Closed martin-mat closed 1 month ago
I quickly analyzed this issue, and it seems that the issue is caused by this change: https://github.com/cnti-testcatalog/testsuite/pull/1992
I compared the old nsa.json with the new nsa.json taken after #1992, and unfortunately, the new nsa.json does not define a test called "Resource policies." As a result, the parsing is failing because there are no results for that test in the output JSON from Kubescape.
@HashNuke @martin-mat @wavell this test was removed upstream in this PR https://github.com/kubescape/regolibrary/pull/586
PR to remove was closed without merging. Test renamed. See @HashNuke comments below regarding
Looks like the test was renamed to Resource limits.
The file was renamed twice. The history can be tracked via the new file's link.
controls/resourcepolicies.json -> controls/resourcelimits.json
controls/resourcelimits.json -> controls/C-0009-resourcelimits.json
Documentation for resource limits at: https://hub.armosec.io/docs/c-0009
resource_policies is not the only test impacted. Additional:
hostpath_mounts (also cert/essential) removed by this commit: https://github.com/kubescape/regolibrary/commit/e909c92840bce4cf8cbde9b2ad0f8819a7023d05
and 3 platform security tests: control_plane_hardening cluster_admin exposed_dashboard
In the new version of nsaframework.json for kubescape (available at https://github.com/armosec/regolibrary/releases/download/v1.0.316/nsa ), there is not even a Resource limits test. It appears that this test has been split into two separate tests:
{ "controlID": "C-0270", "patch": { "name": "Ensure CPU limits are set" } }, { "controlID": "C-0271", "patch": { "name": "Ensure memory limits are set" } }
The split was done for that here: https://github.com/kubescape/regolibrary/pull/594
So, I suggest splitting it in the testsuite as well. This will make it more consistent and understandable for users to know which limits are missing, whether it is for CPU or memory.
Got some fixes in this branch that resolves this issue - https://github.com/cnti-testcatalog/testsuite/tree/kubescape-version-check
I'll let the build run and see if there is anything else to resolve.
Okay, @HashNuke, I have seen your changes, so I will let you fix this issue inside that branch.
The changes required to fix the kubescape-related issues are in this PR - https://github.com/cnti-testcatalog/testsuite/pull/2004
Without these combined fixes, the main branch build would just fail. So they all have to go in together.
(copying from https://github.com/cnti-testcatalog/testsuite/pull/2004)
resource_policies test is split into: cpu_limits and memory_limits tests
Because the resource_policies was an essential test, the parts (memory and CPU) that are now two tests have been tagged as essential tests.
@martin-mat @horecoli @HashNuke
Resource limits: Splitting the test seems like a reasonable decision, we were discussing this inside the team and came to the same solution (before Akash's PR).
platform:exposed_dashboard removal: I'm not sure if we should look for ways to replace it later or not. From deleted entry in Rationale.md - this test was existing to cover for a vulnerability in old versions of dashboard. If so - this test might be not needed anymore at all.
Using control id to run tests: Nice solution, didn't even know that there's a possibility to do it like that in Kubescape. Following question: maybe we could move all tests to using control IDs instead of NSA framework? We require only single test results for each testsuite task, is there a reason to run the whole framework each time?
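The two failure modes discussed in this thread, a name-based lookup that silently finds nothing once the upstream control is renamed, and the crash that follows when the parser assumes the result exists, can be contrasted with an ID-based lookup plus a pre-flight check. The following is an added example, not code from the testsuite or from Kubescape; the `summaryDetails.controls` layout keyed by control ID, and the sample scan contents, are constructed assumptions for illustration only.

```python
import json
from typing import Dict, List, Optional

# Constructed sample of a Kubescape scan summary. The "summaryDetails.controls"
# map keyed by control ID is an assumption made for this example, not a copy
# of real scanner output. The two IDs are the split controls named in the thread.
SAMPLE_SCAN = json.dumps({
    "summaryDetails": {
        "controls": {
            "C-0270": {
                "controlID": "C-0270",
                "name": "Ensure CPU limits are set",
                "status": "failed",
                "ResourceCounters": {"passedResources": 5, "failedResources": 2},
            },
            "C-0271": {
                "controlID": "C-0271",
                "name": "Ensure memory limits are set",
                "status": "passed",
                "ResourceCounters": {"passedResources": 7, "failedResources": 0},
            },
        }
    }
})


class ControlNotFound(Exception):
    """The scan output contains no entry for the requested control ID."""


def _controls(scan_json: str) -> Dict[str, dict]:
    """Return the control map from a scan summary (empty if the keys are absent)."""
    data = json.loads(scan_json)
    return data.get("summaryDetails", {}).get("controls", {})


def legacy_status_by_name(scan_json: str, name: str) -> Optional[str]:
    """Name-based lookup, the pattern that broke when upstream renamed the
    control: once the display name changes it returns None, and any caller
    that indexes into that None is where the crash happens."""
    for ctrl in _controls(scan_json).values():
        if ctrl.get("name") == name:
            return ctrl.get("status")
    return None


def control_status(scan_json: str, control_id: str) -> str:
    """ID-based lookup: control IDs survive renames, and a missing ID fails
    with an explicit error that lists what the scan actually contained."""
    controls = _controls(scan_json)
    ctrl = controls.get(control_id)
    if ctrl is None:
        raise ControlNotFound(
            f"{control_id} not present in scan output; available: {sorted(controls)}"
        )
    return ctrl["status"]


def failed_resource_count(scan_json: str, control_id: str) -> int:
    """Number of resources that failed the control (0 if counters are absent)."""
    ctrl = _controls(scan_json).get(control_id)
    if ctrl is None:
        raise ControlNotFound(control_id)
    return int(ctrl.get("ResourceCounters", {}).get("failedResources", 0))


def missing_controls(scan_json: str, required: List[str]) -> List[str]:
    """Pre-flight check: which of the control IDs a test depends on are absent
    from this Kubescape version's output. Running this before parsing turns a
    renamed or removed upstream control into a clear message, not a crash."""
    present = _controls(scan_json)
    return [cid for cid in required if cid not in present]


if __name__ == "__main__":
    print("by old name:", legacy_status_by_name(SAMPLE_SCAN, "Resource policies"))
    print("C-0270 (CPU limits):", control_status(SAMPLE_SCAN, "C-0270"))
    print("C-0271 (memory limits):", control_status(SAMPLE_SCAN, "C-0271"))
    print("missing:", missing_controls(SAMPLE_SCAN, ["C-0270", "C-0271", "C-0009"]))
```

Run against a real scan, `missing_controls` is the check to perform once per Kubescape version bump: it reports the superseded `C-0009` as missing while the split `C-0270`/`C-0271` resolve, which is exactly the signal the testsuite lacked when the rename landed upstream.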
Describe the bug: The upstream Kubescape test has been renamed, causing the testsuite resource_policies test to fail.
"resource_policies" test crashes with an error:
To Reproduce
Expected behavior: the test passes.
Note1: The test may pass in case the old/working kubescape is not wiped. This may also be the reason why GitHub Actions did not detect this.
Note2: the issue was most probably introduced by this change: #1992
Note3: "resource_policies" is an essential certification test.