skip more checkov checks based on

- openshift pod security mutations (added separate test for this)
- sandbox use of limit ranges for cpu/mem requests/limits
- deferral for now on requiring liveness / readiness probes
- pedantic host network checks (added separate test for this)
- argocd has to manipluate cluster scoped validatingwebhookconfigurations
- deferral on network policies for blocking ingress/egress
- chains/pac need to access secrets in arbitrary namespaces
add openshift scc / pod security check to tests
add openshift pod host network checks to tests

Author: gabemontero

ci/images/static-checks/content/config/checkov.yaml

@@ -13,7 +13,47 @@ quiet: true
 skip-check:
   # skip Healthcheck instruction error for Docker Images
   - CKV_DOCKER_2
+  # not enforcing liveness/readiness probes at this time; minimally, chains, results, metric exporter do not have
+  # we have opened https://github.com/tektoncd/results/issues/280 upstream
+  - CKV_K8S_8
+  - CKV_K8S_9
+  # RHTAP utilizes LimitRanges for cpu/mem requests and limits settings (handles 10-13)
+  - CKV_K8S_10
+  - CKV_K8S_11
+  - CKV_K8S_12
+  - CKV_K8S_13
+  # image ref related
+  - CKV_K8S_43 # deployments referenced by checkov are either items like chains which will be replace by openshift-pipelines 1.10 or a fooled by our use of kustomize for image setting
+  - CKV_K8S_14 # deployments referenced by checkov are either items like chains which will be replace by openshift-pipelines 1.10 or a fooled by our use of kustomize for image setting
+  - CKV_K8S_15 # with sha specific image refs setting pull policy to always is redundant and negates us of openshift node cache
+  # need to reivew chains/pac needs to read secrets in a couple of namespaces, not a clusterrolebinding, create webhooks
+  - CKV2_K8S_5
+  # there is no use of hostPID, hostIPC, hostNetwork in repo, but scan complains about not setting explicitly to false
+  # will check in live tests
+  - CKV_K8S_17
+  - CKV_K8S_18
+  - CKV_K8S_19
+  # openshift scc / security addresses these check by mutating pod under the covers
+  # with pods getting assigned the restricted scc unless explicitly allowed otherwise
+  - CKV_K8S_20 # no allowPrivilegeEscalation
+  - CKV_K8S_22 # read only FS
+  - CKV_K8S_23 # admission of root containers
+  - CKV_K8S_25 # we are not adding capabilities, running under restricted-scc
+  - CKV_K8S_28 # admission of NET RAW capability
+  - CKV_K8S_29 # apply security context to pod and containers
+  - CKV_K8S_30 # apply security context to containers
+  - CKV_K8S_31 # runtime/default seccomp profile
+  - CKV_K8S_33 # also, no kubernetes-dashboard on openshift
+  - CKV_K8S_37 # any capabilities
+  - CKV_K8S_38 # our pods almost always a) need to access api svr, b) do not have privileged SA
+  - CKV_K8S_40 # high UID number
+  - CKV_K8S_35 # opened https://github.com/tektoncd/results/issues/432 for secrets via env var
+  # need to allow argocd to create/delete the validatingadmissionwebhooks for tekton (core part of knative)
+  - CKV_K8S_155
+  - CKV_K8S_157
+  - CKV2_K8S_6 # use NetworkPolicy like what registration-service and integration-service employ are untenable for tekton controllers
 skip-fixes: true
-soft-fail: true
+soft-fail: false
 skip-path:
   - developer
+  - ci

operator/test/test.sh

@@ -19,7 +19,7 @@ Optional arguments:
         Default value: \$KUBECONFIG
     -t, --test TEST
         Name of the test to be executed. Can be repeated to run multiple tests.
-        Must be one of: chains, pipelines, results.
+        Must be one of: chains, pipelines, results, security.
         Default: Run all tests.
     -d, --debug
         Activate tracing/debug mode.
@@ -62,7 +62,7 @@ parse_args() {
   done
   DEBUG="${DEBUG:-}"
   if [ "${#TEST_LIST[@]}" = "0" ]; then
-    TEST_LIST=("chains" "pipelines" "results")
+    TEST_LIST=("chains" "pipelines" "results" "security")
   fi
 }
 
@@ -96,6 +96,60 @@ wait_for_pipeline() {
   kubectl wait --for=condition=succeeded "$1" -n "$2" --timeout 60s >/dev/null
 }
 
+check_pod_security() {
+  sccs="$(kubectl get pod -o name -n "$1" | xargs -l -r kubectl get -o jsonpath='{.metadata.annotations.openshift\.io/scc}' -n "$1")"
+  if [[ "$sccs" =~ "restricted-v2" ]]; then
+     prune="$(echo "$sccs" | sed 's/restricted-v2//g')"
+     # if anything besides restricted-v2 is in there, we want to investigate
+     if [ -z "$prune" ]; then
+       echo "   - OK pod security for $1"
+     else
+       echo "Failed, scc's are "
+       echo "$sccs"
+       echo "[ERROR] Unexpected $1 pod security context constraints" >&2
+       exit 1
+     fi
+  else
+     # if none of the pods are restricted-v2, we want to investigate
+     echo "Failed, scc's are "
+     echo "$sccs"
+     echo "[ERROR] Unexpected $1 pod security context constraints" >&2
+     exit 1
+  fi
+
+}
+
+check_host_network() {
+  # got to '|| true' or the script exits with the rc 1 that grep returns if nothing found
+  hostipc="$(kubectl get pods -o yaml -n "$1" | grep "hostIPC" || true )"
+  if [ -z "$hostipc" ]; then
+    echo "   - OK hostIPC settings for $1"
+  else
+       echo "Failed, hostIPC's are "
+       echo "$hostipc"
+       echo "[ERROR] Unexpected $1 hostIPC settings" >&2
+       exit 1
+  fi
+  hostpid="$(kubectl get pods -o yaml -n "$1" | grep "hostPID" || true )"
+  if [ -z "$hostpid" ]; then
+    echo "   - OK hostPID settings for $1"
+  else
+       echo "Failed, hostPID's are "
+       echo "$hostipc"
+       echo "[ERROR] Unexpected $1 hostPID settings" >&2
+       exit 1
+  fi
+  hostnetwork="$(kubectl get pods -o yaml -n "$1" | grep "hostNetwork" || true )"
+  if [ -z "$hostnetwork" ]; then
+    echo "   - OK hostNetwork settings for $1"
+  else
+       echo "Failed, hostNetwork's are "
+       echo "$hostnetwork"
+       echo "[ERROR] Unexpected $1 hostNetwork settings" >&2
+       exit 1
+  fi
+}
+
 test_chains() {
   kubectl apply -k "$SCRIPT_DIR/manifests/test/tekton-chains" -n "$NAMESPACE" >/dev/null
 
@@ -160,6 +214,7 @@ test_chains() {
     echo "[ERROR] Public key is not accessible" >&2
     exit 1
   fi
+
   echo
 }
 
@@ -178,9 +233,32 @@ test_pipelines() {
       kubectl create -n "$NAMESPACE" -f - | cut -d" " -f1
   )
   wait_for_pipeline "$pipeline_name" "$NAMESPACE"
+
   echo "OK"
 }
 
+test_security() {
+  echo " - Check security: "
+  echo "  - Check Pod Security openshift-pipelines: "
+  check_pod_security "openshift-pipelines"
+  echo "  - Check Pod Host Network openshift-pipelines: "
+  check_host_network "openshift-pipelines"
+
+  echo "  - Check Pod Security pipelines-as-code: "
+  check_pod_security "pipelines-as-code"
+  echo "  - Check Pod Host Network pipelines-as-code: "
+  check_host_network "pipelines-as-code"
+
+  echo "  - Check Pod Security tekton-results: "
+  check_pod_security "tekton-results"
+  echo "  - Check Pod Host Network tekton-results: "
+  check_host_network "tekton-results"
+  echo "  - Check Pod Security tekton-chains: "
+  check_pod_security "tekton-chains"
+  echo "  - Check Pod Host Network tekton-chains: "
+  check_host_network "tekton-chains"
+}
+
 test_results() {
   test_pipelines
   echo -n "  - Results in database:"
@@ -250,6 +328,7 @@ test_results() {
   sleep 10
   fetch_results_using_rest "records"
   fetch_results_using_rest "logs"
+
   echo
 }
 
@@ -259,7 +338,7 @@ main() {
   setup_test
   for case in "${TEST_LIST[@]}"; do
     case $case in
-    chains | pipelines | results)
+    chains | pipelines | results | security)
       echo "[$case]"
       test_"$case"
       echo