feat: new analyzers ()
* chore: rebased
chore: removed trivy

Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* chore: updated deps

Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* fix: missing error

Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* fix: missing error

Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* feat: switching old sonnet to message API

Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* feat: added three new analyzers

Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* chore(main): release 0.4.2 ()

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* docs: remove extra dollar sign in README.md ()

Signed-off-by: Qian_Xiao <heyheyco@gmail.com>
Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* test: add tests for `k8sgpt/pkg/analyzer/events.go` ()

* test: add tests for events_test.go

Signed-off-by: Eshaan Aggarwal <96648934+EshaanAgg@users.noreply.github.com>

* feat: fixed event tests

Signed-off-by: Alex Jones <alexsimonjones@gmail.com>

---------

Signed-off-by: Eshaan Aggarwal <96648934+EshaanAgg@users.noreply.github.com>
Signed-off-by: Alex Jones <alexsimonjones@gmail.com>
Co-authored-by: Alex Jones <alexsimonjones@gmail.com>
Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* docs: add table of contents and cleanup ()

Signed-off-by: hadi2f244 <m.h.azaddel@gmail.com>
Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* chore: linter ()

* chore: changing linter

Signed-off-by: Alex Jones <alexsimonjones@gmail.com>

* chore: changing linter

Signed-off-by: Alex Jones <alexsimonjones@gmail.com>

* chore: changing linter

Signed-off-by: Alex Jones <alexsimonjones@gmail.com>

---------

Signed-off-by: Alex Jones <alexsimonjones@gmail.com>
Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* chore(deps): pin golangci/golangci-lint-action action to 1481404 ()

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* chore(deps): update goreleaser/goreleaser-action digest to 9c156ee ()

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* fix: prometheus UTF8Validation ()

Signed-off-by: Kay Yan <kay.yan@daocloud.io>
Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* fix(deps): update module gopkg.in/yaml.v2 to v3 ()

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* chore: added new AmazonBedrock model  ()

* Update AI Bedrock region - Added mumbai region

Signed-off-by: Sakshi Singh <66963254+sakshirajput02@users.noreply.github.com>

* Update amazonbedrock.go

Signed-off-by: Sakshi Singh <66963254+sakshirajput02@users.noreply.github.com>

* Added new AI model to work for the ap-south-1 region (which does not use inference profiles)

Signed-off-by: Sakshi Singh <66963254+sakshirajput02@users.noreply.github.com>

---------

Signed-off-by: Sakshi Singh <66963254+sakshirajput02@users.noreply.github.com>
Co-authored-by: Alex Jones <alexsimonjones@gmail.com>
Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* chore(main): release 0.4.3 ()

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* chore(deps): update module github.com/docker/docker to v28 ()

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* chore: updating deps ()

Signed-off-by: Alex Jones <alexsimonjones@gmail.com>
Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* chore(deps): update docker/setup-buildx-action digest to b5ca514 ()

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* chore(main): release 0.4.4 ()

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* chore: fix workflows ()

Signed-off-by: Alex Jones <alexsimonjones@gmail.com>
Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* chore(main): release 0.4.5 ()

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* chore: fixing docker build push action ()

Signed-off-by: Alex Jones <alexsimonjones@gmail.com>
Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* chore: updated actor for login ()

Signed-off-by: Alex Jones <alexsimonjones@gmail.com>
Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* chore(deps): pin docker/build-push-action action to 471d1dc ()

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* chore(main): release 0.4.6 ()

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* chore: fixing build ()

Signed-off-by: Alex Jones <alexsimonjones@gmail.com>
Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* chore(deps): update actions/upload-artifact digest to ea165f8 ()

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* chore(main): release 0.4.7 ()

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* chore: removed krew release ()

Signed-off-by: Alex Jones <alexsimonjones@gmail.com>
Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* chore(main): release 0.4.8 ()

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* chore: fixing ()

Signed-off-by: Alex Jones <alexsimonjones@gmail.com>
Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* chore(deps): pin dependencies ()

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* chore(main): release 0.4.9 ()

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* fix: pod analyzer catches errors when containers are in Terminated state ()

Signed-off-by: Guoxun Wei <guwe@microsoft.com>
Co-authored-by: Alex Jones <alexsimonjones@gmail.com>
Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* feat: add a naive support of bedrock inference profile ()

* feat: add a naive support of bedrock inference profile

Signed-off-by: Tony Chen <tony_chen@discovery.com>

* feat: improving the tests

Signed-off-by: Alex Jones <alexsimonjones@gmail.com>

---------

Signed-off-by: Tony Chen <tony_chen@discovery.com>
Signed-off-by: Alex Jones <alexsimonjones@gmail.com>
Co-authored-by: Alex Jones <alexsimonjones@gmail.com>
Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* fix(deps): update module gopkg.in/yaml.v2 to v3 ()

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* fix(deps): update module helm.sh/helm/v3 to v3.17.3 [security] ()

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* chore(main): release 0.4.10 ()

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* feat: call bedrock with inference profile ()

* call bedrock with inference profile

Signed-off-by: Tony Chen <tony_chen@discovery.com>

* add validation and test

Signed-off-by: Tony Chen <tony_chen@discovery.com>

* update test

Signed-off-by: Tony Chen <tony_chen@discovery.com>

---------

Signed-off-by: Tony Chen <tony_chen@discovery.com>
Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* fix(deps): update module gopkg.in/yaml.v2 to v3 ()

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* docs: fix the slack invite link ()

Signed-off-by: Pengfei Ni <feiskyer@gmail.com>
Co-authored-by: Alex Jones <alexsimonjones@gmail.com>
Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* feat: add verbose flag to enable detailed output ()

* feat: add verbose flag to enable detailed output

Signed-off-by: Yicheng <36285652+zyc140345@users.noreply.github.com>

* test: add verbose output tests for analysis.go and root.go

Signed-off-by: Yicheng <36285652+zyc140345@users.noreply.github.com>

---------

Signed-off-by: Yicheng <36285652+zyc140345@users.noreply.github.com>
Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* fix(deps): update module gopkg.in/yaml.v2 to v3 ()

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* feat: improved test coverage ()

Signed-off-by: Alex Jones <alexsimonjones@gmail.com>
Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* fix: config ai provider in query ()

Signed-off-by: Guoxun Wei <guwe@microsoft.com>
Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* chore(main): release 0.4.11 ()

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* chore: fixed test

Signed-off-by: AlexsJones <alexsimonjones@gmail.com>

* chore: fixed test

---------

Signed-off-by: AlexsJones <alexsimonjones@gmail.com>
Signed-off-by: Qian_Xiao <heyheyco@gmail.com>
Signed-off-by: Eshaan Aggarwal <96648934+EshaanAgg@users.noreply.github.com>
Signed-off-by: Alex Jones <alexsimonjones@gmail.com>
Signed-off-by: hadi2f244 <m.h.azaddel@gmail.com>
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Kay Yan <kay.yan@daocloud.io>
Signed-off-by: Sakshi Singh <66963254+sakshirajput02@users.noreply.github.com>
Signed-off-by: Guoxun Wei <guwe@microsoft.com>
Signed-off-by: Tony Chen <tony_chen@discovery.com>
Signed-off-by: Pengfei Ni <feiskyer@gmail.com>
Signed-off-by: Yicheng <36285652+zyc140345@users.noreply.github.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Qian_Xiao <heyheyco@gmail.com>
Co-authored-by: Eshaan Aggarwal <96648934+EshaanAgg@users.noreply.github.com>
Co-authored-by: Hadi Azaddel <m.h.azaddel@gmail.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Kay Yan <kay.yan@daocloud.io>
Co-authored-by: Sakshi Singh <66963254+sakshirajput02@users.noreply.github.com>
Co-authored-by: gossion <guwe@microsoft.com>
Co-authored-by: ju187 <tony_chen@discovery.com>
Co-authored-by: Pengfei Ni <feiskyer@users.noreply.github.com>
Co-authored-by: Yicheng <36285652+zyc140345@users.noreply.github.com>

/*
Copyright 2024 The K8sGPT Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package analyzer
import (
"context"
"testing"
"github.com/k8sgpt-ai/k8sgpt/pkg/common"
"github.com/k8sgpt-ai/k8sgpt/pkg/kubernetes"
"github.com/stretchr/testify/assert"
v1 "k8s.io/api/core/v1"
rbacv1 "k8s.io/api/rbac/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/client-go/kubernetes/fake"
)
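// TestSecurityAnalyzer seeds a fake clientset with one misconfiguration per
// case, runs SecurityAnalyzer over the namespace and checks that exactly one
// result is reported per expected Kind and that nothing else is reported.
//
// The fixtures cover three classes of finding: a Pod that runs under the
// namespace's "default" ServiceAccount, a container that requests
// Privileged: true, and a RoleBinding whose referenced Role grants the "*"
// verb. The RoleBinding fixture deliberately names no Subjects, so the
// finding is presumably keyed on the referenced Role's rules rather than on
// who is bound.
func TestSecurityAnalyzer(t *testing.T) {
	tests := []struct {
		name            string
		namespace       string
		serviceAccounts []v1.ServiceAccount
		pods            []v1.Pod
		roles           []rbacv1.Role
		roleBindings    []rbacv1.RoleBinding
		// expectedErrors is the total number of results Analyze must return;
		// expectedKinds lists the Kind of each of them, so its length must
		// agree with expectedErrors.
		expectedErrors int
		expectedKinds  []string
	}{
		{
			name:      "default service account usage",
			namespace: "default",
			serviceAccounts: []v1.ServiceAccount{
				{
					ObjectMeta: metav1.ObjectMeta{
						Name:      "default",
						Namespace: "default",
					},
				},
			},
			pods: []v1.Pod{
				{
					ObjectMeta: metav1.ObjectMeta{
						Name:      "test-pod",
						Namespace: "default",
					},
					Spec: v1.PodSpec{
						ServiceAccountName: "default",
					},
				},
			},
			// Both the ServiceAccount itself and the Pod using it are reported.
			expectedErrors: 2,
			expectedKinds:  []string{"Security/ServiceAccount", "Security/Pod"},
		},
		{
			name:      "privileged container",
			namespace: "default",
			pods: []v1.Pod{
				{
					ObjectMeta: metav1.ObjectMeta{
						Name:      "privileged-pod",
						Namespace: "default",
					},
					Spec: v1.PodSpec{
						Containers: []v1.Container{
							{
								Name: "privileged-container",
								SecurityContext: &v1.SecurityContext{
									Privileged: boolPtr(true),
								},
							},
						},
					},
				},
			},
			expectedErrors: 1,
			expectedKinds:  []string{"Security/Pod"},
		},
		{
			name:      "wildcard permissions in role",
			namespace: "default",
			roles: []rbacv1.Role{
				{
					ObjectMeta: metav1.ObjectMeta{
						Name:      "wildcard-role",
						Namespace: "default",
					},
					Rules: []rbacv1.PolicyRule{
						{
							Verbs:     []string{"*"},
							Resources: []string{"pods"},
						},
					},
				},
			},
			roleBindings: []rbacv1.RoleBinding{
				{
					ObjectMeta: metav1.ObjectMeta{
						Name:      "test-binding",
						Namespace: "default",
					},
					RoleRef: rbacv1.RoleRef{
						Kind: "Role",
						Name: "wildcard-role",
					},
				},
			},
			expectedErrors: 1,
			expectedKinds:  []string{"Security/RoleBinding"},
		},
	}

	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			ctx := context.Background()
			client := fake.NewSimpleClientset()

			// Seed the fake API server. A failure here means the fixture is
			// broken, so stop the subtest rather than asserting against an
			// empty cluster. Objects are addressed by index so that no pointer
			// to a range variable is handed to the client.
			for i := range tt.serviceAccounts {
				if _, err := client.CoreV1().ServiceAccounts(tt.namespace).Create(ctx, &tt.serviceAccounts[i], metav1.CreateOptions{}); err != nil {
					t.Fatalf("creating ServiceAccount %q: %v", tt.serviceAccounts[i].Name, err)
				}
			}
			for i := range tt.pods {
				if _, err := client.CoreV1().Pods(tt.namespace).Create(ctx, &tt.pods[i], metav1.CreateOptions{}); err != nil {
					t.Fatalf("creating Pod %q: %v", tt.pods[i].Name, err)
				}
			}
			for i := range tt.roles {
				if _, err := client.RbacV1().Roles(tt.namespace).Create(ctx, &tt.roles[i], metav1.CreateOptions{}); err != nil {
					t.Fatalf("creating Role %q: %v", tt.roles[i].Name, err)
				}
			}
			for i := range tt.roleBindings {
				if _, err := client.RbacV1().RoleBindings(tt.namespace).Create(ctx, &tt.roleBindings[i], metav1.CreateOptions{}); err != nil {
					t.Fatalf("creating RoleBinding %q: %v", tt.roleBindings[i].Name, err)
				}
			}

			analyzer := SecurityAnalyzer{}
			results, err := analyzer.Analyze(common.Analyzer{
				Client:    &kubernetes.Client{Client: client},
				Context:   ctx,
				Namespace: tt.namespace,
			})
			if err != nil {
				t.Fatalf("Analyze: %v", err)
			}

			// Log everything that came back so a failing assertion below is
			// easy to diagnose from the test output alone.
			t.Logf("Got %d results:", len(results))
			for _, result := range results {
				t.Logf(" Kind: %s, Name: %s", result.Kind, result.Name)
				for _, failure := range result.Error {
					t.Logf(" Failure: %s", failure.Text)
				}
			}

			resultsByKind := make(map[string]int, len(results))
			for _, result := range results {
				resultsByKind[result.Kind]++
			}

			// Exactly one result per expected kind ...
			for _, expectedKind := range tt.expectedKinds {
				assert.Equal(t, 1, resultsByKind[expectedKind], "Expected 1 result of kind %s", expectedKind)
			}
			// ... and no results of any other kind. expectedErrors was
			// previously declared but never checked; asserting it here keeps
			// the fixture's declared count honest alongside the kind list.
			assert.Equal(t, tt.expectedErrors, len(results), "Expected %d total results", tt.expectedErrors)
			assert.Equal(t, len(tt.expectedKinds), len(results), "Expected %d total results", len(tt.expectedKinds))
		})
	}
}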