From 53247aba1566a039e466a804ff5085475075e1da Mon Sep 17 00:00:00 2001 From: Navin Chandra Date: Thu, 29 Aug 2024 18:31:12 +0000 Subject: [PATCH 1/4] Add HSP test suite for non-k8s mode Signed-off-by: Navin Chandra --- tests/nonk8s_env/hsp/hsp_suite_test.go | 16 + tests/nonk8s_env/hsp/hsp_test.go | 304 ++++++++++++++++++ ...bearmor-dev-file-dir-allow-fromSource.yaml | 29 ++ ...bearmor-dev-file-dir-block-fromSource.yaml | 28 ++ ...earmor-dev-file-path-allow-fromSource.yaml | 28 ++ .../hsp-kubearmor-dev-file-path-audit.yaml | 25 ++ ...earmor-dev-file-path-block-fromSource.yaml | 28 ++ .../hsp-kubearmor-dev-file-path-block.yaml | 23 ++ ...earmor-dev-proc-path-allow-fromSource.yaml | 31 ++ ...earmor-dev-proc-path-block-fromSource.yaml | 31 ++ .../hsp-kubearmor-dev-proc-path-block.yaml | 23 ++ .../hsp/res/hsp-kubearmor-dev-udp-block.yaml | 25 ++ tests/util/kartutil.go | 15 + 13 files changed, 606 insertions(+) create mode 100644 tests/nonk8s_env/hsp/hsp_suite_test.go create mode 100644 tests/nonk8s_env/hsp/hsp_test.go create mode 100644 tests/nonk8s_env/hsp/res/hsp-kubearmor-dev-file-dir-allow-fromSource.yaml create mode 100644 tests/nonk8s_env/hsp/res/hsp-kubearmor-dev-file-dir-block-fromSource.yaml create mode 100644 tests/nonk8s_env/hsp/res/hsp-kubearmor-dev-file-path-allow-fromSource.yaml create mode 100644 tests/nonk8s_env/hsp/res/hsp-kubearmor-dev-file-path-audit.yaml create mode 100644 tests/nonk8s_env/hsp/res/hsp-kubearmor-dev-file-path-block-fromSource.yaml create mode 100644 tests/nonk8s_env/hsp/res/hsp-kubearmor-dev-file-path-block.yaml create mode 100644 tests/nonk8s_env/hsp/res/hsp-kubearmor-dev-proc-path-allow-fromSource.yaml create mode 100644 tests/nonk8s_env/hsp/res/hsp-kubearmor-dev-proc-path-block-fromSource.yaml create mode 100644 tests/nonk8s_env/hsp/res/hsp-kubearmor-dev-proc-path-block.yaml create mode 100644 tests/nonk8s_env/hsp/res/hsp-kubearmor-dev-udp-block.yaml 
diff --git a/tests/nonk8s_env/hsp/hsp_suite_test.go b/tests/nonk8s_env/hsp/hsp_suite_test.go
new file mode 100644
index 0000000000..3b8f09a392
--- /dev/null
+++ b/tests/nonk8s_env/hsp/hsp_suite_test.go
@@ -0,0 +1,16 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2024 Authors of KubeArmor
+
+package hsp_test
+
+import (
+ "testing"
+
+ . "github.com/onsi/ginkgo/v2"
+ . "github.com/onsi/gomega"
+)
+
+func TestHsp(t *testing.T) {
+ RegisterFailHandler(Fail)
+ RunSpecs(t, "Hsp Suite")
+}
diff --git a/tests/nonk8s_env/hsp/hsp_test.go b/tests/nonk8s_env/hsp/hsp_test.go
new file mode 100644
index 0000000000..cc01fadb20
--- /dev/null
+++ b/tests/nonk8s_env/hsp/hsp_test.go
@@ -0,0 +1,304 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2024 Authors of KubeArmor + +package hsp + +import ( + "os" + "time" + + . "github.com/kubearmor/KubeArmor/tests/util" + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" +) + +var _ = Describe("Non-k8s HSP tests", func() { + + AfterEach(func() { + KarmorLogStop() + }) + + BeforeEach(func() { + // Set the environment variable + os.Setenv("KUBEARMOR_SERVICE", ":32767") + }) + + Describe("HSP file path block", func() { + + It("can block access to /etc/hostname on the host", func() { + + policyPath := "res/hsp-kubearmor-dev-file-path-block.yaml" + err := SendPolicy("ADDED", policyPath) + Expect(err).To(BeNil()) + + // Start the karmor logs + err = KarmorLogStart("policy", "", "File", "") + Expect(err).To(BeNil()) + + // Access the /etc/hostname file + out, err := ExecCommandHost([]string{"bash", "-c", "cat /etc/hostname"}) + Expect(err).NotTo(BeNil()) + Expect(out).To(MatchRegexp(".*Permission denied")) + + // check policy violation alert + _, alerts, err := KarmorGetLogs(5*time.Second, 1) + Expect(err).To(BeNil()) + Expect(len(alerts)).To(BeNumerically(">=", 1)) + Expect(alerts[0].PolicyName).To(Equal("hsp-kubearmor-dev-file-path-block")) + Expect(alerts[0].Severity).To(Equal("5")) + Expect(alerts[0].Action).To(Equal("Block")) + + // delete the policy + err = SendPolicy("DELETED", policyPath) + Expect(err).To(BeNil()) + + }) + }) + + Describe("HSP Process path block", func() { + + It("can block execution of diff command in host", func() { + + policyPath := "res/hsp-kubearmor-dev-proc-path-block.yaml" + err := SendPolicy("ADDED", policyPath) + Expect(err).To(BeNil()) + + // Start the karmor logs + err = KarmorLogStart("policy", "", "Process", "") + Expect(err).To(BeNil()) + + // call the diff command + out, err := ExecCommandHost([]string{"bash", "-c", "diff --help"}) + Expect(err).NotTo(BeNil()) + Expect(out).To(MatchRegexp(".*Permission denied")) + + // check policy violation alert + _, 
alerts, err := KarmorGetLogs(5*time.Second, 1) + Expect(err).To(BeNil()) + Expect(len(alerts)).To(BeNumerically(">=", 1)) + Expect(alerts[0].PolicyName).To(Equal("hsp-kubearmor-dev-proc-path-block")) + Expect(alerts[0].Severity).To(Equal("5")) + Expect(alerts[0].Action).To(Equal("Block")) + + // delete the policy + err = SendPolicy("DELETED", policyPath) + Expect(err).To(BeNil()) + }) + }) + + Describe("HSP dir block from source", func() { + + It("can allow access to everything except /etc/default/* from head", func() { + + policyPath := "res/hsp-kubearmor-dev-file-dir-block-fromSource.yaml" + err := SendPolicy("ADDED", policyPath) + Expect(err).To(BeNil()) + + // Start the karmor logs + err = KarmorLogStart("policy", "", "File", "") + Expect(err).To(BeNil()) + + // call the head command + out, err := ExecCommandHost([]string{"bash", "-c", "head /etc/hostname"}) + Expect(err).To(BeNil()) + Expect(out).NotTo(MatchRegexp(".*Permission denied")) + + // check policy violation alert + _, alerts, err := KarmorGetLogs(5*time.Second, 1) + Expect(err).To(BeNil()) + Expect(len(alerts)).To(BeNumerically("==", 0)) + + // delete the policy + err = SendPolicy("DELETED", policyPath) + Expect(err).To(BeNil()) + }) + + It("can block access to /etc/default/* from head", func() { + + policyPath := "res/hsp-kubearmor-dev-file-dir-block-fromSource.yaml" + err := SendPolicy("ADDED", policyPath) + Expect(err).To(BeNil()) + + // Start the karmor logs + err = KarmorLogStart("policy", "", "File", "") + Expect(err).To(BeNil()) + + // call the head command + out, err := ExecCommandHost([]string{"bash", "-c", "head /etc/default/useradd"}) + Expect(err).NotTo(BeNil()) + Expect(out).To(MatchRegexp(".*Permission denied")) + + // check policy violation alert + _, alerts, err := KarmorGetLogs(5*time.Second, 1) + Expect(err).To(BeNil()) + Expect(len(alerts)).To(BeNumerically(">=", 1)) + Expect(alerts[0].PolicyName).To(Equal("hsp-kubearmor-dev-file-dir-block-fromsource")) + 
Expect(alerts[0].Severity).To(Equal("5")) + Expect(alerts[0].Action).To(Equal("Block")) + + // delete the policy + err = SendPolicy("DELETED", policyPath) + Expect(err).To(BeNil()) + }) + }) + + Describe("HSP file audit", func() { + + It("can audit access to /etc/passwd", func() { + + policyPath := "res/hsp-kubearmor-dev-file-path-audit.yaml" + err := SendPolicy("ADDED", policyPath) + Expect(err).To(BeNil()) + + // Start the karmor logs + err = KarmorLogStart("policy", "", "File", "") + Expect(err).To(BeNil()) + + // try to access the /etc/passwd file + out, err := ExecCommandHost([]string{"bash", "-c", "cat /etc/passwd"}) + Expect(err).To(BeNil()) + Expect(out).ToNot(MatchRegexp(".*Permission denied")) + + // check audit alerts + _, alerts, err := KarmorGetLogs(5*time.Second, 1) + Expect(err).To(BeNil()) + Expect(len(alerts)).To(BeNumerically(">=", 1)) + Expect(alerts[0].PolicyName).To(Equal("hsp-kubearmor-dev-file-path-audit")) + Expect(alerts[0].Severity).To(Equal("5")) + Expect(alerts[0].Action).To(Equal("Audit")) + + // delete the policy + err = SendPolicy("DELETED", policyPath) + Expect(err).To(BeNil()) + }) + }) + + Describe("HSP path block from source", func() { + + It("It can block access to /etc/hostname from head", func() { + + policyPath := "res/hsp-kubearmor-dev-file-path-block-fromSource.yaml" + err := SendPolicy("ADDED", policyPath) + Expect(err).To(BeNil()) + + // Start the karmor logs + err = KarmorLogStart("policy", "", "File", "") + Expect(err).To(BeNil()) + + // try to access the /etc/hostname file from head + out, err := ExecCommandHost([]string{"bash", "-c", "head /etc/hostname"}) + Expect(err).NotTo(BeNil()) + Expect(out).To(MatchRegexp(".*Permission denied")) + + // check policy violation alert + _, alerts, err := KarmorGetLogs(5*time.Second, 1) + Expect(err).To(BeNil()) + Expect(len(alerts)).To(BeNumerically(">=", 1)) + Expect(alerts[0].PolicyName).To(Equal("hsp-kubearmor-dev-file-path-block-fromsource")) + 
Expect(alerts[0].Severity).To(Equal("5")) + Expect(alerts[0].Action).To(Equal("Block")) + + // delete the policy + err = SendPolicy("DELETED", policyPath) + Expect(err).To(BeNil()) + }) + }) + + // Describe("HSP Process path block from source", func() { + + // It("can block date command from bash", func() { + + // policyPath := "res/hsp-kubearmor-dev-proc-path-block-fromSource.yaml" + // err := SendPolicy("ADDED", policyPath) + // Expect(err).To(BeNil()) + + // // Start the karmor logs + // err = KarmorLogStart("policy", "", "Process", "") + // Expect(err).To(BeNil()) + + // // call the date command from bash + // out, err := ExecCommandHost([]string{"bash", "-c", "date"}) + // Expect(err).To(BeNil()) + // Expect(out).To(MatchRegexp(".*Permission denied")) + + // // // execute ls command from bash + // // out2, err := ExecCommandHost([]string{"bash", "-c", "ls"}) + // // Expect(err).To(BeNil()) + // // Expect(out2).NotTo(MatchRegexp(".*Permission denied")) + + // // check policy violation alert + // _, alerts, err := KarmorGetLogs(5*time.Second, 1) + // Expect(err).To(BeNil()) + // Expect(len(alerts)).To(BeNumerically(">=", 1)) + // Expect(alerts[0].PolicyName).To(Equal("hsp-kubearmor-dev-proc-path-block-fromsource")) + // Expect(alerts[0].Severity).To(Equal("5")) + // Expect(alerts[0].Action).To(Equal("Block")) + + // // delete the policy + // err = SendPolicy("DELETED", policyPath) + // Expect(err).To(BeNil()) + // }) + // }) + + Describe("HSP Process path block", func() { + + It("can block diff command", func() { + + policyPath := "res/hsp-kubearmor-dev-proc-path-block.yaml" + err := SendPolicy("ADDED", policyPath) + Expect(err).To(BeNil()) + + // Start the karmor logs + err = KarmorLogStart("policy", "", "Process", "") + Expect(err).To(BeNil()) + + // run diff command + out, err := ExecCommandHost([]string{"bash", "-c", "diff"}) + Expect(err).NotTo(BeNil()) + Expect(out).To(MatchRegexp(".*Permission denied")) + + // check policy violation alert + _, alerts, err 
:= KarmorGetLogs(5*time.Second, 1) + Expect(err).To(BeNil()) + Expect(len(alerts)).To(BeNumerically(">=", 1)) + Expect(alerts[0].PolicyName).To(Equal("hsp-kubearmor-dev-proc-path-block")) + Expect(alerts[0].Severity).To(Equal("5")) + Expect(alerts[0].Action).To(Equal("Block")) + + // delete the policy + err = SendPolicy("DELETED", policyPath) + Expect(err).To(BeNil()) + }) + }) + + Describe("HSP Network path block", func() { + + It("can block access to UDP protocol from curl", func() { + + policyPath := "res/hsp-kubearmor-dev-udp-block.yaml" + err := SendPolicy("ADDED", policyPath) + Expect(err).To(BeNil()) + + // Start the karmor logs + err = KarmorLogStart("policy", "", "Network", "") + Expect(err).To(BeNil()) + + // run diff command + out, err := ExecCommandHost([]string{"bash", "-c", "curl google.com"}) + Expect(err).NotTo(BeNil()) + Expect(out).To(MatchRegexp(".*Could not resolve host: google.com")) + + // check policy violation alert + _, alerts, err := KarmorGetLogs(5*time.Second, 1) + Expect(err).To(BeNil()) + Expect(len(alerts)).To(BeNumerically(">=", 1)) + Expect(alerts[0].PolicyName).To(Equal("hsp-kubearmor-dev-udp-block-curl")) + Expect(alerts[0].Severity).To(Equal("5")) + Expect(alerts[0].Action).To(Equal("Block")) + + // delete the policy + err = SendPolicy("DELETED", policyPath) + Expect(err).To(BeNil()) + }) + }) +}) diff --git a/tests/nonk8s_env/hsp/res/hsp-kubearmor-dev-file-dir-allow-fromSource.yaml b/tests/nonk8s_env/hsp/res/hsp-kubearmor-dev-file-dir-allow-fromSource.yaml new file mode 100644 index 0000000000..00a133c4aa --- /dev/null +++ b/tests/nonk8s_env/hsp/res/hsp-kubearmor-dev-file-dir-allow-fromSource.yaml 
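Review bot: Every `It` block sends `DELETED` only as its last statement, so any failing `Expect` before it leaves the Block host policy applied — e.g. `hsp-kubearmor-dev-file-path-block` would keep `/etc/hostname` unreadable for every later spec and for the host after the suite exits. Register the removal right after the `ADDED` send instead, `DeferCleanup(func() { Expect(SendPolicy("DELETED", policyPath)).To(BeNil()) })`, and drop the trailing delete. The second `Describe("HSP Process path block", ...)` applies the same `hsp-kubearmor-dev-proc-path-block` policy and asserts the same alert as the first one, so one of them can go. The UDP case asserts `Could not resolve host: google.com`, which a runner without outbound DNS also produces regardless of enforcement, so the alert assertion is what actually proves the block; a comment saying so above the curl call would help (its `// run diff command` comment is also copy-pasted). The `os.Setenv` in `BeforeEach` ignores its error and never restores the variable.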
@@ -0,0 +1,29 @@ +apiVersion: security.kubearmor.com/v1 +kind: KubeArmorHostPolicy +metadata: + name: hsp-kubearmor-dev-file-dir-allow-fromsource +spec: + nodeSelector: + matchLabels: + kubearmor.io/hostname: "*" + severity: 5 + file: + matchDirectories: + - dir: /etc/default/ + recursive: true + fromSource: + - path: /usr/bin/head + action: + Allow + +# kubearmor-dev_test_08 + +# test +# $ head /etc/default/useradd +# Default values for useradd(8) ... +# $ head /etc/hostname +# head: /etc/hostname: Permission denied + +# expectation +# /usr/bin/head can only access /etc/default/* +# /usr/bin/head cannot access any others \ No newline at end of file diff --git a/tests/nonk8s_env/hsp/res/hsp-kubearmor-dev-file-dir-block-fromSource.yaml b/tests/nonk8s_env/hsp/res/hsp-kubearmor-dev-file-dir-block-fromSource.yaml new file mode 100644 index 0000000000..d92be29a6d --- /dev/null +++ b/tests/nonk8s_env/hsp/res/hsp-kubearmor-dev-file-dir-block-fromSource.yaml @@ -0,0 +1,28 @@ +apiVersion: security.kubearmor.com/v1 +kind: KubeArmorHostPolicy +metadata: + name: hsp-kubearmor-dev-file-dir-block-fromsource +spec: + nodeSelector: + matchLabels: + kubearmor.io/hostname: "*" + severity: 5 + file: + matchDirectories: + - dir: /etc/default/ + fromSource: + - path: /usr/bin/head + action: + Block + +# kubearmor-dev_test_09 + +# test +# $ head /etc/default/useradd +# head: useradd: Permission denied +# $ head /etc/hostname +# kubearmor-dev + +# expectation +# /usr/bin/head cannot access /etc/default/* +# /usr/bin/head can access any others \ No newline at end of file diff --git a/tests/nonk8s_env/hsp/res/hsp-kubearmor-dev-file-path-allow-fromSource.yaml b/tests/nonk8s_env/hsp/res/hsp-kubearmor-dev-file-path-allow-fromSource.yaml new file mode 100644 index 0000000000..59c10830ad --- /dev/null +++ b/tests/nonk8s_env/hsp/res/hsp-kubearmor-dev-file-path-allow-fromSource.yaml 
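Review bot: `hsp-kubearmor-dev-file-dir-allow-fromSource.yaml` is not referenced by any spec in `hsp_test.go`, and the same holds for the `file-path-allow-fromSource`, `proc-path-allow-fromSource` and `proc-path-block-fromSource` fixtures added later in this patch (the last one only appears in the commented-out `Describe`). Either add the specs that exercise them or leave them out, since unused fixtures drift from the policy schema unnoticed. For whoever adds those specs: per this file's own expectation comment, the `Allow` policies with `fromSource` deny `/usr/bin/head` everything except the listed path on every host matched by `kubearmor.io/hostname: "*"`, so they need the same guaranteed `DELETED` cleanup as the block policies.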
@@ -0,0 +1,28 @@ +apiVersion: security.kubearmor.com/v1 +kind: KubeArmorHostPolicy +metadata: + name: hsp-kubearmor-dev-file-path-allow-fromsource +spec: + nodeSelector: + matchLabels: + kubearmor.io/hostname: "*" + severity: 5 + file: + matchPaths: + - path: /etc/hostname + fromSource: + - path: /usr/bin/head + action: + Allow + +# kubearmor-dev_test_07 + +# test +# $ head /etc/hostname +# kubearmor-dev +# $ head /etc/hosts +# head: /etc/hosts: Permission denied + +# expectation +# /usr/bin/head can only access /etc/hostname +# /usr/bin/head cannot access any others \ No newline at end of file diff --git a/tests/nonk8s_env/hsp/res/hsp-kubearmor-dev-file-path-audit.yaml b/tests/nonk8s_env/hsp/res/hsp-kubearmor-dev-file-path-audit.yaml new file mode 100644 index 0000000000..e545f7bd42 --- /dev/null +++ b/tests/nonk8s_env/hsp/res/hsp-kubearmor-dev-file-path-audit.yaml @@ -0,0 +1,25 @@ +apiVersion: security.kubearmor.com/v1 +kind: KubeArmorHostPolicy +metadata: + name: hsp-kubearmor-dev-file-path-audit +spec: + nodeSelector: + matchLabels: + kubearmor.io/hostname: "*" + severity: 5 + file: + matchPaths: + - path: /etc/passwd + action: + Audit + +# kubearmor-dev_test_02 + +# test +# $ cat /etc/passwd +# ... +# $ head /etc/passwd +# ... + +# expectation +# anyone can access /etc/passwd, but the access would be audited \ No newline at end of file diff --git a/tests/nonk8s_env/hsp/res/hsp-kubearmor-dev-file-path-block-fromSource.yaml b/tests/nonk8s_env/hsp/res/hsp-kubearmor-dev-file-path-block-fromSource.yaml new file mode 100644 index 0000000000..d405d896de --- /dev/null +++ b/tests/nonk8s_env/hsp/res/hsp-kubearmor-dev-file-path-block-fromSource.yaml 
@@ -0,0 +1,28 @@ +apiVersion: security.kubearmor.com/v1 +kind: KubeArmorHostPolicy +metadata: + name: hsp-kubearmor-dev-file-path-block-fromsource +spec: + nodeSelector: + matchLabels: + kubearmor.io/hostname: "*" + severity: 5 + file: + matchPaths: + - path: /etc/hostname + fromSource: + - path: /usr/bin/head + action: + Block + +# kubearmor-dev_test_06 + +# test +# $ head /etc/hostname +# head: cannot open '/etc/hostname' for reading: Permission denied +# $ head /etc/hosts +# ... + +# expectation +# /usr/bin/head cannot access /etc/hostname +# /usr/bin/head can access any others \ No newline at end of file diff --git a/tests/nonk8s_env/hsp/res/hsp-kubearmor-dev-file-path-block.yaml b/tests/nonk8s_env/hsp/res/hsp-kubearmor-dev-file-path-block.yaml new file mode 100644 index 0000000000..323e014505 --- /dev/null +++ b/tests/nonk8s_env/hsp/res/hsp-kubearmor-dev-file-path-block.yaml @@ -0,0 +1,23 @@ +apiVersion: security.kubearmor.com/v1 +kind: KubeArmorHostPolicy +metadata: + name: hsp-kubearmor-dev-file-path-block +spec: + nodeSelector: + matchLabels: + kubearmor.io/hostname: "*" + severity: 5 + file: + matchPaths: + - path: /etc/hostname + action: + Block + +# kubearmor-dev_test_03 + +# test +# $ cat /etc/hostname +# cat: /etc/hostname: Permission denied + +# expectation +# anyone cannot access /etc/hostname \ No newline at end of file diff --git a/tests/nonk8s_env/hsp/res/hsp-kubearmor-dev-proc-path-allow-fromSource.yaml b/tests/nonk8s_env/hsp/res/hsp-kubearmor-dev-proc-path-allow-fromSource.yaml new file mode 100644 index 0000000000..42270ff8ab --- /dev/null +++ b/tests/nonk8s_env/hsp/res/hsp-kubearmor-dev-proc-path-allow-fromSource.yaml 
@@ -0,0 +1,31 @@ +apiVersion: security.kubearmor.com/v1 +kind: KubeArmorHostPolicy +metadata: + name: hsp-kubearmor-dev-proc-path-allow-fromsource +spec: + nodeSelector: + matchLabels: + kubearmor.io/hostname: "*" + severity: 5 + process: + matchPaths: + - path: /bin/date + fromSource: + - path: /bin/bash # ubuntu # ubuntu also uses /usr/bin/bash + - path: /usr/bin/date + fromSource: + - path: /usr/bin/bash # centos + action: + Allow + +# kubearmor-dev_test_05 + +# test +# $ bash -c date +# ... +# $ bash -c ls +# bash: /usr/bin/ls: Permission denied + +# expectation +# (/usr)/bin/bash can only execute (/usr)/bin/date +# (/usr)/bin/bash cannot execute any others \ No newline at end of file diff --git a/tests/nonk8s_env/hsp/res/hsp-kubearmor-dev-proc-path-block-fromSource.yaml b/tests/nonk8s_env/hsp/res/hsp-kubearmor-dev-proc-path-block-fromSource.yaml new file mode 100644 index 0000000000..e6e1482fb2 --- /dev/null +++ b/tests/nonk8s_env/hsp/res/hsp-kubearmor-dev-proc-path-block-fromSource.yaml @@ -0,0 +1,31 @@ +apiVersion: security.kubearmor.com/v1 +kind: KubeArmorHostPolicy +metadata: + name: hsp-kubearmor-dev-proc-path-block-fromsource +spec: + nodeSelector: + matchLabels: + kubearmor.io/hostname: "*" + severity: 5 + process: + matchPaths: + - path: /bin/date + fromSource: + - path: /bin/bash + - path: /usr/bin/date + fromSource: + - path: /usr/bin/bash + action: + Block + +# kubearmor-dev_test_04 + +# test +# (/home/vagrant/selinux-test/) $ bash -c date +# bash: 1: date: Permission denied +# (/home/vagrant/selinux-test/) $ bash -c ls +# ls ... + +# expectation +# (/usr)/bin/bash cannot execute (/usr)/bin/date +# (/usr)/bin/bash can execute any others \ No newline at end of file diff --git a/tests/nonk8s_env/hsp/res/hsp-kubearmor-dev-proc-path-block.yaml b/tests/nonk8s_env/hsp/res/hsp-kubearmor-dev-proc-path-block.yaml new file mode 100644 index 0000000000..6c2ca56407 --- /dev/null +++ b/tests/nonk8s_env/hsp/res/hsp-kubearmor-dev-proc-path-block.yaml 
@@ -0,0 +1,23 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorHostPolicy
+metadata:
+ name: hsp-kubearmor-dev-proc-path-block
+spec:
+ nodeSelector:
+ matchLabels:
+ kubearmor.io/hostname: "*"
+ severity: 5
+ process:
+ matchPaths:
+ - path: /usr/bin/diff
+ action:
+ Block
+
+# kubearmor-dev_test_01
+
+# test
+# $ diff --help
+# -bash: /usr/bin/diff: Permission denied
+
+# expectation
+# anyone cannot execute /usr/bin/diff
\ No newline at end of file
diff --git a/tests/nonk8s_env/hsp/res/hsp-kubearmor-dev-udp-block.yaml b/tests/nonk8s_env/hsp/res/hsp-kubearmor-dev-udp-block.yaml
new file mode 100644
index 0000000000..6076b2adef
--- /dev/null
+++ b/tests/nonk8s_env/hsp/res/hsp-kubearmor-dev-udp-block.yaml
@@ -0,0 +1,25 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorHostPolicy
+metadata:
+ name: hsp-kubearmor-dev-udp-block-curl
+spec:
+ nodeSelector:
+ matchLabels:
+ kubearmor.io/hostname: "*"
+ severity: 5
+ network:
+ matchProtocols:
+ - protocol: udp
+ fromSource:
+ - path: /usr/bin/curl
+ action:
+ Block
+
+
+# curl google.com
+# curl: (6) Could not resolve host: google.com
+
+# curl 142.250.194.142
+# ... content
+
+# resolving google.com requires udp protocol
\ No newline at end of file
diff --git a/tests/util/kartutil.go b/tests/util/kartutil.go
index 345fef4646..fadc608891 100644
--- a/tests/util/kartutil.go
+++ b/tests/util/kartutil.go
@@ -708,3 +708,18 @@ func ContainerInfo() (*pb.ProbeResponse, error) {
 }
 return resp, nil
 }
+
+// ExecCommandHost function executes command on the host
+func ExecCommandHost(command []string) (string, error) {
+ ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+ defer cancel()
+
+ cmd := exec.CommandContext(ctx, command[0], command[1:]...)
+ output, err := cmd.CombinedOutput()
+
+ if err != nil {
+ return string(output), err
+ }
+
+ return string(output), nil
+}
From ea723f0636efbfc473a62641f36f1f52c15cf299 Mon Sep 17 00:00:00 2001
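Review bot: `ExecCommandHost` indexes `command[0]` without checking the slice, so an empty `command` panics inside the helper instead of returning an error; add `if len(command) == 0 { return "", errors.New("ExecCommandHost: empty command") }` at the top (with `errors.New` or `fmt.Errorf`, whichever the file already imports — the hunk adds no imports for `context`, `exec` or `time` either, so those are presumably already in scope). The `if err != nil` branch and the final return yield identical results, so the tail collapses to `return string(output), err`. When the 5-second deadline fires, `err` only reports the killed process; checking `ctx.Err()` after `CombinedOutput` and returning it would tell the caller the command timed out rather than that the policy blocked it. A doc comment of the form `// ExecCommandHost runs command on the host with a 5s timeout and returns its combined stdout and stderr.` would also document the timeout callers must budget for.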
From: Navin Chandra Date: Thu, 29 Aug 2024 18:31:47 +0000 Subject: [PATCH 2/4] Calculate coverage for systemd Signed-off-by: Navin Chandra --- .github/workflows/ci-merge-coverage.yaml | 22 +++++--- .github/workflows/ci-test-systemd.yml | 68 ++++++++++++++++++++++-- 2 files changed, 81 insertions(+), 9 deletions(-) diff --git a/.github/workflows/ci-merge-coverage.yaml b/.github/workflows/ci-merge-coverage.yaml index d26d37bd4e..a9bba2181f 100644 --- a/.github/workflows/ci-merge-coverage.yaml +++ b/.github/workflows/ci-merge-coverage.yaml @@ -2,7 +2,7 @@ name: ci-merge-coverage on: workflow_run: - workflows: [ci-test-ginkgo] + workflows: [ci-test-ginkgo, ci-test-systemd] types: - completed @@ -12,10 +12,14 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 60 steps: + - uses: actions/checkout@v3 + with: + submodules: true + - name: Check if all required workflows completed successfully id: check-workflows run: | - workflows=("ci-test-ginkgo") + workflows=("ci-test-ginkgo" "ci-test-systemd") all_completed=true commit_sha=$(git rev-parse HEAD) @@ -43,10 +47,6 @@ jobs: fi env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - uses: actions/checkout@v3 - with: - submodules: true - uses: actions/setup-go@v5 with: @@ -62,6 +62,16 @@ jobs: name_is_regexp: true search_artifacts: true + - name: Download systemd coverage files from ci-test-systemd + if: ${{ env.ci-test-systemd_status == 'success' }} + uses: dawidd6/action-download-artifact@v6 + with: + workflow: ci-test-systemd.yml + name: coverage.* + path: KubeArmor/ + name_is_regexp: true + search_artifacts: true + - uses: codecov/codecov-action@v4 with: token: ${{ secrets.CODECOV_TOKEN }} \ No newline at end of file diff --git a/.github/workflows/ci-test-systemd.yml b/.github/workflows/ci-test-systemd.yml index f9a9595b3b..059c3d7ee8 100644 --- a/.github/workflows/ci-test-systemd.yml +++ b/.github/workflows/ci-test-systemd.yml 
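Review bot: Moving `actions/checkout@v3` ahead of the `check-workflows` step makes `git rev-parse HEAD` succeed, but under a `workflow_run` trigger checkout without `ref` fetches `github.sha`, the latest commit on the default branch, not the commit whose test workflows just completed, so `commit_sha` points at the wrong commit for PR-triggered runs (the rest of that script is outside the hunk, so this assumes it uses `commit_sha` to look up run status). Use `commit_sha=${{ github.event.workflow_run.head_sha }}` instead of the git call, or pass `ref: ${{ github.event.workflow_run.head_sha }}` to checkout. The new `Download systemd coverage files` step, like the ginkgo one above it, selects by `name: coverage.*` with `search_artifacts: true` and no `commit` or `run_id`, so it can pick up a matching artifact from an older run; `commit: ${{ github.event.workflow_run.head_sha }}` pins it to the right one.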
@@ -22,7 +22,11 @@ permissions: read-all jobs: build: name: Test KubeArmor in Systemd Mode - runs-on: ubuntu-20.04 + runs-on: ${{ matrix.os }} + strategy: + matrix: + os: [ubuntu-latest, bpflsm] + timeout-minutes: 60 steps: - uses: actions/checkout@v3 with: @@ -44,6 +48,14 @@ jobs: install-only: true version: v1.25.0 + - name: Install protoc-gen-go + if: ${{ matrix.os == 'bpflsm' }} + run: | + go install google.golang.org/protobuf/cmd/protoc-gen-go@latest + go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@latest + env: + GOPATH: /home/vagrant/go + - name: Build Systemd Release run: make local-release working-directory: KubeArmor @@ -52,6 +64,21 @@ jobs: run: sudo apt install -y ./dist/kubearmor*amd64.deb working-directory: KubeArmor + - name: Compile test binary + run: go test -covermode=atomic -coverpkg=./... -c . -o kubearmor-test + working-directory: KubeArmor + + - name: Replace with test binary + run: | + sudo mkdir -p /coverage + sudo rm /opt/kubearmor/kubearmor + sudo cp kubearmor-test /opt/kubearmor/ + ls -l /opt/kubearmor/ + sudo sed -i 's|ExecStart=/opt/kubearmor/kubearmor|ExecStart=/opt/kubearmor/kubearmor-test -test.coverprofile=/coverage/coverage_systemd.out|' /lib/systemd/system/kubearmor.service + sudo systemctl daemon-reload + sudo systemctl restart kubearmor.service + working-directory: KubeArmor + - name: Check journalctl run: sudo journalctl -u kubearmor --no-pager 
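Review bot: The `Install protoc-gen-go` step installs both generators with `@latest`, so a `bpflsm` build resolves to whatever was published most recently and pulls unpinned tools onto a persistent self-hosted runner; pin them to the versions the module already requires, e.g. `go install google.golang.org/protobuf/cmd/protoc-gen-go@<version from go.mod>`. In `Replace with test binary`, the `sed -i` substitution is silent when the `ExecStart=` line does not match exactly, in which case `systemctl restart` brings the original binary back up and no coverage file is ever written; adding `grep -q 'kubearmor-test -test.coverprofile' /lib/systemd/system/kubearmor.service` after the sed turns that into a visible failure.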
@@ -61,5 +88,40 @@ jobs: make working-directory: ./tests/nonk8s_env timeout-minutes: 30 - - + + - name: Kill kubearmor process and copy coverage file + run: | + sudo systemctl stop kubearmor + sleep 15 + for i in {1..24}; do + if [ -f /coverage/coverage_systemd.out ]; then + sudo cp /coverage/coverage_systemd.out coverage_systemd_${{ matrix.os }}.out + break + fi + sleep 5 + done + working-directory: KubeArmor + + - name: Measure code coverage + if: ${{ always() }} + run: | + ls -l + go tool cover -func coverage_systemd_${{ matrix.os }}.out + working-directory: KubeArmor + env: + GOPATH: ${{ matrix.os == 'bpflsm' && '/home/vagrant/go' || '/home/runner/go' }} + + - name: Save coverage file + if: ${{ always() }} + uses: actions/upload-artifact@v4 + with: + name: coverage-systemd-${{ matrix.os }} + path: KubeArmor/coverage_systemd_${{ matrix.os }}.out + + - name: Run cleanup + if: ${{ always() && matrix.os == 'bpflsm' }} + run: | + sudo systemctl disable kubearmor.service + sudo rm -rf /opt/kubearmor/ + sudo apt-get --purge remove -y kubearmor + sudo systemctl daemon-reload From 6d2d2de629cb6e028a1ebc0b3c7026c16baa3d06 Mon Sep 17 00:00:00 2001 From: Navin Chandra <98466550+navin772@users.noreply.github.com> Date: Wed, 18 Sep 2024 11:15:39 +0530 Subject: [PATCH 3/4] use v4 actions checkout Signed-off-by: Navin Chandra Co-authored-by: Barun Acharya --- .github/workflows/ci-merge-coverage.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci-merge-coverage.yaml b/.github/workflows/ci-merge-coverage.yaml index a9bba2181f..eb0048b3f8 100644 --- a/.github/workflows/ci-merge-coverage.yaml +++ b/.github/workflows/ci-merge-coverage.yaml @@ -12,7 +12,7 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 60 steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: submodules: true From 36227561d590a4c60432808c8d0024ab6e48ff3d Mon Sep 17 00:00:00 2001 
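Review bot: On the persistent `bpflsm` runner `/coverage/coverage_systemd.out` from a previous run survives, because `Replace with test binary` only does `mkdir -p /coverage` and the cleanup step never removes it, so the copy loop in `Kill kubearmor process and copy coverage file` can pick up a stale file and report old coverage when the new test binary never wrote one. Remove it before the restart (`sudo rm -f /coverage/coverage_systemd.out` next to the `mkdir`) and add `sudo rm -rf /coverage` to `Run cleanup`. The loop also exits successfully when the file never appears, leaving `Measure code coverage` to fail on a missing file; ending the step with `test -f coverage_systemd_${{ matrix.os }}.out || { echo "coverage file not produced"; exit 1; }` fails it where the cause is. The `sleep 15` before the loop is redundant with the loop's own polling.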
From: Navin Chandra <98466550+navin772@users.noreply.github.com> Date: Fri, 18 Oct 2024 11:14:23 +0530 Subject: [PATCH 4/4] declare default permissions as read only Signed-off-by: Navin Chandra --- .github/workflows/ci-merge-coverage.yaml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci-merge-coverage.yaml b/.github/workflows/ci-merge-coverage.yaml index eb0048b3f8..bceb08d8d6 100644 --- a/.github/workflows/ci-merge-coverage.yaml +++ b/.github/workflows/ci-merge-coverage.yaml @@ -6,6 +6,9 @@ on: types: - completed +# Declare default permissions as read only. +permissions: read-all + jobs: merge-coverage-files: name: Download and merge files @@ -74,4 +77,4 @@ jobs: - uses: codecov/codecov-action@v4 with: - token: ${{ secrets.CODECOV_TOKEN }} \ No newline at end of file + token: ${{ secrets.CODECOV_TOKEN }}
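Review bot: `permissions: read-all` grants the token read access to every scope, while the steps visible in this file need only `contents: read` for checkout and `actions: read` for the run-status lookup that uses `GITHUB_TOKEN` (the body of that script is outside the hunk, so this assumes it queries the Actions API); the codecov step uses its own `CODECOV_TOKEN`. Declaring `permissions:` with `contents: read` and `actions: read` keeps this `workflow_run` job, which runs in the base repository context with access to secrets, at the least privilege it needs.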