From 559945a3562f05e03f287c29d2bd001cadb627dc Mon Sep 17 00:00:00 2001 From: abhashsolanki18 Date: Sat, 9 Nov 2024 12:55:41 +0530 Subject: [PATCH 1/3] assert command Signed-off-by: abhashsolanki18 --- tests/k8s_env/visibility/visibility_test.go | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/tests/k8s_env/visibility/visibility_test.go b/tests/k8s_env/visibility/visibility_test.go index b26ebac49c..29fe63d2e6 100644 --- a/tests/k8s_env/visibility/visibility_test.go +++ b/tests/k8s_env/visibility/visibility_test.go @@ -60,9 +60,8 @@ var _ = Describe("Visibility", func() { err = KarmorLogStart("all", "wordpress-mysql", "", wp) Expect(err).To(BeNil()) - sout, _, err := K8sExecInPod(wp, "wordpress-mysql", []string{"bash", "-c", "ping google.com -c1"}) - Expect(err).To(BeNil()) - fmt.Printf("---START---\n%s---END---\n", sout) + // Use Assert command + util.AssertCommand(wp, "wordpress-mysql", []string{"bash", "-c", "ping google.com -c1"}, MatchRegexp(".*"), false) // check audit logs logs, _, err := KarmorGetLogs(5*time.Second, 50) @@ -89,9 +88,8 @@ var _ = Describe("Visibility", func() { err = KarmorLogStart("all", "wordpress-mysql", "", wp) Expect(err).To(BeNil()) - sout, _, err := K8sExecInPod(wp, "wordpress-mysql", []string{"bash", "-c", "ping google.com -c1"}) - Expect(err).To(BeNil()) - fmt.Printf("---START---\n%s---END---\n", sout) + // Use Assert command + util.AssertCommand(wp, "wordpress-mysql", []string{"bash", "-c", "ping google.com -c1"}, MatchRegexp(".*"), false) // check audit logs logs, _, err := KarmorGetLogs(5*time.Second, 50) 
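Review bot: In the `@@ -60,9 +60,8` hunk the new call passes `MatchRegexp(".*")`, which accepts any output including the empty string, and the explicit `Expect(err).To(BeNil())` it replaces is removed. Whether a failed exec still fails the test now depends on `AssertCommand`, whose body is not part of this patch. The audit-log checks that follow would probably catch a command that never ran, but the failure would then point at the wrong step. The same pattern appears in the other two visibility hunks and in most `syscalls_test.go` hunks of patch 2/3. In place of `// Use Assert command`, a comment such as `// output is irrelevant here; only the generated log is checked` would state the intent.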
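Review bot: The call in the `@@ -89,9 +88,8` hunk (as in the `-60` and `-115` hunks) is written `util.AssertCommand(...)`, while every other test file in this series calls `AssertCommand(...)` unqualified, next to `K8sExecInPod` and `KarmorGetLogs`. If the helpers are dot-imported in this file as those unqualified calls suggest, `util` is probably not a name in scope and the file will not compile; `AssertCommand(wp, "wordpress-mysql", ...)` would match the rest of the series. Patch 3/3 lists visibility_test.go in its diffstat, but its hunks are not visible here.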
@@ -115,9 +113,9 @@ var _ = Describe("Visibility", func() { err = KarmorLogStart("all", "wordpress-mysql", "", wp) Expect(err).To(BeNil()) - sout, _, err := K8sExecInPod(wp, "wordpress-mysql", []string{"bash", "-c", "ping google.com -c1"}) - Expect(err).To(BeNil()) - fmt.Printf("---START---\n%s---END---\n", sout) + // Use Assert command + util.AssertCommand(wp, "wordpress-mysql", []string{"bash", "-c", "ping google.com -c1"}, MatchRegexp(".*"), false) + // check audit logs logs, _, err := KarmorGetLogs(5*time.Second, 50) From f4f90bb2712b2c73a1014a395533d0312280eef4 Mon Sep 17 00:00:00 2001 From: abhashsolanki18 Date: Sun, 10 Nov 2024 10:30:36 +0530 Subject: [PATCH 2/3] added Assert command Signed-off-by: abhashsolanki18 --- tests/k8s_env/blockposture/block_test.go | 26 +- tests/k8s_env/ksp/ksp_test.go | 111 ++++---- tests/k8s_env/smoke/smoke_test.go | 139 +++++----- tests/k8s_env/syscalls/syscalls_test.go | 277 +++++++++++++------- tests/k8s_env/throttling/throttling_test.go | 26 +- 5 files changed, 333 insertions(+), 246 deletions(-) diff --git a/tests/k8s_env/blockposture/block_test.go b/tests/k8s_env/blockposture/block_test.go index 5e3bc6b1ff..2beeda80f5 100644 --- a/tests/k8s_env/blockposture/block_test.go +++ b/tests/k8s_env/blockposture/block_test.go @@ -73,11 +73,10 @@ var _ = Describe("Posture", func() { wp, "wordpress-mysql", []string{"bash", "-c", "curl google.com"}, MatchRegexp("curl.*Could not resolve host: google.com"), true, ) - - out, _, err := K8sExecInPod(wp, "wordpress-mysql", []string{"bash", "-c", "curl 142.250.193.46"}) - Expect(err).To(BeNil()) - fmt.Printf("---START---\n%s---END---\n", out) - Expect(out).To(MatchRegexp("((?:.*\r?\n?)*)")) + AssertCommand( + wp, "wordpress-mysql", []string{"bash", "-c", "curl 142.250.193.46"}, + MatchRegexp("((?:.*\r?\n?)*)"), false + ) // check policy violation alert _, alerts, err := KarmorGetLogs(5*time.Second, 1) Expect(err).To(BeNil()) 
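Review bot: In the block_test.go hunk `@@ -73,11 +73,10` the matcher for `curl 142.250.193.46` is `MatchRegexp("((?:.*\r?\n?)*)")`, which matches every string including the empty one, so what appears to be the allowed-traffic step passes even if the connection is blocked. smoke_test.go in the same patch asserts `ContainSubstring("http://www.google.com/")` for the identical command; using that here would turn the allow case into a real check. The `cat readme.html` call in the `@@ -101,16 +100,15` hunk has the same match-all pattern, where `Not(ContainSubstring("Permission denied"))` would be the equivalent.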
@@ -101,16 +100,15 @@ var _ = Describe("Posture", func() { Expect(err).To(BeNil()) //curl needs UDP for DNS resolution - sout, _, err := K8sExecInPod(wp, "wordpress-mysql", []string{"bash", "-c", "cat wp-config.php"}) - Expect(err).To(BeNil()) - fmt.Printf("---START---\n%s---END---\n", sout) - Expect(sout).To(MatchRegexp("cat.*Permission denied")) - + AssertCommand( + wp, "wordpress-mysql", []string{"bash", "-c", "cat wp-config.php"}, + MatchRegexp("cat.*Permission denied"), false + ) //test that tcp is whitelisted - out, _, err := K8sExecInPod(wp, "wordpress-mysql", []string{"bash", "-c", "cat readme.html"}) - Expect(err).To(BeNil()) - fmt.Printf("---START---\n%s---END---\n", out) - Expect(out).To(MatchRegexp("((?:.*\r?\n?)*)")) + AssertCommand( + wp, "wordpress-mysql", []string{"bash", "-c", "cat readme.html"}, + MatchRegexp("((?:.*\r?\n?)*)"), false + ) // check policy violation alert _, alerts, err := KarmorGetLogs(5*time.Second, 1) Expect(err).To(BeNil()) diff --git a/tests/k8s_env/ksp/ksp_test.go b/tests/k8s_env/ksp/ksp_test.go index 37d48b5218..6562e8f080 100644 --- a/tests/k8s_env/ksp/ksp_test.go +++ b/tests/k8s_env/ksp/ksp_test.go @@ -84,9 +84,10 @@ var _ = Describe("Ksp", func() { err = KarmorLogStart("all", "nginx", "", pods.Items[0].Name) Expect(err).To(BeNil()) - sout, _, err := K8sExecInPod(pods.Items[0].Name, "nginx", []string{"ls"}) - Expect(err).To(BeNil()) - fmt.Printf("---START---\n%s---END---\n", sout) + AssertCommand( + pods.Items[0].Name, "nginx", []string{"ls"}, + MatchRegexp(".*"), false + ) // check audit logs logs, _, err := KarmorGetLogs(5*time.Second, 50) 
@@ -110,12 +111,10 @@ var _ = Describe("Ksp", func() { err = KarmorLogStart("policy", "multiubuntu", "Network", ub1) Expect(err).To(BeNil()) - sout, _, err := K8sExecInPod(ub1, "multiubuntu", - []string{"bash", "-c", "ping -c 1 127.0.0.1"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) - Expect(sout).To(MatchRegexp("PING.*127.0.0.1")) - + AssertCommand( + ub1, "multiubuntu", []string{"bash", "-c", "ping -c 1 127.0.0.1"}, + MatchRegexp("PING.*127.0.0.1"), false + ) expect := protobuf.Alert{ PolicyName: "ksp-ubuntu-1-audit-net-icmp", Severity: "8", @@ -220,11 +219,10 @@ var _ = Describe("Ksp", func() { err = KarmorLogStart("policy", "multiubuntu", "Network", ub1) Expect(err).To(BeNil()) - sout, _, err := K8sExecInPod(ub1, "multiubuntu", - []string{"bash", "-c", "arping -c 1 127.0.0.1"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) - Expect(sout).To(MatchRegexp("ARPING 127.0.0.1")) + AssertCommand( + ub1, "multiubuntu", []string{"bash", "-c", "arping -c 1 127.0.0.1"}, + MatchRegexp("ARPING 127.0.0.1"), false + ) expect := protobuf.Alert{ PolicyName: "ksp-ubuntu-1-audit-net-raw", @@ -396,10 +394,10 @@ var _ = Describe("Ksp", func() { err = KarmorLogStart("policy", "multiubuntu", "Process", ub4) Expect(err).To(BeNil()) - sout, _, err := K8sExecInPod(ub4, "multiubuntu", - []string{"bash", "-c", "sleep 1"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) + AssertCommand( + ub4, "multiubuntu", []string{"bash", "-c", "sleep 1"}, + MatchRegexp(""), false + ) expect := protobuf.Alert{ PolicyName: "ksp-group-2-audit-proc-path", 
@@ -603,11 +601,10 @@ var _ = Describe("Ksp", func() { AssertCommand(ub3, "multiubuntu", []string{"bash", "-c", "/home/user1/hello"}, MatchRegexp("hello.*Permission denied"), true, ) - sout, _, err := K8sExecInPod(ub3, "multiubuntu", - []string{"bash", "-c", "/home/user1/hello"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) - Expect(sout).To(MatchRegexp("hello.*Permission denied")) + AssertCommand( + ub3, "multiubuntu", []string{"bash", "-c", "/home/user1/hello"}, + MatchRegexp("hello.*Permission denied"), false + ) expect := protobuf.Alert{ PolicyName: "ksp-ubuntu-3-block-proc-path-owner", @@ -908,10 +905,10 @@ var _ = Describe("Ksp", func() { err = KarmorLogStart("policy", "multiubuntu", "File", ub1) Expect(err).To(BeNil()) - sout, _, err := K8sExecInPod(ub1, "multiubuntu", - []string{"bash", "-c", "touch /home/user1/new1"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) + AssertCommand( + ub1, "multiubuntu", []string{"bash", "-c", "touch /home/user1/new1"}, + MatchRegexp(".*"), false + ) expect := protobuf.Alert{ PolicyName: "ksp-ubuntu-1-audit-file-access-owner-readonly", @@ -1488,10 +1485,11 @@ var _ = Describe("Ksp", func() { err = KarmorLogStart("system", "multiubuntu", "File", ub4) Expect(err).To(BeNil()) - sout, _, err := K8sExecInPod(ub4, "multiubuntu", - []string{"bash", "-c", "su - user1 -c 'cat /home/user1/secret_data1.txt'"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) + AssertCommand( + ub4, "multiubuntu", []string{"bash", "-c", "su - user1 -c 'cat /home/user1/secret_data1.txt'"}, + MatchRegexp(".*"), false + ) + // Expect(sout).To(ContainSubstring("secret file user1")) expectLog := protobuf.Log{ 
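Review bot: The `AssertCommand` added in the `@@ -603,11 +601,10` hunk repeats the call on the context lines directly above it: same pod `ub3`, same `/home/user1/hello` command, same `MatchRegexp("hello.*Permission denied")`, differing only in the last argument (`false` instead of `true`). The removed code also ran the command a second time, so behaviour is preserved, but after the conversion the second call adds no coverage. Dropping the added block and keeping the existing call would be enough, unless the second execution is needed to produce the alert compared below, which the hunk does not show.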
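Review bot: In the `@@ -1488,10 +1485,11` hunk the commented-out `// Expect(sout).To(ContainSubstring("secret file user1"))` is left behind although `sout` no longer exists after this change. Either delete the comment or, if the expectation is meant to hold, pass it as the matcher: `ContainSubstring("secret file user1"), false` in place of `MatchRegexp(".*"), false`. Why the assertion was disabled is not visible here, so the second option needs checking against a real run.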
@@ -1605,10 +1603,10 @@ var _ = Describe("Ksp", func() { // Test 3: write operation on the file by the owner should also be allowed // No need for AssertCommand here since there is nothing to match - sout, _, err := K8sExecInPod(ub3, "multiubuntu", - []string{"bash", "-c", "su - user1 -c 'echo user1 >> /home/user1/secret_data1.txt'"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) + AssertCommand( + ub3, "multiubuntu", []string{"bash", "-c", "su - user1 -c 'echo user1 >> /home/user1/secret_data1.txt'"}, + MatchRegexp(".*"), false + ) }) @@ -1667,11 +1665,10 @@ var _ = Describe("Ksp", func() { err = KarmorLogStart("system", "multiubuntu", "File", ub4) Expect(err).To(BeNil()) - sout, _, err := K8sExecInPod(ub4, "multiubuntu", - []string{"bash", "-c", "./readwrite -r /secret.txt"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) - Expect(sout).To(ContainSubstring("s")) + AssertCommand( + ub4, "multiubuntu", []string{"bash", "-c", "./readwrite -r /secret.txt"}, + MatchRegexp("s"), false + ) expectLog = protobuf.Log{ Resource: "secret.txt", @@ -1705,10 +1702,10 @@ var _ = Describe("Ksp", func() { err = KarmorLogStart("policy", "multiubuntu", "File", ub4) Expect(err).To(BeNil()) - sout, _, err := K8sExecInPod(ub4, "multiubuntu", - []string{"bash", "-c", "./readwrite -w /credentials/password"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) + AssertCommand( + ub4, "multiubuntu", []string{"bash", "-c", "./readwrite -w /credentials/password"}, + MatchRegexp(".*"), false + ) expect := protobuf.Alert{ PolicyName: "DefaultPosture", 
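Review bot: The context comment `// No need for AssertCommand here since there is nothing to match` in the `@@ -1605,10 +1603,10` hunk now sits directly above an `AssertCommand(...)` call and contradicts it. Either drop it or replace it with something like `// output is not checked; the write only has to succeed`. If the owner's write is expected to succeed, `MatchRegexp(".*")` does not show that; `Not(ContainSubstring("Permission denied"))` would, assuming a denial prints that message as it does in the other tests.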
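Review bot: `MatchRegexp("s")` in the `@@ -1667,11 +1665,10` hunk passes on any output that contains the letter s, so it cannot tell the content of `/secret.txt` from an error message such as `Permission denied`. This is carried over from the removed `ContainSubstring("s")`, but the conversion is a good moment to tighten it. If the read is expected to be allowed here, matching the file's known content, or at least `Not(ContainSubstring("Permission denied"))`, would make the step meaningful. The hunk does not show what `./readwrite` prints on a denial, so the exact matcher needs confirming.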
@@ -1724,10 +1721,10 @@ var _ = Describe("Ksp", func() { // Test 3: reading some other file should be denied as not allowed by the policy - sout, _, err = K8sExecInPod(ub4, "multiubuntu", - []string{"bash", "-c", "./readwrite -r /secret.txt"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) + AssertCommand( + ub4, "multiubuntu", []string{"bash", "-c", "./readwrite -r /secret.txt"}, + MatchRegexp(".*"), false + ) expect = protobuf.Alert{ PolicyName: "DefaultPosture", @@ -1806,10 +1803,10 @@ var _ = Describe("Ksp", func() { err = KarmorLogStart("policy", "multiubuntu", "File", ub4) Expect(err).To(BeNil()) - sout, _, err := K8sExecInPod(ub4, "multiubuntu", - []string{"bash", "-c", "touch /dev/shm/new"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) + AssertCommand( + ub4, "multiubuntu", []string{"bash", "-c", "touch /dev/shm/new"}, + MatchRegexp(".*"), false + ) expect := protobuf.Alert{ PolicyName: "ksp-ubuntu-4-audit-file-path-readonly", @@ -1982,11 +1979,11 @@ var _ = Describe("Ksp", func() { err = KarmorLogStart("system", "multiubuntu", "File", ub4) Expect(err).To(BeNil()) - sout, _, err := K8sExecInPod(ub4, "multiubuntu", - []string{"bash", "-c", "cat /credentials/password"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) - Expect(sout).To(ContainSubstring("password file")) + AssertCommand( + ub4, "multiubuntu", []string{"bash", "-c", "cat /credentials/password"}, + ContainSubstring("password file"), false + ) + }) }) diff --git a/tests/k8s_env/smoke/smoke_test.go b/tests/k8s_env/smoke/smoke_test.go index f3aee3f410..fd8a720ca3 100644 --- a/tests/k8s_env/smoke/smoke_test.go +++ b/tests/k8s_env/smoke/smoke_test.go 
@@ -66,11 +66,10 @@ var _ = Describe("Smoke", func() { // wait for policy creation time.Sleep(5 * time.Second) - sout, _, err := K8sExecInPod(wp, "wordpress-mysql", []string{"bash", "-c", "apt"}) - Expect(err).To(BeNil()) - fmt.Printf("---START---\n%s---END---\n", sout) - Expect(sout).To(MatchRegexp("apt.*Permission denied")) - + AssertCommand( + wp, "wordpress-mysql", []string{"bash", "-c", "apt"}, + MatchRegexp("apt.*Permission denied"), false + ) // check policy violation alert _, alerts, err := KarmorGetLogs(5*time.Second, 1) Expect(err).To(BeNil()) @@ -91,12 +90,10 @@ var _ = Describe("Smoke", func() { // wait for policy creation time.Sleep(5 * time.Second) - sout, _, err := K8sExecInPod(wp, "wordpress-mysql", - []string{"bash", "-c", "cat /var/www/html/wp-config.php"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) - Expect(sout).To(MatchRegexp("wp-config.php.*Permission denied")) - + AssertCommand( + wp, "wordpress-mysql", []string{"bash", "-c", "cat /var/www/html/wp-config.php"}, + MatchRegexp("wp-config.php.*Permission denied"), false + ) // check policy violation alert _, alerts, err := KarmorGetLogs(5*time.Second, 1) Expect(err).To(BeNil()) @@ -119,12 +116,10 @@ var _ = Describe("Smoke", func() { // wait for policy creation time.Sleep(5 * time.Second) - sout, _, err := K8sExecInPod(wp, "wordpress-mysql", - []string{"bash", "-c", "cat wp-config.php"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) - Expect(sout).To(MatchRegexp("wp-config.php.*Permission denied")) - + AssertCommand( + wp, "wordpress-mysql", []string{"bash", "-c", "cat wp-config.php"}, + MatchRegexp("wp-config.php.*Permission denied"), false + ) // check policy violation alert _, alerts, err := KarmorGetLogs(5*time.Second, 1) Expect(err).To(BeNil()) 
@@ -146,13 +141,11 @@ var _ = Describe("Smoke", func() { // wait for policy creation time.Sleep(5 * time.Second) - - sout, _, err := K8sExecInPod(wp, "wordpress-mysql", - []string{"bash", "-c", "cat /run/secrets/kubernetes.io/serviceaccount/token"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) - Expect(sout).To(MatchRegexp("token.*Permission denied")) - + + AssertCommand( + wp, "wordpress-mysql", []string{"bash", "-c", "cat /run/secrets/kubernetes.io/serviceaccount/token"}, + MatchRegexp("token.*Permission denied"), false + ) // check policy violation alert _, alerts, err := KarmorGetLogs(5*time.Second, 1) Expect(err).To(BeNil()) @@ -174,11 +167,10 @@ var _ = Describe("Smoke", func() { time.Sleep(5 * time.Second) // trigger policy violation alert - sout, _, err := K8sExecInPod(wp, "wordpress-mysql", - []string{"bash", "-c", "head /run/secrets/kubernetes.io/serviceaccount/token"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) - Expect(sout).To(MatchRegexp("token.*Permission denied")) + AssertCommand( + wp, "wordpress-mysql", []string{"bash", "-c", "head /run/secrets/kubernetes.io/serviceaccount/token"}, + MatchRegexp("token.*Permission denied"), false + ) // check policy violation alert _, alerts, err := KarmorGetLogs(5*time.Second, 1) 
@@ -189,20 +181,22 @@ var _ = Describe("Smoke", func() { Expect(alerts[0].Severity).To(Equal("7")) // trigger normal operations permitted by policy - sout, _, err = K8sExecInPod(wp, "wordpress-mysql", - []string{"bash", "-c", "cat /run/secrets/kubernetes.io/serviceaccount/token"}) - Expect(err).To(BeNil()) - Expect(sout).To(Not(ContainSubstring("Permission denied"))) - sout, _, err = K8sExecInPod(wp, "wordpress-mysql", - []string{"bash", "-c", "cat /etc/passwd"}) - Expect(err).To(BeNil()) - Expect(sout).To(Not(ContainSubstring("Permission denied"))) + AssertCommand( + wp, "wordpress-mysql", []string{"bash", "-c", "cat /run/secrets/kubernetes.io/serviceaccount/token"}, + Not(ContainSubstring("Permission denied")), false + ) + + AssertCommand( + wp, "wordpress-mysql", []string{"bash", "-c", "cat /etc/passwd"}, + Not(ContainSubstring("Permission denied")), false + ) + + AssertCommand( + wp, "wordpress-mysql", []string{"bash", "-c", "head /etc/passwd"}, + Not(ContainSubstring("Permission denied")), false + ) - sout, _, err = K8sExecInPod(wp, "wordpress-mysql", - []string{"bash", "-c", "head /etc/passwd"}) - Expect(err).To(BeNil()) - Expect(sout).To(Not(ContainSubstring("Permission denied"))) // check for no policy violation alert _, alerts, err = KarmorGetLogs(3*time.Second, 1) @@ -223,10 +217,10 @@ var _ = Describe("Smoke", func() { time.Sleep(5 * time.Second) fname := fmt.Sprintf("/var/lib/mysql/%s", RandString(12)) - sout, _, err := K8sExecInPod(sql, "wordpress-mysql", - []string{"bash", "-c", fmt.Sprintf("touch %s", fname)}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) + AssertCommand( + sql, "wordpress-mysql", []string{"bash", "-c", fmt.Sprintf("touch %s", fname)}, + BeEmpty(), false + ) // check policy violation alert _, alerts, err := KarmorGetLogs(5*time.Second, 1) 
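Review bot: The first added call in the `@@ -189,20 +181,22` hunk runs `cat /run/secrets/kubernetes.io/serviceaccount/token` on the path where the read is expected to succeed, and the removed code did not print `sout` for these three commands. If `AssertCommand` logs the command output, as the `fmt.Printf` lines it replaces elsewhere did, the pod's service-account token ends up in the test log; its body is not part of this patch, so this needs checking. Discarding stdout in the command, e.g. `"cat /run/secrets/kubernetes.io/serviceaccount/token >/dev/null"`, would keep the `Not(ContainSubstring("Permission denied"))` check without emitting the secret, assuming the denial message arrives on stderr.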
@@ -236,9 +230,11 @@ var _ = Describe("Smoke", func() { Expect(alerts[0].PolicyName).To(Equal("ksp-mysql-audit-dir")) Expect(alerts[0].Severity).To(Equal("5")) - _, _, err = K8sExecInPod(sql, "wordpress-mysql", - []string{"bash", "-c", fmt.Sprintf("rm %s", fname)}) - Expect(err).To(BeNil()) + AssertCommand( + sql, "wordpress-mysql", []string{"bash", "-c", fmt.Sprintf("rm %s", fname)}, + BeEmpty(), false + ) + }) It("can enforce multiple rules targeting same pod", func() { @@ -251,17 +247,16 @@ var _ = Describe("Smoke", func() { Expect(err).To(BeNil()) // trigger policy violation alert - sout, _, err := K8sExecInPod(wp, "wordpress-mysql", - []string{"bash", "-c", "cat /etc/passwd"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) - Expect(sout).To(MatchRegexp("/etc/passwd.*Permission denied")) + AssertCommand( + wp, "wordpress-mysql", []string{"bash", "-c", "cat /etc/passwd"}, + MatchRegexp("/etc/passwd.*Permission denied"), false + ) + + AssertCommand( + wp, "wordpress-mysql", []string{"bash", "-c", "cat /etc/shadow"}, + MatchRegexp("/etc/shadow.*Permission denied"), false + ) - sout, _, err = K8sExecInPod(wp, "wordpress-mysql", - []string{"bash", "-c", "cat /etc/shadow"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) - Expect(sout).To(MatchRegexp("/etc/shadow.*Permission denied")) }) It("can block write access and only allow read access to mounted files", func() { @@ -276,11 +271,10 @@ var _ = Describe("Smoke", func() { // wait for policy creation time.Sleep(5 * time.Second) - sout, _, err := K8sExecInPod(wp, "wordpress-mysql", - []string{"bash", "-c", "touch /dev/shm/new"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) - Expect(sout).To(ContainSubstring("Permission denied")) + AssertCommand( + wp, "wordpress-mysql", []string{"bash", "-c", "touch /dev/shm/new"}, + ContainSubstring("Permission denied"), false + ) // check policy violation alert _, alerts, err := KarmorGetLogs(5*time.Second, 1) 
@@ -302,10 +296,11 @@ var _ = Describe("Smoke", func() { // wait for policy creation time.Sleep(5 * time.Second) - sout, _, err := K8sExecInPod(wp, "wordpress-mysql", - []string{"bash", "-c", "curl 142.250.193.46"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) + AssertCommand( + wp, "wordpress-mysql", []string{"bash", "-c", "curl 142.250.193.46"}, + ContainSubstring("http://www.google.com/"), false + ) + // tcp action Expect(sout).To(ContainSubstring("http://www.google.com/")) @@ -316,12 +311,10 @@ var _ = Describe("Smoke", func() { Expect(len(alerts)).To(Equal(0)) // tcp + udp + raw action - sout, _, err = K8sExecInPod(wp, "wordpress-mysql", - []string{"bash", "-c", "curl google.com"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) - Expect(sout).To(ContainSubstring("http://www.google.com/")) - + AssertCommand( + wp, "wordpress-mysql", []string{"bash", "-c", "curl google.com"}, + ContainSubstring("http://www.google.com/"), false + ) // check alert _, alerts, err = KarmorGetLogs(5*time.Second, 1) Expect(err).To(BeNil()) diff --git a/tests/k8s_env/syscalls/syscalls_test.go b/tests/k8s_env/syscalls/syscalls_test.go index 0a94c691d9..76624f0b19 100644 --- a/tests/k8s_env/syscalls/syscalls_test.go +++ b/tests/k8s_env/syscalls/syscalls_test.go @@ -58,10 +58,14 @@ var _ = Describe("Syscalls", func() { err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "unlink /dummy"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "touch /dummy"}, + MatchRegexp(".*"), false + ) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "unlink /dummy"}, + MatchRegexp(".*"), false + ) // check policy alert expect := protobuf.Alert{ 
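Review bot: The context line `Expect(sout).To(ContainSubstring("http://www.google.com/"))` under `// tcp action` in the `@@ -302,10 +296,11` hunk still reads `sout`, but this hunk removes the `sout, _, err := K8sExecInPod(...)` that declared it, so the test will not compile unless `sout` is declared outside the lines shown. The assertion is now carried by the matcher passed to `AssertCommand`, so that line can simply be deleted. The same leftover occurs in syscalls_test.go, where `fmt.Printf("OUTPUT: %s\n", sout)` survives in the `@@ -567,12 +662,15` and `@@ -596,9 +694,10` hunks after their `sout` declarations are removed. Patch 3/3 lists both files in its diffstat, but those hunks are not visible here.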
@@ -86,13 +90,19 @@ var _ = Describe("Syscalls", func() { err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "cp /usr/bin/unlink /bin/unlink"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "cp /usr/bin/unlink /bin/unlink"}, + MatchRegexp(".*"), false + ) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "/bin/unlink /dummy"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "touch /dummy"}, + MatchRegexp(".*"), false + ) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "/bin/unlink /dummy"}, + MatchRegexp(".*"), false + ) // check policy alert expect := protobuf.Alert{ 
@@ -117,16 +127,25 @@ var _ = Describe("Syscalls", func() { err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "mkdir -p /foo/bar"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "mkdir -p /foo/bar"}, + MatchRegexp(".*"), false + ) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "cp /usr/bin/unlink /foo/bar/unlink"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "cp /usr/bin/unlink /foo/bar/unlink"}, + MatchRegexp(".*"), false + ) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "/foo/bar/unlink /dummy"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "touch /dummy"}, + MatchRegexp(".*"), false + ) + + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "/foo/bar/unlink /dummy"}, + MatchRegexp(".*"), false + ) // check policy alert expect := protobuf.Alert{ 
@@ -151,13 +170,20 @@ var _ = Describe("Syscalls", func() { err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "cp /usr/bin/unlink /unlink"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "cp /usr/bin/unlink /unlink"}, + MatchRegexp(".*"), false + ) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "/unlink /dummy"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "touch /dummy"}, + MatchRegexp(".*"), false + ) + + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "/unlink /dummy"}, + MatchRegexp(".*"), false + ) // check policy alert expect := protobuf.Alert{ @@ -185,10 +211,15 @@ var _ = Describe("Syscalls", func() { err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}, + MatchRegexp(".*"), false + ) + + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}, + MatchRegexp(".*"), false + ) // check policy alert expect := protobuf.Alert{ 
@@ -213,10 +244,15 @@ var _ = Describe("Syscalls", func() { err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "unlink /dummy"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "touch /dummy"}, + MatchRegexp(".*"), false + ) + + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "unlink /dummy"}, + MatchRegexp(".*"), false + ) // check policy alert expect := protobuf.Alert{ @@ -237,17 +273,24 @@ var _ = Describe("Syscalls", func() { err := K8sApply([]string{"manifests/matchpaths/unlink-dir-recursive-fromsource-path.yaml"}) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "cp /usr/bin/unlink /bin/unlink"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "cp /usr/bin/unlink /bin/unlink"}, + MatchRegexp(".*"), false + ) // Start Kubearmor Logs err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "/bin/unlink /home/dummy"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}, + MatchRegexp(".*"), false, + ) + + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "/bin/unlink /home/dummy"}, + MatchRegexp(".*"), false, + ) // check policy alert expect := protobuf.Alert{ 
@@ -272,10 +315,15 @@ var _ = Describe("Syscalls", func() { err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}, + MatchRegexp(".*"), false, + ) + + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "/bin/unlink /home/dummy"}, + MatchRegexp(".*"), false, + ) // check policy alert expect := protobuf.Alert{ @@ -296,17 +344,24 @@ var _ = Describe("Syscalls", func() { err := K8sApply([]string{"manifests/matchpaths/unlink-dir-recursive-fromsource-dir.yaml"}) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "cp /usr/bin/unlink /bin/unlink"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "cp /usr/bin/unlink /bin/unlink"}, + MatchRegexp(".*"), false, + ) // Start Kubearmor Logs err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "/bin/unlink /home/dummy"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}, + MatchRegexp(".*"), false, + ) + + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "/bin/unlink /home/dummy"}, + MatchRegexp(".*"), false, + ) // check policy alert expect := protobuf.Alert{ 
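Review bot: The second call in the `@@ -272,10 +315,15` hunk runs `/bin/unlink /home/dummy`, whereas the line it replaces ran `unlink /home/dummy`, so the conversion silently changes which binary path issues the syscall. Nothing in this hunk copies `unlink` to `/bin/unlink` the way the neighbouring fromSource hunks do, which suggests a copy-paste from those. If the policy under test depends on the source of the syscall, the alert comparison could now pass or fail for a different reason than before. Restoring `[]string{"bash", "-c", "unlink /home/dummy"}` keeps the refactor behaviour-preserving; the enclosing `It` block begins and ends outside the hunk.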
@@ -334,10 +389,15 @@ var _ = Describe("Syscalls", func() { err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}, + MatchRegexp(".*"), false, + ) + + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}, + MatchRegexp(".*"), false, + ) // check policy alert expect := protobuf.Alert{ @@ -363,10 +423,15 @@ var _ = Describe("Syscalls", func() { err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}, + MatchRegexp(".*"), false, + ) + + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}, + MatchRegexp(".*"), false, + ) // check policy alert expect := protobuf.Alert{ @@ -392,10 +457,15 @@ var _ = Describe("Syscalls", func() { err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}, + MatchRegexp(".*"), false, + ) + + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}, + MatchRegexp(".*"), false, + ) // check policy alert expect := protobuf.Alert{ 
@@ -421,10 +491,15 @@ var _ = Describe("Syscalls", func() { err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}, + MatchRegexp(".*"), false, + ) + + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}, + MatchRegexp(".*"), false, + ) // check policy alert expect := protobuf.Alert{ @@ -452,10 +527,15 @@ var _ = Describe("Syscalls", func() { err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}, + MatchRegexp(".*"), false, + ) + + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}, + MatchRegexp(".*"), false, + ) // check policy alert expect := protobuf.Alert{ @@ -481,10 +561,15 @@ var _ = Describe("Syscalls", func() { err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}, + MatchRegexp(".*"), false, + ) + + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}, + MatchRegexp(".*"), false, + ) // check policy alert expect := protobuf.Alert{ 
@@ -510,10 +595,15 @@ var _ = Describe("Syscalls", func() { err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}, + MatchRegexp(".*"), false, + ) + + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}, + MatchRegexp(".*"), false, + ) // check policy alert expect := protobuf.Alert{ @@ -539,10 +629,15 @@ var _ = Describe("Syscalls", func() { err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}, + MatchRegexp(".*"), false, + ) + + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}, + MatchRegexp(".*"), false, + ) // check policy alert expect := protobuf.Alert{ @@ -567,12 +662,15 @@ var _ = Describe("Syscalls", func() { Expect(err).To(BeNil()) // execute mount inside the pod - sout, _, err := K8sExecInPod(ubuntu, "syscalls", - []string{"bash", "-c", "mkdir /mnt/test"}) - Expect(err).To(BeNil()) - sout, _, err = K8sExecInPod(ubuntu, "syscalls", - []string{"bash", "-c", "mount /home /mnt/test"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "mkdir /mnt/test"}, + MatchRegexp(".*"), false, + ) + + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "mount /home /mnt/test"}, + MatchRegexp(".*"), false, + ) fmt.Printf("OUTPUT: %s\n", sout) expect := protobuf.Alert{ 
@@ -596,9 +694,10 @@ var _ = Describe("Syscalls", func() { Expect(err).To(BeNil()) // execute umount inside the pod - sout, _, err := K8sExecInPod(ubuntu, "syscalls", - []string{"bash", "-c", "umount /mnt"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "umount /mnt"}, + MatchRegexp(".*"), false, + ) fmt.Printf("OUTPUT: %s\n", sout) expect := protobuf.Alert{ diff --git a/tests/k8s_env/throttling/throttling_test.go b/tests/k8s_env/throttling/throttling_test.go index bfacaa17d1..6c2374a7eb 100644 --- a/tests/k8s_env/throttling/throttling_test.go +++ b/tests/k8s_env/throttling/throttling_test.go @@ -73,13 +73,13 @@ var _ = Describe("Smoke", func() { // wait for policy creation time.Sleep(5 * time.Second) - - sout, _, err := K8sExecInPod(wp, "wordpress-mysql", - []string{"bash", "-c", "count=0; while [ $count -lt 5 ]; do apt; count=$((count + 1)); done;"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) - Expect(sout).To(MatchRegexp("apt.*Permission denied")) - + AssertCommand( + wp, + "wordpress-mysql", + []string{"bash", "-c", "count=0; while [ $count -lt 5 ]; do apt; count=$((count + 1)); done;"}, + MatchRegexp("apt.*Permission denied"), + false, + ) // check policy violation alert _, alerts, err := KarmorGetLogs(5*time.Second, 1) Expect(err).To(BeNil()) @@ -93,12 +93,12 @@ var _ = Describe("Smoke", func() { Expect(err).To(BeNil()) // check for throttling, alerts should not be genrated - sout, _, err = K8sExecInPod(wp, "wordpress-mysql", - []string{"bash", "-c", "apt update"}) - Expect(err).To(BeNil()) - fmt.Printf("---START---\n%s---END---\n", sout) - Expect(sout).To(MatchRegexp("apt.*Permission denied")) - + AssertCommand(wp, + "wordpress-mysql", + []string{"bash", "-c", "apt update"}, + MatchRegexp("apt.*Permission denied"), + false + ) _, alerts, err = KarmorGetLogs(5*time.Second, 1) Expect(err).To(BeNil()) fmt.Printf("throttling alert :%v\n", alerts) 
From 11d97cc93f418cc3abfe5a201c7d52964ed71326 Mon Sep 17 00:00:00 2001 From: abhashsolanki18 Date: Mon, 11 Nov 2024 21:24:28 +0530 Subject: [PATCH 3/3] added AssertCommand Signed-off-by: abhashsolanki18 --- tests/k8s_env/blockposture/block_test.go | 6 ++-- tests/k8s_env/ksp/ksp_test.go | 26 ++++++++-------- tests/k8s_env/smoke/smoke_test.go | 30 +++++++++--------- tests/k8s_env/syscalls/syscalls_test.go | 34 ++++++++++----------- tests/k8s_env/throttling/throttling_test.go | 2 +- tests/k8s_env/visibility/visibility_test.go | 6 ++-- 6 files changed, 52 insertions(+), 52 deletions(-) diff --git a/tests/k8s_env/blockposture/block_test.go b/tests/k8s_env/blockposture/block_test.go index 2beeda80f5..a220a51fdc 100644 --- a/tests/k8s_env/blockposture/block_test.go +++ b/tests/k8s_env/blockposture/block_test.go @@ -75,7 +75,7 @@ var _ = Describe("Posture", func() { ) AssertCommand( wp, "wordpress-mysql", []string{"bash", "-c", "curl 142.250.193.46"}, - MatchRegexp("((?:.*\r?\n?)*)"), false + MatchRegexp("((?:.*\r?\n?)*)"), false, ) // check policy violation alert _, alerts, err := KarmorGetLogs(5*time.Second, 1) @@ -102,12 +102,12 @@ var _ = Describe("Posture", func() { //curl needs UDP for DNS resolution AssertCommand( wp, "wordpress-mysql", []string{"bash", "-c", "cat wp-config.php"}, - MatchRegexp("cat.*Permission denied"), false + MatchRegexp("cat.*Permission denied"), false, ) //test that tcp is whitelisted AssertCommand( wp, "wordpress-mysql", []string{"bash", "-c", "cat readme.html"}, - MatchRegexp("((?:.*\r?\n?)*)"), false + MatchRegexp("((?:.*\r?\n?)*)"), false, ) // check policy violation alert _, alerts, err := KarmorGetLogs(5*time.Second, 1) diff --git a/tests/k8s_env/ksp/ksp_test.go b/tests/k8s_env/ksp/ksp_test.go index 6562e8f080..ce36e2916e 100644 --- a/tests/k8s_env/ksp/ksp_test.go +++ b/tests/k8s_env/ksp/ksp_test.go 
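Review bot: The two comments in the @@ -102 hunk of block_test.go do not describe the commands under them: `//curl needs UDP for DNS resolution` sits above `cat wp-config.php` and `//test that tcp is whitelisted` above `cat readme.html`. They read like leftovers from the network test in the preceding hunk; if the intent is one denied file and one permitted file, `// wp-config.php must be denied` and `// readme.html must stay readable` would say so. The second call's `MatchRegexp("((?:.*\r?\n?)*)")` also accepts empty output and a "Permission denied" message, so the permitted path is not actually verified; `Not(ContainSubstring("Permission denied"))`, as smoke_test.go uses, would at least catch a denial.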
@@ -86,7 +86,7 @@ var _ = Describe("Ksp", func() { AssertCommand( pods.Items[0].Name, "nginx", []string{"ls"}, - MatchRegexp(".*"), false + MatchRegexp(".*"), false, ) // check audit logs @@ -113,7 +113,7 @@ var _ = Describe("Ksp", func() { AssertCommand( ub1, "multiubuntu", []string{"bash", "-c", "ping -c 1 127.0.0.1"}, - MatchRegexp("PING.*127.0.0.1"), false + MatchRegexp("PING.*127.0.0.1"), false, ) expect := protobuf.Alert{ PolicyName: "ksp-ubuntu-1-audit-net-icmp", @@ -221,7 +221,7 @@ var _ = Describe("Ksp", func() { AssertCommand( ub1, "multiubuntu", []string{"bash", "-c", "arping -c 1 127.0.0.1"}, - MatchRegexp("ARPING 127.0.0.1"), false + MatchRegexp("ARPING 127.0.0.1"), false, ) expect := protobuf.Alert{ @@ -396,7 +396,7 @@ var _ = Describe("Ksp", func() { AssertCommand( ub4, "multiubuntu", []string{"bash", "-c", "sleep 1"}, - MatchRegexp(""), false + MatchRegexp(""), false, ) expect := protobuf.Alert{ @@ -603,7 +603,7 @@ var _ = Describe("Ksp", func() { ) AssertCommand( ub3, "multiubuntu", []string{"bash", "-c", "/home/user1/hello"}, - MatchRegexp("hello.*Permission denied"), false + MatchRegexp("hello.*Permission denied"), false, ) expect := protobuf.Alert{ @@ -907,7 +907,7 @@ var _ = Describe("Ksp", func() { AssertCommand( ub1, "multiubuntu", []string{"bash", "-c", "touch /home/user1/new1"}, - MatchRegexp(".*"), false + MatchRegexp(".*"), false, ) expect := protobuf.Alert{ @@ -1487,7 +1487,7 @@ var _ = Describe("Ksp", func() { AssertCommand( ub4, "multiubuntu", []string{"bash", "-c", "su - user1 -c 'cat /home/user1/secret_data1.txt'"}, - MatchRegexp(".*"), false + MatchRegexp(".*"), false, ) // Expect(sout).To(ContainSubstring("secret file user1")) @@ -1605,7 +1605,7 @@ var _ = Describe("Ksp", func() { // No need for AssertCommand here since there is nothing to match AssertCommand( ub3, "multiubuntu", []string{"bash", "-c", "su - user1 -c 'echo user1 >> /home/user1/secret_data1.txt'"}, - MatchRegexp(".*"), false + MatchRegexp(".*"), false, ) }) 
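Review bot: In the @@ -1487 hunk the intended check survives only as the commented-out `// Expect(sout).To(ContainSubstring("secret file user1"))` under the call, while the live matcher is `MatchRegexp(".*")`, which accepts any output. If this read is expected to succeed, passing `ContainSubstring("secret file user1")` as the matcher and deleting the dead comment would restore the assertion. If the check was disabled on purpose, a comment saying why is missing. The policy under test is outside the hunk, so which case applies cannot be told from here.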
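Review bot: The comment `// No need for AssertCommand here since there is nothing to match` in the @@ -1605 hunk sits directly above an `AssertCommand(...)` call, so comment and code contradict each other. Either drop the comment or reword it to what is meant, for example `// output is not checked here; MatchRegexp(".*") accepts anything`.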
@@ -1667,7 +1667,7 @@ var _ = Describe("Ksp", func() { AssertCommand( ub4, "multiubuntu", []string{"bash", "-c", "./readwrite -r /secret.txt"}, - MatchRegexp("s"), false + MatchRegexp("s"), false, ) expectLog = protobuf.Log{ @@ -1704,7 +1704,7 @@ var _ = Describe("Ksp", func() { AssertCommand( ub4, "multiubuntu", []string{"bash", "-c", "./readwrite -w /credentials/password"}, - MatchRegexp(".*"), false + MatchRegexp(".*"), false, ) expect := protobuf.Alert{ @@ -1723,7 +1723,7 @@ var _ = Describe("Ksp", func() { AssertCommand( ub4, "multiubuntu", []string{"bash", "-c", "./readwrite -r /secret.txt"}, - MatchRegexp(".*"), false + MatchRegexp(".*"), false, ) expect = protobuf.Alert{ @@ -1805,7 +1805,7 @@ var _ = Describe("Ksp", func() { AssertCommand( ub4, "multiubuntu", []string{"bash", "-c", "touch /dev/shm/new"}, - MatchRegexp(".*"), false + MatchRegexp(".*"), false, ) expect := protobuf.Alert{ @@ -1981,7 +1981,7 @@ var _ = Describe("Ksp", func() { AssertCommand( ub4, "multiubuntu", []string{"bash", "-c", "cat /credentials/password"}, - ContainSubstring("password file"), false + ContainSubstring("password file"), false, ) }) diff --git a/tests/k8s_env/smoke/smoke_test.go b/tests/k8s_env/smoke/smoke_test.go index fd8a720ca3..d70b282d3a 100644 --- a/tests/k8s_env/smoke/smoke_test.go +++ b/tests/k8s_env/smoke/smoke_test.go @@ -68,7 +68,7 @@ var _ = Describe("Smoke", func() { AssertCommand( wp, "wordpress-mysql", []string{"bash", "-c", "apt"}, - MatchRegexp("apt.*Permission denied"), false + MatchRegexp("apt.*Permission denied"), false, ) // check policy violation alert _, alerts, err := KarmorGetLogs(5*time.Second, 1) @@ -92,7 +92,7 @@ var _ = Describe("Smoke", func() { AssertCommand( wp, "wordpress-mysql", []string{"bash", "-c", "cat /var/www/html/wp-config.php"}, - MatchRegexp("wp-config.php.*Permission denied"), false + MatchRegexp("wp-config.php.*Permission denied"), false, ) // check policy violation alert _, alerts, err := KarmorGetLogs(5*time.Second, 1) 
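Review bot: `MatchRegexp("s")` on `./readwrite -r /secret.txt` in the @@ -1667 hunk passes for any output containing the letter s, and "Permission denied" contains one, so a blocked read satisfies it just as a successful read does. The `expectLog` that follows suggests the read is meant to be allowed here, though the policy itself is outside the hunk. If so, `Not(ContainSubstring("Permission denied"))`, as smoke_test.go uses, or a substring of the file's known content would separate the two outcomes.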
@@ -118,7 +118,7 @@ var _ = Describe("Smoke", func() { AssertCommand( wp, "wordpress-mysql", []string{"bash", "-c", "cat wp-config.php"}, - MatchRegexp("wp-config.php.*Permission denied"), false + MatchRegexp("wp-config.php.*Permission denied"), false, ) // check policy violation alert _, alerts, err := KarmorGetLogs(5*time.Second, 1) @@ -144,7 +144,7 @@ var _ = Describe("Smoke", func() { AssertCommand( wp, "wordpress-mysql", []string{"bash", "-c", "cat /run/secrets/kubernetes.io/serviceaccount/token"}, - MatchRegexp("token.*Permission denied"), false + MatchRegexp("token.*Permission denied"), false, ) // check policy violation alert _, alerts, err := KarmorGetLogs(5*time.Second, 1) @@ -169,7 +169,7 @@ var _ = Describe("Smoke", func() { // trigger policy violation alert AssertCommand( wp, "wordpress-mysql", []string{"bash", "-c", "head /run/secrets/kubernetes.io/serviceaccount/token"}, - MatchRegexp("token.*Permission denied"), false + MatchRegexp("token.*Permission denied"), false, ) // check policy violation alert @@ -184,17 +184,17 @@ var _ = Describe("Smoke", func() { AssertCommand( wp, "wordpress-mysql", []string{"bash", "-c", "cat /run/secrets/kubernetes.io/serviceaccount/token"}, - Not(ContainSubstring("Permission denied")), false + Not(ContainSubstring("Permission denied")), false, ) AssertCommand( wp, "wordpress-mysql", []string{"bash", "-c", "cat /etc/passwd"}, - Not(ContainSubstring("Permission denied")), false + Not(ContainSubstring("Permission denied")), false, ) AssertCommand( wp, "wordpress-mysql", []string{"bash", "-c", "head /etc/passwd"}, - Not(ContainSubstring("Permission denied")), false + Not(ContainSubstring("Permission denied")), false, ) @@ -219,7 +219,7 @@ var _ = Describe("Smoke", func() { fname := fmt.Sprintf("/var/lib/mysql/%s", RandString(12)) AssertCommand( sql, "wordpress-mysql", []string{"bash", "-c", fmt.Sprintf("touch %s", fname)}, - BeEmpty(), false + BeEmpty(), false, ) // check policy violation alert 
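Review bot: The three `Not(ContainSubstring("Permission denied"))` matchers in the @@ -184 hunk only prove that one error string is absent; empty output or a different failure such as a missing file also passes. A positive check is stronger where the content is predictable, e.g. `ContainSubstring("root:")` for the two `/etc/passwd` reads. For the `cat /run/secrets/kubernetes.io/serviceaccount/token` call, if AssertCommand prints command output the way the `fmt.Printf` lines removed elsewhere in this series did, the token ends up in the CI log. That helper is not visible in this diff, so this needs checking there.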
@@ -232,7 +232,7 @@ var _ = Describe("Smoke", func() { AssertCommand( sql, "wordpress-mysql", []string{"bash", "-c", fmt.Sprintf("rm %s", fname)}, - BeEmpty(), false + BeEmpty(), false, ) }) @@ -249,12 +249,12 @@ var _ = Describe("Smoke", func() { // trigger policy violation alert AssertCommand( wp, "wordpress-mysql", []string{"bash", "-c", "cat /etc/passwd"}, - MatchRegexp("/etc/passwd.*Permission denied"), false + MatchRegexp("/etc/passwd.*Permission denied"), false, ) AssertCommand( wp, "wordpress-mysql", []string{"bash", "-c", "cat /etc/shadow"}, - MatchRegexp("/etc/shadow.*Permission denied"), false + MatchRegexp("/etc/shadow.*Permission denied"), false, ) }) @@ -273,7 +273,7 @@ var _ = Describe("Smoke", func() { AssertCommand( wp, "wordpress-mysql", []string{"bash", "-c", "touch /dev/shm/new"}, - ContainSubstring("Permission denied"), false + ContainSubstring("Permission denied"), false, ) // check policy violation alert @@ -298,7 +298,7 @@ var _ = Describe("Smoke", func() { AssertCommand( wp, "wordpress-mysql", []string{"bash", "-c", "curl 142.250.193.46"}, - ContainSubstring("http://www.google.com/"), false + ContainSubstring("http://www.google.com/"), false, ) // tcp action @@ -313,7 +313,7 @@ var _ = Describe("Smoke", func() { // tcp + udp + raw action AssertCommand( wp, "wordpress-mysql", []string{"bash", "-c", "curl google.com"}, - ContainSubstring("http://www.google.com/"), false + ContainSubstring("http://www.google.com/"), false, ) // check alert _, alerts, err = KarmorGetLogs(5*time.Second, 1) diff --git a/tests/k8s_env/syscalls/syscalls_test.go b/tests/k8s_env/syscalls/syscalls_test.go index 76624f0b19..7090bf54eb 100644 --- a/tests/k8s_env/syscalls/syscalls_test.go +++ b/tests/k8s_env/syscalls/syscalls_test.go 
@@ -60,11 +60,11 @@ var _ = Describe("Syscalls", func() { AssertCommand( ubuntu, "syscalls", []string{"bash", "-c", "touch /dummy"}, - MatchRegexp(".*"), false + MatchRegexp(".*"), false, ) AssertCommand( ubuntu, "syscalls", []string{"bash", "-c", "unlink /dummy"}, - MatchRegexp(".*"), false + MatchRegexp(".*"), false, ) // check policy alert @@ -92,16 +92,16 @@ var _ = Describe("Syscalls", func() { AssertCommand( ubuntu, "syscalls", []string{"bash", "-c", "cp /usr/bin/unlink /bin/unlink"}, - MatchRegexp(".*"), false + MatchRegexp(".*"), false, ) AssertCommand( ubuntu, "syscalls", []string{"bash", "-c", "touch /dummy"}, - MatchRegexp(".*"), false + MatchRegexp(".*"), false, ) AssertCommand( ubuntu, "syscalls", []string{"bash", "-c", "/bin/unlink /dummy"}, - MatchRegexp(".*"), false + MatchRegexp(".*"), false, ) // check policy alert @@ -129,22 +129,22 @@ var _ = Describe("Syscalls", func() { AssertCommand( ubuntu, "syscalls", []string{"bash", "-c", "mkdir -p /foo/bar"}, - MatchRegexp(".*"), false + MatchRegexp(".*"), false, ) AssertCommand( ubuntu, "syscalls", []string{"bash", "-c", "cp /usr/bin/unlink /foo/bar/unlink"}, - MatchRegexp(".*"), false + MatchRegexp(".*"), false, ) AssertCommand( ubuntu, "syscalls", []string{"bash", "-c", "touch /dummy"}, - MatchRegexp(".*"), false + MatchRegexp(".*"), false, ) AssertCommand( ubuntu, "syscalls", []string{"bash", "-c", "/foo/bar/unlink /dummy"}, - MatchRegexp(".*"), false + MatchRegexp(".*"), false, ) // check policy alert @@ -172,17 +172,17 @@ var _ = Describe("Syscalls", func() { AssertCommand( ubuntu, "syscalls", []string{"bash", "-c", "cp /usr/bin/unlink /unlink"}, - MatchRegexp(".*"), false + MatchRegexp(".*"), false, ) AssertCommand( ubuntu, "syscalls", []string{"bash", "-c", "touch /dummy"}, - MatchRegexp(".*"), false + MatchRegexp(".*"), false, ) AssertCommand( ubuntu, "syscalls", []string{"bash", "-c", "/unlink /dummy"}, - MatchRegexp(".*"), false + MatchRegexp(".*"), false, ) // check policy alert 
@@ -213,12 +213,12 @@ var _ = Describe("Syscalls", func() { AssertCommand( ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}, - MatchRegexp(".*"), false + MatchRegexp(".*"), false, ) AssertCommand( ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}, - MatchRegexp(".*"), false + MatchRegexp(".*"), false, ) // check policy alert @@ -246,12 +246,12 @@ var _ = Describe("Syscalls", func() { AssertCommand( ubuntu, "syscalls", []string{"bash", "-c", "touch /dummy"}, - MatchRegexp(".*"), false + MatchRegexp(".*"), false, ) AssertCommand( ubuntu, "syscalls", []string{"bash", "-c", "unlink /dummy"}, - MatchRegexp(".*"), false + MatchRegexp(".*"), false, ) // check policy alert @@ -275,7 +275,7 @@ var _ = Describe("Syscalls", func() { AssertCommand( ubuntu, "syscalls", []string{"bash", "-c", "cp /usr/bin/unlink /bin/unlink"}, - MatchRegexp(".*"), false + MatchRegexp(".*"), false, ) // Start Kubearmor Logs diff --git a/tests/k8s_env/throttling/throttling_test.go b/tests/k8s_env/throttling/throttling_test.go index 6c2374a7eb..b746a7b456 100644 --- a/tests/k8s_env/throttling/throttling_test.go +++ b/tests/k8s_env/throttling/throttling_test.go @@ -97,7 +97,7 @@ var _ = Describe("Smoke", func() { "wordpress-mysql", []string{"bash", "-c", "apt update"}, MatchRegexp("apt.*Permission denied"), - false + false, ) _, alerts, err = KarmorGetLogs(5*time.Second, 1) Expect(err).To(BeNil()) diff --git a/tests/k8s_env/visibility/visibility_test.go b/tests/k8s_env/visibility/visibility_test.go index 29fe63d2e6..9f59a0bb9f 100644 --- a/tests/k8s_env/visibility/visibility_test.go +++ b/tests/k8s_env/visibility/visibility_test.go 
@@ -61,7 +61,7 @@ var _ = Describe("Visibility", func() { Expect(err).To(BeNil()) // Use Assert command - util.AssertCommand(wp, "wordpress-mysql", []string{"bash", "-c", "ping google.com -c1"}, MatchRegexp(".*"), false) + AssertCommand(wp, "wordpress-mysql", []string{"bash", "-c", "ping google.com -c1"}, MatchRegexp(".*"), false) // check audit logs logs, _, err := KarmorGetLogs(5*time.Second, 50) @@ -89,7 +89,7 @@ var _ = Describe("Visibility", func() { Expect(err).To(BeNil()) // Use Assert command - util.AssertCommand(wp, "wordpress-mysql", []string{"bash", "-c", "ping google.com -c1"}, MatchRegexp(".*"), false) + AssertCommand(wp, "wordpress-mysql", []string{"bash", "-c", "ping google.com -c1"}, MatchRegexp(".*"), false) // check audit logs logs, _, err := KarmorGetLogs(5*time.Second, 50) @@ -114,7 +114,7 @@ var _ = Describe("Visibility", func() { Expect(err).To(BeNil()) // Use Assert command - util.AssertCommand(wp, "wordpress-mysql", []string{"bash", "-c", "ping google.com -c1"}, MatchRegexp(".*"), false) + AssertCommand(wp, "wordpress-mysql", []string{"bash", "-c", "ping google.com -c1"}, MatchRegexp(".*"), false) // check audit logs