authorCédric Ollivier <cedric.ollivier@orange.com>2020-09-13 14:53:26 +0200
committerCédric Ollivier <cedric.ollivier@orange.com>2020-09-13 17:01:28 +0200
commitc5ffd6613f4ad87bd4fec618411cbb06c8278301 (patch)
tree57c06c49cb40d4c08ba80f72712837b84a689b3e
parentf5cd7b8964ee44a34c9764f154ce024db3ac1ef2 (diff)
Split kube-bench master and node
The former deployment asked for all-in-one. Change-Id: I12e470cec9e82b82c6f3ea5ff2431087f5deb9be Signed-off-by: Cédric Ollivier <cedric.ollivier@orange.com> (cherry picked from commit bced94b6fe24c7e939fb22834deb77477e4a9bb9)
-rw-r--r--ansible/site.yml3
-rw-r--r--docker/security/testcases.yaml28
-rw-r--r--functest_kubernetes/security/kube-bench-master.yaml42
-rw-r--r--functest_kubernetes/security/kube-bench-node.yaml (renamed from functest_kubernetes/security/kube-bench.yaml)14
-rw-r--r--functest_kubernetes/security/security.py5
5 files changed, 69 insertions, 23 deletions
diff --git a/ansible/site.yml b/ansible/site.yml
index 5b996168..daa046c4 100644
--- a/ansible/site.yml
+++ b/ansible/site.yml
@@ -53,7 +53,8 @@
- container: functest-kubernetes-security
tests:
- kube_hunter
- - kube_bench
+ - kube_bench_master
+ - kube_bench_node
- container: functest-kubernetes-benchmarking
tests:
- xrally_kubernetes_full
diff --git a/docker/security/testcases.yaml b/docker/security/testcases.yaml
index e5423a47..c4f7e69b 100644
--- a/docker/security/testcases.yaml
+++ b/docker/security/testcases.yaml
@@ -2,7 +2,6 @@
tiers:
-
name: security
- ci_loop: '(daily)|(weekly)'
description: >-
Set of basic security tests.
testcases:
@@ -15,17 +14,34 @@ tiers:
Check that the kubernetes cluster has no known
vulnerabilities
run:
- name: 'kube_hunter'
+ name: kube_hunter
args:
severity: high
-
- case_name: kube_bench
+ case_name: kube_bench_master
project_name: functest
criteria: 100
blocking: false
description: >-
- Check that the kubernetes cluster has no known
- vulnerabilities
+ Checks whether Kubernetes is deployed securely by running
+ the master checks documented in the CIS Kubernetes
+ Benchmark.
run:
- name: 'kube_bench'
+ name: kube_bench
+ args:
+ target: master
+
+ -
+ case_name: kube_bench_node
+ project_name: functest
+ criteria: 100
+ blocking: false
+ description: >-
+ Checks whether Kubernetes is deployed securely by running
+ the node checks documented in the CIS Kubernetes
+ Benchmark.
+ run:
+ name: kube_bench
+ args:
+ target: node
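Review bot: The deletion of `ci_loop: '(daily)|(weekly)'` from the security tier in the first hunk is not covered by the commit title or description, which only describe splitting kube-bench into master and node cases. If dropping the loop restriction is intentional (the tier presumably then runs in every CI loop), it needs its own sentence in the description; otherwise the line should be restored. The two new testcase entries are consistent with each other, and stating `target: node` explicitly even where the runner would default to it keeps the intent readable.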
diff --git a/functest_kubernetes/security/kube-bench-master.yaml b/functest_kubernetes/security/kube-bench-master.yaml
new file mode 100644
index 00000000..755e2923
--- /dev/null
+++ b/functest_kubernetes/security/kube-bench-master.yaml
@@ -0,0 +1,42 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: kube-bench-master
+spec:
+ template:
+ spec:
+ hostPID: true
+ nodeSelector:
+ node-role.kubernetes.io/master: ""
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ effect: NoSchedule
+ containers:
+ - name: kube-bench
+ image: aquasec/kube-bench:0.3.1
+ command: ["kube-bench", "master", "--json"]
+ volumeMounts:
+ - name: var-lib-etcd
+ mountPath: /var/lib/etcd
+ readOnly: true
+ - name: etc-kubernetes
+ mountPath: /etc/kubernetes
+ readOnly: true
+ # /usr/local/mount-from-host/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
+ # You can omit this mount if you specify --version as part of the command.
+ - name: usr-bin
+ mountPath: /usr/local/mount-from-host/bin
+ readOnly: true
+ restartPolicy: Never
+ volumes:
+ - name: var-lib-etcd
+ hostPath:
+ path: "/var/lib/etcd"
+ - name: etc-kubernetes
+ hostPath:
+ path: "/etc/kubernetes"
+ - name: usr-bin
+ hostPath:
+ path: "/usr/bin"
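Review bot: The `nodeSelector`/`tolerations` pair keys only on the `node-role.kubernetes.io/master` label, so on a cluster whose control-plane nodes carry a different role label (later Kubernetes releases use `node-role.kubernetes.io/control-plane`) the pod never schedules and the Job stays pending; whether the Python runner times out on a pending Job is not visible here, so a second selector or a note on the supported label set is worth adding. Because this Job mounts `/etc/kubernetes` and `/var/lib/etcd` from the host with `hostPID: true`, a header comment such as `# Needs host PID and read-only host mounts of the control-plane state for the CIS master checks; only schedulable on a control-plane node.` would tell the next reader these settings are deliberate. The image is pulled by a mutable tag; `image: aquasec/kube-bench:0.3.1@sha256:<digest>` would pin what runs with access to the cluster PKI. The comment on the usr-bin mount also runs past 120 columns and could be wrapped onto two lines.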
diff --git a/functest_kubernetes/security/kube-bench.yaml b/functest_kubernetes/security/kube-bench-node.yaml
index 2f2c57d6..306ad600 100644
--- a/functest_kubernetes/security/kube-bench.yaml
+++ b/functest_kubernetes/security/kube-bench-node.yaml
@@ -2,23 +2,16 @@
apiVersion: batch/v1
kind: Job
metadata:
- name: kube-bench
+ name: kube-bench-node
spec:
template:
- metadata:
- labels:
- app: kube-bench
spec:
hostPID: true
containers:
- name: kube-bench
image: aquasec/kube-bench:0.3.1
- command: ["kube-bench"]
- args: ["--json"]
+ command: ["kube-bench", "node", "--json"]
volumeMounts:
- - name: var-lib-etcd
- mountPath: /var/lib/etcd
- readOnly: true
- name: var-lib-kubelet
mountPath: /var/lib/kubelet
readOnly: true
@@ -35,9 +28,6 @@ spec:
readOnly: true
restartPolicy: Never
volumes:
- - name: var-lib-etcd
- hostPath:
- path: "/var/lib/etcd"
- name: var-lib-kubelet
hostPath:
path: "/var/lib/kubelet"
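Review bot: The first hunk removes the pod template's `labels: app: kube-bench` without a replacement, which is safe only if nothing selects the kube-bench pod by that label; the Python side appears to locate it through `job_name`, but that code is outside this section, so it should be confirmed before merging. Dropping the `var-lib-etcd` mount and volume is consistent with the node-only `command`, since the etcd checks belong to the master target.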
diff --git a/functest_kubernetes/security/security.py b/functest_kubernetes/security/security.py
index e6413764..fe3d8a93 100644
--- a/functest_kubernetes/security/security.py
+++ b/functest_kubernetes/security/security.py
@@ -192,11 +192,8 @@ class KubeBench(SecurityTesting):
__logger = logging.getLogger(__name__)
- def __init__(self, **kwargs):
- super(KubeBench, self).__init__(**kwargs)
- self.job_name = "kube-bench"
-
def run(self, **kwargs):
+ self.job_name = "kube-bench-{}".format(kwargs.get("target", "node"))
super(KubeBench, self).run(**kwargs)
self.details["report"] = ast.literal_eval(self.pod_log)
msg = prettytable.PrettyTable(