Use access-control-security-context-non-root-user-id-check.

.github/workflows/qe-ocp-arm-416.yaml

@@ -94,7 +94,7 @@ jobs:
         with:
           repository: ${{ env.QE_REPO }}
           path: certsuite-qe
-          ref: rename_access_control_test
+          ref: main
 
       - name: Preemptively potential QE namespaces
         run: ./scripts/delete-namespaces.sh

.github/workflows/qe-ocp-pre-main.yaml

@@ -90,7 +90,7 @@ jobs:
         with:
           repository: ${{ env.QE_REPO }}
           path: certsuite-qe
-          ref: rename_access_control_test
+          ref: main
 
       - name: Preemptively potential QE namespaces
         run: ./scripts/delete-namespaces.sh

CATALOG.md

@@ -374,6 +374,22 @@ Tags|extended,access-control
 |Non-Telco|Optional|
 |Telco|Optional|
 
+#### access-control-security-context-non-root-user-id-check
+
+Property|Description
+---|---
+Unique ID|access-control-security-context-non-root-user-id-check
+Description|Checks securityContext's runAsNonRoot and runAsUser fields at pod and container level to make sure containers are not run as root.
+Suggested Remediation|Set the securityContext.runAsNonRoot field to true either at pod or container level. Alternatively, set a non-zero value to securityContext.runAsUser field either at pod or container level.
+Best Practice Reference|https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-cnf-security
+Exception Process|No exceptions - will only be considered under special circumstances. Must identify which container needs access and document why with details.
+Tags|common,access-control
+|**Scenario**|**Optional/Mandatory**|
+|Extended|Mandatory|
+|Far-Edge|Mandatory|
+|Non-Telco|Mandatory|
+|Telco|Mandatory|
+
 #### access-control-security-context-privilege-escalation
 
 Property|Description
@@ -406,22 +422,6 @@ Tags|common,access-control
 |Non-Telco|Optional|
 |Telco|Optional|
 
-#### access-control-security-context-run-as-non-root-user-check
-
-Property|Description
----|---
-Unique ID|access-control-security-context-run-as-non-root-user-check
-Description|Checks securityContext's runAsNonRoot and runAsUser fields at pod and container level to make sure containers are not run as root.
-Suggested Remediation|Set the securityContext.runAsNonRoot field to true either at pod or container level. Alternatively, set a non-zero value to securityContext.runAsUser field either at pod or container level.
-Best Practice Reference|https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-cnf-security
-Exception Process|No exceptions - will only be considered under special circumstances. Must identify which container needs access and document why with details.
-Tags|common,access-control
-|**Scenario**|**Optional/Mandatory**|
-|Extended|Mandatory|
-|Far-Edge|Mandatory|
-|Non-Telco|Mandatory|
-|Telco|Mandatory|
-
 #### access-control-service-type
 
 Property|Description

pkg/provider/pods.go

@@ -520,12 +520,11 @@ func (p *Pod) IsRunAsUserID(uid int64) bool {
 	return *p.Pod.Spec.SecurityContext.RunAsUser == uid
 }
 
-// Returns the list of containers that have the RunAsNonRoot SCC parameter set to false
-// The RunAsNonRoot parameter is checked first at the pod level and acts as a default value
+// Returns the list of containers that have the securityContext.runAsNonRoot set to false and securityContext.runAsUser set to zero.
+// Both parameteters are checked first at the pod level and acts as a default value
 // for the container configuration, if it is not present.
-// The RunAsNonRoot parameter is checked next at the container level.
 // See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
-func (p *Pod) GetRunAsNonRootFalseContainers(knownContainersToSkip map[string]bool) (nonCompliantContainers []*Container, nonComplianceReason []string) {
+func (p *Pod) GetRunAsNonRootFalseContainers(knownContainersToSkip map[string]bool) (nonCompliantContainers []*Container, nonComplianceReasons []string) {
 	// Check pod-level security context this will be set by default for containers
 	// If not already configured at the container level
 	var podRunAsNonRoot *bool
@@ -552,48 +551,11 @@ func (p *Pod) GetRunAsNonRootFalseContainers(knownContainersToSkip map[string]bo
 			continue
 		}
 
-		nonCompliantReason := ""
-		switch {
-		case !isRunAsNonRoot && !isRunAsNonRootUserID:
-			nonCompliantReason = isRunAsNonRootReason + ", " + isRunAsNonRootUserIDReason
-		case !isRunAsNonRoot:
-			nonCompliantReason = isRunAsNonRootReason
-		case !isRunAsNonRootUserID:
-			nonCompliantReason = isRunAsNonRootUserIDReason
-		}
-
 		nonCompliantContainers = append(nonCompliantContainers, cut)
-		nonComplianceReason = append(nonComplianceReason, nonCompliantReason)
+		nonComplianceReasons = append(nonComplianceReasons, isRunAsNonRootReason+", "+isRunAsNonRootUserIDReason)
 	}
 
-	return nonCompliantContainers, nonComplianceReason
-}
-
-// Returns the list of containers that have the RunAsUser SCC parameter set to 0 (root)
-// The RunAsUser parameter is checked first at the pod level and acts as a default value
-// for the container configuration, if it is not present.
-// The RunAsUser parameter is checked next at the container level.
-// See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
-func (p *Pod) GetRunAsNonRootUserIDContainers(knownContainersToSkip map[string]bool) (nonCompliantContainers []*Container, nonComplianceReason []string) {
-	// Check pod-level security context this will be set by default for containers
-	// If not already configured at the container level
-	var podRunAsUserID *int64
-	if p.Pod.Spec.SecurityContext != nil && p.Pod.Spec.SecurityContext.RunAsUser != nil {
-		podRunAsUserID = p.Pod.Spec.SecurityContext.RunAsUser
-	}
-	// Check each container for the RunAsUser parameter.
-	// If it is not present, the pod value applies
-	for _, cut := range p.Containers {
-		if knownContainersToSkip[cut.Name] {
-			continue
-		}
-		if isRunAsNonRootUserID, reason := cut.IsContainerRunAsNonRootUserID(podRunAsUserID); !isRunAsNonRootUserID {
-			// found a container with RunAsNonRoot set to false
-			nonCompliantContainers = append(nonCompliantContainers, cut)
-			nonComplianceReason = append(nonComplianceReason, reason)
-		}
-	}
-	return nonCompliantContainers, nonComplianceReason
+	return nonCompliantContainers, nonComplianceReasons
 }
 
 // Get the list of top owners of pods

tests/accesscontrol/suite.go

@@ -118,7 +118,7 @@ func LoadChecks() {
 			return nil
 		}))
 
-	checksGroup.Add(checksdb.NewCheck(identifiers.GetTestIDAndLabels(identifiers.TestSecConRunAsNonRootIdentifier)).
+	checksGroup.Add(checksdb.NewCheck(identifiers.GetTestIDAndLabels(identifiers.TestSecConNonRootUserIDIdentifier)).
 		WithSkipCheckFn(testhelper.GetNoContainersUnderTestSkipFn(&env)).
 		WithCheckFn(func(c *checksdb.Check) error {
 			testSecConRunAsNonRoot(c, &env)
@@ -350,20 +350,21 @@ func testSecConRunAsNonRoot(check *checksdb.Check, env *provider.TestEnvironment
 	var nonCompliantObjects []*testhelper.ReportObject
 
 	for _, put := range env.Pods {
-		check.LogInfo("Testing Pod %q in namespace %q", put.Name, put.Namespace)
+		check.LogInfo("Testing pod %s/%s", put.Namespace, put.Name)
 		nonCompliantContainers, nonComplianceReason := put.GetRunAsNonRootFalseContainers(knownContainersToSkip)
 		if len(nonCompliantContainers) == 0 {
-			check.LogInfo("Pod %q is configured with RunAsNonRoot=true or RunAsUser!=0 at pod or container level.", put.Name)
-			compliantObjects = append(compliantObjects, testhelper.NewPodReportObject(put.Namespace, put.Name, "Pod is configured with RunAsNonRoot SCC parameter set to true for all of its containers", true))
+			compliantObjects = append(compliantObjects, testhelper.NewPodReportObject(put.Namespace, put.Name, "Pod is configured with RunAsNonRoot=true or RunAsUser!=0 at pod or container level.", true))
 		} else {
-			nonCompliantObjects = append(nonCompliantObjects, testhelper.NewPodReportObject(put.Namespace, put.Name, "Pod is configured with RunAsNonRoot SCC parameter set to false for some of its containers", false))
+			nonCompliantObjects = append(nonCompliantObjects, testhelper.NewPodReportObject(put.Namespace, put.Name, "One or more containers of the pod are running with root user", false))
 			for index := range nonCompliantContainers {
-				check.LogError("Container %q of Pod %q is not compliant: %s", nonCompliantContainers[index].Name, put.Name, nonComplianceReason[index])
-				nonCompliantObjects = append(nonCompliantObjects, testhelper.NewContainerReportObject(put.Namespace, put.Name,
-					nonCompliantContainers[index].Name, fmt.Sprintf("In Container %q of Pod %q, %s", nonCompliantContainers[index].Name, put.Name, nonComplianceReason[index]), false))
+				check.LogError("Pod %s/%s, container %q is not compliant: %s", put.Namespace, put.Name, nonCompliantContainers[index].Name, nonComplianceReason[index])
+
+				nonCompliantObjects = append(nonCompliantObjects, testhelper.NewContainerReportObject(put.Namespace, put.Name, nonCompliantContainers[index].Name,
+					nonComplianceReason[index], false))
 			}
 		}
 	}
+
 	check.SetResult(compliantObjects, nonCompliantObjects)
 }
 

tests/identifiers/identifiers.go

@@ -102,7 +102,6 @@ var (
 	TestRtAppNoExecProbes                             claim.Identifier
 	TestRestartOnRebootLabelOnPodsUsingSRIOV          claim.Identifier
 	TestSecConNonRootUserIDIdentifier                 claim.Identifier
-	TestSecConRunAsNonRootIdentifier                  claim.Identifier
 	TestNetworkAttachmentDefinitionSRIOVUsingMTU      claim.Identifier
 	TestSecContextIdentifier                          claim.Identifier
 	TestSecConPrivilegeEscalation                     claim.Identifier
@@ -600,8 +599,8 @@ func InitCatalog() map[claim.Identifier]claim.TestCaseDescription {
 		},
 		TagFarEdge)
 
-	TestSecConRunAsNonRootIdentifier = AddCatalogEntry(
-		"security-context-run-as-non-root-user-check",
+	TestSecConNonRootUserIDIdentifier = AddCatalogEntry(
+		"security-context-non-root-user-id-check",
 		common.AccessControlTestKey,
 		`Checks securityContext's runAsNonRoot and runAsUser fields at pod and container level to make sure containers are not run as root.`,
 		SecConRunAsNonRootUserRemediation,