
  1. Create ~/validation/bluval/bluval-sdtfc.yaml to select the tests to run

    # bluval-sdtfc.yaml: declares which bluval test suites run for the "sdtfc"
    # blueprint. Every entry under `layers` needs a key of the same name below
    # holding that layer's test list (the &os / &k8s anchors are defined here but
    # not aliased anywhere in this snippet).
    blueprint:
      name: sdtfc
      # layers to validate, in this order
      layers:
        - os
        - k8s
      # host-OS layer: a lynis audit of the host named in variables.yaml
      os: &os
        - name: lynis
          what: lynis
          optional: "False"   # quoted on purpose: keep it a string (TODO confirm bluval compares it as text)
      # kubernetes layer: kube-hunter probes the cluster for known weaknesses
      k8s: &k8s
        - name: kube-hunter
          what: kube-hunter
          optional: "False"   # same convention as above


  2. Update the ~/validation/bluval/volumes.yaml file

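    # volumes.yaml: host paths (`local`) bind-mounted into the bluval container
    # at `target`. Several of these hand the container live credentials (SSH
    # private keys, kubeconfig, openrc, the password in variables.yaml): keep
    # the local directories readable only by the jumpserver user and mount no
    # more than the selected layers need.
    volumes:
      # location of the ssh key to access the cluster — the whole ~/.ssh
      # directory is mounted, private keys included
      ssh_key_dir:
        local: '/home/edge/.ssh'
        target: '/root/.ssh'
      # location of the k8s access files (config file, certificates, keys);
      # the container gets whatever access this kubeconfig grants
      kube_config_dir:
        local: '/home/edge/kube/'
        target: '/root/.kube/'
      # location of the customized variables.yaml (holds the host login
      # password, see step 3)
      custom_variables_file:
        local: '/home/edge/validation/tests/variables.yaml'
        target: '/opt/akraino/validation/tests/variables.yaml'
      # location of the bluval-<blueprint>.yaml file
      blueprint_dir:
        local: '/home/edge/validation/bluval'
        target: '/opt/akraino/validation/bluval'
      # location on where to store the results on the local jumpserver
      results_dir:
        local: '/home/edge/results'
        target: '/opt/akraino/results'
      # location on where to store openrc file; `local` is left empty in this
      # example (presumably because no openstack layer is selected) — fill it
      # in only when the openstack layer is enabled
      openrc:
        local: ''
        target: '/root/openrc'

    # parameters that will be passed to the container at each layer
    layers:
      # volumes mounted at all layers; volumes specific for a different layer are below
      common:
        - custom_variables_file
        - blueprint_dir
        - results_dir
      hardware:
        - ssh_key_dir
      os:
        - ssh_key_dir
      networking:
        - ssh_key_dir
      docker:
        - ssh_key_dir
      k8s:
        - ssh_key_dir
        - kube_config_dir
      k8s_networking:
        - ssh_key_dir
        - kube_config_dir
      openstack:
        - openrc
      # layers with no extra volumes: written as explicit empty lists so a
      # consumer that iterates or concatenates them never receives the null
      # that a bare `key:` parses to
      sds: []
      sdn: []
      vim: []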


  3. Update the ~/validation/tests/variables.yaml file

    ### Input variables cluster's master host
    # This file is mounted into the test container (custom_variables_file in
    # volumes.yaml) and carries a cleartext login password: restrict its
    # permissions on the jumpserver and prefer the key-based login below.
    host: <IP Address>                # cluster's master host address
    username: <username>              # login name to connect to cluster
    password: <password>              # login password to connect to cluster
    ssh_keyfile: /root/.ssh/id_rsa    # Identity file for authentication; path inside the container (target of ssh_key_dir)


  4. Run Blucon

    $ bash validation/bluval/blucon.sh sdtfc

Expected output


Test Results

Insert Results URL


  • KHV002
  • KHV005
  • KHV050
  • CAP_NET_RAW Enabled
  • Access to pod's secrets

Fix for KHV002

# KHV002 (version disclosure): rewrite the built-in system:public-info-viewer
# ClusterRole so unauthenticated clients keep the health probes but no longer
# get the /version paths the stock role also lists.
$  kubectl replace -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    # keeps the API server's RBAC reconciler from restoring the default rules
    # on restart; it also means upstream changes to this role are no longer
    # applied automatically, so re-check it after cluster upgrades
    rbac.authorization.kubernetes.io/autoupdate: "false"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:public-info-viewer
rules:
  - nonResourceURLs:
      - /healthz
      - /livez
      - /readyz
    verbs:
      - get
EOF


Fix for KHV005, KHV050, Access to pod's secrets

# KHV005 / KHV050 / "Access to pod's secrets": stop auto-mounting the default
# ServiceAccount token into pods. Scope: this changes only the `default`
# ServiceAccount in the `default` namespace — other namespaces and other
# ServiceAccounts are untouched, and a pod-level automountServiceAccountToken
# setting takes precedence, so workloads that genuinely need in-pod API access
# can opt back in there.
$  kubectl replace -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
  namespace: default
automountServiceAccountToken: false
EOF



Test Dashboards

Single-pane view of the test score for the blueprint.
