diff options
Diffstat (limited to 'functest_kubernetes')
-rw-r--r-- | functest_kubernetes/security/kube-bench-master.yaml | 79 | ||||
-rw-r--r-- | functest_kubernetes/security/kube-bench-node.yaml | 46 | ||||
-rw-r--r-- | functest_kubernetes/security/kube-hunter.yaml | 2 | ||||
-rw-r--r-- | functest_kubernetes/security/security.py | 2 |
4 files changed, 121 insertions, 8 deletions
diff --git a/functest_kubernetes/security/kube-bench-master.yaml b/functest_kubernetes/security/kube-bench-master.yaml index d1a13217..ccfc842b 100644 --- a/functest_kubernetes/security/kube-bench-master.yaml +++ b/functest_kubernetes/security/kube-bench-master.yaml @@ -7,20 +7,49 @@ spec: template: spec: hostPID: true - nodeSelector: - node-role.kubernetes.io/master: "" + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: node-role.kubernetes.io/control-plane + operator: Exists + - matchExpressions: + - key: node-role.kubernetes.io/master + operator: Exists tolerations: - key: node-role.kubernetes.io/master operator: Exists effect: NoSchedule + - key: node-role.kubernetes.io/control-plane + operator: Exists + effect: NoSchedule containers: - name: kube-bench - image: {{ dockerhub_repo }}/aquasec/kube-bench:0.3.1 - command: ["kube-bench", "master", "--json"] + image: {{ dockerhub_repo }}/aquasec/kube-bench:latest + command: ["kube-bench", "run", "--targets", "master", "--json"] volumeMounts: - name: var-lib-etcd mountPath: /var/lib/etcd readOnly: true + - name: var-lib-kubelet + mountPath: /var/lib/kubelet + readOnly: true + - name: var-lib-kube-scheduler + mountPath: /var/lib/kube-scheduler + readOnly: true + - name: var-lib-kube-controller-manager + mountPath: /var/lib/kube-controller-manager + readOnly: true + - name: etc-systemd + mountPath: /etc/systemd + readOnly: true + - name: lib-systemd + mountPath: /lib/systemd/ + readOnly: true + - name: srv-kubernetes + mountPath: /srv/kubernetes/ + readOnly: true - name: etc-kubernetes mountPath: /etc/kubernetes readOnly: true @@ -29,14 +58,56 @@ spec: - name: usr-bin mountPath: /usr/local/mount-from-host/bin readOnly: true + - name: etc-cni-netd + mountPath: /etc/cni/net.d/ + readOnly: true + - name: opt-cni-bin + mountPath: /opt/cni/bin/ + readOnly: true + - name: etc-passwd + mountPath: /etc/passwd + readOnly: true + - name: etc-group + mountPath: /etc/group + readOnly: true restartPolicy: Never volumes: - name: var-lib-etcd hostPath: path: "/var/lib/etcd" + - name: var-lib-kubelet + hostPath: + path: "/var/lib/kubelet" + - name: var-lib-kube-scheduler + hostPath: + path: "/var/lib/kube-scheduler" + - name: var-lib-kube-controller-manager + hostPath: + path: "/var/lib/kube-controller-manager" + - name: etc-systemd + hostPath: + path: "/etc/systemd" + - name: lib-systemd + hostPath: + path: "/lib/systemd" + - name: srv-kubernetes + hostPath: + path: "/srv/kubernetes" - name: etc-kubernetes hostPath: path: "/etc/kubernetes" - name: usr-bin hostPath: path: "/usr/bin" + - name: etc-cni-netd + hostPath: + path: "/etc/cni/net.d/" + - name: opt-cni-bin + hostPath: + path: "/opt/cni/bin/" + - name: etc-passwd + hostPath: + path: "/etc/passwd" + - name: etc-group + hostPath: + path: "/etc/group" diff --git a/functest_kubernetes/security/kube-bench-node.yaml b/functest_kubernetes/security/kube-bench-node.yaml index 95929774..03d428ad 100644 --- a/functest_kubernetes/security/kube-bench-node.yaml +++ b/functest_kubernetes/security/kube-bench-node.yaml @@ -9,15 +9,30 @@ spec: hostPID: true containers: - name: kube-bench - image: {{ dockerhub_repo }}/aquasec/kube-bench:0.3.1 - command: ["kube-bench", "node", "--json"] + image: {{ dockerhub_repo }}/aquasec/kube-bench:latest + command: ["kube-bench", "run", "--targets", "node", "--json"] volumeMounts: + - name: var-lib-etcd + mountPath: /var/lib/etcd + readOnly: true - name: var-lib-kubelet mountPath: /var/lib/kubelet readOnly: true + - name: var-lib-kube-scheduler + mountPath: /var/lib/kube-scheduler + readOnly: true + - name: var-lib-kube-controller-manager + mountPath: /var/lib/kube-controller-manager + readOnly: true - name: etc-systemd mountPath: /etc/systemd readOnly: true + - name: lib-systemd + mountPath: /lib/systemd/ + readOnly: true + - name: srv-kubernetes + mountPath: /srv/kubernetes/ + readOnly: true - name: etc-kubernetes mountPath: /etc/kubernetes readOnly: true @@ -26,17 +41,44 @@ spec: - name: usr-bin mountPath: /usr/local/mount-from-host/bin readOnly: true + - name: etc-cni-netd + mountPath: /etc/cni/net.d/ + readOnly: true + - name: opt-cni-bin + mountPath: /opt/cni/bin/ + readOnly: true restartPolicy: Never volumes: + - name: var-lib-etcd + hostPath: + path: "/var/lib/etcd" - name: var-lib-kubelet hostPath: path: "/var/lib/kubelet" + - name: var-lib-kube-scheduler + hostPath: + path: "/var/lib/kube-scheduler" + - name: var-lib-kube-controller-manager + hostPath: + path: "/var/lib/kube-controller-manager" - name: etc-systemd hostPath: path: "/etc/systemd" + - name: lib-systemd + hostPath: + path: "/lib/systemd" + - name: srv-kubernetes + hostPath: + path: "/srv/kubernetes" - name: etc-kubernetes hostPath: path: "/etc/kubernetes" - name: usr-bin hostPath: path: "/usr/bin" + - name: etc-cni-netd + hostPath: + path: "/etc/cni/net.d/" + - name: opt-cni-bin + hostPath: + path: "/opt/cni/bin/" diff --git a/functest_kubernetes/security/kube-hunter.yaml b/functest_kubernetes/security/kube-hunter.yaml index d1169618..0b58cab7 100644 --- a/functest_kubernetes/security/kube-hunter.yaml +++ b/functest_kubernetes/security/kube-hunter.yaml @@ -7,7 +7,7 @@ spec: spec: containers: - name: kube-hunter - image: {{ dockerhub_repo }}/aquasec/kube-hunter:0.6.8 + image: {{ dockerhub_repo }}/aquasec/kube-hunter:latest command: ["kube-hunter"] args: ["--pod", "--report", "json", "--statistics"] restartPolicy: Never diff --git a/functest_kubernetes/security/security.py b/functest_kubernetes/security/security.py index 751fd29b..cfbb391e 100644 --- a/functest_kubernetes/security/security.py +++ b/functest_kubernetes/security/security.py @@ -214,7 +214,7 @@ class KubeBench(SecurityTesting): header_style='upper', padding_width=5, field_names=['node_type', 'version', 'test_desc', 'pass', 'fail', 'warn']) - for details in self.details["report"]: + for details in self.details["report"]["Controls"]: for test in details['tests']: msg.add_row( [details['node_type'], details['version'], test['desc'], |