(WIP) Test: Verify if secrets are encrypted

haskojur · haskojur · commit 583e602bd318 · 2024-04-24T08:43:16.000+02:00
diff --git a/RATIONALE.md b/RATIONALE.md
@@ -381,3 +381,6 @@ closing watches for ConfigMaps marked as immutable.*"
 
 #### *Check if Tiller is being used on the plaform*: [Tiller images](docs/LIST_OF_TESTS.md#tiller-images)
 > *Tiller, found in Helm v2, has known security challenges. It requires administrative privileges and acts as a shared resource accessible to any authenticated user. Tiller can lead to privilege escalation as restricted users can impact other users. It is recommend to use Helm v3+ which does not contain Tiller for these reasons
+
+#### *Check if secrets are encrypted on the plaform*: [Kubescape secret/etcd](docs/LIST_OF_TESTS.md#kubescape-secret-etcd)
+> *Secret encryption is not enabled by default in kubernetes environment. As secrets contains sensitive information, it is recommended to encrypt these values. For encrypting secret in etcd, we are using encryption in rest, this will cause, that there wont be secret key value in plain text format anymore in etcd.
diff --git a/USAGE.md b/USAGE.md
@@ -1395,3 +1395,17 @@ Switch to using Helm v3+ and make sure not to pull any images with name tiller i
 </b>
 
 
+## [Kubescape secret/etcd](docs/LIST_OF_TESTS.md#kubescape-secret-etcd)
+
+##### To run the Kubescape secret/etcd test, you can use the following command:
+```
+./cnf-testsuite platform:kubescape_secret_etc
+```
+
+<b>Remediation for failing this test: </b>
+
+Check version of ETCDCTL in etcd pod, it should be v3.+
+
+</b>
+
+
diff --git a/src/tasks/platform/security.cr b/src/tasks/platform/security.cr
@@ -64,25 +64,6 @@ namespace "platform" do
     end
   end
 
-  desc "Kubescape secret/etcd"
-  task "kubescape_secret_etcd", ["kubescape_scan"] do |t, args|
-    next if args.named["offline"]?
-
-    CNFManager::Task.task_runner(args, task: t, check_cnf_installed: false) do |args, config|
-      results_json = Kubescape.parse
-      test_json = Kubescape.test_by_test_name(results_json, "Secret/etcd encryption enabled")
-      test_report = Kubescape.parse_test_report(test_json)
-
-      if test_report.failed_resources.size == 0
-        CNFManager::TestcaseResult.new(CNFManager::ResultStatus::Passed, "Secret/etcd encryption enabled")
-      else
-        test_report.failed_resources.map {|r| stdout_failure(r.alert_message) }
-        stdout_failure("Remediation: #{test_report.remediation}")
-        CNFManager::TestcaseResult.new(CNFManager::ResultStatus::Failed, "Secret/etcd encryption disabled")
-      end
-    end
-  end
-
   desc "Check if the CNF is running containers with name tiller in their image name?"
   task "helm_tiller" do |t, args|
     Kyverno.install
@@ -102,4 +83,23 @@ namespace "platform" do
       end
     end
   end
+
+  desc "Kubescape secret/etcd"
+  task "kubescape_secret_etcd", ["kubescape_scan"] do |t, args|
+    next if args.named["offline"]?
+
+    CNFManager::Task.task_runner(args, task: t, check_cnf_installed: false) do |args, config|
+      results_json = Kubescape.parse
+      test_json = Kubescape.test_by_test_name(results_json, "Secret/etcd encryption enabled")
+      test_report = Kubescape.parse_test_report(test_json)
+
+      if test_report.failed_resources.size == 0
+        CNFManager::TestcaseResult.new(CNFManager::ResultStatus::Passed, "Secret/etcd encryption enabled")
+      else
+        test_report.failed_resources.map {|r| stdout_failure(r.alert_message) }
+        stdout_failure("Remediation: #{test_report.remediation}")
+        CNFManager::TestcaseResult.new(CNFManager::ResultStatus::Failed, "Secret/etcd encryption disabled")
+      end
+    end
+  end
 end
