected value is passed first here, matching this test's convention.
        for expected, field in ((1, "passed"), (2, "failed"), (0, "skipped"), (0, "parsing_errors")):
            self.assertEqual(expected, summary[field])

        self.assertEqual(want_passed, seen_passed)
        self.assertEqual(want_failed, seen_failed)
Ejemplo n.º 8
    def test_summary(self):
        """Scan the AllowedCapabilities fixtures with only the check under test.

        A CronJob and a Deployment must pass and a StatefulSet must fail, with
        nothing skipped and no parsing errors.
        """
        fixtures = Path(__file__).parent / "example_AllowedCapabilities"

        scanner = Runner()
        report = scanner.run(
            root_folder=str(fixtures),
            runner_filter=RunnerFilter(checks=[check.id]),
        )
        summary = report.get_summary()

        seen_passed = {record.resource for record in report.passed_checks}
        seen_failed = {record.resource for record in report.failed_checks}

        want_passed = {
            "CronJob.default.hello",
            "Deployment.default.my-nginx",
        }
        want_failed = {
            "StatefulSet.default.cassandra",
        }

        # Counts guard against duplicates that the set comparison would hide.
        for field, expected in (("passed", 2), ("failed", 1), ("skipped", 0), ("parsing_errors", 0)):
            self.assertEqual(summary[field], expected)

        self.assertEqual(want_passed, seen_passed)
        self.assertEqual(want_failed, seen_failed)
    def test_summary(self):
        """Scan the ApiServerKubeletClientCertAndKey fixtures with only the check under test.

        One kube-apiserver pod must pass and two must fail, with nothing
        skipped and no parsing errors.
        """
        fixtures = Path(__file__).parent / "example_ApiServerKubeletClientCertAndKey"

        scanner = Runner()
        report = scanner.run(root_folder=str(fixtures), runner_filter=RunnerFilter(checks=[check.id]))
        summary = report.get_summary()

        seen_passed = {record.resource for record in report.passed_checks}
        seen_failed = {record.resource for record in report.failed_checks}

        # NOTE(review): by the fixture names, only the pod that supplies both
        # the key and the certificate passes; a partial or missing pair fails.
        # Confirm against the manifests.
        want_passed = {
            "Pod.kube-system.kube-apiserver-key-and-cert",
        }
        want_failed = {
            "Pod.kube-system.kube-apiserver-no-key",
            "Pod.kube-system.kube-apiserver-both-missing",
        }

        for field, expected in (("passed", 1), ("failed", 2), ("skipped", 0), ("parsing_errors", 0)):
            self.assertEqual(summary[field], expected)

        self.assertEqual(want_passed, seen_passed)
        self.assertEqual(want_failed, seen_failed)
Ejemplo n.º 10
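 def test_runner(self):
     """Run an unfiltered scan of the runner resources and verify CKV2_K8S_21 was evaluated.

     No ``RunnerFilter`` is passed, so the report holds every check the runner
     applies to ``../runner/resources`` (resolved relative to ``TEST_DIRNAME``).
     The test requires at least one passed or failed record for CKV2_K8S_21 and
     an overall summary of 0 passed, 5 failed, 0 skipped and 0 parsing errors.
     """
     root_dir = os.path.realpath(os.path.join(TEST_DIRNAME, "../runner/resources"))
     report = Runner().run(root_dir)

     evaluated = itertools.chain(report.failed_checks, report.passed_checks)
     # Use the unittest assertion rather than a bare ``assert``: bare asserts
     # are stripped under ``python -O``, which would silently drop the only
     # verification that this check ran at all.
     self.assertTrue(
         any(record.check_id == "CKV2_K8S_21" for record in evaluated),
         "CKV2_K8S_21 produced no passed or failed record",
     )

     summary = report.get_summary()
     self.assertEqual(summary["passed"], 0)
     self.assertEqual(summary["failed"], 5)
     self.assertEqual(summary["skipped"], 0)
     self.assertEqual(summary["parsing_errors"], 0)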