Add security docker for functest-kubernetes

run kube-hunter and kube-bench cases dealing with security in kubernetes (check
vulnerabilities) [1][2]

It's the first step only printing the output.

[1]: https://github.com/aquasecurity/kube-bench
[2]: https://github.com/aquasecurity/kube-hunter

Co-Authored-By: Cédric Ollivier <cedric.ollivier@orange.com>
Change-Id: I3bd9bda80046ef7a0c494d51dfb0b8cbfea02bb0
Signed-off-by: mrichomme <morgan.richomme@orange.com>
(cherry picked from commit 98d9f93337ab514fa9aafc1cd1e87473de68b364)
(cherry picked from commit 0626f54b8686134515eab3b9014c5b538405d84f)

diff --git a/.travis.yml b/.travis.yml
index 0f7496b..aea3f75 100644 (file)
--- a/.travis.yml
+++ b/.travis.yml
@@ -34,19 +34,31 @@ jobs:
           --platforms linux/amd64 \
           --template ${DOCKER_USERNAME}/functest-kubernetes-core:ARCH-iruya \
           --target ${DOCKER_USERNAME}/functest-kubernetes-core:iruya
-    - stage: build functest-kubernetes-healthcheck image
+    - stage: build functest-kubernetes-[healthcheck,security] images
       script: sudo -E bash build.sh
       env:
         - REPO="${DOCKER_USERNAME}"
         - amd64_dirs="docker/healthcheck"
         - arm64_dirs=""
-    - stage: publish functest-kubernetes-healthcheck manifests
+    - script: sudo -E bash build.sh
+      env:
+        - REPO="${DOCKER_USERNAME}"
+        - amd64_dirs="docker/security"
+        - arm64_dirs=""
+        - arm_dirs=""
+    - stage: publish functest-kubernetes-[healthcheck,security] manifests
       script: >
         sudo manifest-tool push from-args \
           --platforms linux/amd64 \
           --template \
           ${DOCKER_USERNAME}/functest-kubernetes-healthcheck:ARCH-iruya \
           --target ${DOCKER_USERNAME}/functest-kubernetes-healthcheck:iruya
+    - script: >
+        sudo manifest-tool push from-args \
+          --platforms linux/amd64 \
+          --template \
+            ${DOCKER_USERNAME}/functest-kubernetes-security:ARCH-iruya \
+          --target ${DOCKER_USERNAME}/functest-kubernetes-security:iruya
     - stage: build functest-kubernetes-smoke image
       script: sudo -E bash build.sh
       env:

diff --git a/build.sh b/build.sh
index 2a1cf2d..8f5b36e 100644 (file)
--- a/build.sh
+++ b/build.sh
@@ -6,7 +6,8 @@ repo=${REPO:-opnfv}
 amd64_dirs=${amd64_dirs-"\
 docker/core \
 docker/healthcheck \
-docker/smoke"}
+docker/smoke \
+docker/security"}
 arm64_dirs=${arm64_dirs-${amd64_dirs}}
 build_opts=(--pull=true --no-cache --force-rm=true)
 

diff --git a/docker/core/Dockerfile b/docker/core/Dockerfile
index 8eb1c65..f51be0c 100644 (file)
--- a/docker/core/Dockerfile
+++ b/docker/core/Dockerfile
@@ -4,9 +4,9 @@ ARG BRANCH=stable/iruya
 ARG OPENSTACK_TAG=stable/stein
 ARG OPNFV_TAG=stable/iruya
 
-RUN apk --no-cache add --update python3 py3-pip bash git grep mailcap && \
+RUN apk --no-cache add --update python3 py3-pip bash git grep libffi openssl mailcap && \
     apk --no-cache add --virtual .build-deps --update \
-        python3-dev build-base && \
+        python3-dev build-base libffi-dev openssl-dev && \
     git init /src/functest-kubernetes && \
     (cd /src/functest-kubernetes && \
         git fetch --tags https://gerrit.opnfv.org/gerrit/functest-kubernetes $BRANCH && \

diff --git a/docker/security/Dockerfile b/docker/security/Dockerfile
new file mode 100644 (file)
index 0000000..8cd3016
--- /dev/null
+++ b/docker/security/Dockerfile
@@ -0,0 +1,3 @@
+FROM opnfv/functest-kubernetes-core:iruya
+
+COPY testcases.yaml /usr/lib/python3.6/site-packages/xtesting/ci/testcases.yaml

diff --git a/docker/security/testcases.yaml b/docker/security/testcases.yaml
new file mode 100644 (file)
index 0000000..55c0b3b
--- /dev/null
+++ b/docker/security/testcases.yaml
@@ -0,0 +1,29 @@
+---
+tiers:
+    -
+        name: security
+        order: 1
+        ci_loop: '(daily)|(weekly)'
+        description: >-
+            Set of basic security tests.
+        testcases:
+            -
+                case_name: kube_hunter
+                project_name: security
+                criteria: 100
+                blocking: false
+                description: >-
+                    Check that the kubernetes cluster has no known
+                    vulnerabilities
+                run:
+                    name: 'kube_hunter'
+            -
+                case_name: kube_bench
+                project_name: security
+                criteria: 100
+                blocking: false
+                description: >-
+                    Check that the kubernetes cluster has no known
+                    vulnerabilities
+                run:
+                    name: 'kube_bench'

diff --git a/functest_kubernetes/security/__init__.py b/functest_kubernetes/security/__init__.py
new file mode 100644 (file)
index 0000000..e69de29

diff --git a/functest_kubernetes/security/kube-bench.yaml b/functest_kubernetes/security/kube-bench.yaml
new file mode 100644 (file)
index 0000000..ec42ba1
--- /dev/null
+++ b/functest_kubernetes/security/kube-bench.yaml
@@ -0,0 +1,51 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: kube-bench
+spec:
+  template:
+    metadata:
+      labels:
+        app: kube-bench
+    spec:
+      hostPID: true
+      containers:
+        - name: kube-bench
+          image: aquasec/kube-bench:latest
+          command: ["kube-bench"]
+          volumeMounts:
+            - name: var-lib-etcd
+              mountPath: /var/lib/etcd
+              readOnly: true
+            - name: var-lib-kubelet
+              mountPath: /var/lib/kubelet
+              readOnly: true
+            - name: etc-systemd
+              mountPath: /etc/systemd
+              readOnly: true
+            - name: etc-kubernetes
+              mountPath: /etc/kubernetes
+              readOnly: true
+              # /usr/local/mount-from-host/bin is mounted to access kubectl / kubelet, for auto-detecting the Kubernetes version.
+              # You can omit this mount if you specify --version as part of the command.
+            - name: usr-bin
+              mountPath: /usr/local/mount-from-host/bin
+              readOnly: true
+      restartPolicy: Never
+      volumes:
+        - name: var-lib-etcd
+          hostPath:
+            path: "/var/lib/etcd"
+        - name: var-lib-kubelet
+          hostPath:
+            path: "/var/lib/kubelet"
+        - name: etc-systemd
+          hostPath:
+            path: "/etc/systemd"
+        - name: etc-kubernetes
+          hostPath:
+            path: "/etc/kubernetes"
+        - name: usr-bin
+          hostPath:
+            path: "/usr/bin"

diff --git a/functest_kubernetes/security/kube-hunter.yaml b/functest_kubernetes/security/kube-hunter.yaml
new file mode 100644 (file)
index 0000000..ce88c06
--- /dev/null
+++ b/functest_kubernetes/security/kube-hunter.yaml
@@ -0,0 +1,14 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: kube-hunter
+spec:
+  template:
+    spec:
+      containers:
+      - name: kube-hunter
+        image: aquasec/kube-hunter
+        command: ["python", "kube-hunter.py"]
+        args: ["--pod"]
+      restartPolicy: Never
+  backoffLimit: 4

diff --git a/functest_kubernetes/security/security.py b/functest_kubernetes/security/security.py
new file mode 100644 (file)
index 0000000..f4e10ca
--- /dev/null
+++ b/functest_kubernetes/security/security.py
@@ -0,0 +1,122 @@
+#!/usr/bin/env python
+
+# Copyright (c) 2020 Orange and others.
+#
+# All rights reserved. This program and the accompanying materials
+# are made available under the terms of the Apache License, Version 2.0
+# which accompanies this distribution, and is available at
+# http://www.apache.org/licenses/LICENSE-2.0
+
+"""
+Define the parent for Kubernetes testing.
+"""
+
+from __future__ import division
+
+import logging
+import time
+import yaml
+
+from kubernetes import client
+from kubernetes import config
+from kubernetes import watch
+import pkg_resources
+from xtesting.core import testcase
+
+
+class SecurityTesting(testcase.TestCase):
+    """Run Security job"""
+    namespace = 'default'
+    watch_timeout = 1200
+
+    __logger = logging.getLogger(__name__)
+
+    def __init__(self, **kwargs):
+        super(SecurityTesting, self).__init__(**kwargs)
+        config.load_kube_config()
+        self.corev1 = client.CoreV1Api()
+        self.batchv1 = client.BatchV1Api()
+        self.pod = None
+        self.job_name = None
+
+    def deploy_job(self):
+        """Run Security job
+
+        It runs a single security job and then simply prints its output asis.
+        """
+
+        assert self.job_name
+        # pylint: disable=bad-continuation
+        with open(pkg_resources.resource_filename(
+                "functest_kubernetes",
+                "security/{}.yaml".format(self.job_name))) as yfile:
+            body = yaml.safe_load(yfile)
+            api_response = self.batchv1.create_namespaced_job(
+                body=body, namespace="default")
+            self.__logger.info("Job %s created", api_response.metadata.name)
+            self.__logger.debug("create_namespaced_job: %s", api_response)
+        watch_job = watch.Watch()
+        for event in watch_job.stream(
+                func=self.batchv1.list_namespaced_job,
+                namespace=self.namespace, timeout_seconds=self.watch_timeout):
+            if (event["object"].metadata.name == self.job_name and
+                    event["object"].status.succeeded == 1):
+                self.__logger.info(
+                    "%s started in %0.2f sec", event['object'].metadata.name,
+                    time.time()-self.start_time)
+                watch_job.stop()
+        pods = self.corev1.list_namespaced_pod(
+            self.namespace, label_selector='job-name={}'.format(self.job_name))
+        self.pod = pods.items[0].metadata.name
+        api_response = self.corev1.read_namespaced_pod_log(
+            name=self.pod, namespace=self.namespace)
+        self.__logger.warning("\n\n%s", api_response)
+        self.result = 100
+
+    def run(self, **kwargs):
+        assert self.job_name
+        self.start_time = time.time()
+        try:
+            self.deploy_job()
+        except client.rest.ApiException:
+            self.__logger.exception("Cannot run %s", self.job_name)
+        self.stop_time = time.time()
+
+    def clean(self):
+        try:
+            api_response = self.corev1.delete_namespaced_pod(
+                name=self.pod, namespace=self.namespace)
+            self.__logger.debug("delete_namespaced_pod: %s", api_response)
+        except client.rest.ApiException:
+            pass
+        try:
+            api_response = self.batchv1.delete_namespaced_job(
+                name=self.job_name, namespace=self.namespace)
+            self.__logger.debug(
+                "delete_namespaced_deployment: %s", api_response)
+        except client.rest.ApiException:
+            pass
+
+
+class KubeHunter(SecurityTesting):
+    """kube-hunter hunts for security weaknesses in Kubernetes clusters.
+
+    See https://github.com/aquasecurity/kube-hunter for more details
+    """
+
+    def __init__(self, **kwargs):
+        super(KubeHunter, self).__init__(**kwargs)
+        self.job_name = "kube-hunter"
+
+
+class KubeBench(SecurityTesting):
+    """kube-bench checks whether Kubernetes is deployed securelyself.
+
+    It runs the checks documented in the CIS Kubernetes Benchmark.
+
+    See https://github.com/aquasecurity/kube-bench for more details
+    """
+
+    def __init__(self, **kwargs):
+        super(KubeBench, self).__init__(**kwargs)
+        self.job_name = "kube-bench"

diff --git a/requirements.txt b/requirements.txt
index b4c2a34..60ca942 100644 (file)
--- a/requirements.txt
+++ b/requirements.txt
@@ -3,3 +3,4 @@
 # process, which may cause wedges in the gate later.
 pbr!=2.1.0 # Apache-2.0
 xtesting # Apache-2.0
+kubernetes # Apache-2.0

diff --git a/setup.cfg b/setup.cfg
index 2c0ec26..0b22313 100644 (file)
--- a/setup.cfg
+++ b/setup.cfg
@@ -10,3 +10,5 @@ packages = functest_kubernetes
 xtesting.testcase =
     k8s_smoke = functest_kubernetes.k8stest:K8sSmokeTest
     k8s_conformance = functest_kubernetes.k8stest:K8sConformanceTest
+    kube_hunter = functest_kubernetes.security.security:KubeHunter
+    kube_bench = functest_kubernetes.security.security:KubeBench

diff --git a/tox.ini b/tox.ini
index 24eff92..67aad41 100644 (file)
--- a/tox.ini
+++ b/tox.ini
@@ -23,7 +23,7 @@ commands = flake8
 
 [testenv:pylint]
 basepython = python3.6
-commands = pylint --disable=locally-disabled --reports=n functest_kubernetes
+commands = pylint --ignore-imports=y --disable=locally-disabled --reports=n functest_kubernetes
 
 [testenv:yamllint]
 basepython = python3.6