3 # Copyright (c) 2020 Orange and others.
5 # All rights reserved. This program and the accompanying materials
6 # are made available under the terms of the Apache License, Version 2.0
7 # which accompanies this distribution, and is available at
8 # http://www.apache.org/licenses/LICENSE-2.0
11 Define the parent for Kubernetes testing.
14 from __future__ import division
20 from kubernetes import client
21 from kubernetes import config
22 from kubernetes import watch
24 from xtesting.core import testcase
27 class SecurityTesting(testcase.TestCase):
28 # pylint: disable=too-many-instance-attributes
29 """Run Security job"""
33 __logger = logging.getLogger(__name__)
35 def __init__(self, **kwargs):
36 super(SecurityTesting, self).__init__(**kwargs)
37 config.load_kube_config()
38 self.corev1 = client.CoreV1Api()
39 self.batchv1 = client.BatchV1Api()
42 self.output_log_name = 'functest-kubernetes.log'
43 self.output_debug_log_name = 'functest-kubernetes.debug.log'
48 It runs a single security job and then simply prints its output asis.
52 # pylint: disable=bad-continuation
53 with open(pkg_resources.resource_filename(
54 "functest_kubernetes",
55 "security/{}.yaml".format(self.job_name))) as yfile:
56 body = yaml.safe_load(yfile)
57 api_response = self.batchv1.create_namespaced_job(
58 body=body, namespace="default")
59 self.__logger.info("Job %s created", api_response.metadata.name)
60 self.__logger.debug("create_namespaced_job: %s", api_response)
61 watch_job = watch.Watch()
62 for event in watch_job.stream(
63 func=self.batchv1.list_namespaced_job,
64 namespace=self.namespace, timeout_seconds=self.watch_timeout):
65 if (event["object"].metadata.name == self.job_name and
66 event["object"].status.succeeded == 1):
68 "%s started in %0.2f sec", event['object'].metadata.name,
69 time.time()-self.start_time)
71 pods = self.corev1.list_namespaced_pod(
72 self.namespace, label_selector='job-name={}'.format(self.job_name))
73 self.pod = pods.items[0].metadata.name
74 api_response = self.corev1.read_namespaced_pod_log(
75 name=self.pod, namespace=self.namespace)
76 self.__logger.warning("\n\n%s", api_response)
79 def run(self, **kwargs):
81 self.start_time = time.time()
84 except client.rest.ApiException:
85 self.__logger.exception("Cannot run %s", self.job_name)
86 self.stop_time = time.time()
90 api_response = self.corev1.delete_namespaced_pod(
91 name=self.pod, namespace=self.namespace)
92 self.__logger.debug("delete_namespaced_pod: %s", api_response)
93 except client.rest.ApiException:
96 api_response = self.batchv1.delete_namespaced_job(
97 name=self.job_name, namespace=self.namespace)
99 "delete_namespaced_deployment: %s", api_response)
100 except client.rest.ApiException:
104 class KubeHunter(SecurityTesting):
105 """kube-hunter hunts for security weaknesses in Kubernetes clusters.
107 See https://github.com/aquasecurity/kube-hunter for more details
110 def __init__(self, **kwargs):
111 super(KubeHunter, self).__init__(**kwargs)
112 self.job_name = "kube-hunter"
115 class KubeBench(SecurityTesting):
116 """kube-bench checks whether Kubernetes is deployed securelyself.
118 It runs the checks documented in the CIS Kubernetes Benchmark.
120 See https://github.com/aquasecurity/kube-bench for more details
123 def __init__(self, **kwargs):
124 super(KubeBench, self).__init__(**kwargs)
125 self.job_name = "kube-bench"