Provide support for air gapped env for security 61/72261/2
author Sylvain Desbureaux <sylvain.desbureaux@orange.com>
Wed, 24 Mar 2021 06:51:29 +0000 (07:51 +0100)
committer Sylvain Desbureaux <sylvain.desbureaux@orange.com>
Wed, 24 Mar 2021 13:13:48 +0000 (13:13 +0000)
Sometimes, tested Kubernetes doesn't have direct access to Internet but
access through repository mirrors.
This patch handles this case for security test cases.

Signed-off-by: Sylvain Desbureaux <sylvain.desbureaux@orange.com>
Change-Id: I699d065ee691596c4a5ccf06c22ea76ef00fe497

README.md
functest_kubernetes/security/kube-bench-master.yaml
functest_kubernetes/security/kube-bench-node.yaml
functest_kubernetes/security/kube-hunter.yaml
functest_kubernetes/security/security.py

index 97d8793..dde9d53 100644 (file)
--- a/README.md
+++ b/README.md
@@ -123,7 +123,7 @@ sudo docker run --env-file env \
 To test a Kubernetes without access to Internet, repository mirrors needs to be
 provided.
 
-Currently, only rally tests supports this feature.
+Currently, only rally and security tests supports this feature.
 
 There's two ways for providing the repository mirrors:
 
index 755e292..d1a1321 100644 (file)
@@ -15,7 +15,7 @@ spec:
           effect: NoSchedule
       containers:
         - name: kube-bench
-          image: aquasec/kube-bench:0.3.1
+          image: {{ dockerhub_repo }}/aquasec/kube-bench:0.3.1
           command: ["kube-bench", "master", "--json"]
           volumeMounts:
             - name: var-lib-etcd
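Review bot: with `{{ dockerhub_repo }}` in the `image:` field this file is no longer plain YAML; `kubectl apply -f` on the raw file and any YAML linter in CI will now fail on it, so a one-line comment at the top saying the file is a Jinja2 template rendered by `security.py` (or a `.yaml.j2` suffix, with the matching change to the `resource_filename` call) would avoid surprises. The rendered default `docker.io/aquasec/kube-bench:0.3.1` is equivalent to the previous unqualified reference, so behaviour without a mirror is unchanged. Since the point of the change is to pull through a mirror, consider pinning the image by digest rather than only by the `0.3.1` tag, so that a mirror serving a different image under the same tag is rejected rather than run with `hostPID`-level privileges.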
index 306ad60..9592977 100644 (file)
@@ -9,7 +9,7 @@ spec:
       hostPID: true
       containers:
         - name: kube-bench
-          image: aquasec/kube-bench:0.3.1
+          image: {{ dockerhub_repo }}/aquasec/kube-bench:0.3.1
           command: ["kube-bench", "node", "--json"]
           volumeMounts:
             - name: var-lib-kubelet
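Review bot: the template value is unquoted, so if `DOCKERHUB_REPO` or `MIRROR_REPO` is set but empty the line renders as `image: /aquasec/kube-bench:0.3.1`, which is an invalid image reference and fails only at pod creation time inside the cluster. Quoting the scalar, `image: "{{ dockerhub_repo }}/aquasec/kube-bench:0.3.1"`, keeps the rendered value a single YAML string whatever the mirror value contains, and the Python side should treat an empty string as "not set" (see the note on the `security.py` hunks).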
index 6f895c0..b7d2354 100644 (file)
@@ -7,7 +7,7 @@ spec:
     spec:
       containers:
       - name: kube-hunter
-        image: aquasec/kube-hunter:0.3.1
+        image: {{ dockerhub_repo }}/aquasec/kube-hunter:0.3.1
         command: ["python", "kube-hunter.py"]
         args: ["--pod", "--report", "json", "--statistics"]
       restartPolicy: Never
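Review bot: this is the third manifest that now depends on the same `dockerhub_repo` variable, and none of them is rendered until a job is actually created against a cluster. A small unit test that renders each of the three templates with the default value and asserts that `yaml.safe_load` returns a document whose `image` field starts with `docker.io/` would catch a typo in any of the templates before it reaches a deployment.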
index 378b2c2..052c0ad 100644 (file)
@@ -16,10 +16,12 @@ from __future__ import division
 import ast
 import json
 import logging
+import os
 import time
 import textwrap
 import yaml
 
+from jinja2 import Template
 from kubernetes import client
 from kubernetes import config
 from kubernetes import watch
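Review bot: `from jinja2 import Template` introduces a new runtime dependency that this patch does not declare anywhere; make sure `jinja2` is listed in the package's requirements (and in the container image used to run functest) so the import does not fail in an environment that only installed the previous dependency set. The placement of `import os` between `logging` and `time` keeps the existing ordering convention, so nothing else to flag here.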
@@ -32,6 +34,7 @@ class SecurityTesting(testcase.TestCase):
     # pylint: disable=too-many-instance-attributes
     """Run Security job"""
     watch_timeout = 1200
+    dockerhub_repo = os.getenv("MIRROR_REPO", "docker.io")
 
     __logger = logging.getLogger(__name__)
 
@@ -63,7 +66,10 @@ class SecurityTesting(testcase.TestCase):
         with open(pkg_resources.resource_filename(
                 "functest_kubernetes",
                 "security/{}.yaml".format(self.job_name))) as yfile:
-            body = yaml.safe_load(yfile)
+            template = Template(yfile.read())
+            body = yaml.safe_load(template.render(
+                dockerhub_repo=os.getenv("DOCKERHUB_REPO",
+                                         self.dockerhub_repo)))
             api_response = self.batchv1.create_namespaced_job(
                 body=body, namespace=self.namespace)
             self.__logger.info("Job %s created", api_response.metadata.name)
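Review bot: the rendered value from `os.getenv("DOCKERHUB_REPO", self.dockerhub_repo)` is inserted into the YAML text before `yaml.safe_load`, with no validation; a value containing whitespace, a colon followed by a space, or `#` changes how the manifest parses instead of just changing the registry. The variable is operator-controlled, so this is a robustness rather than an exposure concern, but a check that the value is non-empty and matches a registry-host pattern (letters, digits, `.`, `-`, an optional `:port`, an optional path) before rendering, raising a clear error otherwise, would turn a silently broken job into an immediate failure. Keeping the `Template(...)`/`render(...)` step inside the `with` block is fine since only `yfile.read()` needs the handle; the `create_namespaced_job` call could move out of the `with` to shorten the open-file scope, though that was already the case before this patch.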