diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4b1a90c60e..f6ef06eefd 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -168,9 +168,9 @@ jobs:
 - test-target: k8s_file_system_rules
 kind-config: kind-test-files
 values-file: tests/test_environments/values/ci-test-k8s-files.yml
- - test-target: k8s_object_psp_rules
- kind-config: kind-multi
- values-file: tests/test_environments/values/ci-test-k8s-objects.yml
+ # - test-target: k8s_object_psp_rules
+ # kind-config: kind-multi
+ # values-file: tests/test_environments/values/ci-test-k8s-objects.yml
 - test-target: k8s_process_rules
 kind-config: kind-test-proc-conf1
 values-file: tests/test_environments/values/ci-test-k8s-proc-conf1.yml
diff --git a/deploy/k8s/fleet-managed-agent.yml b/deploy/k8s/fleet-managed-agent.yml
index 8558cf512e..8e69b0aece 100644
--- a/deploy/k8s/fleet-managed-agent.yml
+++ b/deploy/k8s/fleet-managed-agent.yml
@@ -217,10 +217,10 @@ rules:
 - ingresses
 - networkpolicies
 verbs: ["get", "list", "watch"]
- - apiGroups: ["policy"]
- resources:
- - podsecuritypolicies
- verbs: ["get", "list", "watch"]
+ # - apiGroups: ["policy"]
+ # resources:
+ # - podsecuritypolicies
+ # verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
diff --git a/deploy/k8s/standalone-agent.yml b/deploy/k8s/standalone-agent.yml
index e2c926c113..8d242b3042 100644
--- a/deploy/k8s/standalone-agent.yml
+++ b/deploy/k8s/standalone-agent.yml
@@ -641,10 +641,10 @@ rules:
 - ingresses
 - networkpolicies
 verbs: ["get", "list", "watch"]
- - apiGroups: ["policy"]
- resources:
- - podsecuritypolicies
- verbs: ["get", "list", "watch"]
+ # - apiGroups: ["policy"]
+ # resources:
+ # - podsecuritypolicies
+ # verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
diff --git a/deploy/kustomize/base/role.yml b/deploy/kustomize/base/role.yml
index 03e87c1242..fbe6d2fdab 100644
--- a/deploy/kustomize/base/role.yml
+++ b/deploy/kustomize/base/role.yml
@@ -58,10 +58,10 @@ rules:
 - ingresses
 - networkpolicies
 verbs: ["get", "list", "watch"]
- - apiGroups: ["policy"]
- resources:
- - podsecuritypolicies
- verbs: ["get", "list", "watch"]
+ # - apiGroups: ["policy"]
+ # resources:
+ # - podsecuritypolicies
+ # verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
diff --git a/deploy/kustomize/overlays/cloudbeat-vanilla-agent/manifests.yaml b/deploy/kustomize/overlays/cloudbeat-vanilla-agent/manifests.yaml
index 0ecde4d011..146ed2d9e0 100644
--- a/deploy/kustomize/overlays/cloudbeat-vanilla-agent/manifests.yaml
+++ b/deploy/kustomize/overlays/cloudbeat-vanilla-agent/manifests.yaml
@@ -248,10 +248,10 @@ rules:
 - roles
 verbs: ["get", "list", "watch"]
 # Needed for cloudbeat
- - apiGroups: ["policy"]
- resources:
- - podsecuritypolicies
- verbs: ["get", "list", "watch"]
+ # - apiGroups: ["policy"]
+ # resources:
+ # - podsecuritypolicies
+ # verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
diff --git a/go.mod b/go.mod
index c948b170d7..6ad75ff75a 100644
--- a/go.mod
+++ b/go.mod
@@ -49,7 +49,7 @@ require (
 github.com/djherbis/times v1.6.0
 github.com/elastic/beats/v7 v7.0.0-alpha2.0.20240524163615-2d687ac9d228
 github.com/elastic/e2e-testing v1.99.2-0.20231005090720-556e60d449dc
- github.com/elastic/elastic-agent-autodiscover v0.6.14
+ github.com/elastic/elastic-agent-autodiscover v0.8.0
 github.com/elastic/elastic-agent-client/v7 v7.15.0
 github.com/elastic/elastic-agent-libs v0.9.15
 github.com/elastic/go-licenser v0.4.2
@@ -79,9 +79,9 @@ require (
 google.golang.org/api v0.189.0
 gopkg.in/yaml.v2 v2.4.0
 gotest.tools/gotestsum v1.12.0
- k8s.io/api v0.28.10
- k8s.io/apimachinery v0.28.10
- k8s.io/client-go v0.28.10
+ k8s.io/api v0.29.5
+ k8s.io/apimachinery v0.29.5
+ k8s.io/client-go v0.29.5
 k8s.io/klog/v2 v2.120.1
 modernc.org/sqlite v1.30.2
 )
@@ -108,7 +108,9 @@ require (
 github.com/google/gnostic-models v0.6.8 // indirect
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.1 // indirect
 github.com/mattn/go-shellwords v1.0.12 // indirect
+ github.com/moby/docker-image-spec v1.3.1 // indirect
 github.com/moby/sys/user v0.1.0 // indirect
+ github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
 github.com/ncruces/go-strftime v0.1.9 // indirect
 github.com/pkg/errors v0.9.1 // indirect
 github.com/sagikazarmark/locafero v0.4.0 // indirect
@@ -231,7 +233,7 @@ require (
 github.com/dnephin/pflag v1.0.7 // indirect
 github.com/docker/cli v25.0.5+incompatible // indirect
 github.com/docker/distribution v2.8.3+incompatible // indirect
- github.com/docker/docker v25.0.5+incompatible // indirect
+ github.com/docker/docker v26.1.4+incompatible // indirect
 github.com/docker/docker-credential-helpers v0.7.0 // indirect
 github.com/docker/go-connections v0.5.0 // indirect
 github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c // indirect
@@ -255,7 +257,7 @@ require (
 github.com/elliotchance/orderedmap v1.6.0 // indirect
 github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 github.com/emirpasic/gods v1.18.1 // indirect
- github.com/evanphx/json-patch v5.6.0+incompatible // indirect
+ github.com/evanphx/json-patch v5.7.0+incompatible // indirect
 github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f // indirect
 github.com/fatih/color v1.17.0 // indirect
 github.com/fsnotify/fsnotify v1.7.0 // indirect
@@ -496,14 +498,14 @@ require (
 gopkg.in/op/go-logging.v1 v1.0.0-20160211212156-b2cb9fa56473 // indirect
 gopkg.in/warnings.v0 v0.1.2 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
- helm.sh/helm/v3 v3.13.0 // indirect
+ helm.sh/helm/v3 v3.14.2 // indirect
 howett.net/plist v1.0.1 // indirect
- k8s.io/apiextensions-apiserver v0.28.2 // indirect
- k8s.io/apiserver v0.28.2 // indirect
- k8s.io/cli-runtime v0.28.4 // indirect
- k8s.io/component-base v0.28.3 // indirect
+ k8s.io/apiextensions-apiserver v0.29.0 // indirect
+ k8s.io/apiserver v0.29.0 // indirect
+ k8s.io/cli-runtime v0.29.0 // indirect
+ k8s.io/component-base v0.29.0 // indirect
 k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect
- k8s.io/kubectl v0.28.3 // indirect
+ k8s.io/kubectl v0.29.0 // indirect
 k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect
 modernc.org/libc v1.52.1 // indirect
 modernc.org/mathutil v1.6.0 // indirect
diff --git a/go.sum b/go.sum
index 604f70ec30..369e336561 100644
--- a/go.sum
+++ b/go.sum
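Review bot: The `k8s_object_psp_rules` matrix entry in ci.yml is commented out rather than removed, so `kind-multi` and `tests/test_environments/values/ci-test-k8s-objects.yml` are now referenced only from dead lines in the include list. If the PSP-based target is gone for good (PodSecurityPolicy was removed in Kubernetes 1.25), delete the three lines and let git history hold them; if it is meant to come back, a single line above the block such as `# TODO: re-enable once the object rules no longer depend on PodSecurityPolicy` says so without leaving stale config. Either way it is worth checking whether that kind config and values file are still used by another target, otherwise they become orphaned fixtures. The matrix list starts outside the hunk.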
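Review bot: The `podsecuritypolicies` rule in fleet-managed-agent.yml is left as a commented-out block inside the live `rules:` list instead of being deleted; the same pattern appears in the standalone-agent.yml, deploy/kustomize/base/role.yml and cloudbeat-vanilla-agent/manifests.yaml hunks. Dropping the grant is the right least-privilege move, since the `policy/v1beta1` PodSecurityPolicy API no longer exists on Kubernetes 1.25+, but a ClusterRole manifest should not carry an inert entry that invites someone to uncomment it later. Removing the four lines outright keeps the manifests clean; in manifests.yaml the `# Needed for cloudbeat` comment now sits above the commented block and should go with it or be moved to the rule it actually describes. The enclosing `rules:` list starts outside each hunk.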
@@ -1097,8 +1097,8 @@ github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4Kfc github.com/docker/docker v1.4.2-0.20190924003213-a8608b5b67c7/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker v20.10.11+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker v20.10.21+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= -github.com/docker/docker v25.0.5+incompatible h1:UmQydMduGkrD5nQde1mecF/YnSbTOaPeFIeP5C4W+DE= -github.com/docker/docker v25.0.5+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= +github.com/docker/docker v26.1.4+incompatible h1:vuTpXDuoga+Z38m1OZHzl7NKisKWaWlhjQk7IDPSLsU= +github.com/docker/docker v26.1.4+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk= github.com/docker/docker-credential-helpers v0.6.3/go.mod h1:WRaJzqw3CTB9bk10avuGsjVBZsD05qeibJ1/TYlvc0Y= github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A= github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNkFR1R1V12OJRRO5lzt2D1b5X0= 
@@ -1138,8 +1138,8 @@ github.com/elastic/beats/v7 v7.0.0-alpha2.0.20240524163615-2d687ac9d228 h1:e8TwY github.com/elastic/beats/v7 v7.0.0-alpha2.0.20240524163615-2d687ac9d228/go.mod h1:HjUJr+gw2jebZYFMKc9TNbgwjHsNSo6HUSonhC0u62U= github.com/elastic/e2e-testing v1.99.2-0.20231005090720-556e60d449dc h1:3hGO3+tipLIULlrabnXpXpOV5qSDbN/EJo9Xsj3hqyo= github.com/elastic/e2e-testing v1.99.2-0.20231005090720-556e60d449dc/go.mod h1:8q2d8dmwavJXISowwaoreHFBnbR/uK4qanfRGhC/W9A= -github.com/elastic/elastic-agent-autodiscover v0.6.14 h1:0zJYNyv9GKTOiNqCHqEVboP+WioV73ia17Et+UlFbz8= -github.com/elastic/elastic-agent-autodiscover v0.6.14/go.mod h1:39/fHHlnyTK6oUNZfAhxJwBTVahO9tNasEIjzsxGMu8= +github.com/elastic/elastic-agent-autodiscover v0.8.0 h1:euHfPSsOE1z8GsPaFoc7lBB8pwyGGUiaE2lXHt0WwQI= +github.com/elastic/elastic-agent-autodiscover v0.8.0/go.mod h1:lSHCpBzQj2DU0U5RX7Z1Kpt12R6WGca6598MorwlJsY= github.com/elastic/elastic-agent-client/v7 v7.15.0 h1:nDB7v8TBoNuD6IIzC3z7Q0y+7bMgXoT2DsHfolO2CHE= github.com/elastic/elastic-agent-client/v7 v7.15.0/go.mod h1:6h+f9QdIr3GO2ODC0Y8+aEXRwzbA5W4eV4dd/67z7nI= github.com/elastic/elastic-agent-libs v0.9.15 h1:WCLtuErafUxczT/rXJa4Vr6mxwC8dgtqMbEq+qWGD4M= 
@@ -1213,8 +1213,9 @@ github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7 github.com/evanphx/json-patch v4.9.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch v4.11.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= -github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U= github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= +github.com/evanphx/json-patch v5.7.0+incompatible h1:vgGkfT/9f8zE6tvSCe74nfpAVDQ2tG6yudJd8LBksgI= +github.com/evanphx/json-patch v5.7.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4= github.com/exponent-io/jsonpath v0.0.0-20151013193312-d6023ce2651d/go.mod h1:ZZMPRZwes7CROmyNKgQzC3XPs6L/G2EJLHddWejkmf4= github.com/exponent-io/jsonpath v0.0.0-20210407135951-1de76d718b3f h1:Wl78ApPPB2Wvf/TIe2xdyJxTlb6obmF18d8QdkxNDu4= @@ -2021,6 +2022,8 @@ github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx github.com/mmcloughlin/avo v0.5.0/go.mod h1:ChHFdoV7ql95Wi7vuq2YT1bwCJqiWdZrQ1im3VujLYM= github.com/moby/buildkit v0.12.5 h1:RNHH1l3HDhYyZafr5EgstEu8aGNCwyfvMtrQDtjH9T0= github.com/moby/buildkit v0.12.5/go.mod h1:YGwjA2loqyiYfZeEo8FtI7z4x5XponAaIWsWcSjWwso= +github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0= +github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo= github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg= github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc= github.com/moby/spdystream v0.2.0 h1:cjW1zVyyoiM0T7b6UoySUFqzXMoqRckQtXwGPiBhOM8= 
@@ -2066,6 +2069,7 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= github.com/mwitkow/go-conntrack v0.0.0-20190716064945-2f068394615f/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U= +github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J1GEMiLbxo1LJaP8RfCpH6pymGZus= github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= github.com/ncruces/go-strftime v0.1.9 h1:bY0MQC28UADQmHmaF5dgpLmImcShSi2kHU9XLdhx/f4= github.com/ncruces/go-strftime v0.1.9/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls= @@ -2104,8 +2108,8 @@ github.com/onsi/ginkgo/v2 v2.1.4/go.mod h1:um6tUpWM/cxCK3/FK8BXqEiUMUwRgSM4JXG47 github.com/onsi/ginkgo/v2 v2.1.6/go.mod h1:MEH45j8TBi6u9BMogfbp0stKC5cdGjumZj5Y7AG4VIk= github.com/onsi/ginkgo/v2 v2.3.0/go.mod h1:Eew0uilEqZmIEZr8JrvYlvOM7Rr6xzTmMV8AyFNU9d0= github.com/onsi/ginkgo/v2 v2.4.0/go.mod h1:iHkDK1fKGcBoEHT5W7YBq4RFWaQulw+caOMkAt4OrFo= -github.com/onsi/ginkgo/v2 v2.9.4 h1:xR7vG4IXt5RWx6FfIjyAtsoMAtnc3C/rFXBBd2AjZwE= -github.com/onsi/ginkgo/v2 v2.9.4/go.mod h1:gCQYp2Q+kSoIj7ykSVb9nskRSsR6PUj4AiLywzIhbKM= +github.com/onsi/ginkgo/v2 v2.13.0 h1:0jY9lJquiL8fcf3M4LAXN5aMlS/b2BV86HFFPCPMgE4= +github.com/onsi/ginkgo/v2 v2.13.0/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o= github.com/onsi/gomega v0.0.0-20151007035656-2152b45fa28a/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= github.com/onsi/gomega v1.4.3/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= 
@@ -2122,8 +2126,8 @@ github.com/onsi/gomega v1.20.1/go.mod h1:DtrZpjmvpn2mPm4YWQa0/ALMDj9v4YxLgojwPeR github.com/onsi/gomega v1.21.1/go.mod h1:iYAIXgPSaDHak0LCMA+AWBpIKBr8WZicMxnE8luStNc= github.com/onsi/gomega v1.22.1/go.mod h1:x6n7VNe4hw0vkyYUM4mjIXx3JbLiPaBPNgB7PRQ1tuM= github.com/onsi/gomega v1.23.0/go.mod h1:Z/NWtiqwBrwUt4/2loMmHL63EDLnYHmVbuBpDr2vQAg= -github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI= -github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M= +github.com/onsi/gomega v1.29.0 h1:KIA/t2t5UBzoirT4H9tsML45GEbo3ouUnBHsCfD2tVg= +github.com/onsi/gomega v1.29.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ= github.com/open-policy-agent/opa v0.66.0 h1:DbrvfJQja0FBRcPOB3Z/BOckocN+M4ApNWyNhSRJt0w= github.com/open-policy-agent/opa v0.66.0/go.mod h1:EIgNnJcol7AvQR/IcWLwL13k64gHVbNAVG46b2G+/EY= github.com/opencontainers/go-digest v0.0.0-20170106003457-a6d0ee40d420/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= 
@@ -2662,8 +2666,8 @@ go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.10.0/go.mod h go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.24.0 h1:Mw5xcxMwlqoJd97vwPxA8isEaIoxsta9/Q51+TTJLGE= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.24.0/go.mod h1:CQNu9bj7o7mC6U7+CA/schKEYakYXWr79ucDHTMGhCM= go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.3.0/go.mod h1:QNX1aly8ehqqX1LEa6YniTU7VY9I6R3X/oPxhGdTceE= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0 h1:IeMeyr1aBvBiPVYihXIaeIZba6b8E1bYp7lbdxK8CQg= -go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.19.0/go.mod h1:oVdCUtjq9MK9BlS7TtucsQwUcXcymNiEDjgDD2jMtZU= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.28.0 h1:j9+03ymgYhPKmeXGk5Zu+cIZOlVzd9Zv7QIiyItjFBU= +go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.28.0/go.mod h1:Y5+XiUG4Emn1hTfciPzGPJaSI+RpDts6BnCIir0SLqk= go.opentelemetry.io/otel/metric v0.20.0/go.mod h1:598I5tYlH1vzBjn+BTuhzTCSb/9debfNp6R3s7Pr1eU= go.opentelemetry.io/otel/metric v0.31.0/go.mod h1:ohmwj9KTSIeBnDBm/ZwH2PSZxZzoOaG2xZeekTRzL5A= go.opentelemetry.io/otel/metric v1.28.0 h1:f0HGvSl1KRAU1DLgLGFjrwVyismPlnuU6JD6bOeuA5Q= 
@@ -3628,8 +3632,8 @@ gotest.tools/v3 v3.4.0/go.mod h1:CtbdzLSsqVhDgMtKsx03ird5YTGB3ar27v0u/yKBW5g= gotest.tools/v3 v3.5.1 h1:EENdUnS3pdur5nybKYIh2Vfgc8IUNBjxDPSjtiJcOzU= gotest.tools/v3 v3.5.1/go.mod h1:isy3WKz7GK6uNw/sbHzfKBLvlvXwUyV06n6brMxxopU= helm.sh/helm/v3 v3.11.2/go.mod h1:Hw+09mfpDiRRKAgAIZlFkPSeOkvv7Acl5McBvQyNPVw= -helm.sh/helm/v3 v3.13.0 h1:XPJKIU30K4JTQ6VX/6e0hFAmEIonYa8E7wx5aqv4xOc= -helm.sh/helm/v3 v3.13.0/go.mod h1:2PBEKsMWKLVZTojUOqMS3Eadv5mP43FBWrRgLNkNm9Y= +helm.sh/helm/v3 v3.14.2 h1:V71fv+NGZv0icBlr+in1MJXuUIHCiPG1hW9gEBISTIA= +helm.sh/helm/v3 v3.14.2/go.mod h1:2itvvDv2WSZXTllknfQo6j7u3VVgMAvm8POCDgYH424= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190418001031-e561f6794a2a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= 
@@ -3648,11 +3652,11 @@ k8s.io/api v0.20.6/go.mod h1:X9e8Qag6JV/bL5G6bU8sdVRltWKmdHsFUGS3eVndqE8= k8s.io/api v0.22.5/go.mod h1:mEhXyLaSD1qTOf40rRiKXkc+2iCem09rWLlFwhCEiAs= k8s.io/api v0.26.0/go.mod h1:k6HDTaIFC8yn1i6pSClSqIwLABIcLV9l5Q4EcngKnQg= k8s.io/api v0.26.3/go.mod h1:PXsqwPMXBSBcL1lJ9CYDKy7kIReUydukS5JiRlxC3qE= -k8s.io/api v0.28.10 h1:q1Y+h3F+siuwP/qCQuqgqGJjaIuQWN0yFE7z367E3Q0= -k8s.io/api v0.28.10/go.mod h1:u6EzGdzmEC2vfhyw4sD89i7OIc/2v1EAwvd1t4chQac= +k8s.io/api v0.29.5 h1:levS+umUigHCfI3riD36pMY1vQEbrzh4r1ivVWAhHaI= +k8s.io/api v0.29.5/go.mod h1:7b18TtPcJzdjk7w5zWyIHgoAtpGeRvGGASxlS7UZXdQ= k8s.io/apiextensions-apiserver v0.26.0/go.mod h1:7ez0LTiyW5nq3vADtK6C3kMESxadD51Bh6uz3JOlqWQ= -k8s.io/apiextensions-apiserver v0.28.2 h1:J6/QRWIKV2/HwBhHRVITMLYoypCoPY1ftigDM0Kn+QU= -k8s.io/apiextensions-apiserver v0.28.2/go.mod h1:5tnkxLGa9nefefYzWuAlWZ7RZYuN/765Au8cWLA6SRg= +k8s.io/apiextensions-apiserver v0.29.0 h1:0VuspFG7Hj+SxyF/Z/2T0uFbI5gb5LRgEyUVE3Q4lV0= +k8s.io/apiextensions-apiserver v0.29.0/go.mod h1:TKmpy3bTS0mr9pylH0nOt/QzQRrW7/h7yLdRForMZwc= k8s.io/apimachinery v0.20.1/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU= k8s.io/apimachinery v0.20.4/go.mod h1:WlLqWAHZGg07AeltaI0MV5uk1Omp8xaN0JGLY6gkRpU= k8s.io/apimachinery v0.20.6/go.mod h1:ejZXtW1Ra6V1O5H8xPBGz+T3+4gfkTCeExAHKU57MAc= 
@@ -3660,27 +3664,27 @@ k8s.io/apimachinery v0.22.1/go.mod h1:O3oNtNadZdeOMxHFVxOreoznohCpy0z6mocxbZr7oJ k8s.io/apimachinery v0.22.5/go.mod h1:xziclGKwuuJ2RM5/rSFQSYAj0zdbci3DH8kj+WvyN0U= k8s.io/apimachinery v0.26.0/go.mod h1:tnPmbONNJ7ByJNz9+n9kMjNP8ON+1qoAIIC70lztu74= k8s.io/apimachinery v0.26.3/go.mod h1:ats7nN1LExKHvJ9TmwootT00Yz05MuYqPXEXaVeOy5I= -k8s.io/apimachinery v0.28.10 h1:cWonrYsJK3lbuf9IgMs5+L5Jzw6QR3ZGA3hzwG0HDeI= -k8s.io/apimachinery v0.28.10/go.mod h1:zUG757HaKs6Dc3iGtKjzIpBfqTM4yiRsEe3/E7NX15o= +k8s.io/apimachinery v0.29.5 h1:Hofa2BmPfpoT+IyDTlcPdCHSnHtEQMoJYGVoQpRTfv4= +k8s.io/apimachinery v0.29.5/go.mod h1:i3FJVwhvSp/6n8Fl4K97PJEP8C+MM+aoDq4+ZJBf70Y= k8s.io/apiserver v0.20.1/go.mod h1:ro5QHeQkgMS7ZGpvf4tSMx6bBOgPfE+f52KwvXfScaU= k8s.io/apiserver v0.20.4/go.mod h1:Mc80thBKOyy7tbvFtB4kJv1kbdD0eIH8k8vianJcbFM= k8s.io/apiserver v0.20.6/go.mod h1:QIJXNt6i6JB+0YQRNcS0hdRHJlMhflFmsBDeSgT1r8Q= k8s.io/apiserver v0.22.5/go.mod h1:s2WbtgZAkTKt679sYtSudEQrTGWUSQAPe6MupLnlmaQ= k8s.io/apiserver v0.26.0/go.mod h1:aWhlLD+mU+xRo+zhkvP/gFNbShI4wBDHS33o0+JGI84= -k8s.io/apiserver v0.28.2 h1:rBeYkLvF94Nku9XfXyUIirsVzCzJBs6jMn3NWeHieyI= -k8s.io/apiserver v0.28.2/go.mod h1:f7D5e8wH8MWcKD7azq6Csw9UN+CjdtXIVQUyUhrtb+E= +k8s.io/apiserver v0.29.0 h1:Y1xEMjJkP+BIi0GSEv1BBrf1jLU9UPfAnnGGbbDdp7o= +k8s.io/apiserver v0.29.0/go.mod h1:31n78PsRKPmfpee7/l9NYEv67u6hOL6AfcE761HapDM= k8s.io/cli-runtime v0.26.0/go.mod h1:o+4KmwHzO/UK0wepE1qpRk6l3o60/txUZ1fEXWGIKTY= k8s.io/cli-runtime v0.26.3/go.mod h1:5YEhXLV4kLt/OSy9yQwtSSNZU2Z7aTEYta1A+Jg4VC4= -k8s.io/cli-runtime v0.28.4 h1:IW3aqSNFXiGDllJF4KVYM90YX4cXPGxuCxCVqCD8X+Q= -k8s.io/cli-runtime v0.28.4/go.mod h1:MLGRB7LWTIYyYR3d/DOgtUC8ihsAPA3P8K8FDNIqJ0k= +k8s.io/cli-runtime v0.29.0 h1:q2kC3cex4rOBLfPOnMSzV2BIrrQlx97gxHJs21KxKS4= +k8s.io/cli-runtime v0.29.0/go.mod h1:VKudXp3X7wR45L+nER85YUzOQIru28HQpXr0mTdeCrk= k8s.io/client-go v0.20.1/go.mod h1:/zcHdt1TeWSd5HoUe6elJmHSQ6uLLgp4bIJHVEuy+/Y= k8s.io/client-go v0.20.4/go.mod 
h1:LiMv25ND1gLUdBeYxBIwKpkSC5IsozMMmOOeSJboP+k= k8s.io/client-go v0.20.6/go.mod h1:nNQMnOvEUEsOzRRFIIkdmYOjAZrC8bgq0ExboWSU1I0= k8s.io/client-go v0.22.5/go.mod h1:cs6yf/61q2T1SdQL5Rdcjg9J1ElXSwbjSrW2vFImM4Y= k8s.io/client-go v0.26.0/go.mod h1:I2Sh57A79EQsDmn7F7ASpmru1cceh3ocVT9KlX2jEZg= k8s.io/client-go v0.26.3/go.mod h1:ZPNu9lm8/dbRIPAgteN30RSXea6vrCpFvq+MateTUuQ= -k8s.io/client-go v0.28.10 h1:y+mvUei3+RU0rE7r2BZFA2ApTAsXSN1glGs4QfULLt4= -k8s.io/client-go v0.28.10/go.mod h1:JLwjCWhQhvm1F4J+7YAr9WVhSRNmfkRofPWU43m8LZk= +k8s.io/client-go v0.29.5 h1:nlASXmPQy190qTteaVP31g3c/wi2kycznkTP7Sv1zPc= +k8s.io/client-go v0.29.5/go.mod h1:aY5CnqUUvXYccJhm47XHoPcRyX6vouHdIBHaKZGTbK4= k8s.io/code-generator v0.19.7/go.mod h1:lwEq3YnLYb/7uVXLorOJfxg+cUu2oihFhHZ0n9NIla0= k8s.io/code-generator v0.26.0/go.mod h1:OMoJ5Dqx1wgaQzKgc+ZWaZPfGjdRq/Y3WubFrZmeI3I= k8s.io/component-base v0.20.1/go.mod h1:guxkoJnNoh8LNrbtiQOlyp2Y2XFCZQmrcg2n/DeYNLk= @@ -3688,8 +3692,8 @@ k8s.io/component-base v0.20.4/go.mod h1:t4p9EdiagbVCJKrQ1RsA5/V4rFQNDfRlevJajlGw k8s.io/component-base v0.20.6/go.mod h1:6f1MPBAeI+mvuts3sIdtpjljHWBQ2cIy38oBIWMYnrM= k8s.io/component-base v0.22.5/go.mod h1:VK3I+TjuF9eaa+Ln67dKxhGar5ynVbwnGrUiNF4MqCI= k8s.io/component-base v0.26.0/go.mod h1:lqHwlfV1/haa14F/Z5Zizk5QmzaVf23nQzCwVOQpfC8= -k8s.io/component-base v0.28.3 h1:rDy68eHKxq/80RiMb2Ld/tbH8uAE75JdCqJyi6lXMzI= -k8s.io/component-base v0.28.3/go.mod h1:fDJ6vpVNSk6cRo5wmDa6eKIG7UlIQkaFmZN2fYgIUD8= +k8s.io/component-base v0.29.0 h1:T7rjd5wvLnPBV1vC4zWd/iWRbV8Mdxs+nGaoaFzGw3s= +k8s.io/component-base v0.29.0/go.mod h1:sADonFTQ9Zc9yFLghpDpmNXEdHyQmFIGbiuZbqAXQ1M= k8s.io/component-helpers v0.26.0/go.mod h1:jHN01qS/Jdj95WCbTe9S2VZ9yxpxXNY488WjF+yW4fo= k8s.io/cri-api v0.17.3/go.mod h1:X1sbHmuXhwaHs9xxYffLqJogVsnI+f6cPRcgPel7ywM= k8s.io/cri-api v0.20.1/go.mod h1:2JRbKt+BFLTjtrILYVqQK5jqhI+XNdF6UiGMgczeBCI= 
@@ -3721,8 +3725,8 @@ k8s.io/kube-openapi v0.0.0-20221207184640-f3cff1453715/go.mod h1:+Axhij7bCpeqhkl
 k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780=
 k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA=
 k8s.io/kubectl v0.26.0/go.mod h1:eInP0b+U9XUJWSYeU9XZnTA+cVYuWyl3iYPGtru0qhQ=
-k8s.io/kubectl v0.28.3 h1:H1Peu1O3EbN9zHkJCcvhiJ4NUj6lb88sGPO5wrWIM6k=
-k8s.io/kubectl v0.28.3/go.mod h1:RDAudrth/2wQ3Sg46fbKKl4/g+XImzvbsSRZdP2RiyE=
+k8s.io/kubectl v0.29.0 h1:Oqi48gXjikDhrBF67AYuZRTcJV4lg2l42GmvsP7FmYI=
+k8s.io/kubectl v0.29.0/go.mod h1:0jMjGWIcMIQzmUaMgAzhSELv5WtHo2a8pq67DtviAJs=
 k8s.io/kubernetes v1.13.0/go.mod h1:ocZa8+6APFNC2tX1DZASIbocyYT5jHzqFVsY5aoB7Jk=
 k8s.io/metrics v0.26.0/go.mod h1:cf5MlG4ZgWaEFZrR9+sOImhZ2ICMpIdNurA+D8snIs8=
 k8s.io/utils v0.0.0-20201110183641-67b214c5f920/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
diff --git a/internal/resources/fetching/fetchers/k8s/kube_fetcher.go b/internal/resources/fetching/fetchers/k8s/kube_fetcher.go
index 909ffdf23b..3284f73ef4 100644
--- a/internal/resources/fetching/fetchers/k8s/kube_fetcher.go
+++ b/internal/resources/fetching/fetchers/k8s/kube_fetcher.go
@@ -25,7 +25,6 @@ import (
 "github.com/elastic/elastic-agent-autodiscover/kubernetes"
 "github.com/elastic/elastic-agent-libs/logp"

- policyv1beta1 "k8s.io/api/policy/v1beta1"
 "k8s.io/apimachinery/pkg/runtime"
 k8s "k8s.io/client-go/kubernetes"
 "k8s.io/client-go/kubernetes/scheme"
@@ -77,16 +76,6 @@ var (
 // allNamespaces,
 // },
 }
-
- // optionalClusterResources are treated equally to vanillaClusterResources,
- // but do NOT produce an error if they are not found. For example PSPs are
- // deprecated for k8s >= v1.25.
- optionalClusterResources = []requiredResource{
- {
- &policyv1beta1.PodSecurityPolicy{},
- allNamespaces,
- },
- }
 )

 type requiredResource struct {
@@ -156,13 +145,6 @@ func (f *KubeFetcher) initWatchers() error {
 }
 }

- for _, r := range optionalClusterResources {
- err := f.initWatcher(f.k8sProvider, r)
- if err != nil {
- f.log.Warn(err.Error())
- }
- }
-
 f.log.Info("Kubernetes Watchers initiated")

 return nil
diff --git a/internal/resources/fetching/fetchers/k8s/kube_fetcher_test.go b/internal/resources/fetching/fetchers/k8s/kube_fetcher_test.go
index 6807c60b56..2a154e8ab0 100644
--- a/internal/resources/fetching/fetchers/k8s/kube_fetcher_test.go
+++ b/internal/resources/fetching/fetchers/k8s/kube_fetcher_test.go
@@ -25,7 +25,6 @@ import (
 "github.com/stretchr/testify/suite"

 "k8s.io/api/core/v1"
- policyv1beta1 "k8s.io/api/policy/v1beta1"
 rbacv1 "k8s.io/api/rbac/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/runtime"
@@ -74,8 +73,6 @@ func MapItems(resources runtime.Object) []any {
 return PtrMap(items)
 case []rbacv1.Role:
 return PtrMap(items)
- case []policyv1beta1.PodSecurityPolicy:
- return PtrMap(items)
 default:
 return nil
 }
@@ -180,29 +177,11 @@ func (s *KubeFetcherTestSuite) TestKubeFetcher_TestFetch() {
 },
 },
 }}
- podSecurityPolicies := policyv1beta1.PodSecurityPolicyList{Items: []policyv1beta1.PodSecurityPolicy{
- {
- TypeMeta: metav1.TypeMeta{
- Kind: "PodSecurityPolicy",
- APIVersion: policyv1beta1.SchemeGroupVersion.String(),
- },
- ObjectMeta: metav1.ObjectMeta{
- Name: "test-psp",
- Namespace: "default",
- },
- Spec: policyv1beta1.PodSecurityPolicySpec{
- RunAsUser: policyv1beta1.RunAsUserStrategyOptions{
- Rule: policyv1beta1.RunAsUserStrategyMustRunAsNonRoot,
- },
- },
- },
- }}
 tests := []runtime.Object{
 &v1.PodList{},
 &v1.PodList{Items: []v1.Pod{myPod}},
 &threePods,
 &threeRoles,
- &podSecurityPolicies,
 }

 for i, tt := range tests {
diff --git a/internal/resources/fetching/fetchers/k8s/kube_provider.go b/internal/resources/fetching/fetchers/k8s/kube_provider.go
index a795a72566..3102bfbdcd 100644
--- a/internal/resources/fetching/fetchers/k8s/kube_provider.go
+++ b/internal/resources/fetching/fetchers/k8s/kube_provider.go
@@ -22,7 +22,6 @@ import (
 "github.com/elastic/elastic-agent-autodiscover/kubernetes"
 "github.com/elastic/elastic-agent-libs/logp"

- policyv1beta1 "k8s.io/api/policy/v1beta1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

 "github.com/elastic/cloudbeat/internal/resources/fetching"
@@ -136,8 +135,6 @@ func nullifyManagedFields(resource any) {
 val.ManagedFields = nil
 case *kubernetes.ClusterRoleBinding:
 val.ManagedFields = nil
- case *policyv1beta1.PodSecurityPolicy:
- val.ManagedFields = nil
 case *kubernetes.ServiceAccount:
 val.ManagedFields = nil
 case *kubernetes.NetworkPolicy:
diff --git a/security-policies/RULES.md b/security-policies/RULES.md
index 9be46ba226..bf2228ca3d 100644
--- a/security-policies/RULES.md
+++ b/security-policies/RULES.md
@@ -16,7 +16,7 @@ #### Manual rules: 19/51 (37%)
-#### Integration Tests Coverage: 145/250 (58%)
+#### Integration Tests Coverage: 129/250 (52%)
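Review bot: Removing the `optionalClusterResources` loop from initWatchers means PodSecurityPolicy objects are no longer watched at all, yet nothing left in the fetcher says this is deliberate; the comment deleted in the previous hunk was the only place that explained it. A one-line comment next to the remaining `vanillaClusterResources` declaration (outside this hunk), e.g. `// PodSecurityPolicy is intentionally not watched: the policy/v1beta1 API was removed in Kubernetes 1.25.`, keeps that context for the next reader. The RULES.md hunk in this same commit still lists CIS 5.2.2–5.2.10 as implemented while flipping their integration-test coverage to :x:, so it is worth confirming what those rules evaluate once no PSP resources are fetched — that is inferred from the diff, not visible in this hunk. initWatchers starts outside the hunk.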

Full Table 📋

@@ -126,17 +126,17 @@ | 5.1.7 | RBAC and Service Accounts | Avoid use of system:masters group | :x: | Passed :x: / Failed :x: | Manual | | 5.1.8 | RBAC and Service Accounts | Limit use of the Bind, Impersonate and Escalate permissions in the Kubernetes cluster | :x: | Passed :x: / Failed :x: | Manual | | 5.2.1 | Pod Security Standards | Ensure that the cluster has at least one active policy control mechanism in place | :x: | Passed :x: / Failed :x: | Manual | -| [5.2.10](bundle/compliance/cis_k8s/rules/cis_5_2_10) | Pod Security Standards | Minimize the admission of containers with capabilities assigned | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Manual | +| [5.2.10](bundle/compliance/cis_k8s/rules/cis_5_2_10) | Pod Security Standards | Minimize the admission of containers with capabilities assigned | :white_check_mark: | Passed :x: / Failed :x: | Manual | | 5.2.11 | Pod Security Standards | Minimize the admission of Windows HostProcess Containers | :x: | Passed :x: / Failed :x: | Manual | | 5.2.12 | Pod Security Standards | Minimize the admission of HostPath volumes | :x: | Passed :x: / Failed :x: | Manual | | 5.2.13 | Pod Security Standards | Minimize the admission of containers which use HostPorts | :x: | Passed :x: / Failed :x: | Manual | -| [5.2.2](bundle/compliance/cis_k8s/rules/cis_5_2_2) | Pod Security Standards | Minimize the admission of privileged containers | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Manual | -| [5.2.3](bundle/compliance/cis_k8s/rules/cis_5_2_3) | Pod Security Standards | Minimize the admission of containers wishing to share the host process ID namespace | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated | -| [5.2.4](bundle/compliance/cis_k8s/rules/cis_5_2_4) | Pod Security Standards | Minimize the admission of containers wishing to share the host IPC namespace | :white_check_mark: | Passed :white_check_mark: / Failed 
:white_check_mark: | Automated | -| [5.2.5](bundle/compliance/cis_k8s/rules/cis_5_2_5) | Pod Security Standards | Minimize the admission of containers wishing to share the host network namespace | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated | -| [5.2.6](bundle/compliance/cis_k8s/rules/cis_5_2_6) | Pod Security Standards | Minimize the admission of containers with allowPrivilegeEscalation | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated | -| [5.2.7](bundle/compliance/cis_k8s/rules/cis_5_2_7) | Pod Security Standards | Minimize the admission of root containers | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated | -| [5.2.8](bundle/compliance/cis_k8s/rules/cis_5_2_8) | Pod Security Standards | Minimize the admission of containers with the NET_RAW capability | :white_check_mark: | Passed :white_check_mark: / Failed :white_check_mark: | Automated | +| [5.2.2](bundle/compliance/cis_k8s/rules/cis_5_2_2) | Pod Security Standards | Minimize the admission of privileged containers | :white_check_mark: | Passed :x: / Failed :x: | Manual | +| [5.2.3](bundle/compliance/cis_k8s/rules/cis_5_2_3) | Pod Security Standards | Minimize the admission of containers wishing to share the host process ID namespace | :white_check_mark: | Passed :x: / Failed :x: | Automated | +| [5.2.4](bundle/compliance/cis_k8s/rules/cis_5_2_4) | Pod Security Standards | Minimize the admission of containers wishing to share the host IPC namespace | :white_check_mark: | Passed :x: / Failed :x: | Automated | +| [5.2.5](bundle/compliance/cis_k8s/rules/cis_5_2_5) | Pod Security Standards | Minimize the admission of containers wishing to share the host network namespace | :white_check_mark: | Passed :x: / Failed :x: | Automated | +| [5.2.6](bundle/compliance/cis_k8s/rules/cis_5_2_6) | Pod Security Standards | Minimize the admission of containers with allowPrivilegeEscalation | :white_check_mark: 
| Passed :x: / Failed :x: | Automated | +| [5.2.7](bundle/compliance/cis_k8s/rules/cis_5_2_7) | Pod Security Standards | Minimize the admission of root containers | :white_check_mark: | Passed :x: / Failed :x: | Automated | +| [5.2.8](bundle/compliance/cis_k8s/rules/cis_5_2_8) | Pod Security Standards | Minimize the admission of containers with the NET_RAW capability | :white_check_mark: | Passed :x: / Failed :x: | Automated | | [5.2.9](bundle/compliance/cis_k8s/rules/cis_5_2_9) | Pod Security Standards | Minimize the admission of containers with added capabilities | :white_check_mark: | Passed :x: / Failed :x: | Automated | | 5.3.1 | Network Policies and CNI | Ensure that the CNI in use supports Network Policies | :x: | Passed :x: / Failed :x: | Manual | | 5.3.2 | Network Policies and CNI | Ensure that all Namespaces have Network Policies defined | :x: | Passed :x: / Failed :x: | Manual | diff --git a/tests/commonlib/kubernetes.py b/tests/commonlib/kubernetes.py index 39a7619934..8696367a65 100644 --- a/tests/commonlib/kubernetes.py +++ b/tests/commonlib/kubernetes.py @@ -29,7 +29,7 @@ def __init__(self, is_in_cluster_config: bool = False): else: self.config = config.load_kube_config() - self.policy_c1_api = client.PolicyV1beta1Api() + # self.policy_c1_api = client.PolicyV1beta1Api() self.core_v1_client = client.CoreV1Api() self.app_api = client.AppsV1Api() self.rbac_api = client.RbacAuthorizationV1Api() @@ -45,7 +45,7 @@ def __init__(self, is_in_cluster_config: bool = False): "RoleBinding": self.rbac_api.list_namespaced_role_binding, "ClusterRoleBinding": self.rbac_api.list_cluster_role_binding, "ClusterRole": self.rbac_api.list_cluster_role, - "PodSecurityPolicy": self.policy_c1_api.list_pod_security_policy, + # "PodSecurityPolicy": self.policy_c1_api.list_pod_security_policy, "Lease": self.coordination_v1_api.list_namespaced_lease, } 
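Review bot: In tests/commonlib/kubernetes.py the `policy_c1_api` attribute and its `PodSecurityPolicy` dict entries are commented out rather than removed, here and in the hunks at lines 57, 70, 83 and 96; since the attribute is no longer assigned, any caller outside this file that still reads `self.policy_c1_api` will fail with an AttributeError instead of a clear message, which is worth a grep. Deleting the six lines is cleaner than leaving `# "PodSecurityPolicy": self.policy_c1_api...` references to a name that never exists on the instance. If the absence should be recorded, one comment at the first site is enough, e.g. `# No PolicyV1beta1Api client: PodSecurityPolicy was removed in Kubernetes 1.25.`. `__init__` starts outside the hunk.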
@@ -57,7 +57,7 @@ def __init__(self, is_in_cluster_config: bool = False):
 "Role": self.rbac_api.delete_namespaced_role,
 "RoleBinding": self.rbac_api.delete_namespaced_role_binding,
 "ClusterRoleBinding": self.rbac_api.delete_cluster_role_binding,
- "PodSecurityPolicy": self.policy_c1_api.delete_pod_security_policy,
+ # "PodSecurityPolicy": self.policy_c1_api.delete_pod_security_policy,
 "ClusterRole": self.rbac_api.delete_cluster_role,
 "Lease": self.coordination_v1_api.delete_namespaced_lease,
 }
@@ -70,7 +70,7 @@ def __init__(self, is_in_cluster_config: bool = False):
 "Role": self.rbac_api.patch_namespaced_role,
 "RoleBinding": self.rbac_api.patch_namespaced_role_binding,
 "ClusterRoleBinding": self.rbac_api.patch_cluster_role_binding,
- "PodSecurityPolicy": self.policy_c1_api.patch_pod_security_policy,
+ # "PodSecurityPolicy": self.policy_c1_api.patch_pod_security_policy,
 "ClusterRole": self.rbac_api.patch_cluster_role,
 "Lease": self.coordination_v1_api.patch_namespaced_lease,
 }
@@ -83,7 +83,7 @@ def __init__(self, is_in_cluster_config: bool = False):
 "Role": self.rbac_api.create_namespaced_role,
 "RoleBinding": self.rbac_api.create_namespaced_role_binding,
 "ClusterRoleBinding": self.rbac_api.create_cluster_role_binding,
- "PodSecurityPolicy": self.policy_c1_api.create_pod_security_policy,
+ # "PodSecurityPolicy": self.policy_c1_api.create_pod_security_policy,
 "ClusterRole": self.rbac_api.create_cluster_role,
 "Lease": self.coordination_v1_api.create_namespaced_lease,
 }
@@ -96,7 +96,7 @@ def __init__(self, is_in_cluster_config: bool = False):
 "Role": self.rbac_api.read_namespaced_role,
 "RoleBinding": self.rbac_api.read_namespaced_role_binding,
 "ClusterRoleBinding": self.rbac_api.read_cluster_role_binding,
- "PodSecurityPolicy": self.policy_c1_api.read_pod_security_policy,
+ # "PodSecurityPolicy": self.policy_c1_api.read_pod_security_policy,
 "ClusterRole": self.rbac_api.read_cluster_role,
 "Lease": self.coordination_v1_api.read_namespaced_lease,
 }
diff --git a/tests/product/tests/data/eks/eks_k8s_object_test_cases.py b/tests/product/tests/data/eks/eks_k8s_object_test_cases.py
index be7a7ea44c..91c35fdbf8 100644
--- a/tests/product/tests/data/eks/eks_k8s_object_test_cases.py
+++ b/tests/product/tests/data/eks/eks_k8s_object_test_cases.py
@@ -4,7 +4,7 @@ Each rule has one or more test cases.
 """
-from commonlib.framework.reporting import SkipReportData, skip_param_case
+# from commonlib.framework.reporting import SkipReportData, skip_param_case
 from configuration import eks
 from ..constants import RULE_FAIL_STATUS, RULE_PASS_STATUS
@@ -164,25 +164,25 @@
 }
 k8s_object_config_1 = {
- **cis_eks_4_2_7,
- **skip_param_case(
- cis_eks_4_2_8,
- data_to_report=SkipReportData(
- skip_reason="Retest after testing configuration will be fixed.",
- url_title="cloudbeat: #500",
- url_link="https://github.com/elastic/cloudbeat/issues/500",
- ),
- ),
- **cis_eks_4_2_9,
+ # **cis_eks_4_2_7,
+ # **skip_param_case(
+ # cis_eks_4_2_8,
+ # data_to_report=SkipReportData(
+ # skip_reason="Retest after testing configuration will be fixed.",
+ # url_title="cloudbeat: #500",
+ # url_link="https://github.com/elastic/cloudbeat/issues/500",
+ # ),
+ # ),
+ # **cis_eks_4_2_9,
 }
 k8s_object_config_2 = {
- **cis_eks_4_2_1,
- **cis_eks_4_2_2,
- **cis_eks_4_2_3,
- **cis_eks_4_2_4,
- **cis_eks_4_2_5,
- **cis_eks_4_2_6,
+ # **cis_eks_4_2_1,
+ # **cis_eks_4_2_2,
+ # **cis_eks_4_2_3,
+ # **cis_eks_4_2_4,
+ # **cis_eks_4_2_5,
+ # **cis_eks_4_2_6,
 }
 cis_eks_all = {
diff --git a/tests/product/tests/data/k8s/k8s_object_cases.py b/tests/product/tests/data/k8s/k8s_object_cases.py
index c67fd2a384..19396c76d4 100644
--- a/tests/product/tests/data/k8s/k8s_object_cases.py
+++ b/tests/product/tests/data/k8s/k8s_object_cases.py
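Review bot: With every spread entry commented out, `k8s_object_config_1` and `k8s_object_config_2` now evaluate to `{}`; if they still feed a pytest parametrization (the `cis_eks_all` merge that follows starts outside the hunk, so I cannot tell), the affected tests collect with an empty parameter set and show up as skipped rather than failing or disappearing, which is easy to miss in CI. If the EKS 4.2.x cases are intentionally dropped, remove the two dicts and their consumers outright and delete the now-unreferenced `cis_eks_4_2_1`…`cis_eks_4_2_9` definitions above together with the commented import in the hunk at -4. If they are only paused, wrapping them with `skip_param_case` — the helper the -4 hunk comments out — keeps them visible in the report with a reason and a tracking link, which is exactly how `cis_eks_4_2_8` was being handled before this change.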
@@ -253,12 +253,12 @@
 **cis_5_1_3,
 **cis_5_1_5,
 **cis_5_1_6,
- **cis_psp_5_2_2,
- **cis_psp_5_2_3,
- **cis_psp_5_2_4,
- **cis_psp_5_2_5,
- **cis_psp_5_2_6,
- **cis_psp_5_2_7,
- **cis_psp_5_2_8,
- **cis_psp_5_2_10,
+ # **cis_psp_5_2_2,
+ # **cis_psp_5_2_3,
+ # **cis_psp_5_2_4,
+ # **cis_psp_5_2_5,
+ # **cis_psp_5_2_6,
+ # **cis_psp_5_2_7,
+ # **cis_psp_5_2_8,
+ # **cis_psp_5_2_10,
 }
diff --git a/tests/test_environments/k8s-cloudbeat-tests/templates/cloudbeat-eks-pytest.yaml b/tests/test_environments/k8s-cloudbeat-tests/templates/cloudbeat-eks-pytest.yaml
index a4fb2dbfc0..84a58d66a8 100644
--- a/tests/test_environments/k8s-cloudbeat-tests/templates/cloudbeat-eks-pytest.yaml
+++ b/tests/test_environments/k8s-cloudbeat-tests/templates/cloudbeat-eks-pytest.yaml
@@ -119,14 +119,14 @@ rules:
 - get
 - list
 - watch
- - apiGroups:
- - policy
- resources:
- - podsecuritypolicies
- verbs:
- - get
- - list
- - watch
+ # - apiGroups:
+ # - policy
+ # resources:
+ # - podsecuritypolicies
+ # verbs:
+ # - get
+ # - list
+ # - watch
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
diff --git a/tests/test_environments/k8s-cloudbeat-tests/templates/standalone-agent.yml b/tests/test_environments/k8s-cloudbeat-tests/templates/standalone-agent.yml
index d887679f0a..a093e42cd0 100644
--- a/tests/test_environments/k8s-cloudbeat-tests/templates/standalone-agent.yml
+++ b/tests/test_environments/k8s-cloudbeat-tests/templates/standalone-agent.yml
@@ -689,10 +689,10 @@ rules:
 - roles
 verbs: ["get", "list", "watch"]
 # Needed for cloudbeat
- - apiGroups: ["policy"]
- resources:
- - podsecuritypolicies
- verbs: ["get", "list", "watch"]
+ # - apiGroups: ["policy"]
+ # resources:
+ # - podsecuritypolicies
+ # verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
diff --git a/tests/test_environments/k8s-objects-all-cases.yml b/tests/test_environments/k8s-objects-all-cases.yml
index 6757b46007..9893b38ff3 100644
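Review bot: The eight `# **cis_psp_5_2_*` lines are dead text inside a dict literal whose opening line is outside the hunk, and the `cis_psp_5_2_2`…`cis_psp_5_2_10` dicts they spread are presumably still defined earlier in the file and are now unreferenced. Delete the spreads together with those definitions, or, if the 5.2.x cases are expected to return under a Pod Security Admission–based check, replace the eight lines with one comment saying so.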
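Review bot: The context line `# Needed for cloudbeat` sits directly above the rule being commented out, so it now annotates nothing and reads as though the commented `policy`/`podsecuritypolicies` grant were still required; the hunk at -583 of tests/test_environments/sa-agent-pytest.yml leaves the same orphaned comment. Remove the comment together with the four commented rule lines, or reattach it to whichever rule it actually describes. Dropping the read grant on `podsecuritypolicies` is a least-privilege improvement in its own right now that the resource no longer exists on the cluster, and is better recorded as a deletion in the commit than as a half-present rule in the manifest. The `rules:` list begins outside the hunk.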
--- a/tests/test_environments/k8s-objects-all-cases.yml
+++ b/tests/test_environments/k8s-objects-all-cases.yml
@@ -27,47 +27,47 @@ metadata:
 namespace: kube-system
 automountServiceAccountToken: false
 ---
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: test-psp
- annotations:
- # docker/default identifies a profile for seccomp, but it is not particularly tied to the Docker runtime
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
- apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
- apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
-spec:
- privileged: false
- # Required to prevent escalations to root.
- allowPrivilegeEscalation: false
- requiredDropCapabilities:
- - ALL
- # Allow core volume types.
- volumes:
- - 'csi'
- hostNetwork: false
- hostIPC: false
- hostPID: false
- runAsUser:
- # Require the container to run without root privileges.
- rule: 'MustRunAsNonRoot'
- seLinux:
- # This policy assumes the nodes are using AppArmor rather than SELinux.
- rule: 'RunAsAny'
- supplementalGroups:
- rule: 'MustRunAs'
- ranges:
- # Forbid adding the root group.
- - min: 1
- max: 65535
- fsGroup:
- rule: 'MustRunAs'
- ranges:
- # Forbid adding the root group.
- - min: 1
- max: 65535
- readOnlyRootFilesystem: false
----
+# apiVersion: policy/v1beta1
+# kind: PodSecurityPolicy
+# metadata:
+# name: test-psp
+# annotations:
+# # docker/default identifies a profile for seccomp, but it is not particularly tied to the Docker runtime
+# seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
+# apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
+# apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
+# spec:
+# privileged: false
+# # Required to prevent escalations to root.
+# allowPrivilegeEscalation: false
+# requiredDropCapabilities:
+# - ALL
+# # Allow core volume types.
+# volumes:
+# - 'csi'
+# hostNetwork: false
+# hostIPC: false
+# hostPID: false
+# runAsUser:
+# # Require the container to run without root privileges.
+# rule: 'MustRunAsNonRoot'
+# seLinux:
+# # This policy assumes the nodes are using AppArmor rather than SELinux.
+# rule: 'RunAsAny'
+# supplementalGroups:
+# rule: 'MustRunAs'
+# ranges:
+# # Forbid adding the root group.
+# - min: 1
+# max: 65535
+# fsGroup:
+# rule: 'MustRunAs'
+# ranges:
+# # Forbid adding the root group.
+# - min: 1
+# max: 65535
+# readOnlyRootFilesystem: false
+# ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -86,10 +86,10 @@ rules:
 - apiGroups: [ "" ] # "" indicates the core API group
 resources: [ "pods" ]
 verbs: [ "get", "watch", "list" ]
- - apiGroups: [ 'policy' ]
- resources: [ 'podsecuritypolicies' ]
- verbs: [ 'use' ]
- resourceNames: [ 'test-psp' ]
+ # - apiGroups: [ 'policy' ]
+ # resources: [ 'podsecuritypolicies' ]
+ # verbs: [ 'use' ]
+ # resourceNames: [ 'test-psp' ]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -112,10 +112,10 @@ rules:
 - apiGroups: [ "*" ] # "" indicates the core API group
 resources: [ "*" ]
 verbs: [ "*" ]
- - apiGroups: [ 'policy' ]
- resources: [ 'podsecuritypolicies' ]
- verbs: [ 'use' ]
- resourceNames: [ 'test-psp-fail' ]
+ # - apiGroups: [ 'policy' ]
+ # resources: [ 'podsecuritypolicies' ]
+ # verbs: [ 'use' ]
+ # resourceNames: [ 'test-psp-fail' ]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
diff --git a/tests/test_environments/mock-pod.yml b/tests/test_environments/mock-pod.yml
index abad719de7..813a837d05 100644
--- a/tests/test_environments/mock-pod.yml
+++ b/tests/test_environments/mock-pod.yml
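Review bot: Forty-one lines of the removed PodSecurityPolicy manifest are retained as `#` comments, including the `# ---` document separator, and the identical block is duplicated in the hunk at -27 of tests/test_environments/mock-pod.yml; the `use`-verb RBAC rules at -86 and -112 here and at -86 in mock-pod.yml get the same treatment. Delete the object and the rules rather than commenting them; the `---` context line immediately above still terminates the previous document, so the Role that follows parses as its own document either way. The policy's intent — non-root, no privilege escalation, all capabilities dropped, no host namespaces — is what the 5.2.x test cases were exercising, so if those cases are to come back the fixture on a current cluster is a Pod Security Admission label on the test namespace (`pod-security.kubernetes.io/enforce`) rather than a PSP, and a one-line comment pointing there would be more useful than the commented manifest. Note that the ClusterRole at -112 keeps its pre-existing `apiGroups: [ "*" ]` / `resources: [ "*" ]` / `verbs: [ "*" ]` grant, which is presumably the deliberate failing fixture and is what made the removed `resourceNames: [ 'test-psp-fail' ]` rule redundant.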
@@ -27,47 +27,47 @@ metadata:
 namespace: kube-system
 automountServiceAccountToken: false
 ---
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: test-psp
- annotations:
- # docker/default identifies a profile for seccomp, but it is not particularly tied to the Docker runtime
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
- apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
- apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
-spec:
- privileged: false
- # Required to prevent escalations to root.
- allowPrivilegeEscalation: false
- requiredDropCapabilities:
- - ALL
- # Allow core volume types.
- volumes:
- - 'csi'
- hostNetwork: false
- hostIPC: false
- hostPID: false
- runAsUser:
- # Require the container to run without root privileges.
- rule: 'MustRunAsNonRoot'
- seLinux:
- # This policy assumes the nodes are using AppArmor rather than SELinux.
- rule: 'RunAsAny'
- supplementalGroups:
- rule: 'MustRunAs'
- ranges:
- # Forbid adding the root group.
- - min: 1
- max: 65535
- fsGroup:
- rule: 'MustRunAs'
- ranges:
- # Forbid adding the root group.
- - min: 1
- max: 65535
- readOnlyRootFilesystem: false
----
+# apiVersion: policy/v1beta1
+# kind: PodSecurityPolicy
+# metadata:
+# name: test-psp
+# annotations:
+# # docker/default identifies a profile for seccomp, but it is not particularly tied to the Docker runtime
+# seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default,runtime/default'
+# apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
+# apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
+# spec:
+# privileged: false
+# # Required to prevent escalations to root.
+# allowPrivilegeEscalation: false
+# requiredDropCapabilities:
+# - ALL
+# # Allow core volume types.
+# volumes:
+# - 'csi'
+# hostNetwork: false
+# hostIPC: false
+# hostPID: false
+# runAsUser:
+# # Require the container to run without root privileges.
+# rule: 'MustRunAsNonRoot'
+# seLinux:
+# # This policy assumes the nodes are using AppArmor rather than SELinux.
+# rule: 'RunAsAny'
+# supplementalGroups:
+# rule: 'MustRunAs'
+# ranges:
+# # Forbid adding the root group.
+# - min: 1
+# max: 65535
+# fsGroup:
+# rule: 'MustRunAs'
+# ranges:
+# # Forbid adding the root group.
+# - min: 1
+# max: 65535
+# readOnlyRootFilesystem: false
+# ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
@@ -86,10 +86,10 @@ rules:
 - apiGroups: [ "" ] # "" indicates the core API group
 resources: [ "pods" ]
 verbs: [ "get", "watch", "list" ]
- - apiGroups: [ 'policy' ]
- resources: [ 'podsecuritypolicies' ]
- verbs: [ 'use' ]
- resourceNames: [ 'test-psp' ]
+ # - apiGroups: [ 'policy' ]
+ # resources: [ 'podsecuritypolicies' ]
+ # verbs: [ 'use' ]
+ # resourceNames: [ 'test-psp' ]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
diff --git a/tests/test_environments/sa-agent-pytest.yml b/tests/test_environments/sa-agent-pytest.yml
index f5f26393e0..4d99537e90 100644
--- a/tests/test_environments/sa-agent-pytest.yml
+++ b/tests/test_environments/sa-agent-pytest.yml
@@ -583,10 +583,10 @@ rules:
 - roles
 verbs: ["get", "list", "watch"]
 # Needed for cloudbeat
- - apiGroups: ["policy"]
- resources:
- - podsecuritypolicies
- verbs: ["get", "list", "watch"]
+ # - apiGroups: ["policy"]
+ # resources:
+ # - podsecuritypolicies
+ # verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role