feat(core): handle sctp protocol and all protocols with raw socket and add protocol:all network rule #1652
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: ci-test-controllers | |
| on: | |
| pull_request: | |
| branches: | |
| - "main" | |
| paths: | |
| - "pkg/**" | |
| - ".github/workflows/ci-test-controllers.yml" | |
| # Declare default permissions as read only. | |
| permissions: read-all | |
| jobs: | |
| kubearmor-controller-test: | |
| name: Build and Test KubeArmorController Using Ginkgo | |
| runs-on: ubuntu-20.04 | |
| timeout-minutes: 30 | |
| env: | |
| RUNTIME: "containerd" | |
| steps: | |
| - uses: actions/checkout@v3 | |
| with: | |
| submodules: true | |
| - uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: 'KubeArmor/go.mod' | |
| - name: Check what paths were updated | |
| uses: dorny/paths-filter@v2 | |
| id: filter | |
| with: | |
| filters: | | |
| kubearmor: | |
| - "KubeArmor/**" | |
| - "protobuf/**" | |
| controller: | |
| - 'pkg/KubeArmorController/**' | |
| - name: Setup a Kubernetes environment | |
| run: ./.github/workflows/install-k3s.sh | |
| - name: Install the latest LLVM toolchain | |
| if: steps.filter.outputs.kubearmor == 'true' | |
| run: ./.github/workflows/install-llvm.sh | |
| - name: Compile libbpf | |
| if: steps.filter.outputs.kubearmor == 'true' | |
| run: ./.github/workflows/install-libbpf.sh | |
| - name: Generate KubeArmor artifacts | |
| if: steps.filter.outputs.kubearmor == 'true' | |
| run: GITHUB_SHA=$GITHUB_SHA ./KubeArmor/build/build_kubearmor.sh | |
| - name: Build KubeArmorController | |
| run: make -C pkg/KubeArmorController/ docker-build TAG=latest | |
| - name: Build Kubearmor-Operator | |
| working-directory: pkg/KubeArmorOperator | |
| run: | | |
| make docker-build | |
| - name: Install KubeArmor Latest and KubeArmorController using Helm | |
| run: | | |
| # save images | |
| docker save kubearmor/kubearmor-controller:latest | sudo k3s ctr images import - | |
| docker save kubearmor/kubearmor-operator:latest | sudo k3s ctr images import - | |
| docker save kubearmor/kubearmor-snitch:latest | sudo k3s ctr images import - | |
| helm upgrade --install kubearmor-operator ./deployments/helm/KubeArmorOperator -n kubearmor --create-namespace --set kubearmorOperator.image.tag=latest | |
| kubectl wait --for=condition=ready --timeout=5m -n kubearmor pod -l kubearmor-app=kubearmor-operator | |
| kubectl get pods -A | |
| # create kubearmorconfig | |
| if [[ ${{ steps.filter.outputs.kubearmor }} == 'true' ]]; then | |
| docker save kubearmor/kubearmor:latest | sudo k3s ctr images import - | |
| docker save kubearmor/kubearmor-init:latest | sudo k3s ctr images import - | |
| kubectl apply -f pkg/KubeArmorOperator/config/samples/kubearmor-test.yaml --dry-run=client -o json | \ | |
| jq '.spec.kubearmorControllerImage.imagePullPolicy = "Never"' | \ | |
| kubectl apply -f - | |
| else | |
| # use latest kubearmor if no changes in kubearmor or protobuf dir | |
| kubectl apply -f pkg/KubeArmorOperator/config/samples/kubearmor-test.yaml --dry-run=client -o json | \ | |
| jq '.spec.kubearmorControllerImage.imagePullPolicy = "Never" | .spec.kubearmorImage.imagePullPolicy = "Always" | .spec.kubearmorInitImage.imagePullPolicy = "Always"' | \ | |
| kubectl apply -f - | |
| fi | |
| kubectl wait -n kubearmor --timeout=5m --for=jsonpath='{.status.phase}'=Running kubearmorconfigs/kubearmorconfig-test | |
| timeout 7m bash -c -- ' | |
| while true; do | |
| all_running=true | |
| echo "Checking pod status..." | |
| for pod_status in $(kubectl get pod -n kubearmor -l kubearmor-app,kubearmor-app!=kubearmor-snitch --output=jsonpath="{.items[*].status.phase}" 2>/dev/null); do | |
| if [ "$pod_status" != "Running" ]; then | |
| all_running=false | |
| echo "Waiting for pods to be Running..." | |
| break | |
| fi | |
| done | |
| if $all_running; then | |
| echo "All pods are Running." | |
| break | |
| fi | |
| if kubectl get pod -n kubearmor -l kubearmor-app,kubearmor-app!=kubearmor-snitch | grep CrashLoopBackOff; then | |
| echo "Error: Pod in CrashLoopBackOff state" | |
| exit 1 | |
| fi | |
| sleep 1 | |
| done | |
| ' | |
| - name: Test KubeArmor using Ginkgo | |
| run: | | |
| go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo | |
| ginkgo --vv --flake-attempts=10 --timeout=10m smoke/ | |
| working-directory: ./tests/k8s_env | |
| timeout-minutes: 30 | |
| - name: Get karmor sysdump | |
| if: ${{ failure() }} | |
| run: | | |
| kubectl describe pod -n kubearmor -l kubearmor-app=kubearmor | |
| curl -sfL http://get.kubearmor.io/ | sudo sh -s -- -b /usr/local/bin | |
| mkdir -p /tmp/kubearmor/ && cd /tmp/kubearmor && karmor sysdump | |
| - name: Archive log artifacts | |
| if: ${{ failure() }} | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: kubearmor.logs | |
| path: | | |
| /tmp/kubearmor/ | |
| /tmp/kubearmor.* |