...
Integration security tests are deployed by the integration teams (some tests are developed internally).
Security Tests
Tests | Description | Code | Comments |
---|---|---|---|
root_pods | check that pods are not using the root user or started as root | kubectl | |
unlimitted_pods | check that limits are set for pods | kubectl | |
cis_kubernetes | perform the k8s CIS test suite (upstream src aquasecurity) | | |
nonssl_endpoints | check that all public HTTP endpoints exposed in the ONAP cluster use SSL tunnels | kubectl, nmap | |
http_public_endpoints | check that there are no public HTTP endpoints exposed in the ONAP cluster | kubectl, nmap | |
jdpw_ports | check that there are no internal Java ports exposed | kubectl, procfs | |
kube_hunter | security suite to search for k8s vulnerabilities (upstream src aquasecurity) | | |
versions | check that Java and Python are available only in the versions recommended by SECCOM. This test is long and runs only in weekly CI chains | cerberus, kubernetes python lib | |
tern | check the component licenses within the ONAP dockers | kubectl | |
The scoring allows some failures to be accepted, which raises the reported outcome (maximum 100%).
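As an added illustration (not ONAP's own test code), the following evaluates the root_pods and unlimitted_pods checks from the table over the JSON shape that `kubectl get pods -A -o json` returns, and computes a per-test outcome in which listed failures are accepted, as the scoring above allows. The pod sample is constructed, and the `waivers` list is a hypothetical name for the accepted-failure list.

```python
import json

# Constructed sample in the shape of `kubectl get pods -A -o json` (not real ONAP output).
SAMPLE_PODS_JSON = json.dumps({"items": [
    {"metadata": {"namespace": "onap", "name": "good"},
     "spec": {"securityContext": {"runAsNonRoot": True},
              "containers": [{"name": "app", "resources": {"limits": {"cpu": "1", "memory": "1Gi"}}}]}},
    {"metadata": {"namespace": "onap", "name": "root"},
     "spec": {"containers": [{"name": "app", "securityContext": {"runAsUser": 0},
                              "resources": {"limits": {"cpu": "1", "memory": "1Gi"}}}]}},
    {"metadata": {"namespace": "onap", "name": "nolimit"},
     "spec": {"securityContext": {"runAsUser": 1000},
              "containers": [{"name": "app", "resources": {}},
                             {"name": "side", "resources": {"limits": {"cpu": "100m"}}}]}},
]})

def runs_as_root(pod_sc, ctr_sc):
    """True unless the effective securityContext proves a non-root user.
    Container settings override pod settings; no setting at all means the image
    default applies, which the check treats as root (not proven safe)."""
    eff = {**pod_sc, **ctr_sc}
    if eff.get("runAsUser") is not None:
        return eff["runAsUser"] == 0
    return not eff.get("runAsNonRoot", False)

def check_pods(pods_json):
    """Run root_pods and unlimitted_pods over every container.
    Returns (findings per test as 'ns/pod/container' ids, number of containers checked)."""
    findings, total = {"root_pods": [], "unlimitted_pods": []}, 0
    for pod in json.loads(pods_json)["items"]:
        ns, name = pod["metadata"]["namespace"], pod["metadata"]["name"]
        pod_sc = pod["spec"].get("securityContext") or {}
        for ctr in pod["spec"].get("containers", []):
            total += 1
            ident = f"{ns}/{name}/{ctr['name']}"
            if runs_as_root(pod_sc, ctr.get("securityContext") or {}):
                findings["root_pods"].append(ident)
            limits = (ctr.get("resources") or {}).get("limits") or {}
            if not ("cpu" in limits and "memory" in limits):  # both limits required
                findings["unlimitted_pods"].append(ident)
    return findings, total

def outcome(findings, total, waivers=()):
    """Per-test pass percentage; failures listed in waivers are accepted and
    no longer count, which is how a reviewed, known gap can raise the score."""
    return {test: round(100 * (total - len([f for f in fails if f not in waivers])) / total, 1)
            for test, fails in findings.items()}
```

Accepting a failure only hides it from the score, so each waiver should carry a reviewed justification and an owner. A container with no securityContext at all is reported as root here because nothing proves otherwise.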
Kubescape is the first open-source tool for testing whether Kubernetes is deployed securely according to multiple frameworks: regulatory requirements, customized company policies and DevSecOps best practices, such as the NSA-CISA and MITRE ATT&CK® frameworks.
Kubescape scans K8s clusters, YAML files and Helm charts, detects misconfigurations and software vulnerabilities at early stages of the CI/CD pipeline, and instantly provides a risk score as well as risk trends over time. Kubescape integrates natively with other DevOps tools, including Jenkins, CircleCI and GitHub workflows.
...