Add Apparmor testing for Calico,Ceph,Compute,Etcd Utility Containers
1) Removed the AppArmor validation steps from the deploy scripts. 2) The same check has been added as part of AVT. Change-Id: Ic634bd59d0bf7804cf2ffa72609bf168731d4fae Signed-off-by: diwakar thyagaraj <diwakar.chitoor.thyagaraj@att.com>
This commit is contained in:
parent
ca99a26592
commit
83e20d3d2f
@ -64,3 +64,21 @@ class TestCalicoUtilityContainer(TestBase):
|
||||
latest_pod_logs = (pod_logs.split(date_2))[1:]
|
||||
self.assertNotEqual(
|
||||
0, len(latest_pod_logs), "Not able to get the latest logs")
|
||||
|
||||
def test_verify_apparmor(self):
|
||||
"""To verify calico-utility Apparmor"""
|
||||
failures = []
|
||||
expected = "runtime/default"
|
||||
calico_utility_pod = \
|
||||
self.client._get_utility_container(self.deployment_name)
|
||||
for container in calico_utility_pod.spec.containers:
|
||||
annotations_common = \
|
||||
'container.apparmor.security.beta.kubernetes.io/'
|
||||
annotations_key = annotations_common + container.name
|
||||
if expected != calico_utility_pod.metadata.annotations[
|
||||
annotations_key]:
|
||||
failures.append(
|
||||
f"container {container.name} belongs to pod "
|
||||
f"{calico_utility_pod.metadata.name} "
|
||||
f"is not having expected apparmor profile set")
|
||||
self.assertEqual(0, len(failures), failures)
|
||||
|
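Review bot: A container whose pod lacks the AppArmor annotation makes this test error with KeyError (or TypeError when `metadata.annotations` is None) at the subscript on the `if expected != calico_utility_pod.metadata.annotations[` line, instead of being recorded in `failures` — and a missing annotation is exactly the case the test exists to catch; the ceph, compute and etcd hunks have the same subscript. Read the map once before the loop, `annotations = calico_utility_pod.metadata.annotations or {}`, and compare with `if expected != annotations.get(annotations_key):` so an absent key reports through the normal failure path. Note that the annotation records the profile requested for the container, not what the node runtime is enforcing; the deploy-script check this commit removes read `/proc/1/attr/current` inside the pod, so a docstring such as `"""Verify each calico-utility container requests the runtime/default AppArmor profile via its pod annotation."""` would make the narrower scope explicit. TestCalicoUtilityContainer starts outside the hunk.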
@ -29,3 +29,21 @@ class TestCephUtilityContainer(TestBase):
|
||||
self.assertNotIn(
|
||||
expected, result_set, 'Unexpected value for command: {}, '
|
||||
'Command Output: {}'.format(exec_cmd, result_set))
|
||||
|
||||
def test_verify_apparmor(self):
|
||||
"""To verify ceph-utility Apparmor"""
|
||||
failures = []
|
||||
expected = "runtime/default"
|
||||
ceph_utility_pod = \
|
||||
self.client._get_utility_container(self.deployment_name)
|
||||
for container in ceph_utility_pod.spec.containers:
|
||||
annotations_common = \
|
||||
'container.apparmor.security.beta.kubernetes.io/'
|
||||
annotations_key = annotations_common + container.name
|
||||
if expected != ceph_utility_pod.metadata.annotations[
|
||||
annotations_key]:
|
||||
failures.append(
|
||||
f"container {container.name} belongs to pod "
|
||||
f"{calico_utility_pod.metadata.name} "
|
||||
f"is not having expected apparmor profile set")
|
||||
self.assertEqual(0, len(failures), failures)
|
||||
|
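Review bot: The failure message line `f"{calico_utility_pod.metadata.name} "` references `calico_utility_pod`, which is not defined in this method (the local is `ceph_utility_pod`), so any container that fails the profile check raises NameError and the test errors before `failures` is ever asserted; it should read `f"{ceph_utility_pod.metadata.name} "`. The etcd hunk has the same slip, `etcd_utility_pod` where the local is `etcdctl_utility_pod`. Because the name is only evaluated on the failing branch, a passing run never exercises it, which is why a linter or a test with a deliberately wrong annotation is worth adding. TestCephUtilityContainer starts outside the hunk.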
@ -81,3 +81,21 @@ class TestComputeUtilityContainer(TestBase):
|
||||
latest_pod_logs = (pod_logs.split(date_2))[1:]
|
||||
self.assertNotEqual(
|
||||
0, len(latest_pod_logs), "Not able to get the latest logs")
|
||||
|
||||
def test_verify_apparmor(self):
|
||||
"""To verify compute-utility Apparmor"""
|
||||
failures = []
|
||||
expected = "runtime/default"
|
||||
compute_utility_pod = \
|
||||
self.client._get_utility_container(self.deployment_name)
|
||||
for container in compute_utility_pod.spec.containers:
|
||||
annotations_common = \
|
||||
'container.apparmor.security.beta.kubernetes.io/'
|
||||
annotations_key = annotations_common + container.name
|
||||
if expected != compute_utility_pod.metadata.annotations[
|
||||
annotations_key]:
|
||||
failures.append(
|
||||
f"container {container.name} belongs to pod "
|
||||
f"{compute_utility_pod.metadata.name} "
|
||||
f"is not having expected apparmor profile set")
|
||||
self.assertEqual(0, len(failures), failures)
|
||||
|
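Review bot: This method is the third verbatim copy of the same AppArmor loop in this commit, differing only in the name of the pod local, and the stale-name mistakes in the ceph and etcd copies are the kind of slip such duplication invites. Lift the loop into the shared base as something like `def assert_apparmor_profile(self, pod, expected="runtime/default"):` on TestBase, with the prefix as a class constant `APPARMOR_ANNOTATION_PREFIX = 'container.apparmor.security.beta.kubernetes.io/'`, and reduce each test to the pod lookup plus one call. TestComputeUtilityContainer starts outside the hunk, and TestBase is not in this diff, so I cannot confirm it does not already have such a helper.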
@ -41,3 +41,21 @@ class TestEtcdUtilityContainer(TestBase):
|
||||
self.assertIn(
|
||||
expected, result_set, 'Unexpected value for command: {}, '
|
||||
'Command Output: {}'.format(exec_cmd, result_set))
|
||||
|
||||
def test_verify_apparmor(self):
|
||||
"""To verify etcdctl-utility Apparmor"""
|
||||
failures = []
|
||||
expected = "runtime/default"
|
||||
etcdctl_utility_pod = \
|
||||
self.client._get_utility_container(self.deployment_name)
|
||||
for container in etcdctl_utility_pod.spec.containers:
|
||||
annotations_common = \
|
||||
'container.apparmor.security.beta.kubernetes.io/'
|
||||
annotations_key = annotations_common + container.name
|
||||
if expected != etcdctl_utility_pod.metadata.annotations[
|
||||
annotations_key]:
|
||||
failures.append(
|
||||
f"container {container.name} belongs to pod "
|
||||
f"{etcd_utility_pod.metadata.name} "
|
||||
f"is not having expected apparmor profile set")
|
||||
self.assertEqual(0, len(failures), failures)
|
||||
|
@ -19,20 +19,4 @@ helm upgrade --install calicoctl-utility ./charts/calicoctl-utility --namespace=
|
||||
# Wait for Deployment
|
||||
: "${OSH_INFRA_PATH:="../openstack-helm-infra"}"
|
||||
cd "${OSH_INFRA_PATH}"
|
||||
./tools/deployment/common/wait-for-pods.sh $namespace
|
||||
|
||||
#Validate Apparmor
|
||||
cal_pod=$(kubectl get pods --namespace=$namespace -o wide | grep calico | awk '{print $1}')
|
||||
expected_profile="docker-default (enforce)"
|
||||
profile=`kubectl -n $namespace exec $cal_pod -- cat /proc/1/attr/current`
|
||||
echo "Profile running: $profile"
|
||||
if test "$profile" != "$expected_profile"
|
||||
then
|
||||
if test "$proc_name" == "pause"
|
||||
then
|
||||
echo "Root process (pause) can run docker-default, it's ok."
|
||||
else
|
||||
echo "$profile is the WRONG PROFILE!!"
|
||||
return 1
|
||||
fi
|
||||
fi
|
||||
./tools/deployment/common/wait-for-pods.sh $namespace
|
@ -57,20 +57,4 @@ helm upgrade --install ceph-utility ./charts/ceph-utility --namespace=$namespace
|
||||
# Wait for Deployment
|
||||
: "${OSH_INFRA_PATH:="../openstack-helm-infra"}"
|
||||
cd "${OSH_INFRA_PATH}"
|
||||
./tools/deployment/common/wait-for-pods.sh $namespace
|
||||
|
||||
#Validate Apparmor
|
||||
ceph_pod=$(kubectl get pods --namespace=$namespace -o wide | grep ceph | grep 1/1 | awk '{print $1}')
|
||||
expected_profile="docker-default (enforce)"
|
||||
profile=`kubectl -n $namespace exec $ceph_pod -- cat /proc/1/attr/current`
|
||||
echo "Profile running: $profile"
|
||||
if test "$profile" != "$expected_profile"
|
||||
then
|
||||
if test "$proc_name" == "pause"
|
||||
then
|
||||
echo "Root process (pause) can run docker-default, it's ok."
|
||||
else
|
||||
echo "$profile is the WRONG PROFILE!!"
|
||||
return 1
|
||||
fi
|
||||
fi
|
||||
./tools/deployment/common/wait-for-pods.sh $namespace
|
@ -20,20 +20,4 @@ helm upgrade --install compute-utility ./charts/compute-utility --namespace=$nam
|
||||
# Wait for Deployment
|
||||
: "${OSH_INFRA_PATH:="../openstack-helm-infra"}"
|
||||
cd "${OSH_INFRA_PATH}"
|
||||
./tools/deployment/common/wait-for-pods.sh $namespace
|
||||
|
||||
#Validate Apparmor
|
||||
com_pod=$(kubectl get pods --namespace=$namespace -o wide | grep compute | awk '{print $1}')
|
||||
expected_profile="docker-default (enforce)"
|
||||
profile=`kubectl -n $namespace exec $com_pod -- cat /proc/1/attr/current`
|
||||
echo "Profile running: $profile"
|
||||
if test "$profile" != "$expected_profile"
|
||||
then
|
||||
if test "$proc_name" == "pause"
|
||||
then
|
||||
echo "Root process (pause) can run docker-default, it's ok."
|
||||
else
|
||||
echo "$profile is the WRONG PROFILE!!"
|
||||
return 1
|
||||
fi
|
||||
fi
|
||||
./tools/deployment/common/wait-for-pods.sh $namespace
|
@ -19,20 +19,4 @@ helm upgrade --install etcdctl-utility ./charts/etcdctl-utility --namespace=$nam
|
||||
# Wait for Deployment
|
||||
: "${OSH_INFRA_PATH:="../openstack-helm-infra"}"
|
||||
cd "${OSH_INFRA_PATH}"
|
||||
./tools/deployment/common/wait-for-pods.sh $namespace
|
||||
|
||||
#Validate Apparmor
|
||||
etc_pod=$(kubectl get pods --namespace=$namespace -o wide | grep etcdctl | awk '{print $1}')
|
||||
expected_profile="docker-default (enforce)"
|
||||
profile=`kubectl -n $namespace exec $etc_pod -- cat /proc/1/attr/current`
|
||||
echo "Profile running: $profile"
|
||||
if test "$profile" != "$expected_profile"
|
||||
then
|
||||
if test "$proc_name" == "pause"
|
||||
then
|
||||
echo "Root process (pause) can run docker-default, it's ok."
|
||||
else
|
||||
echo "$profile is the WRONG PROFILE!!"
|
||||
return 1
|
||||
fi
|
||||
fi
|
||||
./tools/deployment/common/wait-for-pods.sh $namespace
|