authormrichomme <morgan.richomme@orange.com>2020-04-20 14:50:27 +0200
committermrichomme <morgan.richomme@orange.com>2020-04-20 14:50:27 +0200
commit5de622a8247c4cf4fc2bd4e5f8a947e60a8c4bfb (patch)
tree2038bfaa94413367fd46e8bcd38600f2e49dac05 /security/scripts
parent3c64be99c3c24930674e9fa657993d95cbd2fe6d (diff)
Resync integration/xtesting repo
Issue-ID: INT-1366 Signed-off-by: mrichomme <morgan.richomme@orange.com> Change-Id: I3af9c4697f0e67d3ce5b6d2fceeb978aeb20a0ff
Diffstat (limited to 'security/scripts')
-rw-r--r--security/scripts/check_cis_kubernetes.sh25
-rw-r--r--security/scripts/check_security_root.sh76
-rw-r--r--security/scripts/check_unlimitted_pods.sh28
-rw-r--r--security/scripts/root_pods_xfail.txt33
4 files changed, 162 insertions, 0 deletions
diff --git a/security/scripts/check_cis_kubernetes.sh b/security/scripts/check_cis_kubernetes.sh
new file mode 100644
index 0000000..33ffdf5
--- /dev/null
+++ b/security/scripts/check_cis_kubernetes.sh
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+echo "------------------------------------------------------------------------"
+echo "-------------------- ONAP Security tests ----------------------------"
+echo "----------------- Test if K8S is CIS compliant ----------------------"
+echo "------------------------------------------------------------------------"
+
+code=0
+
+CIS_VERSION=${CIS_VERSION:-1.4}
+echo "Running CIS test case version ${CIS_VERSION}"
+kube-bench master --benchmark cis-${CIS_VERSION} > cis_full_test.txt
+cat cis_full_test.txt | grep "\[FAIL]" > cisK8s.txt
+
+if [ -s cisK8s.txt ]
+then
+ code=1
+ nb_errors=`cat cisK8s.txt | wc -l`
+ echo "Test FAIL: $nb_errors assertions not passed"
+ cat cis_full_test.txt
+else
+ echo "Test PASS: Kubernetes Deployment is CIS compatible"
+fi
+
+exit $code
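Review bot: A kube-bench failure (binary not on PATH, benchmark name unknown, RBAC denied) leaves cis_full_test.txt empty, so the following `grep "\[FAIL]"` finds nothing and the script prints `Test PASS` with exit 0 — the gate fails open exactly when the scanner did not run. The invocation should be checked and the benchmark argument quoted: `kube-bench master --benchmark "cis-${CIS_VERSION}" > cis_full_test.txt || { echo "kube-bench failed"; exit 2; }`. The `cat | grep` and `cat | wc -l` chains can be collapsed to `nb_errors=$(grep -c '\[FAIL]' cis_full_test.txt)`, which also removes the backticks. The output files are written to the current directory with fixed names, so two concurrent runs in the same workspace overwrite each other; `mktemp` or a run-specific directory would avoid that.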
diff --git a/security/scripts/check_security_root.sh b/security/scripts/check_security_root.sh
new file mode 100644
index 0000000..ca388fd
--- /dev/null
+++ b/security/scripts/check_security_root.sh
@@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+
+usage() {
+ cat <<EOF
+Usage: $(basename $0) <k8s-namespace> [-l <white list file>]
+ -l: rooted pod xfail file
+EOF
+ exit ${1:-0}
+}
+
+if [ "$#" -lt 1 ]; then
+ usage
+ exit 1
+fi
+
+K8S_NAMESPACE=$1
+FILTERED_PODS_LIST=$(mktemp rooted_pods_XXXXXX)
+WL_RAW_FILE_PATH=$(mktemp raw_filtered_pods_XXXXXX)
+
+manage_white_list() {
+ # init filtered port list file
+ if [ ! -f $WL_FILE_PATH ];then
+ echo "File not found"
+ usage
+ fi
+ grep -o '^[^#]*' $WL_FILE_PATH > $WL_RAW_FILE_PATH
+}
+
+### getopts
+while :
+do
+ case $2 in
+ -h|--help|help) usage;;
+ -l) WL_FILE_PATH=$3;manage_white_list;shift;;
+ -*) usage 1 ;;
+ *) break ;;
+ esac
+done
+
+echo "------------------------------------------------------------------------"
+echo "-------------------- ONAP Security tests ----------------------------"
+echo "-------------------- Test root user in pods -------------------------"
+echo "------------------------------------------------------------------------"
+
+code=0
+
+# get the pod list
+for pod in `kubectl get pod -n $K8S_NAMESPACE| grep "Running" | grep -v functest | grep -v integration | awk '{print $1}'` ;do
+ list=`kubectl top pod $pod --containers -n onap |grep -v "POD"|awk '{print $1":"$2}'`;
+ for po in $list; do
+ contname=`echo $po|cut -d':' -f2`;uid=`kubectl exec $pod --container $contname -n $K8S_NAMESPACE id|sed -r "s/^uid=(.*) gid.*$/\1/"`;echo "POD: $pod container: $contname uid: $uid";
+ done;
+done | grep root > $FILTERED_PODS_LIST
+
+while IFS= read -r line; do
+ # for each line we test if it is in the white list with a regular expression
+ while IFS= read -r wl_line; do
+ wl_name=$(echo $wl_line | awk {'print $1'})
+ if grep -e $K8S_NAMESPACE-$wl_name <<< "$line" > /dev/null ;then
+ # Found in white list, exclude it
+ sed -i "/$line/d" $FILTERED_PODS_LIST
+ fi
+ done < $WL_RAW_FILE_PATH
+done < $FILTERED_PODS_LIST
+
+if [ -s $FILTERED_PODS_LIST ]
+then
+ code=1
+ nb_errors=`cat $FILTERED_PODS_LIST | wc -l`
+ echo "Test FAIL: $nb_errors pod(s) launched as root found"
+ cat $FILTERED_PODS_LIST
+else
+ echo "Test PASS: No pod launched as root found"
+fi
+
+exit $code
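Review bot: The container listing inside the pod loop hard-codes the namespace (`kubectl top pod $pod --containers -n onap`) while every other kubectl call uses `$K8S_NAMESPACE`, so for any other namespace the inner loop sees no containers, nothing is written to the filtered list and the script prints `Test PASS` without having inspected a single pod; replace `-n onap` with `-n $K8S_NAMESPACE` on that line, and note that a failing `kubectl top` (no metrics-server) produces the same silent pass. manage_white_list has the same fail-open shape: a missing `-l` file prints "File not found" and then calls `usage` with no argument, which exits 0, so it should be `usage 1`. In the whitelist loop, `sed -i "/$line/d" $FILTERED_PODS_LIST` interpolates the pod line into a regex and rewrites the very file the outer `while read` is iterating over; a `/` or regex metacharacter in a pod or container name breaks the expression, and a fixed-string filter into a second temp file (`grep -v -F -- "$line"`) would be both safer and simpler. Finally the two `mktemp` files are created in the current directory and never removed — a `trap 'rm -f -- "$FILTERED_PODS_LIST" "$WL_RAW_FILE_PATH"' EXIT` after they are created would clean up on every exit path.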
diff --git a/security/scripts/check_unlimitted_pods.sh b/security/scripts/check_unlimitted_pods.sh
new file mode 100644
index 0000000..fdef6f3
--- /dev/null
+++ b/security/scripts/check_unlimitted_pods.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+echo "------------------------------------------------------------------------"
+echo "-------------------- ONAP Security tests ----------------------------"
+echo "-------------------- Test pods without limit ------------------------"
+echo "------------------------------------------------------------------------"
+
+code=0
+
+# get the pod list
+for pod in `kubectl get pod -n onap|grep -v "NAME"|grep "Running\|Completed" |grep -v functest |grep -v integration | awk '{print $1}'`;do
+ kubectl describe pod $pod -n onap|grep "Limits";
+ if [ $? == 1 ] ; then
+ echo $pod ;
+ fi;
+done | grep -v Limits > NoLimitContainer.txt
+
+if [ -s NoLimitContainer.txt ]
+then
+ code=1
+ nb_errors=`cat NoLimitContainer.txt | wc -l`
+ echo "Test FAIL: $nb_errors pod(s) launched without limit"
+ cat NoLimitContainer.txt
+else
+ echo "Test PASS: No pod launched without limit"
+fi
+
+exit $code
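Review bot: The limit check is per pod rather than per container: `kubectl describe pod $pod -n onap|grep "Limits"` succeeds as soon as any one container declares limits, so a multi-container pod where only a sidecar is limited passes the gate. Comparing `grep -c "Limits"` against the number of containers (presumably one `Container ID:` line per container in describe output — to be confirmed), or reading `.spec.containers[*].resources.limits` with `-o jsonpath`, would make the check faithful. Separately, `[ $? == 1 ]` only recognises grep's "no match" status: an error (status 2, e.g. the pod was deleted between the list and the describe) is silently treated as "has limits", and `==` inside `[ ]` is a bashism; `if ! kubectl describe pod "$pod" -n onap | grep -q Limits; then` reports on both. The namespace is also hard-coded to `onap` here while check_security_root.sh in the same commit takes it as an argument.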
diff --git a/security/scripts/root_pods_xfail.txt b/security/scripts/root_pods_xfail.txt
new file mode 100644
index 0000000..c282cf8
--- /dev/null
+++ b/security/scripts/root_pods_xfail.txt
@@ -0,0 +1,33 @@
+# Expected failure list for rooted ports
+# Upstream pods are excluded in Frankfurt
+# We consider only the pods we built
+aaf-cass # cassandra
+aaf-sms-vault # upstream vault and consul docker used by aaf AAF-1102
+aai # aai pods not launched as root even root user still in dockers AAI-2822
+awx # ansible
+cassandra # common cassandra
+consul # nobody remembers who is responsible for consul
+dcae-redis # redis container
+dcae-mongo # mongo container
+dcae-cloudify-manager # DCAEGEN2-2121
+mariadb # common mariadb
+msb-consul # another consul
+multicloud-fcaps # rabbit-mq upstream pod MULTICLOUD-1017
+multicloud-k8s-etcd
+multicloud-k8s-mongo
+music-cassandra # music has itw own cassandra
+nbi-mongo # a mongo db
+netbox # netbox
+pomba-elasticsearch # elasticsearch
+portal-cassandra # portal cassandra
+portal-db # portal mariadb
+portal-zookeeper # portal zookeeper
+zookeeper # common zookeper
+
+# other waivers
+robot # testing
+sniro-emulator # testing
+oof-cmso-service # testing
+vnfsdk # testing VNFSDK-565
+pomba # nobody taking cares of pomba for several releases
+dcaemod # dcae experimental pods for Frankfurt
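Review bot: Two waivers, `multicloud-k8s-etcd` and `multicloud-k8s-mongo`, carry no comment and most entries give no ticket, so nothing tells a later release when a waiver can be dropped; and because check_security_root.sh matches each entry as a regex `<namespace>-<entry>` against the pod line, broad entries such as `pomba` or `aai` waive every pod of that component, which the header does not say. Suggested header addition: `# Each entry is matched as <namespace>-<entry> anywhere in the pod name, so short entries waive whole components; add the tracking JIRA so the waiver can be revisited.` Typos in the comments: `rooted ports` → `rooted pods`, `itw own` → `its own`, `zookeper` → `zookeeper`.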