[1993, 1999, 2003] Upgrade Kubescape to v3.0.8 and fix affected tests

[HashNuke]

Related issues

• 1993

• 1999

• 2003

Description

(#1993) Kubescape version check

• Kubescape version is now checked and the tool+framework is redownloaded if the version does not match.
• Avoiding parsing version from the kubescape version command. Don't prefer to maintain a parser for it in the testsuite. We just write the version to a plain text file and check against that.

(#1999) resource_policies

• The Resource Policies control has been split in the Kubescape NSA framework.
• The test has been split in the testsuite accordingly as cpu_limits and memory_limits tests.
• The automated test have also been updated appropriately.
• These new tests have been updated in points.yml and rationale doc and the usage doc.

(#1999) hostpath_mounts

• This control has been removed from the Kubescape NSA framework, but is a still part of the armosec/regolibrary.
• Updated test to run the control directly using the Control ID. We can discuss retaining/removing/replacing this test as a separate discussion.

(#2003) service_account_mapping

The automated spec for service_account_mapping was failing. Turns out that KubectlClient::WORKLOAD_RESOURCES in kubectl_client dependency, did not have ServiceAccount in the list of resources to identify.

The above findings mean that when the Kubescape module's helper functions are used to get the CNF's resources that failed a particular test, the service account is not included as part of CNF's resources.

• An update has been made to kubectl_client repo (in the testsuite/2003 branch), to fix this issue.
• A shard.override.yml file has also been temporarily added to this PR, to point to the updated dependency's branch.

PR to kubectl_client merged. I've tagged a new release v1.0.6 on kubectl_client. The shard.yml of the testsuite has been updated to use this version.

(#1999) platform:control_plane_hardening

Updated test to use new control name in Kubescape NSA framework.

(#1999) platform:cluster_admin

Updated the name of the Kubescape control. This fixes the test.

(#1999) platform:exposed_dashboard removed

• This test does not exist in the Kubescape NSA framework and also not in the armosec regolibrary.
• Removed it from the testsuite too.

non_root_containers

• Fixed non_root_containers spec by updating the sample used for the check.
• Build with error. Screenshot below

(#1999) Other changes

• Upgrades Kubescape version to v3.0.8 (latest)
  • Without this upgrade, linux_hardening test was throwing errors due to invalid rego syntax in the Kubescape control definition.
• Added another option to kubescape scan command to force Kubescape to return v1 format JSON.
  • The Kubescape integration can be updated later as a part of another PR to read JSON v2 output from Kubescape.

Related PRs

• https://github.com/cnf-testsuite/kubectl_client/pull/13

Validation with sample coredns CNF

Tried running workload tests for the sample coredns CNF. No crashes/stacktraces displayed. Tests seem to be running.

How has this been tested:

• [x] Covered by existing integration testing
• [x] Added integration testing to cover
• [ ] Verified all A/C passes
  • [ ] develop
  • [ ] master
  • [ ] tag/other branch
• [x] Test environment
  • [ ] Shared Packet K8s cluster
  • [ ] New Packet K8s cluster
  • [x] Kind cluster
• [ ] Have not tested

Types of changes:

• [x] Bug fix (non-breaking change which fixes an issue)
• [ ] New feature (non-breaking change which adds functionality)
• [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
• [x] Documentation update

Checklist:

Documentation

• [x] My change requires a change to the documentation.
• [x] I have updated the documentation accordingly.
• [ ] No updates required.

Code Review

• [ ] Does the test handle fatal exceptions, ie. rescue block

Issue

• [x] Tasks in issue are checked off

[HashNuke]

Identified an issue with service_account_mapping and reported here - https://github.com/cnti-testcatalog/testsuite/issues/2003

There is one other failure to look into (non_root_containers). Will take a look in a few hours.

[HashNuke]

Updates

The previous build passed - https://github.com/cnti-testcatalog/testsuite/actions/runs/8830493531

To move forward

• I have merged the PR forkubectl_client - https://github.com/cnf-testsuite/kubectl_client/pull/13
• Created a tagged release v1.0.6 for kubectl_client
• Removed shard.override.yml from this PR
• Updated shard.yml to use kubectl_client v1.0.6 and updated shard.lock

Next steps

• I will wait for the build again.
• I will also run the cert command for coredns on the pair machine to verify the changes.