lfn-cnti / certification

📞📱☎️📡🌐 Cloud Native Telecom Initiative (CNTI) Certification program
https://wiki.lfnetworking.org/display/LN/Certification

"volume_hostpath_not_found" and "hostpath_mounts" tests in "cert essential" are duplicate #132

Open martin-mat opened 2 months ago

martin-mat commented 2 months ago

Both tests test the same functionality - presence of volumes with hostpath storage class. volume_hostpath_not_found tests it using an in-house check, hostpath_mounts uses kubescape. Correct me if I'm missing something.

Also, each test is in a different category: hostpath_mounts -> security, volume_hostpath_not_found -> state.

Proposal - remove one of the tests from certification set. It does not make sense to have 2 tests testing the same functionality.

From the testsuite point of view, it is perhaps not necessary to keep the 2 tests at all. It makes better sense to keep the kubescape implementation and not to keep/maintain the internal implementation.

https://github.com/cnti-testcatalog/testsuite/blob/main/docs/LIST_OF_TESTS.md#volume-hostpath-not-found
https://github.com/cnti-testcatalog/testsuite/blob/main/docs/LIST_OF_TESTS.md#hostpath-mounts

@taylor @Smitholi67 @wavell @horecoli @kosstennbl

taylor commented 1 month ago

@martin-mat after reviewing this, I thought I recalled an issue to remove the duplicate but I am not finding it. I did notice that we addressed the duplication for Kyverno which has https://kyverno.io/policies/pod-security/baseline/disallow-host-path/disallow-host-path/.

@wavell @denverwilliams do you know of a reason to have both implementations active?

I do not see a reason to have both versions. I will say I do not see a reason to allow Kubescape's read-only version feature for mounted paths, but that can be addressed when we remove the duplication.

I suggest we address this first in the test suite directly and then update the certification accordingly. If it is removed in the test suite then we will update the cert itself to match. This ticket can remain open until that is done and referenced from a test suite ticket.
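
As an added illustration (not the testsuite's or Kubescape's code, and not written by anyone in this thread): the kind of check both tests are described as performing, flagging hostPath volumes in a workload manifest, with the read-only flag of each mount reported separately. The sample manifest, function names and output fields are assumptions made for this sketch.

```python
# Constructed Deployment for the example (not taken from the thread).
SAMPLE = {
    "kind": "Deployment",
    "metadata": {"name": "demo-cnf"},
    "spec": {"template": {"spec": {
        "volumes": [
            {"name": "logs", "hostPath": {"path": "/var/log"}},
            {"name": "sock", "hostPath": {"path": "/run/demo.sock"}},
            {"name": "unused", "hostPath": {"path": "/etc"}},
            {"name": "scratch", "emptyDir": {}},
        ],
        "containers": [
            {"name": "app", "volumeMounts": [
                {"name": "logs", "mountPath": "/host/log", "readOnly": True},
                {"name": "scratch", "mountPath": "/tmp"}]},
            {"name": "sidecar", "volumeMounts": [
                {"name": "sock", "mountPath": "/run/demo.sock"}]},
        ],
    }}},
}

def pod_spec(obj):
    """Return the PodSpec of a Pod, a CronJob, or a workload with spec.template."""
    spec = obj.get("spec", {})
    if obj.get("kind") == "Pod":
        return spec
    if obj.get("kind") == "CronJob":
        spec = spec.get("jobTemplate", {}).get("spec", {})
    return spec.get("template", {}).get("spec", {})

def hostpath_findings(obj):
    """List every hostPath volume, who mounts it, and whether any mount is writable."""
    spec = pod_spec(obj)
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    findings = []
    for vol in spec.get("volumes", []):
        if "hostPath" not in vol:
            continue  # emptyDir, configMap, PVC, ... are out of scope here
        mounts = [(c["name"], bool(m.get("readOnly", False)))
                  for c in containers
                  for m in c.get("volumeMounts", [])
                  if m.get("name") == vol["name"]]
        findings.append({
            "volume": vol["name"],
            "path": vol["hostPath"].get("path"),
            "mounts": mounts,  # empty when declared but never mounted
            "writable": any(not ro for _, ro in mounts),
        })
    return findings

if __name__ == "__main__":
    for f in hostpath_findings(SAMPLE):
        print(f)
```

A check that fails on any finding treats read-only and writable hostPath mounts alike; one that fails only when `writable` is true permits read-only mounts.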