adelorenzo/kubesolo-os
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 2 Wiki Activity

fix: kubeconfig server accessible via port forwarding, integration tests use proper auth
Some checks failed
CI / Go Tests (push) Has been cancelled
Details
CI / Build Go Binaries (amd64, linux, linux-amd64) (push) Has been cancelled
Details
CI / Build Go Binaries (arm64, linux, linux-arm64) (push) Has been cancelled
Details
CI / Shellcheck (push) Has been cancelled
Details

Browse Source 
Bind kubeconfig HTTP server to 0.0.0.0:8080 (was 127.0.0.1) so integration
tests can reach it via QEMU SLIRP port forwarding. Add shared wait_for_boot
and fetch_kubeconfig helpers to qemu-helpers.sh. Update all 5 integration
tests to fetch kubeconfig via HTTP and use it for kubectl authentication.

All 6 tests pass on Linux with KVM: boot (18s), security (7/7), K8s ready
(15s), workload deploy, local storage, network policy.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Adolfo Delorenzo
2026-02-12 15:25:32 -06:00
parent 6c15ba7776
commit 4fc078f7a3
7 changed files with 156 additions and 54 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
test/integration/test-security-hardening.sh
View File

@@ -4,7 +4,7 @@
# Exit 0 = PASS, Exit 1 = FAIL
#
# Tests:
# 1. Kubeconfig server bound to localhost only
# 1. Kubeconfig server accessible via HTTP
# 2. AppArmor profiles loaded (or graceful skip if kernel lacks support)
# 3. Kernel module loading locked
# 4. Mount options (noexec on /tmp, nosuid on /run, noexec on /dev/shm)
@@ -107,15 +107,16 @@ check_pass() { echo " PASS: $1"; PASS=$((PASS + 1)); }
check_fail() { echo " FAIL: $1"; FAIL=$((FAIL + 1)); }
check_skip() { echo " SKIP: $1"; SKIP=$((SKIP + 1)); }
echo "--- Test 1: Kubeconfig server bound to localhost ---"
# The kubeconfig server should bind to 127.0.0.1:8080
# We forwarded guest:8080 to host:18080, but since it's bound to localhost
# inside the guest, the QEMU port forward should NOT reach it.
# Try to connect — it should fail or timeout.
if curl -s --connect-timeout 3 "http://localhost:18080" >/dev/null 2>&1; then
check_fail "Kubeconfig server reachable from external interface (port forward worked)"
echo "--- Test 1: Kubeconfig server accessible ---"
# The kubeconfig server should be reachable via QEMU port forwarding
# and return valid kubeconfig YAML content.
KC_CONTENT=$(curl -sf --connect-timeout 10 --max-time 15 "http://localhost:18080/" 2>/dev/null) || true
if [ -n "$KC_CONTENT" ] && echo "$KC_CONTENT" | grep -q "server:"; then
check_pass "Kubeconfig server returns valid kubeconfig"
elif [ -z "$KC_CONTENT" ]; then
check_fail "Kubeconfig server not reachable on port 18080"
else
check_pass "Kubeconfig server NOT reachable externally (bound to localhost)"
check_fail "Kubeconfig server returned unexpected content"
fi
echo ""