From ea4ae5de28b08d5be02425e6ef14c2c68444cbfa Mon Sep 17 00:00:00 2001
From: mrichomme
Date: Mon, 10 Feb 2020 17:49:43 +0100
Subject: Add security docker for functest-kubernetes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

run kube-hunter and kube-bench cases dealing with security in kubernetes (check vulnerabilities) [1][2] It's the first step only printing the output.
[1]: https://github.com/aquasecurity/kube-bench
[2]: https://github.com/aquasecurity/kube-hunter
Co-Authored-By: Cédric Ollivier
Change-Id: I3bd9bda80046ef7a0c494d51dfb0b8cbfea02bb0
Signed-off-by: mrichomme
(cherry picked from commit 98d9f93337ab514fa9aafc1cd1e87473de68b364)
(cherry picked from commit 0626f54b8686134515eab3b9014c5b538405d84f)
---
 docker/core/Dockerfile | 4 ++--
 docker/security/Dockerfile | 3 +++
 docker/security/testcases.yaml | 29 +++++++++++++++++++++++++++++
 3 files changed, 34 insertions(+), 2 deletions(-)
 create mode 100644 docker/security/Dockerfile
 create mode 100644 docker/security/testcases.yaml
(limited to 'docker')
diff --git a/docker/core/Dockerfile b/docker/core/Dockerfile
index 8eb1c652..f51be0ca 100644
--- a/docker/core/Dockerfile
+++ b/docker/core/Dockerfile
@@ -4,9 +4,9 @@ ARG BRANCH=stable/iruya
 ARG OPENSTACK_TAG=stable/stein
 ARG OPNFV_TAG=stable/iruya
 
-RUN apk --no-cache add --update python3 py3-pip bash git grep mailcap && \
+RUN apk --no-cache add --update python3 py3-pip bash git grep libffi openssl mailcap && \
     apk --no-cache add --virtual .build-deps --update \
-    python3-dev build-base && \
+    python3-dev build-base libffi-dev openssl-dev && \
     git init /src/functest-kubernetes && \
     (cd /src/functest-kubernetes && \
     git fetch --tags https://gerrit.opnfv.org/gerrit/functest-kubernetes $BRANCH && \
diff --git a/docker/security/Dockerfile b/docker/security/Dockerfile
new file mode 100644
index 00000000..8cd30169
--- /dev/null
+++ b/docker/security/Dockerfile
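Review bot: `libffi` and `openssl` on the new `RUN apk --no-cache add` line, and `libffi-dev openssl-dev` in `.build-deps`, are added without version pins, so which OpenSSL build lands in the image depends on the Alpine index at build time and cannot be reproduced or audited from the Dockerfile (hadolint DL3018). Nothing in the hunk says which dependency pulls them in — presumably a Python package compiled from source further down this `RUN`, which continues past the end of the hunk — so a one-line comment such as `# libffi/openssl: build and runtime deps of <python package> — TODO confirm` would help the next reader. `--update` is also redundant beside `--no-cache` on both `apk add` calls and can be dropped.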
@@ -0,0 +1,3 @@
+FROM opnfv/functest-kubernetes-core:iruya
+
+COPY testcases.yaml /usr/lib/python3.6/site-packages/xtesting/ci/testcases.yaml
diff --git a/docker/security/testcases.yaml b/docker/security/testcases.yaml
new file mode 100644
index 00000000..55c0b3be
--- /dev/null
+++ b/docker/security/testcases.yaml
@@ -0,0 +1,29 @@
+---
+tiers:
+    -
+        name: security
+        order: 1
+        ci_loop: '(daily)|(weekly)'
+        description: >-
+            Set of basic security tests.
+        testcases:
+            -
+                case_name: kube_hunter
+                project_name: security
+                criteria: 100
+                blocking: false
+                description: >-
+                    Check that the kubernetes cluster has no known
+                    vulnerabilities
+                run:
+                    name: 'kube_hunter'
+            -
+                case_name: kube_bench
+                project_name: security
+                criteria: 100
+                blocking: false
+                description: >-
+                    Check that the kubernetes cluster has no known
+                    vulnerabilities
+                run:
+                    name: 'kube_bench'
-- 
cgit 1.2.3-korg
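Review bot: The `COPY` destination hardcodes `/usr/lib/python3.6/site-packages/xtesting/ci/testcases.yaml`; if the base image ever moves to another Python minor, `COPY` creates that path anyway, the build succeeds, and xtesting keeps reading its own bundled testcases.yaml, so the security cases silently disappear from the image. Resolving the package directory at build time avoids that: `COPY testcases.yaml /tmp/testcases.yaml` followed by `RUN cp /tmp/testcases.yaml "$(python3 -c 'import os, xtesting.ci; print(os.path.dirname(xtesting.ci.__file__))')/testcases.yaml" && rm /tmp/testcases.yaml`. Two smaller points: `opnfv/functest-kubernetes-core:iruya` is a branch-style tag that moves, so a digest pin would make this image reproducible, and the stage ends with no `USER`, inheriting whatever the core image sets — presumably root, which a runner that only needs to read a kubeconfig and call the API does not require.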
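Review bot: The `kube_bench` entry's description is a verbatim copy of `kube_hunter`'s (`Check that the kubernetes cluster has no known vulnerabilities`), which misdescribes it: kube-bench checks node and control-plane configuration against the CIS Kubernetes Benchmark, while kube-hunter is the one that probes for known weaknesses. Suggested wording: `Check that the kubernetes cluster configuration complies with the CIS Kubernetes Benchmark`. Both cases are also `blocking: false` with `criteria: 100`, which matches the commit message's "first step only printing the output", but that intent lives only in the commit, not the file; a short `# blocking: false — results are informational until the tools' reports are parsed` comment beside each entry would keep it from reading as an oversight later.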