Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Test: Verify if configmaps are encrypted #1996

Open
wants to merge 1 commit into
base: main
Choose a base branch
from

Conversation

haskojur
Copy link
Contributor

@haskojur haskojur commented Apr 19, 2024

Description

By default in kubernetes system, encrypting of data inside object like configmaps is not enabled, so data in etcd are available for potential attacker.
Encrypting of configmaps is possible in newer versions of kubernetes. When this configuration is done, all newly created configmaps has encrypted data in etcd key-value store.
This testcase creates new sonfigmap with random suffix (to avoid confilct). Then we will use similar command in etcd pod to verify if encryption is working:
ETCDCTL_API=3 etcdctl \ --cacert=/etc/kubernetes/pki/etcd/ca.crt \ --cert=/etc/kubernetes/pki/etcd/server.crt \ --key=/etc/kubernetes/pki/etcd/server.key \ get /registry/configmaps/default/my-configmap | hexdump -C

Issues:

Refs: #1994

How has this been tested:

  • Covered by existing integration testing
  • Added integration testing to cover
  • Verified all A/C passes
    • develop
    • master
    • tag/other branch
  • Test environment
    • Shared Packet K8s cluster
    • New Packet K8s cluster
    • Kind cluster
  • Have not tested

Types of changes:

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update

Checklist:

Documentation

  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • No updates required.

Code Review

  • Does the test handle fatal exceptions, ie. rescue block

Issue

  • Tasks in issue are checked off

@haskojur haskojur changed the title (WIP) Test: Verify if configmaps are encrypted Test: Verify if configmaps are encrypted Apr 19, 2024
@haskojur haskojur marked this pull request as draft April 19, 2024 13:26
@haskojur haskojur changed the title Test: Verify if configmaps are encrypted (WIP) Test: Verify if configmaps are encrypted Apr 19, 2024
@haskojur haskojur marked this pull request as ready for review April 25, 2024 12:42
@haskojur haskojur changed the title (WIP) Test: Verify if configmaps are encrypted Test: Verify if configmaps are encrypted Apr 26, 2024
Copy link
Collaborator

@taylor taylor left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@haskojur
Copy link
Contributor Author

haskojur commented May 3, 2024

@HashNuke can you give me a feedback for this one please? :)

@lixuna lixuna requested a review from HashNuke May 10, 2024 18:23
@@ -83,4 +83,16 @@ describe "Platform" do
$?.success?.should be_true
(/PASSED: No Helm Tiller containers are running/ =~ response_s).should_not be_nil
end

it "'verify_configmaps_encryption' should pass if encryption is enabled in etcd", tags: ["platform:security"] do
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the idea of spec test in this repo is to run complete test cases by command-line, so I'd suggest to follow it also with this newly added test.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants