Merge pull request #55 from 2niknatan/unit-test

Adding unit test
cyberark · Nov 27, 2022 · b8e7f42 · b8e7f42
2 parents 4b14c08 + afdb59a
commit b8e7f42
Show file tree

Hide file tree

Showing 5 changed files with 334 additions and 0 deletions.
diff --git a/unit_test.py b/unit_test.py
@@ -0,0 +1,61 @@
+import unittest
+from engine import utils, privleged_containers
+from engine.privleged_containers import get_privileged_containers
+from api import api_client
+
+list_of_risky_containers = ["test1-yes", "test3-yes", "test5ac2-yes", "test6a-yes", "test6b-yes",
+                            "test7c2-yes", "test8c-yes"]
+list_of_not_risky_containers = ["test5ac1-no", "test1-no", "test2b-no", "test7c1-no"]
+
+list_of_risky_users = ["kubiscan-sa"]
+list_of_not_risky_users = ["kubiscan-sa2", "default"]
+
+list_of_privileged_pods = ["etcd-minikube", "kube-apiserver-minikube", "kube-controller-manager-minikube",
+                           "kube-scheduler-minikube", "storage-provisioner"]
+
+
+def get_containers_by_names():
+    risky_pods = utils.get_risky_pods()
+    risky_containers_by_name = []
+    for risky_pod in risky_pods or []:
+        for container in risky_pod.containers:
+            risky_containers_by_name.append(container.name)
+    return risky_containers_by_name
+
+
+def get_risky_users_by_name():
+    risky_users = utils.get_all_risky_subjects()
+    risky_users_by_name = []
+    for risky_user in risky_users:
+        risky_users_by_name.append(risky_user.user_info.name)
+    return risky_users_by_name
+
+
+class TestKubiScan(unittest.TestCase):
+    api_client.api_init()
+
+    def test_get_risky_pods(self):
+        risky_containers_by_name = get_containers_by_names()
+        for container in list_of_risky_containers:
+            self.assertIn(container, risky_containers_by_name)
+        for container in list_of_not_risky_containers:
+            self.assertNotIn(container, risky_containers_by_name)
+
+    def test_get_all_risky_roles(self):
+        risky_users_by_name = get_risky_users_by_name()
+        for user in list_of_risky_users:
+            self.assertIn(user, risky_users_by_name)
+        for user in list_of_not_risky_users:
+            self.assertNotIn(user, risky_users_by_name)
+
+    def test_get_privileged_containers(self):
+        pods = get_privileged_containers()
+        string_list_of_privileged_pods = []
+        for pod in pods:
+            string_list_of_privileged_pods.append(pod.metadata.name)
+        for pod_name in list_of_privileged_pods:
+            self.assertIn(pod_name, string_list_of_privileged_pods)
+
+
+if __name__ == '__main__':
+    unittest.main()
diff --git a/unit_test/kubectl_apply.sh b/unit_test/kubectl_apply.sh
@@ -0,0 +1,203 @@
+#!/bin/bash
+GREEN='\033[3;92m'
+BCYAN='\033[1;96m'
+UCYAN='\033[4;96m'
+NO_COLOR='\033[0m'
+
+
+if [ "$1" = "-h" ];
+then
+  echo -e "${UCYAN}How to run unit-test:${NO_COLOR}"
+  echo -e "${BCYAN}$(cat readme)${NO_COLOR}"
+  exit 0
+fi
+
+DEFAULT_SECRET=$(kubectl get sa default -o=jsonpath='{.secrets[0].name}')
+echo -e "${GREEN}Creating kubiscan-sa...${NO_COLOR}"
+kubectl apply -f kubiscan-sa
+echo -e "${GREEN}Creating kubiscan-sa2...${NO_COLOR}"
+kubectl apply -f kubiscan-sa2
+KUBISCAN_SA_SECRET=$(kubectl get sa kubiscan-sa -o=jsonpath='{.secrets[0].name}')
+KUBISCAN_SA2_SECRET=$(kubectl get sa kubiscan-sa2 -o=jsonpath='{.secrets[0].name}')
+echo -e "${BCYAN}kubiscan-sa secret: "$KUBISCAN_SA_SECRET", kubiscan-sa2 secret: "$KUBISCAN_SA2_SECRET ${NO_COLOR}""
+
+echo -e "${GREEN}Creating test1-yes pod...${NO_COLOR}"
+kubectl apply -f - << EOF
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test1-yes
+spec:
+  serviceAccountName: kubiscan-sa
+  containers:
+  - name: test1-yes
+    image: nginx
+EOF
+
+echo -e "${GREEN}Creating test5-yes pod...${NO_COLOR}"
+kubectl apply -f - << EOF
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test5a-yes
+  namespace: default
+spec:
+  serviceAccountName: kubiscan-sa
+  containers:
+  - image: nginx
+    name: test5ac1-no
+    volumeMounts:
+    - name: secret-volume
+      readOnly: true
+      mountPath: "/var/run/secrets/kubernetes.io/serviceaccount"
+  - image: nginx
+    name: test5ac2-yes
+  volumes:
+  - name: secret-volume
+    secret:
+      secretName: "$DEFAULT_SECRET"
+EOF
+
+echo -e "${GREEN}Creating test8-yes pod...${NO_COLOR}"
+kubectl apply -f - << EOF
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test8-yes
+  namespace: default
+spec:
+  serviceAccountName: kubiscan-sa
+  containers:
+  - image: nginx
+    name: test8c-yes
+    volumeMounts:
+    - name: secret-volume
+      readOnly: true
+      mountPath: "/var/run/secrets/kubernetes.io/serviceaccount"
+    - name: secret-volume2
+      mountPath: "/var/run/secrets/tokens"
+  volumes:
+  - name: secret-volume
+    secret:
+      secretName: "$KUBISCAN_SA_SECRET"
+  - name: secret-volume2
+    secret:
+      secretName: "$KUBISCAN_SA2_SECRET"
+EOF
+
+echo -e "${GREEN}Creating test1-no pod...${NO_COLOR}"
+kubectl apply -f - <<EOF
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test1-no
+spec:
+  serviceAccountName: default
+  containers:
+  - name: test1-no
+    image: nginx
+EOF
+
+echo -e "${GREEN}Creating test2b-no pod...${NO_COLOR}"
+kubectl apply -f - <<EOF
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test2b-no
+spec:
+  serviceAccountName: default
+  volumes:
+  - name: secret-volume
+    secret:
+      secretName: "$KUBISCAN_SA2_SECRET"
+  containers:
+  - name: test2b-no
+    image: nginx
+    volumeMounts:
+    - name: secret-volume
+      readOnly: true
+      mountPath: "/var/run/secrets/kubernetes.io/serviceaccount"
+EOF
+
+echo -e "${GREEN}Creating test3-yes pod...${NO_COLOR}"
+kubectl apply -f - << EOF
+apiVersion: v1
+kind: Pod
+metadata: 
+  name: test3-yes
+  namespace: default
+spec: 
+  containers: 
+    - 
+      image: nginx
+      name: test3-yes
+      volumeMounts: 
+        - 
+          mountPath: /var/run/secrets/tokens2
+          name: sa
+        - 
+          mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+          name: secret-volume
+          readOnly: true
+  serviceAccountName: default
+  volumes: 
+    - 
+      name: sa
+      projected: 
+        sources: 
+          - 
+            serviceAccountToken: 
+              audience: some-oidc-audience
+              expirationSeconds: 86400
+              path: sa
+    - 
+      name: secret-volume
+      secret: 
+        secretName: "$KUBISCAN_SA_SECRET"
+EOF
+
+echo -e "${GREEN}Creating test6-yes pod...${NO_COLOR}"
+kubectl apply -f - <<EOF
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test6-yes
+  namespace: default
+spec:
+  serviceAccountName: kubiscan-sa
+  containers:
+  - image: nginx
+    name: test6a-yes
+  - image: nginx
+    name: test6b-yes
+EOF
+
+
+echo -e "${GREEN}Creating test7-yes pod...${NO_COLOR}"
+kubectl apply -f - <<EOF
+apiVersion: v1
+kind: Pod
+metadata:
+  name: test7-yes
+  namespace: default
+spec:
+  serviceAccountName: kubiscan-sa
+  containers:
+  - image: nginx
+    name: test7c1-no
+    volumeMounts:
+    - name: secret-volume
+      readOnly: true
+      mountPath: "/var/run/secrets/kubernetes.io/serviceaccount"
+    - name: not-token-secret
+      mountPath: "/var/run/secrets/tokens"
+  - image: nginx
+    name: test7c2-yes
+  volumes:
+  - name: secret-volume
+    secret:
+      secretName: "${KUBISCAN_SA2_SECRET}"
+  - name: not-token-secret
+    secret:
+      secretName: mysecret
+EOF
diff --git a/unit_test/kubiscan-sa b/unit_test/kubiscan-sa
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kubiscan-sa
+  namespace: default
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata: 
+  name: kubiscan-clusterrolebinding
+subjects: 
+- kind: ServiceAccount 
+  name: kubiscan-sa
+  namespace: default
+  apiGroup: ""
+roleRef: 
+  kind: ClusterRole
+  name: kubiscan-clusterrole
+  apiGroup: ""
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata: 
+  name: kubiscan-clusterrole
+rules: 
+- apiGroups: ["*"]
+  resources: ["roles", "clusterroles", "rolebindings", "clusterrolebindings", "pods", "secrets"]
+  verbs: ["get", "list"]
diff --git a/unit_test/kubiscan-sa2 b/unit_test/kubiscan-sa2
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kubiscan-sa2
+  namespace: default
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata: 
+  name: kubiscan-clusterrolebinding2
+subjects: 
+- kind: ServiceAccount 
+  name: kubiscan-sa2
+  namespace: default
+  apiGroup: ""
+roleRef: 
+  kind: ClusterRole
+  name: kubiscan-clusterrole2
+  apiGroup: ""
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata: 
+  name: kubiscan-clusterrole2
+rules: 
+- apiGroups: ["*"]
+  resources: ["roles", "clusterroles", "rolebindings", "clusterrolebindings", "pods"]
+  verbs: ["get", "list"]
diff --git a/unit_test/readme b/unit_test/readme
@@ -0,0 +1,14 @@
+
+[1] Commit and push your changes to your repository.
+[2] Make sure minikube is down on the host.
+[3] Make sure docker is installed on the host.
+[4] Type the following command:
+    "docker run --network host -v /var/run/docker.sock:/var/run/docker.sock -ti natan2nik/kubiscan-unittest:latest"
+-Make sure you are in the container as root
+[5] Type the following commands:
+    "cd /tmp"
+    "git clone <your repo>"
+    "cd KubiScan/for_unit_test/"
+    "./kubectl_apply.sh"
+[6] For the unit-test run the following command:
+    python3 -m pytest -v unit_test.py