Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

test(kube-bench): Add integration test for kube-bench command #98

Merged
merged 1 commit into from
Jul 28, 2020
Merged

test(kube-bench): Add integration test for kube-bench command #98

merged 1 commit into from
Jul 28, 2020

Conversation

danielpacak
Copy link
Contributor

@danielpacak danielpacak commented Jul 27, 2020
edited
Loading

This PR:

  • Adds scenario for integration test kube-bench command
  • Attempts to test kube-hunter in a similar way to kube-bench, but I gave up for now. The test is failing on GitHub actions runner for some reason.
  • Fixes bug in kube-bench runner, where we called wg.Done() too early. This caused an issue with CISKubeBenchReports which where not sent to Kebernetes API

/cc @krol3

Signed-off-by: Daniel Pacak pacak.daniel@gmail.com

@codecov
Copy link

codecov bot commented Jul 27, 2020
edited
Loading

Codecov Report

Merging #98 into master will decrease coverage by 0.04%.
The diff coverage is 0.00%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master      #98      +/-   ##
==========================================
- Coverage   11.35%   11.30%   -0.05%     
==========================================
  Files          27       27              
  Lines        1295     1300       +5     
==========================================
  Hits          147      147              
- Misses       1141     1146       +5     
  Partials        7        7
Impacted Files Coverage Δ
pkg/cmd/kube_bench.go 0.00% <0.00%> (ø)
pkg/kubebench/scanner.go 0.00% <0.00%> (ø)

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update bce75c3...34ac151. Read the comment docs.

@danielpacak danielpacak force-pushed the itest_kube_hunter branch 15 times, most recently from 728e9b0 to 2934736 Compare July 28, 2020 11:36
@danielpacak
test(kube-bench): Add integration test for kube-bench command
34ac151 
Signed-off-by: Daniel Pacak <pacak.daniel@gmail.com>
@danielpacak danielpacak changed the title test(kube-hunter): Add integration test for kube-hunter command test(kube-bench): Add integration test for kube-bench command Jul 28, 2020
@danielpacak danielpacak requested a review from lizrice July 28, 2020 13:50
lizrice
lizrice approved these changes Jul 28, 2020
View reviewed changes
Copy link
Contributor

@lizrice lizrice left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't have any experience with ginkgo so I am taking your word for it :-)

Couple of small comments / suggestions but I am happy

pkg/kubebench/scanner.go
Comment on lines +117 to +120
Labels: labels.Set{
"app.kubernetes.io/name": "starboard-cli",
kube.LabelResourceKind: string(kube.KindNode),
kube.LabelResourceName: node.Name,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if in addition we should add a label to indicate that it's a kube-bench job? something like "starboard-app": "kube-bench" maybe? (also for pod-spec and for other kinds of tool)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes. That's a very good point. I'll take it as a separate issue to review the labels to identify scan job and the underlying tools.
I think it's less relevant for Starboard CLI, but the Operator has no clue which scanner we're running in the starboard namespace.

itest/integration_test.go
// TODO run by the BeforeEach callback fails when it attempts to create Kubernetes objects in the
// TODO starboard namespace that is being terminated.
//
// TODO Maybe the cleanup command should block and wait unit the namespace is terminated?
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this might be a good idea for users too. I ran into this recently - cleanup followed quickly by init failed. It was pretty obvious why, but waiting for the namespace to be gone would prevent it from being a problem at all.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Created a task to follow up #99

@danielpacak danielpacak merged commit ad6bb85 into master Jul 28, 2020
@danielpacak danielpacak deleted the itest_kube_hunter branch July 28, 2020 15:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@lizrice lizrice lizrice approved these changes

Assignees

@lizrice lizrice

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@danielpacak @lizrice