Restrict Fence Agent Command

[razo7]

Verify and restrict far CRs to specific (and available) agents that exist in the container/pod.

1. Print on start-up the amount and list of available agents.
2. Validate CR agent name with the available agents.
3. Add new unit-test for creating CR with unknown agent name

ECOPROJECT-1753

[openshift-ci[bot]]

Skipping CI for Draft Pull Request. If you want CI signal for your change, please convert it to an actual PR. You can still manually trigger a test run with /test all

[openshift-ci[bot]]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: razo7

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files: - ~~[OWNERS](https://github.com/medik8s/fence-agents-remediation/blob/main/OWNERS)~~ [razo7] Approvers can indicate their approval by writing `/approve` in a comment Approvers can cancel approval by writing `/approve cancel` in a comment

[razo7]

/test 4.14-openshift-e2e /test 4.15-openshift-e2e

[mshitrit]

Following our discussion this PR should be the implementation of the Second option (also pasting here the relevant part).

- At the moment there is no validation for fence agent name so this allow a security breach for the user to execute unwanted commands.
- There are several options on how  to address this:
  - First (simple) option: is a hard coded list of fence agents that will be used for validation
  - Second (advanced) option: retrieving the fence agents name during runtime and use that data for validation.
- The main pro for using the Second option that it'll support  different setups of fence agents (mainly keeping in mind upstream / downstream differences ) where the con is that it is more complicated.

• I couldn't find the logic part that populate the valid fence agents :thinking:
• I don't see a value of using a file, I think it is less secure and more complicated than the alternative. is there a particular reason to use it that I am missing ?

[Edit] Following our conversation I see that the fence_agent file is being populated from /usr/sbin folder during containter build phase here. I would still prefer an in memory list of the fence agents over a file, but I understand that the file implementation is simpler so it's not important enough to be a blocker IMO.

[razo7]

/test 4.14-openshift-e2e /test 4.15-openshift-e2e

[razo7]

/test 4.14-openshift-e2e

[razo7]

/test 4.14-openshift-e2e /test 4.15-openshift-e2e

[mshitrit]

/lgtm

[razo7]

/retest

[razo7]

/retest

[razo7]

/hold We might want to ~to~ do this check in Webhook

[openshift-ci[bot]]

@razo7: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/4.12-openshift-e2e	4b815edeec4d4ab9596d163c03431bcd3bb41e42	link	true	/test 4.12-openshift-e2e

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository. I understand the commands that are listed [here](https://go.k8s.io/bot-commands).

[openshift-merge-robot]

PR needs rebase.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.

[razo7]

close in favor of #119