...
Create ~/validation/bluval/bluval-sdtfc.yaml to customize the test:

    blueprint:
      name: sdtfc
      layers:
        - os
        - k8s

      os: &os
        -
          name: lynis
          what: lynis
          optional: "False"

      k8s: &k8s
        -
          name: kube-hunter
          what: kube-hunter
          optional: "False"

Update the ~/validation/bluval/volumes.yaml file:
    volumes:
      # location of the ssh key to access the cluster
      ssh_key_dir:
        local: '/home/edge/.ssh'
        target: '/root/.ssh'
      # location of the k8s access files (config file, certificates, keys)
      kube_config_dir:
        local: '/home/edge/kube/'
        target: '/root/.kube/'
      # location of the customized variables.yaml
      custom_variables_file:
        local: '/home/edge/validation/tests/variables.yaml'
        target: '/opt/akraino/validation/tests/variables.yaml'
      # location of the bluval-<blueprint>.yaml file
      blueprint_dir:
        local: '/home/edge/validation/bluval'
        target: '/opt/akraino/validation/bluval'
      # location on where to store the results on the local jumpserver
      results_dir:
        local: '/home/edge/results'
        target: '/opt/akraino/results'
      # location on where to store openrc file
      openrc:
        local: ''
        target: '/root/openrc'

    # parameters that will be passed to the container at each layer
    layers:
      # volumes mounted at all layers; volumes specific for a different layer are below
      common:
        - custom_variables_file
        - blueprint_dir
        - results_dir
      hardware:
        - ssh_key_dir
      os:
        - ssh_key_dir
      networking:
        - ssh_key_dir
      docker:
        - ssh_key_dir
      k8s:
        - ssh_key_dir
        - kube_config_dir
      k8s_networking:
        - ssh_key_dir
        - kube_config_dir
      openstack:
        - openrc
      sds:
      sdn:
      vim:

Update the ~/validation/tests/variables.yaml file:
    ### Input variables cluster's master host
    host: <IP Address>              # cluster's master host address
    username: <username>            # login name to connect to cluster
    password: <password>            # login password to connect to cluster
    ssh_keyfile: /root/.ssh/id_rsa  # Identity file for authentication

Run Blucon:

    $ bash validation/bluval/blucon.sh sdtfc
Expected output
Test Results
Insert Results URL
...
- KHV002
- KHV005
- KHV050
- CAP_NET_RAW Enabled
- Access to pod's secrets
Fix for KHV002:

    $ kubectl replace -f - <<EOF
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      annotations:
        rbac.authorization.kubernetes.io/autoupdate: "false"
      labels:
        kubernetes.io/bootstrapping: rbac-defaults
      name: system:public-info-viewer
    rules:
    - nonResourceURLs:
      - /healthz
      - /livez
      - /readyz
      verbs:
      - get
    EOF
Fix for KHV005, KHV050, Access to pod's secrets:

    $ kubectl replace -f - <<EOF
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: default
      namespace: default
    automountServiceAccountToken: false
    EOF
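The two kubectl fixes above can be verified before re-running blucon. The following is an added example, not part of the Akraino validation project: it takes the JSON that `kubectl get clusterrole system:public-info-viewer -o json` and `kubectl get serviceaccount default -n default -o json` return (constructed samples are embedded here) and checks that the role no longer grants `get` on any /version path (the KHV002 fix) and that the default service account has token automount turned off (the KHV005/KHV050 fix).

```python
import json

# Constructed sample: the ClusterRole after the KHV002 fix has been applied
# (trimmed to the fields the check needs).
CLUSTERROLE_JSON = """
{"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
 "metadata": {"name": "system:public-info-viewer"},
 "rules": [{"nonResourceURLs": ["/healthz", "/livez", "/readyz"], "verbs": ["get"]}]}
"""

# Constructed sample: the default ServiceAccount before the KHV005/KHV050 fix.
# automountServiceAccountToken is absent, which Kubernetes treats as true.
SERVICEACCOUNT_JSON = """
{"apiVersion": "v1", "kind": "ServiceAccount",
 "metadata": {"name": "default", "namespace": "default"}}
"""


def version_paths_granted(clusterrole):
    """Return every non-resource URL under /version that the role lets callers
    `get`; a non-empty list means the version endpoint is still readable."""
    found = []
    for rule in clusterrole.get("rules", []):
        verbs = rule.get("verbs", [])
        if "get" not in verbs and "*" not in verbs:
            continue
        for url in rule.get("nonResourceURLs", []):
            if url == "/version" or url.startswith("/version/") or url == "*":
                found.append(url)
    return found


def token_automount_enabled(serviceaccount):
    """True when pods using this service account get the API token mounted.
    An absent automountServiceAccountToken field defaults to true."""
    return bool(serviceaccount.get("automountServiceAccountToken", True))


def check_remediation(clusterrole_json, serviceaccount_json):
    """Map each finding group from the report above to True (fixed) or False."""
    role = json.loads(clusterrole_json)
    sa = json.loads(serviceaccount_json)
    return {
        "KHV002": not version_paths_granted(role),
        "KHV005/KHV050/pod secrets": not token_automount_enabled(sa),
    }


if __name__ == "__main__":
    for finding, fixed in check_remediation(CLUSTERROLE_JSON, SERVICEACCOUNT_JSON).items():
        print(f"{finding}: {'remediated' if fixed else 'STILL EXPOSED'}")
```

The check covers only the `default` service account in the `default` namespace, exactly as the fix above does; every other namespace's default service account needs the same replace and the same check.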
Test Dashboards
Single-pane view of the test scores for the blueprint.
...