aboutsummaryrefslogtreecommitdiffstats
path: root/test/security
AgeCommit message (Collapse)AuthorFilesLines
2020-01-29k8s: Mock etcd information collectionPawel Wieczorek5-2/+42
Rancher does not provide information on etcd as container arguments. Its collection requires implementation of a new information extraction method. RKE does not include etcd process name in container arguments. Issue-ID: SECCOM-235 Change-Id: I7576474fb2848962360771d2850aeb3f3869790a Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2020-01-29k8s: Validate controller manager flags requiring appropriate valuesPawel Wieczorek3-0/+58
This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections regarding master node configuration are satisfied (1.3.1 and 1.3.4 - 1.3.5). Issue-ID: SECCOM-235 Change-Id: I418034ea98423142f4875b97a8e6a22e8b4cd112 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2020-01-28Extend label matching for cluster node's External IPPawel Wieczorek1-2/+2
This patch also fixes minor typo. Issue-ID: SECCOM-261 Change-Id: I4326106f14381ec652eb493bf0a87fb1d82ea3fb Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-12-18Ingress controller and node port scannerLucjan Bryndza1-0/+266
This tool reads K8S NodePort and Ingress service configurations and scans for service availability Signed-off-by: Lucjan Bryndza <l.bryndza@samsung.com> Change-Id: Ie9681ffe957317ed1f1c77ac9d6c90d677df294b Issue-ID: OOM-2240 Signed-off-by: Lucjan Bryndza <l.bryndza@samsung.com>
2019-10-01k8s: Validate controller manager flags requiring specific valuesPawel Wieczorek3-1/+60
This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections regarding master node configuration are satisfied (1.3.2 - 1.3.3 and 1.3.6). Issue-ID: SECCOM-235 Change-Id: I9c2921faf40ad9445e983f2b9bd0610e556cfe15 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-30k8s: Resolve Docker response formatting issuePawel Wieczorek2-0/+18
Checker collects information on cluster by Docker queries: $ docker ps ARGS... # Casablanca $ docker inspect ARGS... # Dublin Arrays of values are then filtered from those. They include: * opening bracket ('['), * closing bracket (']'), * new line. Additional characters affect check results if last flag (including "]\n") requires specific value. Issue-ID: SECCOM-235 Change-Id: I6838342b7e2ecdc44a47ffe02286266003e0b4d3 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-30k8s: Resolve address conflicts in virtual environmentsPawel Wieczorek3-7/+7
Running Casablanca and Dublin virtual environments at the same time led to networking issues - the same IP had been assigned to cluster nodes. Issue-ID: SECCOM-235 Change-Id: I2a59d023115326f5b132782a32190fd8f7dc1f48 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-27k8s: Validate controller manager address flagPawel Wieczorek5-1/+98
This patch verifies if CIS Kubernetes Benchmark v1.3.0 section regarding master node configuration is satisfied (1.3.7). Issue-ID: SECCOM-235 Change-Id: Id3f4bcb9a506dae3c7c0a884ad6c704dfae2a6d8 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-27k8s: Add controller manager information collectionPawel Wieczorek4-2/+27
Issue-ID: SECCOM-235 Change-Id: Ieceb6337f935e6a5a6b94248ccf072229116510a Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-27k8s: Validate scheduler flagsPawel Wieczorek5-1/+101
Issue-ID: SECCOM-235 Change-Id: I61df142e99a7f1da335471acab88e5a47d72df15 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-27k8s: Add scheduler information collectionPawel Wieczorek4-2/+27
Issue-ID: SECCOM-235 Change-Id: I7da645737440172d3cf11f33069daa2697f83056 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-27k8s: Extract common validators for DRY codePawel Wieczorek3-205/+232
Issue-ID: SECCOM-235 Change-Id: Ic5997b67d0512bea51c3b4a4c71805987fa6f011 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-27k8s: Extract common interface to simplify developmentPawel Wieczorek5-81/+142
Common command and service name extraction is intended to limit execution to small set of allowed processes. This patch also drops unnecessary use of "Kubernetes" name because this whole subproject concerns its clusters. Issue-ID: SECCOM-235 Change-Id: I8babfeb4f24cf3baa4d236ca622c21170ab6205e Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-26k8s: Change default cluster access method choice logicPawel Wieczorek1-1/+6
Previous way of choosing it led to impractical calls, e.g. $ ./check -rke # (works fine) $ ./check -ranchercli # "Not supported." $ ./check -ranchercli -rke=false # (works fine) Disabling default cluster access method is no longer necessary. Issue-ID: SECCOM-235 Change-Id: I2b4d5bff10c5470e567351abeac0431bed3b7938 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-26k8s: Declutter checker by dividing it into smaller packagesPawel Wieczorek5-52/+64
Issue-ID: SECCOM-235 Change-Id: I7d4efd08b8c0258f2f9c33772bf1b1b02cedebfa Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-26k8s: Call correct methods for API server auditing flags validationPawel Wieczorek1-3/+3
Issue-ID: SECCOM-235 Change-Id: Ia5d75628b1c5211f378c239f84e9689d45697a04 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-26k8s: Validate API server request timeoutPawel Wieczorek3-0/+39
This patch verifies if CIS Kubernetes Benchmark v1.3.0 section regarding master node configuration is satisfied (1.1.38). Issue-ID: SECCOM-235 Change-Id: Ic1f175d577c79013ddb49e02b8de69137535c964 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-26k8s: Validate API server included authorization modePawel Wieczorek3-2/+19
This patch verifies if CIS Kubernetes Benchmark v1.3.0 section regarding master node configuration is satisfied (1.1.32). It also fixes wrong documentation comment for similar validator (1.1.19). Issue-ID: SECCOM-235 Change-Id: I00cb8a458871b091b16fe60fc0087b7972aa3b6b Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-26k8s: Validate API server crypto ciphers in usePawel Wieczorek3-0/+31
This patch verifies if CIS Kubernetes Benchmark v1.3.0 section regarding master node configuration is satisfied (1.1.30). It also covers its duplicate (1.1.39). Issue-ID: SECCOM-235 Change-Id: I0f3031c080cf225e7c2c03e65dd0bfc780326307 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-19k8s: Validate API server certificates and keysPawel Wieczorek3-0/+79
This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections regarding master node configuration are satisfied (1.1.22, 1.1.25 - 1.1.26 and 1.1.28). Issue-ID: SECCOM-235 Change-Id: Ic61a796653dc868d20fe69c3ed508e7fa8ba52db Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-19k8s: Validate API server Certificate AuthoritiesPawel Wieczorek3-0/+55
This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections regarding master node configuration are satisfied (1.1.21, 1.1.29 and 1.1.31). Issue-ID: SECCOM-235 Change-Id: Ia2f55f6962885a7aa878c970a406189902cfab10 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-19k8s: Validate API server auditing flagsPawel Wieczorek3-0/+82
This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections regarding master node configuration are satisfied (1.1.16 - 1.1.18). Issue-ID: SECCOM-235 Change-Id: I27b63e37fc3203cf3574b9e1cdc43333041f2a36 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-19k8s: Validate API server auditing is enabledPawel Wieczorek3-0/+33
This patch verifies if CIS Kubernetes Benchmark v1.3.0 section regarding master node configuration is satisfied (1.1.15). Issue-ID: SECCOM-235 Change-Id: Ia1d27ed7a9e439bb0abf4bd8941bdd4573a50bd5 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-19k8s: Group tests by flag typePawel Wieczorek1-53/+59
Issue-ID: SECCOM-235 Change-Id: I25ebd2930afec6eb259f0a678fffbf7727eb315b Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-19k8s: Validate API server not excluded authorization modePawel Wieczorek3-0/+20
This patch verifies if CIS Kubernetes Benchmark v1.3.0 section regarding master node configuration is satisfied (1.1.19). Issue-ID: SECCOM-235 Change-Id: I00c9600fd0d351afb7141a5fa16f348eab67b12d Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-19k8s: Validate API server not excluded admission pluginsPawel Wieczorek3-0/+20
This patch verifies if CIS Kubernetes Benchmark v1.3.0 section regarding master node configuration is satisfied (1.1.14). Issue-ID: SECCOM-235 Change-Id: I63c2f8a5b94bfd6c9963805aae85595e6b6ad6d7 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-17k8s: Validate API server included admission pluginsPawel Wieczorek3-1/+164
This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections regarding master node configuration are satisfied (1.1.11 - 1.1.13, 1.1.24, 1.1.27, 1.1.33 and 1.1.36). Issue-ID: SECCOM-235 Change-Id: I920bfd42014b8458126be251648f5bf3dcd84c16 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-17k8s: Validate API server excluded admission pluginsPawel Wieczorek3-0/+53
This patch verifies if CIS Kubernetes Benchmark v1.3.0 section regarding master node configuration is satisfied (1.1.10). However, CIS Kubernetes Benchmark v1.3.0 mismatches official documentation: Kubernetes 1.10+ already provides safe defaults from security standpoint [1] (ONAP Casablanca uses 1.11). Deprecated admission control plugin flag has also been validated since it was still available in Kubernetes provided by Rancher [2]. [1] https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#is-there-a-recommended-set-of-admission-controllers-to-use [2] https://github.com/rancher/rancher/issues/15064 Issue-ID: SECCOM-235 Change-Id: I0e8fe9f885861f155cb8265df085fa93dbdff6d2 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-17k8s: Add note on release-specific dependenciesPawel Wieczorek1-0/+2
Issue-ID: SECCOM-235 Change-Id: I35d3e3f413542c69718d17ae25f227275270c8cf Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-08-07k8s: Add Makefile targets for testingPawel Wieczorek2-3/+19
Issue-ID: SECCOM-235 Change-Id: I6ac5f3c160f1cd1d8faac90576ab943d4ed213a5 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-08-07k8s: Add Makefile targets for external dependenciesPawel Wieczorek2-4/+20
Building "check" binary now requires several external dependencies. To minimize setup effort, convenience make targets were provided. Issue-ID: SECCOM-235 Change-Id: Iec74c0652a5ed3a90d4504216b00ef20bdb7e81f Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-08-07k8s: Add support for RKE-deployed clustersPawel Wieczorek3-1/+232
RKE is used as a Kubernetes cluster deployment method from ONAP Dublin release. RKE cluster definition is used to get access to necessary information. Issue-ID: SECCOM-235 Change-Id: I588598011ea746b5f7ba327a48f1cea605e56d31 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-08-07k8s: Add test cases for Dublin API serverPawel Wieczorek1-0/+56
Issue-ID: SECCOM-235 Change-Id: Ie6d43b9db767f191f883a2912916bc8abf9d3ad6 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-08-07k8s: Unify order of API server test casesPawel Wieczorek1-1/+1
So far CIS-compliant configuration has been validated first unless configuration used in ONAP release did not pass given benchmark. Issue-ID: SECCOM-235 Change-Id: Ibdb523ab7ab6b8285757719721f75aca57beeb82 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-07-31k8s: Make ONAP context default for kubectlPawel Wieczorek1-1/+12
This patch uses previously added alias for kubectl context switching in case it is needed as a template for other contexts as well. Issue-ID: SECCOM-235 Change-Id: Ie92641ee3763a027cd74dd21bf4364a2d796eb1d Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-07-31k8s: Silence package manager and make it noninteractivePawel Wieczorek2-6/+20
This patch sets debconf frontend to noninteractive by including additional field in the first stanza of configuration file. Its placement has been chosen arbitrarily - both 'Config' and 'Templates' fields "are required in this first stanza" [1]. It also makes symlinking script more generic. [1] man 5 debconf.conf (provided by "debconf-doc" in Ubuntu) Issue-ID: SECCOM-235 Change-Id: If9dcc712d1ff7f527d3bc59f4c1709cffe4cbda5 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-07-31k8s: Add kubectl provisioners (downloading and setting up)Pawel Wieczorek4-3/+91
Setting up kubectl depends on presence of K8s cluster post-deployment artifacts, hence it's disabled by default. Relevant information added to post-up message. This patch also removes unneeded curly braces from "tools/dublin/get_rke.sh" script. Issue-ID: SECCOM-235 Change-Id: I917ebbda588639f0941e16c65759430a7a1e64ff Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-07-31k8s: Make operator machine destruction gracefulPawel Wieczorek1-0/+5
Issue-ID: SECCOM-235 Change-Id: I9913d9a8f525b4b9582bf821008dd567258a719c Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-07-31k8s: Add post-up message for actual cluster creationPawel Wieczorek1-0/+4
Issue-ID: SECCOM-235 Change-Id: I8f9d4362da50a8b3f2aa1baf3633d818da2ed3a5 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-07-29k8s: Allow Dublin cluster creation using RKEPawel Wieczorek2-6/+75
This patch adds sample cluster.yml which is based on Dublin cluster configuration file [1]. Main difference is in avoiding repetition by using anchors and alias nodes. Actual cluster creation provisioner is disabled by default because 'control' and 'worker' nodes might not be ready yet. [1] https://docs.onap.org/en/dublin/_downloads/27934fe702048777f312d77dc30cd05a/cluster.yml Issue-ID: SECCOM-235 Change-Id: Ibba0e754ba87e334cdaa61de83e48107f91083d9 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-07-26k8s: Extract hardcoded synced folder for dotfilesPawel Wieczorek1-4/+13
Issue-ID: SECCOM-235 Change-Id: I85efb88476cb1d6bfaee44b6bcd6275477e77ba5 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-07-26k8s: Use named provisionersPawel Wieczorek1-11/+11
This not only makes testing easier, but also allows better control over VM provisioning after its creation. Issue-ID: SECCOM-235 Change-Id: I29ab3ed46976267e1043c2f61f56578f2c5d7a57 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-07-26k8s: Add simple logging to provisioning scriptsPawel Wieczorek1-1/+9
Issue-ID: SECCOM-235 Change-Id: Iaeb4b3e621f09ea14b9576126223e4df4b8682f3 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-07-26k8s: Unify provisioning scriptsPawel Wieczorek1-11/+19
This patch: * removes remaining string interpolation (for future script reuse), * makes DNS replacement provisioner always run. This way VM definition is more concise and resilient. Issue-ID: SECCOM-235 Change-Id: I382dae5e256b46577c4c8af3aa45ab4d64d1b2b9 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-07-26k8s: Remove repetition from provisioning scriptsPawel Wieczorek1-2/+7
Issue-ID: SECCOM-235 Change-Id: If286ba074ee74c43705197a30c50322d5162e6fc Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-07-26k8s: Remove hardcoded password for 'vagrant' userPawel Wieczorek1-6/+19
Password for 'vagrant' user is now passed through exported environmental variable. This patch also: * removes the assumption of having 'vagrant' user on cluster nodes (for future scripts reuse), * removes mixed string interpolation and passing shell variables, * replaces '~' with '$HOME' for proper substitiution. Issue-ID: SECCOM-235 Change-Id: Id9e7b6acccd902de4c414cd8a0f095ac135fee5a Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-07-26k8s: Silence download utilitiesPawel Wieczorek3-0/+21
This patch intends to make virtual environment creation logs more readable. Parameters were chosen in a way errors will still be shown the operator. This patch might also prove itself useful in other virtual environment creation tools such as 'devtool' [1] (unless maintainers insist on having full logs). [1] https://git.onap.org/integration/devtool Issue-ID: SECCOM-235 Change-Id: I5e07b1b1ed37d36470c18ba0cfe653e40eff300b Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-07-24k8s: Change virtual environment utility scripts privilege requirementsPawel Wieczorek2-4/+37
This patch also extends in-file comment on scripts' requirements and suggested usage. Issue-ID: SECCOM-235 Change-Id: I0dddbad79fb3392ffe35c3e06d4006cd499d9923 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-07-24k8s: Add "vagrant" user to "docker" group in virtual environmentPawel Wieczorek1-0/+2
Node customization scripts do that for "ubuntu" user only (added by default on OpenStack images). Vagrant boxes use "vagrant" user [1] instead. [1] https://www.vagrantup.com/docs/boxes/base.html#quot-vagrant-quot-user Issue-ID: SECCOM-235 Change-Id: Ic4f832aa9a37230503e3c5bd29f8ae5fcd3883db Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-07-21k8s: Add virtual environment for DublinPawel Wieczorek5-0/+164
Default cluster nodes customization scripts were extracted in the same manner as those for Casablanca release [1]. Constraints still apply. [1] SHA-1: ea8bc1a719a36c89e7eae42080b1835e5ef0c28d (Change-Id: I57f9f3caac0e8b391e9ed480f6bebba98e006882) Issue-ID: SECCOM-235 Change-Id: I54ada5fade3b984dedd1715f20579e3ce901faa3 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>