Diffstat (limited to 'test/security')
12 files changed, 5 insertions, 467 deletions
diff --git a/test/security/k8s/README b/test/security/k8s/README
index fdb7e4c11..b9e2dd5d2 100644
--- a/test/security/k8s/README
+++ b/test/security/k8s/README
@@ -19,17 +19,6 @@ Build
 
 .. _go: https://golang.org/doc/install
 
-Run
----
-
-.. note:: Below applies to Rancher-based clusters (e.g. Casablanca)
-
-- `Rancher CLI`_
-- Docker_ (required to perform selected Rancher CLI calls)
-
-.. _`Rancher CLI`: https://rancher.com/docs/rancher/v1.6/en/cli
-.. _Docker: https://docs.docker.com/install
-
 Test
 ----
 
diff --git a/test/security/k8s/src/check/check.go b/test/security/k8s/src/check/check.go
index 728be18ff..91e9e5fd2 100644
--- a/test/security/k8s/src/check/check.go
+++ b/test/security/k8s/src/check/check.go
@@ -39,31 +39,3 @@ func (c Command) String() string {
 	}
 	return names[c]
 }
-
-// Service represents services run on Rancher-based cluster.
-type Service int
-
-const (
-	// APIService represents API server service ("kubernetes/kubernetes").
-	APIService Service = iota
-	// SchedulerService represents scheduler service ("kubernetes/scheduler").
-	SchedulerService
-	// ControllerManagerService represents controller manager service ("kubernetes/controller-manager").
-	ControllerManagerService
-	// EtcdService represents etcd service ("kubernetes/etcd").
-	EtcdService
-)
-
-func (s Service) String() string {
-	names := [...]string{
-		"kubernetes/kubernetes",
-		"kubernetes/scheduler",
-		"kubernetes/controller-manager",
-		"kubernetes/etcd",
-	}
-
-	if s < APIService || s > EtcdService {
-		return ""
-	}
-	return names[s]
-}
diff --git a/test/security/k8s/src/check/cmd/check/check.go b/test/security/k8s/src/check/cmd/check/check.go
index 98254aef9..42e9903e6 100644
--- a/test/security/k8s/src/check/cmd/check/check.go
+++ b/test/security/k8s/src/check/cmd/check/check.go
@@ -5,32 +5,23 @@ import (
 	"log"
 
 	"check"
-	"check/rancher"
 	"check/raw"
 	"check/validators/master"
 )
 
 var (
-	ranchercli = flag.Bool("ranchercli", false, "use rancher utility for accessing cluster nodes")
-	rke = flag.Bool("rke", false, "use RKE cluster definition and ssh for accessing cluster nodes (default)")
+	rke = flag.Bool("rke", true, "use RKE cluster definition and ssh for accessing cluster nodes (default)")
 )
 
 func main() {
 	flag.Parse()
 
-	if *ranchercli && *rke {
+	if !(*rke) {
 		log.Fatal("Not supported.")
 	}
 
-	// Use default cluster access method if none was declared explicitly.
-	if !(*ranchercli || *rke) {
-		*rke = true
-	}
-
 	var info check.Informer
 	switch {
-	case *ranchercli:
-		info = &rancher.Rancher{}
 	case *rke:
 		info = &raw.Raw{}
 	default:
diff --git a/test/security/k8s/src/check/rancher/rancher.go b/test/security/k8s/src/check/rancher/rancher.go
deleted file mode 100644
index 2cf2fbe69..000000000
--- a/test/security/k8s/src/check/rancher/rancher.go
+++ /dev/null
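Review bot: Once `-rke` defaults to true and `!(*rke)` is fatal, the `switch` below has a single `case *rke:` that is always satisfied, so the `default:` branch (which, like the rest of main, continues outside the hunk) is dead code; the selection can collapse to `info := &raw.Raw{}`, or the flag can be dropped entirely now that `raw.Raw` is the only Informer left. If the flag stays, `log.Fatal("Not supported.")` does not tell the operator which option was rejected; `log.Fatal("-rke=false is not supported: RKE is the only cluster access method")` would. The usage string also still carries "(default)", which the flag package already appends as "(default true)", so that word can go.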
@@ -1,124 +0,0 @@ -// Package rancher wraps Rancher commands necessary for K8s inspection. -package rancher - -import ( - "bytes" - "fmt" - "os/exec" - - "check" -) - -const ( - bin = "rancher" - paramHost = "--host" - cmdHosts = "hosts" - cmdHostsParams = "--quiet" - cmdDocker = "docker" - cmdDockerCmdPs = "ps" - cmdDockerCmdPsParams = "--no-trunc" - cmdDockerCmdPsFilter = "--filter" - cmdDockerCmdPsFilterArgs = "label=io.rancher.stack_service.name=" - cmdDockerCmdPsFormat = "--format" - cmdDockerCmdPsFormatArgs = "{{.Command}}" -) - -// Rancher implements Informer interface. -type Rancher struct { - check.Informer -} - -// GetAPIParams returns parameters of running Kubernetes API server. -// It queries default environment set in configuration file. -func (r *Rancher) GetAPIParams() ([]string, error) { - return getProcessParams(check.APIProcess, check.APIService) -} - -// GetSchedulerParams returns parameters of running Kubernetes scheduler. -// It queries default environment set in configuration file. -func (r *Rancher) GetSchedulerParams() ([]string, error) { - return getProcessParams(check.SchedulerProcess, check.SchedulerService) -} - -// GetControllerManagerParams returns parameters of running Kubernetes scheduler. -// It queries default environment set in configuration file. -func (r *Rancher) GetControllerManagerParams() ([]string, error) { - return getProcessParams(check.ControllerManagerProcess, check.ControllerManagerService) -} - -// GetEtcdParams returns parameters of running etcd. -// It queries only cluster nodes with "controlplane" role. 
-func (r *Rancher) GetEtcdParams() ([]string, error) { - return []string{}, check.ErrNotImplemented -} - -func getProcessParams(process check.Command, service check.Service) ([]string, error) { - hosts, err := listHosts() - if err != nil { - return []string{}, err - } - - for _, host := range hosts { - cmd, err := getPsCmdOutput(host, service) - if err != nil { - return []string{}, err - } - - cmd = trimOutput(cmd) // TODO: improve `docker ps` query format. - if len(cmd) > 0 { - i := bytes.Index(cmd, []byte(process.String())) - if i == -1 { - return []string{}, fmt.Errorf("missing %s command", process) - } - return btos(cmd[i+len(process.String()):]), nil - } - } - return []string{}, nil -} - -// listHosts lists IDs of active hosts. -// It queries default environment set in configuration file. -func listHosts() ([]string, error) { - cmd := exec.Command(bin, cmdHosts, cmdHostsParams) - out, err := cmd.Output() - if err != nil { - return nil, err - } - return btos(out), nil -} - -// getPsCmdOutput returns running Kubernetes service command with its parameters. -// It queries default environment set in configuration file. -func getPsCmdOutput(host string, service check.Service) ([]byte, error) { - // Following is equivalent to: - // $ rancher --host $HOST \ - // docker ps --no-trunc \ - // --filter "label=io.rancher.stack_service.name=$SERVICE" \ - // --format "{{.Command}}" - cmd := exec.Command(bin, paramHost, host, - cmdDocker, cmdDockerCmdPs, cmdDockerCmdPsParams, - cmdDockerCmdPsFilter, cmdDockerCmdPsFilterArgs+service.String(), - cmdDockerCmdPsFormat, cmdDockerCmdPsFormatArgs) - out, err := cmd.Output() - if err != nil { - return nil, err - } - return out, nil -} - -// trimOutput removes trailing new line and brackets from output. 
-func trimOutput(b []byte) []byte { - b = bytes.TrimSpace(b) - b = bytes.TrimPrefix(b, []byte("[")) - b = bytes.TrimSuffix(b, []byte("]")) - return b -} - -// btos converts slice of bytes to slice of strings split by white space characters. -func btos(in []byte) []string { - var out []string - for _, b := range bytes.Fields(in) { - out = append(out, string(b)) - } - return out -} diff --git a/test/security/k8s/src/check/validators/master/api/api_test.go b/test/security/k8s/src/check/validators/master/api/api_test.go index 4ba5070a8..01fe9b1c6 100644 --- a/test/security/k8s/src/check/validators/master/api/api_test.go +++ b/test/security/k8s/src/check/validators/master/api/api_test.go 
@@ -45,39 +45,7 @@ var _ = Describe("Api", func() { "TLS_RSA_WITH_AES_128_GCM_SHA256", } - // kubeApiServerCasablanca was obtained from virtual environment for testing - // (introduced in Change-Id: I57f9f3caac0e8b391e9ed480f6bebba98e006882). - kubeApiServerCasablanca = []string{ - "--storage-backend=etcd2", - "--storage-media-type=application/json", - "--service-cluster-ip-range=10.43.0.0/16", - "--etcd-servers=https://etcd.kubernetes.rancher.internal:2379", - "--insecure-bind-address=0.0.0.0", - "--insecure-port=0", - "--cloud-provider=rancher", - "--allow-privileged=true", - "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount," + - "PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,ResourceQuota", - "--client-ca-file=/etc/kubernetes/ssl/ca.pem", - "--tls-cert-file=/etc/kubernetes/ssl/cert.pem", - "--tls-private-key-file=/etc/kubernetes/ssl/key.pem", - "--kubelet-client-certificate=/etc/kubernetes/ssl/cert.pem", - "--kubelet-client-key=/etc/kubernetes/ssl/key.pem", - "--runtime-config=batch/v2alpha1", - "--anonymous-auth=false", - "--authentication-token-webhook-config-file=/etc/kubernetes/authconfig", - "--runtime-config=authentication.k8s.io/v1beta1=true", - "--external-hostname=kubernetes.kubernetes.rancher.internal", - "--etcd-cafile=/etc/kubernetes/etcd/ca.pem", - "--etcd-certfile=/etc/kubernetes/etcd/cert.pem", - "--etcd-keyfile=/etc/kubernetes/etcd/key.pem", - "--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305," + - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384," + - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", - } - - // kubeApiServerCasablanca was obtained from virtual environment for testing + // kubeApiServerDublin was obtained from virtual environment for testing // (introduced in Change-Id: I54ada5fade3b984dedd1715f20579e3ce901faa3). 
kubeApiServerDublin = []string{ "--requestheader-group-headers=X-Remote-Group", @@ -130,7 +98,6 @@ var _ = Describe("Api", func() { }, Entry("Is not absent on insecure cluster", []string{"--insecure-allow-any-token"}, false), Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true), - Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true), Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true), ) @@ -140,7 +107,6 @@ var _ = Describe("Api", func() { }, Entry("Is not set on insecure cluster", []string{}, false), Entry("Should be set to false on CIS-compliant cluster", kubeApiServerCISCompliant, true), - Entry("Should be set to false on Casablanca cluster", kubeApiServerCasablanca, true), Entry("Should be set to false on Dublin cluster", kubeApiServerDublin, true), ) @@ -150,7 +116,6 @@ var _ = Describe("Api", func() { }, Entry("Is not set on insecure cluster", []string{}, false), Entry("Is explicitly enabled on insecure cluster", []string{"--profiling=true"}, false), - Entry("Is not set on Casablanca cluster", kubeApiServerCasablanca, false), Entry("Should be set to false on CIS-compliant cluster", kubeApiServerCISCompliant, true), Entry("Should be set to false on Dublin cluster", kubeApiServerDublin, true), ) @@ -161,7 +126,6 @@ var _ = Describe("Api", func() { }, Entry("Is explicitly disabled on insecure cluster", []string{"--kubelet-https=false"}, false), Entry("Should be absent or set to true on CIS-compliant cluster", kubeApiServerCISCompliant, true), - Entry("Should be absent or set to true on Casablanca cluster", kubeApiServerCasablanca, true), Entry("Should be absent or set to true on Dublin cluster", kubeApiServerDublin, true), ) 
@@ -171,7 +135,6 @@ var _ = Describe("Api", func() { }, Entry("Is not set on insecure cluster", []string{}, false), Entry("Is explicitly enabled on insecure cluster", []string{"--repair-malformed-updates=true"}, false), - Entry("Is not set on Casablanca cluster", kubeApiServerCasablanca, false), Entry("Should be set to false on CIS-compliant cluster", kubeApiServerCISCompliant, true), Entry("Should be set to false on Dublin cluster", kubeApiServerDublin, true), ) @@ -182,7 +145,6 @@ var _ = Describe("Api", func() { }, Entry("Is not set on insecure cluster", []string{}, false), Entry("Is explicitly disabled on insecure cluster", []string{"--service-account-lookup=false"}, false), - Entry("Is not set on Casablanca cluster", kubeApiServerCasablanca, false), Entry("Should be set to true on CIS-compliant cluster", kubeApiServerCISCompliant, true), Entry("Should be set to true on Dublin cluster", kubeApiServerDublin, true), ) @@ -195,7 +157,6 @@ var _ = Describe("Api", func() { }, Entry("Is not absent on insecure cluster", []string{"--basic-auth-file=/path/to/file"}, false), Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true), - Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true), Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true), ) @@ -205,7 +166,6 @@ var _ = Describe("Api", func() { }, Entry("Is not absent on insecure cluster", []string{"--token-auth-file=/path/to/file"}, false), Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true), - Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true), Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true), ) 
@@ -215,7 +175,6 @@ var _ = Describe("Api", func() { }, Entry("Is absent on insecure cluster", []string{}, false), Entry("Is empty on insecure cluster", []string{"--audit-log-path="}, false), - Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false), Entry("Is absent on Dublin cluster", kubeApiServerDublin, false), Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true), ) @@ -226,7 +185,6 @@ var _ = Describe("Api", func() { }, Entry("Is absent on insecure cluster", []string{}, false), Entry("Is empty on insecure cluster", []string{"--kubelet-certificate-authority="}, false), - Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false), Entry("Is absent on Dublin cluster", kubeApiServerDublin, false), Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true), ) @@ -238,7 +196,6 @@ var _ = Describe("Api", func() { Entry("Is absent on insecure cluster", []string{}, false), Entry("Is empty on insecure cluster", []string{"--client-ca-file="}, false), Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true), - Entry("Should be present on Casablanca cluster", kubeApiServerCasablanca, true), Entry("Should be present on Dublin cluster", kubeApiServerDublin, true), ) @@ -249,7 +206,6 @@ var _ = Describe("Api", func() { Entry("Is absent on insecure cluster", []string{}, false), Entry("Is empty on insecure cluster", []string{"-etcd-cafile="}, false), Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true), - Entry("Should be present on Casablanca cluster", kubeApiServerCasablanca, true), Entry("Should be present on Dublin cluster", kubeApiServerDublin, true), ) 
@@ -259,7 +215,6 @@ var _ = Describe("Api", func() { }, Entry("Is absent on insecure cluster", []string{}, false), Entry("Is empty on insecure cluster", []string{"--service-account-key-file="}, false), - Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false), Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true), Entry("Should be present on Dublin cluster", kubeApiServerDublin, true), ) @@ -271,7 +226,6 @@ var _ = Describe("Api", func() { Entry("Is absent on insecure cluster", []string{}, false), Entry("Is empty on insecure cluster", []string{"--kubelet-client-certificate= --kubelet-client-key="}, false), Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true), - Entry("Should be present on Casablanca cluster", kubeApiServerCasablanca, true), Entry("Should be present on Dublin cluster", kubeApiServerDublin, true), ) @@ -282,7 +236,6 @@ var _ = Describe("Api", func() { Entry("Is absent on insecure cluster", []string{}, false), Entry("Is empty on insecure cluster", []string{"--etcd-certfile= --etcd-keyfile="}, false), Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true), - Entry("Should be present on Casablanca cluster", kubeApiServerCasablanca, true), Entry("Should be present on Dublin cluster", kubeApiServerDublin, true), ) @@ -293,7 +246,6 @@ var _ = Describe("Api", func() { Entry("Is absent on insecure cluster", []string{}, false), Entry("Is empty on insecure cluster", []string{"--tls-cert-file= --tls-private-key-file="}, false), Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true), - Entry("Should be present on Casablanca cluster", kubeApiServerCasablanca, true), Entry("Should be present on Dublin cluster", kubeApiServerDublin, true), ) }) 
@@ -304,7 +256,6 @@ var _ = Describe("Api", func() { Expect(IsInsecureBindAddressAbsentOrLoopback(params)).To(Equal(expected)) }, Entry("Is not absent on insecure cluster", []string{"--insecure-bind-address=1.2.3.4"}, false), - Entry("Is not absent nor set to loopback on Casablanca cluster", kubeApiServerCasablanca, false), Entry("Should be absent or set to loopback on CIS-compliant cluster", kubeApiServerCISCompliant, true), Entry("Should be absent or set to loopback on Dublin cluster", kubeApiServerDublin, true), ) @@ -316,7 +267,6 @@ var _ = Describe("Api", func() { Entry("Is not set on insecure cluster", []string{}, false), Entry("Is explicitly enabled on insecure cluster", []string{"--insecure-port=1234"}, false), Entry("Should be set to 0 on CIS-compliant cluster", kubeApiServerCISCompliant, true), - Entry("Should be set to 0 on Casablanca cluster", kubeApiServerCasablanca, true), Entry("Should be set to 0 on Dublin cluster", kubeApiServerDublin, true), ) @@ -326,7 +276,6 @@ var _ = Describe("Api", func() { }, Entry("Is explicitly disabled on insecure cluster", []string{"--secure-port=0"}, false), Entry("Should be absent or set to valid port on CIS-compliant cluster", kubeApiServerCISCompliant, true), - Entry("Should be absent or set to valid port on Casablanca cluster", kubeApiServerCasablanca, true), Entry("Should be absent or set to valid port on Dublin cluster", kubeApiServerDublin, true), ) }) @@ -339,7 +288,6 @@ var _ = Describe("Api", func() { Entry("Is absent on insecure cluster", []string{}, false), Entry("Is empty on insecure cluster", []string{"--audit-log-maxage="}, false), Entry("Is insufficient on insecure cluster", []string{"--audit-log-maxage=5"}, false), - Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false), Entry("Is absent on Dublin cluster", kubeApiServerDublin, false), Entry("Should be set appropriately on CIS-compliant cluster", kubeApiServerCISCompliant, true), ) 
@@ -351,7 +299,6 @@ var _ = Describe("Api", func() { Entry("Is absent on insecure cluster", []string{}, false), Entry("Is empty on insecure cluster", []string{"--audit-log-maxbackup="}, false), Entry("Is insufficient on insecure cluster", []string{"--audit-log-maxbackup=2"}, false), - Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false), Entry("Is absent on Dublin cluster", kubeApiServerDublin, false), Entry("Should be set appropriately on CIS-compliant cluster", kubeApiServerCISCompliant, true), ) @@ -363,7 +310,6 @@ var _ = Describe("Api", func() { Entry("Is absent on insecure cluster", []string{}, false), Entry("Is empty on insecure cluster", []string{"--audit-log-maxsize="}, false), Entry("Is insufficient on insecure cluster", []string{"--audit-log-maxsize=5"}, false), - Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false), Entry("Is absent on Dublin cluster", kubeApiServerDublin, false), Entry("Should be set appropriately on CIS-compliant cluster", kubeApiServerCISCompliant, true), ) @@ -375,7 +321,6 @@ var _ = Describe("Api", func() { Entry("Is empty on insecure cluster", []string{"--request-timeout="}, false), Entry("Is too high on insecure cluster", []string{"--request-timeout=600"}, false), Entry("Should be set only if needed on CIS-compliant cluster", kubeApiServerCISCompliant, true), - Entry("Should be set only if needed on Casablanca cluster", kubeApiServerCasablanca, true), Entry("Should be set only if needed on Dublin cluster", kubeApiServerDublin, true), ) }) 
@@ -388,7 +333,6 @@ var _ = Describe("Api", func() { Entry("Is not absent on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar,AlwaysAdmit,Baz,Quuz"}, false), Entry("Is not absent on insecure deprecated cluster", []string{"--admission-control=Foo,Bar,AlwaysAdmit,Baz,Quuz"}, false), Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true), - Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true), Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true), ) @@ -398,7 +342,6 @@ var _ = Describe("Api", func() { }, Entry("Is not present on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar"}, false), Entry("Is not present on insecure deprecated cluster", []string{"--admission-control=Foo,Bar"}, false), - Entry("Is not present on Casablanca cluster", kubeApiServerCasablanca, false), Entry("Is not present on Dublin cluster", kubeApiServerDublin, false), Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true), ) @@ -409,7 +352,6 @@ var _ = Describe("Api", func() { }, Entry("Is not present on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar"}, false), Entry("Is not present on insecure deprecated cluster", []string{"--admission-control=Foo,Bar"}, false), - Entry("Is not present on Casablanca cluster", kubeApiServerCasablanca, false), Entry("Is not present on Dublin cluster", kubeApiServerDublin, false), Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true), ) 
@@ -420,7 +362,6 @@ var _ = Describe("Api", func() { }, Entry("Is not present on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar"}, false), Entry("Is not present on insecure deprecated cluster", []string{"--admission-control=Foo,Bar"}, false), - Entry("Is not present on Casablanca cluster", kubeApiServerCasablanca, false), Entry("Is not present on Dublin cluster", kubeApiServerDublin, false), Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true), ) @@ -431,7 +372,6 @@ var _ = Describe("Api", func() { }, Entry("Is not present on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar"}, false), Entry("Is not present on insecure deprecated cluster", []string{"--admission-control=Foo,Bar"}, false), - Entry("Is not present on Casablanca cluster", kubeApiServerCasablanca, false), Entry("Is not present on Dublin cluster", kubeApiServerDublin, false), Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true), ) @@ -443,7 +383,6 @@ var _ = Describe("Api", func() { Entry("Is not present on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar"}, false), Entry("Is not present on insecure deprecated cluster", []string{"--admission-control=Foo,Bar"}, false), Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true), - Entry("Should be present on Casablanca cluster", kubeApiServerCasablanca, true), Entry("Should be present on Dublin cluster", kubeApiServerDublin, true), ) 
@@ -453,7 +392,6 @@ var _ = Describe("Api", func() { }, Entry("Is not present on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar"}, false), Entry("Is not present on insecure deprecated cluster", []string{"--admission-control=Foo,Bar"}, false), - Entry("Is not present on Casablanca cluster", kubeApiServerCasablanca, false), Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true), Entry("Should be present on Dublin cluster", kubeApiServerDublin, true), ) @@ -464,7 +402,6 @@ var _ = Describe("Api", func() { }, Entry("Is not present on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar"}, false), Entry("Is not present on insecure deprecated cluster", []string{"--admission-control=Foo,Bar"}, false), - Entry("Is not present on Casablanca cluster", kubeApiServerCasablanca, false), Entry("Is not present on Dublin cluster", kubeApiServerDublin, false), Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true), ) @@ -475,7 +412,6 @@ var _ = Describe("Api", func() { }, Entry("Is explicitly disabled on insecure cluster", []string{"--disable-admission-plugins=Foo,Bar,NamespaceLifecycle,Baz,Quuz"}, false), Entry("Should not be disabled on CIS-compliant cluster", kubeApiServerCISCompliant, true), - Entry("Should not be disabled on Casablanca cluster", kubeApiServerCasablanca, true), Entry("Should not be disabled on Dublin cluster", kubeApiServerDublin, true), ) @@ -485,7 +421,6 @@ var _ = Describe("Api", func() { }, Entry("Is not explicitly disabled on insecure cluster", []string{}, false), Entry("Is not absent on insecure cluster", []string{"--authorization-mode=Foo,Bar,AlwaysAllow,Baz,Quuz"}, false), - Entry("Is not explicitly disabled on Casablanca cluster", kubeApiServerCasablanca, false), Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true), Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true), ) 
@@ -496,7 +431,6 @@ var _ = Describe("Api", func() { }, Entry("Is not explicitly enabled on insecure cluster", []string{}, false), Entry("Is not present on insecure cluster", []string{"--authorization-mode=Foo,Bar"}, false), - Entry("Is not explicitly enabled on Casablanca cluster", kubeApiServerCasablanca, false), Entry("Should present on CIS-compliant cluster", kubeApiServerCISCompliant, true), Entry("Should present on Dublin cluster", kubeApiServerDublin, true), ) @@ -510,7 +444,6 @@ var _ = Describe("Api", func() { Entry("Is absent on insecure cluster", []string{}, false), Entry("Is empty on insecure cluster", []string{"--tls-cipher-suites="}, false), Entry("Is incomplete on insecure cluster", []string{"--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"}, false), - Entry("Is incomplete on Casablanca cluster", kubeApiServerCasablanca, false), Entry("Is incomplete on Dublin cluster", kubeApiServerDublin, false), Entry("Should be complete on CIS-compliant cluster", kubeApiServerCISCompliant, true), ) diff --git a/test/security/k8s/src/check/validators/master/controllermanager/controllermanager_test.go b/test/security/k8s/src/check/validators/master/controllermanager/controllermanager_test.go index fcd337ac2..05e3cae7e 100644 --- a/test/security/k8s/src/check/validators/master/controllermanager/controllermanager_test.go +++ b/test/security/k8s/src/check/validators/master/controllermanager/controllermanager_test.go 
@@ -21,19 +21,7 @@ var _ = Describe("Controllermanager", func() {
 		"--root-ca-file=/etc/kubernetes/ssl/kube-ca.pem",
 	}
 
-	// kubeControllerManagerCasablanca was obtained from virtual environment for testing
-	// (introduced in Change-Id: I57f9f3caac0e8b391e9ed480f6bebba98e006882).
-	kubeControllerManagerCasablanca = []string{
-		"--kubeconfig=/etc/kubernetes/ssl/kubeconfig",
-		"--address=0.0.0.0",
-		"--root-ca-file=/etc/kubernetes/ssl/ca.pem",
-		"--service-account-private-key-file=/etc/kubernetes/ssl/key.pem",
-		"--allow-untagged-cloud",
-		"--cloud-provider=rancher",
-		"--horizontal-pod-autoscaler-use-rest-clients=false",
-	}
-
-	// kubeControllerManagerCasablanca was obtained from virtual environment for testing
+	// kubeControllerManagerDublin was obtained from virtual environment for testing
 	// (introduced in Change-Id: I54ada5fade3b984dedd1715f20579e3ce901faa3).
 	kubeControllerManagerDublin = []string{
 		"--kubeconfig=/etc/kubernetes/ssl/kubecfg-kube-controller-manager.yaml",
@@ -64,7 +52,6 @@ var _ = Describe("Controllermanager", func() {
 		},
 		Entry("Is not set on insecure cluster", []string{}, false),
 		Entry("Is explicitly enabled on insecure cluster", []string{"--profiling=true"}, false),
-		Entry("Is not set on Casablanca cluster", kubeControllerManagerCasablanca, false),
 		Entry("Should be set to false on CIS-compliant cluster", kubeControllerManagerCISCompliant, true),
 		Entry("Should be set to false on Dublin cluster", kubeControllerManagerDublin, true),
 	)
@@ -75,7 +62,6 @@ var _ = Describe("Controllermanager", func() {
 		},
 		Entry("Is not set on insecure cluster", []string{}, false),
 		Entry("Is explicitly disabled on insecure cluster", []string{"--use-service-account-credentials=false"}, false),
-		Entry("Is not set on Casablanca cluster", kubeControllerManagerCasablanca, false),
 		Entry("Should be set to true on CIS-compliant cluster", kubeControllerManagerCISCompliant, true),
 		Entry("Should be set to true on Dublin cluster", kubeControllerManagerDublin, true),
 	)
@@ -89,7 +75,6 @@ var _ = Describe("Controllermanager", func() {
 		Entry("Is absent on insecure cluster", []string{""}, false),
 		Entry("Is empty on insecure cluster", []string{"--service-account-private-key-file="}, false),
 		Entry("Should be explicitly set on CIS-compliant cluster", kubeControllerManagerCISCompliant, true),
-		Entry("Should be explicitly set on Casablanca cluster", kubeControllerManagerCasablanca, true),
 		Entry("Should be explicitly set on Dublin cluster", kubeControllerManagerDublin, true),
 	)
 
@@ -100,7 +85,6 @@ var _ = Describe("Controllermanager", func() {
 		Entry("Is absent on insecure cluster", []string{""}, false),
 		Entry("Is empty on insecure cluster", []string{"--root-ca-file="}, false),
 		Entry("Should be explicitly set on CIS-compliant cluster", kubeControllerManagerCISCompliant, true),
-		Entry("Should be explicitly set on Casablanca cluster", kubeControllerManagerCasablanca, true),
 		Entry("Should be explicitly set on Dublin cluster", kubeControllerManagerDublin, true),
 	)
 })
@@ -111,7 +95,6 @@ var _ = Describe("Controllermanager", func() {
 			Expect(IsInsecureBindAddressAbsentOrLoopback(params)).To(Equal(expected))
 		},
 		Entry("Is not absent on insecure cluster", []string{"--address=1.2.3.4"}, false),
-		Entry("Is not absent nor set to loopback on Casablanca cluster", kubeControllerManagerCasablanca, false),
 		Entry("Is not absent nor set to loopback on Dublin cluster", kubeControllerManagerDublin, false),
 		Entry("Should be absent or set to loopback on CIS-compliant cluster", kubeControllerManagerCISCompliant, true),
 	)
@@ -124,7 +107,6 @@ var _ = Describe("Controllermanager", func() {
 		},
 		Entry("Is absent on insecure cluster", []string{""}, false),
 		Entry("Is empty on insecure cluster", []string{"--terminated-pod-gc-threshold="}, false),
-		Entry("Is absent on Casablanca cluster", kubeControllerManagerCasablanca, false),
 		Entry("Should be explicitly set on CIS-compliant cluster", kubeControllerManagerCISCompliant, true),
 		Entry("Should be explicitly set on Dublin cluster", kubeControllerManagerDublin, true),
 	)
@@ -137,7 +119,6 @@ var _ = Describe("Controllermanager", func() {
 		},
 		Entry("Is not enabled on insecure cluster", []string{"--feature-gates=Foo=Bar,Baz=Quuz"}, false),
 		Entry("Is explicitly disabled on insecure cluster", []string{"--feature-gates=Foo=Bar,RotateKubeletServerCertificate=false,Baz=Quuz"}, false),
-		Entry("Is not enabled on Casablanca cluster", kubeControllerManagerCasablanca, false),
 		Entry("Is not enabled on Dublin cluster", kubeControllerManagerDublin, false),
 		Entry("Should be enabled on CIS-compliant cluster", kubeControllerManagerCISCompliant, true),
 	)
diff --git a/test/security/k8s/src/check/validators/master/scheduler/scheduler_test.go b/test/security/k8s/src/check/validators/master/scheduler/scheduler_test.go
index 4166a58d7..7fb13b820 100644
--- a/test/security/k8s/src/check/validators/master/scheduler/scheduler_test.go
+++ b/test/security/k8s/src/check/validators/master/scheduler/scheduler_test.go
@@ -16,14 +16,7 @@ var _ = Describe("Scheduler", func() {
 		"--profiling=false",
 	}
 
-	// kubeSchedulerCasablanca was obtained from virtual environment for testing
-	// (introduced in Change-Id: I57f9f3caac0e8b391e9ed480f6bebba98e006882).
-	kubeSchedulerCasablanca = []string{
-		"--kubeconfig=/etc/kubernetes/ssl/kubeconfig",
-		"--address=0.0.0.0",
-	}
-
-	// kubeSchedulerCasablanca was obtained from virtual environment for testing
+	// kubeSchedulerDublin was obtained from virtual environment for testing
 	// (introduced in Change-Id: I54ada5fade3b984dedd1715f20579e3ce901faa3).
 	kubeSchedulerDublin = []string{
 		"--kubeconfig=/etc/kubernetes/ssl/kubecfg-kube-scheduler.yaml",
@@ -41,7 +34,6 @@ var _ = Describe("Scheduler", func() {
 		},
 		Entry("Is not set on insecure cluster", []string{}, false),
 		Entry("Is explicitly enabled on insecure cluster", []string{"--profiling=true"}, false),
-		Entry("Is not set on Casablanca cluster", kubeSchedulerCasablanca, false),
 		Entry("Should be set to false on CIS-compliant cluster", kubeSchedulerCISCompliant, true),
 		Entry("Should be set to false on Dublin cluster", kubeSchedulerDublin, true),
 	)
@@ -53,7 +45,6 @@ var _ = Describe("Scheduler", func() {
 			Expect(IsInsecureBindAddressAbsentOrLoopback(params)).To(Equal(expected))
 		},
 		Entry("Is not absent on insecure cluster", []string{"--address=1.2.3.4"}, false),
-		Entry("Is not absent nor set to loopback on Casablanca cluster", kubeSchedulerCasablanca, false),
 		Entry("Is not absent nor set to loopback on Dublin cluster", kubeSchedulerDublin, false),
 		Entry("Should be absent or set to loopback on CIS-compliant cluster", kubeSchedulerCISCompliant, true),
 	)
diff --git a/test/security/k8s/tools/casablanca/get_customization_scripts.sh b/test/security/k8s/tools/casablanca/get_customization_scripts.sh
deleted file mode 100755
index 028f002fc..000000000
--- a/test/security/k8s/tools/casablanca/get_customization_scripts.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/usr/bin/env bash
-
-wget \
- 'https://docs.onap.org/en/casablanca/_downloads/0b365a2342af5abd655f1724b962f5b5/openstack-rancher.sh' \
- 'https://docs.onap.org/en/casablanca/_downloads/b20b581d56982e9f15a72527a358d56b/openstack-k8s-node.sh'
diff --git a/test/security/k8s/tools/casablanca/get_ranchercli.sh b/test/security/k8s/tools/casablanca/get_ranchercli.sh
deleted file mode 100755
index 8ffbc5f58..000000000
--- a/test/security/k8s/tools/casablanca/get_ranchercli.sh
+++ /dev/null
@@ -1,45 +0,0 @@
-#!/usr/bin/env bash
-
-#
-# @file test/security/k8s/tools/casablanca/get_ranchercli.sh
-# @author Pawel Wieczorek <p.wieczorek2@samsung.com>
-# @brief Utility for obtaining Rancher CLI tool
-#
-
-# Dependencies:
-# wget
-# tar
-# coreutils
-#
-# Privileges:
-# Script expects to be run with administrative privileges for accessing /usr/local/bin
-#
-# Usage:
-# # ./get_ranchercli.sh [VERSION [ARCH [SYSTEM]]]
-#
-
-# Constants
-DEFAULT_VERSION='v0.6.12'
-DEFAULT_ARCH='amd64'
-DEFAULT_SYSTEM='linux'
-
-# Variables
-VERSION="${1:-$DEFAULT_VERSION}"
-ARCH="${2:-$DEFAULT_ARCH}"
-SYSTEM="${3:-$DEFAULT_SYSTEM}"
-
-ARCHIVE="rancher-${SYSTEM}-${ARCH}-${VERSION}.tar.gz"
-DIRECTORY="rancher-${VERSION}"
-URL="https://releases.rancher.com/cli/${VERSION}/${ARCHIVE}"
-
-
-# Prerequistes
-wget "$URL"
-tar xf "$ARCHIVE"
-
-# Installation
-mv "${DIRECTORY}/rancher" /usr/local/bin/
-
-# Cleanup
-rmdir "$DIRECTORY"
-rm "$ARCHIVE"
diff --git a/test/security/k8s/tools/casablanca/imported/openstack-k8s-node.sh b/test/security/k8s/tools/casablanca/imported/openstack-k8s-node.sh
deleted file mode 100644
index b8462aa5e..000000000
--- a/test/security/k8s/tools/casablanca/imported/openstack-k8s-node.sh
+++ /dev/null
@@ -1,46 +0,0 @@
-#!/bin/bash
-
-DOCKER_VERSION=17.03
-KUBECTL_VERSION=1.11.2
-HELM_VERSION=2.9.1
-
-# setup root access - default login: oom/oom - comment out to restrict access too ssh key only
-sed -i 's/PermitRootLogin.*/PermitRootLogin yes/' /etc/ssh/sshd_config
-sed -i 's/PasswordAuthentication.*/PasswordAuthentication yes/' /etc/ssh/sshd_config
-service sshd restart
-echo -e "oom\noom" | passwd root
-
-apt-get update
-curl https://releases.rancher.com/install-docker/$DOCKER_VERSION.sh | sh
-mkdir -p /etc/systemd/system/docker.service.d/
-cat > /etc/systemd/system/docker.service.d/docker.conf << EOF
-[Service]
-ExecStart=
-ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry=nexus3.onap.org:10001
-EOF
-systemctl daemon-reload
-systemctl restart docker
-apt-mark hold docker-ce
-
-IP_ADDY=`ip address |grep ens|grep inet|awk '{print $2}'| awk -F / '{print $1}'`
-HOSTNAME=`hostname`
-
-echo "$IP_ADDY $HOSTNAME" >> /etc/hosts
-
-docker login -u docker -p docker nexus3.onap.org:10001
-
-sudo apt-get install make -y
-
-sudo curl -LO https://storage.googleapis.com/kubernetes-release/release/v$KUBECTL_VERSION/bin/linux/amd64/kubectl
-sudo chmod +x ./kubectl
-sudo mv ./kubectl /usr/local/bin/kubectl
-sudo mkdir ~/.kube
-wget http://storage.googleapis.com/kubernetes-helm/helm-v${HELM_VERSION}-linux-amd64.tar.gz
-sudo tar -zxvf helm-v${HELM_VERSION}-linux-amd64.tar.gz
-sudo mv linux-amd64/helm /usr/local/bin/helm
-
-# install nfs
-sudo apt-get install nfs-common -y
-
-
-exit 0
diff --git a/test/security/k8s/tools/casablanca/imported/openstack-rancher.sh b/test/security/k8s/tools/casablanca/imported/openstack-rancher.sh
deleted file mode 100644
index bcf542aed..000000000
--- a/test/security/k8s/tools/casablanca/imported/openstack-rancher.sh
+++ /dev/null
@@ -1,51 +0,0 @@
-#!/bin/bash
-
-DOCKER_VERSION=17.03
-RANCHER_VERSION=1.6.22
-KUBECTL_VERSION=1.11.2
-HELM_VERSION=2.9.1
-
-# setup root access - default login: oom/oom - comment out to restrict access too ssh key only
-sed -i 's/PermitRootLogin.*/PermitRootLogin yes/' /etc/ssh/sshd_config
-sed -i 's/PasswordAuthentication.*/PasswordAuthentication yes/' /etc/ssh/sshd_config
-service sshd restart
-echo -e "oom\noom" | passwd root
-
-apt-get update
-curl https://releases.rancher.com/install-docker/$DOCKER_VERSION.sh | sh
-mkdir -p /etc/systemd/system/docker.service.d/
-cat > /etc/systemd/system/docker.service.d/docker.conf << EOF
-[Service]
-ExecStart=
-ExecStart=/usr/bin/dockerd -H fd:// --insecure-registry=nexus3.onap.org:10001
-EOF
-systemctl daemon-reload
-systemctl restart docker
-apt-mark hold docker-ce
-
-IP_ADDY=`ip address |grep ens|grep inet|awk '{print $2}'| awk -F / '{print $1}'`
-HOSTNAME=`hostname`
-
-echo "$IP_ADDY $HOSTNAME" >> /etc/hosts
-
-docker login -u docker -p docker nexus3.onap.org:10001
-
-sudo apt-get install make -y
-
-sudo docker run -d --restart=unless-stopped -p 8080:8080 --name rancher_server rancher/server:v$RANCHER_VERSION
-sudo curl -LO https://storage.googleapis.com/kubernetes-release/release/v$KUBECTL_VERSION/bin/linux/amd64/kubectl
-sudo chmod +x ./kubectl
-sudo mv ./kubectl /usr/local/bin/kubectl
-sudo mkdir ~/.kube
-wget http://storage.googleapis.com/kubernetes-helm/helm-v${HELM_VERSION}-linux-amd64.tar.gz
-sudo tar -zxvf helm-v${HELM_VERSION}-linux-amd64.tar.gz
-sudo mv linux-amd64/helm /usr/local/bin/helm
-
-# nfs server
-sudo apt-get install nfs-kernel-server -y
-
-sudo mkdir -p /nfs_share
-sudo chown nobody:nogroup /nfs_share/
-
-
-exit 0
diff --git a/test/security/k8s/vagrant/casablanca/Vagrantfile b/test/security/k8s/vagrant/casablanca/Vagrantfile
deleted file mode 100644
index c7e6883ce..000000000
--- a/test/security/k8s/vagrant/casablanca/Vagrantfile
+++ /dev/null
@@ -1,48 +0,0 @@
-# -*- mode: ruby -*-
-# -*- coding: utf-8 -*-
-
-host_ip = "192.168.121.1"
-
-rancher_port = 8080
-
-vm_memory = 2 * 1024
-vm_cpus = 1
-vm_box = "generic/ubuntu1604"
-
-cluster = [
- { name: 'master', hostname: 'master', ip: '172.17.3.100' },
- { name: 'worker', hostname: 'worker', ip: '172.17.3.101' }
-]
-
-Vagrant.configure('2') do |config|
- cluster.each do |node|
- config.vm.define node[:name] do |config|
- config.vm.box = vm_box
- config.vm.hostname = node[:hostname]
-
- config.vm.provider :virtualbox do |v|
- v.name = node[:name]
- v.memory = vm_memory
- v.cpus = vm_cpus
- end
-
- config.vm.provider :libvirt do |v|
- v.memory = vm_memory
- v.cpus = vm_cpus
- end
-
- config.vm.network :private_network, ip: node[:ip]
- config.vm.provision :shell, inline: "echo nameserver #{host_ip} | resolvconf -a eth0.inet"
-
- if node[:name] == 'master'
- config.vm.network "forwarded_port", guest: rancher_port, host: rancher_port
- config.vm.provision :shell, path: "../../tools/casablanca/imported/openstack-rancher.sh"
- config.vm.provision :shell, path: "../../tools/casablanca/get_ranchercli.sh"
- end
-
- if node[:name] == 'worker'
- config.vm.provision :shell, path: "../../tools/casablanca/imported/openstack-k8s-node.sh"
- end
- end
- end
-end |