Removal and exchange duplicate test for privileged containers

This change removes the Kubescape implementation of test
for privileged containers. The reason behind this decision
is the absence of functionality to exclude containers
from the test. Instead, it has been replaced with an in-house
implementation of this test, which has been renamed
from "privileged" to "privileged_containers".

Implements: cnti-testcatalog#2115
Signed-off-by: horecoli <[email protected]>

spec/workload/security_spec.cr

@@ -4,35 +4,35 @@ require "../../src/tasks/utils/utils.cr"
 
 describe "Security" do
 
-  it "'privileged' should pass with a non-privileged cnf", tags: ["privileged"]  do
+  it "'privileged_containers' should pass with a non-privileged cnf", tags: ["privileged"]  do
     begin
       result = ShellCmd.run_testsuite("cnf_setup cnf-config=sample-cnfs/sample-statefulset-cnf/cnf-testsuite.yml")
       Log.debug { result[:output] }
-      result = ShellCmd.run_testsuite("privileged verbose")
+      result = ShellCmd.run_testsuite("privileged_containers verbose")
       result[:status].success?.should be_true
       (/Found.*privileged containers.*coredns/ =~ result[:output]).should be_nil
     ensure
       result = ShellCmd.run_testsuite("cnf_cleanup cnf-config=sample-cnfs/sample-statefulset-cnf/cnf-testsuite.yml")
       Log.debug { result[:output] }
     end
   end
-  it "'privileged' should fail on a non-whitelisted, privileged cnf", tags: ["privileged"] do
+  it "'privileged_containers' should fail on a non-whitelisted, privileged cnf", tags: ["privileged"] do
     begin
       result = ShellCmd.run_testsuite("cnf_setup cnf-config=./sample-cnfs/sample_privileged_cnf/cnf-testsuite.yml verbose wait_count=0")
       result[:status].success?.should be_true
-      result = ShellCmd.run_testsuite("privileged verbose")
+      result = ShellCmd.run_testsuite("privileged_containers verbose")
       result[:status].success?.should be_true
       (/Found.*privileged containers.*/ =~ result[:output]).should_not be_nil
       (/Privileged container (privileged-coredns) in.*/ =~ result[:output]).should_not be_nil
     ensure
       result = ShellCmd.run_testsuite("sample_privileged_cnf_non_whitelisted_cleanup")
     end
   end
-  it "'privileged' should pass on a whitelisted, privileged cnf", tags: ["privileged"] do
+  it "'privileged_containers' should pass on a whitelisted, privileged cnf", tags: ["privileged"] do
     begin
       result = ShellCmd.run_testsuite("cnf_setup cnf-config=./sample-cnfs/sample_whitelisted_privileged_cnf/cnf-testsuite.yml verbose wait_count=0")
       result[:status].success?.should be_true
-      result = ShellCmd.run_testsuite("privileged cnf-config=sample-cnfs/sample_whitelisted_privileged_cnf verbose")
+      result = ShellCmd.run_testsuite("privileged_containers cnf-config=sample-cnfs/sample_whitelisted_privileged_cnf verbose")
       result[:status].success?.should be_true
       (/Found.*privileged containers.*/ =~ result[:output]).should be_nil
     ensure
@@ -219,18 +219,6 @@ describe "Security" do
     end
   end
 
-  it "'privileged_containers' should pass when the cnf has no privileged containers", tags: ["privileged"] do
-    begin
-      result = ShellCmd.run_testsuite("cnf_setup cnf-config=./sample-cnfs/sample-coredns-cnf")
-      result[:status].success?.should be_true
-      result = ShellCmd.run_testsuite("privileged_containers")
-      result[:status].success?.should be_true
-      (/(FAILED).*(Found privileged containers)/ =~ result[:output]).should be_nil
-    ensure
-      result = ShellCmd.run_testsuite("cnf_cleanup cnf-config=./sample-cnfs/sample-coredns-cnf")
-    end
-  end
-
   it "'immutable_file_systems' should fail when the cnf containers with mutable file systems", tags: ["security"] do
     begin
       result = ShellCmd.run_testsuite("cnf_setup cnf-config=./sample-cnfs/sample-coredns-cnf")

src/tasks/workload/security.cr

@@ -7,7 +7,6 @@ require "../utils/utils.cr"
 
 desc "CNF containers should be isolated from one another and the host.  The CNF Test suite uses tools like Sysdig Inspect and gVisor"
 task "security", [
-    "privileged",
     "symlink_file_system",
     "privilege_escalation",
     "insecure_capabilities",
@@ -137,7 +136,7 @@ task "container_sock_mounts" do |t, args|
 end
 
 desc "Check if any containers are running in privileged mode"
-task "privileged" do |t, args|
+task "privileged_containers" do |t, args|
   CNFManager::Task.task_runner(args, task: t) do |args, config|
     white_list_container_names = config.cnf_config[:white_list_container_names]
     VERBOSE_LOGGING.info "white_list_container_names #{white_list_container_names.inspect}" if check_verbose(args)
@@ -397,26 +396,6 @@ task "non_root_containers", ["kubescape_scan"] do |t, args|
   end
 end
 
-desc "Check that privileged containers are not used"
-task "privileged_containers", ["kubescape_scan" ] do |t, args|
-  CNFManager::Task.task_runner(args, task: t) do |args, config|
-    results_json = Kubescape.parse
-    test_json = Kubescape.test_by_test_name(results_json, "Privileged container")
-    test_report = Kubescape.parse_test_report(test_json)
-    resource_keys = CNFManager.workload_resource_keys(args, config)
-    test_report = Kubescape.filter_cnf_resources(test_report, resource_keys)
-
-    #todo whitelist
-    if test_report.failed_resources.size == 0
-      CNFManager::TestcaseResult.new(CNFManager::ResultStatus::Passed, "No privileged containers were found")
-    else
-      test_report.failed_resources.map {|r| stdout_failure(r.alert_message) }
-      stdout_failure("Remediation: #{test_report.remediation}")
-      CNFManager::TestcaseResult.new(CNFManager::ResultStatus::Failed, "Found privileged containers")
-    end
-  end
-end
-
 desc "Check if containers have immutable file systems"
 task "immutable_file_systems", ["kubescape_scan"] do |t, args|
   CNFManager::Task.task_runner(args, task: t) do |args, config|