Merge pull request #55 from 2niknatan/unit-test
Adding unit test
Showing
5 changed files
with
334 additions
and
0 deletions.
@@ -0,0 +1,61 @@ | ||
import unittest | ||
from engine import utils, privleged_containers | ||
from engine.privleged_containers import get_privileged_containers | ||
from api import api_client | ||
|
||
list_of_risky_containers = ["test1-yes", "test3-yes", "test5ac2-yes", "test6a-yes", "test6b-yes", | ||
"test7c2-yes", "test8c-yes"] | ||
list_of_not_risky_containers = ["test5ac1-no", "test1-no", "test2b-no", "test7c1-no"] | ||
|
||
list_of_risky_users = ["kubiscan-sa"] | ||
list_of_not_risky_users = ["kubiscan-sa2", "default"] | ||
|
||
list_of_privileged_pods = ["etcd-minikube", "kube-apiserver-minikube", "kube-controller-manager-minikube", | ||
"kube-scheduler-minikube", "storage-provisioner"] | ||
|
||
|
||
def get_containers_by_names(): | ||
risky_pods = utils.get_risky_pods() | ||
risky_containers_by_name = [] | ||
for risky_pod in risky_pods or []: | ||
for container in risky_pod.containers: | ||
risky_containers_by_name.append(container.name) | ||
return risky_containers_by_name | ||
|
||
|
||
def get_risky_users_by_name(): | ||
risky_users = utils.get_all_risky_subjects() | ||
risky_users_by_name = [] | ||
for risky_user in risky_users: | ||
risky_users_by_name.append(risky_user.user_info.name) | ||
return risky_users_by_name | ||
|
||
|
||
class TestKubiScan(unittest.TestCase): | ||
api_client.api_init() | ||
|
||
def test_get_risky_pods(self): | ||
risky_containers_by_name = get_containers_by_names() | ||
for container in list_of_risky_containers: | ||
self.assertIn(container, risky_containers_by_name) | ||
for container in list_of_not_risky_containers: | ||
self.assertNotIn(container, risky_containers_by_name) | ||
|
||
def test_get_all_risky_roles(self): | ||
risky_users_by_name = get_risky_users_by_name() | ||
for user in list_of_risky_users: | ||
self.assertIn(user, risky_users_by_name) | ||
for user in list_of_not_risky_users: | ||
self.assertNotIn(user, risky_users_by_name) | ||
|
||
def test_get_privileged_containers(self): | ||
pods = get_privileged_containers() | ||
string_list_of_privileged_pods = [] | ||
for pod in pods: | ||
string_list_of_privileged_pods.append(pod.metadata.name) | ||
for pod_name in list_of_privileged_pods: | ||
self.assertIn(pod_name, string_list_of_privileged_pods) | ||
|
||
|
||
if __name__ == '__main__': | ||
unittest.main() |
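Review bot: `api_client.api_init()` sits directly in the body of `TestKubiScan` (the line after the `class` line), so it runs at import time — under `python3 -m pytest` as the readme prescribes, an unreachable cluster becomes a collection error rather than a failed test, and the call fires whenever the module is merely imported. Move it into the fixture hook: `@classmethod` / `def setUpClass(cls):` / `api_client.api_init()`. Separately, `test_get_privileged_containers` only asserts presence with `assertIn`, unlike the two tests above it which also assert the `*-no` fixtures are absent; an implementation that reports every pod as privileged would still pass, so add a negative check such as `self.assertNotIn("test1-no", string_list_of_privileged_pods)` using one of the plain nginx pods the script creates (presumably not privileged — confirm against the detector). The module also imports `privleged_containers` from `engine` without using it, and a short module docstring stating that these tests require the minikube cluster prepared by `kubectl_apply.sh` (the `*-minikube` pod names in `list_of_privileged_pods` are minikube-specific) would help the next reader.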
@@ -0,0 +1,203 @@ | ||
#!/bin/bash | ||
GREEN='\033[3;92m' | ||
BCYAN='\033[1;96m' | ||
UCYAN='\033[4;96m' | ||
NO_COLOR='\033[0m' | ||
|
||
|
||
if [ "$1" = "-h" ]; | ||
then | ||
echo -e "${UCYAN}How to run unit-test:${NO_COLOR}" | ||
echo -e "${BCYAN}$(cat readme)${NO_COLOR}" | ||
exit 0 | ||
fi | ||
|
||
DEFAULT_SECRET=$(kubectl get sa default -o=jsonpath='{.secrets[0].name}') | ||
echo -e "${GREEN}Creating kubiscan-sa...${NO_COLOR}" | ||
kubectl apply -f kubiscan-sa | ||
echo -e "${GREEN}Creating kubiscan-sa2...${NO_COLOR}" | ||
kubectl apply -f kubiscan-sa2 | ||
KUBISCAN_SA_SECRET=$(kubectl get sa kubiscan-sa -o=jsonpath='{.secrets[0].name}') | ||
KUBISCAN_SA2_SECRET=$(kubectl get sa kubiscan-sa2 -o=jsonpath='{.secrets[0].name}') | ||
echo -e "${BCYAN}kubiscan-sa secret: "$KUBISCAN_SA_SECRET", kubiscan-sa2 secret: "$KUBISCAN_SA2_SECRET ${NO_COLOR}"" | ||
|
||
echo -e "${GREEN}Creating test1-yes pod...${NO_COLOR}" | ||
kubectl apply -f - << EOF | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: test1-yes | ||
spec: | ||
serviceAccountName: kubiscan-sa | ||
containers: | ||
- name: test1-yes | ||
image: nginx | ||
EOF | ||
|
||
echo -e "${GREEN}Creating test5-yes pod...${NO_COLOR}" | ||
kubectl apply -f - << EOF | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: test5a-yes | ||
namespace: default | ||
spec: | ||
serviceAccountName: kubiscan-sa | ||
containers: | ||
- image: nginx | ||
name: test5ac1-no | ||
volumeMounts: | ||
- name: secret-volume | ||
readOnly: true | ||
mountPath: "/var/run/secrets/kubernetes.io/serviceaccount" | ||
- image: nginx | ||
name: test5ac2-yes | ||
volumes: | ||
- name: secret-volume | ||
secret: | ||
secretName: "$DEFAULT_SECRET" | ||
EOF | ||
|
||
echo -e "${GREEN}Creating test8-yes pod...${NO_COLOR}" | ||
kubectl apply -f - << EOF | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: test8-yes | ||
namespace: default | ||
spec: | ||
serviceAccountName: kubiscan-sa | ||
containers: | ||
- image: nginx | ||
name: test8c-yes | ||
volumeMounts: | ||
- name: secret-volume | ||
readOnly: true | ||
mountPath: "/var/run/secrets/kubernetes.io/serviceaccount" | ||
- name: secret-volume2 | ||
mountPath: "/var/run/secrets/tokens" | ||
volumes: | ||
- name: secret-volume | ||
secret: | ||
secretName: "$KUBISCAN_SA_SECRET" | ||
- name: secret-volume2 | ||
secret: | ||
secretName: "$KUBISCAN_SA2_SECRET" | ||
EOF | ||
|
||
echo -e "${GREEN}Creating test1-no pod...${NO_COLOR}" | ||
kubectl apply -f - <<EOF | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: test1-no | ||
spec: | ||
serviceAccountName: default | ||
containers: | ||
- name: test1-no | ||
image: nginx | ||
EOF | ||
|
||
echo -e "${GREEN}Creating test2b-no pod...${NO_COLOR}" | ||
kubectl apply -f - <<EOF | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: test2b-no | ||
spec: | ||
serviceAccountName: default | ||
volumes: | ||
- name: secret-volume | ||
secret: | ||
secretName: "$KUBISCAN_SA2_SECRET" | ||
containers: | ||
- name: test2b-no | ||
image: nginx | ||
volumeMounts: | ||
- name: secret-volume | ||
readOnly: true | ||
mountPath: "/var/run/secrets/kubernetes.io/serviceaccount" | ||
EOF | ||
|
||
echo -e "${GREEN}Creating test3-yes pod...${NO_COLOR}" | ||
kubectl apply -f - << EOF | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: test3-yes | ||
namespace: default | ||
spec: | ||
containers: | ||
- | ||
image: nginx | ||
name: test3-yes | ||
volumeMounts: | ||
- | ||
mountPath: /var/run/secrets/tokens2 | ||
name: sa | ||
- | ||
mountPath: /var/run/secrets/kubernetes.io/serviceaccount | ||
name: secret-volume | ||
readOnly: true | ||
serviceAccountName: default | ||
volumes: | ||
- | ||
name: sa | ||
projected: | ||
sources: | ||
- | ||
serviceAccountToken: | ||
audience: some-oidc-audience | ||
expirationSeconds: 86400 | ||
path: sa | ||
- | ||
name: secret-volume | ||
secret: | ||
secretName: "$KUBISCAN_SA_SECRET" | ||
EOF | ||
|
||
echo -e "${GREEN}Creating test6-yes pod...${NO_COLOR}" | ||
kubectl apply -f - <<EOF | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: test6-yes | ||
namespace: default | ||
spec: | ||
serviceAccountName: kubiscan-sa | ||
containers: | ||
- image: nginx | ||
name: test6a-yes | ||
- image: nginx | ||
name: test6b-yes | ||
EOF | ||
|
||
|
||
echo -e "${GREEN}Creating test7-yes pod...${NO_COLOR}" | ||
kubectl apply -f - <<EOF | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: test7-yes | ||
namespace: default | ||
spec: | ||
serviceAccountName: kubiscan-sa | ||
containers: | ||
- image: nginx | ||
name: test7c1-no | ||
volumeMounts: | ||
- name: secret-volume | ||
readOnly: true | ||
mountPath: "/var/run/secrets/kubernetes.io/serviceaccount" | ||
- name: not-token-secret | ||
mountPath: "/var/run/secrets/tokens" | ||
- image: nginx | ||
name: test7c2-yes | ||
volumes: | ||
- name: secret-volume | ||
secret: | ||
secretName: "${KUBISCAN_SA2_SECRET}" | ||
- name: not-token-secret | ||
secret: | ||
secretName: mysecret | ||
EOF |
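Review bot: The secret names read by the three `kubectl get sa ... -o=jsonpath='{.secrets[0].name}'` lines are never checked and the script has no `set -e`, so on a cluster that does not auto-create a token secret for service accounts (Kubernetes 1.24 and later) `DEFAULT_SECRET`, `KUBISCAN_SA_SECRET` and `KUBISCAN_SA2_SECRET` are empty, every later heredoc is applied with `secretName: ""`, and the unit tests fail far from the cause. Guard the values right after they are read: `[ -n "$DEFAULT_SECRET" ] && [ -n "$KUBISCAN_SA_SECRET" ] && [ -n "$KUBISCAN_SA2_SECRET" ] || { echo "service-account token secrets not found; this script needs secret-based SA tokens" >&2; exit 1; }`, and add `set -e` near the top so a failed `kubectl apply` stops the run instead of leaving a partial fixture set. Two smaller points: the progress message for the `test5a-yes` pod says `test5-yes`, and `kubectl apply -f kubiscan-sa` / `kubiscan-sa2` resolve relative to the caller's working directory, which the readme only works around with `cd KubiScan/for_unit_test/`; resolving them against `$(dirname "$0")` would make the script location-independent.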
@@ -0,0 +1,28 @@ | ||
apiVersion: v1 | ||
kind: ServiceAccount | ||
metadata: | ||
name: kubiscan-sa | ||
namespace: default | ||
--- | ||
kind: ClusterRoleBinding | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
metadata: | ||
name: kubiscan-clusterrolebinding | ||
subjects: | ||
- kind: ServiceAccount | ||
name: kubiscan-sa | ||
namespace: default | ||
apiGroup: "" | ||
roleRef: | ||
kind: ClusterRole | ||
name: kubiscan-clusterrole | ||
apiGroup: "" | ||
--- | ||
kind: ClusterRole | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
metadata: | ||
name: kubiscan-clusterrole | ||
rules: | ||
- apiGroups: ["*"] | ||
resources: ["roles", "clusterroles", "rolebindings", "clusterrolebindings", "pods", "secrets"] | ||
verbs: ["get", "list"] |
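Review bot: Nothing in this manifest says that `kubiscan-clusterrole` granting `get`/`list` on `secrets` across `apiGroups: ["*"]` is deliberate, yet that grant is what makes `kubiscan-sa` the expected entry in `list_of_risky_users` in unit_test.py, while the otherwise identical `kubiscan-sa2` manifest in the next file omits `secrets` and is expected to be reported as not risky. A header comment would keep a later cleanup from "fixing" the fixture, e.g. `# Test fixture: intentionally over-privileged (cluster-wide get/list on secrets) so KubiScan reports kubiscan-sa as risky. Apply only to the disposable minikube cluster described in the readme.`, with the mirror note on kubiscan-sa2 that its rule must stay without `secrets`.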
@@ -0,0 +1,28 @@ | ||
apiVersion: v1 | ||
kind: ServiceAccount | ||
metadata: | ||
name: kubiscan-sa2 | ||
namespace: default | ||
--- | ||
kind: ClusterRoleBinding | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
metadata: | ||
name: kubiscan-clusterrolebinding2 | ||
subjects: | ||
- kind: ServiceAccount | ||
name: kubiscan-sa2 | ||
namespace: default | ||
apiGroup: "" | ||
roleRef: | ||
kind: ClusterRole | ||
name: kubiscan-clusterrole2 | ||
apiGroup: "" | ||
--- | ||
kind: ClusterRole | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
metadata: | ||
name: kubiscan-clusterrole2 | ||
rules: | ||
- apiGroups: ["*"] | ||
resources: ["roles", "clusterroles", "rolebindings", "clusterrolebindings", "pods"] | ||
verbs: ["get", "list"] |
@@ -0,0 +1,14 @@ | ||
|
||
[1] Commit and push your changes to your repository. | ||
[2] Make sure minikube is down on the host. | ||
[3] Make sure docker is installed on the host. | ||
[4] Type the following command: | ||
"docker run --network host -v /var/run/docker.sock:/var/run/docker.sock -ti natan2nik/kubiscan-unittest:latest" | ||
-Make sure you are in the container as root | ||
[5] Type the following commands: | ||
"cd /tmp" | ||
"git clone <your repo>" | ||
"cd KubiScan/for_unit_test/" | ||
"./kubectl_apply.sh" | ||
[6] For the unit-test run the following command: | ||
python3 -m pytest -v unit_test.py |