[Platform] Security: Does the cluster have RBAC enabled?

[taylor]

Acceptance Criteria

[Platform] Security test: add test rbac_is_enabled to check for RBAC-enabled clusters

Short description of platform test:

• This checks to see if RBAC is enabled and required on a K8s cluster. If so applications deployed to the cluster will need to use RBAC roles.
• This test is in alignment with the Principle of Least Privilege and the best practice for "RBAC should be enabled for K8s clusters by default"

Test Category

• Security

Proof of Concept (if available)

• [ ] N/A

---

Implementation Tasks: TBD

Environment set up tasks:

• [ ]

Upstream tool set up tasks: (test suite + upstream tools)

• [ ]

CNF setup Tasks

• [ ]

Sample CNF tasks:

• [ ]

Code implementation tasks:

• [ ]

Documentation tasks:

• [ ] Update Test Categories md
• [ ] Update USAGE md
• [ ] Update installation instructions if needed

QA tasks

Dev Review:

• [ ] walk through A/C
• [ ] do you get the expected result?
• [ ] if yes,
  • [ ] move to Needs Peer Review column
  • [ ] create Pull Request and follow check list
  • [ ] Assign 1 or more people for peer review
• [ ] if no, document what additional tasks will be needed

Peer review:

• [ ] walk through A/C
• [ ] do you get the expected result?
• [ ] if yes,
  • [ ] move to Reviewer Approved column
  • [ ] Approve pull request
• [ ] if no,
  • [ ] document what did not go as expected, including error messages and screenshots (if possible)
  • [ ] Add comment to pull request
  • [ ] request changes to pull request

[taylor]

DRAFT Acceptance Criteria for peer review

---

Documentation is updated:

• [ ] USAGE.md documentation updated
  • [ ] how to run
  • [ ] details on what the best practice is
  • [ ] why are we testing this
• [ ] CATEGORIES updated
• [ ] If needed, https://github.com/cncf/cnf-testsuite/blob/main/CNF_TESTSUITE_YML_USAGE.md

Common steps

• [ ] Find or create a K8s cluster to use
  • Talk with team for access to an existing cluster
  • Kind K8s clusters will work as well
• [ ] Set the KUBECONFIG environment variable for accessing the target K8s cluster
• [ ] As a developer, Pull down latest version of CNF conformance test code from {FEATURE} branch
  • [ ] Check that {FEATURE} Branch passes all A/C
  • [ ] Check that {FEATURE} Branch passes tests in GitHub Actions
• [ ] As a peer reviewer, check that PR passes in GitHub Actions
  • [ ] if yes, merge PR to master
  • [ ] if no, make a comment and request that developer make changes to pass tests
• x] As a peer reviewer, Pull down latest version of CNF conformance test code from main branch
• [ ] Run shards install

Update Prerequisite checker

• [ ] NA

Update yml validator, if needed

• [ ] update if needed

I would expect Falco to successfully install when the falco setup command runs:

• [ ] Falco is not installed on the K8s cluster or system
• [ ] I run the setup command to install falco. Ex. cnf-testsuite setup falco
• [ ] I should see a message saying Falco was successfully installed

I would expect to PASSED for non_root_user test when running against a CNF which does not run processes as root:

• [ ] Tell the test suite to use a CNF which does not run any processes as root. eg. ./cnf-testsuite cnf_setup cnf-path=sample-cnfs/sample_nonroot
• [ ] Run the non-root user test: ./cnf-testsuite non_root_user
• [ ] I see a PASSED message. Example: PASSED: Root user not found 🚫√

I would expect to see a FAILED result for the non_root_user test, when running against CNF which has processes running as the root :

• [ ] Tell the test suite to use a CNF runs processes as root. eg. ./cnf-testsuite cnf_setup cnf-path=sample-cnfs/sample_coredns
• [ ] Run the non-root user test: ./cnf-testsuite non_root_user
• [ ] I see a PASSED message. Example: ❌ FAILED: Root user found 🚫√

I would expect to see a SKIPPED message for the non_root_user test, if Falco is not installed/available:

• [ ] Ensure Falco is not installed or accessible to the test suite (eg. not in PATH)
• [ ] Tell the test suite which CNF to use eg. ./cnf-testsuite cnf_setup cnf-path=sample-cnfs/sample_nonroot
• [ ] Run the non-root user test: ./cnf-testsuite non_root_user
• [ ] I see a SKIPPED message. Example: >> SKIPPED: Falco not installed, skipped the non_root_user test.

Screenshots of publish tarball test:

• [ ] I can see a screenshots of SUCCESS, FAILED and SKIPPED tests.

[lixuna]

@taylor is this issue still relevant for CNTI?