blob: 8fd35dbec6a1dd7e0f8ccfbc1e2da4651a2ff7de (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
|
#!/usr/bin/env bash
usage() {
cat <<EOF
Usage: $(basename $0) <k8s-namespace> [-l <white list file>]
-l: rooted pod xfail file
EOF
exit ${1:-0}
}
if [ "$#" -lt 1 ]; then
usage
exit 1
fi
K8S_NAMESPACE=$1
FILTERED_PODS_LIST=$(mktemp rooted_pods_XXXXXX)
WL_RAW_FILE_PATH=$(mktemp raw_filtered_pods_XXXXXX)
manage_white_list() {
# init filtered port list file
if [ ! -f $WL_FILE_PATH ];then
echo "File not found"
usage
fi
grep -o '^[^#]*' $WL_FILE_PATH > $WL_RAW_FILE_PATH
}
### getopts
while :
do
case $2 in
-h|--help|help) usage;;
-l) WL_FILE_PATH=$3;manage_white_list;shift;;
-*) usage 1 ;;
*) break ;;
esac
done
echo "------------------------------------------------------------------------"
echo "-------------------- ONAP Security tests ----------------------------"
echo "-------------------- Test root user in pods -------------------------"
echo "------------------------------------------------------------------------"
# Display the waivers
if [ -s $XL_FILE_PATH ]; then
echo -e "--------------------\e[0;31m WARNING \e[0;m XFail List ----------------------------"
cat $WL_FILE_PATH
echo "------------------------------------------------------------------------"
fi
code=0
# get the pod list
for pod in `kubectl get pod -n $K8S_NAMESPACE| grep "Running" | grep -v functest | grep -v integration | awk '{print $1}'` ;do
list=`kubectl top pod $pod --containers -n onap |grep -v "POD"|awk '{print $1":"$2}'`;
for po in $list; do
contname=`echo $po|cut -d':' -f2`;uid=`kubectl exec $pod --container $contname -n $K8S_NAMESPACE id|sed -r "s/^uid=(.*) gid.*$/\1/"`;echo "POD: $pod container: $contname uid: $uid";
done;
done | grep root > $FILTERED_PODS_LIST
while IFS= read -r line; do
# for each line we test if it is in the white list with a regular expression
while IFS= read -r wl_line; do
wl_name=$(echo $wl_line | awk {'print $1'})
if grep -e $K8S_NAMESPACE-$wl_name <<< "$line" > /dev/null ;then
# Found in white list, exclude it
sed -i "/$line/d" $FILTERED_PODS_LIST
fi
# tmp ugly workaround to exlude dep (temporary dcae dockers)
if grep -e dep-$wl_name <<< "$line" > /dev/null ;then
sed -i "/$line/d" $FILTERED_PODS_LIST
fi
done < $WL_RAW_FILE_PATH
done < $FILTERED_PODS_LIST
if [ -s $FILTERED_PODS_LIST ]
then
code=1
nb_errors=`cat $FILTERED_PODS_LIST | wc -l`
echo "Test FAIL: $nb_errors pod(s) launched as root found"
cat $FILTERED_PODS_LIST
else
echo "Test PASS: No pod launched as root found"
fi
exit $code
|
