You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Next »

Introduction

This document describes tests that were performed for PCEI R4:

  1. PCEI Deployment Tests
  2. PCEI End-to-End Validation Tests
  3. BluVal Tests

Overall Test Architecture

Describe  the components of Test set up

Test Bed

Test Framework

  1. PCEI Deployment Tests

Described in the PCEI R4 Installation Guide

  1. PCEI End-to-End Validation Tests

Described in the PCEI R4 End-to-End Validation Guide

  1. BluVal Tests

Described in the BluVal Test section of this document.

Traffic Generator

Not used.

For end-to-end functional verification, a simulated IoT Client was provided. Please refer to PCEI R4 End-to-End Validation Guide.

Test API description

Akraino common tests

The Test inputs

Test Procedure

Expected output

Test Results

Blueprint extension tests

The Test inputs

Test Procedure

Expected output

Test Results

Feature Project Tests

NOT PERFORMED

The Test inputs

Test Procedure

Expected output

Test Results


BluVal Tests

The Test inputs

BluVal Test Environment setup according to:

Bluval User Guide

Test Procedure

  1. Deploy a Test VM
  2. Install Docker: https://docs.docker.com/engine/install/ubuntu/
  3. Clone BluVal Validation Framework into the Test VM:
  4. Copy SUT's .kube/config file and SSH key to the Test VM
  5. Configure validation environment:
cd validation
vi bluval-pcei.yaml
blueprint:
    name: pcei 
    layers:
        - os
        - docker
        - k8s
    # Any hardware some basic tests

    os: &os_pcei
        -
            name: ltp
            what: ltp
            optional: "True"
        -
            name: cyclictest
            what: cyclictest
            optional: "True"
        -
            name: lynis
            what: lynis
            optional: "False"
        -
            name: vuls
            what: vuls
            optional: "False"

    docker: &docker_base
        -
            name: docker_bench
            what: docker_bench
            optional: "True"

    k8s: &k8s
        -
            name: conformance
            what: conformance
            optional: "False"
        -
            name: etcd_ha
            what: etcd_ha
            optional: "True"
        -
            name: kube-hunter
            what: kube-hunter
            optional: "False"
            
cd /home/onaplab/validation/bluval
vi volumes.yaml
volumes:
    # location of the ssh key to access the cluster
    ssh_key_dir:
        local: '/home/onaplab/.ssh'
        target: '/root/.ssh'
    # location of the k8s access files (config file, certificates, keys)
    kube_config_dir:
        local: '/home/onaplab/kube'
        target: '/root/.kube/'
    # location of the customized variables.yaml
    custom_variables_file:
        local: '/home/onaplab/validation/tests/variables.yaml'
        target: '/opt/akraino/validation/tests/variables.yaml'
    # location of the bluval-<blueprint>.yaml file
    blueprint_dir:
        local: '/home/onaplab/validation/bluval'
        target: '/opt/akraino/validation/bluval'
    # location on where to store the results on the local jumpserver
    results_dir:
        local: '/home/onaplab/results'
        target: '/opt/akraino/results'
    # location on where to store openrc file
    openrc:
        local: ''
        target: '/root/openrc'

# parameters that will be passed to the container at each layer
layers:
    # volumes mounted at all layers; volumes specific for a different layer are below
    common:
        - custom_variables_file
        - blueprint_dir
        - results_dir
    hardware:
        - ssh_key_dir
    os:
        - ssh_key_dir
    networking:
        - ssh_key_dir
    docker:
        - ssh_key_dir
    k8s:
        - ssh_key_dir
        - kube_config_dir
    k8s_networking:
        - ssh_key_dir
        - kube_config_dir
    openstack:
        - openrc
    sds:
    sdn:
    vim:

cd /home/onaplab/validation/tests
vi variables.yaml
### Input variables cluster's master host
host: 10.121.7.147             # cluster's master host address
username: onaplab            # login name to connect to cluster
password: onaplab         # login password to connect to cluster
ssh_keyfile: /root/.ssh/id_rsa        # Identity file for authentication

6. Run BluVal Robot:

cd
bash validation/bluval/blucon.sh pcei

Expected output

Test Results

Vuls

CVEs Found:

CVECVSSURLException
CVE-2016-15859.8https://nvd.nist.gov/vuln/detail/CVE-2016-1585Requested by another BP
CVE-2017-183429.8https://nvd.nist.gov/vuln/detail/CVE-2017-18342Requested by another BP
CVE-2017-82839.8https://nvd.nist.gov/vuln/detail/CVE-2017-8283Requested by PCEI
CVE-2018-208399.8https://nvd.nist.gov/vuln/detail/CVE-2018-20839Requested by another BP
CVE-2019-170419.8https://nvd.nist.gov/vuln/detail/CVE-2019-17041Requested by another BP
CVE-2019-170429.8https://nvd.nist.gov/vuln/detail/CVE-2019-17042Requested by another BP
CVE-2019-198149.3https://nvd.nist.gov/vuln/detail/CVE-2019-19814Requested by PCEI
Lynis

K8S Conformance

Exception Requested:

Kube-Hunter

Vulnerabilities found

IDStatus
KHV002Fixed
KHV005Pending
KHV050Pending
CAP_NET_RAWPending


Fix for KHV002:

On SUT K8S Cluster:

kubectl replace -f - <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "false"
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: system:public-info-viewer
rules:
- nonResourceURLs:
  - /healthz
  - /livez
  - /readyz
  verbs:
  - get
EOF


Test Dashboards

Single pane view of how the test score looks like for the Blue print.


Additional Testing

Bottlenecks/Errata

  • No labels