
Commit a1d7b90

test: pass args dynamic to e2e (#134)
* test: pass args dynamic to e2e Signed-off-by: chenk <hen.keinan@gmail.com> * test: pass args dynamic to e2e Signed-off-by: chenk <hen.keinan@gmail.com> * test: pass args dynamic to e2e Signed-off-by: chenk <hen.keinan@gmail.com> * test: pass args dynamic to e2e Signed-off-by: chenk <hen.keinan@gmail.com> * test: pass args dynamic to e2e Signed-off-by: chenk <hen.keinan@gmail.com> * test: pass args dynamic to e2e Signed-off-by: chenk <hen.keinan@gmail.com> * test: pass args dynamic to e2e Signed-off-by: chenk <hen.keinan@gmail.com> * test: pass args dynamic to e2e Signed-off-by: chenk <hen.keinan@gmail.com> * test: pass args dynamic to e2e Signed-off-by: chenk <hen.keinan@gmail.com> * test: pass args dynamic to e2e Signed-off-by: chenk <hen.keinan@gmail.com> * test: pass args dynamic to e2e Signed-off-by: chenk <hen.keinan@gmail.com> * test: pass args dynamic to e2e Signed-off-by: chenk <hen.keinan@gmail.com> * test: pass args dynamic to e2e Signed-off-by: chenk <hen.keinan@gmail.com> * test: pass args dynamic to e2e Signed-off-by: chenk <hen.keinan@gmail.com> * test: pass args dynamic to e2e Signed-off-by: chenk <hen.keinan@gmail.com> * test: pass args dynamic to e2e Signed-off-by: chenk <hen.keinan@gmail.com> * test: pass args dynamic to e2e Signed-off-by: chenk <hen.keinan@gmail.com> * test: pass args dynamic to e2e Signed-off-by: chenk <hen.keinan@gmail.com> * test: pass args dynamic to e2e Signed-off-by: chenk <hen.keinan@gmail.com> * test: pass args dynamic to e2e Signed-off-by: chenk <hen.keinan@gmail.com> * test: pass args dynamic to e2e Signed-off-by: chenk <hen.keinan@gmail.com> * test: pass args dynamic to e2e Signed-off-by: chenk <hen.keinan@gmail.com> * test: pass args dynamic to e2e Signed-off-by: chenk <hen.keinan@gmail.com> * test: pass args dynamic to e2e Signed-off-by: chenk <hen.keinan@gmail.com> * test: pass args dynamic to e2e Signed-off-by: chenk <hen.keinan@gmail.com> --------- Signed-off-by: chenk <hen.keinan@gmail.com>
1 parent 40a4431 commit a1d7b90


8 files changed

+742
-13
lines changed


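--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -146,6 +146,8 @@ jobs:
 - name: Run node-collector job
 run: >
 
+go run ./tests/e2e/job-update.go
+
 kubectl apply -f ./tests/e2e/job.yaml
 
 kubectl wait --for=condition=Complete --timeout=30s job/node-collector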
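Review bot: The added `go run ./tests/e2e/job-update.go` line gives the reader no hint of what it produces or why it has to run before `kubectl apply -f ./tests/e2e/job.yaml` on the next line; it presumably rewrites job.yaml from the e2e fixtures, but nothing in the step says so and the helper is not in this chunk. A comment above the command, along the lines of `# job-update.go rewrites tests/e2e/job.yaml; it must run before the apply below` (wording to be confirmed against the helper), would make the ordering dependency explicit. Because `run: >` is a folded scalar, the blank line added after the command is what keeps it on its own line, so it should stay. The enclosing job definition continues outside the hunk.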

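--- a/pkg/collector/collect_test.go
+++ b/pkg/collector/collect_test.go
@@ -223,7 +223,7 @@ func TestNodeCommamnd(t *testing.T) {
 t.Run(tt.name, func(t *testing.T) {
 fd, err := os.ReadFile(tt.commandsFilePath)
 assert.NoError(t, err)
-commands, err := compressAndEncode(fd)
+commands, err := CompressAndEncode(fd)
 assert.NoError(t, err)
 got, err := GetNodesCommands(string(commands), map[string]string{}, "master")
 assert.NoError(t, err)
@@ -232,7 +232,7 @@ func TestNodeCommamnd(t *testing.T) {
 }
 }
 
-func compressAndEncode(data []byte) (string, error) {
+func CompressAndEncode(data []byte) (string, error) {
 cm, err := bzip2Compress(data)
 if err != nil {
 return "", err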
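Review bot: Exporting compressAndEncode as CompressAndEncode in the second hunk has no effect outside this package, because a file ending in _test.go is compiled only into pkg/collector's own test binary; if the new tests/e2e/job-update.go is meant to call it, that program will not find the symbol. The helper is not in this chunk, so whether it depends on this function is inferred from the commit title. If the function is meant to be shared, move `CompressAndEncode` together with the `bzip2Compress` it calls into a non-test file of pkg/collector and keep the call in the first hunk as it is; otherwise the rename is dead weight and the unexported name should stay. The body of CompressAndEncode continues outside the hunk.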

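--- /dev/null
+++ b/tests/e2e/commands.yaml
@@ -0,0 +1,349 @@
+---
+commands:
+- audit: stat -c %U:%G /etc/kubernetes/admin.conf
+id: CMD-0014
+key: adminConfFileOwnership
+nodeType: master
+platforms:
+- k8s
+title: admin.conf file ownership
+- audit: stat -c %a /etc/kubernetes/admin.conf
+id: CMD-0013
+key: adminConfFilePermissions
+nodeType: master
+platforms:
+- k8s
+title: admin.conf file permissions
+- audit: stat -c %U:%G $(ps -ef | grep $kubelet.bins |grep 'client-ca-file' | grep
+-o 'client-ca-file=[^"]\S*' | awk -F "=" '{print $2}' |awk 'FNR <= 1') 2>
+/dev/null
+id: CMD-0029
+key: certificateAuthoritiesFileOwnership
+nodeType: worker
+platforms:
+- k8s
+title: Client certificate authorities file ownership
+- audit: stat -c %a $(ps -ef | grep kubelet |grep 'client-ca-file' | grep -o
+'client-ca-file=[^"]\S*' | awk -F "=" '{print $2}' |awk 'FNR <= 1') 2>
+/dev/null
+id: CMD-0028
+key: certificateAuthoritiesFilePermissions
+nodeType: worker
+platforms:
+- k8s
+title: Client certificate authorities file permissions
+- audit: stat -c %U:%G /*/cni/*
+id: CMD-0010
+key: containerNetworkInterfaceFileOwnership
+nodeType: master
+platforms:
+- k8s
+title: Container Network Interface file ownership
+- audit: stat -c %a /*/cni/*
+id: CMD-0009
+key: containerNetworkInterfaceFilePermissions
+nodeType: master
+platforms:
+- k8s
+title: Container Network Interface file permissions
+- audit: stat -c %U:%G $controllermanager.kubeconfig
+id: CMD-0018
+key: controllerManagerConfFileOwnership
+nodeType: master
+platforms:
+- k8s
+title: controller-manager.conf file ownership
+- audit: stat -c %a $controllermanager.kubeconfig
+id: CMD-0017
+key: controllerManagerConfFilePermissions
+nodeType: master
+platforms:
+- k8s
+title: controller-manager.conf file permissions
+- audit: stat -c %U:%G $etcd.datadirs
+id: CMD-0012
+key: etcdDataDirectoryOwnership
+nodeType: master
+platforms:
+- k8s
+title: Etcd data directory Ownership
+- audit: stat -c %a $etcd.datadirs
+id: CMD-0011
+key: etcdDataDirectoryPermissions
+nodeType: master
+platforms:
+- k8s
+title: Etcd data directory permissions
+- audit: stat -c %U:%G $apiserver.confs
+id: CMD-0002
+key: kubeAPIServerSpecFileOwnership
+nodeType: master
+platforms:
+- k8s
+title: API server pod specification file ownership
+- audit: stat -c %a $apiserver.confs
+id: CMD-0001
+key: kubeAPIServerSpecFilePermission
+nodeType: master
+platforms:
+- k8s
+title: API server pod specification file permissions
+- audit: stat -c %U:%G $controllermanager.confs
+id: CMD-0004
+key: kubeControllerManagerSpecFileOwnership
+nodeType: master
+platforms:
+- k8s
+title: Controller manager pod specification file ownership is set to root:root
+- audit: stat -c %a $controllermanager.confs
+id: CMD-0003
+key: kubeControllerManagerSpecFilePermission
+nodeType: master
+platforms:
+- k8s
+title: Controller manager pod specification file permissions
+- audit: stat -c %U:%G $etcd.confs
+id: CMD-0008
+key: kubeEtcdSpecFileOwnership
+nodeType: master
+platforms:
+- k8s
+title: Etcd pod specification file ownership
+- audit: stat -c %a $etcd.confs
+id: CMD-0007
+key: kubeEtcdSpecFilePermission
+nodeType: master
+platforms:
+- k8s
+title: Etcd pod specification file permissions
+- audit: stat -c %U:%G $(ls -R $kubelet.cafile | awk
+'/:$/&&f{s=$0;f=0}/:$/&&!f{sub(/:$/,"");s=$0;f=1;next}NF&&f{print s"/"$0
+}')
+id: CMD-0019
+key: kubePKIDirectoryFileOwnership
+nodeType: master
+platforms:
+- k8s
+title: Kubernetes PKI directory and file ownership
+- audit: stat -c %a $(ls -aR $kubelet.cafile | awk
+'/:$/&&f{s=$0;f=0}/:$/&&!f{sub(/:$/,"");s=$0;f=1;next}NF&&f{print s"/"$0}'
+| grep \.key$)
+id: CMD-0021
+key: kubePKIKeyFilePermissions
+nodeType: master
+platforms:
+- k8s
+title: Kubernetes PKI certificate file permissions
+- audit: stat -c %U:%G $scheduler.confs
+id: CMD-0006
+key: kubeSchedulerSpecFileOwnership
+nodeType: master
+platforms:
+- k8s
+title: Scheduler pod specification file ownership
+- audit: stat -c %a $scheduler.confs
+id: CMD-0005
+key: kubeSchedulerSpecFilePermission
+nodeType: master
+platforms:
+- k8s
+title: Scheduler pod specification file permissions
+- audit: output=`stat -c %U:%G $(ps -ef | grep $proxy.bins |grep 'kubeconfig' |
+grep -o 'kubeconfig=[^"]\S*' | awk -F "=" '{print $2}' |awk 'FNR <= 1')
+2>/dev/null` || echo $output
+id: CMD-0025
+key: kubeconfigFileExistsOwnership
+nodeType: worker
+platforms:
+- k8s
+title: Kubeconfig file exists ensure ownership
+- audit: output=`stat -c %a $(ps -ef | grep $proxy.bins |grep 'kubeconfig' | grep
+-o 'kubeconfig=[^"]\S*' | awk -F "=" '{print $2}' |awk 'FNR <= 1')
+2>/dev/null` || echo $output
+id: CMD-0024
+key: kubeconfigFileExistsPermissions
+nodeType: worker
+platforms:
+- k8s
+title: Kubeconfig file exists ensure permissions
+- audit: ps -ef | grep $kubelet.bins |grep ' --anonymous-auth' | grep -o '
+--anonymous-auth=[^"]\S*' | awk -F "=" '{print $2}' |awk 'FNR <= 1'
+id: CMD-0032
+key: kubeletAnonymousAuthArgumentSet
+nodeType: worker
+platforms:
+- k8s
+title: kubelet --anonymous-auth argument is set
+- audit: ps -ef | grep $kubelet.bins |grep ' --authorization-mode' | grep -o '
+--authorization-mode=[^"]\S*' | awk -F "=" '{print $2}' |awk 'FNR <= 1'
+id: CMD-0033
+key: kubeletAuthorizationModeArgumentSet
+nodeType: worker
+platforms:
+- k8s
+title: kubelet --authorization-mode argument is set
+- audit: ps -ef | grep $kubelet.bins |grep ' --client-ca-file' | grep -o '
+--client-ca-file=[^"]\S*' | awk -F "=" '{print $2}' |awk 'FNR <= 1'
+id: CMD-0034
+key: kubeletClientCaFileArgumentSet
+nodeType: worker
+platforms:
+- k8s
+title: kubelet --client-ca-file argument is set
+- audit: stat -c %U:%G $kubelet.kubeconfig
+id: CMD-0027
+key: kubeletConfFileOwnership
+nodeType: worker
+platforms:
+- k8s
+title: kubelet.conf file ownership
+- audit: stat -c %a $kubelet.kubeconfig
+id: CMD-0026
+key: kubeletConfFilePermissions
+nodeType: worker
+platforms:
+- k8s
+title: kubelet.conf file permissions
+- audit: stat -c %U:%G $kubelet.confs
+id: CMD-0031
+key: kubeletConfigYamlConfigurationFileOwnership
+nodeType: worker
+platforms:
+- k8s
+title: kubelet config.yaml configuration file ownership
+- audit: stat -c %a $kubelet.confs
+id: CMD-0030
+key: kubeletConfigYamlConfigurationFilePermission
+nodeType: worker
+platforms:
+- k8s
+title: kubelet config.yaml configuration file permissions
+- audit: ps -ef | grep $kubelet.bins |grep ' --event-qps' | grep -o '
+--event-qps=[^"]\S*' | awk -F "=" '{print $2}' |awk 'FNR <= 1'
+id: CMD-0040
+key: kubeletEventQpsArgumentSet
+nodeType: worker
+platforms:
+- k8s
+title: kubelet --event-qps argument is set
+- audit: ps -ef | grep $kubelet.bins |grep ' --hostname-override' | grep -o '
+--hostname-override=[^"]\S*' | awk -F "=" '{print $2}' |awk 'FNR <= 1'
+id: CMD-0039
+key: kubeletHostnameOverrideArgumentSet
+nodeType: worker
+platforms:
+- k8s
+title: kubelet hostname-override argument is set
+- audit: ps -ef | grep $kubelet.bins |grep ' --make-iptables-util-chains' | grep
+-o ' --make-iptables-util-chains=[^"]\S*' | awk -F "=" '{print $2}' |awk
+'FNR <= 1'
+id: CMD-0038
+key: kubeletMakeIptablesUtilChainsArgumentSet
+nodeType: worker
+platforms:
+- k8s
+title: kubelet --make-iptables-util-chains argument is set
+- audit: ps -ef | grep $kubelet.bins |grep 'TLSCipherSuites' | grep -o
+'TLSCipherSuites=[^"]\S*' | awk -F "=" '{print $2}' |awk 'FNR <= 1'
+id: CMD-0045
+key: kubeletOnlyUseStrongCryptographic
+nodeType: worker
+platforms:
+- k8s
+title: Kubelet only makes use of Strong Cryptographic
+- audit: ps -ef | grep $kubelet.bins |grep ' --protect-kernel-defaults' | grep -o
+' --protect-kernel-defaults=[^"]\S*' | awk -F "=" '{print $2}' |awk 'FNR
+<= 1'
+id: CMD-0037
+key: kubeletProtectKernelDefaultsArgumentSet
+nodeType: worker
+platforms:
+- k8s
+title: kubelet --protect-kernel-defaults argument is set
+- audit: ps -ef | grep $kubelet.bins |grep ' --read-only-port' | grep -o '
+--read-only-port=[^"]\S*' | awk -F "=" '{print $2}' |awk 'FNR <= 1'
+id: CMD-0035
+key: kubeletReadOnlyPortArgumentSet
+nodeType: worker
+platforms:
+- k8s
+title: kubelet --read-only-port argument is set
+- audit: ps -ef | grep $kubelet.bins |grep ' --rotate-certificates' | grep -o '
+--rotate-certificates=[^"]\S*' | awk -F "=" '{print $2}' |awk 'FNR <= 1'
+id: CMD-0043
+key: kubeletRotateCertificatesArgumentSet
+nodeType: worker
+platforms:
+- k8s
+title: kubelet --rotate-certificates argument is set
+- audit: ps -ef | grep $kubelet.bins |grep 'RotateKubeletServerCertificate' | grep
+-o 'RotateKubeletServerCertificate=[^"]\S*' | awk -F "=" '{print $2}' |awk
+'FNR <= 1'
+id: CMD-0044
+key: kubeletRotateKubeletServerCertificateArgumentSet
+nodeType: worker
+platforms:
+- k8s
+title: kubelet RotateKubeletServerCertificate argument is set
+- audit: stat -c %U:%G $kubelet.svc
+id: CMD-0023
+key: kubeletServiceFileOwnership
+nodeType: worker
+platforms:
+- k8s
+title: Kubelet service file ownership
+- audit: stat -c %a $kubelet.svc
+id: CMD-0022
+key: kubeletServiceFilePermissions
+nodeType: worker
+platforms:
+- k8s
+title: Kubelet service file permissions
+- audit: ps -ef | grep $kubelet.bins |grep ' --streamingConnectionIdleTimeout' |
+grep -o ' --streamingConnectionIdleTimeout=[^"]\S*' | awk -F "=" '{print
+$2}' |awk 'FNR <= 1'
+id: CMD-0036
+key: kubeletStreamingConnectionIdleTimeoutArgumentSet
+nodeType: worker
+platforms:
+- k8s
+title: kubelet --streaming-connection-idle-timeout argument is set
+- audit: ps -ef | grep $kubelet.bins |grep ' --tls-cert-file' | grep -o '
+--tls-cert-file=[^"]\S*' | awk -F "=" '{print $2}' |awk 'FNR <= 1'
+id: CMD-0041
+key: kubeletTlsCertFileTlsArgumentSet
+nodeType: worker
+platforms:
+- k8s
+title: kubelet --tls-cert-file argument is set
+- audit: ps -ef | grep $kubelet.bins |grep ' --tls-private-key-file' | grep -o '
+--tls-private-key-file=[^"]\S*' | awk -F "=" '{print $2}' |awk 'FNR <= 1'
+id: CMD-0042
+key: kubeletTlsPrivateKeyFileArgumentSet
+nodeType: worker
+platforms:
+- k8s
+title: kubelet --tls-private-key-file argument is set
+- audit: stat -c %a $(ls -aR $kubelet.cafile |
+awk'/:$/&&f{s=$0;f=0}/:$/&&!f{sub(/:$/,"");s=$0;f=1;next}NF&&f{print
+s"/"$0}' | grep \.crt$)
+id: CMD-0020
+key: kubernetesPKICertificateFilePermissions
+nodeType: master
+platforms:
+- k8s
+title: Kubernetes PKI certificate file permissions
+- audit: stat -c %U:%G $scheduler.kubeconfig
+id: CMD-0016
+key: schedulerConfFileOwnership
+nodeType: master
+platforms:
+- k8s
+title: scheduler.conf file ownership
+- audit: stat -c %a $scheduler.kubeconfig
+id: CMD-0015
+key: schedulerConfFilePermissions
+nodeType: master
+platforms:
+- k8s
+title: scheduler.conf file permissions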
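Review bot: In the CMD-0020 entry (new-file line 328) the awk program is glued to the command name, `awk'/:$/&&f{...`, so the shell will look for an executable called awk/:$/&&f... instead of running awk with that program; the sibling entries CMD-0019 and CMD-0021 have the space, and this one should read `| awk '/:$/&&f{s=$0;f=0}/:$/&&!f{sub(/:$/,"");s=$0;f=1;next}NF&&f{print s"/"$0}' | grep \.crt$)`. CMD-0036 greps the kubelet process line for ` --streamingConnectionIdleTimeout`, while its own title names the `--streaming-connection-idle-timeout` flag; a kubelet started with the flag from the title would not match that pattern, so the fixture either targets a different invocation or carries the same mismatch as the file it was copied from, which is not in this chunk. CMD-0028 greps for the literal `kubelet` where every other process-line entry uses the `$kubelet.bins` placeholder, which looks like an oversight rather than intent. Since these fixtures drive the e2e job, a mismatch here silently produces an empty result instead of a failure, so the copied commands are worth diffing against their source before relying on them.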
