(WIP) Test: Verify if secrets are encrypted

cnti-testcatalog · Apr 24, 2024 · bb85848 · bb85848
1 parent 675c9de
commit bb85848
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 0 deletions.
diff --git a/RATIONALE.md b/RATIONALE.md
@@ -381,3 +381,6 @@ closing watches for ConfigMaps marked as immutable.*"
 
 #### *Check if Tiller is being used on the plaform*: [Tiller images](docs/LIST_OF_TESTS.md#tiller-images)
 > *Tiller, found in Helm v2, has known security challenges. It requires administrative privileges and acts as a shared resource accessible to any authenticated user. Tiller can lead to privilege escalation as restricted users can impact other users. It is recommend to use Helm v3+ which does not contain Tiller for these reasons
+
+#### *Check if secrets are encrypted on the plaform*: [Kubescape secret/etcd](docs/LIST_OF_TESTS.md#kubescape-secret-etcd)
+> *Secret encryption is not enabled by default in kubernetes environment. As secrets contains sensitive information, it is recommended to encrypt these values. For encrypting secret in etcd, we are using encryption in rest, this will cause, that there will not be secret key value in plain text format anymore in etcd.
diff --git a/USAGE.md b/USAGE.md
@@ -1395,3 +1395,15 @@ Switch to using Helm v3+ and make sure not to pull any images with name tiller i
 </b>
 
 
+## [Kubescape secret/etcd](docs/LIST_OF_TESTS.md#kubescape-secret-etcd)
+
+##### To run the Kubescape secret/etcd test, you can use the following command:
+```
+./cnf-testsuite platform:kubescape_secret_etc
+```
+
+<b>Remediation for failing this test: </b>
+
+Check version of ETCDCTL in etcd pod, it should be v3.+
+
+</b>
diff --git a/embedded_files/points.yml b/embedded_files/points.yml
@@ -360,6 +360,10 @@
   emoji: "🔓🔑"
   tags: ["platform", "platform:security", "dynamic"]
 
+- name: kubescape_secret_etcd
+  emoji: "🔓🔑"
+  tags: ["platform", "platform:security", "dynamic"]
+
 - name: external_ips
   emoji: "🔓🔑"
   tags: [security, dynamic, workload, cert, normal]

diff --git a/src/tasks/platform/security.cr b/src/tasks/platform/security.cr
@@ -83,4 +83,23 @@ namespace "platform" do
       end
     end
   end
+
+  desc "Kubescape secret/etcd"
+  task "kubescape_secret_etcd", ["kubescape_scan"] do |t, args|
+    next if args.named["offline"]?
+
+    CNFManager::Task.task_runner(args, task: t, check_cnf_installed: false) do |args, config|
+      results_json = Kubescape.parse
+      test_json = Kubescape.test_by_test_name(results_json, "Secret/ETCD encryption enabled")
+      test_report = Kubescape.parse_test_report(test_json)
+
+      if test_report.failed_resources.size == 0
+        CNFManager::TestcaseResult.new(CNFManager::ResultStatus::Passed, "Secret/etcd encryption enabled")
+      else
+        test_report.failed_resources.map {|r| stdout_failure(r.alert_message) }
+        stdout_failure("Remediation: #{test_report.remediation}")
+        CNFManager::TestcaseResult.new(CNFManager::ResultStatus::Failed, "Secret/etcd encryption disabled")
+      end
+    end
+  end
 end