aboutsummaryrefslogtreecommitdiffstats
path: root/functest_kubernetes/security
diff options
context:
space:
mode:
authorCédric Ollivier <cedric.ollivier@orange.com>2020-09-13 14:53:26 +0200
committerCédric Ollivier <cedric.ollivier@orange.com>2020-09-13 17:00:33 +0200
commite73fb855bdf559882bb7fc46811a92eb9f3c5d0b (patch)
tree8ce9a18d5e78f005cd395ca5d1a65eae0584fb6b /functest_kubernetes/security
parent58eeabaf065676e9ae6a55bc6aa8a17182034164 (diff)
Split kube-bench master and node
The former deployment asked for all-in-one. Change-Id: I12e470cec9e82b82c6f3ea5ff2431087f5deb9be Signed-off-by: Cédric Ollivier <cedric.ollivier@orange.com> (cherry picked from commit bced94b6fe24c7e939fb22834deb77477e4a9bb9)
Diffstat (limited to 'functest_kubernetes/security')
-rw-r--r--functest_kubernetes/security/kube-bench-master.yaml42
-rw-r--r--functest_kubernetes/security/kube-bench-node.yaml (renamed from functest_kubernetes/security/kube-bench.yaml)14
-rw-r--r--functest_kubernetes/security/security.py5
3 files changed, 45 insertions, 16 deletions
diff --git a/functest_kubernetes/security/kube-bench-master.yaml b/functest_kubernetes/security/kube-bench-master.yaml
new file mode 100644
index 00000000..755e2923
--- /dev/null
+++ b/functest_kubernetes/security/kube-bench-master.yaml
@@ -0,0 +1,42 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: kube-bench-master
+spec:
+ template:
+ spec:
+ hostPID: true
+ nodeSelector:
+ node-role.kubernetes.io/master: ""
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ effect: NoSchedule
+ containers:
+ - name: kube-bench
+ image: aquasec/kube-bench:0.3.1
+ command: ["kube-bench", "master", "--json"]
+ volumeMounts:
+ - name: var-lib-etcd
+ mountPath: /var/lib/etcd
+ readOnly: true
+ - name: etc-kubernetes
+ mountPath: /etc/kubernetes
+ readOnly: true
+ # /usr/local/mount-from-host/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
+ # You can omit this mount if you specify --version as part of the command.
+ - name: usr-bin
+ mountPath: /usr/local/mount-from-host/bin
+ readOnly: true
+ restartPolicy: Never
+ volumes:
+ - name: var-lib-etcd
+ hostPath:
+ path: "/var/lib/etcd"
+ - name: etc-kubernetes
+ hostPath:
+ path: "/etc/kubernetes"
+ - name: usr-bin
+ hostPath:
+ path: "/usr/bin"
diff --git a/functest_kubernetes/security/kube-bench.yaml b/functest_kubernetes/security/kube-bench-node.yaml
index 2f2c57d6..306ad600 100644
--- a/functest_kubernetes/security/kube-bench.yaml
+++ b/functest_kubernetes/security/kube-bench-node.yaml
@@ -2,23 +2,16 @@
apiVersion: batch/v1
kind: Job
metadata:
- name: kube-bench
+ name: kube-bench-node
spec:
template:
- metadata:
- labels:
- app: kube-bench
spec:
hostPID: true
containers:
- name: kube-bench
image: aquasec/kube-bench:0.3.1
- command: ["kube-bench"]
- args: ["--json"]
+ command: ["kube-bench", "node", "--json"]
volumeMounts:
- - name: var-lib-etcd
- mountPath: /var/lib/etcd
- readOnly: true
- name: var-lib-kubelet
mountPath: /var/lib/kubelet
readOnly: true
@@ -35,9 +28,6 @@ spec:
readOnly: true
restartPolicy: Never
volumes:
- - name: var-lib-etcd
- hostPath:
- path: "/var/lib/etcd"
- name: var-lib-kubelet
hostPath:
path: "/var/lib/kubelet"
diff --git a/functest_kubernetes/security/security.py b/functest_kubernetes/security/security.py
index 64aa4150..e590d059 100644
--- a/functest_kubernetes/security/security.py
+++ b/functest_kubernetes/security/security.py
@@ -191,11 +191,8 @@ class KubeBench(SecurityTesting):
__logger = logging.getLogger(__name__)
- def __init__(self, **kwargs):
- super(KubeBench, self).__init__(**kwargs)
- self.job_name = "kube-bench"
-
def run(self, **kwargs):
+ self.job_name = "kube-bench-{}".format(kwargs.get("target", "node"))
super(KubeBench, self).run(**kwargs)
self.details["report"] = ast.literal_eval(self.pod_log)
msg = prettytable.PrettyTable(