#!/bin/bash set -eou pipefail CLUSTER_NAME="kind-${RANDOM}" KINDCONFIG="$(mktemp)" E2E_TIMEOUT_SECONDS=600 function cleanup() { kind delete cluster --name "${CLUSTER_NAME}" | true rm -rf "${KINDCONFIG}" | true } trap cleanup EXIT function create_kind_cluster(){ echo "Running E2E tests" sleep "${E2E_TIMEOUT_SECONDS}" && kind delete cluster --name "${CLUSTER_NAME}" | false & echo "> Spinning up ${KUBERNETES_VERSION} kind cluster" cat << EOF > "${KINDCONFIG}" kind: Cluster apiVersion: kind.x-k8s.io/v1alpha4 nodes: - role: control-plane image: kindest/node:$KUBERNETES_VERSION kubeadmConfigPatches: - | kind: InitConfiguration nodeRegistration: kubeletExtraArgs: node-labels: "ingress-ready=true" EOF kind create cluster --name "${CLUSTER_NAME}" --config "${KINDCONFIG}" kind load docker-image "${IMAGE}" --name "${CLUSTER_NAME}" echo "> Pull and load ${SONOBUOY_IMAGE} into kind cluster" docker pull "${SONOBUOY_IMAGE}" kind load docker-image "${SONOBUOY_IMAGE}" --name "${CLUSTER_NAME}" kind export kubeconfig --name "${CLUSTER_NAME}" } function deploy_resources(){ echo "> Waiting for kind cluster to be ready" kubectl wait node "${CLUSTER_NAME}-control-plane" --for=condition=ready --timeout=30s kubectl wait --for=condition=ready -n local-path-storage -l app=local-path-provisioner pod echo "> Deploying test resources" envsubst < ./tests/deploy.yaml | kubectl apply -f - kubectl wait --for=condition=ready -n rancher-compliance-system pod security-scan-runner-scan-test --timeout=30s } function check_binaries(){ echo "> Check binaries:" kubectl exec -n rancher-compliance-system security-scan-runner-scan-test -c rancher-compliance -- /usr/bin/sonobuoy kubectl exec -n rancher-compliance-system security-scan-runner-scan-test -c rancher-compliance -- /usr/bin/kube-bench version kubectl exec -n rancher-compliance-system security-scan-runner-scan-test -c rancher-compliance -- /usr/local/bin/kubectl version } function check_config_files(){ echo "> Check for upstream test files:" dirs="ack-1.0 aks-1.0 cis-1.23 cis-1.24 cis-1.7 cis-1.8 cis-1.9 cis-1.10 cis-1.11 config.yaml eks-1.0.1 eks-1.1.0 eks-1.2.0 eks-1.5.0 eks-stig-kubernetes-v1r6 gke-1.0 gke-1.2.0 gke-1.6.0 rh-0.7 rh-1.0" for d in ${dirs}; do if ! kubectl exec -n rancher-compliance-system security-scan-runner-scan-test -c rancher-compliance -- stat "/etc/kube-bench/cfg/$d"; then echo "/etc/kube-bench/cfg/$d not found" exit 1 fi done echo "> Check for our own test files:" dirs="$(ls package/cfg)" for d in ${dirs}; do if ! kubectl exec -n rancher-compliance-system security-scan-runner-scan-test -c rancher-compliance -- stat "/etc/kube-bench/cfg/$d"; then echo "/etc/kube-bench/cfg/$d not found" exit 1 fi done } function main() { create_kind_cluster deploy_resources check_binaries check_config_files kubectl exec -n rancher-compliance-system security-scan-runner-scan-test -c rancher-compliance -- run.sh & sleep 20 # Wait for the new daemonset to be created # The rancher-kube-bench container will fail to pull the image because the imagePullPolicy is set to Always, # which is not ideal when running on a kind cluster. kubectl patch ds -n rancher-compliance-system "$(kubectl get ds -n rancher-compliance-system -l sonobuoy-component=plugin -o name | awk -F/ '{ print $2}')" -p '{"spec": {"template": {"spec":{"containers":[{"name":"rancher-kube-bench","imagePullPolicy":"Never"}]}}}}' sonobuoyDone=false while [ "${sonobuoyDone}" != "true" ]; do sonobuoyDone=$(kubectl get pod -n rancher-compliance-system security-scan-runner-scan-test -o jsonpath='{.metadata.annotations.field\.cattle\.io/sonobuoyDone}') sleep 2 done echo "> Compliance Results:" kubectl exec -n rancher-compliance-system security-scan-runner-scan-test -c rancher-compliance -- cat /tmp/kb-summarizer/output/output.json } main