From c5ffd6613f4ad87bd4fec618411cbb06c8278301 Mon Sep 17 00:00:00 2001
From: Cédric Ollivier
Date: Sun, 13 Sep 2020 14:53:26 +0200
Subject: Split kube-bench master and node
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The former deployment asked for all-in-one.

Change-Id: I12e470cec9e82b82c6f3ea5ff2431087f5deb9be
Signed-off-by: Cédric Ollivier
(cherry picked from commit bced94b6fe24c7e939fb22834deb77477e4a9bb9)
---
 ansible/site.yml | 3 +-
 docker/security/testcases.yaml | 28 +++++++++---
 .../security/kube-bench-master.yaml | 42 +++++++++++++++++
 functest_kubernetes/security/kube-bench-node.yaml | 42 +++++++++++++++++
 functest_kubernetes/security/kube-bench.yaml | 52 ----------------------
 functest_kubernetes/security/security.py | 5 +--
 6 files changed, 109 insertions(+), 63 deletions(-)
 create mode 100644 functest_kubernetes/security/kube-bench-master.yaml
 create mode 100644 functest_kubernetes/security/kube-bench-node.yaml
 delete mode 100644 functest_kubernetes/security/kube-bench.yaml

diff --git a/ansible/site.yml b/ansible/site.yml
index 5b996168..daa046c4 100644
--- a/ansible/site.yml
+++ b/ansible/site.yml
@@ -53,7 +53,8 @@
 - container: functest-kubernetes-security
 tests:
 - kube_hunter
- - kube_bench
+ - kube_bench_master
+ - kube_bench_node
 - container: functest-kubernetes-benchmarking
 tests:
 - xrally_kubernetes_full
diff --git a/docker/security/testcases.yaml b/docker/security/testcases.yaml
index e5423a47..c4f7e69b 100644
--- a/docker/security/testcases.yaml
+++ b/docker/security/testcases.yaml
@@ -2,7 +2,6 @@ tiers:
 -
 name: security
- ci_loop: '(daily)|(weekly)'
 description: >-
 Set of basic security tests.
 testcases:
@@ -15,17 +14,34 @@ tiers:
 Check that the kubernetes cluster has no known
 vulnerabilities
 run:
- name: 'kube_hunter'
+ name: kube_hunter
 args:
 severity: high
 -
- case_name: kube_bench
+ case_name: kube_bench_master
 project_name: functest
 criteria: 100
 blocking: false
 description: >-
- Check that the kubernetes cluster has no known
- vulnerabilities
+ Checks whether Kubernetes is deployed securely by running
+ the master checks documented in the CIS Kubernetes
+ Benchmark.
 run:
- name: 'kube_bench'
+ name: kube_bench
+ args:
+ target: master
+
+ -
+ case_name: kube_bench_node
+ project_name: functest
+ criteria: 100
+ blocking: false
+ description: >-
+ Checks whether Kubernetes is deployed securely by running
+ the node checks documented in the CIS Kubernetes
+ Benchmark.
+ run:
+ name: kube_bench
+ args:
+ target: node
diff --git a/functest_kubernetes/security/kube-bench-master.yaml b/functest_kubernetes/security/kube-bench-master.yaml
new file mode 100644
index 00000000..755e2923
--- /dev/null
+++ b/functest_kubernetes/security/kube-bench-master.yaml
@@ -0,0 +1,42 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: kube-bench-master
+spec:
+ template:
+ spec:
+ hostPID: true
+ nodeSelector:
+ node-role.kubernetes.io/master: ""
+ tolerations:
+ - key: node-role.kubernetes.io/master
+ operator: Exists
+ effect: NoSchedule
+ containers:
+ - name: kube-bench
+ image: aquasec/kube-bench:0.3.1
+ command: ["kube-bench", "master", "--json"]
+ volumeMounts:
+ - name: var-lib-etcd
+ mountPath: /var/lib/etcd
+ readOnly: true
+ - name: etc-kubernetes
+ mountPath: /etc/kubernetes
+ readOnly: true
+ # /usr/local/mount-from-host/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
+ # You can omit this mount if you specify --version as part of the command.
+ - name: usr-bin
+ mountPath: /usr/local/mount-from-host/bin
+ readOnly: true
+ restartPolicy: Never
+ volumes:
+ - name: var-lib-etcd
+ hostPath:
+ path: "/var/lib/etcd"
+ - name: etc-kubernetes
+ hostPath:
+ path: "/etc/kubernetes"
+ - name: usr-bin
+ hostPath:
+ path: "/usr/bin"
diff --git a/functest_kubernetes/security/kube-bench-node.yaml b/functest_kubernetes/security/kube-bench-node.yaml
new file mode 100644
index 00000000..306ad600
--- /dev/null
+++ b/functest_kubernetes/security/kube-bench-node.yaml
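Review bot: The master Job's pod template carries no labels and the Job sets no `backoffLimit`, whereas the deleted kube-bench.yaml labelled its template `app: kube-bench`; if the base class locates the pod by that label the log fetch will find nothing, and with the default backoffLimit a failing run is retried, leaving several pods for the log fetch to choose from. Whether the lookup relies on the `app` label or on the automatic `job-name` label cannot be told from this diff, so that is worth confirming against SecurityTesting before merging. Adding `backoffLimit: 0` under `spec:` keeps one pod per benchmark run either way, and the hostPath mounts should stay `readOnly: true` as written, since they expose /var/lib/etcd and /etc/kubernetes to the container. The same remarks apply to kube-bench-node.yaml.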
@@ -0,0 +1,42 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: kube-bench-node
+spec:
+ template:
+ spec:
+ hostPID: true
+ containers:
+ - name: kube-bench
+ image: aquasec/kube-bench:0.3.1
+ command: ["kube-bench", "node", "--json"]
+ volumeMounts:
+ - name: var-lib-kubelet
+ mountPath: /var/lib/kubelet
+ readOnly: true
+ - name: etc-systemd
+ mountPath: /etc/systemd
+ readOnly: true
+ - name: etc-kubernetes
+ mountPath: /etc/kubernetes
+ readOnly: true
+ # /usr/local/mount-from-host/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
+ # You can omit this mount if you specify --version as part of the command.
+ - name: usr-bin
+ mountPath: /usr/local/mount-from-host/bin
+ readOnly: true
+ restartPolicy: Never
+ volumes:
+ - name: var-lib-kubelet
+ hostPath:
+ path: "/var/lib/kubelet"
+ - name: etc-systemd
+ hostPath:
+ path: "/etc/systemd"
+ - name: etc-kubernetes
+ hostPath:
+ path: "/etc/kubernetes"
+ - name: usr-bin
+ hostPath:
+ path: "/usr/bin"
diff --git a/functest_kubernetes/security/kube-bench.yaml b/functest_kubernetes/security/kube-bench.yaml
deleted file mode 100644
index 2f2c57d6..00000000
--- a/functest_kubernetes/security/kube-bench.yaml
+++ /dev/null
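Review bot: The node Job carries no nodeSelector, tolerations or parallelism, so a single pod lands on one arbitrary schedulable node and the CIS node checks describe only that node; on a multi-worker cluster the other workers are never benchmarked, and on a cluster whose only node carries the control-plane taint the pod stays Pending because, unlike kube-bench-master.yaml, nothing is tolerated. Per-node coverage would need one Job per node or a DaemonSet, which presumably goes beyond what the base class's Job handling supports. At minimum a comment on the template such as `# one pod on one schedulable node: the report covers that node only` makes the limitation explicit to whoever reads the 100% criterion in testcases.yaml.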
@@ -1,52 +0,0 @@
----
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: kube-bench
-spec:
- template:
- metadata:
- labels:
- app: kube-bench
- spec:
- hostPID: true
- containers:
- - name: kube-bench
- image: aquasec/kube-bench:0.3.1
- command: ["kube-bench"]
- args: ["--json"]
- volumeMounts:
- - name: var-lib-etcd
- mountPath: /var/lib/etcd
- readOnly: true
- - name: var-lib-kubelet
- mountPath: /var/lib/kubelet
- readOnly: true
- - name: etc-systemd
- mountPath: /etc/systemd
- readOnly: true
- - name: etc-kubernetes
- mountPath: /etc/kubernetes
- readOnly: true
- # /usr/local/mount-from-host/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
- # You can omit this mount if you specify --version as part of the command.
- - name: usr-bin
- mountPath: /usr/local/mount-from-host/bin
- readOnly: true
- restartPolicy: Never
- volumes:
- - name: var-lib-etcd
- hostPath:
- path: "/var/lib/etcd"
- - name: var-lib-kubelet
- hostPath:
- path: "/var/lib/kubelet"
- - name: etc-systemd
- hostPath:
- path: "/etc/systemd"
- - name: etc-kubernetes
- hostPath:
- path: "/etc/kubernetes"
- - name: usr-bin
- hostPath:
- path: "/usr/bin"
diff --git a/functest_kubernetes/security/security.py b/functest_kubernetes/security/security.py
index e6413764..fe3d8a93 100644
--- a/functest_kubernetes/security/security.py
+++ b/functest_kubernetes/security/security.py
@@ -192,11 +192,8 @@ class KubeBench(SecurityTesting):
 __logger = logging.getLogger(__name__)
- def __init__(self, **kwargs):
- super(KubeBench, self).__init__(**kwargs)
- self.job_name = "kube-bench"
-
 def run(self, **kwargs):
+ self.job_name = "kube-bench-{}".format(kwargs.get("target", "node"))
 super(KubeBench, self).run(**kwargs)
 self.details["report"] = ast.literal_eval(self.pod_log)
 msg = prettytable.PrettyTable(
--
cgit 1.2.3-korg
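Review bot: In the security.py hunk, `target` is taken from the testcase args and formatted straight into `self.job_name` with no validation, so any value other than `master` or `node` yields a job name for which no manifest ships, and the failure surfaces wherever the base class later loads it rather than at the point of misconfiguration. Restricting it up front gives a clear error; the rewrite below does that while keeping the `node` default. Dropping `__init__` also means `job_name` is only set once `run()` executes, so if SecurityTesting's cleanup reads it on an instance whose run never started it would now raise AttributeError — worth checking against the base class, which is outside this diff. `run` continues past the end of the hunk.
```python
    def run(self, **kwargs):
        target = kwargs.get("target", "node")
        if target not in ("master", "node"):
            raise ValueError("unsupported kube-bench target: {}".format(target))
        self.job_name = "kube-bench-{}".format(target)
        # … unchanged: super().run(**kwargs), report parsing, PrettyTable output …
```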