class OnapSecurityDockerRootTest(SecurityTesting):
"""Test that the dockers launched as root."""
def __init__(self, **kwargs):
- if "case_name" not in kwargs:
- kwargs.get("case_name", 'root_pods')
super(OnapSecurityDockerRootTest, self).__init__(**kwargs)
self.cmd = ['/check_security_root.sh', 'onap', '-l', '/root_pods_xfail.txt']
self.error_string = "Pods launched with root users"
class OnapSecurityUnlimittedPodTest(SecurityTesting):
"""Check that no pod is launch without limits."""
def __init__(self, **kwargs):
- if "case_name" not in kwargs:
- kwargs.get("case_name", 'unlimitted_pods')
super(OnapSecurityUnlimittedPodTest, self).__init__(**kwargs)
- self.cmd = ['/check_unlimitted_pods.sh']
+ self.cmd = ['/check_unlimitted_pods.sh', 'onap', '-l', '/unlimitted_pods_xfail.txt']
self.error_string = "Pods lauched without limits"
class OnapSecurityCisKubernetes(SecurityTesting):
"""Check that kubernetes install is CIS compliant"""
def __init__(self, **kwargs):
- if "case_name" not in kwargs:
- kwargs.get("case_name", 'cis_kubernetes')
super(OnapSecurityCisKubernetes, self).__init__(**kwargs)
self.cmd = ['/check_cis_kubernetes.sh']
self.error_string = "Kubernetes Deployment is not CIS compatible"
"""Check all ports exposed outside of kubernetes cluster looking for plain
http endpoint."""
def __init__(self, **kwargs):
- if "case_name" not in kwargs:
- kwargs.get("case_name", 'http_public_endpoints')
super(OnapSecurityHttpPorts, self).__init__(**kwargs)
self.cmd = ['/check_for_nonssl_endpoints.sh', 'onap', '-l', '/nonssl_xfail.txt']
self.error_string = "Public http endpoints still found"
"""Check that all ports exposed outside of kubernetes cluster use SSL
tunnels."""
def __init__(self, **kwargs):
- if "case_name" not in kwargs:
- kwargs.get("case_name", 'nonssl_endpoints')
super(OnapSecurityNonSSLPorts, self).__init__(**kwargs)
self.cmd = ['/usr/local/bin/sslendpoints', '-xfail', '/nonssl_xfail.txt']
self.error_string = "Public non-SSL endpoints still found"
class OnapSecurityJdwpPorts(SecurityTesting):
"""Check that no jdwp ports are exposed."""
def __init__(self, **kwargs):
- if "case_name" not in kwargs:
- kwargs.get("case_name", 'jdpw_ports')
super(OnapSecurityJdwpPorts, self).__init__(**kwargs)
self.cmd = ['/check_for_jdwp.sh', 'onap', '-l', '/jdwp_xfail.txt']
self.error_string = "JDWP ports found"
class OnapSecurityKubeHunter(SecurityTesting):
"""Check k8s vulnerabilities."""
def __init__(self, **kwargs):
- if "case_name" not in kwargs:
- kwargs.get("case_name", 'kube_hunter')
super(OnapSecurityKubeHunter, self).__init__(**kwargs)
config.load_kube_config(config_file='/root/.kube/config')
client_kubernetes = client.CoreV1Api()
class OnapSecurityVersions(SecurityTesting):
"""Check that Java and Python are available only in versions recommended by SECCOM."""
def __init__(self, **kwargs):
- if "case_name" not in kwargs:
- kwargs.get("case_name", 'versions')
super(OnapSecurityVersions, self).__init__(**kwargs)
self.cmd = ['/check_versions.sh', 'onap', '-r', '/check_versions/recommended_versions.yaml']
self.error_string = "Not recommended versions found"
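Review bot: The docstring of OnapSecurityUnlimittedPodTest no longer describes what the test does once the command line becomes `self.cmd = ['/check_unlimitted_pods.sh', 'onap', '-l', '/unlimitted_pods_xfail.txt']`: pods named in the xfail file are now silently excluded from the check, which a reader of the class should be told, e.g. `"""Check that no pod is launched without resource limits, ignoring pods listed in /unlimitted_pods_xfail.txt."""`. The same exclusion semantics already apply to OnapSecurityDockerRootTest, OnapSecurityHttpPorts and OnapSecurityJdwpPorts, whose docstrings are equally silent about their `-l` lists. The namespace `'onap'` and the xfail path are hard-coded here as in the sibling classes, so a missing or stale `/unlimitted_pods_xfail.txt` in the image is only detectable through the script's exit code, which this class does not inspect in the visible lines.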
#!/bin/bash
+usage() {
+ cat <<EOF
+Usage: $(basename $0) <k8s-namespace> [-l <white list file>]
+ -l: unlimitted pod xfail file
+EOF
+ exit ${1:-0}
+}
+
+if [ "$#" -lt 1 ]; then
+ usage
+ exit 1
+fi
+
+K8S_NAMESPACE=$1
+FILTERED_PODS_LIST=$(mktemp unlimitted_pods_XXXXXX)
+WL_RAW_FILE_PATH=$(mktemp raw_filtered_unlimitted_XXXXXX)
+
+manage_list() {
+ # init filtered port list file
+ if [ ! -f $WL_FILE_PATH ];then
+ echo "File not found"
+ usage
+ fi
+ grep -o '^[^#]*' $WL_FILE_PATH > $WL_RAW_FILE_PATH
+}
+
+### getopts
+while :
+do
+ case $2 in
+ -h|--help|help) usage;;
+ -l) WL_FILE_PATH=$3;manage_list;shift;;
+ -*) usage 1 ;;
+ *) break ;;
+ esac
+done
echo "------------------------------------------------------------------------"
echo "-------------------- ONAP Security tests ----------------------------"
code=0
# get the pod list
-for pod in `kubectl get pod -n onap|grep -v "NAME"|grep "Running\|Completed" |grep -v functest |grep -v integration | awk '{print $1}'`;do
+for pod in `kubectl get pod -n $K8S_NAMESPACE |grep -v "NAME"|grep "Running\|Completed" |grep -v functest |grep -v integration | awk '{print $1}'`;do
kubectl describe pod $pod -n onap|grep "Limits";
if [ $? == 1 ] ; then
echo $pod ;
fi;
-done | grep -v Limits > NoLimitContainer.txt
+done | grep -v Limits > $FILTERED_PODS_LIST
+
+while IFS= read -r line; do
+ # for each line we test if it is in the white list with a regular expression
+ while IFS= read -r wl_line; do
+ wl_name=$(echo $wl_line | awk {'print $1'})
+ if grep -e $K8S_NAMESPACE-$wl_name <<< "$line" > /dev/null ;then
+ # Found in white list, exclude it
+ sed -i "/$line/d" $FILTERED_PODS_LIST
+ fi
+ # tmp ugly workaround to exlude dep (temporary dcae dockers)
+ if grep -e dep-$wl_name <<< "$line" > /dev/null ;then
+ sed -i "/$line/d" $FILTERED_PODS_LIST
+ fi
+ done < $WL_RAW_FILE_PATH
+done < $FILTERED_PODS_LIST
+
-if [ -s NoLimitContainer.txt ]
+if [ -s $FILTERED_PODS_LIST ]
then
code=1
- nb_errors=`cat NoLimitContainer.txt | wc -l`
+ nb_errors=`cat $FILTERED_PODS_LIST | wc -l`
echo "Test FAIL: $nb_errors pod(s) launched without limit"
- cat NoLimitContainer.txt
+ cat $FILTERED_PODS_LIST
else
echo "Test PASS: No pod launched without limit"
fi
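Review bot: A missing allowlist file makes the check report success: `manage_list` calls `usage` with no argument when `$WL_FILE_PATH` does not exist, and `usage` exits `${1:-0}`, so the script exits 0 before any pod is inspected; the same default also makes the `exit 1` after the `usage` call in the argument-count check unreachable. Both call sites should pass the failure code, `usage 1`, and the `echo "File not found"` belongs on stderr. The `kubectl describe pod $pod -n onap|grep "Limits";` line still hard-codes the namespace while the `kubectl get pod` line above it now uses `$K8S_NAMESPACE`; for any other namespace the describe fails, grep sees empty input, and every pod is listed as unlimited, so it should read `kubectl describe pod $pod -n $K8S_NAMESPACE|grep "Limits";`. The allowlist match `grep -e $K8S_NAMESPACE-$wl_name <<< "$line"` is an unanchored regex, so a short entry excludes every pod whose name merely contains it, and `sed -i "/$line/d"` reuses the pod name as a pattern; anchoring the match (`grep -q -e "^$K8S_NAMESPACE-$wl_name"`) and quoting the variables would narrow the exclusions to the intended pods. The two `mktemp` files are never removed (a `trap 'rm -f "$FILTERED_PODS_LIST" "$WL_RAW_FILE_PATH"' EXIT` after they are created would cover it), and the final exit-code handling after `fi` is outside the hunk.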