Add SECCOM-recommended version check in security tests 25/111025/3
authorPawel Wieczorek <p.wieczorek2@samsung.com>
Fri, 7 Aug 2020 09:53:39 +0000 (11:53 +0200)
committerPawel Wieczorek <p.wieczorek2@samsung.com>
Fri, 28 Aug 2020 13:51:33 +0000 (15:51 +0200)
Issue-ID: INT-1571
Change-Id: Icd215ad5b49dcbf34eb46b973676f5141b589f83
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
security/README.md
security/docker/Dockerfile
security/docker/testcases.yaml
security/onap_security/security_tests.py
security/scripts/check_versions.sh [new file with mode: 0644]
security/setup.cfg

index 6a5e38e..7dc7c0e 100644 (file)
@@ -17,6 +17,8 @@ It includes 6 tests:
 - jdpw_ports: check that there are no internal java ports
 - kube_hunter: security suite to search k8s vulnerabilities (upstream src
   aquasecurity)
+- versions: check that Java and Python are available only in versions
+  recommended by SECCOM
 
 ## Usage
 
index e38f565..a31ab64 100644 (file)
@@ -1,3 +1,9 @@
+FROM golang:1.13 AS build_yq
+WORKDIR /go/src/github.com/mikefarah/
+RUN git clone https://github.com/mikefarah/yq.git --depth 1
+WORKDIR /go/src/github.com/mikefarah/yq
+RUN CGO_ENABLED=0 go install -a -ldflags '-w -s -extldflags "-static"'
+
 FROM golang:1.13 AS build_aqua
 WORKDIR /go/src/github.com/aquasecurity/
 RUN git clone https://github.com/aquasecurity/kube-bench.git --depth 1
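Review bot: The `git clone https://github.com/mikefarah/yq.git --depth 1` in the new `build_yq` stage builds whatever is on yq's default branch at image build time, while `check_versions.sh` depends on the `yq read <file> <path>` command form; an upstream release that changes the CLI would break the versions test at runtime (an empty recommendation list) rather than at build. Pin a release so the image is reproducible, e.g. `RUN git clone --depth 1 --branch <yq-release-tag> https://github.com/mikefarah/yq.git`. The kube-bench stage below has the same unpinned clone, but it is not part of this change.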
@@ -27,23 +33,29 @@ COPY scripts/check_security_root.sh /check_security_root.sh
 COPY scripts/root_pods_xfail.txt /root_pods_xfail.txt
 COPY scripts/check_unlimitted_pods.sh /check_unlimitted_pods.sh
 COPY scripts/check_cis_kubernetes.sh /check_cis_kubernetes.sh
+COPY scripts/check_versions.sh /check_versions.sh
+COPY --from=build_yq /go/bin/yq /usr/local/bin/yq
 COPY --from=build_aqua /go/bin/kube-bench /usr/local/bin/kube-bench
 COPY --from=build_aqua /go/src/github.com/aquasecurity/kube-bench/cfg/ /cfg/
 COPY --from=build_onap /go/bin/sslendpoints /usr/local/bin/sslendpoints
 
 RUN set -x && \
     apk --no-cache add --update curl ca-certificates openssl procps util-linux \
-        nmap nmap-scripts && \
+        nmap nmap-scripts jq && \
     apk --no-cache add --virtual .build-deps --update \
         python3-dev linux-headers gcc  musl-dev && \
     chmod +x /usr/local/bin/kubectl && \
     git clone --depth 1 https://github.com/aquasecurity/kube-hunter.git /kube-hunter && \
+    mkdir /check_versions && \
     adduser kubectl -Du 2342 -h /config && \
     wget https://storage.googleapis.com/kubernetes-helm/helm-${HELM_VERSION}-linux-amd64.tar.gz -O - | tar -xzO linux-amd64/helm > /usr/local/bin/helm && \
     wget -O /check_for_nonssl_endpoints.sh https://git.onap.org/integration/plain/test/security/check_for_nonssl_endpoints.sh?h=$ONAP_TAG &&\
     wget -O /check_for_jdwp.sh https://git.onap.org/integration/plain/test/security/check_for_jdwp.sh?h=$ONAP_TAG &&\
     wget -O /jdwp_xfail.txt https://git.onap.org/integration/plain/test/security/jdwp_xfail.txt?h=$ONAP_TAG &&\
     wget -O /nonssl_xfail.txt https://git.onap.org/integration/plain/test/security/nonssl_xfail.txt?h=$ONAP_TAG &&\
+    wget -O /check_versions/k8s_bin_versions_inspector.py https://git.onap.org/integration/plain/test/security/check_versions/src/k8s_bin_versions_inspector.py?h=$ONAP_TAG &&\
+    wget -O /check_versions/requirements.txt https://git.onap.org/integration/plain/test/security/check_versions/env/requirements.txt?h=$ONAP_TAG &&\
+    wget -O /check_versions/recommended_versions.yaml https://git.onap.org/integration/seccom/plain/recommended_versions.yaml?h=$ONAP_TAG &&\
     chmod +x /usr/local/bin/helm && \
     chmod +x /usr/local/bin/kube-bench && \
     chmod +x /usr/local/bin/sslendpoints && \
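Review bot: The three new `wget` lines pull a Python program and a `requirements.txt` that are later executed and `pip3 install`ed, with nothing but TLS to git.onap.org and the `?h=$ONAP_TAG` ref standing between the build and the content; no digest is verified. This matches the existing downloads in this RUN, but the inspector later runs with the cluster kubeconfig (`-c /root/.kube/config` in `check_versions.sh`), so consider vendoring these files into the build context (as `check_versions.sh` already is) or checking a known digest, e.g. `echo "<sha256>  /check_versions/k8s_bin_versions_inspector.py" | sha256sum -c`. Note also that `recommended_versions.yaml` is fetched from the separate `seccom` repository with the same `$ONAP_TAG`, which only resolves if that repository carries the integration tags — worth confirming, though a missing ref fails the build rather than passing silently.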
@@ -52,6 +64,7 @@ RUN set -x && \
     pip3 install --no-cache-dir \
         git+https://gitlab.com/Orange-OpenSource/lfn/onap/integration/xtesting.git@$ONAP_TESTS_TAG#subdirectory=security && \
     cd /kube-hunter && pip3 install -r /kube-hunter/requirements.txt && \
+    pip3 install -r /check_versions/requirements.txt && \
     apk del .build-deps
 
 COPY docker/testcases.yaml /usr/lib/python3.8/site-packages/xtesting/ci/testcases.yaml
index 6b9d482..92b270d 100644 (file)
@@ -72,3 +72,13 @@ tiers:
                     Check k8s CVE.
                 run:
                     name: 'kube_hunter'
+            -
+                case_name: versions
+                project_name: security
+                criteria: 100
+                blocking: false
+                description: >-
+                    Check that Java and Python are available only in versions
+                    recommended by SECCOM
+                run:
+                    name: 'versions'
index 4136f66..cd26d7d 100644 (file)
@@ -171,3 +171,13 @@ class OnapSecurityKubeHunter(SecurityTesting):
                     kube_hunter_cmd.append(j.address)
         self.cmd = kube_hunter_cmd
         self.error_string = "Vulnerabilties detected."
+
+
+class OnapSecurityVersions(SecurityTesting):
+    """Check that Java and Python are available only in versions recommended by SECCOM."""
+    def __init__(self, **kwargs):
+        if "case_name" not in kwargs:
+            kwargs.get("case_name", 'versions')
+        super(OnapSecurityVersions, self).__init__(**kwargs)
+        self.cmd = ['/check_versions.sh', 'onap', '-r', '/check_versions/recommended_versions.yaml']
+        self.error_string = "Not recommended versions found"
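Review bot: `kwargs.get("case_name", 'versions')` in `OnapSecurityVersions.__init__` discards its return value, so when the caller omits `case_name` nothing is stored and the default never reaches `SecurityTesting.__init__`; replace the two-line guard with `kwargs.setdefault("case_name", "versions")`. Separately, if `SecurityTesting` matches `error_string` against the command output (its definition is outside this hunk), the script prints `Test FAIL: Components other than recommended versions found`, which does not contain `Not recommended versions found`, so one of the two strings should be aligned or the failure will be detected only through the exit code. A short comment on `self.cmd` noting that `onap` is the namespace argument and `-r` the SECCOM recommendations file would help the next maintainer.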
diff --git a/security/scripts/check_versions.sh b/security/scripts/check_versions.sh
new file mode 100644 (file)
index 0000000..aadc58e
--- /dev/null
@@ -0,0 +1,92 @@
+#!/usr/bin/env bash
+
+usage() {
+  cat <<EOF
+Usage: $(basename $0) <k8s-namespace> [-r <recommended versions file>]
+    -r: recommended versions file
+EOF
+  exit ${1:-0}
+}
+
+if [ "$#" -lt 1 ]; then
+  usage 1
+fi
+
+K8S_NAMESPACE=$1
+VERSIONS=$(mktemp versions_XXXXXX)
+
+### getopts
+while :
+do
+  case $2 in
+    -h|--help|help) usage ;;
+    -r) RECOMMENDED_VERSIONS_FILE_PATH=$3;shift ;;
+    -*) usage 1 ;;
+     *) break ;;
+  esac
+done
+
+get_recommendation() {
+  local component="$1"
+  local recommendations="${RECOMMENDED_VERSIONS_FILE_PATH:-recommended_versions.yaml}"
+
+  yq read "$recommendations" "${component}.recommended_versions" | sed 's/^- //' # removes YAML list prefix
+}
+
+check_python3_version() {
+  local recommended_versions="${1:-$(get_recommendation python3)}"
+  local versions="${2:-$VERSIONS}"
+
+  local unrecommended="$(cat $versions)" # to be filtered out according to recommendations
+  for rver in $recommended_versions; do
+    unrecommended="$(jq --arg rver "$rver" \
+      '.[] | select(.versions.python[]!=$rver) | "\(.pod) \(.container) \(.versions.python[])"' \
+      <(echo "$unrecommended") \
+      | tr -d '"' \
+      | sort -u)"
+  done
+
+  echo "$unrecommended"
+}
+
+check_java11_version() {
+  local recommended_versions="${1:-$(get_recommendation java11)}"
+  local versions="${2:-$VERSIONS}"
+
+  local unrecommended="$(cat $versions)" # to be filtered out according to recommendations
+  for rver in $recommended_versions; do
+    unrecommended="$(jq --arg rver "$rver" \
+      '.[] | select(.versions.java[]!=$rver) | "\(.pod) \(.container) \(.versions.java[])"' \
+      <(echo "$unrecommended") \
+      | tr -d '"' \
+      | sort -u)"
+  done
+
+  echo "$unrecommended"
+}
+
+echo "------------------------------------------------------------------------"
+echo "--------------------  ONAP Security tests   ----------------------------"
+echo "--------------------  Test components versions in pods   ---------------"
+echo "------------------------------------------------------------------------"
+
+code=0
+
+# get the components versions list
+python3 /check_versions/k8s_bin_versions_inspector.py \
+  -i -c /root/.kube/config -f json \
+  -s "metadata.namespace==$K8S_NAMESPACE" > "$VERSIONS"
+
+unrecommended_python="$(check_python3_version)"
+unrecommended_java="$(check_java11_version)"
+
+if [ -z "$unrecommended_python" -a -z "$unrecommended_java" ]; then
+  echo "Test PASS: All components available in recommended versions only"
+else
+  code=1
+  echo "Test FAIL: Components other than recommended versions found"
+  cat <(echo POD CONTAINER PYTHON) <(echo "$unrecommended_python") | column -t -s' '
+  cat <(echo POD CONTAINER JAVA) <(echo "$unrecommended_java") | column -t -s' '
+fi
+
+exit "$code"
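Review bot: The filtering loops in `check_python3_version` and `check_java11_version` reparse their own text output as JSON: after the first recommended version, `unrecommended` holds `pod container version` lines, so the next `jq` invocation fails to parse its input, emits nothing, and the script prints `Test PASS` whenever SECCOM lists more than one version for a component. The inspector's exit status is likewise unchecked, so a missing kubeconfig or an empty `$VERSIONS` also ends in PASS — the gate fails open. The rewrite below does the comparison in a single jq pass with the recommended list bound as an array and exits 2 when the inventory or the filter cannot be produced; `mktemp versions_XXXXXX` should also become `mktemp -t versions_XXXXXX` with `trap 'rm -f -- "$VERSIONS"' EXIT`, since it currently leaves the cluster inventory in the working directory.
```shell
#!/usr/bin/env bash
set -o pipefail   # so a failing jq is not masked by the trailing sort

# … unchanged: usage, argument parsing, get_recommendation …

check_component_version() {
  local component="$1"             # key under .versions in the inspector JSON: python or java
  local recommended_versions="$2"  # whitespace-separated list from get_recommendation
  local versions="${3:-$VERSIONS}"

  # One jq pass over the JSON: print "pod container version" for every detected
  # version that is not in the recommended list. Feeding jq's own text output
  # back into jq (the previous loop) parsed nothing from the second iteration on.
  jq -r --arg comp "$component" --arg rec "$recommended_versions" '
    ($rec | [scan("\\S+")]) as $ok
    | .[]
    | .pod as $pod | .container as $cont
    | ((.versions[$comp] // [])[]) as $v
    | select(($ok | index($v)) == null)
    | "\($pod) \($cont) \($v)"' "$versions" | sort -u
}

# … unchanged: banner …

code=0

# Abort (exit 2) instead of reporting PASS when the inventory cannot be collected.
if ! python3 /check_versions/k8s_bin_versions_inspector.py \
    -i -c /root/.kube/config -f json \
    -s "metadata.namespace==$K8S_NAMESPACE" > "$VERSIONS"; then
  echo "Test ERROR: unable to collect component versions" >&2
  exit 2
fi

unrecommended_python="$(check_component_version python "$(get_recommendation python3)")" || exit 2
unrecommended_java="$(check_component_version java "$(get_recommendation java11)")" || exit 2

# … unchanged: PASS/FAIL reporting …
```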
index 61fe7fa..6e07ada 100644 (file)
@@ -14,3 +14,4 @@ xtesting.testcase =
     nonssl_endpoints = onap_security.security_tests:OnapSecurityNonSSLPorts
     jdpw_ports = onap_security.security_tests:OnapSecurityJdwpPorts
     kube_hunter = onap_security.security_tests:OnapSecurityKubeHunter
+    versions = onap_security.security_tests:OnapSecurityVersions