From 68416bd367072c7861ca2fbcbdf70599464335ae Mon Sep 17 00:00:00 2001 From: Adam Wolfe Gordon Date: Mon, 28 Oct 2019 15:25:26 -0600 Subject: [PATCH] Add check names to diagnostics from the check runner Rather than relying on each check to fill in its name correctly when producing diagnostics, fill in the name in the check runner after running the check. This reduces the likelihood that a check gets its name wrong or forgets to fill it in. This also fixes a bug where the admission control webhook check was not filling in its name at all. --- checks/basic/bare_pods.go | 1 - checks/basic/bare_pods_test.go | 3 - checks/basic/fully_qualified_image.go | 2 - checks/basic/helper_test.go | 1 - checks/basic/hostpath.go | 1 - checks/basic/hostpath_test.go | 1 - checks/basic/latest_tag.go | 1 - checks/basic/namespace.go | 1 - checks/basic/namespace_test.go | 7 -- checks/basic/pod_status.go | 1 - checks/basic/pod_status_test.go | 2 - checks/basic/resource_requests.go | 1 - checks/basic/resource_requests_test.go | 2 - checks/basic/unused_config_map.go | 1 - checks/basic/unused_config_map_test.go | 1 - checks/basic/unused_pv.go | 1 - checks/basic/unused_pv_test.go | 1 - checks/basic/unused_pvc.go | 1 - checks/basic/unused_pvc_test.go | 1 - checks/basic/unused_secrets.go | 1 - checks/basic/unused_secrets_test.go | 1 - checks/doks/node_labels_taints.go | 2 - checks/doks/node_labels_taints_test.go | 2 - checks/doks/node_name_pod_selector.go | 1 - checks/doks/node_name_pod_selector_test.go | 1 - checks/run_checks.go | 6 ++ checks/run_checks_test.go | 82 +++++++++++++++++++ checks/security/privileged_containers.go | 1 - checks/security/privileged_containers_test.go | 1 - checks/security/run_as_non_root.go | 1 - checks/security/run_as_non_root_test.go | 1 - 31 files changed, 88 insertions(+), 42 deletions(-) create mode 100644 checks/run_checks_test.go diff --git a/checks/basic/bare_pods.go b/checks/basic/bare_pods.go index e34f851c..891af30f 100644 --- a/checks/basic/bare_pods.go 
+++ b/checks/basic/bare_pods.go @@ -50,7 +50,6 @@ func (b *barePodCheck) Run(objects *kube.Objects) ([]checks.Diagnostic, error) { pod := pod if len(pod.ObjectMeta.OwnerReferences) == 0 { d := checks.Diagnostic{ - Check: b.Name(), Severity: checks.Warning, Message: "Avoid using bare pods in clusters", Kind: checks.Pod, diff --git a/checks/basic/bare_pods_test.go b/checks/basic/bare_pods_test.go index 01a7d323..a8d47177 100644 --- a/checks/basic/bare_pods_test.go +++ b/checks/basic/bare_pods_test.go @@ -67,7 +67,6 @@ func TestBarePodError(t *testing.T) { expected: []checks.Diagnostic{ { Severity: "warning", - Check: "bare-pods", Kind: checks.Pod, Message: "Avoid using bare pods in clusters", Object: GetObjectMeta(), @@ -81,7 +80,6 @@ func TestBarePodError(t *testing.T) { expected: []checks.Diagnostic{ { Severity: "warning", - Check: "bare-pods", Kind: checks.Pod, Message: "Avoid using bare pods in clusters", Object: &metav1.ObjectMeta{Name: "pod_1", Namespace: "k8s"}, @@ -89,7 +87,6 @@ func TestBarePodError(t *testing.T) { }, { Severity: "warning", - Check: "bare-pods", Kind: checks.Pod, Message: "Avoid using bare pods in clusters", Object: &metav1.ObjectMeta{Name: "pod_2", Namespace: "k8s"}, diff --git a/checks/basic/fully_qualified_image.go b/checks/basic/fully_qualified_image.go index 96f53c3f..0557aa35 100644 --- a/checks/basic/fully_qualified_image.go +++ b/checks/basic/fully_qualified_image.go @@ -71,7 +71,6 @@ func (fq *fullyQualifiedImageCheck) checkImage(containers []corev1.Container, po value, err := reference.ParseAnyReference(container.Image) if err != nil { d := checks.Diagnostic{ - Check: fq.Name(), Severity: checks.Warning, Message: fmt.Sprintf("Malformed image name for container '%s'", container.Name), Kind: checks.Pod, 
@@ -82,7 +81,6 @@ func (fq *fullyQualifiedImageCheck) checkImage(containers []corev1.Container, po } else { if value.String() != container.Image { d := checks.Diagnostic{ - Check: fq.Name(), Severity: checks.Warning, Message: fmt.Sprintf("Use fully qualified image for container '%s'", container.Name), Kind: checks.Pod, diff --git a/checks/basic/helper_test.go b/checks/basic/helper_test.go index 13c891d9..bf47e983 100644 --- a/checks/basic/helper_test.go +++ b/checks/basic/helper_test.go @@ -92,7 +92,6 @@ func initContainer(image string) *kube.Objects { func issues(severity checks.Severity, message string, kind checks.Kind, check string) []checks.Diagnostic { d := []checks.Diagnostic{ { - Check: check, Severity: severity, Message: message, Kind: kind, diff --git a/checks/basic/hostpath.go b/checks/basic/hostpath.go index 787bf97e..1763b1a7 100644 --- a/checks/basic/hostpath.go +++ b/checks/basic/hostpath.go @@ -55,7 +55,6 @@ func (h *hostPathCheck) Run(objects *kube.Objects) ([]checks.Diagnostic, error) pod := pod if volume.VolumeSource.HostPath != nil { d := checks.Diagnostic{ - Check: h.Name(), Severity: checks.Warning, Message: fmt.Sprintf("Avoid using hostpath for volume '%s'.", volume.Name), Kind: checks.Pod, diff --git a/checks/basic/hostpath_test.go b/checks/basic/hostpath_test.go index fd9c51f4..cbb118e1 100644 --- a/checks/basic/hostpath_test.go +++ b/checks/basic/hostpath_test.go @@ -69,7 +69,6 @@ func TestHostpathVolumeError(t *testing.T) { }), expected: []checks.Diagnostic{ { - Check: "hostpath-volume", Severity: checks.Warning, Message: "Avoid using hostpath for volume 'bar'.", Kind: checks.Pod, diff --git a/checks/basic/latest_tag.go b/checks/basic/latest_tag.go index 705f5021..ce6a5363 100644 --- a/checks/basic/latest_tag.go +++ b/checks/basic/latest_tag.go 
@@ -70,7 +70,6 @@ func (l *latestTagCheck) checkTags(containers []corev1.Container, pod corev1.Pod tagNameOnly := reference.TagNameOnly(namedRef) if strings.HasSuffix(tagNameOnly.String(), ":latest") { d := checks.Diagnostic{ - Check: l.Name(), Severity: checks.Warning, Message: fmt.Sprintf("Avoid using latest tag for container '%s'", container.Name), Kind: checks.Pod, diff --git a/checks/basic/namespace.go b/checks/basic/namespace.go index fdb2e6bd..ff1663a0 100644 --- a/checks/basic/namespace.go +++ b/checks/basic/namespace.go @@ -50,7 +50,6 @@ func (alert *alert) SetDiagnostics(d []checks.Diagnostic) { // warn adds warnings for k8s objects that should not be in the default namespace func (alert *alert) warn(k8stype checks.Kind, itemMeta metav1.ObjectMeta) { d := checks.Diagnostic{ - Check: "default-namespace", Severity: checks.Warning, Message: "Avoid using the default namespace", Kind: k8stype, diff --git a/checks/basic/namespace_test.go b/checks/basic/namespace_test.go index c513fa38..dccfc850 100644 --- a/checks/basic/namespace_test.go +++ b/checks/basic/namespace_test.go @@ -100,7 +100,6 @@ func errors(n defaultNamespaceCheck) []checks.Diagnostic { d := []checks.Diagnostic{ { - Check: n.Name(), Severity: checks.Warning, Message: "Avoid using the default namespace", Kind: checks.Pod, @@ -108,7 +107,6 @@ func errors(n defaultNamespaceCheck) []checks.Diagnostic { Owners: pod.ObjectMeta.GetOwnerReferences(), }, { - Check: n.Name(), Severity: checks.Warning, Message: "Avoid using the default namespace", Kind: checks.PodTemplate, @@ -116,7 +114,6 @@ func errors(n defaultNamespaceCheck) []checks.Diagnostic { Owners: template.ObjectMeta.GetOwnerReferences(), }, { - Check: n.Name(), Severity: checks.Warning, Message: "Avoid using the default namespace", Kind: checks.PersistentVolumeClaim, 
@@ -124,7 +121,6 @@ func errors(n defaultNamespaceCheck) []checks.Diagnostic { Owners: pvc.ObjectMeta.GetOwnerReferences(), }, { - Check: n.Name(), Severity: checks.Warning, Message: "Avoid using the default namespace", Kind: checks.ConfigMap, @@ -132,7 +128,6 @@ func errors(n defaultNamespaceCheck) []checks.Diagnostic { Owners: cm.ObjectMeta.GetOwnerReferences(), }, { - Check: n.Name(), Severity: checks.Warning, Message: "Avoid using the default namespace", Kind: checks.Service, @@ -140,7 +135,6 @@ func errors(n defaultNamespaceCheck) []checks.Diagnostic { Owners: service.ObjectMeta.GetOwnerReferences(), }, { - Check: n.Name(), Severity: checks.Warning, Message: "Avoid using the default namespace", Kind: checks.Secret, @@ -148,7 +142,6 @@ func errors(n defaultNamespaceCheck) []checks.Diagnostic { Owners: secret.ObjectMeta.GetOwnerReferences(), }, { - Check: n.Name(), Severity: checks.Warning, Message: "Avoid using the default namespace", Kind: checks.ServiceAccount, diff --git a/checks/basic/pod_status.go b/checks/basic/pod_status.go index 02a5e508..ce480600 100644 --- a/checks/basic/pod_status.go +++ b/checks/basic/pod_status.go @@ -55,7 +55,6 @@ func (p *podStatusCheck) Run(objects *kube.Objects) ([]checks.Diagnostic, error) for _, pod := range objects.Pods.Items { if corev1.PodFailed == pod.Status.Phase || corev1.PodUnknown == pod.Status.Phase { d := checks.Diagnostic{ - Check: p.Name(), Severity: checks.Warning, Message: fmt.Sprintf("Unhealthy pod. State: `%s`. Pod state should be `Running`, `Pending` or `Succeeded`.", pod.Status.Phase), Kind: checks.Pod, diff --git a/checks/basic/pod_status_test.go b/checks/basic/pod_status_test.go index 3ee52a6c..f08b8ce1 100644 --- a/checks/basic/pod_status_test.go +++ b/checks/basic/pod_status_test.go 
@@ -71,7 +71,6 @@ func TestPodStateError(t *testing.T) { objs: status(corev1.PodFailed), expected: []checks.Diagnostic{ { - Check: podStatusCheck.Name(), Severity: checks.Warning, Message: "Unhealthy pod. State: `Failed`. Pod state should be `Running`, `Pending` or `Succeeded`.", Kind: checks.Pod, @@ -85,7 +84,6 @@ func TestPodStateError(t *testing.T) { objs: status(corev1.PodUnknown), expected: []checks.Diagnostic{ { - Check: podStatusCheck.Name(), Severity: checks.Warning, Message: "Unhealthy pod. State: `Unknown`. Pod state should be `Running`, `Pending` or `Succeeded`.", Kind: checks.Pod, diff --git a/checks/basic/resource_requests.go b/checks/basic/resource_requests.go index 2ff4c023..b8a5f153 100644 --- a/checks/basic/resource_requests.go +++ b/checks/basic/resource_requests.go @@ -69,7 +69,6 @@ func (r *resourceRequirementsCheck) checkResourceRequirements(containers []corev for _, container := range containers { if container.Resources.Size() == 0 { d := checks.Diagnostic{ - Check: r.Name(), Severity: checks.Warning, Message: fmt.Sprintf("Set resource requests and limits for container `%s` to prevent resource contention", container.Name), Kind: checks.Pod, diff --git a/checks/basic/resource_requests_test.go b/checks/basic/resource_requests_test.go index f2ceb659..f985d33f 100644 --- a/checks/basic/resource_requests_test.go +++ b/checks/basic/resource_requests_test.go @@ -60,7 +60,6 @@ func TestResourceRequestsWarning(t *testing.T) { objs: container("alpine"), expected: []checks.Diagnostic{ { - Check: resourceRequirementsCheck.Name(), Severity: checks.Warning, Message: message, Kind: checks.Pod, @@ -74,7 +73,6 @@ func TestResourceRequestsWarning(t *testing.T) { objs: initContainer("alpine"), expected: []checks.Diagnostic{ { - Check: resourceRequirementsCheck.Name(), Severity: checks.Warning, Message: message, Kind: checks.Pod, diff --git a/checks/basic/unused_config_map.go b/checks/basic/unused_config_map.go index c25d6119..aec06f53 100644 
--- a/checks/basic/unused_config_map.go +++ b/checks/basic/unused_config_map.go @@ -71,7 +71,6 @@ func (c *unusedCMCheck) Run(objects *kube.Objects) ([]checks.Diagnostic, error) if _, ok := used[kube.Identifier{Name: cm.GetName(), Namespace: cm.GetNamespace()}]; !ok { cm := cm d := checks.Diagnostic{ - Check: c.Name(), Severity: checks.Warning, Message: "Unused config map", Kind: checks.ConfigMap, diff --git a/checks/basic/unused_config_map_test.go b/checks/basic/unused_config_map_test.go index 6c22c724..7e72434e 100644 --- a/checks/basic/unused_config_map_test.go +++ b/checks/basic/unused_config_map_test.go @@ -80,7 +80,6 @@ func TestUnusedConfigMapWarning(t *testing.T) { objs: initConfigMap(), expected: []checks.Diagnostic{ { - Check: unusedCMCheck.Name(), Severity: checks.Warning, Message: "Unused config map", Kind: checks.ConfigMap, diff --git a/checks/basic/unused_pv.go b/checks/basic/unused_pv.go index e759e2f4..444bf583 100644 --- a/checks/basic/unused_pv.go +++ b/checks/basic/unused_pv.go @@ -53,7 +53,6 @@ func (p *unusedPVCheck) Run(objects *kube.Objects) ([]checks.Diagnostic, error) for _, pv := range objects.PersistentVolumes.Items { if pv.Spec.ClaimRef == nil { d := checks.Diagnostic{ - Check: p.Name(), Severity: checks.Warning, Message: fmt.Sprintf("Unused Persistent Volume '%s'.", pv.GetName()), Kind: checks.PersistentVolume, diff --git a/checks/basic/unused_pv_test.go b/checks/basic/unused_pv_test.go index 7bf8fd63..ccde09dd 100644 --- a/checks/basic/unused_pv_test.go +++ b/checks/basic/unused_pv_test.go @@ -63,7 +63,6 @@ func TestUnusedPVWarning(t *testing.T) { objs: unused(), expected: []checks.Diagnostic{ { - Check: unusedPVCheck.Name(), Severity: checks.Warning, Message: "Unused Persistent Volume 'pv_foo'.", Kind: checks.PersistentVolume, diff --git a/checks/basic/unused_pvc.go b/checks/basic/unused_pvc.go index aa6b9aed..c1a4aef0 100644 --- a/checks/basic/unused_pvc.go +++ b/checks/basic/unused_pvc.go 
@@ -62,7 +62,6 @@ func (c *unusedClaimCheck) Run(objects *kube.Objects) ([]checks.Diagnostic, erro for _, claim := range objects.PersistentVolumeClaims.Items { if _, ok := used[kube.Identifier{Name: claim.GetName(), Namespace: claim.GetNamespace()}]; !ok { d := checks.Diagnostic{ - Check: c.Name(), Severity: checks.Warning, Message: "Unused persistent volume claim", Kind: checks.PersistentVolumeClaim, diff --git a/checks/basic/unused_pvc_test.go b/checks/basic/unused_pvc_test.go index c4522df7..593e31cb 100644 --- a/checks/basic/unused_pvc_test.go +++ b/checks/basic/unused_pvc_test.go @@ -67,7 +67,6 @@ func TestUnusedPVCWarning(t *testing.T) { objs: initPVC(), expected: []checks.Diagnostic{ { - Check: unusedClaimCheck.Name(), Severity: checks.Warning, Message: "Unused persistent volume claim", Kind: checks.PersistentVolumeClaim, diff --git a/checks/basic/unused_secrets.go b/checks/basic/unused_secrets.go index a5d05c7a..a4416115 100644 --- a/checks/basic/unused_secrets.go +++ b/checks/basic/unused_secrets.go @@ -66,7 +66,6 @@ func (s *unusedSecretCheck) Run(objects *kube.Objects) ([]checks.Diagnostic, err if _, ok := used[kube.Identifier{Name: secret.GetName(), Namespace: secret.GetNamespace()}]; !ok { secret := secret d := checks.Diagnostic{ - Check: s.Name(), Severity: checks.Warning, Message: "Unused secret", Kind: checks.Secret, diff --git a/checks/basic/unused_secrets_test.go b/checks/basic/unused_secrets_test.go index b5b88829..9db8e39f 100644 --- a/checks/basic/unused_secrets_test.go +++ b/checks/basic/unused_secrets_test.go @@ -78,7 +78,6 @@ func TestUnusedSecretWarning(t *testing.T) { objs: initSecret(), expected: []checks.Diagnostic{ { - Check: unusedSecretCheck.Name(), Severity: checks.Warning, Message: "Unused secret", Kind: checks.Secret, diff --git a/checks/doks/node_labels_taints.go b/checks/doks/node_labels_taints.go index 81483b4b..64321ffa 100644 --- a/checks/doks/node_labels_taints.go +++ b/checks/doks/node_labels_taints.go 
@@ -53,7 +53,6 @@ func (c *nodeLabelsTaintsCheck) Run(objects *kube.Objects) ([]checks.Diagnostic, for labelKey := range node.Labels { if !isKubernetesLabel(labelKey) && !isDOKSLabel(labelKey) { d := checks.Diagnostic{ - Check: c.Name(), Severity: checks.Warning, Message: "Custom node labels will be lost if node is replaced or upgraded.", Kind: checks.Node, @@ -67,7 +66,6 @@ func (c *nodeLabelsTaintsCheck) Run(objects *kube.Objects) ([]checks.Diagnostic, for _, taint := range node.Spec.Taints { if !isDOKSTaint(taint) { d := checks.Diagnostic{ - Check: c.Name(), Severity: checks.Warning, Message: "Custom node taints will be lost if node is replaced or upgraded.", Kind: checks.Node, diff --git a/checks/doks/node_labels_taints_test.go b/checks/doks/node_labels_taints_test.go index 5518995a..fd87efd1 100644 --- a/checks/doks/node_labels_taints_test.go +++ b/checks/doks/node_labels_taints_test.go @@ -74,7 +74,6 @@ func TestNodeLabels(t *testing.T) { "region": "tor1", }, expectedDiagnostics: []checks.Diagnostic{{ - Check: "node-labels-and-taints", Severity: checks.Warning, Message: "Custom node labels will be lost if node is replaced or upgraded.", Kind: checks.Node, @@ -134,7 +133,6 @@ func TestNodeTaints(t *testing.T) { Effect: corev1.TaintEffectNoSchedule, }}, expectedDiagnostics: []checks.Diagnostic{{ - Check: "node-labels-and-taints", Severity: checks.Warning, Message: "Custom node taints will be lost if node is replaced or upgraded.", Kind: checks.Node, diff --git a/checks/doks/node_name_pod_selector.go b/checks/doks/node_name_pod_selector.go index f2fea46b..acac2a42 100644 --- a/checks/doks/node_name_pod_selector.go +++ b/checks/doks/node_name_pod_selector.go 
@@ -53,7 +53,6 @@ func (p *podSelectorCheck) Run(objects *kube.Objects) ([]checks.Diagnostic, erro nodeSelectorMap := pod.Spec.NodeSelector if _, ok := nodeSelectorMap[corev1.LabelHostname]; ok { d := checks.Diagnostic{ - Check: p.Name(), Severity: checks.Warning, Message: "Avoid node name label for node selector.", Kind: checks.Pod, diff --git a/checks/doks/node_name_pod_selector_test.go b/checks/doks/node_name_pod_selector_test.go index 2bdfd20a..03f430e9 100644 --- a/checks/doks/node_name_pod_selector_test.go +++ b/checks/doks/node_name_pod_selector_test.go @@ -93,7 +93,6 @@ func expectedWarnings(objs *kube.Objects, name string) []checks.Diagnostic { pod := objs.Pods.Items[0] diagnostics := []checks.Diagnostic{ { - Check: name, Severity: checks.Warning, Message: "Avoid node name label for node selector.", Kind: checks.Pod, diff --git a/checks/run_checks.go b/checks/run_checks.go index 61201701..d928db18 100644 --- a/checks/run_checks.go +++ b/checks/run_checks.go @@ -54,6 +54,12 @@ func Run(ctx context.Context, client *kube.Client, checkFilter CheckFilter, diag return err } mu.Lock() + // Fill in the check names for the diagnostics. Doing this here + // absolves checks of needing to do it and also ensures they're + // consistent. + for i := 0; i < len(d); i++ { + d[i].Check = check.Name() + } diagnostics = append(diagnostics, d...) checkDuration[check.Name()] = elapsed mu.Unlock() diff --git a/checks/run_checks_test.go b/checks/run_checks_test.go new file mode 100644 index 00000000..baff5a6c --- /dev/null +++ b/checks/run_checks_test.go 
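Review bot: The new name-filling loop in Run sits inside the mu critical section although it only writes to d, which appears to be the slice this goroutine just received from the check; doing it before `mu.Lock()` keeps the lock to the shared append and the checkDuration map write. The loop is also a counted loop where `for i := range d { d[i].Check = name }` is the idiomatic form, and hoisting `name := check.Name()` avoids calling Name() once per diagnostic and once more for checkDuration. The comment could additionally state that the runner overwrites any Check value a check set itself, since that is now the contract a registered check can rely on. Run begins and ends outside this hunk.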
@@ -0,0 +1,82 @@ +/* +Copyright 2019 DigitalOcean + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package checks + +import ( + "context" + "testing" + + "github.com/digitalocean/clusterlint/kube" + "github.com/stretchr/testify/assert" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/client-go/kubernetes/fake" +) + +func TestRun(t *testing.T) { + Register(&alwaysFail{}) + + filter := CheckFilter{ + IncludeChecks: []string{"always-fail"}, + } + client := &kube.Client{ + KubeClient: fake.NewSimpleClientset(), + } + client.KubeClient.CoreV1().Namespaces().Create(&corev1.Namespace{ + ObjectMeta: metav1.ObjectMeta{ + Name: "kube-system", + }, + }) + + alwaysFailCheck, err := Get("always-fail") + assert.NoError(t, err) + + result, err := Run(context.Background(), client, filter, DiagnosticFilter{}) + assert.NoError(t, err) + assert.Len(t, result.Diagnostics, 1) + assert.Equal(t, alwaysFailCheck.Name(), result.Diagnostics[0].Check) +} + +type alwaysFail struct{} + +// Name returns a unique name for this check. +func (nc *alwaysFail) Name() string { + return "always-fail" +} + +// Groups returns a list of group names this check should be part of. +func (nc *alwaysFail) Groups() []string { + return nil +} + +// Description returns a detailed human-readable description of what this check +// does. +func (nc *alwaysFail) Description() string { + return "Does not check anything. Always returns an error.." 
+} + +// Run runs this check on a set of Kubernetes objects. It can return warnings +// (low-priority problems) and errors (high-priority problems) as well as an +// error value indicating that the check failed to run. +func (nc *alwaysFail) Run(*kube.Objects) ([]Diagnostic, error) { + return []Diagnostic{{ + Message: "This check always produces an error.", + Severity: Error, + Kind: Pod, + Object: &metav1.ObjectMeta{}, + }}, nil +} diff --git a/checks/security/privileged_containers.go b/checks/security/privileged_containers.go index 70633aeb..d6e91660 100644 --- a/checks/security/privileged_containers.go +++ b/checks/security/privileged_containers.go @@ -67,7 +67,6 @@ func (pc *privilegedContainerCheck) checkPrivileged(containers []corev1.Containe for _, container := range containers { if container.SecurityContext != nil && container.SecurityContext.Privileged != nil && *container.SecurityContext.Privileged { d := checks.Diagnostic{ - Check: pc.Name(), Severity: checks.Warning, Message: fmt.Sprintf("Privileged container '%s' found. Please ensure that the image is from a trusted source.", container.Name), Kind: checks.Pod, diff --git a/checks/security/privileged_containers_test.go b/checks/security/privileged_containers_test.go index 5136021d..efacdd64 100644 --- a/checks/security/privileged_containers_test.go +++ b/checks/security/privileged_containers_test.go @@ -106,7 +106,6 @@ func warnings(objs *kube.Objects, name string) []checks.Diagnostic { pod := objs.Pods.Items[0] d := []checks.Diagnostic{ { - Check: name, Severity: checks.Warning, Message: "Privileged container 'bar' found. Please ensure that the image is from a trusted source.", Kind: checks.Pod, diff --git a/checks/security/run_as_non_root.go b/checks/security/run_as_non_root.go index 81943ef8..ede473d4 100644 --- a/checks/security/run_as_non_root.go +++ b/checks/security/run_as_non_root.go 
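Review bot: The Namespaces().Create call in TestRun discards both return values, so a failure to seed the kube-system namespace on the fake clientset would only show up later as a confusing Len or Equal assertion; capture it with `_, err := client.KubeClient.CoreV1().Namespaces().Create(&corev1.Namespace{ObjectMeta: metav1.ObjectMeta{Name: "kube-system"}})` followed by `assert.NoError(t, err)` before calling Run. Register(&alwaysFail{}) looks like it mutates package-level registry state, so other tests in this package that enumerate or run every check may now also see always-fail; if that is the case a cleanup step or a test-scoped registry would keep TestRun isolated. The Description string also ends with a doubled period: `return "Does not check anything. Always returns an error."`.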
@@ -63,7 +63,6 @@ func (nr *nonRootUserCheck) Run(objects *kube.Objects) ([]checks.Diagnostic, err if containerRunAsRoot && podRunAsRoot { d := checks.Diagnostic{ - Check: nr.Name(), Severity: checks.Warning, Message: fmt.Sprintf("Container `%s` can run as root user. Please ensure that the image is from a trusted source.", container.Name), Kind: checks.Pod, diff --git a/checks/security/run_as_non_root_test.go b/checks/security/run_as_non_root_test.go index b606a3b2..dff7c58c 100644 --- a/checks/security/run_as_non_root_test.go +++ b/checks/security/run_as_non_root_test.go @@ -161,7 +161,6 @@ func diagnostic() []checks.Diagnostic { pod := initPod().Pods.Items[0] d := []checks.Diagnostic{ { - Check: "non-root-user", Severity: checks.Warning, Message: "Container `bar` can run as root user. Please ensure that the image is from a trusted source.", Kind: checks.Pod,