diff options
author | Sylvain Desbureaux <sylvain.desbureaux@orange.com> | 2021-03-24 07:51:29 +0100 |
---|---|---|
committer | Cédric Ollivier <cedric.ollivier@orange.com> | 2021-03-25 09:29:50 +0100 |
commit | 27ee28402403cfdd026e99e5351d25a2fe9fd347 (patch) | |
tree | 5eee2e2b8acdd85687900aa7fbbb3702d914713e | |
parent | adae3eca5c9dbeaf1e3566abf60b450c49c24d44 (diff) |
Provide support for air gapped env for security
Sometimes, tested Kubernetes doesn't have direct access to Internet but
access through repository mirrors.
This patch handles this case for security test cases.
Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
Change-Id: I699d065ee691596c4a5ccf06c22ea76ef00fe497
(cherry picked from commit af623f6b45c9357b0e33210f54db64b270d162bf)
-rw-r--r-- | README.md | 2 | ||||
-rw-r--r-- | functest_kubernetes/security/kube-bench-master.yaml | 2 | ||||
-rw-r--r-- | functest_kubernetes/security/kube-bench-node.yaml | 2 | ||||
-rw-r--r-- | functest_kubernetes/security/kube-hunter.yaml | 2 | ||||
-rw-r--r-- | functest_kubernetes/security/security.py | 8 |
5 files changed, 11 insertions, 5 deletions
@@ -123,7 +123,7 @@ sudo docker run --env-file env \ To test a Kubernetes without access to Internet, repository mirrors needs to be provided. -Currently, only rally tests supports this feature. +Currently, only rally and security tests supports this feature. There's two ways for providing the repository mirrors: diff --git a/functest_kubernetes/security/kube-bench-master.yaml b/functest_kubernetes/security/kube-bench-master.yaml index 755e2923..d1a13217 100644 --- a/functest_kubernetes/security/kube-bench-master.yaml +++ b/functest_kubernetes/security/kube-bench-master.yaml @@ -15,7 +15,7 @@ spec: effect: NoSchedule containers: - name: kube-bench - image: aquasec/kube-bench:0.3.1 + image: {{ dockerhub_repo }}/aquasec/kube-bench:0.3.1 command: ["kube-bench", "master", "--json"] volumeMounts: - name: var-lib-etcd diff --git a/functest_kubernetes/security/kube-bench-node.yaml b/functest_kubernetes/security/kube-bench-node.yaml index 306ad600..95929774 100644 --- a/functest_kubernetes/security/kube-bench-node.yaml +++ b/functest_kubernetes/security/kube-bench-node.yaml @@ -9,7 +9,7 @@ spec: hostPID: true containers: - name: kube-bench - image: aquasec/kube-bench:0.3.1 + image: {{ dockerhub_repo }}/aquasec/kube-bench:0.3.1 command: ["kube-bench", "node", "--json"] volumeMounts: - name: var-lib-kubelet diff --git a/functest_kubernetes/security/kube-hunter.yaml b/functest_kubernetes/security/kube-hunter.yaml index 6f895c01..b7d23547 100644 --- a/functest_kubernetes/security/kube-hunter.yaml +++ b/functest_kubernetes/security/kube-hunter.yaml @@ -7,7 +7,7 @@ spec: spec: containers: - name: kube-hunter - image: aquasec/kube-hunter:0.3.1 + image: {{ dockerhub_repo }}/aquasec/kube-hunter:0.3.1 command: ["python", "kube-hunter.py"] args: ["--pod", "--report", "json", "--statistics"] restartPolicy: Never diff --git a/functest_kubernetes/security/security.py b/functest_kubernetes/security/security.py index 378b2c22..052c0ad4 100644 --- a/functest_kubernetes/security/security.py +++ b/functest_kubernetes/security/security.py @@ -16,10 +16,12 @@ from __future__ import division import ast import json import logging +import os import time import textwrap import yaml +from jinja2 import Template from kubernetes import client from kubernetes import config from kubernetes import watch @@ -32,6 +34,7 @@ class SecurityTesting(testcase.TestCase): # pylint: disable=too-many-instance-attributes """Run Security job""" watch_timeout = 1200 + dockerhub_repo = os.getenv("MIRROR_REPO", "docker.io") __logger = logging.getLogger(__name__) @@ -63,7 +66,10 @@ class SecurityTesting(testcase.TestCase): with open(pkg_resources.resource_filename( "functest_kubernetes", "security/{}.yaml".format(self.job_name))) as yfile: - body = yaml.safe_load(yfile) + template = Template(yfile.read()) + body = yaml.safe_load(template.render( + dockerhub_repo=os.getenv("DOCKERHUB_REPO", + self.dockerhub_repo))) api_response = self.batchv1.create_namespaced_job( body=body, namespace=self.namespace) self.__logger.info("Job %s created", api_response.metadata.name) |