# Copyright 2022 Dell Inc. or its subsidiaries. All Rights Reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. --- - block: - name: Fetch Package info package_facts: manager: auto - name: Verify all packages are installed assert: that: "'{{ item }}' in ansible_facts.packages" success_msg: "{{ install_package_success_msg }}" fail_msg: "{{ install_package_fail_msg }}" when: "'python-docker' not in item" with_items: "{{ common_packages }}" ignore_errors: true - name: Check login_vars is encrypted command: cat {{ login_vars_filename }} changed_when: false register: config_content - name: Validate login file is encypted or not assert: that: "'$ANSIBLE_VAULT;' in config_content.stdout" fail_msg: "{{ login_vars_fail_msg }}" success_msg: "{{ login_vars_success_msg }}" # Installing a required package : JQ - name: Installing jq (JSON Query) package: name: "{{ test_package }}" state: present # Checking if all the required pods are working - name: Get pods info shell: kubectl get pods --all-namespaces register: all_pods_info - name: Check the count of pods set_fact: count: "{{ all_pods_info.stdout_lines|length - 1 }}" - name: Check if all the pods are running assert: that: - "'Running' in all_pods_info.stdout_lines[{{ item }}]" fail_msg: "{{ check_pods_fail_msg }}" success_msg: "{{ check_pods_success_msg }}" with_sequence: start=1 end={{ count }} # Checking if NFS Server is running and Custom ISO is created - name: Get NFS Stat shell: systemctl status nfs-idmapd register: nfstat_info - name: Verify NFS Stat is running assert: that: - "'Active: active (running)' in nfstat_info.stdout" success_msg: "{{ nfs_share_success_msg }}" fail_msg: "{{ nfs_share_fail_msg }}" - name: Check nfs mount point stat: path: "{{ nfs_mount_Path }}" register: nfs_mount_info - name: Verify nfs share is mounted assert: that: - "{{ nfs_mount_info.stat.exists }}" success_msg: "{{ nfs_mount_success_msg }}" fail_msg: "{{ nfs_mount_fail_msg }}" - name: Check Custom ISO stat: path: "{{ check_iso_path }}" register: check_iso_info - name: Verify Custom ISO is created in the NFS repo assert: that: - "{{ check_iso_info.stat.exists }}" success_msg: "{{ check_iso_success_msg }}" fail_msg: "{{ check_iso_fail_msg }}" # Checking if network-config container is running - name: Get Pod info for network-config shell: | crictl ps -o json | jq '.containers[] | select(.labels."io.kubernetes.pod.namespace" == "network-config" and .labels."io.kubernetes.container.name" == "mngmnt-network-container") | "\(.id) \(.metadata.name) \(.state)"' register: network_config_pod_info - name: Get Pod Status for network-config assert: that: - network_config_pod_info.stdout_lines | regex_search( "{{ container_info }}") success_msg: "{{ network_config_pod_success_msg }}" fail_msg: "{{ network_config_pod_fail_msg }}" - name: Get Pod facts shell: | crictl ps -o json | jq '.containers[] | select(.labels."io.kubernetes.pod.namespace" == "network-config" and .labels."io.kubernetes.container.name" == "mngmnt-network-container") | "\(.id)"' register: network_config_pod_fact - name: Parse container id for the pods set_fact: container_id: "{{ network_config_pod_fact.stdout[1:-1] }}" - name: Check dhcpd,xinetd service is running command: crictl exec {{ container_id }} systemctl is-active {{ item }} changed_when: false ignore_errors: yes register: pod_service_check with_items: - dhcpd - xinetd - name: Verify dhcpd, xinetd service is running assert: that: - "'active' in pod_service_check.results[{{ item }}].stdout" - "'inactive' not in pod_service_check.results[{{ item }}].stdout" - "'unknown' not in pod_service_check.results[{{ item }}].stdout" fail_msg: "{{ pod_service_check_fail_msg }}" success_msg: "{{ pod_service_check_success_msg }}" with_sequence: start=0 end={{ pod_service_check.results|length - 1 }} # Checking if cobbler-container is running - name: Get Pod info for cobbler shell: | crictl ps -o json | jq '.containers[] | select(.labels."io.kubernetes.pod.namespace" == "cobbler") | "\(.id) \(.metadata.name) \(.state)"' register: network_config_pod_info - name: Get Pod Status for cobbler assert: that: - network_config_pod_info.stdout_lines | regex_search( "{{ container_info }}") success_msg: "{{ cobbler_pod_success_msg }}" fail_msg: "{{ cobbler_pod_fail_msg }}" - name: Get Pod facts for cobbler shell: | crictl ps -o json | jq '.containers[] | select(.labels."io.kubernetes.pod.namespace" == "cobbler") | "\(.id)"' register: network_config_pod_fact - name: Extract cobbler pod id set_fact: cobbler_id: "{{ network_config_pod_fact.stdout[1:-1] }}" - name: Check tftp,dhcpd,xinetd,cobblerd service is running command: crictl exec {{ cobbler_id }} systemctl is-active {{ item }} changed_when: false ignore_errors: yes register: pod_service_check with_items: - dhcpd - tftp - xinetd - cobblerd - name: Verify tftp,dhcpd,xinetd,cobblerd service is running assert: that: - "'active' in pod_service_check.results[{{ item }}].stdout" - "'inactive' not in pod_service_check.results[{{ item }}].stdout" - "'unknown' not in pod_service_check.results[{{ item }}].stdout" fail_msg: "{{pod_service_check_fail_msg}}" success_msg: "{{pod_service_check_success_msg}}" with_sequence: start=0 end=3 # Checking Cron-Jobs - name: Check crontab list command: crictl exec {{ cobbler_id }} crontab -l changed_when: false register: crontab_list - name: Verify crontab list assert: that: - "'* * * * * /usr/bin/ansible-playbook /root/tftp.yml' in crontab_list.stdout" - "'*/5 * * * * /usr/bin/ansible-playbook /root/inventory_creation.yml' in crontab_list.stdout" fail_msg: "{{cron_jobs_fail_msg}}" success_msg: "{{cron_jobs_success_msg}}" # Checking subnet-manger pod is running and open sm is running # Comment if infiniband is not connected - name: Fetch subnet-manager stats shell: kubectl get pods -n subnet-manager register: sm_manager_info - name: Verify subnet_manager container is running assert: that: - "'Running' in sm_manager_info.stdout_lines[1]" fail_msg: "{{subnet_manager_fail_msg}}" success_msg: "{{subnet_manager_success_msg}}" # Checking awx pod is running - name: Get Pod info for awx shell: | crictl ps -o json | jq '.containers[] | select(.labels."io.kubernetes.pod.namespace" == "awx") | "\(.id) \(.metadata.name) \(.state)"' register: awx_config_pod_info - name: Get Pod Status for awx assert: that: - network_config_pod_info.stdout_lines[{{ item }}] | regex_search( "{{ container_info }}") success_msg: "{{ awx_pod_success_msg }}" fail_msg: "{{ awx_pod_fail_msg }}" ignore_errors: yes with_sequence: start=0 end={{ network_config_pod_info.stdout_lines |length - 1 }} - name: Get pvc stats shell: | kubectl get pvc -n awx -o json |jq '.items[] | "\(.status.phase)"' register: pvc_stats_info - name: Verify if pvc stats is running assert: that: - "'Bound' in pvc_stats_info.stdout" fail_msg: "{{ pvc_stat_fail_msg }}" success_msg: "{{ pvc_stat_success_msg }}" with_sequence: start=0 end={{ pvc_stats_info.stdout_lines |length|int - 1 }} - name: Get svc stats shell: kubectl get svc -n awx awx-service -o json register: svc_stats_info - name: Verify if svc is up and running assert: that: - "'Error from server (NotFound):' not in svc_stats_info.stdout" success_msg: "{{ svc_stat_success_msg }}" fail_msg: "{{ svc_stat_fail_msg }}" - name: Fetch Cluster IP from svc shell: | kubectl get svc -n awx -o json | jq '.items[] | select(.metadata.name == "awx-service") | "\(.spec.clusterIP)"' register: cluster_ip_info - name: Check if connection to svc Cluster IP is enabled uri: url: http://{{ cluster_ip_info.stdout[1:-1] }} follow_redirects: none method: GET ignore_errors: yes register: cluster_ip_conn - name: Verify connection to svc cluster is working assert: that: - cluster_ip_conn.status == 200 success_msg: "{{ svc_conn_success_msg }} : {{ cluster_ip_info.stdout[1:-1] }}" fail_msg: "{{ svc_conn_fail_msg }} : {{ cluster_ip_info.stdout[1:-1] }}" # OMNIA_1.2_Grafana_TC_001 # Validate Grafana k8s Loki pod and namespaces is running or not - name: Get Pod info for Grafana k8s Loki shell: | crictl ps -o json | jq '.containers[] | select(.labels."io.kubernetes.pod.namespace" == "grafana") | "\(.id) \(.metadata.name) \(.state)"' register: grafana_config_pod_info - name: Get Pod Status for Grafana k8s Loki assert: that: - grafana_config_pod_info.stdout_lines[{{ item }}] | regex_search( "{{ container_info }}") success_msg: "{{ grafana_pod_success_msg }}" fail_msg: "{{ grafana_pod_fail_msg }}" ignore_errors: yes with_sequence: start=0 end={{ grafana_config_pod_info.stdout_lines |length - 1 }} # OMNIA_1.2_Grafana_TC_002 # Validate Grafana k8s Loki pvc , svc and cluster IP - name: Get grafana pvc stats shell: | kubectl get pvc -n grafana -o json |jq '.items[] | "\(.status.phase)"' register: grafana_pvc_stats_info - name: Verify if grafana pvc stats is running assert: that: - "'Bound' in grafana_pvc_stats_info.stdout" fail_msg: "{{ grafana_pvc_stat_fail_msg }}" success_msg: "{{ grafana_pvc_stat_success_msg }}" with_sequence: start=0 end={{ grafana_pvc_stats_info.stdout_lines |length|int - 1 }} - name: Get grafana svc stats shell: kubectl get svc -n grafana grafana -o json register: grafana_svc_stats_info - name: Verify if grafana svc is up and running assert: that: - "'Error from server (NotFound):' not in grafana_svc_stats_info.stdout" success_msg: "{{ grafana_svc_stat_success_msg }}" fail_msg: "{{ grafana_svc_stat_fail_msg }}" - name: Get grafana loki svc stats shell: kubectl get svc -n grafana loki -o json register: grafana_loki_svc_stats_info - name: Verify if grafana loki svc is up and running assert: that: - "'Error from server (NotFound):' not in grafana_loki_svc_stats_info.stdout" success_msg: "{{ grafana_loki_svc_stat_success_msg }}" fail_msg: "{{ grafana_loki_svc_stat_fail_msg }}" # OMNIA_1.2_Grafana_TC_003 # Validate Grafana Loki Host IP connection - name: Fetch Grafana Loki Cluster IP from svc shell: | kubectl get svc -n grafana -o json | jq '.items[] | select(.metadata.name == "loki") | "\(.spec.clusterIP)"' register: grafana_loki_cluster_ip_info - name: Check if connection to Grafana Loki svc Cluster IP is enabled command: ping -c1 {{ grafana_loki_cluster_ip_info.stdout[1:-1] }} register: validate_grafana_loki changed_when: false failed_when: false - name: Verify connection to Grafana Loki svc cluster is working assert: that: - "'ping' in validate_grafana_loki.stdout" success_msg: "{{ grafana_svc_conn_success_msg }} : {{ grafana_loki_cluster_ip_info.stdout[1:-1] }}" fail_msg: "{{ grafana_svc_conn_fail_msg }} : {{ grafana_loki_cluster_ip_info.stdout[1:-1] }}" - name: Fetch Grafana Cluster IP from svc shell: | kubectl get svc -n grafana -o json | jq '.items[] | select(.metadata.name == "grafana") | "\(.spec.clusterIP)"' register: grafana_cluster_ip_info - name: Ping the grafana to validate connectivity command: ping -c1 {{ grafana_cluster_ip_info.stdout[1:-1] }} register: validate_grafana changed_when: false failed_when: false - name: Verify connection to Grafana svc cluster is working assert: that: - "'ping' in validate_grafana.stdout" success_msg: "{{ grafana_svc_conn_success_msg }} : {{ grafana_cluster_ip_info.stdout[1:-1] }}" fail_msg: "{{ grafana_svc_conn_fail_msg }} : {{ grafana_cluster_ip_info.stdout[1:-1] }}" # OMNIA_1.2_Grafana_TC_017 # Validate Prometheus pod , pvc , svc and cluster IP - name: Get monitoring Pod info for Prometheus alertmanager shell: | crictl ps -o json | jq '.containers[] | select(.labels."io.kubernetes.pod.namespace" == "monitoring" and .labels."io.kubernetes.container.name" == "alertmanager") | "\(.id) \(.metadata.name) \(.state)"' register: monitoring_alertmanager_pod_info - name: Get monitoring Pod Status for Prometheus alertmanager assert: that: - monitoring_alertmanager_pod_info.stdout_lines | regex_search( "{{ container_info }}") success_msg: "{{ prometheus_alertmanager_pod_success_msg }}" fail_msg: "{{ prometheus_alertmanager_pod_fail_msg }}" - name: Get monitoring Pod info for Prometheus node-exporter shell: | crictl ps -o json | jq '.containers[] | select(.labels."io.kubernetes.pod.namespace" == "monitoring" and .labels."io.kubernetes.container.name" == "node-exporter") | "\(.id) \(.metadata.name) \(.state)"' register: monitoring_node_exporter_pod_info - name: Get monitoring Pod Status for Prometheus node-exporter assert: that: - monitoring_node_exporter_pod_info.stdout_lines | regex_search( "{{ container_info }}") success_msg: "{{ prometheus_node_exporter_pod_success_msg }}" fail_msg: "{{ prometheus_node_exporter_pod_fail_msg }}" - name: Get Prometheus alertmanager svc stats shell: kubectl get svc -n monitoring monitoring-kube-prometheus-alertmanager -o json register: prometheus_alertmanager_svc_stats_info - name: Verify if Prometheus alertmanager is up and running assert: that: - "'Error from server (NotFound):' not in prometheus_alertmanager_svc_stats_info.stdout" success_msg: "{{ prometheus_alertmanager_svc_stat_success_msg }}" fail_msg: "{{ prometheus_alertmanager_svc_stat_fail_msg }}" - name: Get Prometheus node-exporter svc stats shell: kubectl get svc -n monitoring monitoring-prometheus-node-exporter -o json register: prometheus_node_exporter_svc_stats_info - name: Verify if Prometheus node-exporter svc is up and running assert: that: - "'Error from server (NotFound):' not in prometheus_node_exporter_svc_stats_info.stdout" success_msg: "{{ prometheus_node_exporter_svc_stat_success_msg }}" fail_msg: "{{ prometheus_node_exporter_svc_stat_fail_msg }}" - name: Get Prometheus monitoring svc stats shell: kubectl get svc -n monitoring {{ item }} -o json changed_when: false ignore_errors: yes register: monitoring_pod_svc_check with_items: - monitoring-prometheus-node-exporter - monitoring-kube-prometheus-alertmanager - monitoring-kube-prometheus-operator - monitoring-kube-state-metrics - monitoring-kube-prometheus-prometheus # Testcase OMNIA_1.2_AppArmor_TC_001 # Test case to Find out if AppArmor is enabled (returns Y if true) - name: AppArmor is enabled Validation shell: cat /sys/module/apparmor/parameters/enabled register: apparmor_enabled - name: Find out if AppArmor is enabled (returns Y if true) assert: that: - apparmor_enabled.stdout | regex_search( "{{ apparmor_true }}" ) success_msg: "{{ apparmor_enabled_success_msg }}" fail_msg: "{{ apparmor_enabled_fail_msg }}" # Testcase OMNIA_1.2_AppArmor_TC_002 # Test case to List all loaded AppArmor profiles for applications and processes and detail their status (enforced, complain, unconfined): - name: AppArmor is List all loaded AppArmor profiles status shell: aa-status register: apparmor_status - name: Verify the apparmor module shoule be return which all the profiles assert: that: - apparmor_status.stdout | regex_search( "{{ apparmor_module }}" ) success_msg: "{{ apparmor_status_success_msg }}" fail_msg: "{{ apparmor_status_fail_msg }}" # Testcase OMNIA_1.2_AppArmor_TC_003 # Test case to validate available profiles in /extra-profiles/ path - name: AppArmor is available profiles in /extra-profiles/ path shell: ls /usr/share/apparmor/extra-profiles/ | grep 'usr.bin.passwd' register: apparmor_profile - name: Verify the usr.bin.passwd profiles in /extra-profiles/ path assert: that: - apparmor_profile.stdout | regex_search( "{{ apparmor_passwd_profile }}" ) success_msg: "{{ apparmor_profile_success_msg }}" fail_msg: "{{ apparmor_profile_fail_msg }}" # Testcase OMNIA_1.2_AppArmor_TC_004 # Test case to running executables which are currently confined by an AppArmor profile - name: AppArmor is running executables which are currently confined by an AppArmor profile shell: ps auxZ | grep -v '^unconfined' | grep 'nscd' register: apparmor_not_unconfined - name: Verify the not unconfined AppArmor profiles with nscd assert: that: - apparmor_not_unconfined.stdout | regex_search( "{{ apparmor_nscd }}" ) success_msg: "{{ apparmor_not_unconfined_success_msg }}" fail_msg: "{{ apparmor_not_unconfined_fail_msg }}" # Testcase OMNIA_1.2_AppArmor_TC_005 # Test case to processes with tcp or udp ports that do not have AppArmor profiles loaded - name: A Processes with tcp or udp ports that do not have AppArmor profiles loaded shell: aa-unconfined --paranoid | grep '/usr/sbin/auditd' register: apparmor_unconfined - name: Verify the unconfined AppArmor profiles with auditd assert: that: - apparmor_unconfined.stdout | regex_search( "{{ apparmor_auditd }}" ) success_msg: "{{ apparmor_unconfined_success_msg }}" fail_msg: "{{ apparmor_unconfined_fail_msg }}"