2022-11-10 11:3525:4710,669 440 - xtesting.ci.run_tests - INFO - Deployment description:
+-------------------------+----------------------------------------------------------+
| ENV VAR | VALUE |
+-------------------------+----------------------------------------------------------+
| CI_LOOP | daily |
| DEBUG | false |
| DEPLOY_SCENARIO | k8-nosdn-nofeature-noha |
| INSTALLER_TYPE | unknown |
| BUILD_TAG | |
| NODE_NAME | |
| TEST_DB_URL | http://testresults.opnfv.org/test/api/v1/results |
| TEST_DB_EXT_URL | |
| S3_ENDPOINT_URL | |
| S3_DST_URL | |
| HTTP_DST_URL | |
+-------------------------+----------------------------------------------------------+
2022-11-10 11:3525:4710,685 456 - xtesting.ci.run_tests - INFO - Loading test case 'kube_bench_nodemaster'...
2022-11-10 11:3525:4710,991 913 - xtesting.ci.run_tests - INFO - Running test case 'kube_bench_nodemaster'...
2022-11-10 11:3525:5418,758 894 - functest_kubernetes.security.security - ERROR - Ensure that the proxy kubeconfig etcd pod specification file permissions are set to 644 or more restrictive (Scored)
Run the below command (based on the file location on your system) on the each worker master node.
For example,
chmod 644 /etc/kubernetes/manifests/proxyetcd.confyaml
2022-11-10 11:3525:5418,759 895 - functest_kubernetes.security.security - ERROR - Ensure that the proxy kubeconfig etcd pod specification file ownership is set to root:root (Scored)
Run the below command (based on the file location on your system) on the each worker master node.
For example,
chown root:root /etc/kubernetes/manifests/proxyetcd.confyaml
2022-11-10 11:3525:5418,759 895 - functest_kubernetes.security.security - ERROR - Ensure that the --read-only-port argument is set to 0 etcd data directory permissions are set to 700 or more restrictive (Scored)
If using a Kubelet config file, edit the file to set readOnlyPort to 0.
If using command line arguments, edit the kubelet service file
/etc/systemd/system/kubelet.service on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--read-only-port=0
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
On the etcd server node, get the etcd data directory, passed as an argument --data-dir,
from the below command:
ps -ef | grep etcd
Run the below command (based on the etcd data directory found above). For example,
chmod 700 /var/lib/etcd
2022-11-10 11:3525:5418,759 895 - functest_kubernetes.security.security - ERROR - Ensure that the --protect-kernel-defaults argument etcd data directory ownership is set to true etcd:etcd (Scored)
If using a Kubelet config file, edit the file to set protectKernelDefaults: true.
If using command line arguments, edit the kubelet service file
/etc/systemd/system/kubelet.service on each worker node and
set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable.
--protect-kernel-defaults=true
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
On the etcd server node, get the etcd data directory, passed as an argument --data-dir,
from the below command:
ps -ef | grep etcd
Run the below command (based on the etcd data directory found above).
For example, chown etcd:etcd /var/lib/etcd
2022-11-10 11:3525:5418,759 895 - functest_kubernetes.security.security - ERROR - Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate RotateKubeletServerCertificate argument is set to true (Scored)
If using a Kubelet config file, edit the file to set tlsCertFile to the location
of the certificate file to use to identify this Kubelet, and tlsPrivateKeyFile
to the location of the corresponding private key file.
If using command line arguments, edit the kubelet service file
/etc/systemd/system/kubelet.service on each worker node and
set the below parameters in KUBELET_CERTIFICATE_ARGS variable.
--tls-cert-file=<path/to/tls-certificate-file>
--tls-private-key-file=<path/to/tls-key-file>
Based on your system, restart the kubelet service. For example:
systemctl daemon-reload
systemctl restart kubelet.service
Edit the Controller Manager pod specification file /etc/kubernetes/manifests/kube-controller-manager.yaml
on the master node and set the --feature-gates parameter to include RotateKubeletServerCertificate=true.
--feature-gates=RotateKubeletServerCertificate=true
2022-11-10 11:3525:5418,760 897 - functest_kubernetes.security.security - WARNING - Targets:
+-------------------+-----------------+-----------------------------------------+--------------+--------------+--------------+
| NODE_TYPE | VERSION | TEST_DESC | PASS | FAIL | WARN |
+-------------------+-----------------+-----------------------------------------+--------------+--------------+--------------+
| node master | 1.5 | Worker Master Node Configuration Files | 12 | 4 | 5 |
| master | 7 1.5 | API Server | 31 | 2 0 | 1 4 |
| node master | 1.5 | Controller Manager | 6 Kubelet | 1 | 0 |
| master | 8 1.5 | Scheduler 3 | 2 | 0 | 0 |
+-------------------+-----------------+-----------------------------------------+--------------+--------------+--------------+
2022-11-10 11:3525:5418,760 897 - xtesting.ci.run_tests - INFO - Test result:
+-------------------------+------------------+------------------+----------------+
| TEST CASE | PROJECT | DURATION | RESULT |
+-------------------------+------------------+------------------+----------------+
| kube_bench_node | functest | 00:06 | PASS |
+-------------------------+------------------+------------------+----------------+
2022-11-10 11:35:54,816 - xtesting.ci.run_tests - INFO - Execution exit value: Result.EX_OK 4
opnfv/functest-kubernetes-benchmarking
4.1
bash-5.1# run_tests -t xrally_kubernetes_full
2022-11-10 11:36:23,102 - xtesting.ci.run_tests - INFO - Deployment description:
+-+------------------+----------------+
| kube_bench_master | functest | 00:07 | PASS |
+---------------------------+------------------+--------------+
| ENV VAR | VALUE |
----+----------------+
2022-11-10 11:25:18,955 - xtesting.ci.run_tests - INFO - Execution exit value: Result.EX_OK