package kubeadm
import (
"fmt"
"strings"
"github.com/flanksource/commons/console"
"github.com/flanksource/karina/pkg/platform"
)
// Names under which the checks in this file report to console.TestResults.
const (
	// testEncryptionName labels the encryption-at-rest check (TestEncryption).
	testEncryptionName = "encryption"
	// testAuditName labels the API server audit-logging check (TestAudit).
	testAuditName = "auditing"
)
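// TestAudit verifies the API server audit-logging configuration of platform p
// and records the outcome under testAuditName in tr.
//
// The check is skipped silently when no audit policy file is configured
// (AuditConfig.PolicyFile presumably maps to the API server's
// --audit-policy-file flag — that wiring is not visible here). Otherwise a
// non-empty `audit-log-path` must be present in the API server extra args;
// "-" (log to stdout) is accepted without further inspection.
//
// Only the configuration is inspected: the test does not confirm that audit
// events are actually written. The earlier implementation measured the log
// directory with `du` inside the kube-apiserver container, which breaks on
// Kubernetes 1.20 images that ship no `du` binary, so that step was dropped.
func TestAudit(p *platform.Platform, tr *console.TestResults) {
	if p.Kubernetes.AuditConfig.PolicyFile == "" {
		// Auditing is not enabled on this platform; nothing to verify.
		return
	}
	if _, err := p.GetClientset(); err != nil {
		// Without a client nothing further can be checked.
		tr.Failf(testAuditName, "Failed to get k8s client: %v", err)
		return
	}

	logFilePath, ok := p.Kubernetes.APIServerExtraArgs["audit-log-path"]
	switch {
	case !ok:
		tr.Failf(testAuditName, "No audit-log-path is specified!")
	case logFilePath == "":
		tr.Failf(testAuditName, "Empty audit-log-path is specified!")
	case logFilePath == "-":
		// api-server is configured to log to stdout, not verifying output.
		tr.Infof("audit-log-path is stdout, audit log output is not verified")
	default:
		// A file path is configured but the file itself is not inspected (see
		// above). Say so explicitly instead of recording nothing: a check that
		// reports neither pass nor fail is easy to mistake for a pass.
		tr.Infof("audit-log-path is '%v', audit log file is not verified", logFilePath)
	}
}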
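// TestEncryption verifies that Kubernetes secrets are encrypted at rest and
// records the outcome under testEncryptionName in tr.
//
// The check is skipped silently when no encryption provider config file is
// configured. Otherwise it creates (or updates) a secret with a known value in
// the default namespace, reads the stored object straight out of etcd with
// etcdctl in the first etcd pod, and requires the stored value to carry the
// "k8s:enc:<provider>:<version>:<key>:" envelope that every encrypting
// provider (aescbc, aesgcm, secretbox, kms) writes. A plaintext entry, as
// written by the identity provider, is reported as a failure. Finally the
// secret is read back through the API server to confirm it decrypts to the
// value that was written.
//
// NOTE(review): the test secret is never deleted. CreateOrUpdateSecret keeps
// repeated runs idempotent, but the object stays in the default namespace;
// the Client methods used here expose no delete helper — confirm whether one
// exists and remove the secret at the end if so.
func TestEncryption(p *platform.Platform, tr *console.TestResults) {
	if p.Kubernetes.EncryptionConfig.EncryptionProviderConfigFile == "" {
		// Encryption at rest is not enabled on this platform; nothing to verify.
		return
	}
	if _, err := p.GetClientset(); err != nil {
		// Without a client nothing further can be checked.
		tr.Failf(testEncryptionName, "Failed to get k8s client: %v", err)
		return
	}

	etcdPod, err := p.Client.GetFirstPodByLabelSelector("kube-system", "component=etcd")
	if err != nil {
		tr.Failf(testEncryptionName, "Failed to get etcd pod: %v", err)
		return
	}
	tr.Infof("ETCD pod '%v' found", etcdPod.Name)

	const (
		ns          = "default"
		secretName  = "encryption-test-secret"
		secretKey   = "test-secret"
		secretValue = "correct-horse-battery-staple" // deliberately non-sensitive test data
	)
	tr.Infof("Creating secret '%v' in namespace '%v'", secretName, ns)
	err = p.Client.CreateOrUpdateSecret(secretName, ns, map[string][]byte{
		secretKey: []byte(secretValue),
	})
	if err != nil {
		tr.Failf(testEncryptionName, "Failed to create secret: %v", err)
		return
	}

	// Read the raw object from etcd, bypassing the API server, so the on-disk
	// form is inspected rather than the decrypted view. ns and secretName are
	// compile-time constants, so the shell command contains no untrusted input.
	// NOTE(review): the etcd peer certificate is used for client auth; kubeadm
	// also issues a dedicated healthcheck-client cert in the same directory,
	// which would be the narrower choice if the etcd image carries it — confirm.
	etcdKey := fmt.Sprintf("/registry/secrets/%v/%v", ns, secretName)
	verificationCommand := "ETCDCTL_API=3 etcdctl get " + etcdKey +
		" --endpoints https://127.0.0.1:2379" +
		" --cacert /etc/kubernetes/pki/etcd/ca.crt" +
		" --cert /etc/kubernetes/pki/etcd/peer.crt" +
		" --key /etc/kubernetes/pki/etcd/peer.key"
	tr.Debugf("verificationCommand: %v", verificationCommand)
	stdout, stderr, err := p.ExecutePodf("kube-system", etcdPod.Name, "etcd",
		"/bin/sh", "-c", verificationCommand)
	if err != nil || stderr != "" {
		tr.Failf(testEncryptionName, "Failed to verify secret: %v\n%v", err, stderr)
		return
	}

	// etcdctl v3 `get` prints the key on a line of its own before the raw
	// value (unless --print-value-only is given); strip that line so the
	// envelope check below looks at the stored value and not at the key.
	const encryptedPrefix = "k8s:enc:"
	value := strings.TrimPrefix(stdout, etcdKey+"\n")
	if value == "" {
		tr.Failf(testEncryptionName, "Secret %v not found in etcd at %v", secretName, etcdKey)
		return
	}
	if !strings.HasPrefix(value, encryptedPrefix) {
		// No envelope means the object sits in etcd as plaintext protobuf;
		// this is the condition the test exists to catch, so it must fail
		// loudly rather than stay silent.
		tr.Failf(testEncryptionName, "Secret %v is stored in etcd without the %q envelope (stored value starts with %.64q)",
			secretName, encryptedPrefix, value)
		return
	}
	// Log only the envelope header (provider, version, key name), not the
	// ciphertext itself.
	header := value
	if parts := strings.SplitN(value, ":", 6); len(parts) == 6 {
		header = strings.Join(parts[:5], ":") + ":"
	}
	tr.Passf(testEncryptionName, "ETCD reports key %v is encrypted (%v)", etcdKey, header)

	// Round trip through the API server: the stored value must decrypt back
	// to exactly what was written.
	s := p.Client.GetSecret(ns, secretName)
	if s == nil {
		tr.Failf(testEncryptionName, "Failed to read back secret %v", secretName)
		return
	}
	got, ok := (*s)[secretKey]
	if !ok {
		tr.Failf(testEncryptionName, "Failed to find secret key %v in secret %v", secretKey, secretName)
		return
	}
	if string(got) != secretValue {
		tr.Failf(testEncryptionName, "Secret %v could not be read, wanted %v, got %v", secretName, secretValue, got)
		return
	}
	tr.Passf(testEncryptionName, "Secret %v is readable", secretName)
}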