From df77dbc9ddce9c3e0d9ba0c79b789cd6ee0417dd Mon Sep 17 00:00:00 2001 From: mrichomme Date: Fri, 18 Sep 2020 16:50:03 +0200 Subject: Add xfail list for test on pod limits Note: a waiver shall be created (and merged) in SECCOM repo before we can merge this patch Issue-ID: INT-1722 Signed-off-by: mrichomme Change-Id: I1d064275e9b90574e8b90c733d0dcc9b6f2bed74 Signed-off-by: mrichomme --- security/docker/Dockerfile | 1 + security/onap_security/security_tests.py | 18 +-------- security/scripts/check_unlimitted_pods.sh | 62 ++++++++++++++++++++++++++++--- 3 files changed, 59 insertions(+), 22 deletions(-) diff --git a/security/docker/Dockerfile b/security/docker/Dockerfile index 484e83a..413290d 100644 --- a/security/docker/Dockerfile +++ b/security/docker/Dockerfile @@ -53,6 +53,7 @@ RUN set -x && \ wget -O /jdwp_xfail.txt https://git.onap.org/integration/seccom/plain/waivers/jdwp_ports/jdwp_xfail.txt?h=$ONAP_TAG &&\ wget -O /nonssl_xfail.txt https://git.onap.org/integration/seccom/plain/waivers/nonssl_endpoints/nonssl_xfail.txt?h=$ONAP_TAG &&\ wget -O /root_pods_xfail.txt https://git.onap.org/integration/seccom/plain/waivers/root_pods/root_pods_xfail.txt?h=$ONAP_TAG &&\ + wget -O /unlimitted_pods_xfail.txt https://git.onap.org/integration/seccom/plain/waivers/unlimitted_pods/unlimitted_pods_xfail.txt?h=$ONAP_TAG &&\ wget -O /check_versions/k8s_bin_versions_inspector.py https://git.onap.org/integration/plain/test/security/check_versions/src/k8s_bin_versions_inspector.py?h=$ONAP_TAG &&\ wget -O /check_versions/requirements.txt https://git.onap.org/integration/plain/test/security/check_versions/env/requirements.txt?h=$ONAP_TAG &&\ wget -O /check_versions/recommended_versions.yaml https://git.onap.org/integration/seccom/plain/recommended_versions.yaml?h=$ONAP_TAG &&\ diff --git a/security/onap_security/security_tests.py b/security/onap_security/security_tests.py index cd26d7d..d0b25ac 100644 --- a/security/onap_security/security_tests.py +++ b/security/onap_security/security_tests.py @@ -95,8 +95,6 @@ class SecurityTesting(testcase.TestCase): class OnapSecurityDockerRootTest(SecurityTesting): """Test that the dockers launched as root.""" def __init__(self, **kwargs): - if "case_name" not in kwargs: - kwargs.get("case_name", 'root_pods') super(OnapSecurityDockerRootTest, self).__init__(**kwargs) self.cmd = ['/check_security_root.sh', 'onap', '-l', '/root_pods_xfail.txt'] self.error_string = "Pods launched with root users" @@ -105,18 +103,14 @@ class OnapSecurityDockerRootTest(SecurityTesting): class OnapSecurityUnlimittedPodTest(SecurityTesting): """Check that no pod is launch without limits.""" def __init__(self, **kwargs): - if "case_name" not in kwargs: - kwargs.get("case_name", 'unlimitted_pods') super(OnapSecurityUnlimittedPodTest, self).__init__(**kwargs) - self.cmd = ['/check_unlimitted_pods.sh'] + self.cmd = ['/check_unlimitted_pods.sh', 'onap', '-l', '/unlimitted_pods_xfail.txt'] self.error_string = "Pods lauched without limits" class OnapSecurityCisKubernetes(SecurityTesting): """Check that kubernetes install is CIS compliant""" def __init__(self, **kwargs): - if "case_name" not in kwargs: - kwargs.get("case_name", 'cis_kubernetes') super(OnapSecurityCisKubernetes, self).__init__(**kwargs) self.cmd = ['/check_cis_kubernetes.sh'] self.error_string = "Kubernetes Deployment is not CIS compatible" @@ -126,8 +120,6 @@ class OnapSecurityHttpPorts(SecurityTesting): """Check all ports exposed outside of kubernetes cluster looking for plain http endpoint.""" def __init__(self, **kwargs): - if "case_name" not in kwargs: - kwargs.get("case_name", 'http_public_endpoints') super(OnapSecurityHttpPorts, self).__init__(**kwargs) self.cmd = ['/check_for_nonssl_endpoints.sh', 'onap', '-l', '/nonssl_xfail.txt'] self.error_string = "Public http endpoints still found" @@ -137,8 +129,6 @@ class OnapSecurityNonSSLPorts(SecurityTesting): """Check that all ports exposed outside of kubernetes cluster use SSL tunnels.""" def __init__(self, **kwargs): - if "case_name" not in kwargs: - kwargs.get("case_name", 'nonssl_endpoints') super(OnapSecurityNonSSLPorts, self).__init__(**kwargs) self.cmd = ['/usr/local/bin/sslendpoints', '-xfail', '/nonssl_xfail.txt'] self.error_string = "Public non-SSL endpoints still found" @@ -147,8 +137,6 @@ class OnapSecurityNonSSLPorts(SecurityTesting): class OnapSecurityJdwpPorts(SecurityTesting): """Check that no jdwp ports are exposed.""" def __init__(self, **kwargs): - if "case_name" not in kwargs: - kwargs.get("case_name", 'jdpw_ports') super(OnapSecurityJdwpPorts, self).__init__(**kwargs) self.cmd = ['/check_for_jdwp.sh', 'onap', '-l', '/jdwp_xfail.txt'] self.error_string = "JDWP ports found" @@ -157,8 +145,6 @@ class OnapSecurityJdwpPorts(SecurityTesting): class OnapSecurityKubeHunter(SecurityTesting): """Check k8s vulnerabilities.""" def __init__(self, **kwargs): - if "case_name" not in kwargs: - kwargs.get("case_name", 'kube_hunter') super(OnapSecurityKubeHunter, self).__init__(**kwargs) config.load_kube_config(config_file='/root/.kube/config') client_kubernetes = client.CoreV1Api() @@ -176,8 +162,6 @@ class OnapSecurityKubeHunter(SecurityTesting): class OnapSecurityVersions(SecurityTesting): """Check that Java and Python are available only in versions recommended by SECCOM.""" def __init__(self, **kwargs): - if "case_name" not in kwargs: - kwargs.get("case_name", 'versions') super(OnapSecurityVersions, self).__init__(**kwargs) self.cmd = ['/check_versions.sh', 'onap', '-r', '/check_versions/recommended_versions.yaml'] self.error_string = "Not recommended versions found" diff --git a/security/scripts/check_unlimitted_pods.sh b/security/scripts/check_unlimitted_pods.sh index fdef6f3..1fc5e69 100644 --- a/security/scripts/check_unlimitted_pods.sh +++ b/security/scripts/check_unlimitted_pods.sh @@ -1,4 +1,40 @@ #!/bin/bash +usage() { + cat < [-l ] + -l: unlimitted pod xfail file +EOF + exit ${1:-0} +} + +if [ "$#" -lt 1 ]; then + usage + exit 1 +fi + +K8S_NAMESPACE=$1 +FILTERED_PODS_LIST=$(mktemp unlimitted_pods_XXXXXX) +WL_RAW_FILE_PATH=$(mktemp raw_filtered_unlimitted_XXXXXX) + +manage_list() { + # init filtered port list file + if [ ! -f $WL_FILE_PATH ];then + echo "File not found" + usage + fi + grep -o '^[^#]*' $WL_FILE_PATH > $WL_RAW_FILE_PATH +} + +### getopts +while : +do + case $2 in + -h|--help|help) usage;; + -l) WL_FILE_PATH=$3;manage_list;shift;; + -*) usage 1 ;; + *) break ;; + esac +done echo "------------------------------------------------------------------------" echo "-------------------- ONAP Security tests ----------------------------" @@ -8,19 +44,35 @@ echo "------------------------------------------------------------------------" code=0 # get the pod list -for pod in `kubectl get pod -n onap|grep -v "NAME"|grep "Running\|Completed" |grep -v functest |grep -v integration | awk '{print $1}'`;do +for pod in `kubectl get pod -n $K8S_NAMESPACE |grep -v "NAME"|grep "Running\|Completed" |grep -v functest |grep -v integration | awk '{print $1}'`;do kubectl describe pod $pod -n onap|grep "Limits"; if [ $? == 1 ] ; then echo $pod ; fi; -done | grep -v Limits > NoLimitContainer.txt +done | grep -v Limits > $FILTERED_PODS_LIST + +while IFS= read -r line; do + # for each line we test if it is in the white list with a regular expression + while IFS= read -r wl_line; do + wl_name=$(echo $wl_line | awk {'print $1'}) + if grep -e $K8S_NAMESPACE-$wl_name <<< "$line" > /dev/null ;then + # Found in white list, exclude it + sed -i "/$line/d" $FILTERED_PODS_LIST + fi + # tmp ugly workaround to exlude dep (temporary dcae dockers) + if grep -e dep-$wl_name <<< "$line" > /dev/null ;then + sed -i "/$line/d" $FILTERED_PODS_LIST + fi + done < $WL_RAW_FILE_PATH +done < $FILTERED_PODS_LIST + -if [ -s NoLimitContainer.txt ] +if [ -s $FILTERED_PODS_LIST ] then code=1 - nb_errors=`cat NoLimitContainer.txt | wc -l` + nb_errors=`cat $FILTERED_PODS_LIST | wc -l` echo "Test FAIL: $nb_errors pod(s) launched without limit" - cat NoLimitContainer.txt + cat $FILTERED_PODS_LIST else echo "Test PASS: No pod launched without limit" fi -- cgit 1.2.3-korg