-
Notifications
You must be signed in to change notification settings - Fork 17
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
rapidast scan execution as kuttl testsuite
- Loading branch information
Showing
13 changed files
with
362 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
FROM golang:1.20-bullseye | ||
|
||
# Copy the repository files | ||
COPY . /tmp/self-node-remediation-qe | ||
|
||
WORKDIR /tmp | ||
|
||
# Set the Go path and Go cache environment variables | ||
ENV GOPATH=/tmp/go | ||
ENV GOBIN=/tmp/go/bin | ||
ENV GOCACHE=/tmp/.cache/go-build | ||
ENV PATH=$PATH:$GOBIN | ||
|
||
# Create the /tmp/go/bin and build cache directories, and grant read and write permissions to all users | ||
RUN mkdir -p /tmp/go/bin $GOCACHE \ | ||
&& chmod -R 777 /tmp/go/bin $GOPATH $GOCACHE | ||
|
||
# Install dependencies required by test cases and debugging | ||
RUN apt-get update && apt-get install -y jq vim libreadline-dev dnsutils iproute2 python | ||
|
||
# Install kuttl | ||
RUN curl -LO https://github.com/kudobuilder/kuttl/releases/download/v0.15.0/kubectl-kuttl_0.15.0_linux_x86_64 \ | ||
&& chmod +x kubectl-kuttl_0.15.0_linux_x86_64 \ | ||
&& mv kubectl-kuttl_0.15.0_linux_x86_64 /usr/local/bin/kuttl | ||
|
||
# Install kubectl and oc | ||
RUN curl -LO https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/latest/openshift-client-linux.tar.gz \ | ||
&& tar -xzf openshift-client-linux.tar.gz \ | ||
&& chmod +x oc kubectl \ | ||
&& mv oc kubectl /usr/local/bin/ | ||
|
||
# Set the working directory | ||
WORKDIR /tmp/self-node-remediation-qe |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
# rapidast execution for self-node-remediation operator | ||
|
||
This test is running [rapidast](https://github.com/RedHatProductSecurity/rapidast) scan targeting the api extension that the self-node-remediation operator | ||
provides to the openshift api. | ||
|
||
The test steps ensure the generation of the needed token to retrieve the api extension urls, customize the | ||
rapidast config file, runs the scan in a docker instance and check for the results. | ||
|
||
Follow these step to run manually the scan inside the container: | ||
|
||
* Create the container image: | ||
|
||
`cd test/e2e-rh-sdl` | ||
|
||
`podman build . -t e2e-rh-sdl` | ||
|
||
* Run the container (adapt the kubeconfig file path to your environment): | ||
|
||
`podman run -it -v ~/clusterconfigs/auth/:/kube/config:Z --env KUBECONFIG=/kube/config/kubeconfig e2e-rh-sdl /bin/bash` | ||
|
||
* Launch the scan using kuttl utility: | ||
|
||
`ARTIFACT_DIR=/tmp KUBECONFIG=$KUBECONFIG kuttl test --timeout=300 --test=snr rapidast/` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
apiVersion: project.openshift.io/v1 | ||
kind: Project | ||
metadata: | ||
labels: | ||
kubernetes.io/metadata.name: rapidast-snr | ||
pod-security.kubernetes.io/audit: privileged | ||
pod-security.kubernetes.io/enforce: privileged | ||
pod-security.kubernetes.io/warn: privileged | ||
security.openshift.io/scc.podSecurityLabelSync: "false" | ||
name: rapidast-snr | ||
spec: | ||
finalizers: | ||
- kubernetes | ||
status: | ||
phase: Active |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
apiVersion: v1 | ||
kind: Namespace | ||
metadata: | ||
name: rapidast-snr | ||
labels: | ||
security.openshift.io/scc.podSecurityLabelSync: "false" | ||
pod-security.kubernetes.io/enforce: "privileged" | ||
pod-security.kubernetes.io/audit: "privileged" | ||
pod-security.kubernetes.io/warn: "privileged" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
apiVersion: v1 | ||
kind: ServiceAccount | ||
metadata: | ||
name: privileged-sa | ||
namespace: rapidast-snr | ||
|
||
--- | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRoleBinding | ||
metadata: | ||
name: rapidast-snr-binding | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: ClusterRole | ||
name: system:openshift:scc:privileged | ||
subjects: | ||
- kind: ServiceAccount | ||
name: privileged-sa | ||
namespace: rapidast-snr | ||
|
||
--- | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRoleBinding | ||
metadata: | ||
name: rapidast-snr-cluster-admin | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: ClusterRole | ||
name: cluster-admin | ||
subjects: | ||
- kind: ServiceAccount | ||
name: privileged-sa | ||
namespace: rapidast-snr |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
apiVersion: v1 | ||
kind: ServiceAccount | ||
metadata: | ||
name: privileged-sa | ||
namespace: rapidast-snr | ||
|
||
--- | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRoleBinding | ||
metadata: | ||
name: rapidast-snr-binding | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: ClusterRole | ||
name: system:openshift:scc:privileged | ||
subjects: | ||
- kind: ServiceAccount | ||
name: privileged-sa | ||
namespace: rapidast-snr | ||
|
||
--- | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: ClusterRoleBinding | ||
metadata: | ||
name: rapidast-snr-cluster-admin | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: ClusterRole | ||
name: cluster-admin | ||
subjects: | ||
- kind: ServiceAccount | ||
name: privileged-sa | ||
namespace: rapidast-snr |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
apiVersion: v1 | ||
kind: ConfigMap | ||
metadata: | ||
name: rapidast-configmap | ||
namespace: rapidast-snr |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
apiVersion: kuttl.dev/v1beta1 | ||
kind: TestStep | ||
commands: | ||
- script: ./create_rapidast_configmap.sh |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,7 @@ | ||
apiVersion: batch/v1 | ||
kind: Job | ||
metadata: | ||
name: rapidast-job | ||
namespace: rapidast-snr | ||
status: | ||
succeeded: 1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,63 @@ | ||
apiVersion: v1 | ||
kind: PersistentVolumeClaim | ||
metadata: | ||
name: rapidast-pvc | ||
namespace: rapidast-snr | ||
spec: | ||
accessModes: | ||
- ReadWriteOnce | ||
resources: | ||
requests: | ||
storage: 1Gi | ||
volumeMode: Filesystem | ||
|
||
--- | ||
apiVersion: batch/v1 | ||
kind: Job | ||
metadata: | ||
name: rapidast-job | ||
namespace: rapidast-snr | ||
spec: | ||
backoffLimit: 3 | ||
completionMode: NonIndexed | ||
completions: 1 | ||
parallelism: 1 | ||
suspend: false | ||
template: | ||
metadata: | ||
labels: | ||
job-name: rapidast-job | ||
name: rapidast-job | ||
spec: | ||
serviceAccount: privileged-sa | ||
serviceAccountName: privileged-sa | ||
containers: | ||
- command: | ||
- sh | ||
- -c | ||
- rapidast.py --log-level debug --config /helm/config/rapidastconfig.yaml && find /home/rapidast/results/snr -name zap-report.json -exec cat {} \; | ||
image: quay.io/redhatproductsecurity/rapidast:latest | ||
imagePullPolicy: Always | ||
name: rapidast-chart | ||
resources: {} | ||
securityContext: | ||
privileged: true | ||
terminationMessagePath: /dev/termination-log | ||
terminationMessagePolicy: File | ||
volumeMounts: | ||
- mountPath: /helm/config | ||
name: config-volume | ||
- mountPath: /home/rapidast/results/ | ||
name: results-volume | ||
dnsPolicy: ClusterFirst | ||
restartPolicy: Never | ||
schedulerName: default-scheduler | ||
terminationGracePeriodSeconds: 30 | ||
volumes: | ||
- configMap: | ||
defaultMode: 420 | ||
name: rapidast-configmap | ||
name: config-volume | ||
- name: results-volume | ||
persistentVolumeClaim: | ||
claimName: rapidast-pvc |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
apiVersion: kuttl.dev/v1beta1 | ||
kind: TestAssert | ||
timeout: 180 | ||
commands: | ||
- script: ./rapidast/snr/results.sh |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,56 @@ | ||
#!/usr/bin/env bash | ||
|
||
set -eou pipefail | ||
|
||
NAMESPACE="rapidast-snr" | ||
API_CLUSTER=$(grep "server: https://" $KUBECONFIG | sed -r 's#.+?//##' | head -1) | ||
TOKEN=$(oc create token privileged-sa -n $NAMESPACE) | ||
API_CLUSTER_NAME=$(echo $API_CLUSTER | cut -d ':' -f 1) | ||
OAST_CALLBACK_PORT=$(python -c "import socket; s=socket.socket(); s.bind((\"\", 0)); print(s.getsockname()[1]); s.close()") | ||
OAST_CALLBACK_ADDRESS=$(ip -o route get `(dig +short $API_CLUSTER_NAME)` | awk '{ print $3 }') | ||
|
||
# Define the content for the ConfigMap | ||
configmap_content=$(cat <<EOF | ||
apiVersion: v1 | ||
kind: ConfigMap | ||
metadata: | ||
name: rapidast-configmap | ||
namespace: ${NAMESPACE} | ||
data: | ||
rapidastconfig.yaml: | | ||
config: | ||
configVersion: 4 | ||
application: | ||
shortName: "snr" | ||
url: "https://${API_CLUSTER}" | ||
general: | ||
authentication: | ||
type: "http_header" | ||
parameters: | ||
name: "Authorization" | ||
value: "Bearer ${TOKEN}" | ||
container: | ||
type: "none" | ||
scanners: | ||
zap: | ||
apiScan: | ||
apis: | ||
apiUrl: "https://$API_CLUSTER/openapi/v3/apis/self-node-remediation.medik8s.io/v1alpha1" | ||
activeScan: | ||
policy: "Operator-scan" | ||
miscOptions: | ||
enableUI: False | ||
updateAddons: False | ||
overrideConfigs: | ||
- formhandler.fields.field(0).fieldId=namespace | ||
- formhandler.fields.field(0).value=openshift-operators | ||
- oast.callback.port=$OAST_CALLBACK_PORT | ||
- oast.callback.remoteaddr=$OAST_CALLBACK_ADDRESS | ||
EOF | ||
) | ||
|
||
# Create the ConfigMap | ||
echo "$configmap_content" | oc -n ${NAMESPACE} create -f - |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,76 @@ | ||
#!/usr/bin/env bash | ||
|
||
set -eou pipefail | ||
|
||
# Temp directory to store generated pod yaml | ||
TMP_DIR=/tmp | ||
|
||
# Where to store sync'd results -- defaults to current dir | ||
ARTIFACT_DIR=${ARTIFACT_DIR} | ||
|
||
# Name for rapiterm pod | ||
RANDOM_NAME=rapiterm-$RANDOM | ||
|
||
# Name of PVC in RapiDAST Resource, i.e. which PVC to mount to grab results | ||
PVC=rapidast-pvc | ||
|
||
IMAGE_REPOSITORY=quay.io/redhatproductsecurity/rapidast-term | ||
IMAGE_TAG=latest | ||
NAMESPACE=rapidast-snr | ||
|
||
cat <<EOF > $TMP_DIR/$RANDOM_NAME | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: $RANDOM_NAME | ||
namespace: $NAMESPACE | ||
spec: | ||
containers: | ||
- name: terminal | ||
image: '$IMAGE_REPOSITORY:$IMAGE_TAG' | ||
command: ['sleep', '300'] | ||
imagePullPolicy: Always | ||
volumeMounts: | ||
- name: results-volume | ||
mountPath: /zap/results/ | ||
resources: | ||
limits: | ||
cpu: 100m | ||
memory: 500Mi | ||
requests: | ||
cpu: 50m | ||
memory: 100Mi | ||
volumes: | ||
- name: results-volume | ||
persistentVolumeClaim: | ||
claimName: $PVC | ||
EOF | ||
|
||
kubectl apply -f $TMP_DIR/$RANDOM_NAME | ||
rm $TMP_DIR/$RANDOM_NAME | ||
kubectl -n $NAMESPACE wait --for=condition=Ready pod/$RANDOM_NAME | ||
kubectl -n $NAMESPACE cp $RANDOM_NAME:/zap/results $ARTIFACT_DIR | ||
|
||
# Function to search for 'session' file and zap-report.json recursively | ||
search_for_files() { | ||
local dir="$1/snr" | ||
local found_session=0 | ||
local found_zap_report=0 | ||
|
||
while IFS= read -r -d '' file; do | ||
if [[ "$file" == *"session"* ]]; then | ||
found_session=1 | ||
elif [[ "$file" == *"zap-report.json" ]]; then | ||
found_zap_report=1 | ||
fi | ||
done < <(find "$dir" -type f \( -name "session*" -o -name "zap-report.json" \) -print0) | ||
|
||
if [[ "$found_session" -eq 0 || "$found_zap_report" -eq 0 ]]; then | ||
echo "Either 'session' file or 'zap-report.json' files not found in subdirectories of $dir, failing..." | ||
exit 1 | ||
fi | ||
} | ||
|
||
# Search for 'session' file and zap-report.json in subdirectories of $ARTIFACT_DIR | ||
search_for_files "$ARTIFACT_DIR" | ||
|