From eed102690ea27a7904001fde708146753b8b3cc2 Mon Sep 17 00:00:00 2001 From: Brandon Palm Date: Wed, 3 Jul 2024 10:13:57 -0500 Subject: [PATCH] Add ignored container names --- cnf-certification-test/operator/suite.go | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/cnf-certification-test/operator/suite.go b/cnf-certification-test/operator/suite.go index eccd841fb8..40718d40c8 100644 --- a/cnf-certification-test/operator/suite.go +++ b/cnf-certification-test/operator/suite.go @@ -373,6 +373,8 @@ func testOperatorPodsRunAsNonRoot(check *checksdb.Check, env *provider.TestEnvir var compliantObjects []*testhelper.ReportObject var nonCompliantObjects []*testhelper.ReportObject + var knownContainersToSkip = []string{"kube-rbac-proxy"} + for csv, pods := range env.CSVToPodListMap { CsvResult := SplitCsv(csv) check.LogInfo("Name of csv: %q in namespaces: %q", CsvResult.NameCsv, CsvResult.Namespace) @@ -380,6 +382,21 @@ func testOperatorPodsRunAsNonRoot(check *checksdb.Check, env *provider.TestEnvir check.LogInfo("Testing Pod %q in namespace %q", pod.Name, pod.Namespace) // We are looking through both the containers and the pods separately to make compliant and non-compliant objects. for _, c := range pod.Containers { + + skipKnownContainer := false + for _, k := range knownContainersToSkip { + if c.Name == k { + check.LogInfo("Skipping container %q in Pod %q", c.Name, pod.Name) + compliantObjects = append(compliantObjects, testhelper.NewPodReportObject(c.Namespace, c.Name, "Container is allowed to run as root", true)) + skipKnownContainer = true + break + } + } + + if skipKnownContainer { + continue + } + if c.IsContainerRunAsNonRoot() { check.LogInfo("Container %q in Pod %q is running as non-root", c.Name, pod.Name) compliantObjects = append(compliantObjects, testhelper.NewPodReportObject(c.Namespace, c.Name, "Container is running as non-root", true))