Test: Verify if configmaps are encrypted

RATIONALE.md

@@ -381,3 +381,6 @@ closing watches for ConfigMaps marked as immutable.*"
 
 #### *Check if Tiller is being used on the plaform*: [Tiller images](docs/LIST_OF_TESTS.md#tiller-images)
 > *Tiller, found in Helm v2, has known security challenges. It requires administrative privileges and acts as a shared resource accessible to any authenticated user. Tiller can lead to privilege escalation as restricted users can impact other users. It is recommend to use Helm v3+ which does not contain Tiller for these reasons
+
+#### *Check if configmaps are encrypted on the plaform*: [Verify if configmaps are encrypted](docs/LIST_OF_TESTS.md#verify-configmaps-encrypted)
+> *Configmaps encryption is not enabled by default in kubernetes environment. As configmaps can  contain sensitive information, it is recommended to encrypt these values. For encrypting configmaps in etcd, we are using encryption in rest, this will cause, that there will not be configmaps key value in plain text format anymore in etcd.

USAGE.md

@@ -1394,4 +1394,14 @@ Update dashboard version to v2.0.1 or above.
 Switch to using Helm v3+ and make sure not to pull any images with name tiller in them
 </b>
 
+## [Verify if configmaps are encrypted](docs/LIST_OF_TESTS.md#verify-configmaps-encrypted)
+
+##### To run the Verify if configmaps are encrypted test, you can use the following command:
+```
+./cnf-testsuite platform:verify_configmaps_encryption
+```
+
+<b>Remediation for failing this test:</b> 
+Check version of ETCDCTL in etcd pod, it should be v3.+
+</b>
 

embedded_files/points.yml

@@ -252,6 +252,9 @@
 - name: exposed_dashboard
   emoji: "🔓🔑"
   tags: ["platform", "platform:security", "dynamic"]
+- name: verify_configmaps_encryption
+  emoji: "🔓🔑"
+  tags: ["platform", "platform:security", "dynamic"]
 - name: kube_state_metrics
   emoji: "📶☠"
   tags: [platform, "platform:observability", dynamic]

spec/platform/security_spec.cr

@@ -83,4 +83,16 @@ describe "Platform" do
     $?.success?.should be_true
     (/PASSED: No Helm Tiller containers are running/ =~ response_s).should_not be_nil
   end
+
+  it "'verify_configmaps_encryption' should pass if encryption is enabled in etcd", tags: ["platform:security"] do
+    etcd_output_string = "k8s:enc:"
+    result = etcd_cm_encrypted?("/path/to/certs", "etcd-pod", "test-cm", "testconfigmapvalue", "default", etcd_output_string)
+    result.should be_true
+ end
+
+ it "'verify_configmaps_encryption' should fail if encryption is disabled in etcd", tags: ["platform:security"] do
+  etcd_output_string = "testconfigmapvalue"
+  result = etcd_cm_encrypted?("/path/to/certs", "etcd-pod", "test-cm", "testconfigmapvalue", "default", etcd_output_string)
+  result.should_not be_true
+  end
 end

src/tasks/platform/security.cr

@@ -83,4 +83,32 @@ namespace "platform" do
       end
     end
   end
+
+  desc "Verify if configmaps are encrypted"
+  task "verify_configmaps_encryption" do |t, args|
+    kube_system_ns = "kube-system"
+    cm_name = generate_cm_name
+    CNFManager::Task.task_runner(args, task: t, check_cnf_installed: false) do |args, config|
+      test_cm_key = "key"
+      test_cm_value = "testconfigmapvalue"
+      KubectlClient::Create.command("cm #{cm_name} --from-literal=#{test_cm_key}=#{test_cm_value}")
+      etcd_pod_name = get_full_pod_name("etcd", kube_system_ns)
+
+      if etcd_pod_name
+        etcd_certs_path = get_etcd_certs_path(etcd_pod_name, kube_system_ns)
+        if etcd_certs_path
+          if etcd_cm_encrypted?(etcd_certs_path, etcd_pod_name, cm_name, test_cm_value, kube_system_ns)
+            CNFManager::TestcaseResult.new(CNFManager::ResultStatus::Passed, "Configmaps are encrypted in etcd")
+          else
+            CNFManager::TestcaseResult.new(CNFManager::ResultStatus::Failed, "Configmaps are not encrypted in etcd")
+          end
+        else
+          CNFManager::TestcaseResult.new(CNFManager::ResultStatus::Failed, "Error: etcd certs path not found.")
+        end
+      else
+        CNFManager::TestcaseResult.new(CNFManager::ResultStatus::Failed, "No etcd pod found.")
+      end
+    end
+    KubectlClient::Delete.command("cm #{cm_name}")
+  end
 end

src/tasks/utils/utils.cr

@@ -443,3 +443,49 @@ def version_less_than(v1str, v2str)
   LOGGING.debug "version_less_than: #{v1} < #{v2}: #{less_than}"
   less_than
 end
+
+def generate_cm_name(prefix : String = "test-cm-") : String
+  "#{prefix}-#{Random::Secure.rand(9999).to_s}"
+ end
+
+ def get_full_pod_name(part_of_pod_name : String, namespace : String = "default") : String?
+  return nil if part_of_pod_name.empty?
+  command_output = KubectlClient::ShellCmd.run("kubectl get po -A", "", false)
+  return nil unless command_output[:status].success?
+  output = command_output["output"]
+  match = output.match(%r{(\S*#{part_of_pod_name}\S*)})
+  match ? match[1].to_s : nil
+ end
+
+ def get_etcd_certs_path(etcd_pod_name : String, namespace : String) : String?
+  command_output = KubectlClient.describe("po", etcd_pod_name, namespace)
+  return nil unless command_output[:status].success?
+  output = command_output["output"]
+  match = output.match(%r{etcd-certs:\s+Type:.*\n\s+Path: (.*)(?:\n|$)})
+  match ? match[1].to_s : nil
+ end
+
+ def etcd_cm_encrypted?(
+  etcd_certs_path : String, 
+  etcd_pod_name : String, 
+  cm_name : String, 
+  test_cm_value : String, 
+  namespace : String,
+  override_output : String? = nil
+  ) : Bool
+  etcd_output = override_output || execute_etcd_command(etcd_certs_path, etcd_pod_name, cm_name, namespace)
+  puts "Etcd Output: #{etcd_output}"
+  etcd_output.includes?("k8s:enc:") && !etcd_output.includes?(test_cm_value)
+ end
+
+ private def execute_etcd_command(etcd_certs_path : String, etcd_pod_name : String, cm_name : String, namespace : String) : String
+  command = "ETCDCTL_API=3 etcdctl \
+     --cacert #{etcd_certs_path}/ca.crt \
+     --cert #{etcd_certs_path}/server.crt \
+     --key #{etcd_certs_path}/server.key \
+     get /registry/configmaps/default/#{cm_name}"
+  io = IO::Memory.new
+  Process.run("kubectl", ["exec", "-it", etcd_pod_name, "-n", namespace, "--", "sh", "-c", "#{command}"], output: io)
+  io.to_s
+ end
+