From c19c14b42cfab32cbf0390307cdc855150176a25 Mon Sep 17 00:00:00 2001
From: "dt241s@att.com"
Date: Mon, 3 Aug 2020 18:27:33 +0000
Subject: [PATCH] Add Apparmor Aqua Feature testing for Utility Containers

This covers mysqlclient,openstack and Postgresql UC's.
1)Removed Apparmor validation scripts from Deploy script.
2)This has been added as a part of AVT.

Change-Id: I6176b4b46b9add650695c4324bcc9bf65f332eb7
---
 .../test_mysqlclient_utility_container.py | 18 ++++++++
 .../test_openstack_utility_container.py | 18 ++++++++
 .../tests/utility/postgresql/__init__.py | 0
 .../test_postgresql_utility_container.py | 41 +++++++++++++++++
 tools/deployment/040-mysqlclient-utility.sh | 16 -------
 tools/deployment/050-openstack-utility.sh | 46 -------------------
 tools/deployment/060-postgresql-utility.sh | 16 -------
 tools/run_avt.sh | 1 +
 8 files changed, 78 insertions(+), 78 deletions(-)
 create mode 100644 kube_utility_container/tests/utility/postgresql/__init__.py
 create mode 100644 kube_utility_container/tests/utility/postgresql/test_postgresql_utility_container.py
diff --git a/kube_utility_container/tests/utility/mysqlclient/test_mysqlclient_utility_container.py b/kube_utility_container/tests/utility/mysqlclient/test_mysqlclient_utility_container.py
index 39638f20..7443fe81 100644
--- a/kube_utility_container/tests/utility/mysqlclient/test_mysqlclient_utility_container.py
+++ b/kube_utility_container/tests/utility/mysqlclient/test_mysqlclient_utility_container.py
@@ -37,3 +37,21 @@ class TestMysqlclientUtilityContainer(TestBase):
 f" value {expected} set for read_only_root_filesystem"
 f" in pod {mysqlclient_utility_pod.metadata.name}")
 self.assertEqual(0, len(failures), failures)
+
+ def test_verify_apparmor(self):
+ """To verify mysqlclient-utility Apparmor"""
+ failures = []
+ expected = "runtime/default"
+ mysqlclient_utility_pod = \
+ self.client._get_utility_container(self.deployment_name)
+ for container in mysqlclient_utility_pod.spec.containers:
+ annotations_common = \
+ 'container.apparmor.security.beta.kubernetes.io/'
+ annotations_key = annotations_common + container.name
+ if expected != mysqlclient_utility_pod.metadata.annotations[
+ annotations_key]:
+ failures.append(
+ f"container {container.name} belongs to pod "
+ f"{mysqlclient_utility_pod.metadata.name} "
+ f"is not having expected apparmor profile set")
+ self.assertEqual(0, len(failures), failures)
diff --git a/kube_utility_container/tests/utility/openstack/test_openstack_utility_container.py b/kube_utility_container/tests/utility/openstack/test_openstack_utility_container.py
index c1669ce8..95546578 100644
--- a/kube_utility_container/tests/utility/openstack/test_openstack_utility_container.py
+++ b/kube_utility_container/tests/utility/openstack/test_openstack_utility_container.py
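Review bot: A container whose pod lacks the `container.apparmor.security.beta.kubernetes.io/<name>` annotation makes the subscript `mysqlclient_utility_pod.metadata.annotations[annotations_key]` raise KeyError (or TypeError when `metadata.annotations` is None), so the exact misconfiguration test_verify_apparmor exists to catch ends the run as an error instead of a recorded failure. Read the annotation with a default instead: `annotations = mysqlclient_utility_pod.metadata.annotations or {}` once before the loop, then `if annotations.get(annotations_key) != expected:`; the loop-invariant `annotations_common` can be hoisted alongside it. The same code is added unchanged in the openstack and postgresql hunks, where the three methods differ only by a local variable name, so one helper on TestBase taking the pod would keep them in sync. Note that the annotation only records the profile the pod requests; unlike the `/proc/1/attr/current` probe this commit removes from the deployment scripts, it presumably does not confirm the profile is enforced on the node, which may be acceptable for a chart-level check but is worth stating in the docstring.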
@@ -37,3 +37,21 @@ class TestOpenstackUtilityContainer(TestBase):
 f" value {expected} set for read_only_root_filesystem"
 f" in pod {openstack_utility_pod.metadata.name}")
 self.assertEqual(0, len(failures), failures)
+
+ def test_verify_apparmor(self):
+ """To verify openstack-utility Apparmor"""
+ failures = []
+ expected = "runtime/default"
+ openstack_utility_pod = \
+ self.client._get_utility_container(self.deployment_name)
+ for container in openstack_utility_pod.spec.containers:
+ annotations_common = \
+ 'container.apparmor.security.beta.kubernetes.io/'
+ annotations_key = annotations_common + container.name
+ if expected != openstack_utility_pod.metadata.annotations[
+ annotations_key]:
+ failures.append(
+ f"container {container.name} belongs to pod "
+ f"{openstack_utility_pod.metadata.name} "
+ f"is not having expected apparmor profile set")
+ self.assertEqual(0, len(failures), failures)
diff --git a/kube_utility_container/tests/utility/postgresql/__init__.py b/kube_utility_container/tests/utility/postgresql/__init__.py
new file mode 100644
index 00000000..e69de29b
diff --git a/kube_utility_container/tests/utility/postgresql/test_postgresql_utility_container.py b/kube_utility_container/tests/utility/postgresql/test_postgresql_utility_container.py
new file mode 100644
index 00000000..ca5c5ec6
--- /dev/null
+++ b/kube_utility_container/tests/utility/postgresql/test_postgresql_utility_container.py
@@ -0,0 +1,41 @@
+# Copyright 2020 AT&T Intellectual Property. All other rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import unittest
+
+from kube_utility_container.tests.utility.base import TestBase
+
+class TestPostgresqlUtilityContainer(TestBase):
+ @classmethod
+ def setUpClass(cls):
+ cls.deployment_name = 'postgresql-utility'
+ super(TestPostgresqlUtilityContainer, cls).setUpClass()
+
+ def test_verify_apparmor(self):
+ """To verify postgresql-utility Apparmor"""
+ failures = []
+ expected = "runtime/default"
+ postgresql_utility_pod = \
+ self.client._get_utility_container(self.deployment_name)
+ for container in postgresql_utility_pod.spec.containers:
+ annotations_common = \
+ 'container.apparmor.security.beta.kubernetes.io/'
+ annotations_key = annotations_common + container.name
+ if expected != postgresql_utility_pod.metadata.annotations[
+ annotations_key]:
+ failures.append(
+ f"container {container.name} belongs to pod "
+ f"{postgresql_utility_pod.metadata.name} "
+ f"is not having expected apparmor profile set")
+ self.assertEqual(0, len(failures), failures)
diff --git a/tools/deployment/040-mysqlclient-utility.sh b/tools/deployment/040-mysqlclient-utility.sh
index 453117b8..08c7e03d 100755
--- a/tools/deployment/040-mysqlclient-utility.sh
+++ b/tools/deployment/040-mysqlclient-utility.sh
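Review bot: `import unittest` in the new test_postgresql_utility_container.py is unused — nothing in the 41-line module references `unittest`, since the class runs through TestBase — so drop it. `super(TestPostgresqlUtilityContainer, cls).setUpClass()` can be written `super().setUpClass()`, as the module already relies on Python 3 (f-strings), and PEP 8 expects two blank lines before the `class` line rather than the one here. The sibling mysqlclient and openstack modules also verify `read_only_root_filesystem` (visible in their context lines), whereas this module covers only AppArmor; if the postgresql-utility chart sets that field, the matching test presumably belongs here too.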
@@ -20,19 +20,3 @@ helm upgrade --install mysqlclient-utility ./charts/mysqlclient-utility --namesp
 : "${OSH_INFRA_PATH:="../openstack-helm-infra"}"
 cd "${OSH_INFRA_PATH}"
 ./tools/deployment/common/wait-for-pods.sh $namespace
-
-#Validate Apparmor
-mysql_pod=$(kubectl get pods --namespace=$namespace -o wide | grep mysqlclient | awk '{print $1}')
-expected_profile="docker-default (enforce)"
-profile=`kubectl -n $namespace exec $mysql_pod -- cat /proc/1/attr/current`
-echo "Profile running: $profile"
- if test "$profile" != "$expected_profile"
- then
- if test "$proc_name" == "pause"
- then
- echo "Root process (pause) can run docker-default, it's ok."
- else
- echo "$profile is the WRONG PROFILE!!"
- return 1
- fi
- fi
\ No newline at end of file
diff --git a/tools/deployment/050-openstack-utility.sh b/tools/deployment/050-openstack-utility.sh
index 37db6435..538d0b53 100755
--- a/tools/deployment/050-openstack-utility.sh
+++ b/tools/deployment/050-openstack-utility.sh
@@ -20,49 +20,3 @@ helm upgrade --install openstack-utility ./charts/openstack-utility --namespace=
 : "${OSH_INFRA_PATH:="../openstack-helm-infra"}"
 cd "${OSH_INFRA_PATH}"
 ./tools/deployment/common/wait-for-pods.sh $namespace
-
-#Validate Apparmor
-ouc_pod=$(kubectl get pods --namespace=$namespace -o wide | grep openstack | awk '{print $1}')
-expected_profile="docker-default (enforce)"
-
-#Below can be used for multiple Processes.Grab the processes (numbered directories) from the /proc directory,
-# and then sort them. Highest proc number indicates most recent process.
-#unsorted_process_file="/tmp/unsorted_proc_list"
-#sorted_process_file="/tmp/proc_list"
-#kubectl -n $namespace exec $ouc_pod -- ls -1 /proc | grep -e "^[0-9]*$" > $unsorted_process_file
-#sort --numeric-sort $unsorted_process_file > $sorted_process_file
-
-# The last/latest process in the list will actually be the "ls" command above,
-# which isn't running any more, so remove it.
-#sed -i '$ d' $sorted_process_file
-
-#while IFS='' read -r process || [[ -n "$process" ]]; do
- #echo "Process ID: $process"
- #proc_name=`kubectl -n $namespace exec $ouc_pod -- cat /proc/$process/status | grep "Name:" | awk -F' ' '{print $2}'`
- #echo "Process Name: $proc_name"
-# profile=`kubectl -n $namespace exec $ouc_pod -- cat /proc/1/attr/current`
-# echo "Profile running: $profile"
-# if test "$profile" != "$expected_profile"
-# then
-# if test "$proc_name" == "pause"
-# then
-# echo "Root process (pause) can run docker-default, it's ok."
-# else
-# echo "$profile is the WRONG PROFILE!!"
-# return 1
-# fi
-# fi
-#done < $sorted_process_file
-
-profile=`kubectl -n $namespace exec $ouc_pod -- cat /proc/1/attr/current`
-echo "Profile running: $profile"
- if test "$profile" != "$expected_profile"
- then
- if test "$proc_name" == "pause"
- then
- echo "Root process (pause) can run docker-default, it's ok."
- else
- echo "$profile is the WRONG PROFILE!!"
- return 1
- fi
- fi
diff --git a/tools/deployment/060-postgresql-utility.sh b/tools/deployment/060-postgresql-utility.sh
index fd391589..d841b122 100755
--- a/tools/deployment/060-postgresql-utility.sh
+++ b/tools/deployment/060-postgresql-utility.sh
@@ -19,19 +19,3 @@ helm upgrade --install postgresql-utility ./charts/postgresql-utility --namespac
 : "${OSH_INFRA_PATH:="../openstack-helm-infra"}"
 cd "${OSH_INFRA_PATH}"
 ./tools/deployment/common/wait-for-pods.sh $namespace
-
-#Validate Apparmor
-pos_pod=$(kubectl get pods --namespace=$namespace -o wide | grep postgresql | awk '{print $1}')
-expected_profile="docker-default (enforce)"
-profile=`kubectl -n $namespace exec $pos_pod -- cat /proc/1/attr/current`
-echo "Profile running: $profile"
- if test "$profile" != "$expected_profile"
- then
- if test "$proc_name" == "pause"
- then
- echo "Root process (pause) can run docker-default, it's ok."
- else
- echo "$profile is the WRONG PROFILE!!"
- return 1
- fi
- fi
\ No newline at end of file
diff --git a/tools/run_avt.sh b/tools/run_avt.sh
index bc38e3b4..4d04f40b 100755
--- a/tools/run_avt.sh
+++ b/tools/run_avt.sh
@@ -51,6 +51,7 @@ function run_feature_tests() {
 python -m unittest discover -s ${PLUGINS}/tests/utility/ceph -v
 python -m unittest discover -s ${PLUGINS}/tests/utility/mysqlclient -v
 python -m unittest discover -s ${PLUGINS}/tests/utility/openstack -v
+ python -m unittest discover -s ${PLUGINS}/tests/utility/postgresql -v
 }
 function run_unit_tests() {