authorSylvain Desbureaux <sylvain.desbureaux@orange.com>2021-03-24 07:51:29 +0100
committerCédric Ollivier <cedric.ollivier@orange.com>2021-03-25 09:30:04 +0100
commit1d94895fa66043dc85a4b8f93b15c408aea08ed3 (patch)
tree6d9c102db6079711fec017f5264f5cb4a0052e0f
parentb6f9fafe865cb6a8956b11096c3a31f5debdacac (diff)
Provide support for air gapped env for security
Sometimes the Kubernetes cluster under test has no direct Internet access and can only reach container images through repository mirrors. This patch handles that case for the security test cases (kube-bench and kube-hunter), which previously pulled their images from Docker Hub unconditionally. Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com> Change-Id: I699d065ee691596c4a5ccf06c22ea76ef00fe497 (cherry picked from commit af623f6b45c9357b0e33210f54db64b270d162bf)
-rw-r--r--README.md2
-rw-r--r--functest_kubernetes/security/kube-bench-master.yaml2
-rw-r--r--functest_kubernetes/security/kube-bench-node.yaml2
-rw-r--r--functest_kubernetes/security/kube-hunter.yaml2
-rw-r--r--functest_kubernetes/security/security.py8
5 files changed, 11 insertions, 5 deletions
diff --git a/README.md b/README.md
index a23f1c3c..1348434b 100644
--- a/README.md
+++ b/README.md
@@ -123,7 +123,7 @@ sudo docker run --env-file env \
To test a Kubernetes without access to Internet, repository mirrors needs to be
provided.
-Currently, only rally tests supports this feature.
+Currently, only rally and security tests supports this feature.
There's two ways for providing the repository mirrors:
diff --git a/functest_kubernetes/security/kube-bench-master.yaml b/functest_kubernetes/security/kube-bench-master.yaml
index 755e2923..d1a13217 100644
--- a/functest_kubernetes/security/kube-bench-master.yaml
+++ b/functest_kubernetes/security/kube-bench-master.yaml
@@ -15,7 +15,7 @@ spec:
effect: NoSchedule
containers:
- name: kube-bench
- image: aquasec/kube-bench:0.3.1
+ image: {{ dockerhub_repo }}/aquasec/kube-bench:0.3.1
command: ["kube-bench", "master", "--json"]
volumeMounts:
- name: var-lib-etcd
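Review bot: The new reference `image: {{ dockerhub_repo }}/aquasec/kube-bench:0.3.1` is pinned only by a mutable tag, so once pulls are redirected to an operator-supplied mirror, whatever that mirror serves under `0.3.1` runs in this pod with the control-plane toleration and the `var-lib-etcd` host mount visible just below. A content digest (`aquasec/kube-bench:0.3.1@sha256:…`, taken from the upstream image) is registry-independent, so the mirror could not substitute a different image; the same applies to the node and kube-hunter manifests in this commit. Note also that the unquoted `{{ … }}` makes the file a Jinja template rather than valid YAML until rendered, which a yamllint-style check in CI would report. The enclosing pod spec starts outside the hunk.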
diff --git a/functest_kubernetes/security/kube-bench-node.yaml b/functest_kubernetes/security/kube-bench-node.yaml
index 306ad600..95929774 100644
--- a/functest_kubernetes/security/kube-bench-node.yaml
+++ b/functest_kubernetes/security/kube-bench-node.yaml
@@ -9,7 +9,7 @@ spec:
hostPID: true
containers:
- name: kube-bench
- image: aquasec/kube-bench:0.3.1
+ image: {{ dockerhub_repo }}/aquasec/kube-bench:0.3.1
command: ["kube-bench", "node", "--json"]
volumeMounts:
- name: var-lib-kubelet
diff --git a/functest_kubernetes/security/kube-hunter.yaml b/functest_kubernetes/security/kube-hunter.yaml
index f8478943..8ee9c1ab 100644
--- a/functest_kubernetes/security/kube-hunter.yaml
+++ b/functest_kubernetes/security/kube-hunter.yaml
@@ -8,7 +8,7 @@ spec:
spec:
containers:
- name: kube-hunter
- image: aquasec/kube-hunter:0.3.1
+ image: {{ dockerhub_repo }}/aquasec/kube-hunter:0.3.1
command: ["python", "kube-hunter.py"]
args: ["--pod", "--report", "json", "--statistics"]
restartPolicy: Never
diff --git a/functest_kubernetes/security/security.py b/functest_kubernetes/security/security.py
index 378b2c22..052c0ad4 100644
--- a/functest_kubernetes/security/security.py
+++ b/functest_kubernetes/security/security.py
@@ -16,10 +16,12 @@ from __future__ import division
import ast
import json
import logging
+import os
import time
import textwrap
import yaml
+from jinja2 import Template
from kubernetes import client
from kubernetes import config
from kubernetes import watch
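Review bot: `from jinja2 import Template` adds a new runtime dependency to the security module; if jinja2 is not already declared in the package requirements (not visible here), the job fails at import time for every deployment, not only in air-gapped mode. It would also help the next reader to record that the manifests under `security/` are no longer plain YAML, e.g. a comment next to the import: `# security/*.yaml are Jinja2 templates (registry mirror placeholder) rendered before yaml.safe_load`.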
@@ -32,6 +34,7 @@ class SecurityTesting(testcase.TestCase):
# pylint: disable=too-many-instance-attributes
"""Run Security job"""
watch_timeout = 1200
+ dockerhub_repo = os.getenv("MIRROR_REPO", "docker.io")
__logger = logging.getLogger(__name__)
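Review bot: `dockerhub_repo = os.getenv("MIRROR_REPO", "docker.io")` is a class attribute, so `MIRROR_REPO` is read once at import time, whereas the `DOCKERHUB_REPO` lookup this commit adds in deploy happens on every call; a `MIRROR_REPO` exported after the module is imported is silently ignored while `DOCKERHUB_REPO` is not. Reading both variables in the method would make the two settings behave alike; at minimum a comment such as `# resolved at import time; DOCKERHUB_REPO (read per run) takes precedence` should make the asymmetry explicit. The class body continues outside the hunk.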
@@ -63,7 +66,10 @@ class SecurityTesting(testcase.TestCase):
with open(pkg_resources.resource_filename(
"functest_kubernetes",
"security/{}.yaml".format(self.job_name))) as yfile:
- body = yaml.safe_load(yfile)
+ template = Template(yfile.read())
+ body = yaml.safe_load(template.render(
+ dockerhub_repo=os.getenv("DOCKERHUB_REPO",
+ self.dockerhub_repo)))
api_response = self.batchv1.create_namespaced_job(
body=body, namespace=self.namespace)
self.__logger.info("Job %s created", api_response.metadata.name)
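Review bot: The registry value passed to `template.render(...)` is substituted into the manifest without any validation: a set-but-empty `DOCKERHUB_REPO` is returned by `os.getenv` instead of the default and yields `/aquasec/...`, a trailing slash yields `//aquasec/...`, and any YAML-significant characters in the value change the parsed document rather than just the image field. Normalising and checking the value before rendering avoids a confusing pull error or a malformed job body, e.g. `repo = os.getenv("DOCKERHUB_REPO", self.dockerhub_repo).strip().rstrip("/")` followed by `if not repo: raise ValueError("registry mirror must not be empty")`, then `dockerhub_repo=repo`. The enclosing method starts outside the hunk.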