Check for the recommended security requirements of the container-nati…

…ve operators
redhat-best-practices-for-k8s · Jul 3, 2024 · 4750d6e · 4750d6e
1 parent 438c545
commit 4750d6e
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 16 deletions.
diff --git a/CATALOG.md b/CATALOG.md
@@ -1127,8 +1127,8 @@ Tags|telco,observability
 Property|Description
 ---|---
 Unique ID|operator-automount-tokens
-Description|Tests that check the pods created by the operator ensure that the automount service account token is disabled.
-Suggested Remediation|Ensure that the pods created by the operator have the automount service account token disabled.
+Description|Tests that check that the pods disable the automount service account token."
+Suggested Remediation|Ensure that the pods have the automount service account token disabled.
 Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-operator-requirements
 Exception Process|No exceptions
 Tags|common,operator
@@ -1223,8 +1223,8 @@ Tags|common,operator
 Property|Description
 ---|---
 Unique ID|operator-read-only-file-system
-Description|Tests that check the pods created by the operator ensure that the read-only root filesystem setting is enabled.
-Suggested Remediation|Ensure that the pods created by the operator have the read-only root filesystem setting enabled.
+Description|Tests that check that the pods have the read-only root filesystem setting enabled.
+Suggested Remediation|Ensure that the pods have the read-only root filesystem setting enabled.
 Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-operator-requirements
 Exception Process|No exceptions
 Tags|common,operator
@@ -1239,8 +1239,8 @@ Tags|common,operator
 Property|Description
 ---|---
 Unique ID|operator-run-as-non-root
-Description|Tests that checks the pods created by the operator is run as non root.
-Suggested Remediation|Ensure that the pods created by the operator are run as non-root.
+Description|Tests that checks the pods ensure they are run as non root.
+Suggested Remediation|Ensure that the pods are running as non root.
 Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-operator-requirements
 Exception Process|No exceptions
 Tags|common,operator
@@ -1255,8 +1255,8 @@ Tags|common,operator
 Property|Description
 ---|---
 Unique ID|operator-run-as-user-id
-Description|Tests that checks the user id of the pods created by the operator is not 0
-Suggested Remediation|Ensure that the user ID of the pods created by the operator is not 0.
+Description|Tests that checks the user id of the pods ensure it is not 0.
+Suggested Remediation|Ensure that the user ID of the pods is not 0.
 Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-operator-requirements
 Exception Process|No exceptions
 Tags|common,operator

diff --git a/cnf-certification-test/identifiers/identifiers.go b/cnf-certification-test/identifiers/identifiers.go
@@ -937,7 +937,7 @@ that Node's kernel may not have the same hacks.'`,
 	TestOperatorRunAsUserID = AddCatalogEntry(
 		"run-as-user-id",
 		common.OperatorTestKey,
-		`Tests that checks the user id of the pods created by the operator is not 0`,
+		`Tests that checks the user id of the pods ensure it is not 0.`,
 		OperatorRunAsUserID,
 		NoExceptions,
 		TestOperatorRunAsUserIDDocLink,
@@ -953,7 +953,7 @@ that Node's kernel may not have the same hacks.'`,
 	TestOperatorRunAsNonRoot = AddCatalogEntry(
 		"run-as-non-root",
 		common.OperatorTestKey,
-		`Tests that checks the pods created by the operator is run as non root.`,
+		`Tests that checks the pods ensure they are run as non root.`,
 		OperatorRunAsNonRoot,
 		NoExceptions,
 		TestOperatorRunAsNonRootDocLink,
@@ -969,7 +969,7 @@ that Node's kernel may not have the same hacks.'`,
 	TestOperatorAutomountTokens = AddCatalogEntry(
 		"automount-tokens",
 		common.OperatorTestKey,
-		`Tests that check the pods created by the operator ensure that the automount service account token is disabled.`,
+		`Tests that check that the pods disable the automount service account token."`,
 		OperatorAutomountTokens,
 		NoExceptions,
 		TestOperatorAutomountTokensDocLink,
@@ -985,7 +985,7 @@ that Node's kernel may not have the same hacks.'`,
 	TestOperatorReadOnlyFilesystem = AddCatalogEntry(
 		"read-only-file-system",
 		common.OperatorTestKey,
-		`Tests that check the pods created by the operator ensure that the read-only root filesystem setting is enabled.`,
+		`Tests that check that the pods have the read-only root filesystem setting enabled.`,
 		OperatorReadOnlyFilesystem,
 		NoExceptions,
 		TestOperatorReadOnlyFilesystemDocLink,

diff --git a/cnf-certification-test/identifiers/remediation.go b/cnf-certification-test/identifiers/remediation.go
@@ -83,13 +83,13 @@ const (
 
 	OperatorCrdSchemaIdentifierRemediation = `Ensure that the Operator CRD is defined with OpenAPI spec.`
 
-	OperatorRunAsUserID = `Ensure that the user ID of the pods created by the operator is not 0.`
+	OperatorRunAsUserID = `Ensure that the user ID of the pods is not 0.`
 
-	OperatorRunAsNonRoot = `Ensure that the pods created by the operator are run as non-root.`
+	OperatorRunAsNonRoot = `Ensure that the pods are running as non root.`
 
-	OperatorAutomountTokens = `Ensure that the pods created by the operator have the automount service account token disabled.`
+	OperatorAutomountTokens = `Ensure that the pods have the automount service account token disabled.`
 
-	OperatorReadOnlyFilesystem = `Ensure that the pods created by the operator have the read-only root filesystem setting enabled.`
+	OperatorReadOnlyFilesystem = `Ensure that the pods have the read-only root filesystem setting enabled.`
 
 	OperatorCrdVersioningRemediation = `Ensure that the Operator CRD has a valid version.`