diff --git a/kube_utility_container/tests/utility/calico/test_calico_utility_container.py b/kube_utility_container/tests/utility/calico/test_calico_utility_container.py
index e70a5838..cab9cf64 100644
--- a/kube_utility_container/tests/utility/calico/test_calico_utility_container.py
+++ b/kube_utility_container/tests/utility/calico/test_calico_utility_container.py
@@ -64,3 +64,21 @@ class TestCalicoUtilityContainer(TestBase):
 latest_pod_logs = (pod_logs.split(date_2))[1:]
 self.assertNotEqual(
 0, len(latest_pod_logs), "Not able to get the latest logs")
+
+ def test_verify_apparmor(self):
+ """To verify calico-utility Apparmor"""
+ failures = []
+ expected = "runtime/default"
+ calico_utility_pod = \
+ self.client._get_utility_container(self.deployment_name)
+ for container in calico_utility_pod.spec.containers:
+ annotations_common = \
+ 'container.apparmor.security.beta.kubernetes.io/'
+ annotations_key = annotations_common + container.name
+ if expected != calico_utility_pod.metadata.annotations[
+ annotations_key]:
+ failures.append(
+ f"container {container.name} belongs to pod "
+ f"{calico_utility_pod.metadata.name} "
+ f"is not having expected apparmor profile set")
+ self.assertEqual(0, len(failures), failures)
diff --git a/kube_utility_container/tests/utility/ceph/test_ceph_utility_container.py b/kube_utility_container/tests/utility/ceph/test_ceph_utility_container.py
index 5d873561..8d3a5b6b 100644
--- a/kube_utility_container/tests/utility/ceph/test_ceph_utility_container.py
+++ b/kube_utility_container/tests/utility/ceph/test_ceph_utility_container.py
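Review bot: A container that carries no `container.apparmor.security.beta.kubernetes.io/<name>` annotation at all — the case an AppArmor check most needs to catch — makes the lookup `calico_utility_pod.metadata.annotations[annotations_key]` raise KeyError, so the test errors out instead of reporting the descriptive failure; the same indexing appears in the ceph, compute and etcd hunks. Using `if calico_utility_pod.metadata.annotations.get(annotations_key) != expected:` turns a missing annotation into an ordinary failure, and if the client can return `annotations` as None for a pod with no annotations, `(calico_utility_pod.metadata.annotations or {}).get(annotations_key)` covers that too. Unlike the `/proc/1/attr/current` check the shell scripts in this commit drop, this test asserts only the profile the pod declares, not the profile the container process is actually confined by, which the docstring should say. The four methods are identical apart from the local variable name, so a single helper on TestBase taking the deployment name would remove the copy-paste drift already visible in two of them.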
@@ -29,3 +29,21 @@ class TestCephUtilityContainer(TestBase):
 self.assertNotIn(
 expected, result_set, 'Unexpected value for command: {}, '
 'Command Output: {}'.format(exec_cmd, result_set))
+
+ def test_verify_apparmor(self):
+ """To verify ceph-utility Apparmor"""
+ failures = []
+ expected = "runtime/default"
+ ceph_utility_pod = \
+ self.client._get_utility_container(self.deployment_name)
+ for container in ceph_utility_pod.spec.containers:
+ annotations_common = \
+ 'container.apparmor.security.beta.kubernetes.io/'
+ annotations_key = annotations_common + container.name
+ if expected != ceph_utility_pod.metadata.annotations[
+ annotations_key]:
+ failures.append(
+ f"container {container.name} belongs to pod "
+ f"{calico_utility_pod.metadata.name} "
+ f"is not having expected apparmor profile set")
+ self.assertEqual(0, len(failures), failures)
diff --git a/kube_utility_container/tests/utility/compute/test_compute_utility_container.py b/kube_utility_container/tests/utility/compute/test_compute_utility_container.py
index 5b55851b..ddb3edd7 100644
--- a/kube_utility_container/tests/utility/compute/test_compute_utility_container.py
+++ b/kube_utility_container/tests/utility/compute/test_compute_utility_container.py
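Review bot: The failure message in this hunk references `calico_utility_pod`, which is not defined in the ceph method (the pod is bound to `ceph_utility_pod`), so the first annotation mismatch raises NameError while building the f-string instead of appending a failure; the line should read `f"{ceph_utility_pod.metadata.name} "`. The etcd hunk has the same slip, using `etcd_utility_pod` where the local is `etcdctl_utility_pod`. Because the name is only evaluated on the failing path, a run in which every container already carries `runtime/default` passes and never exposes either bug.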
@@ -81,3 +81,21 @@ class TestComputeUtilityContainer(TestBase):
 latest_pod_logs = (pod_logs.split(date_2))[1:]
 self.assertNotEqual(
 0, len(latest_pod_logs), "Not able to get the latest logs")
+
+ def test_verify_apparmor(self):
+ """To verify compute-utility Apparmor"""
+ failures = []
+ expected = "runtime/default"
+ compute_utility_pod = \
+ self.client._get_utility_container(self.deployment_name)
+ for container in compute_utility_pod.spec.containers:
+ annotations_common = \
+ 'container.apparmor.security.beta.kubernetes.io/'
+ annotations_key = annotations_common + container.name
+ if expected != compute_utility_pod.metadata.annotations[
+ annotations_key]:
+ failures.append(
+ f"container {container.name} belongs to pod "
+ f"{compute_utility_pod.metadata.name} "
+ f"is not having expected apparmor profile set")
+ self.assertEqual(0, len(failures), failures)
diff --git a/kube_utility_container/tests/utility/etcd/test_etcd_utility_container.py b/kube_utility_container/tests/utility/etcd/test_etcd_utility_container.py
index 05a1e403..a25dc510 100644
--- a/kube_utility_container/tests/utility/etcd/test_etcd_utility_container.py
+++ b/kube_utility_container/tests/utility/etcd/test_etcd_utility_container.py
@@ -41,3 +41,21 @@ class TestEtcdUtilityContainer(TestBase):
 self.assertIn(
 expected, result_set, 'Unexpected value for command: {}, '
 'Command Output: {}'.format(exec_cmd, result_set))
+
+ def test_verify_apparmor(self):
+ """To verify etcdctl-utility Apparmor"""
+ failures = []
+ expected = "runtime/default"
+ etcdctl_utility_pod = \
+ self.client._get_utility_container(self.deployment_name)
+ for container in etcdctl_utility_pod.spec.containers:
+ annotations_common = \
+ 'container.apparmor.security.beta.kubernetes.io/'
+ annotations_key = annotations_common + container.name
+ if expected != etcdctl_utility_pod.metadata.annotations[
+ annotations_key]:
+ failures.append(
+ f"container {container.name} belongs to pod "
+ f"{etcd_utility_pod.metadata.name} "
+ f"is not having expected apparmor profile set")
+ self.assertEqual(0, len(failures), failures)
diff --git a/tools/deployment/005-calicoctl-utility.sh b/tools/deployment/005-calicoctl-utility.sh
index 6c1d7db3..bcc0b4e2 100755
--- a/tools/deployment/005-calicoctl-utility.sh
+++ b/tools/deployment/005-calicoctl-utility.sh
@@ -19,20 +19,4 @@ helm upgrade --install calicoctl-utility ./charts/calicoctl-utility --namespace=
 # Wait for Deployment
 : "${OSH_INFRA_PATH:="../openstack-helm-infra"}"
 cd "${OSH_INFRA_PATH}"
-./tools/deployment/common/wait-for-pods.sh $namespace
-
-#Validate Apparmor
-cal_pod=$(kubectl get pods --namespace=$namespace -o wide | grep calico | awk '{print $1}')
-expected_profile="docker-default (enforce)"
-profile=`kubectl -n $namespace exec $cal_pod -- cat /proc/1/attr/current`
-echo "Profile running: $profile"
- if test "$profile" != "$expected_profile"
- then
- if test "$proc_name" == "pause"
- then
- echo "Root process (pause) can run docker-default, it's ok."
- else
- echo "$profile is the WRONG PROFILE!!"
- return 1
- fi
- fi
+./tools/deployment/common/wait-for-pods.sh $namespace
\ No newline at end of file
diff --git a/tools/deployment/010-ceph-utility.sh b/tools/deployment/010-ceph-utility.sh
index f24f6c58..cb280945 100755
--- a/tools/deployment/010-ceph-utility.sh
+++ b/tools/deployment/010-ceph-utility.sh
@@ -57,20 +57,4 @@ helm upgrade --install ceph-utility ./charts/ceph-utility --namespace=$namespace
 # Wait for Deployment
 : "${OSH_INFRA_PATH:="../openstack-helm-infra"}"
 cd "${OSH_INFRA_PATH}"
-./tools/deployment/common/wait-for-pods.sh $namespace
-
-#Validate Apparmor
-ceph_pod=$(kubectl get pods --namespace=$namespace -o wide | grep ceph | grep 1/1 | awk '{print $1}')
-expected_profile="docker-default (enforce)"
-profile=`kubectl -n $namespace exec $ceph_pod -- cat /proc/1/attr/current`
-echo "Profile running: $profile"
- if test "$profile" != "$expected_profile"
- then
- if test "$proc_name" == "pause"
- then
- echo "Root process (pause) can run docker-default, it's ok."
- else
- echo "$profile is the WRONG PROFILE!!"
- return 1
- fi
- fi
\ No newline at end of file
+./tools/deployment/common/wait-for-pods.sh $namespace
\ No newline at end of file
diff --git a/tools/deployment/020-compute-utility.sh b/tools/deployment/020-compute-utility.sh
index 49f1eec4..6ad32ad0 100755
--- a/tools/deployment/020-compute-utility.sh
+++ b/tools/deployment/020-compute-utility.sh
@@ -20,20 +20,4 @@ helm upgrade --install compute-utility ./charts/compute-utility --namespace=$nam
 # Wait for Deployment
 : "${OSH_INFRA_PATH:="../openstack-helm-infra"}"
 cd "${OSH_INFRA_PATH}"
-./tools/deployment/common/wait-for-pods.sh $namespace
-
-#Validate Apparmor
-com_pod=$(kubectl get pods --namespace=$namespace -o wide | grep compute | awk '{print $1}')
-expected_profile="docker-default (enforce)"
-profile=`kubectl -n $namespace exec $com_pod -- cat /proc/1/attr/current`
-echo "Profile running: $profile"
- if test "$profile" != "$expected_profile"
- then
- if test "$proc_name" == "pause"
- then
- echo "Root process (pause) can run docker-default, it's ok."
- else
- echo "$profile is the WRONG PROFILE!!"
- return 1
- fi
- fi
\ No newline at end of file
+./tools/deployment/common/wait-for-pods.sh $namespace
\ No newline at end of file
diff --git a/tools/deployment/030-etcdctl-utility.sh b/tools/deployment/030-etcdctl-utility.sh
index 845f351c..aef2c3aa 100755
--- a/tools/deployment/030-etcdctl-utility.sh
+++ b/tools/deployment/030-etcdctl-utility.sh
@@ -19,20 +19,4 @@ helm upgrade --install etcdctl-utility ./charts/etcdctl-utility --namespace=$nam
 # Wait for Deployment
 : "${OSH_INFRA_PATH:="../openstack-helm-infra"}"
 cd "${OSH_INFRA_PATH}"
-./tools/deployment/common/wait-for-pods.sh $namespace
-
-#Validate Apparmor
-etc_pod=$(kubectl get pods --namespace=$namespace -o wide | grep etcdctl | awk '{print $1}')
-expected_profile="docker-default (enforce)"
-profile=`kubectl -n $namespace exec $etc_pod -- cat /proc/1/attr/current`
-echo "Profile running: $profile"
- if test "$profile" != "$expected_profile"
- then
- if test "$proc_name" == "pause"
- then
- echo "Root process (pause) can run docker-default, it's ok."
- else
- echo "$profile is the WRONG PROFILE!!"
- return 1
- fi
- fi
\ No newline at end of file
+./tools/deployment/common/wait-for-pods.sh $namespace
\ No newline at end of file