-rw-r--r--security/docker/Dockerfile8
-rw-r--r--security/scripts/root_pods_xfail.txt35
2 files changed, 4 insertions, 39 deletions
diff --git a/security/docker/Dockerfile b/security/docker/Dockerfile
index a31ab64..7b76a1b 100644
--- a/security/docker/Dockerfile
+++ b/security/docker/Dockerfile
@@ -30,7 +30,6 @@ ARG ONAP_TESTS_TAG=master
ADD https://storage.googleapis.com/kubernetes-release/release/${KUBERNETES_VERSION}/bin/linux/amd64/kubectl /usr/local/bin/kubectl
COPY scripts/check_security_root.sh /check_security_root.sh
-COPY scripts/root_pods_xfail.txt /root_pods_xfail.txt
COPY scripts/check_unlimitted_pods.sh /check_unlimitted_pods.sh
COPY scripts/check_cis_kubernetes.sh /check_cis_kubernetes.sh
COPY scripts/check_versions.sh /check_versions.sh
@@ -51,8 +50,9 @@ RUN set -x && \
wget https://storage.googleapis.com/kubernetes-helm/helm-${HELM_VERSION}-linux-amd64.tar.gz -O - | tar -xzO linux-amd64/helm > /usr/local/bin/helm && \
wget -O /check_for_nonssl_endpoints.sh https://git.onap.org/integration/plain/test/security/check_for_nonssl_endpoints.sh?h=$ONAP_TAG &&\
wget -O /check_for_jdwp.sh https://git.onap.org/integration/plain/test/security/check_for_jdwp.sh?h=$ONAP_TAG &&\
- wget -O /jdwp_xfail.txt https://git.onap.org/integration/plain/test/security/jdwp_xfail.txt?h=$ONAP_TAG &&\
- wget -O /nonssl_xfail.txt https://git.onap.org/integration/plain/test/security/nonssl_xfail.txt?h=$ONAP_TAG &&\
+ wget -O /jdwp_xfail.txt https://git.onap.org/integration/seccom/plain/waivers/jdwp_ports/jdwp_xfail.txt?h=$ONAP_TAG &&\
+ wget -O /nonssl_xfail.txt https://git.onap.org/integration/seccom/plain/waivers/nonssl_endpoints/nonssl_xfail.txt?h=$ONAP_TAG &&\
+ wget -O /root_pods_xfail.txt https://git.onap.org/integration/seccom/plain/waivers/root_pods/root_pods_xfail.txt?h=$ONAP_TAG &&\
wget -O /check_versions/k8s_bin_versions_inspector.py https://git.onap.org/integration/plain/test/security/check_versions/src/k8s_bin_versions_inspector.py?h=$ONAP_TAG &&\
wget -O /check_versions/requirements.txt https://git.onap.org/integration/plain/test/security/check_versions/env/requirements.txt?h=$ONAP_TAG &&\
wget -O /check_versions/recommended_versions.yaml https://git.onap.org/integration/seccom/plain/recommended_versions.yaml?h=$ONAP_TAG &&\
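Review bot: The three waiver lists fetched here (`/jdwp_xfail.txt`, `/nonssl_xfail.txt`, `/root_pods_xfail.txt`) decide which findings the security checks ignore, yet they are downloaded at build time from `?h=$ONAP_TAG` with no integrity check, and `root_pods_xfail.txt` moves from a file versioned beside this Dockerfile to a remote fetch. If `ONAP_TAG` names a branch (its default is not visible in this hunk), two builds of the same Dockerfile can ship different waivers, and a change to the waiver repository silently widens what the image accepts. Consider building with a release tag or commit id for `ONAP_TAG`, or verifying the files after download with something like `sha256sum -c waivers.sha256` against a checksum file kept in this repository (`waivers.sha256` is a placeholder name). The same concern applies to `git+https://gerrit.onap.org/r/integration/xtesting@$ONAP_TESTS_TAG` in the following hunk, since the visible default `ONAP_TESTS_TAG=master` is a moving ref and pip runs the package's build code during install. The enclosing `RUN` instruction starts and ends outside this hunk.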
@@ -62,7 +62,7 @@ RUN set -x && \
chmod +x /check_*.sh && \
pip3 install --upgrade pip && \
pip3 install --no-cache-dir \
- git+https://gitlab.com/Orange-OpenSource/lfn/onap/integration/xtesting.git@$ONAP_TESTS_TAG#subdirectory=security && \
+ git+https://gerrit.onap.org/r/integration/xtesting@$ONAP_TESTS_TAG#subdirectory=security && \
cd /kube-hunter && pip3 install -r /kube-hunter/requirements.txt && \
pip3 install -r /check_versions/requirements.txt && \
apk del .build-deps
diff --git a/security/scripts/root_pods_xfail.txt b/security/scripts/root_pods_xfail.txt
deleted file mode 100644
index 16ba884..0000000
--- a/security/scripts/root_pods_xfail.txt
+++ /dev/null
@@ -1,35 +0,0 @@
-# Expected failure list for rooted ports
-
-# frankfurt history
-## We consider only the pods we built
-#aaf-cass # cassandra
-#aaf-sms-vault # upstream vault and consul docker used by aaf AAF-1102
-#aai # aai pods not launched as root even root user still in dockers AAI-2822
-#awx # ansible
-#cassandra # common cassandra
-#consul # nobody remembers who is responsible for consul
-#dcae-redis # redis container
-#dcae-mongo # mongo container
-#dcae-cloudify-manager # DCAEGEN2-2121
-#dcae-tca-analytics # tmp tca will be replaced by secured tca2 in G
-#mariadb # common mariadb
-#msb-consul # another consul
-#multicloud-fcaps # rabbit-mq upstream pod MULTICLOUD-1017
-#multicloud-k8s-etcd
-#multicloud-k8s-mongo
-#music-cassandra # music has itw own cassandra
-#nbi-mongo # a mongo db
-#netbox # netbox
-#pomba-elasticsearch # elasticsearch
-#portal-cassandra # portal cassandra
-#portal-db # portal mariadb
-#portal-zookeeper # portal zookeeper
-#zookeeper # common zookeper
-
-## other waivers
-#robot # testing
-#sniro-emulator # testing
-#oof-cmso-service # testing
-#vnfsdk # testing VNFSDK-565
-#pomba # nobody taking cares of pomba for several releases
-#dcaemod # dcae experimental pods for Frankfurt