From df1dcc1793371cee6a6c7dbd962dc4644095474c Mon Sep 17 00:00:00 2001 From: rksharma95 Date: Tue, 12 Nov 2024 17:08:21 +0530 Subject: [PATCH] add a test case for protocol:all handling Signed-off-by: rksharma95 --- tests/k8s_env/ksp/ksp_test.go | 26 +++++++++++++++++++ .../ksp-ubuntu-1-block-net-all.yaml | 15 +++++++++++ 2 files changed, 41 insertions(+) create mode 100644 tests/k8s_env/ksp/multiubuntu/ksp-ubuntu-1-block-net-all.yaml diff --git a/tests/k8s_env/ksp/ksp_test.go b/tests/k8s_env/ksp/ksp_test.go index 37d48b5218..21fe2aa200 100644 --- a/tests/k8s_env/ksp/ksp_test.go +++ b/tests/k8s_env/ksp/ksp_test.go @@ -266,6 +266,32 @@ var _ = Describe("Ksp", func() { }) + It("it can block all network traffic", func() { + + // Apply Policy + err := K8sApplyFile("multiubuntu/ksp-ubuntu-1-block-net-all.yaml") + Expect(err).To(BeNil()) + + // Start KubeArmor Logs + err = KarmorLogStart("policy", "multiubuntu", "Network", ub1) + Expect(err).To(BeNil()) + AssertCommand(ub1, "multiubuntu", []string{"bash", "-c", "arping -c 1 127.0.0.1"}, + MatchRegexp("arping.*Permission denied"), true, + ) + + expect := protobuf.Alert{ + PolicyName: "ksp-ubuntu-1-block-net-all", + Severity: "8", + Action: "Block", + Result: "Permission denied", + } + + res, err := KarmorGetTargetAlert(5*time.Second, &expect) + Expect(err).To(BeNil()) + Expect(res.Found).To(BeTrue()) + + }) + }) Describe("Apply Capabilities Policy", func() { diff --git a/tests/k8s_env/ksp/multiubuntu/ksp-ubuntu-1-block-net-all.yaml b/tests/k8s_env/ksp/multiubuntu/ksp-ubuntu-1-block-net-all.yaml new file mode 100644 index 0000000000..8f64a1e628 --- /dev/null +++ b/tests/k8s_env/ksp/multiubuntu/ksp-ubuntu-1-block-net-all.yaml @@ -0,0 +1,15 @@ +apiVersion: security.kubearmor.com/v1 +kind: KubeArmorPolicy +metadata: + name: ksp-ubuntu-1-block-net-all + namespace: multiubuntu +spec: + severity: 8 + selector: + matchLabels: + container: ubuntu-1 + network: + matchProtocols: + - protocol: all + action: + Block \ No newline at end of file