path: root/functest_kubernetes/security
Age | Commit message | Author | Files | Lines (-removed/+added)
2024-01-13 | Apply privileged pod security standard to kube-bench | Cédric Ollivier | 1 | -1/+3
    Change-Id: I0336d73f8a9663ef259adfe4377ce20499844021
    Signed-off-by: Cédric Ollivier <cedric.ollivier@orange.com>
    (cherry picked from commit 1bd69d63994d66582f4e7967e4a1f703dc247c69)
2024-01-13 | Enforce baseline Pod Security Standard | Cédric Ollivier | 1 | -1/+2
    It allows running both security and ims testcases vs clusters where PodSecurityConfiguration enforces "restricted" [1].
    [1] https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-admission-controller/
    Change-Id: I9eb420cbb695ec8fb002f25cfd3c96ab50118fcc
    Signed-off-by: Cédric Ollivier <cedric.ollivier@orange.com>
    (cherry picked from commit 553d57ffd4ff9c3c4f319454a4d190ac7aa4cc76)
2023-11-30 | Update to v1.28 | Cédric Ollivier | 3 | -3/+3
    Change-Id: I3007d4545cb80b54b9858dafbfc2442b32bcbb5e
    Signed-off-by: Cédric Ollivier <cedric.ollivier@orange.com>
2022-10-14 | By default just print all vulnerabilities | Cédric Ollivier | 1 | -10/+5
    It's the behavior expected by RA2. Please change it via testcases.yaml if needed.
    Change-Id: I84b02fa273f63ea1930bd356739243756032533d
    Signed-off-by: Cédric Ollivier <cedric.ollivier@orange.com>
2022-10-06 | Update kube bench test cases to latest dev | Cédric Ollivier | 4 | -8/+121
    Change-Id: I6edcfcced84d46a06933f4a5dc1702cfa90e3f9a
    Signed-off-by: Cédric Ollivier <cedric.ollivier@orange.com>
2022-10-06 | Update kube-hunter | Cédric Ollivier | 1 | -2/+2
    Change-Id: I41e9a4a95a53bf51286951db2911475a8d2dd3a9
    Signed-off-by: Cédric Ollivier <cedric.ollivier@orange.com>
2021-11-15 | Update linters and fix all new issues | Cédric Ollivier | 1 | -3/+3
    It mostly adds encoding in open calls and leverages f-strings.
    It removes ansible-lint as it now asks for ansible, roles and collections.
    Change-Id: I3ef729f44b2c721b14d19df27805938298aa2c67
    Signed-off-by: Cédric Ollivier <cedric.ollivier@orange.com>
2021-09-11 | Set encoding utf-8 when opening file | Cédric Ollivier | 1 | -1/+2
    Change-Id: I4e756552173247499ba882bfee4fbe8738fbae3d
    Signed-off-by: Cédric Ollivier <cedric.ollivier@orange.com>
2021-08-18 | Update to Alpine 3.14 | Cédric Ollivier | 1 | -5/+6
    It also disabled the wrong-order check as it fails vs kubernetes amongst others [1].
    [1] https://github.com/PyCQA/pylint/issues/2175
    Change-Id: I3d641c213067428848212a148d25d78051c5674f
    Signed-off-by: Cédric Ollivier <cedric.ollivier@orange.com>
2021-03-24 | Provide support for air gapped env for security | Sylvain Desbureaux | 4 | -4/+10
    Sometimes, the tested Kubernetes doesn't have direct access to the Internet but only access through repository mirrors.
    This patch handles this case for security test cases.
    Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
    Change-Id: I699d065ee691596c4a5ccf06c22ea76ef00fe497
2020-09-22 | Stop hardcoding ims- as generate_name | Cédric Ollivier | 1 | -1/+8
    Change-Id: I3ea22a4050ff1eb609cffb61edc41c49fab44366
    Signed-off-by: Cédric Ollivier <cedric.ollivier@orange.com>
2020-09-14 | Don't run disruptive hunter checks | Cédric Ollivier | 1 | -1/+1
    Change-Id: I52cb8303950269946774546cf8e413166c70a33c
    Signed-off-by: Cédric Ollivier <cedric.ollivier@orange.com>
2020-09-13 | Split kube-bench master and node | Cédric Ollivier | 3 | -16/+45
    The former deployment asked for all-in-one.
    Change-Id: I12e470cec9e82b82c6f3ea5ff2431087f5deb9be
    Signed-off-by: Cédric Ollivier <cedric.ollivier@orange.com>
2020-09-13 | self.details must be a dict | Cédric Ollivier | 1 | -2/+2
    Change-Id: I4f65a9eeb7eda471371668db9abfa49e2875c5b0
    Signed-off-by: Cédric Ollivier <cedric.ollivier@orange.com>
2020-09-12 | Improve kube_bench output | Cédric Ollivier | 2 | -0/+20
    It also fills self.details.
    Change-Id: Ie73215ebcbd34de9d457fd364de4ab9cbdf64319
    Signed-off-by: Cédric Ollivier <cedric.ollivier@orange.com>
2020-09-12 | Enhance kube-hunter result postprocessing | Cédric Ollivier | 2 | -4/+64
    It fills self.details and checks if the test case passes according to criteria (severity = high by default).
    Change-Id: Ib20779b4b5dca078c65b546c8703bc99856c6f41
    Signed-off-by: Cédric Ollivier <cedric.ollivier@orange.com>
2020-09-08 | Set all image tags | Cédric Ollivier | 2 | -3/+3
    It allows offline testing via xrally_kubernetes, k8s_vims, kube_bench and kube_hunter.
    Change-Id: I3084abec19f06a894d0083ecb3ed61882eddd785
    Signed-off-by: Cédric Ollivier <cedric.ollivier@orange.com>
2020-09-08 | Remove latest in all images | Cédric Ollivier | 1 | -1/+1
    The Kubernetes default pull policy is IfNotPresent unless the image tag is :latest, in which case the default policy is Always.
    IfNotPresent causes the Kubelet to skip pulling an image if it already exists [1].
    [1] https://kind.sigs.k8s.io/docs/user/quick-start/
    Change-Id: I83dac6165d2bbef165ca852dd03e5b76a5356f2f
    Signed-off-by: Cédric Ollivier <cedric.ollivier@orange.com>
2020-08-23 | Fix kube-hunter command | Cédric Ollivier | 1 | -1/+1
    https://github.com/aquasecurity/kube-hunter/commit/3e06647b4c09257cb994bbdd174ee621e2af5406
    Change-Id: Idf470f0161aaeb7a326a3e2a4e680445d9f00eac
    Signed-off-by: Cédric Ollivier <cedric.ollivier@orange.com>
2020-08-13 | Make K8s security tests namespace aware | Cédric Ollivier | 1 | -15/+28
    It now creates a namespace to allow running the test cases twice in parallel.
    It also overprotects clean operations to force a full delete.
    Change-Id: Ie0becd8ea9126328e7280591bacc0d88e14dd031
    Signed-off-by: Cédric Ollivier <cedric.ollivier@orange.com>
2020-03-14 | Override the right log files | Cédric Ollivier | 1 | -0/+3
    Else Xtesting publishes the default xtesting.log [1].
    [1] https://build.opnfv.org/ci/job/functest-kubernetes-opnfv-functest-kubernetes-security-latest-kube_hunter-run/2/console
    Change-Id: I0b9b9eda04762771d4e10f0d124b4d5f2975a4da
    Signed-off-by: Cédric Ollivier <cedric.ollivier@orange.com>
2020-03-13 | Add security docker for functest-kubernetes | mrichomme | 4 | -0/+186
    Run kube-hunter and kube-bench cases dealing with security in Kubernetes (check vulnerabilities) [1][2].
    It's the first step, only printing the output.
    [1]: https://github.com/aquasecurity/kube-bench
    [2]: https://github.com/aquasecurity/kube-hunter
    Co-Authored-By: Cédric Ollivier <cedric.ollivier@orange.com>
    Change-Id: I3bd9bda80046ef7a0c494d51dfb0b8cbfea02bb0
    Signed-off-by: mrichomme <morgan.richomme@orange.com>