Split kube-bench master and node 12/71112/1
authorCédric Ollivier <cedric.ollivier@orange.com>
Sun, 13 Sep 2020 12:53:26 +0000 (14:53 +0200)
committerCédric Ollivier <cedric.ollivier@orange.com>
Sun, 13 Sep 2020 15:02:03 +0000 (17:02 +0200)
The former deployment required an all-in-one cluster.

Change-Id: I12e470cec9e82b82c6f3ea5ff2431087f5deb9be
Signed-off-by: Cédric Ollivier <cedric.ollivier@orange.com>
(cherry picked from commit bced94b6fe24c7e939fb22834deb77477e4a9bb9)

ansible/site.yml
docker/security/testcases.yaml
functest_kubernetes/security/kube-bench-master.yaml [new file with mode: 0644]
functest_kubernetes/security/kube-bench-node.yaml [moved from functest_kubernetes/security/kube-bench.yaml with 79% similarity]
functest_kubernetes/security/security.py

index 6851c60..d6105e9 100644 (file)
@@ -53,7 +53,8 @@
         - container: functest-kubernetes-security
           tests:
             - kube_hunter
-            - kube_bench
+            - kube_bench_master
+            - kube_bench_node
         - container: functest-kubernetes-benchmarking
           tests:
             - xrally_kubernetes_full
index e5423a4..c4f7e69 100644 (file)
@@ -2,7 +2,6 @@
 tiers:
     -
         name: security
-        ci_loop: '(daily)|(weekly)'
         description: >-
             Set of basic security tests.
         testcases:
@@ -15,17 +14,34 @@ tiers:
                     Check that the kubernetes cluster has no known
                     vulnerabilities
                 run:
-                    name: 'kube_hunter'
+                    name: kube_hunter
                     args:
                         severity: high
 
             -
-                case_name: kube_bench
+                case_name: kube_bench_master
                 project_name: functest
                 criteria: 100
                 blocking: false
                 description: >-
-                    Check that the kubernetes cluster has no known
-                    vulnerabilities
+                    Checks whether Kubernetes is deployed securely by running
+                    the master checks documented in the CIS Kubernetes
+                    Benchmark.
                 run:
-                    name: 'kube_bench'
+                    name: kube_bench
+                    args:
+                        target: master
+
+            -
+                case_name: kube_bench_node
+                project_name: functest
+                criteria: 100
+                blocking: false
+                description: >-
+                    Checks whether Kubernetes is deployed securely by running
+                    the node checks documented in the CIS Kubernetes
+                    Benchmark.
+                run:
+                    name: kube_bench
+                    args:
+                        target: node
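Review bot: The removal of `ci_loop: '(daily)|(weekly)'` at the top of the security tier is unrelated to splitting kube-bench into master and node cases and is not explained in the commit message; if the tier is now meant to run on every loop, state that in the description, otherwise the line should stay. The two new cases both run `name: kube_bench` and differ only in `target`, and on the Python side an unrecognised value falls back to the node checks (`kwargs.get("target", "node")`), so a typo here would silently run the wrong benchmark. Documenting the accepted values next to the argument would help, e.g. `# target: master | node (selects kube-bench-<target>.yaml)`.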
diff --git a/functest_kubernetes/security/kube-bench-master.yaml b/functest_kubernetes/security/kube-bench-master.yaml
new file mode 100644 (file)
index 0000000..755e292
--- /dev/null
@@ -0,0 +1,42 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: kube-bench-master
+spec:
+  template:
+    spec:
+      hostPID: true
+      nodeSelector:
+        node-role.kubernetes.io/master: ""
+      tolerations:
+        - key: node-role.kubernetes.io/master
+          operator: Exists
+          effect: NoSchedule
+      containers:
+        - name: kube-bench
+          image: aquasec/kube-bench:0.3.1
+          command: ["kube-bench", "master", "--json"]
+          volumeMounts:
+            - name: var-lib-etcd
+              mountPath: /var/lib/etcd
+              readOnly: true
+            - name: etc-kubernetes
+              mountPath: /etc/kubernetes
+              readOnly: true
+              # /usr/local/mount-from-host/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
+              # You can omit this mount if you specify --version as part of the command.
+            - name: usr-bin
+              mountPath: /usr/local/mount-from-host/bin
+              readOnly: true
+      restartPolicy: Never
+      volumes:
+        - name: var-lib-etcd
+          hostPath:
+            path: "/var/lib/etcd"
+        - name: etc-kubernetes
+          hostPath:
+            path: "/etc/kubernetes"
+        - name: usr-bin
+          hostPath:
+            path: "/usr/bin"
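Review bot: The Job pins the pod to nodes labelled `node-role.kubernetes.io/master: ""` via `nodeSelector` but sets no `activeDeadlineSeconds` (or `backoffLimit`), so on a cluster where no schedulable node carries that label the pod stays Pending and the testcase only ends when whatever timeout the Python harness applies, which is not visible here. Adding `activeDeadlineSeconds: 600` under `spec` (value illustrative) bounds the run regardless of scheduling. The read-only hostPath mounts of `/etc/kubernetes` and `/var/lib/etcd` give the pod read access to control-plane key material, which kube-bench needs; `readOnly: true` is set on each mount, which is the right default to keep. The two comment lines about `/usr/local/mount-from-host/bin` are indented as if they belonged to the `etc-kubernetes` entry rather than introducing the `usr-bin` entry; dedenting them to the list-item level avoids that misreading.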
@@ -2,23 +2,16 @@
 apiVersion: batch/v1
 kind: Job
 metadata:
-  name: kube-bench
+  name: kube-bench-node
 spec:
   template:
-    metadata:
-      labels:
-        app: kube-bench
     spec:
       hostPID: true
       containers:
         - name: kube-bench
           image: aquasec/kube-bench:0.3.1
-          command: ["kube-bench"]
-          args: ["--json"]
+          command: ["kube-bench", "node", "--json"]
           volumeMounts:
-            - name: var-lib-etcd
-              mountPath: /var/lib/etcd
-              readOnly: true
             - name: var-lib-kubelet
               mountPath: /var/lib/kubelet
               readOnly: true
@@ -35,9 +28,6 @@ spec:
               readOnly: true
       restartPolicy: Never
       volumes:
-        - name: var-lib-etcd
-          hostPath:
-            path: "/var/lib/etcd"
         - name: var-lib-kubelet
           hostPath:
             path: "/var/lib/kubelet"
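Review bot: The pod template's `labels: app: kube-bench` is dropped here and the new kube-bench-master Job carries no pod label either, so anything that locates the pod by that label rather than by job name would no longer find it; the code that fills `self.pod_log` is not in view, so this is an inference to confirm against the base class. If the label is genuinely unused, a sentence in the commit message saying so would settle it; otherwise keep `labels: app: kube-bench` in both templates so the two Jobs stay selectable the same way.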
index e641376..fe3d8a9 100644 (file)
@@ -192,11 +192,8 @@ class KubeBench(SecurityTesting):
 
     __logger = logging.getLogger(__name__)
 
-    def __init__(self, **kwargs):
-        super(KubeBench, self).__init__(**kwargs)
-        self.job_name = "kube-bench"
-
     def run(self, **kwargs):
+        self.job_name = "kube-bench-{}".format(kwargs.get("target", "node"))
         super(KubeBench, self).run(**kwargs)
         self.details["report"] = ast.literal_eval(self.pod_log)
         msg = prettytable.PrettyTable(
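Review bot: `self.job_name = "kube-bench-{}".format(kwargs.get("target", "node"))` accepts any string, but only `kube-bench-master.yaml` and `kube-bench-node.yaml` are added in this commit, so a misspelled target yields a job name with no matching manifest and the failure surfaces later with a less obvious error. A guard before the assignment, `if kwargs.get("target", "node") not in ("master", "node"): raise ValueError("unsupported kube-bench target")`, keeps the mistake close to its source. Moving the assignment out of `__init__` also leaves `job_name` unset until `run()` is called; if the base class (not in view) reads it from a cleanup path that can run before `run()`, that path now raises AttributeError, which is worth confirming. `run()` continues past the end of the hunk.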