author | Parth Inamdar <parth.inamdar1@gmail.com> | 2021-11-29 22:01:38 -0500 |
---|---|---|
committer | Parth Inamdar <parth.inamdar1@gmail.com> | 2021-11-30 05:25:24 +0000 |
commit | 52ba79c07aa517160698ee7e04797447448ebf3c (patch) | |
tree | 5a27ed50d5f75d21eaf789ae027ac7e899cb254d /sdv/docker/sdvstate/internal/validator/kuberef/plugin_check.py | |
parent | bfd37762bdf91a7f89d4ebc259454ddb2f5e7b3d (diff) |
Added Security, Policy, Observability & Plugin Checks
Security Checks:
Checking for security config on the cluster, consisting of capability, privilege, host network, host path and
connectivity checks
Policy Checks:
Validating CPU Manager and Topology Manager policies against the settings from PDF
Observability Checks
Checking existence and health of prometheus, node-exporter and collectd pods
Plugin checks
Checking for the existence of multi-interface pod (multus) and validating the list of CNI against the PDF
Also added usage information and PDF field information to the userguide.rst file in the docs section. For reference, I have added a PDF.json file in the sdv/docker/sdvstate/settings section showing the configuration required for the kuberef validation.
Signed-off-by: Parth V Inamdar <parth.inamdar1@gmail.com>
Change-Id: I28dc8e687c14cba099230f2226b4add79a55a7ad
Diffstat (limited to 'sdv/docker/sdvstate/internal/validator/kuberef/plugin_check.py')
-rw-r--r-- | sdv/docker/sdvstate/internal/validator/kuberef/plugin_check.py | 152 |
1 files changed, 152 insertions, 0 deletions
diff --git a/sdv/docker/sdvstate/internal/validator/kuberef/plugin_check.py b/sdv/docker/sdvstate/internal/validator/kuberef/plugin_check.py
new file mode 100644
index 0000000..e964707
--- /dev/null
+++ b/sdv/docker/sdvstate/internal/validator/kuberef/plugin_check.py
@@ -0,0 +1,152 @@
+"""
+CNI Plugin Check
+Multi-interface CNI Check
+"""
+
+import time
+import logging
+from kubernetes import client
+from tools.kube_utils import kube_api, kube_exec
+from tools.conf import settings
+from internal.store_result import store_result
+
+def create_daemonset(apps_instance):
+ """
+ Creates daemonset for the checks
+ """
+ manifest = {
+ 'apiVersion': 'apps/v1',
+ 'kind': 'DaemonSet',
+ 'metadata': {
+ 'name': 'plugin-check-test-set',
+ 'namespace': 'default'
+ },
+ 'spec': {
+ 'selector': {
+ 'matchLabels': {
+ 'name': 'alpine'
+ }
+ },
+ 'template': {
+ 'metadata': {
+ 'labels': {
+ 'name': 'alpine'
+ }
+ }
+ },
+ 'spec': {
+ 'containers': [{
+ 'name': 'alpine',
+ 'image': 'alpine:3.2',
+ 'command': ["sh", "-c", "echo \"Hello K8s\" && sleep 3600"],
+ 'volumeMounts': [{
+ 'name': 'etccni',
+ 'mountPath': '/etc/cni'
+ }, {
+ 'name': 'optcnibin',
+ 'mountPath': '/opt/cni/bin',
+ 'readOnly': True
+ }]
+ }],
+ 'volumes': [{
+ 'name': 'etccni',
+ 'hostPath': {
+ 'path': '/etc/cni'
+ }
+ }, {
+ 'name': 'optcnibin',
+ 'hostPath': {
+ 'path': '/opt/cni/bin'
+ }
+ }],
+ 'tolerations': [{
+ 'effect': 'NoSchedule',
+ 'key': 'node-role.kubernetes.io/master',
+ 'operator': 'Exists'
+ }]
+ }
+ }
+ }
+ apps_instance.create_namespaced_daemon_set('default', manifest)
+ time.sleep(6)
+
+
+def multi_interface_cni_check():
+ """
+ Checks if multi interface cni is enabled
+ """
+ apps_instance = client.AppsV1Api()
+ api_instance = kube_api()
+ logger = logging.getLogger(__name__)
+
+ result = {'category': 'network',
+ 'case_name': 'multi_interface_cni_check',
+ 'criteria': 'pass',
+ 'details': []
+ }
+
+ create_daemonset(apps_instance)
+ pod_details = api_instance.list_namespaced_pod('default', watch=False)
+ pods = pod_details.items
+ status = []
+ cmd = ['ls', '/etc/cni/net.d']
+
+ for pod in pods:
+ if 'plugin-check-test-set' in pod.metadata.name:
+ list_of_plugin_conf = kube_exec(pod, cmd)
+ list_of_plugin_conf = list_of_plugin_conf.split("\n")
+
+ cmd3 = ['cat', list_of_plugin_conf[0]]
+ multi_interface_conf = kube_exec(pod, cmd3)
+
+ if 'multus' not in multi_interface_conf:
+ result['criteria'] = 'fail'
+
+ status.append(list_of_plugin_conf)
+ status.append(multi_interface_conf)
+
+ apps_instance.delete_namespaced_daemon_set('plugin-check-test-set', 'default')
+ result['details'].append(status)
+ store_result(logger, result)
+ return result
+
+def cni_plugin_check():
+ """
+ Checks for CNI plugins and validate against PDF
+ """
+ apps_instance = client.AppsV1Api()
+ api_instance = kube_api()
+
+ result = {'category': 'network',
+ 'case_name': 'cni_plugin_check',
+ 'criteria': 'pass',
+ 'details': []
+ }
+
+ logger = logging.getLogger(__name__)
+ create_daemonset(apps_instance)
+ pod_details = api_instance.list_namespaced_pod('default', watch=False)
+ pods = pod_details.items
+ daemon_pods = []
+ status = []
+ cmd = ['ls', '/opt/cni/bin']
+ cni_plugins = settings.getValue('pdf_file')['vim_functional']['cnis_supported']
+
+
+ for pod in pods:
+ if 'plugin-check-test-set' in pod.metadata.name:
+ list_of_cni_from_dir = kube_exec(pod, cmd)
+
+ for plugin in cni_plugins:
+ if plugin not in list_of_cni_from_dir:
+ result['criteria'] = 'fail'
+
+ status.append(list_of_cni_from_dir)
+ daemon_pods.append(pod.metadata.name)
+
+ apps_instance.delete_namespaced_daemon_set('plugin-check-test-set', 'default')
+
+ result['details'].append(daemon_pods)
+ result['details'].append(status)
+ store_result(logger, result)
+ return result
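Review bot: The `cmd3 = ['cat', list_of_plugin_conf[0]]` step in multi_interface_cni_check hands `cat` a bare file name taken from `ls /etc/cni/net.d`, so as far as the exec path is visible here it is resolved against the container's working directory rather than /etc/cni/net.d, and it also indexes a single-element `['']` split when that directory is empty; the intended read is `cmd3 = ['cat', '/etc/cni/net.d/' + list_of_plugin_conf[0]]` after a check that the listing is non-empty. The same create_daemonset manifest mounts the host's /etc/cni read-write although both checks only list and read from it, so the etccni volumeMount should carry `'readOnly': True` as the optcnibin mount already does. In both multi_interface_cni_check and cni_plugin_check the `delete_namespaced_daemon_set` call is skipped when `list_namespaced_pod` or `kube_exec` raises, which leaves a hostPath-mounting DaemonSet that tolerates the control-plane taint running on every node; a `try`/`finally` around the pod loop keeps the cleanup unconditional. As rendered here the containers `'spec'` block closes as a sibling of `'template'` rather than inside it, which the API server would reject for lacking template.spec.containers, so that nesting is worth confirming against the indented source.
```python
    create_daemonset(apps_instance)
    try:
        pod_details = api_instance.list_namespaced_pod('default', watch=False)
        for pod in pod_details.items:
            if 'plugin-check-test-set' in pod.metadata.name:
                list_of_plugin_conf = kube_exec(pod, cmd).split("\n")
                if not list_of_plugin_conf[0]:
                    result['criteria'] = 'fail'
                    continue
                cmd3 = ['cat', '/etc/cni/net.d/' + list_of_plugin_conf[0]]
                # … unchanged: exec cmd3, check for 'multus', append status …
    finally:
        # always remove the hostPath DaemonSet, even when listing or exec fails
        apps_instance.delete_namespaced_daemon_set('plugin-check-test-set', 'default')
```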