blob: b3500780e5b4c4a643a749e9fb492c8d84d85779 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
|
# Security
## Goal
This security docker includes the test suites dealing with security aspects
of an ONAP deployment.
It includes 6 tests:
* root_pods: check that pods are nor using root user or started as root
* unlimitted_pods: check that limits are set for pods
* cis_kubernetes: perform the k8s cis test suite (upstream src aquasecurity)
* http_public_endpoints: check that there is no public http endpoints exposed in
ONAP cluster
* nonssl_endpoints: check that all public HTTP endpoints exposed in ONAP
cluster use SSL tunnels
* jdpw_ports: check that there are no internal java ports
* kube_hunter: security suite to search k8s vulnerabilities (upstream src
aquasecurity)
## Usage
### Configuration
Mandatory:
* The kubernetes configuration: usually hosted on the.kube/config of your
jumphost. It corresponds the kubernetes credentials and are needed to perform
the different operations. This file shall be copied in /root/.kube/config in
the docker.
Optional:
* The local result directory path: to store the results in your local
environement. It shall corresponds to the internal result docker path
/var/lib/xtesting/results
### Command
You can run this docker by typing:
```
docker run -v <the kube config>:/root/.kube/config -v
<result directory>:/var/lib/xtesting/results
registry.gitlab.com/orange-opensource/lfn/onap/integration/xtesting/security:latest
```
Options:
* -r: by default the reporting to the Database is not enabled. You need to
specify the -r option in the command line. Please note that in this case, you
must precise some env variables.
environment variables:
* Mandatory (if you want to report the results in the database):
* TEST_DB_URL: the url of the target Database with the env variable .
* NODE_NAME: the name of your test environement. It must be declared in the
test database (e.g. windriver-SB00)
* Optionnal
* INSTALLER_TYPE: precise how your ONAP has been installed (e.g. kubespray-oom,
rke-oom)
* BUILD_TAG: a unique tag of your CI system. It can be usefull to get all the
tests of one CI run. It uses the regex (dai|week)ly-(.+?)-[0-9]* to find the
version (e.g. daily-elalto-123456789).
The command becomes:
```
docker run -v <the kube config>:/root/.kube/config -v
<result directory>:/var/lib/xtesting/results registry.gitlab.com/orange-opensour
ce/lfn/onap/integration/xtesting/security:latest /bin/bash -c "run_tests -r -t all
```
### Output
```
+-----------------------+------------+------------+------------+-----------+
| TEST CASE | PROJECT | TIER | DURATION | RESULT |
+-----------------------+------------+------------+------------+-----------+
| root_pods | security | security | 03:48 | FAIL |
| unlimitted_pods | security | security | 00:37 | FAIL |
| cis_kubernetes | security | security | 00:01 | FAIL |
| http_public_endpoints | security | security | 00:01 | FAIL |
| jdpw_ports | security | security | 05:39 | FAIL |
+-----------------------+------------+------------+------------+-----------+
```
|