security requirements of the container-native operators

[shimritproj]

Issue Link
https://issues.redhat.com/browse/CNFCERT-882?filter=-1

This PR includes 4 operator test cases.

• testOperatorPodsRunAsUserID(): This test verifies that no pods managed by operators run with the root user ID (UID) of 0, which could introduce security vulnerabilities.

• testOperatorPodsRunAsNonRoot(): This test ensures that pods managed by operators adhere to security best practices by running as non-root users.

• testOperatorPodsAutomountTokens(): This test evaluates the configuration of automount service tokens in pods managed by operators.

• testOperatorContainersReadOnlyFilesystem(): This test verifies whether containers within pods managed by operators have a read-only root filesystem, enhancing security by preventing unauthorized modifications.

We get pods of all operators and then test the above conditions.

In addition, the 'rbac' folder moved into the 'common' folder because it is used by functions in many places in the code, and we want to avoid duplicating code.

build-depends: https://github.com/dci-labs/dallas-pipelines/pull/1159

[dcibot]

from change #1967:

• SUCCESS https://www.distributed-ci.io/jobs/8186936d-7b21-4ddd-8669-a3da45191ee3/jobStates

[ramperher]

@shimritproj could you add this new test to the CATALOG.md? Thanks

[dcibot]

from change #1967:

• SUCCESS https://www.distributed-ci.io/jobs/54276bb8-3f43-4c76-ae9b-108f7d651f53/jobStates

[ramperher]

from change #1967:

• SUCCESS https://www.distributed-ci.io/jobs/54276bb8-3f43-4c76-ae9b-108f7d651f53/jobStates

Don't know if it's expected, but the four new tests added in this change are all skipped in this DCI job. Are they behaving properly?

[dcibot]

from change #1967:

• SUCCESS https://www.distributed-ci.io/jobs/f74a180e-ebfe-4d0a-9e16-a449b679c176/jobStates

[shimritproj]

from change #1967:

• SUCCESS https://www.distributed-ci.io/jobs/54276bb8-3f43-4c76-ae9b-108f7d651f53/jobStates

Don't know if it's expected, but the four new tests added in this change are all skipped in this DCI job. Are they behaving properly?

I am aware of the issue and actively working on it. This is why I indicated that the PR is still a work in progress and not yet ready for review. @ramperher

[bnshr]

Make changes in all logs wherever applicable.

[dcibot]

from change #1967:

• FAILURE https://www.distributed-ci.io/jobs/6f3135c9-ef56-4bdd-81fb-1df2cab62142/jobStates

[sebrandon1]

/dci-rerun

[dcibot]

from change #1967:

• FAILURE https://www.distributed-ci.io/jobs/4f80b949-b131-42e5-84f2-ad0d4b7db1a6/jobStates

[dcibot]

from change #1967:

• ERROR https://www.distributed-ci.io/jobs/66fbe8cd-a722-47e4-970c-ce30d4f7e714/jobStates

[ramperher]

Reviewed the issue with DCI job, it's because of the workload we're deploying, tests look fine.

[sebrandon1]

@ramperher Does this mean that if we rekick the DCI job the error is handled now as an expected failure?

[dcibot]

from change https://github.com/dci-labs/dallas-pipelines/pull/1159:

• SUCCESS https://www.distributed-ci.io/jobs/8f48b3b3-1ec4-4c23-adf2-0edb7677d190/jobStates

[ramperher]

@ramperher Does this mean that if we rekick the DCI job the error is handled now as an expected failure?

Exactly, we're running an operator that is not under our control, so I assume the tests that were failing before must be considered as exceptions.

[sebrandon1]

/dci-rerun

[dcibot]

from change #1967:

• SUCCESS https://www.distributed-ci.io/jobs/961b66de-dab9-49e2-a1dc-c7b1168bb106/jobStates

[dcibot]

from change #1967:

• SUCCESS https://www.distributed-ci.io/jobs/85120644-3e5b-4df5-9bab-032bf82d3c96/jobStates