aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSylvain Desbureaux <sylvain.desbureaux@orange.com>2021-03-24 07:51:29 +0100
committerCédric Ollivier <cedric.ollivier@orange.com>2021-03-25 09:29:50 +0100
commit27ee28402403cfdd026e99e5351d25a2fe9fd347 (patch)
tree5eee2e2b8acdd85687900aa7fbbb3702d914713e
parentadae3eca5c9dbeaf1e3566abf60b450c49c24d44 (diff)
Provide support for air gapped env for security
Sometimes, tested Kubernetes doesn't have direct access to Internet but access through repository mirrors. This patch handles this case for security test cases. Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com> Change-Id: I699d065ee691596c4a5ccf06c22ea76ef00fe497 (cherry picked from commit af623f6b45c9357b0e33210f54db64b270d162bf)
-rw-r--r--README.md2
-rw-r--r--functest_kubernetes/security/kube-bench-master.yaml2
-rw-r--r--functest_kubernetes/security/kube-bench-node.yaml2
-rw-r--r--functest_kubernetes/security/kube-hunter.yaml2
-rw-r--r--functest_kubernetes/security/security.py8
5 files changed, 11 insertions, 5 deletions
diff --git a/README.md b/README.md
index 372caf92..b0176576 100644
--- a/README.md
+++ b/README.md
@@ -123,7 +123,7 @@ sudo docker run --env-file env \
To test a Kubernetes without access to Internet, repository mirrors needs to be
provided.
-Currently, only rally tests supports this feature.
+Currently, only rally and security tests supports this feature.
There's two ways for providing the repository mirrors:
diff --git a/functest_kubernetes/security/kube-bench-master.yaml b/functest_kubernetes/security/kube-bench-master.yaml
index 755e2923..d1a13217 100644
--- a/functest_kubernetes/security/kube-bench-master.yaml
+++ b/functest_kubernetes/security/kube-bench-master.yaml
@@ -15,7 +15,7 @@ spec:
effect: NoSchedule
containers:
- name: kube-bench
- image: aquasec/kube-bench:0.3.1
+ image: {{ dockerhub_repo }}/aquasec/kube-bench:0.3.1
command: ["kube-bench", "master", "--json"]
volumeMounts:
- name: var-lib-etcd
diff --git a/functest_kubernetes/security/kube-bench-node.yaml b/functest_kubernetes/security/kube-bench-node.yaml
index 306ad600..95929774 100644
--- a/functest_kubernetes/security/kube-bench-node.yaml
+++ b/functest_kubernetes/security/kube-bench-node.yaml
@@ -9,7 +9,7 @@ spec:
hostPID: true
containers:
- name: kube-bench
- image: aquasec/kube-bench:0.3.1
+ image: {{ dockerhub_repo }}/aquasec/kube-bench:0.3.1
command: ["kube-bench", "node", "--json"]
volumeMounts:
- name: var-lib-kubelet
diff --git a/functest_kubernetes/security/kube-hunter.yaml b/functest_kubernetes/security/kube-hunter.yaml
index 6f895c01..b7d23547 100644
--- a/functest_kubernetes/security/kube-hunter.yaml
+++ b/functest_kubernetes/security/kube-hunter.yaml
@@ -7,7 +7,7 @@ spec:
spec:
containers:
- name: kube-hunter
- image: aquasec/kube-hunter:0.3.1
+ image: {{ dockerhub_repo }}/aquasec/kube-hunter:0.3.1
command: ["python", "kube-hunter.py"]
args: ["--pod", "--report", "json", "--statistics"]
restartPolicy: Never
diff --git a/functest_kubernetes/security/security.py b/functest_kubernetes/security/security.py
index 378b2c22..052c0ad4 100644
--- a/functest_kubernetes/security/security.py
+++ b/functest_kubernetes/security/security.py
@@ -16,10 +16,12 @@ from __future__ import division
import ast
import json
import logging
+import os
import time
import textwrap
import yaml
+from jinja2 import Template
from kubernetes import client
from kubernetes import config
from kubernetes import watch
@@ -32,6 +34,7 @@ class SecurityTesting(testcase.TestCase):
# pylint: disable=too-many-instance-attributes
"""Run Security job"""
watch_timeout = 1200
+ dockerhub_repo = os.getenv("MIRROR_REPO", "docker.io")
__logger = logging.getLogger(__name__)
@@ -63,7 +66,10 @@ class SecurityTesting(testcase.TestCase):
with open(pkg_resources.resource_filename(
"functest_kubernetes",
"security/{}.yaml".format(self.job_name))) as yfile:
- body = yaml.safe_load(yfile)
+ template = Template(yfile.read())
+ body = yaml.safe_load(template.render(
+ dockerhub_repo=os.getenv("DOCKERHUB_REPO",
+ self.dockerhub_repo)))
api_response = self.batchv1.create_namespaced_job(
body=body, namespace=self.namespace)
self.__logger.info("Job %s created", api_response.metadata.name)