
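#!/bin/bash
# E2E harness: spins up a throwaway kind cluster, side-loads the image under
# test and the sonobuoy image, applies tests/deploy.yaml and runs the CIS scan.
#
# Required environment: KUBERNETES_VERSION (kindest/node tag), IMAGE (image
# under test; loaded with `kind load docker-image`, so it must exist locally),
# SONOBUOY_IMAGE. Optional: E2E_TIMEOUT_SECONDS (default 600).
set -euo pipefail

# Random suffix so concurrent runs on one host do not collide on the name.
CLUSTER_NAME="kind-${RANDOM}"
# The kind config is generated into a temp file and removed by the EXIT trap.
KINDCONFIG="$(mktemp)"
# Overall budget for the run; overridable from the environment.
E2E_TIMEOUT_SECONDS="${E2E_TIMEOUT_SECONDS:-600}"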
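#######################################
# Best-effort teardown, run from the EXIT trap: delete the kind cluster and
# the temporary kind config. Every step is allowed to fail so that one
# failure (e.g. the cluster was never created) does not skip the rest.
# Globals:   CLUSTER_NAME, KINDCONFIG (read); WATCHDOG_PID (read, optional)
# Returns:   always 0
#######################################
function cleanup() {
  # Stop the timeout watchdog if one was recorded, so it cannot fire after
  # this run has already finished.
  if [[ -n "${WATCHDOG_PID:-}" ]]; then
    kill "${WATCHDOG_PID}" 2>/dev/null || true
  fi
  # '|| true', not '| true': with pipefail a failing `kind delete` would
  # otherwise abort the trap handler before the temp file is removed.
  kind delete cluster --name "${CLUSTER_NAME}" || true
  rm -f -- "${KINDCONFIG}" || true
}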
# Run cleanup on every exit path (success, error under set -e, or signal).
trap 'cleanup' EXIT
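#######################################
# Bring up a throwaway kind cluster and pre-load the images under test.
# Globals:   CLUSTER_NAME, KINDCONFIG, E2E_TIMEOUT_SECONDS (read)
#            KUBERNETES_VERSION, IMAGE, SONOBUOY_IMAGE (read, must be set)
#            WATCHDOG_PID (written) - PID of the timeout watchdog subshell
# Outputs:   progress messages to stdout; kind/docker output
# Returns:   non-zero if any kind/docker step fails (via set -e)
#######################################
function create_kind_cluster(){
  # Fail early with a readable message instead of an unbound-variable
  # error halfway through cluster creation.
  : "${KUBERNETES_VERSION:?KUBERNETES_VERSION must be set (kindest/node tag)}"
  : "${IMAGE:?IMAGE must be set (image under test)}"
  : "${SONOBUOY_IMAGE:?SONOBUOY_IMAGE must be set}"

  echo "Running E2E tests"
  # Watchdog: once the overall budget is exhausted, tear the cluster down so
  # that the kubectl calls in the polling loop fail instead of hanging forever.
  # The PID is recorded so cleanup can stop it on a normal exit.
  (
    sleep "${E2E_TIMEOUT_SECONDS}"
    echo "> E2E timeout (${E2E_TIMEOUT_SECONDS}s) reached, deleting cluster" >&2
    kind delete cluster --name "${CLUSTER_NAME}"
  ) &
  WATCHDOG_PID=$!

  echo "> Spinning up ${KUBERNETES_VERSION} kind cluster"
  # Single control-plane node labelled ingress-ready=true (kind's ingress
  # example); the node image follows KUBERNETES_VERSION.
  cat > "${KINDCONFIG}" <<EOF
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
  image: kindest/node:${KUBERNETES_VERSION}
  kubeadmConfigPatches:
  - |
    kind: InitConfiguration
    nodeRegistration:
      kubeletExtraArgs:
        node-labels: "ingress-ready=true"
EOF
  kind create cluster --name "${CLUSTER_NAME}" --config "${KINDCONFIG}"
  # Side-load images from the local docker daemon into the kind node so the
  # cluster never has to pull them from a registry.
  kind load docker-image "${IMAGE}" --name "${CLUSTER_NAME}"
  echo "> Pull and load ${SONOBUOY_IMAGE} into kind cluster"
  docker pull "${SONOBUOY_IMAGE}"
  kind load docker-image "${SONOBUOY_IMAGE}" --name "${CLUSTER_NAME}"
  # Point the current kubeconfig at the new cluster for the following steps.
  kind export kubeconfig --name "${CLUSTER_NAME}"
}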
#######################################
# Wait for the kind node and the local-path provisioner to be ready, apply
# the test manifests and wait for the scan-runner pod.
# Globals:   CLUSTER_NAME (read). envsubst is run without a SHELL-FORMAT
#            argument, so every $VAR in tests/deploy.yaml is expanded from
#            the environment.
# Outputs:   progress to stdout; kubectl output
# Returns:   status of the last kubectl wait (set -e aborts earlier failures)
#######################################
function deploy_resources(){
  local -r ns="cis-operator-system"
  local -r runner_pod="security-scan-runner-scan-test"

  echo "> Waiting for kind cluster to be ready"
  kubectl wait node "${CLUSTER_NAME}-control-plane" \
    --for=condition=ready --timeout=30s
  kubectl wait pod \
    -n local-path-storage -l app=local-path-provisioner \
    --for=condition=ready

  echo "> Deploying test resources"
  envsubst < ./tests/deploy.yaml | kubectl apply -f -
  kubectl wait pod "${runner_pod}" -n "${ns}" \
    --for=condition=ready --timeout=30s
}
#######################################
# Smoke-test that the scanner tooling is present and runnable inside the
# rancher-cis-benchmark container of the scan-runner pod.
# Globals:   none
# Outputs:   each tool's own output to stdout (sonobuoy is invoked with no
#            arguments, the other two with `version`)
# Returns:   status of the last kubectl exec (set -e aborts earlier failures)
#######################################
function check_binaries(){
  # Common prefix for running a command inside the runner container.
  local -ra in_runner=(kubectl exec -n cis-operator-system security-scan-runner-scan-test -c rancher-cis-benchmark --)

  echo "> Check binaries:"
  "${in_runner[@]}" /usr/bin/sonobuoy
  "${in_runner[@]}" /usr/bin/kube-bench version
  "${in_runner[@]}" /usr/local/bin/kubectl version
}
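#######################################
# Exit the script if a kube-bench config entry is missing in the runner.
# Arguments: $1 - entry name under /etc/kube-bench/cfg (directory or file)
# Outputs:   stat output on stdout; "<path> not found" on stderr when missing
# Returns:   0 if present; exits 1 otherwise
#######################################
_require_kube_bench_cfg() {
  local -r name=$1
  local -r path="/etc/kube-bench/cfg/${name}"
  if ! kubectl exec -n cis-operator-system security-scan-runner-scan-test -c rancher-cis-benchmark -- stat "${path}"; then
    echo "${path} not found" >&2
    exit 1
  fi
}

#######################################
# Verify the kube-bench config set inside the scan-runner container: first
# the upstream benchmark directories (plus config.yaml) the image must ship,
# then every entry under this repo's package/cfg.
# Globals:   none
# Outputs:   progress on stdout; missing entries on stderr
# Returns:   exits 1 on the first missing entry
#######################################
function check_config_files(){
  local -ra upstream=(
    ack-1.0 aks-1.0 cis-1.23 cis-1.24 cis-1.7 cis-1.8 config.yaml
    eks-1.0.1 eks-1.1.0 eks-1.2.0 eks-stig-kubernetes-v1r6
    gke-1.0 gke-1.2.0 rh-0.7 rh-1.0
  )
  local entry

  echo "> Check for upstream test files:"
  for entry in "${upstream[@]}"; do
    _require_kube_bench_cfg "${entry}"
  done

  echo "> Check for our own test files:"
  if [[ ! -d package/cfg ]]; then
    echo "package/cfg not found; run from the repository root" >&2
    exit 1
  fi
  # Glob rather than parse `ls`; an empty directory leaves the literal
  # pattern, which the -e test skips.
  for entry in package/cfg/*; do
    [[ -e "${entry}" ]] || continue
    _require_kube_bench_cfg "${entry##*/}"
  done
}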
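#######################################
# Force imagePullPolicy=Never on the sonobuoy plugin daemonset. The
# rancher-kube-bench image was side-loaded into kind, and the default policy
# Always makes the pod try (and fail) to pull it from a registry.
# Arguments: $1 - namespace holding the daemonset
# Returns:   exits 1 if no plugin daemonset is found
#######################################
_patch_plugin_pull_policy() {
  local -r ns=$1
  local ds_name
  ds_name="$(kubectl get ds -n "${ns}" -l sonobuoy-component=plugin -o name | awk -F/ '{ print $2}')"
  if [[ -z "${ds_name}" ]]; then
    echo "no daemonset with label sonobuoy-component=plugin found in ${ns}" >&2
    exit 1
  fi
  kubectl patch ds -n "${ns}" "${ds_name}" \
    -p '{"spec": {"template": {"spec":{"containers":[{"name":"rancher-kube-bench","imagePullPolicy":"Never"}]}}}}'
}

#######################################
# Poll the runner pod's field.cattle.io/sonobuoyDone annotation until it is
# "true". The wait is bounded by E2E_TIMEOUT_SECONDS so the loop terminates
# even if the cluster-deleting watchdog does not fire.
# Arguments: $1 - namespace, $2 - runner pod name
# Globals:   E2E_TIMEOUT_SECONDS (read, default 600)
# Returns:   0 once done; exits 1 on timeout (set -e exits if kubectl fails)
#######################################
_wait_for_sonobuoy_done() {
  local -r ns=$1 pod=$2
  local -r deadline=$(( SECONDS + ${E2E_TIMEOUT_SECONDS:-600} ))
  local done_flag=""
  while [[ "${done_flag}" != "true" ]]; do
    if (( SECONDS >= deadline )); then
      echo "timed out waiting for ${pod} sonobuoyDone annotation" >&2
      exit 1
    fi
    done_flag="$(kubectl get pod -n "${ns}" "${pod}" -o jsonpath='{.metadata.annotations.field\.cattle\.io/sonobuoyDone}')"
    sleep 2
  done
}

#######################################
# Entry point: build the cluster, deploy, run the scan and print its results.
# Globals:   everything read by the called functions
# Outputs:   progress and the scan output.json to stdout
#######################################
function main() {
  local -r ns="cis-operator-system"
  local -r runner_pod="security-scan-runner-scan-test"
  local -r container="rancher-cis-benchmark"

  create_kind_cluster
  deploy_resources
  check_binaries
  check_config_files

  # run.sh is long-running; it is backgrounded and completion is detected via
  # the sonobuoyDone annotation instead of waiting on the process.
  kubectl exec -n "${ns}" "${runner_pod}" -c "${container}" -- run.sh &
  sleep 20 # Wait for the new daemonset to be created
  _patch_plugin_pull_policy "${ns}"
  _wait_for_sonobuoy_done "${ns}" "${runner_pod}"

  echo "> CIS Scan Results:"
  kubectl exec -n "${ns}" "${runner_pod}" -c "${container}" -- cat /tmp/kb-summarizer/output/output.json
}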
# Pass script arguments through; main currently does not read any of them.
main "$@"