controlplaneio / netassert
Network security testing for Kubernetes DevSecOps workflows
License: Apache License 2.0
Thanks for the great work! I had an issue running this tool on a pod name that doesn't contain a hyphen sign ("-"). Here is my test yaml file:

```yaml
k8s:
  deployment:
    zhe:abc:
      google.com: 443
```

And it throws an exception like:

```
environment: line 9: HOST_MAP_zhe:abc: bad substitution
```

I tried to fix it but it seems like other parts stopped working after that. Would be great to get some pointers from you :)
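The `bad substitution` above comes from the shell, not from netassert's test logic: a variable name may only contain `[A-Za-z0-9_]` and may not start with a digit, so building a name like `HOST_MAP_zhe:abc` from the raw deployment name can never work. The following is an added example, not netassert's own code, showing one way to handle it: validate names up front and derive a sanitised key for the lookup table. `HOST_MAP_*`, `host_map_set` and `host_map_get` are hypothetical names chosen to match the error message; netassert's real implementation is not reproduced here.

```shell
#!/bin/sh
# Added example (not netassert's own code): why "HOST_MAP_zhe:abc" is a
# bad substitution, and how to derive a variable name the shell accepts.
# A shell variable name may contain only [A-Za-z0-9_] and must not start
# with a digit; deployment names such as "zhe:abc" or "my-app.v2" break that.
set -eu

# is_shell_identifier NAME: succeed only if NAME is a valid variable name.
is_shell_identifier() {
  case $1 in
    '' | [0-9]* | *[!A-Za-z0-9_]*) return 1 ;;
    *) return 0 ;;
  esac
}

# safe_var_name NAME: map NAME to a valid identifier by replacing every
# character outside [A-Za-z0-9_] with '_' and prefixing a leading digit.
safe_var_name() {
  name=$(printf '%s' "$1" | tr -c 'A-Za-z0-9_' '_')
  case $name in
    [0-9]*) name="_$name" ;;
  esac
  printf '%s\n' "$name"
}

# host_map_key NAME: the (hypothetical) HOST_MAP_* variable used for NAME.
host_map_key() {
  printf 'HOST_MAP_%s\n' "$(safe_var_name "$1")"
}

# host_map_set NAME VALUE / host_map_get NAME: store and read a target
# port under the sanitised key. eval is acceptable here only because the
# key has already been reduced to [A-Za-z0-9_]; never eval the raw name.
host_map_set() {
  eval "$(host_map_key "$1")=\$2"
}
host_map_get() {
  eval "printf '%s\n' \"\$$(host_map_key "$1")\""
}

# Demonstration with the deployment name from the issue.
host_map_set 'zhe:abc' 443
printf '%s -> %s = %s\n' 'zhe:abc' "$(host_map_key 'zhe:abc')" "$(host_map_get 'zhe:abc')"
```

Running it prints `zhe:abc -> HOST_MAP_zhe_abc = 443`. Note that sanitising is lossy (`a-b` and `a_b` collide), so a script that relies on this should reject duplicate sanitised keys rather than silently overwrite one target's port with another's.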
It assumes you have parallel installed. Should be mentioned in the docs.
It also assumes that yj is in the path. Should be documented, or changed.
Summary of issues encountered:

Running the `netassert` tool against a k8s deployment on AWS failed with `ssh: Could not resolve hostname node-1: Name or service not known`. It appears to be attempting to ssh to the k8s node running a target pod.

Expected result: the `netassert` tool runs successfully without error.

Actual result:

```
[centos@node-0 network]$ ./netassert/netassert assert.yaml
[2018-10-16T13:19:40.215+0000] ./netassert: Using test file 'assert.yaml'
[2018-10-16T13:19:40.218+0000] ./netassert: Using Docker image 'controlplane/netassert:0.1'
[2018-10-16T13:19:40.220+0000] ./netassert: Tests will timeout after '120' seconds
[2018-10-16T13:19:40.231+0000] ./netassert: 1 tests expected
Academic tradition requires you to cite works you base your article on.
When using programs that use GNU Parallel to process data for publication
please cite:
O. Tange (2011): GNU Parallel - The Command-Line Power Tool,
;login: The USENIX Magazine, February 2011:42-47.
This helps funding further development; AND IT WON'T COST YOU A CENT.
If you pay 10000 EUR you should feel free to use GNU Parallel without citing.
To silence the citation notice: run 'parallel --bibtex'.
[2018-10-16T13:19:40.634+0000] ./netassert: K8S remote test start: worker (namespace: default)
[2018-10-16T13:19:40.886+0000] ./netassert: Connecting to node-1...
[2018-10-16T13:19:40.997+0000] ./netassert: worker fail
[2018-10-16T13:19:41.003+0000] ./netassert: K8S remote test finish
[2018-10-16T13:19:41.009+0000] ./netassert: No instances to test
==============================================================================================================================================================================================================================================
[2018-10-16T13:19:41.028+0000] ./netassert: Results: worker
ssh: Could not resolve hostname node-1: Name or service not known
[2018-10-16T13:19:41.034+0000] ./netassert: worker fail
==============================================================================================================================================================================================================================================
[2018-10-16T13:19:41.039+0000] ./netassert: 1 failed (1s)
```
What's the setup: kubeadm

```
$ kubectl run redis --image=redis
$ for DEPLOYMENT in hasher rng webui worker; do
    kubectl run ${DEPLOYMENT} \
      --image=training/dockercoins_${DEPLOYMENT}:1.0
  done
```

```yaml
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: default-deny-all-ingress
  namespace: default
spec:
  policyTypes:
  - Ingress
  podSelector: {}
  ingress: []
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: worker-to-rng-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      run: rng
  ingress:
  - from:
    - podSelector:
        matchLabels:
          run: worker
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: worker-to-hasher-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      run: hasher
  ingress:
  - from:
    - podSelector:
        matchLabels:
          run: worker
---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: redis-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      run: redis
  ingress:
  - from:
    - podSelector:
        matchLabels:
          run: hasher
  - from:
    - podSelector:
        matchLabels:
          run: webui
```

```yaml
k8s: # used for Kubernetes pods
  deployment: # only deployments currently supported
    worker: # pod name, defaults to `default` namespace
      rng: 80
      hasher: 80
      redis: -6379
```
What is the goal? The `worker` pod can talk to the `rng` and `hasher` pods but cannot talk to the `redis` pod, e.g.

```
[centos@node-0 network]$ kubectl exec -it worker-6d5544ff97-9bx6r /usr/bin/curl -- -m3 -i rng
HTTP/1.0 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 35
Server: Werkzeug/0.11.11 Python/3.5.2
Date: Tue, 16 Oct 2018 13:24:41 GMT

RNG running on rng-d86577d96-w4fth
[centos@node-0 network]$ kubectl exec -it worker-6d5544ff97-9bx6r /usr/bin/curl -- -m3 -i hasher
HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8
Content-Length: 42
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Connection: keep-alive
Server: thin

HASHER running on hasher-7559d94c5d-z2dj4
[centos@node-0 network]$ kubectl exec -it worker-6d5544ff97-9bx6r /usr/bin/nc -- -vz -w3 redis 6379
nc: redis (10.97.226.184:6379): Operation timed out
command terminated with exit code 1
```
In the docs, `kubectl run` creates pods and not deployments. The bash script expects deployments to be made:

```bash
for DEPLOYMENT_TYPE in \
  frontend \
  microservice \
  database \
; do
  DEPLOYMENT="test-${DEPLOYMENT_TYPE}"
  kubectl run "${DEPLOYMENT}" \
    --image=busybox \
    --labels=app=web,role="${DEPLOYMENT_TYPE}" \
    --requests='cpu=10m,memory=32Mi' \
    --expose \
    --port 80 \
    -- sh -c "while true; do { printf 'HTTP/1.1 200 OK\r\n\n I am a ${DEPLOYMENT_TYPE}\n'; } | nc -l -p 80; done"
  kubectl scale deployment "${DEPLOYMENT}" --replicas=3
done
```

Recommend updating the docs to yaml to create deployments, for example.
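As an added example (not the project's docs or code), here is the Deployment-based equivalent of that loop, emitted as YAML so that `kubectl scale deployment` and netassert's `deployment:` section both have a real Deployment to target. The labels, image, command, resource requests and replica count are taken from the script above; `apiVersion: apps/v1`, the container name `web` and the Service definition (standing in for `--expose`) are assumptions.

```shell
#!/bin/sh
# Added example (not netassert's or the docs' code): generate Deployment +
# Service manifests equivalent to the docs' `kubectl run` loop, so the
# objects netassert's "deployment:" section tests actually exist.
set -eu

# deployment_manifest TYPE: print a Deployment plus Service named test-TYPE
# with labels app=web,role=TYPE, three busybox replicas answering on port 80.
deployment_manifest() {
  type=$1
  name="test-$type"
  cat <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  name: $name
  labels:
    app: web
    role: $type
spec:
  replicas: 3
  selector:
    matchLabels:
      app: web
      role: $type
  template:
    metadata:
      labels:
        app: web
        role: $type
    spec:
      containers:
      - name: web
        image: busybox
        resources:
          requests:
            cpu: 10m
            memory: 32Mi
        ports:
        - containerPort: 80
        command: ["sh", "-c"]
        args:
        - 'while true; do { printf ''HTTP/1.1 200 OK\r\n\n I am a $type\n''; } | nc -l -p 80; done'
---
apiVersion: v1
kind: Service
metadata:
  name: $name
spec:
  selector:
    app: web
    role: $type
  ports:
  - port: 80
    targetPort: 80
EOF
}

# all_manifests: one multi-document stream for the three deployment types,
# suitable for `all_manifests | kubectl apply -f -` (not run here).
all_manifests() {
  first=1
  for t in frontend microservice database; do
    [ "$first" -eq 1 ] || printf -- '---\n'
    first=0
    deployment_manifest "$t"
  done
}

all_manifests
```

Because the Deployment's `selector.matchLabels` and the Service selector both use `app=web,role=TYPE`, the same labels the original `--labels` flag set, any existing NetworkPolicy written against those labels keeps working unchanged.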
It will be good to add a Prerequisites section that covers any required dependencies.
Summary of issues encountered when I tried this tool on an EC2 instance:

`yj` not found in path: the docs don't mention anything about `yj`. This implies that there's an assumption that the user has `yj` in his/her PATH.

```
export PATH=$PATH:/path/to/netassert-repo
[2018-10-16T13:06:15.983+0000] ./netassert: Using test file 'assert.yaml'
[2018-10-16T13:06:15.985+0000] ./netassert: Using Docker image 'controlplane/netassert:0.1'
[2018-10-16T13:06:15.988+0000] ./netassert: Tests will timeout after '120' seconds
[2018-10-16T13:06:15.990+0000] ./netassert: yj not found in path
```

`parallel` not found in path: needs the "parallel" package.

```
[centos@node-0 network]$ ./netassert/netassert assert.yaml
[2018-10-16T11:43:26.630+0000] ./netassert: Using test file 'assert.yaml'
[2018-10-16T11:43:26.633+0000] ./netassert: Using Docker image 'controlplane/netassert:0.1'
[2018-10-16T11:43:26.636+0000] ./netassert: Tests will timeout after '120' seconds
[2018-10-16T11:43:26.639+0000] ./netassert: parallel not found in path
```

`$HOME/.parallel/` directory needs to be created:

```
mkdir -p $HOME/.parallel
```

```
[centos@node-0 network]$ ./netassert/netassert assert.yaml
[2018-10-16T11:44:40.663+0000] ./netassert: Using test file 'assert.yaml'
[2018-10-16T11:44:40.665+0000] ./netassert: Using Docker image 'controlplane/netassert:0.1'
[2018-10-16T11:44:40.668+0000] ./netassert: Tests will timeout after '120' seconds
[2018-10-16T11:44:40.698+0000] ./netassert: 1 tests expected
parallel: Error: Cannot write to /home/centos/.parallel/ignored_vars.
==============================================================================================================================================================================================================================================
[2018-10-16T11:44:41.192+0000] ./netassert: No results found in /tmp/tmp.C6742Vl7Wj (1s)
```
Still being worked on? Thanks
From the README I see that you can specify negative assertions individually using a minus sign:

```yaml
test-frontend:
  test-microservice: 80
  test-database: -80
```

Is there a means of doing something along the lines of:

```yaml
test-frontend:
  test-microservice: 80
```

and having it fail if anything else is accessible?

Typically I'll know which other services a given service should be able to access, but I don't want to have to try and enumerate all the other possible endpoints that it shouldn't be able to access.
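netassert only checks the targets named in the test file, so a deny-by-default expectation has to be expanded into one negative assertion per remaining deployment. The following is an added example, not netassert's own code or a feature it offers: it takes an allow-list and an inventory of the namespace's deployments and emits a complete test file in the `k8s: deployment:` format shown on this page, with `-PORT` for everything not allowed. The inventory is passed in as a string so the example runs offline; `inventory_from_cluster` shows how it would be fetched with `kubectl` (not run here). The names `gen_deny_by_default_tests` and `is_in_list` are this example's own.

```shell
#!/bin/sh
# Added example (not netassert's own code): turn an allow-list into a
# complete netassert test file. netassert tests only the targets you name,
# so "everything else must be unreachable" is spelled out as one negative
# assertion (-PORT) per remaining deployment in the namespace.
set -eu

# is_in_list WORD LIST: succeed if WORD is one of the space-separated LIST.
is_in_list() {
  for w in $2; do
    [ "$w" = "$1" ] && return 0
  done
  return 1
}

# inventory_from_cluster NAMESPACE: names of every Deployment in NAMESPACE
# (not run in this example; requires kubectl and cluster access).
inventory_from_cluster() {
  kubectl get deployments -n "$1" -o jsonpath='{.items[*].metadata.name}'
}

# gen_deny_by_default_tests SOURCE PORT ALLOWED INVENTORY
#   SOURCE     deployment under test, e.g. test-frontend
#   PORT       port to assert on
#   ALLOWED    space-separated deployments SOURCE may reach on PORT
#   INVENTORY  space-separated names of every deployment in the namespace
# Prints a k8s/deployment test file: "target: PORT" for each allowed target
# and "target: -PORT" for every other deployment. Fails if an allowed
# target is not in the inventory, so a typo cannot silently shrink the test.
gen_deny_by_default_tests() {
  src=$1; port=$2; allowed=$3; inventory=$4
  for a in $allowed; do
    if ! is_in_list "$a" "$inventory"; then
      printf 'error: allowed target "%s" is not a deployment in the inventory\n' "$a" >&2
      return 1
    fi
  done
  printf 'k8s:\n  deployment:\n    %s:\n' "$src"
  for target in $inventory; do
    [ "$target" = "$src" ] && continue            # do not test self
    if is_in_list "$target" "$allowed"; then
      printf '      %s: %s\n' "$target" "$port"   # must be reachable
    else
      printf '      %s: -%s\n' "$target" "$port"  # must be blocked
    fi
  done
}

# Demonstration with the deployment names from the README example.
gen_deny_by_default_tests test-frontend 80 'test-microservice' \
  'test-frontend test-microservice test-database'
```

Two caveats for real use: the generated file is only as complete as the inventory, so regenerate it in CI from the live namespace rather than committing a stale copy; and it asserts a single port, so a target that must be unreachable on several ports needs a negative assertion per port.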