diff options
| author |   Cédric Ollivier <cedric.ollivier@orange.com> | 2020-09-13 14:53:26 +0200 |
|---|---|---|
| committer | Cédric Ollivier <cedric.ollivier@orange.com> | 2020-09-13 17:01:28 +0200 |
| commit | c5ffd6613f4ad87bd4fec618411cbb06c8278301 (patch) | |
| tree | 57c06c49cb40d4c08ba80f72712837b84a689b3e | |
| parent | f5cd7b8964ee44a34c9764f154ce024db3ac1ef2 (diff) | |
Split kube-bench master and node
The former deployment asked for all-in-one.
Change-Id: I12e470cec9e82b82c6f3ea5ff2431087f5deb9be
Signed-off-by: Cédric Ollivier <cedric.ollivier@orange.com>
(cherry picked from commit bced94b6fe24c7e939fb22834deb77477e4a9bb9)
| -rw-r--r-- | ansible/site.yml | 3 | ||||
| -rw-r--r-- | docker/security/testcases.yaml | 28 | ||||
| -rw-r--r-- | functest_kubernetes/security/kube-bench-master.yaml | 42 | ||||
| -rw-r--r-- | functest_kubernetes/security/kube-bench-node.yaml (renamed from functest_kubernetes/security/kube-bench.yaml) | 14 | ||||
| -rw-r--r-- | functest_kubernetes/security/security.py | 5 |
5 files changed, 69 insertions, 23 deletions
diff --git a/ansible/site.yml b/ansible/site.yml index 5b996168..daa046c4 100644 --- a/ansible/site.yml +++ b/ansible/site.yml @@ -53,7 +53,8 @@ - container: functest-kubernetes-security tests: - kube_hunter - - kube_bench + - kube_bench_master + - kube_bench_node - container: functest-kubernetes-benchmarking tests: - xrally_kubernetes_full diff --git a/docker/security/testcases.yaml b/docker/security/testcases.yaml index e5423a47..c4f7e69b 100644 --- a/docker/security/testcases.yaml +++ b/docker/security/testcases.yaml @@ -2,7 +2,6 @@ tiers: - name: security - ci_loop: '(daily)|(weekly)' description: >- Set of basic security tests. testcases: @@ -15,17 +14,34 @@ tiers: Check that the kubernetes cluster has no known vulnerabilities run: - name: 'kube_hunter' + name: kube_hunter args: severity: high - - case_name: kube_bench + case_name: kube_bench_master project_name: functest criteria: 100 blocking: false description: >- - Check that the kubernetes cluster has no known - vulnerabilities + Checks whether Kubernetes is deployed securely by running + the master checks documented in the CIS Kubernetes + Benchmark. run: - name: 'kube_bench' + name: kube_bench + args: + target: master + + - + case_name: kube_bench_node + project_name: functest + criteria: 100 + blocking: false + description: >- + Checks whether Kubernetes is deployed securely by running + the node checks documented in the CIS Kubernetes + Benchmark. + run: + name: kube_bench + args: + target: node diff --git a/functest_kubernetes/security/kube-bench-master.yaml b/functest_kubernetes/security/kube-bench-master.yaml new file mode 100644 index 00000000..755e2923 --- /dev/null +++ b/functest_kubernetes/security/kube-bench-master.yaml @@ -0,0 +1,42 @@ +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: kube-bench-master +spec: + template: + spec: + hostPID: true + nodeSelector: + node-role.kubernetes.io/master: "" + tolerations: + - key: node-role.kubernetes.io/master + operator: Exists + effect: NoSchedule + containers: + - name: kube-bench + image: aquasec/kube-bench:0.3.1 + command: ["kube-bench", "master", "--json"] + volumeMounts: + - name: var-lib-etcd + mountPath: /var/lib/etcd + readOnly: true + - name: etc-kubernetes + mountPath: /etc/kubernetes + readOnly: true + # /usr/local/mount-from-host/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version. + # You can omit this mount if you specify --version as part of the command. + - name: usr-bin + mountPath: /usr/local/mount-from-host/bin + readOnly: true + restartPolicy: Never + volumes: + - name: var-lib-etcd + hostPath: + path: "/var/lib/etcd" + - name: etc-kubernetes + hostPath: + path: "/etc/kubernetes" + - name: usr-bin + hostPath: + path: "/usr/bin" diff --git a/functest_kubernetes/security/kube-bench.yaml b/functest_kubernetes/security/kube-bench-node.yaml index 2f2c57d6..306ad600 100644 --- a/functest_kubernetes/security/kube-bench.yaml +++ b/functest_kubernetes/security/kube-bench-node.yaml @@ -2,23 +2,16 @@ apiVersion: batch/v1 kind: Job metadata: - name: kube-bench + name: kube-bench-node spec: template: - metadata: - labels: - app: kube-bench spec: hostPID: true containers: - name: kube-bench image: aquasec/kube-bench:0.3.1 - command: ["kube-bench"] - args: ["--json"] + command: ["kube-bench", "node", "--json"] volumeMounts: - - name: var-lib-etcd - mountPath: /var/lib/etcd - readOnly: true - name: var-lib-kubelet mountPath: /var/lib/kubelet readOnly: true @@ -35,9 +28,6 @@ spec: readOnly: true restartPolicy: Never volumes: - - name: var-lib-etcd - hostPath: - path: "/var/lib/etcd" - name: var-lib-kubelet hostPath: path: "/var/lib/kubelet" diff --git a/functest_kubernetes/security/security.py b/functest_kubernetes/security/security.py index e6413764..fe3d8a93 100644 --- a/functest_kubernetes/security/security.py +++ b/functest_kubernetes/security/security.py @@ -192,11 +192,8 @@ class KubeBench(SecurityTesting): __logger = logging.getLogger(__name__) - def __init__(self, **kwargs): - super(KubeBench, self).__init__(**kwargs) - self.job_name = "kube-bench" - def run(self, **kwargs): + self.job_name = "kube-bench-{}".format(kwargs.get("target", "node")) super(KubeBench, self).run(**kwargs) self.details["report"] = ast.literal_eval(self.pod_log) msg = prettytable.PrettyTable( |