
netassert's People

Contributors

g-bgg, olafrauch, prit342, pwhittlesea, sublimino, testwill


netassert's Issues

Some pod names will throw bad substitution error when running tests on GKE.

Thanks for the great work! I had an issue running this tool on a pod name that doesn't contain a hyphen sign ("-"). Here is my test yaml file:

k8s:
  deployment:
    zhe:abc:
      google.com: 443

And it throws exception like:
environment: line 9: HOST_MAP_zhe:abc: bad substitution

I tried to fix it but it seems like other parts stopped working after that. Would be great to get some pointers from you :)
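
The error above shows the name from the test file ending up inside a shell variable name (HOST_MAP_zhe:abc), which the shell rejects because variable names may only contain letters, digits and underscores. The following is an added example, not netassert's own code: one way to derive a valid variable suffix from an arbitrary name before using it that way. The function names safe_var_suffix, host_map_set and host_map_get are hypothetical.

```shell
#!/bin/sh
# Added example (not netassert code): store per-target values in variables
# named after arbitrary target names such as "zhe:abc".

# Print a suffix made only of [A-Za-z0-9_]. The POSIX cksum of the original
# name is appended so that "zhe:abc" and "zhe-abc" stay distinct.
safe_var_suffix() {
  [ -n "$1" ] || return 1
  _clean=$(printf '%s' "$1" | LC_ALL=C tr -c 'A-Za-z0-9_' '_')
  _sum=$(printf '%s' "$1" | cksum | cut -d ' ' -f 1)
  printf '%s_%s\n' "$_clean" "$_sum"
}

# HOST_MAP_<suffix>=value. Only the sanitised suffix reaches eval as code;
# the value is referenced as \$2 and is never re-parsed.
host_map_set() {
  _suffix=$(safe_var_suffix "$1") || return 1
  eval "HOST_MAP_${_suffix}=\$2"
}

# Print the stored value, or an empty line if nothing was stored.
host_map_get() {
  _suffix=$(safe_var_suffix "$1") || return 1
  eval "printf '%s\n' \"\${HOST_MAP_${_suffix}-}\""
}

# Constructed sample names and values.
host_map_set 'zhe:abc' 'google.com:443'
host_map_set 'zhe-abc' 'example.org:80'
host_map_get 'zhe:abc'
```

Rejecting names that fall outside an expected pattern is the stricter alternative when the test file is not fully trusted.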

Unable to run netassert on k8s cluster running on AWS

Summary of issues encountered:
Running the netassert tool against a k8s deployment on AWS failed with "ssh: Could not resolve hostname node-1: Name or service not known". It appears to be attempting to ssh to the k8s node running a target pod.

Expected result:
netassert tool runs successfully without error.

Actual result:

[centos@node-0 network]$ ./netassert/netassert assert.yaml
[2018-10-16T13:19:40.215+0000] ./netassert: Using test file 'assert.yaml'
[2018-10-16T13:19:40.218+0000] ./netassert: Using Docker image 'controlplane/netassert:0.1'
[2018-10-16T13:19:40.220+0000] ./netassert: Tests will timeout after '120' seconds
[2018-10-16T13:19:40.231+0000] ./netassert: 1 tests expected
Academic tradition requires you to cite works you base your article on.
When using programs that use GNU Parallel to process data for publication
please cite:

  O. Tange (2011): GNU Parallel - The Command-Line Power Tool,
  ;login: The USENIX Magazine, February 2011:42-47.

This helps funding further development; AND IT WON'T COST YOU A CENT.
If you pay 10000 EUR you should feel free to use GNU Parallel without citing.

To silence the citation notice: run 'parallel --bibtex'.

[2018-10-16T13:19:40.634+0000] ./netassert: K8S remote test start: worker (namespace: default)
[2018-10-16T13:19:40.886+0000] ./netassert: Connecting to node-1...
[2018-10-16T13:19:40.997+0000] ./netassert: worker fail
[2018-10-16T13:19:41.003+0000] ./netassert: K8S remote test finish
[2018-10-16T13:19:41.009+0000] ./netassert: No instances to test
==============================================================================================================================================================================================================================================
[2018-10-16T13:19:41.028+0000] ./netassert: Results: worker
ssh: Could not resolve hostname node-1: Name or service not known
[2018-10-16T13:19:41.034+0000] ./netassert: worker fail
==============================================================================================================================================================================================================================================
[2018-10-16T13:19:41.039+0000] ./netassert: 1 failed (1s)

What's the setup:

  • A k8s cluster with 1 master and 3 workers running on AWS and set up using kubeadm
  • Application stack (pods)
$ kubectl run redis --image=redis
$ for DEPLOYMENT in hasher rng webui worker; do
    kubectl run ${DEPLOYMENT} \
      --image=training/dockercoins_${DEPLOYMENT}:1.0
  done
  • Network policy applied
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-deny-all-ingress
  namespace: default
spec:
  policyTypes:
    - Ingress
  podSelector: {}
  ingress: []
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: worker-to-rng-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      run: rng
  ingress:
  - from:
    - podSelector:
        matchLabels:
          run: worker

---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: worker-to-hasher-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      run: hasher
  ingress:
  - from:
    - podSelector:
        matchLabels:
          run: worker

---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: redis-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      run: redis
  ingress:
  - from:
    - podSelector:
        matchLabels:
          run: hasher
  - from:
    - podSelector:
        matchLabels:
          run: webui
  • netassert config
k8s: # used for Kubernetes pods
  deployment: # only deployments currently supported
    worker: # pod name, defaults to `default` namespace
      rng: 80
      hasher: 80
      redis: -6379

What is the goal?

  • Verify worker pod can talk to rng and hasher pods but cannot talk to redis pod e.g.
[centos@node-0 network]$ kubectl exec -it worker-6d5544ff97-9bx6r /usr/bin/curl -- -m3 -i rng
HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 35
Server: Werkzeug/0.11.11 Python/3.5.2
Date: Tue, 16 Oct 2018 13:24:41 GMT

RNG running on rng-d86577d96-w4fth
[centos@node-0 network]$ kubectl exec -it worker-6d5544ff97-9bx6r /usr/bin/curl -- -m3 -i hasher
HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8
Content-Length: 42
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Connection: keep-alive
Server: thin

HASHER running on hasher-7559d94c5d-z2dj4
[centos@node-0 network]$ kubectl exec -it worker-6d5544ff97-9bx6r /usr/bin/nc -- -vz -w3 redis 6379
nc: redis (10.97.226.184:6379): Operation timed out
command terminated with exit code 1

Bash script creates pods when deployments are expected

In docs, kubectl run creates pods and not deployments. Bash script expects deployments to be made:

for DEPLOYMENT_TYPE in \
  frontend \
  microservice \
  database\
  ; do
  DEPLOYMENT="test-${DEPLOYMENT_TYPE}"

  kubectl run "${DEPLOYMENT}" \
    --image=busybox \
    --labels=app=web,role="${DEPLOYMENT_TYPE}" \
    --requests='cpu=10m,memory=32Mi' \
    --expose \
    --port 80 \
    -- sh -c "while true; do { printf 'HTTP/1.1 200 OK\r\n\n I am a ${DEPLOYMENT_TYPE}\n'; } | nc -l -p  80; done"

  kubectl scale deployment "${DEPLOYMENT}" --replicas=3
done

Recommend updating docs to yaml to create deployments for example.

Update documentation on prerequisites (e.g. for yj and parallel)

It will be good to add a Prerequisites section that covers any required dependencies.

Summary of issues encountered when I tried this tool on an EC2 instance:

  • yj not found in path: the docs don't mention anything about yj. This implies that there's an assumption that the user has yj in his/her PATH.
    • Workaround: export PATH=$PATH:/path/to/netassert-repo
[2018-10-16T13:06:15.983+0000] ./netassert: Using test file 'assert.yaml'
[2018-10-16T13:06:15.985+0000] ./netassert: Using Docker image 'controlplane/netassert:0.1'
[2018-10-16T13:06:15.988+0000] ./netassert: Tests will timeout after '120' seconds
[2018-10-16T13:06:15.990+0000] ./netassert: yj not found in path
  • parallel not found in path:
    • Workaround: Install "parallel" package.
[centos@node-0 network]$ ./netassert/netassert assert.yaml
[2018-10-16T11:43:26.630+0000] ./netassert: Using test file 'assert.yaml'
[2018-10-16T11:43:26.633+0000] ./netassert: Using Docker image 'controlplane/netassert:0.1'
[2018-10-16T11:43:26.636+0000] ./netassert: Tests will timeout after '120' seconds
[2018-10-16T11:43:26.639+0000] ./netassert: parallel not found in path
  • $HOME/.parallel/ directory needs to be created
    • Workaround: mkdir -p $HOME/.parallel
[centos@node-0 network]$ ./netassert/netassert assert.yaml
[2018-10-16T11:44:40.663+0000] ./netassert: Using test file 'assert.yaml'
[2018-10-16T11:44:40.665+0000] ./netassert: Using Docker image 'controlplane/netassert:0.1'
[2018-10-16T11:44:40.668+0000] ./netassert: Tests will timeout after '120' seconds
[2018-10-16T11:44:40.698+0000] ./netassert: 1 tests expected
parallel: Error: Cannot write to /home/centos/.parallel/ignored_vars.
==============================================================================================================================================================================================================================================
[2018-10-16T11:44:41.192+0000] ./netassert: No results found in /tmp/tmp.C6742Vl7Wj (1s)

Whitelist style assertions

From the README I see that you can specify negative assertions individually using a minus sign:

test-frontend: 
      test-microservice: 80
      test-database: -80

Is there a means of doing something along the lines of:

test-frontend: 
      test-microservice: 80  

and having it fail if anything else is accessible?

Typically I'll know which other services a given service should be able to access, but I don't want to have to try and enumerate all the other possible endpoints that it shouldn't be able to access.
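
The request above can be approximated outside the tool by generating the negative assertions instead of writing them by hand. This added example (not part of netassert, and not a feature the page says it has) expands an allowlist into the test-file format shown in these issues. The function name expand_allowlist and the inventory are constructed for illustration, and only endpoints present in the inventory are covered.

```shell
#!/bin/sh
# Added example (not netassert code): turn "source may reach these targets"
# into explicit positive and negative (minus-prefixed) assertions.

# Constructed inventory: one "deployment port" pair per line. In practice
# this list would be built from the services that exist in the namespace.
INVENTORY='rng 80
hasher 80
redis 6379
webui 80'

# expand_allowlist SOURCE "ALLOWED TARGETS" "INVENTORY"
# Prints a netassert-style YAML block: allowed targets keep their port,
# every other inventory entry gets a negative port (must NOT be reachable).
expand_allowlist() {
  _src=$1
  _allowed=" $2 "
  printf 'k8s:\n  deployment:\n    %s:\n' "$_src"
  printf '%s\n' "$3" | while read -r _name _port; do
    [ -n "$_name" ] || continue
    # A deployment is not tested against itself.
    if [ "$_name" = "$_src" ]; then continue; fi
    case "$_allowed" in
      *" $_name "*) printf '      %s: %s\n' "$_name" "$_port" ;;
      *)            printf '      %s: -%s\n' "$_name" "$_port" ;;
    esac
  done
}

# worker may reach rng and hasher; everything else must be blocked.
expand_allowlist worker 'rng hasher' "$INVENTORY"
```

Regenerating the file whenever the inventory changes keeps newly added services denied by default in the tests.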
