Quality Assurance¶
When you have created your Compliant Kubernetes cluster it can be wise to run some checks to ensure that it works as expected. This document details some snippets that you can follow in order to ensure some functionality of the cluster.
Customer API and Harbor access¶
Pre-requisites¶
- You've got Docker installed.
- You've exported
CK8S_CONFIG_PATH
in your shell. - You've set
baseDomain
in your shell to what's used in your cluster. - Your current working directory is the
compliantkubernets-apps
repository. - You've installed the
kubectl
pluginkubelogin
. See instructions on how to install it.
Create and set user kubeconfig¶
./bin/ck8s user-kubeconfig
sops -d -i --config ${CK8S_CONFIG_PATH}/.sops.yaml ${CK8S_CONFIG_PATH}/user/kubeconfig.yaml
export KUBECONFIG=${CK8S_CONFIG_PATH}/user/kubeconfig.yaml
kubectl
command, e.g. kubectl get pods
Your browser will be opened and you'll be asked to login through Dex.
Login to Harbor GUI and create 'test' project¶
- Go to
https://harbor.${baseDomain}
, and login though OIDC. - Create project 'test'.
- Click on your user in the top right corner and select User profile.
- Copy CLI secret.
Push image to Harbor and scan it¶
- Pull Nginx from dockerhub
docker pull nginx
. - Login to the Harbor registry
docker login https://harbor.${baseDomain}
Enter your Harbor username and the copied CLI secret. - Prepare Nginx image for pushing to Harbor registry
docker tag nginx harbor.${baseDomain}/test/nginx
- Push image to Harbor
docker push harbor.${baseDomain}/test/nginx
- Enter 'test' project in the Harbor GUI, select the newly pushed image and scan it.
Create secret for pulling images from harbor¶
kubectl create secret generic regcred \
--from-file=.dockerconfigjson=${HOME}/.docker/config.json \
--type=kubernetes.io/dockerconfigjson
kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "regcred"}]}'
Test pulling from Harbor and start privileged and unprivileged pods¶
kubectl run --image nginxinc/nginx-unprivileged nginx-unprivileged
kubectl run --image harbor.${baseDomain}/test/nginx nginx-privileged
# You should see that both pods and that nginx-unprivileged eventually becomes running while nginx-privileged does not.
kubectl get pods
# Check events from the nginx-privileged.
kubectl describe pod nginx-privileged
# You should see 'Error: container has runAsNonRoot and image will run as root'.
Cleanup of created Kubernetes resources¶
kubectl delete pod --all
kubectl delete secret regcred