blob: 6a5e38ee84906500862f310a4c20fd1de9c9a7ec (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
|
# Security
## Goal
This security docker includes the test suites dealing with security aspects
of an ONAP deployment.
It includes 6 tests:
- root_pods: check that pods are nor using root user or started as root
- unlimitted_pods: check that limits are set for pods
- cis_kubernetes: perform the k8s cis test suite (upstream src aquasecurity)
- http_public_endpoints: check that there is no public http endpoints exposed in
ONAP cluster
- nonssl_endpoints: check that all public HTTP endpoints exposed in ONAP
cluster use SSL tunnels
- jdpw_ports: check that there are no internal java ports
- kube_hunter: security suite to search k8s vulnerabilities (upstream src
aquasecurity)
## Usage
### Configuration
Mandatory:
- The kubernetes configuration: usually hosted on the.kube/config of your
jumphost. It corresponds the kubernetes credentials and are needed to perform
the different operations. This file shall be copied in /root/.kube/config in
the docker.
Optional:
- The local result directory path: to store the results in your local
environement. It shall corresponds to the internal result docker path
/var/lib/xtesting/results
### Command
You can run this docker by typing:
```
docker run -v <the kube config>:/root/.kube/config -v
<result directory>:/var/lib/xtesting/results
nexus3.onap.org:10001/onap/xtesting-security:latest
```
Options:
- \-r: by default the reporting to the Database is not enabled. You need to
specify the -r option in the command line. Please note that in this case, you
must precise some env variables.
environment variables:
- Mandatory (if you want to report the results in the database):
- TEST_DB_URL: the url of the target Database with the env variable .
- NODE_NAME: the name of your test environement. It must be declared in the
test database (e.g. windriver-SB00)
- Optionnal
- INSTALLER_TYPE: precise how your ONAP has been installed (e.g. kubespray-oom,
rke-oom)
- BUILD_TAG: a unique tag of your CI system. It can be usefull to get all the
tests of one CI run. It uses the regex (dai|week)ly-(.+?)-[0-9]\* to find the
version (e.g. daily-elalto-123456789).
The command becomes:
```
docker run -v <the kube config>:/root/.kube/config -v
<result directory>:/var/lib/xtesting/results
nexus3.onap.org:10001/onap/xtesting-security:latest
/bin/bash -c "run_tests -r -t all
```
### Output
```
+-----------------------+------------+------------+------------+-----------+
| TEST CASE | PROJECT | TIER | DURATION | RESULT |
+-----------------------+------------+------------+------------+-----------+
| root_pods | security | security | 03:48 | PASS |
| unlimitted_pods | security | security | 00:37 | FAIL |
| cis_kubernetes | security | security | 00:01 | PASS |
| http_public_endpoints | security | security | 00:01 | PASS |
| jdpw_ports | security | security | 05:39 | PASS |
+-----------------------+------------+------------+------------+-----------+
```
|
