-rw-r--r--security/docker/Dockerfile1
-rw-r--r--security/onap_security/security_tests.py18
-rw-r--r--security/scripts/check_unlimitted_pods.sh62
3 files changed, 59 insertions, 22 deletions
diff --git a/security/docker/Dockerfile b/security/docker/Dockerfile
index 484e83a..413290d 100644
--- a/security/docker/Dockerfile
+++ b/security/docker/Dockerfile
@@ -53,6 +53,7 @@ RUN set -x && \
wget -O /jdwp_xfail.txt https://git.onap.org/integration/seccom/plain/waivers/jdwp_ports/jdwp_xfail.txt?h=$ONAP_TAG &&\
wget -O /nonssl_xfail.txt https://git.onap.org/integration/seccom/plain/waivers/nonssl_endpoints/nonssl_xfail.txt?h=$ONAP_TAG &&\
wget -O /root_pods_xfail.txt https://git.onap.org/integration/seccom/plain/waivers/root_pods/root_pods_xfail.txt?h=$ONAP_TAG &&\
+ wget -O /unlimitted_pods_xfail.txt https://git.onap.org/integration/seccom/plain/waivers/unlimitted_pods/unlimitted_pods_xfail.txt?h=$ONAP_TAG &&\
wget -O /check_versions/k8s_bin_versions_inspector.py https://git.onap.org/integration/plain/test/security/check_versions/src/k8s_bin_versions_inspector.py?h=$ONAP_TAG &&\
wget -O /check_versions/requirements.txt https://git.onap.org/integration/plain/test/security/check_versions/env/requirements.txt?h=$ONAP_TAG &&\
wget -O /check_versions/recommended_versions.yaml https://git.onap.org/integration/seccom/plain/recommended_versions.yaml?h=$ONAP_TAG &&\
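Review bot: The waiver file fetched on the new line decides which pods the unlimited-pods check will ignore, and it is pulled with a plain `wget` that verifies nothing beyond TLS, so a changed or truncated waiver list would silently widen the exemptions baked into the image. If `$ONAP_TAG` can resolve to a branch rather than an immutable tag (the URL does not distinguish), the set of waived pods also drifts between builds of the "same" image. The sibling waiver fetches above share this property; at minimum a comment such as `# waiver lists below suppress findings — keep ONAP_TAG pinned to a release tag` would make the trust assumption explicit, and a checksum check after the download would make it enforceable. The RUN instruction this line belongs to starts before the hunk.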
diff --git a/security/onap_security/security_tests.py b/security/onap_security/security_tests.py
index cd26d7d..d0b25ac 100644
--- a/security/onap_security/security_tests.py
+++ b/security/onap_security/security_tests.py
@@ -95,8 +95,6 @@ class SecurityTesting(testcase.TestCase):
class OnapSecurityDockerRootTest(SecurityTesting):
"""Test that the dockers launched as root."""
def __init__(self, **kwargs):
- if "case_name" not in kwargs:
- kwargs.get("case_name", 'root_pods')
super(OnapSecurityDockerRootTest, self).__init__(**kwargs)
self.cmd = ['/check_security_root.sh', 'onap', '-l', '/root_pods_xfail.txt']
self.error_string = "Pods launched with root users"
@@ -105,18 +103,14 @@ class OnapSecurityDockerRootTest(SecurityTesting):
class OnapSecurityUnlimittedPodTest(SecurityTesting):
"""Check that no pod is launch without limits."""
def __init__(self, **kwargs):
- if "case_name" not in kwargs:
- kwargs.get("case_name", 'unlimitted_pods')
super(OnapSecurityUnlimittedPodTest, self).__init__(**kwargs)
- self.cmd = ['/check_unlimitted_pods.sh']
+ self.cmd = ['/check_unlimitted_pods.sh', 'onap', '-l', '/unlimitted_pods_xfail.txt']
self.error_string = "Pods lauched without limits"
class OnapSecurityCisKubernetes(SecurityTesting):
"""Check that kubernetes install is CIS compliant"""
def __init__(self, **kwargs):
- if "case_name" not in kwargs:
- kwargs.get("case_name", 'cis_kubernetes')
super(OnapSecurityCisKubernetes, self).__init__(**kwargs)
self.cmd = ['/check_cis_kubernetes.sh']
self.error_string = "Kubernetes Deployment is not CIS compatible"
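Review bot: The new `self.cmd` hard-codes the `'onap'` namespace as the script's first positional argument, so the Python side now pins what `check_unlimitted_pods.sh` was just changed to accept as a parameter; the other test classes in this file do the same, so consider a single module-level `K8S_NAMESPACE = 'onap'` (or a `namespace` kwarg with that default) that all `cmd` lists reference, e.g. `self.cmd = ['/check_unlimitted_pods.sh', K8S_NAMESPACE, '-l', '/unlimitted_pods_xfail.txt']`. The removed `kwargs.get("case_name", ...)` lines were no-ops (`get` does not assign), so dropping them does not change behaviour, but the class now relies on the caller to supply a case name — worth a sentence in the class docstring. While here, the docstring reads better as `"""Check that no pod is launched without resource limits."""`, and `error_string` carries the typo `lauched`, which is user-visible in test output.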
@@ -126,8 +120,6 @@ class OnapSecurityHttpPorts(SecurityTesting):
"""Check all ports exposed outside of kubernetes cluster looking for plain
http endpoint."""
def __init__(self, **kwargs):
- if "case_name" not in kwargs:
- kwargs.get("case_name", 'http_public_endpoints')
super(OnapSecurityHttpPorts, self).__init__(**kwargs)
self.cmd = ['/check_for_nonssl_endpoints.sh', 'onap', '-l', '/nonssl_xfail.txt']
self.error_string = "Public http endpoints still found"
@@ -137,8 +129,6 @@ class OnapSecurityNonSSLPorts(SecurityTesting):
"""Check that all ports exposed outside of kubernetes cluster use SSL
tunnels."""
def __init__(self, **kwargs):
- if "case_name" not in kwargs:
- kwargs.get("case_name", 'nonssl_endpoints')
super(OnapSecurityNonSSLPorts, self).__init__(**kwargs)
self.cmd = ['/usr/local/bin/sslendpoints', '-xfail', '/nonssl_xfail.txt']
self.error_string = "Public non-SSL endpoints still found"
@@ -147,8 +137,6 @@ class OnapSecurityNonSSLPorts(SecurityTesting):
class OnapSecurityJdwpPorts(SecurityTesting):
"""Check that no jdwp ports are exposed."""
def __init__(self, **kwargs):
- if "case_name" not in kwargs:
- kwargs.get("case_name", 'jdpw_ports')
super(OnapSecurityJdwpPorts, self).__init__(**kwargs)
self.cmd = ['/check_for_jdwp.sh', 'onap', '-l', '/jdwp_xfail.txt']
self.error_string = "JDWP ports found"
@@ -157,8 +145,6 @@ class OnapSecurityJdwpPorts(SecurityTesting):
class OnapSecurityKubeHunter(SecurityTesting):
"""Check k8s vulnerabilities."""
def __init__(self, **kwargs):
- if "case_name" not in kwargs:
- kwargs.get("case_name", 'kube_hunter')
super(OnapSecurityKubeHunter, self).__init__(**kwargs)
config.load_kube_config(config_file='/root/.kube/config')
client_kubernetes = client.CoreV1Api()
@@ -176,8 +162,6 @@ class OnapSecurityKubeHunter(SecurityTesting):
class OnapSecurityVersions(SecurityTesting):
"""Check that Java and Python are available only in versions recommended by SECCOM."""
def __init__(self, **kwargs):
- if "case_name" not in kwargs:
- kwargs.get("case_name", 'versions')
super(OnapSecurityVersions, self).__init__(**kwargs)
self.cmd = ['/check_versions.sh', 'onap', '-r', '/check_versions/recommended_versions.yaml']
self.error_string = "Not recommended versions found"
diff --git a/security/scripts/check_unlimitted_pods.sh b/security/scripts/check_unlimitted_pods.sh
index fdef6f3..1fc5e69 100644
--- a/security/scripts/check_unlimitted_pods.sh
+++ b/security/scripts/check_unlimitted_pods.sh
@@ -1,4 +1,40 @@
#!/bin/bash
+usage() {
+ cat <<EOF
+Usage: $(basename $0) <k8s-namespace> [-l <white list file>]
+ -l: unlimitted pod xfail file
+EOF
+ exit ${1:-0}
+}
+
+if [ "$#" -lt 1 ]; then
+ usage
+ exit 1
+fi
+
+K8S_NAMESPACE=$1
+FILTERED_PODS_LIST=$(mktemp unlimitted_pods_XXXXXX)
+WL_RAW_FILE_PATH=$(mktemp raw_filtered_unlimitted_XXXXXX)
+
+manage_list() {
+ # init filtered port list file
+ if [ ! -f $WL_FILE_PATH ];then
+ echo "File not found"
+ usage
+ fi
+ grep -o '^[^#]*' $WL_FILE_PATH > $WL_RAW_FILE_PATH
+}
+
+### getopts
+while :
+do
+ case $2 in
+ -h|--help|help) usage;;
+ -l) WL_FILE_PATH=$3;manage_list;shift;;
+ -*) usage 1 ;;
+ *) break ;;
+ esac
+done
echo "------------------------------------------------------------------------"
echo "-------------------- ONAP Security tests ----------------------------"
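Review bot: `usage` exits 0 unless given an explicit code, so both error paths in this hunk make the security check report success: the `exit 1` after `usage` in the no-argument branch is unreachable, and a missing waiver file in `manage_list` prints "File not found" and then exits 0, which a CI pipeline will read as a passing test. Both should be `usage 1`, i.e. replace `usage` followed by `exit 1` with `usage 1` at the top, and `usage` with `usage 1` inside `manage_list`. The two `mktemp` calls use bare templates, so the temp files land in the current working directory and nothing removes them; a `trap 'rm -f "$FILTERED_PODS_LIST" "$WL_RAW_FILE_PATH"' EXIT` right after they are created would keep the listing deterministic across runs. `$WL_FILE_PATH` and the other expansions are unquoted, which is harmless for the paths used here but worth tightening while the file is being touched.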
@@ -8,19 +44,35 @@ echo "------------------------------------------------------------------------"
code=0
# get the pod list
-for pod in `kubectl get pod -n onap|grep -v "NAME"|grep "Running\|Completed" |grep -v functest |grep -v integration | awk '{print $1}'`;do
+for pod in `kubectl get pod -n $K8S_NAMESPACE |grep -v "NAME"|grep "Running\|Completed" |grep -v functest |grep -v integration | awk '{print $1}'`;do
kubectl describe pod $pod -n onap|grep "Limits";
if [ $? == 1 ] ; then
echo $pod ;
fi;
-done | grep -v Limits > NoLimitContainer.txt
+done | grep -v Limits > $FILTERED_PODS_LIST
+
+while IFS= read -r line; do
+ # for each line we test if it is in the white list with a regular expression
+ while IFS= read -r wl_line; do
+ wl_name=$(echo $wl_line | awk {'print $1'})
+ if grep -e $K8S_NAMESPACE-$wl_name <<< "$line" > /dev/null ;then
+ # Found in white list, exclude it
+ sed -i "/$line/d" $FILTERED_PODS_LIST
+ fi
+ # tmp ugly workaround to exlude dep (temporary dcae dockers)
+ if grep -e dep-$wl_name <<< "$line" > /dev/null ;then
+ sed -i "/$line/d" $FILTERED_PODS_LIST
+ fi
+ done < $WL_RAW_FILE_PATH
+done < $FILTERED_PODS_LIST
+
-if [ -s NoLimitContainer.txt ]
+if [ -s $FILTERED_PODS_LIST ]
then
code=1
- nb_errors=`cat NoLimitContainer.txt | wc -l`
+ nb_errors=`cat $FILTERED_PODS_LIST | wc -l`
echo "Test FAIL: $nb_errors pod(s) launched without limit"
- cat NoLimitContainer.txt
+ cat $FILTERED_PODS_LIST
else
echo "Test PASS: No pod launched without limit"
fi
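Review bot: The waiver matching in the new filtering loop is an unanchored substring regex, so a waiver for `foo` also excludes `$K8S_NAMESPACE-foobar-...`, and a waiver line whose first field is empty (a whitespace-only prefix before a `#` comment survives the `grep -o '^[^#]*'` filter as blanks) yields `grep -e onap-`, which matches every pod and deletes the whole finding list — an empty result then prints "Test PASS". The `sed -i "/$line/d"` deletion is likewise an unanchored regex built from the pod name, and `kubectl describe pod $pod -n onap` still hard-codes the namespace that the `kubectl get` line just made configurable, so a non-`onap` namespace makes every describe fail and every pod get reported. The inner loop should skip empty names, anchor both the match and the deletion at the start of the line, and use `-n $K8S_NAMESPACE`; the exact pod-name suffix convention (release prefix, then name, then hash) is not visible here, so the trailing `-` anchor below is a proposal to confirm against the waiver file format. The `exit $code` (if any) that follows this block is outside the hunk.
```shell
kubectl describe pod $pod -n $K8S_NAMESPACE|grep "Limits";
# … unchanged: collect pods with no Limits into $FILTERED_PODS_LIST …

while IFS= read -r line; do
  while IFS= read -r wl_line; do
    wl_name=$(echo "$wl_line" | awk '{print $1}')
    # an empty first field would match every pod and waive the whole list
    [ -z "$wl_name" ] && continue
    # anchored at line start; "dep-" covers the temporary dcae pods
    if grep -q -e "^$K8S_NAMESPACE-$wl_name-" -e "^dep-$wl_name-" <<< "$line"; then
      sed -i "\|^$line\$|d" "$FILTERED_PODS_LIST"
    fi
  done < "$WL_RAW_FILE_PATH"
done < "$FILTERED_PODS_LIST"
# … unchanged: PASS/FAIL reporting …
```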