Fix process_api_server test cases. (#393)

Fix process_api_server test cases.

These cases used to break the cluster, mostly due to bad
configuration values.

Author: yashtewari

tests/commonlib/io_utils.py

@@ -120,6 +120,11 @@ def exec_command(container_name: str, command: str, param_value: str, resource:
             open(param_value, "a+").close()
             return
 
+        if command == 'cat':
+            with open(resource, 'w') as f:
+                f.write(param_value)
+            return
+
         if container_name == '':
             raise Exception("Unknown container name is sent")
 

tests/product/tests/conftest.py

@@ -57,6 +57,25 @@ def config_node_pre_test(cloudbeat_start_stop):
         '/var/lib/etcd/some_file.txt',
         '/etc/kubernetes/pki/some_file.txt'
     ]
+
+    config_files = {
+        '/etc/kubernetes/pki/admission_config.yaml': '''apiVersion: apiserver.config.k8s.io/v1
+kind: AdmissionConfiguration
+plugins:
+  - name: EventRateLimit
+    path: /etc/kubernetes/pki/event_config.yaml''',
+        '/etc/kubernetes/pki/event_config.yaml': '''apiVersion: eventratelimit.admission.k8s.io/v1alpha1
+kind: Configuration
+limits:
+  - type: Namespace
+    qps: 50
+    burst: 100
+    cacheSize: 2000
+  - type: User
+    qps: 10
+    burst: 50'''
+    }
+
     # create temporary files:
     for node in nodes:
         if node.metadata.name != cloudbeat_agent.node_name:
@@ -67,7 +86,15 @@ def config_node_pre_test(cloudbeat_start_stop):
                                 param_value=temp_file,
                                 resource='')
 
+    # create config files:
+    for config_file, contents in config_files.items():
+        api_client.exec_command(container_name=node.metadata.name,
+                                command='cat',
+                                param_value=contents,
+                                resource=config_file)
+
     yield k8s_client, api_client, cloudbeat_agent
+
     # delete temporary files:
     for node in nodes:
         if node.metadata.name != cloudbeat_agent.node_name:

tests/product/tests/data/process/process_test_cases.py

@@ -6,26 +6,6 @@
 from commonlib.framework.reporting import skip_param_case, SkipReportData
 
 cis_1_2_4 = [(
-    'CIS 1.2.4',
-    {
-        "set": {
-            "--kubelet-https": "false",
-        },
-    },
-    '/etc/kubernetes/manifests/kube-apiserver.yaml',
-    'failed'
-),
-    (
-        'CIS 1.2.4',
-        {
-            "set": {
-                "--kubelet-https": "true",
-            },
-        },
-        '/etc/kubernetes/manifests/kube-apiserver.yaml',
-        'passed'
-),
-    (
         'CIS 1.2.4',
         {
             "unset": [
@@ -416,16 +396,16 @@
 )]
 
 cis_1_2_5 = [(
-    'CIS 1.2.5',
-    {
-        "set": {
-            "--kubelet-client-certificate": "/etc/kubernetes/pki/apiserver-kubelet-client.crt ",
-            "--kubelet-client-key": "/etc/kubernetes/pki/apiserver-kubelet-client.key"
-        }
-    },
-    '/etc/kubernetes/manifests/kube-apiserver.yaml',
-    'passed'
-)]
+        'CIS 1.2.5',
+        {
+            "set": {
+                "--kubelet-client-certificate": "/etc/kubernetes/pki/apiserver-kubelet-client.crt",
+                "--kubelet-client-key": "/etc/kubernetes/pki/apiserver-kubelet-client.key"
+            }
+        },
+        '/etc/kubernetes/manifests/kube-apiserver.yaml',
+        'passed'
+    )]
 
 cis_1_2_6 = [(
     'CIS 1.2.6',
@@ -535,12 +515,13 @@
         'CIS 1.2.10',
         {
             "set": {
-                "--enable-admission-plugins": "EventRateLimit"
+                "--enable-admission-plugins": "EventRateLimit",
+                "--admission-control-config-file": "/etc/kubernetes/pki/admission_config.yaml",
             }
         },
         '/etc/kubernetes/manifests/kube-apiserver.yaml',
-        'passed'
-)]
+        'passed',
+    )]
 
 cis_1_2_11 = [(
     'CIS 1.2.11',
@@ -595,15 +576,25 @@
 )]
 
 cis_1_2_13 = [(
-    'CIS 1.2.13',
-    {
-        "set": {
-            "--enable-admission-plugins": "AlwaysDeny"
-        }
-    },
-    '/etc/kubernetes/manifests/kube-apiserver.yaml',
-    'failed'
-),
+        'CIS 1.2.13',
+        {
+            "unset": [
+                "--enable-admission-plugins"
+            ]
+        },
+        '/etc/kubernetes/manifests/kube-apiserver.yaml',
+        'failed'
+    ),
+    (
+        'CIS 1.2.13',
+        {
+            "set": {
+                "--enable-admission-plugins": "AlwaysPullImages"
+            }
+        },
+        '/etc/kubernetes/manifests/kube-apiserver.yaml',
+        'failed'
+    ),
     (
         'CIS 1.2.13',
         {
@@ -697,16 +688,6 @@
     },
     '/etc/kubernetes/manifests/kube-apiserver.yaml',
     'passed'
-),
-    (
-        'CIS 1.2.17',
-        {
-            "set": {
-                "--secure-port": "260492"
-            }
-        },
-        '/etc/kubernetes/manifests/kube-apiserver.yaml',
-        'failed'
 ),
     (
         'CIS 1.2.17',
@@ -855,14 +836,14 @@
 )]
 
 cis_1_2_23 = [(
-    'CIS 1.2.23',
-    {
-        "set": {
-            "--request-timeout": "-1s"
-        }
-    },
-    '/etc/kubernetes/manifests/kube-apiserver.yaml',
-    'failed'
+        'CIS 1.2.23',
+        {
+            "set": {
+                "--request-timeout": "59s"
+            }
+        },
+        '/etc/kubernetes/manifests/kube-apiserver.yaml',
+        'failed'
 ),
     (
         'CIS 1.2.23',
@@ -974,36 +955,37 @@
 )]
 
 cis_1_2_32 = [(
-    'CIS 1_2_32',
-    {
-        "set": {
-            "--tls-cipher-suites": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_DUMMY"
-        }
-    },
-    '/etc/kubernetes/manifests/kube-apiserver.yaml',
-    'failed'
-),
-    (
-        'CIS 1_2_32',
+        'CIS 1.2.32',
         {
             "set": {
                 "--tls-cipher-suites": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
             }
         },
         '/etc/kubernetes/manifests/kube-apiserver.yaml',
         'passed'
-),
+    ),
     (
-        'CIS 1_2_32',
+        'CIS 1.2.32',
         {
             "set": {
                 "--tls-cipher-suites":
-                    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+                    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
             }
         },
         '/etc/kubernetes/manifests/kube-apiserver.yaml',
         'passed'
-)]
+    ),
+    (
+        'CIS 1.2.32',
+        {
+            "set": {
+                "--tls-cipher-suites":
+                    "TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
+            }
+        },
+        '/etc/kubernetes/manifests/kube-apiserver.yaml',
+        'failed'
+    )]
 
 cis_4_2_1 = [(
     'CIS 4.2.1',
@@ -1301,51 +1283,44 @@
 
 api_server_rules = [
     *cis_1_2_2,
-    *skip_param_case(skip_list=[*cis_1_2_3,
-                                *cis_1_2_4,
-                                *cis_1_2_5
-                                ],
+    *skip_param_case(skip_list=[*cis_1_2_3],
                      data_to_report=SkipReportData(
-                         skip_reason="This case fails and breaks cluster")
-                     ),
+                        url_title="security-team: #4975",
+                        url_link="https://github.com/elastic/security-team/issues/4975",
+                        skip_reason="Known issue: rule not implemented"
+                    )),
+    *cis_1_2_4,
+    *cis_1_2_5,
     *cis_1_2_6,
     *cis_1_2_7,
     *cis_1_2_8,
-    *skip_param_case(skip_list=[*cis_1_2_9,
-                                *cis_1_2_10
-                                ],
+    *cis_1_2_9[:1],
+    *skip_param_case(skip_list=[*cis_1_2_9[1:], *cis_1_2_10],
                      data_to_report=SkipReportData(
-                         skip_reason="This case fails and breaks cluster")
-                     ),
+                        url_title="security-team: #5128",
+                        url_link="https://github.com/elastic/security-team/issues/5128",
+                        skip_reason="Known issue: connection errors"
+                    )),
     *cis_1_2_11,
     *cis_1_2_12,
     *cis_1_2_13,
     *cis_1_2_14,
     *cis_1_2_15,
     *cis_1_2_16,
-    *skip_param_case(skip_list=[*cis_1_2_17],
-                     data_to_report=SkipReportData(
-                         skip_reason="This case fails and breaks cluster")
-                     ),
+    *cis_1_2_17,
     *cis_1_2_18,
     *cis_1_2_19,
     *cis_1_2_20,
     *cis_1_2_21,
     *cis_1_2_22,
-    *skip_param_case(skip_list=[*cis_1_2_23],
-                     data_to_report=SkipReportData(
-                         skip_reason="This case fails and breaks cluster")
-                     ),
+    *cis_1_2_23,
     *cis_1_2_24,
     *cis_1_2_25,
     *cis_1_2_26,
     *cis_1_2_27,
     *cis_1_2_28,
     *cis_1_2_29,
-    *skip_param_case(skip_list=[*cis_1_2_32],
-                     data_to_report=SkipReportData(
-                         skip_reason="This case fails and breaks cluster")
-                     )
+    *cis_1_2_32,
 ]
 
 controller_manager_rules = [