...

Test Results

Feature Project Tests

NOT PERFORMED

The Test inputs

Test Procedure

...

Code Block
cd validation
vi bluval-pcei.yaml
blueprint:
    name: pcei 
    layers:
        - os
        - docker
        - k8s
    # Any hardware some basic tests

    os: &os_pcei
        -
            name: ltp
            what: ltp
            optional: "True"
        -
            name: cyclictest
            what: cyclictest
            optional: "True"
        -
            name: lynis
            what: lynis
            optional: "False"
        -
            name: vuls
            what: vuls
            optional: "False"

    docker: &docker_base
        -
            name: docker_bench
            what: docker_bench
            optional: "True"

    k8s: &k8s
        -
            name: conformance
            what: conformance
            optional: "False"
        -
            name: etcd_ha
            what: etcd_ha
            optional: "True"
        -
            name: kube-hunter
            what: kube-hunter
            optional: "False"
            
cd /home/onaplab/validation/bluval
vi volumes.yaml
volumes:
    # location of the ssh key to access the cluster
    ssh_key_dir:
        local: '/home/onaplab/.ssh'
        target: '/root/.ssh'
    # location of the k8s access files (config file, certificates, keys)
    kube_config_dir:
        local: '/home/onaplab/kube'
        target: '/root/.kube/'
    # location of the customized variables.yaml
    custom_variables_file:
        local: '/home/onaplab/validation/tests/variables.yaml'
        target: '/opt/akraino/validation/tests/variables.yaml'
    # location of the bluval-<blueprint>.yaml file
    blueprint_dir:
        local: '/home/onaplab/validation/bluval'
        target: '/opt/akraino/validation/bluval'
    # location on where to store the results on the local jumpserver
    results_dir:
        local: '/home/onaplab/results'
        target: '/opt/akraino/results'
    # location on where to store openrc file
    openrc:
        local: ''
        target: '/root/openrc'

# parameters that will be passed to the container at each layer
layers:
    # volumes mounted at all layers; volumes specific for a different layer are below
    common:
        - custom_variables_file
        - blueprint_dir
        - results_dir
    hardware:
        - ssh_key_dir
    os:
        - ssh_key_dir
    networking:
        - ssh_key_dir
    docker:
        - ssh_key_dir
    k8s:
        - ssh_key_dir
        - kube_config_dir
    k8s_networking:
        - ssh_key_dir
        - kube_config_dir
    openstack:
        - openrc
    sds:
    sdn:
    vim:

cd /home/onaplab/validation/tests
vi variables.yaml
### Input variables cluster's master host
host: 10.121.7.147             # cluster's master host address
username: onaplab            # login name to connect to cluster
password: onaplab         # login password to connect to cluster
ssh_keyfile: /root/.ssh/id_rsa        # Identity file for authentication

6. Run BluVal Robot:

Code Block
cd
bash validation/bluval/blucon.sh pcei

Expected output

Test Results

Vuls

[Image]

CVEs Found:

| CVE | CVSS | URL | Exception |
|---|---|---|---|
| CVE-2016-1585 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2016-1585 | Requested by another BP |
| CVE-2017-18342 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2017-18342 | Requested by another BP |
| CVE-2017-8283 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2017-8283 | Requested by PCEI |
| CVE-2018-20839 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2018-20839 | Requested by another BP |
| CVE-2019-17041 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2019-17041 | Requested by another BP |
| CVE-2019-17042 | 9.8 | https://nvd.nist.gov/vuln/detail/CVE-2019-17042 | Requested by another BP |
| CVE-2019-19814 | 9.3 | https://nvd.nist.gov/vuln/detail/CVE-2019-19814 | Requested by PCEI |

Lynis

[Image]

K8S Conformance

[Image]

Exception Requested:

[Image]

Kube-Hunter

[Image]

Vulnerabilities found

| ID | Status |
|---|---|
| KHV002 | Fixed |
| KHV005 | Pending |
| KHV050 | Pending |
| CAP_NET_RAW | Pending |


Fix for KHV002:

On SUT K8S Cluster:

Code Block
kubectl replace -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "false"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:public-info-viewer
rules:
- nonResourceURLs:
  - /healthz
  - /livez
  - /readyz
  verbs:
  - get
EOF
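
To confirm the KHV002 fix is in place and will not be reverted when the API server reconciles default RBAC roles at startup, the role can be audited from its JSON form. This is an added example, not part of the original page or the Akraino project; the function name and both sample roles are constructed for illustration, and the input is assumed to be the output of `kubectl get clusterrole system:public-info-viewer -o json`.

```python
import json

AUTOUPDATE = "rbac.authorization.kubernetes.io/autoupdate"
ALLOWED_URLS = {"/healthz", "/livez", "/readyz"}  # paths kept by the fix above


def audit_public_info_viewer(role_json):
    """Audit `kubectl get clusterrole system:public-info-viewer -o json` output.

    Returns a list of findings; an empty list means the role matches the fix.
    """
    role = json.loads(role_json)
    findings = []
    annotations = role.get("metadata", {}).get("annotations") or {}
    if annotations.get(AUTOUPDATE) != "false":
        # The API server reconciles default RBAC roles at startup unless
        # autoupdate is "false", which would restore the removed paths.
        findings.append("autoupdate is not 'false'; role will be reconciled")
    for rule in role.get("rules") or []:
        urls = rule.get("nonResourceURLs") or []
        for url in urls:
            if url not in ALLOWED_URLS:
                findings.append(f"extra nonResourceURL: {url}")
        extra_verbs = set(rule.get("verbs") or []) - {"get"}
        if urls and extra_verbs:
            findings.append(f"extra verbs on nonResourceURLs: {sorted(extra_verbs)}")
    return findings


# Constructed sample: a role that still has the stock rules (assumption:
# mirrors the upstream default, which also lists /version and /version/).
SAMPLE_DEFAULT = json.dumps({
    "metadata": {"name": "system:public-info-viewer",
                 "annotations": {AUTOUPDATE: "true"}},
    "rules": [{"nonResourceURLs": ["/healthz", "/livez", "/readyz",
                                   "/version", "/version/"],
               "verbs": ["get"]}],
})
# Constructed sample: the role as replaced by the command on this page.
SAMPLE_FIXED = json.dumps({
    "metadata": {"name": "system:public-info-viewer",
                 "annotations": {AUTOUPDATE: "false"}},
    "rules": [{"nonResourceURLs": ["/healthz", "/livez", "/readyz"],
               "verbs": ["get"]}],
})

if __name__ == "__main__":
    for name, sample in (("default", SAMPLE_DEFAULT), ("fixed", SAMPLE_FIXED)):
        print(name, audit_public_info_viewer(sample))
```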


Test Dashboards

Single-pane view of what the test score looks like for the blueprint.

...