aboutsummaryrefslogtreecommitdiffstats
path: root/security/docker/Dockerfile
blob: 89a04c5f2d75895b681ebb2c90bd047544211aee (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
FROM golang:1.17 AS build_yq
WORKDIR /go/src/github.com/mikefarah/
RUN git clone https://github.com/mikefarah/yq.git --depth 1
WORKDIR /go/src/github.com/mikefarah/yq
RUN go mod tidy
RUN CGO_ENABLED=0 go install -a -ldflags '-w -s -extldflags "-static"'

FROM golang:1.17 AS build_onap
WORKDIR /opt/onap
RUN git clone https://git.onap.org/integration --depth 1
WORKDIR /opt/onap/integration/test/security/sslendpoints
RUN go mod tidy
RUN CGO_ENABLED=0 go install -a -ldflags '-w -s -extldflags "-static"'

FROM opnfv/xtesting:wallaby AS run

ARG KUBERNETES_VERSION="v1.19.11"
ARG ONAP_TAG=master
ARG ONAP_TESTS_TAG=master

# Install kubectl
# Note: Latest version may be found on:
# https://aur.archlinux.org/packages/kubectl-bin/

ADD https://storage.googleapis.com/kubernetes-release/release/${KUBERNETES_VERSION}/bin/linux/amd64/kubectl /usr/local/bin/kubectl

COPY scripts/check_security_root.sh /check_security_root.sh
COPY scripts/check_unlimitted_pods.sh /check_unlimitted_pods.sh
COPY scripts/check_cis_kubernetes.sh /check_cis_kubernetes.sh
COPY scripts/check_versions.sh /check_versions.sh
COPY --from=build_yq /go/bin/yq /usr/local/bin/yq
COPY --from=build_onap /go/bin/sslendpoints /usr/local/bin/sslendpoints

RUN set -x && \
    apk --no-cache add --update curl ca-certificates openssl procps util-linux \
        nmap nmap-scripts jq && \
    apk --no-cache add --virtual .build-deps --update \
        python3-dev linux-headers gcc  musl-dev && \
    chmod +x /usr/local/bin/kubectl && \
    git clone --depth 1 https://github.com/aquasecurity/kube-hunter.git /kube-hunter && \
    mkdir /check_versions && \
    adduser kubectl -Du 2342 -h /config && \
    wget -O /check_for_nonssl_endpoints.sh https://git.onap.org/integration/plain/test/security/check_for_nonssl_endpoints.sh?h=$ONAP_TAG &&\
    wget -O /check_for_jdwp.sh https://git.onap.org/integration/plain/test/security/check_for_jdwp.sh?h=$ONAP_TAG &&\
    wget -O /jdwp_xfail.txt https://git.onap.org/integration/seccom/plain/waivers/jdwp_ports/jdwp_xfail.txt?h=$ONAP_TAG &&\
    wget -O /nonssl_xfail.txt https://git.onap.org/integration/seccom/plain/waivers/nonssl_endpoints/nonssl_xfail.txt?h=$ONAP_TAG &&\
    wget -O /root_pods_xfail.txt https://git.onap.org/integration/seccom/plain/waivers/root_pods/root_pods_xfail.txt?h=$ONAP_TAG &&\
    wget -O /unlimitted_pods_xfail.txt https://git.onap.org/integration/seccom/plain/waivers/unlimitted_pods/unlimitted_pods_xfail.txt?h=$ONAP_TAG &&\
    wget -O /check_versions/k8s_bin_versions_inspector.py https://git.onap.org/integration/plain/test/security/check_versions/src/k8s_bin_versions_inspector.py?h=$ONAP_TAG &&\
    wget -O /check_versions/requirements.txt https://git.onap.org/integration/plain/test/security/check_versions/env/requirements.txt?h=$ONAP_TAG &&\
    wget -O /check_versions/recommended_versions.yaml https://git.onap.org/integration/seccom/plain/recommended_versions.yaml?h=$ONAP_TAG &&\
    chmod +x /usr/local/bin/sslendpoints && \
    chmod +x /check_*.sh && \
    rm -rf /usr/lib/python3.8/site-packages/PyYAML* && \
    pip3 install --no-cache-dir \
        git+https://git.onap.org/integration/xtesting.git@$ONAP_TESTS_TAG#subdirectory=security && \
    cd /kube-hunter && pip3 install -r /kube-hunter/requirements.txt && \
    pip3 install --no-cache-dir \
        git+https://gitlab.com/Orange-OpenSource/lfn/onap/integration/onap-version-status.git && \
    apk del .build-deps

COPY docker/testcases.yaml /usr/lib/python3.8/site-packages/xtesting/ci/testcases.yaml
CMD ["run_tests", "-t", "all"]