61 lines
2.5 KiB
Bash
61 lines
2.5 KiB
Bash
echo -e "\033[35mhang on...\033[0m\t\t this task evaluation needs about a minute to complete"
|
|
|
|
|
|
##preparing test Pod without a label whihch should not get access
|
|
kubectl delete pod labgrade -n access &>/dev/null
|
|
sleep 5
|
|
kubectl run labgrade -n access --image=busybox -- sleep 3600 &>/dev/null
|
|
sleep 5
|
|
|
|
if kubectl exec -n access labgrade -- wget --spider --timeout=1 lab156web.restricted.svc.cluster.local &>/dev/null
|
|
then
|
|
echo -e "\033[31m[FAIL]\033[0m\t\t testpod is getting access, which means the networkpolicy is not correct"
|
|
else
|
|
echo -e "\033[32m[OK]\033[0m\t\t testpod is not getting access, good!"
|
|
SCORE=$(( SCORE + 10 ))
|
|
fi
|
|
TOTAL=$(( TOTAL + 10 ))
|
|
|
|
###testing if a networkpolicy was found
|
|
#do we have a networkpolicy on the namespace restricted?
|
|
if kubectl get netpol lab156pol -n restricted &>/dev/null
|
|
then
|
|
echo -e "\033[32m[OK]\033[0m\t\t found a NetworkPolicy on the Namespace restricted"
|
|
SCORE=$(( SCORE + 4 ))
|
|
else
|
|
echo -e "\033[31m[FAIL]\033[0m\t\t NetworkPolicy not found on the Namespace restricted"
|
|
fi
|
|
TOTAL=$(( TOTAL + 4 ))
|
|
|
|
#do we have a namespaceselector that allows incoming traffic from ns access
|
|
if kubectl get netpol -n restricted -o yaml | grep -A3 namespaceSelector | grep 'kubernetes.io/metadata.name: access' &>/dev/null
|
|
then
|
|
echo -e "\033[32m[OK]\033[0m\t\t namespaceSelector is set correctly in the NetworkPolicy"
|
|
SCORE=$(( SCORE + 8 ))
|
|
else
|
|
echo -e "\033[31m[FAIL]\033[0m\t\t namespaceSelector is not set correctly in the NetworkPolicy"
|
|
fi
|
|
TOTAL=$(( TOTAL + 8 ))
|
|
|
|
#do we have a podselector that allows incoming traffic from pods that have label access=true
|
|
if kubectl get netpol -n restricted -o yaml | grep -A3 podSelector | grep 'access: "true"' &>/dev/null
|
|
then
|
|
echo -e "\033[32m[OK]\033[0m\t\t podSelector is set correctly in the NetworkPolicy"
|
|
SCORE=$(( SCORE + 8 ))
|
|
else
|
|
echo -e "\033[31m[FAIL]\033[0m\t\t podSelector is not set correctly in the NetworkPolicy"
|
|
fi
|
|
TOTAL=$(( TOTAL + 8 ))
|
|
|
|
##setting the label so that the testpod is getting access
|
|
kubectl label -n access pod labgrade access="true"
|
|
|
|
if kubectl exec -n access labgrade -- wget --spider --timeout=1 lab156web.restricted.svc.cluster.local &>/dev/null
|
|
then
|
|
echo -e "\033[32m[OK]\033[0m\t\t previous revision of deploy updated was using nginx:latest"
|
|
SCORE=$(( SCORE + 10 ))
|
|
else
|
|
echo -e "\033[31m[FAIL]\033[0m\t\t previous revision of deploy updated not found or not using nginx:latest"
|
|
fi
|
|
TOTAL=$(( TOTAL + 10 ))
|