From b7f91315f50c2100c8f2554859116b04db796164 Mon Sep 17 00:00:00 2001 From: Navin Chandra Date: Sat, 31 Aug 2024 18:36:48 +0000 Subject: [PATCH 1/3] Enable host policy via kubectl patch in CI Signed-off-by: Navin Chandra --- .github/workflows/ci-test-ginkgo.yml | 3 +++ .github/workflows/cleanup.sh | 14 +++++++++++--- .github/workflows/host-visibility.sh | 19 +++++++++++++++++++ tests/util/kartutil.go | 15 +++++++++++++++ 4 files changed, 48 insertions(+), 3 deletions(-) create mode 100755 .github/workflows/host-visibility.sh diff --git a/.github/workflows/ci-test-ginkgo.yml b/.github/workflows/ci-test-ginkgo.yml index 6b1752963b..3f3b6cd53a 100644 --- a/.github/workflows/ci-test-ginkgo.yml +++ b/.github/workflows/ci-test-ginkgo.yml @@ -159,6 +159,9 @@ jobs: ]' sleep 15 + + - name: Add KubeArmor host visibility + run: ./.github/workflows/host-visibility.sh - name: Get KubeArmor POD info run: | diff --git a/.github/workflows/cleanup.sh b/.github/workflows/cleanup.sh index 3c539903a7..783a56f6e0 100755 --- a/.github/workflows/cleanup.sh +++ b/.github/workflows/cleanup.sh @@ -1,14 +1,22 @@ #!/bin/bash # SPDX-License-Identifier: Apache-2.0 -# Copyright 2021 Authors of KubeArmor +# Copyright 2024 Authors of KubeArmor # Cleanup function cleanup() { echo "Performing cleanup..." - /usr/local/bin/k3s-killall.sh + if [ -f /usr/local/bin/k3s-killall.sh ]; then + /usr/local/bin/k3s-killall.sh + else + echo "/usr/local/bin/k3s-killall.sh not found. Skipping..." + fi - /usr/local/bin/k3s-uninstall.sh + if [ -f /usr/local/bin/k3s-uninstall.sh ]; then + /usr/local/bin/k3s-uninstall.sh + else + echo "/usr/local/bin/k3s-uninstall.sh not found. Skipping..." + fi docker system prune -a -f diff --git a/.github/workflows/host-visibility.sh b/.github/workflows/host-visibility.sh new file mode 100755 index 0000000000..c272a1180d --- /dev/null +++ b/.github/workflows/host-visibility.sh 
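Review bot: The new guards in cleanup.sh test `-f` but then execute the file, so a present-but-not-executable leftover still fails the step; `-x` matches what each branch actually needs, i.e. `if [ -x /usr/local/bin/k3s-killall.sh ]; then` and `if [ -x /usr/local/bin/k3s-uninstall.sh ]; then`. The `cleanup()` function continues past the end of the hunk, so I cannot see whether `docker system prune -a -f` is also guarded or whether the function's exit status is checked. Rewriting the existing file's copyright line from 2021 to 2024 is unrelated to the change; if the year is to be touched at all, a range is the usual form.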
@@ -0,0 +1,19 @@
+#!/bin/bash
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2024 Authors of KubeArmor
+
+DAEMONSET_NAME=$(kubectl get daemonset -n kubearmor -o jsonpath='{.items[0].metadata.name}')
+
+kubectl patch daemonset $DAEMONSET_NAME -n kubearmor --type='json' -p='[
+ {
+ "op": "add",
+ "path": "/spec/template/spec/containers/0/args/-",
+ "value": "-enableKubeArmorHostPolicy"
+ }
+ ]'
+
+sleep 16
+
+# Apply annotations to the node
+NODE_NAME=$(kubectl get nodes -o=jsonpath='{.items[0].metadata.name}')
+kubectl annotate node $NODE_NAME "kubearmorvisibility=process,file,network,capabilities"
diff --git a/tests/util/kartutil.go b/tests/util/kartutil.go
index 345fef4646..fadc608891 100644
--- a/tests/util/kartutil.go
+++ b/tests/util/kartutil.go
@@ -708,3 +708,18 @@ func ContainerInfo() (*pb.ProbeResponse, error) {
 }
 return resp, nil
 }
+
+// ExecCommandHost function executes command on the host
+func ExecCommandHost(command []string) (string, error) {
+ ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+ defer cancel()
+
+ cmd := exec.CommandContext(ctx, command[0], command[1:]...)
+ output, err := cmd.CombinedOutput()
+
+ if err != nil {
+ return string(output), err
+ }
+
+ return string(output), nil
+}
From e9725a20a54b7f193e9fef28b4ece891df75f063 Mon Sep 17 00:00:00 2001 From: Navin Chandra Date: Sat, 31 Aug 2024 18:37:36 +0000 Subject: [PATCH 2/3] Add k8s env HSP test suite
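Review bot: host-visibility.sh has no `set -euo pipefail`, so when the `kubectl get daemonset` lookup yields nothing, `DAEMONSET_NAME` is empty, `kubectl patch daemonset` fails, and the step still exits 0 — the workflow then runs the HSP specs against a KubeArmor that never received `-enableKubeArmorHostPolicy`, and the failure surfaces far away as `Permission denied` never appearing. The unquoted `$DAEMONSET_NAME` / `$NODE_NAME` expansions and the fixed `sleep 16` compound this, because the wait is not tied to the patched pods actually rolling out. I would fail fast on an empty name, quote the expansions, and wait with `kubectl rollout status`; a short settle sleep for KubeArmor to finish loading may still be needed, which I cannot confirm from here. The `add` op on `args/-` appends unconditionally, so running the script twice against the same daemonset duplicates the flag — harmless on a fresh CI cluster, but worth a comment.
```shell
set -euo pipefail

DAEMONSET_NAME=$(kubectl get daemonset -n kubearmor -o jsonpath='{.items[0].metadata.name}')
if [ -z "$DAEMONSET_NAME" ]; then
  echo "no KubeArmor daemonset found in namespace kubearmor" >&2
  exit 1
fi

kubectl patch daemonset "$DAEMONSET_NAME" -n kubearmor --type='json' -p='[
# … unchanged: JSON patch body adding -enableKubeArmorHostPolicy …
  ]'

# wait for the patched pods to roll out instead of a fixed sleep
kubectl rollout status daemonset/"$DAEMONSET_NAME" -n kubearmor --timeout=120s

# … unchanged: node annotation …
```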
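Review bot: `ExecCommandHost` indexes `command[0]` without checking the slice, so an empty `command` panics inside the test helper instead of returning an error; add `if len(command) == 0 { return "", errors.New("ExecCommandHost: empty command") }` before the context is created (assuming `errors` is already imported in kartutil.go, which the hunk does not show). When the 5 s deadline expires, `CombinedOutput` reports only the kill as an ordinary error, so a spec's `Permission denied` regexp then fails with no hint that the command simply hung; wrapping the deadline case, e.g. `if ctx.Err() != nil { return string(output), fmt.Errorf("%w: %v", ctx.Err(), err) }`, makes that distinguishable. The closing `if err != nil { return string(output), err }` followed by `return string(output), nil` returns the same values on both paths and collapses to a single `return string(output), err`. The doc comment could also state that stdout and stderr are combined and that the 5 s timeout is fixed.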
Signed-off-by: Navin Chandra --- tests/k8s_env/hsp/hsp_suite_test.go | 16 ++ tests/k8s_env/hsp/hsp_test.go | 258 ++++++++++++++++++ ...bearmor-dev-file-dir-allow-fromSource.yaml | 29 ++ ...bearmor-dev-file-dir-block-fromSource.yaml | 28 ++ ...earmor-dev-file-path-allow-fromSource.yaml | 28 ++ .../hsp-kubearmor-dev-file-path-audit.yaml | 25 ++ ...earmor-dev-file-path-block-fromSource.yaml | 28 ++ .../hsp-kubearmor-dev-file-path-block.yaml | 23 ++ ...earmor-dev-proc-path-allow-fromSource.yaml | 31 +++ ...earmor-dev-proc-path-block-fromSource.yaml | 31 +++ .../hsp-kubearmor-dev-proc-path-block.yaml | 23 ++ .../hsp/res/hsp-kubearmor-dev-udp-block.yaml | 25 ++ 12 files changed, 545 insertions(+) create mode 100644 tests/k8s_env/hsp/hsp_suite_test.go create mode 100644 tests/k8s_env/hsp/hsp_test.go create mode 100644 tests/k8s_env/hsp/res/hsp-kubearmor-dev-file-dir-allow-fromSource.yaml create mode 100644 tests/k8s_env/hsp/res/hsp-kubearmor-dev-file-dir-block-fromSource.yaml create mode 100644 tests/k8s_env/hsp/res/hsp-kubearmor-dev-file-path-allow-fromSource.yaml create mode 100644 tests/k8s_env/hsp/res/hsp-kubearmor-dev-file-path-audit.yaml create mode 100644 tests/k8s_env/hsp/res/hsp-kubearmor-dev-file-path-block-fromSource.yaml create mode 100644 tests/k8s_env/hsp/res/hsp-kubearmor-dev-file-path-block.yaml create mode 100644 tests/k8s_env/hsp/res/hsp-kubearmor-dev-proc-path-allow-fromSource.yaml create mode 100644 tests/k8s_env/hsp/res/hsp-kubearmor-dev-proc-path-block-fromSource.yaml create mode 100644 tests/k8s_env/hsp/res/hsp-kubearmor-dev-proc-path-block.yaml create mode 100644 tests/k8s_env/hsp/res/hsp-kubearmor-dev-udp-block.yaml diff --git a/tests/k8s_env/hsp/hsp_suite_test.go b/tests/k8s_env/hsp/hsp_suite_test.go new file mode 100644 index 0000000000..3b8f09a392 --- /dev/null +++ b/tests/k8s_env/hsp/hsp_suite_test.go 
@@ -0,0 +1,16 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2024 Authors of KubeArmor
+
+package hsp_test
+
+import (
+ "testing"
+
+ . "github.com/onsi/ginkgo/v2"
+ . "github.com/onsi/gomega"
+)
+
+func TestHsp(t *testing.T) {
+ RegisterFailHandler(Fail)
+ RunSpecs(t, "Hsp Suite")
+}
diff --git a/tests/k8s_env/hsp/hsp_test.go b/tests/k8s_env/hsp/hsp_test.go
new file mode 100644
index 0000000000..91a1d0b6cf
--- /dev/null
+++ b/tests/k8s_env/hsp/hsp_test.go
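Review bot: This file declares `package hsp_test` while `hsp_test.go` in the same directory declares `package hsp`; both are test-only files that Go links into one test binary, so Ginkgo still collects the specs, but two package names in a directory with no non-test source is confusing to readers and tooling. Pick one — `package hsp` in both files, matching the directory — unless the other suites under tests/k8s_env deliberately use the `_test` convention, which I cannot see from here. The `TestHsp` bootstrap itself is the standard Ginkgo v2 shape and needs no change.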
@@ -0,0 +1,258 @@ +// SPDX-License-Identifier: Apache-2.0 +// Copyright 2024 Authors of KubeArmor + +package hsp + +import ( + "time" + + . "github.com/kubearmor/KubeArmor/tests/util" + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" +) + +var _ = Describe("Non-k8s HSP tests", func() { + + AfterEach(func() { + KarmorLogStop() + err := DeleteAllHsp() + Expect(err).To(BeNil()) + }) + + Describe("HSP file path block", func() { + + It("can block access to /etc/hostname on the host", func() { + + err := K8sApplyFile("res/hsp-kubearmor-dev-file-path-block.yaml") + Expect(err).To(BeNil()) + + // Start the karmor logs + err = KarmorLogStart("policy", "", "File", "") + Expect(err).To(BeNil()) + + // Access the /etc/hostname file + out, err := ExecCommandHost([]string{"bash", "-c", "cat /etc/hostname"}) + Expect(err).NotTo(BeNil()) + Expect(out).To(MatchRegexp(".*Permission denied")) + + // check policy violation alert + _, alerts, err := KarmorGetLogs(5*time.Second, 1) + Expect(err).To(BeNil()) + Expect(len(alerts)).To(BeNumerically(">=", 1)) + Expect(alerts[0].PolicyName).To(Equal("hsp-kubearmor-dev-file-path-block")) + Expect(alerts[0].Severity).To(Equal("5")) + Expect(alerts[0].Action).To(Equal("Block")) + + }) + }) + + Describe("HSP Process path block", func() { + + It("can block execution of diff command in host", func() { + + err := K8sApplyFile("res/hsp-kubearmor-dev-proc-path-block.yaml") + Expect(err).To(BeNil()) + + // Start the karmor logs + err = KarmorLogStart("policy", "", "Process", "") + Expect(err).To(BeNil()) + + // call the diff command + out, err := ExecCommandHost([]string{"bash", "-c", "diff --help"}) + Expect(err).NotTo(BeNil()) + Expect(out).To(MatchRegexp(".*Permission denied")) + + // check policy violation alert + _, alerts, err := KarmorGetLogs(5*time.Second, 1) + Expect(err).To(BeNil()) + Expect(len(alerts)).To(BeNumerically(">=", 1)) + Expect(alerts[0].PolicyName).To(Equal("hsp-kubearmor-dev-proc-path-block")) + 
Expect(alerts[0].Severity).To(Equal("5")) + Expect(alerts[0].Action).To(Equal("Block")) + }) + }) + + Describe("HSP dir block from source", func() { + + It("can allow access to everything except /etc/default/* from head", func() { + + err := K8sApplyFile("res/hsp-kubearmor-dev-file-dir-block-fromSource.yaml") + Expect(err).To(BeNil()) + + // Start the karmor logs + err = KarmorLogStart("policy", "", "File", "") + Expect(err).To(BeNil()) + + // call the head command + out, err := ExecCommandHost([]string{"bash", "-c", "head /etc/hostname"}) + Expect(err).To(BeNil()) + Expect(out).NotTo(MatchRegexp(".*Permission denied")) + + // check policy violation alert + _, alerts, err := KarmorGetLogs(5*time.Second, 1) + Expect(err).To(BeNil()) + Expect(len(alerts)).To(BeNumerically("==", 0)) + }) + + It("can block access to /etc/default/* from head", func() { + + err := K8sApplyFile("res/hsp-kubearmor-dev-file-dir-block-fromSource.yaml") + Expect(err).To(BeNil()) + + // Start the karmor logs + err = KarmorLogStart("policy", "", "File", "") + Expect(err).To(BeNil()) + + // call the head command + out, err := ExecCommandHost([]string{"bash", "-c", "head /etc/default/useradd"}) + Expect(err).NotTo(BeNil()) + Expect(out).To(MatchRegexp(".*Permission denied")) + + // check policy violation alert + _, alerts, err := KarmorGetLogs(5*time.Second, 1) + Expect(err).To(BeNil()) + Expect(len(alerts)).To(BeNumerically(">=", 1)) + Expect(alerts[0].PolicyName).To(Equal("hsp-kubearmor-dev-file-dir-block-fromsource")) + Expect(alerts[0].Severity).To(Equal("5")) + Expect(alerts[0].Action).To(Equal("Block")) + }) + }) + + // Describe("HSP file audit", func() { + + // It("can audit access to /etc/passwd", func() { + + // err := K8sApplyFile("res/hsp-kubearmor-dev-file-path-audit.yaml") + // Expect(err).To(BeNil()) + + // // Start the karmor logs + // err = KarmorLogStart("policy", "", "File", "") + // Expect(err).To(BeNil()) + + // // try to access the /etc/passwd file + // out, err := 
ExecCommandHost([]string{"bash", "-c", "cat /etc/passwd"}) + // Expect(err).To(BeNil()) + // Expect(out).ToNot(MatchRegexp(".*Permission denied")) // should not block - ToNot match the regex + + // // check audit alerts + // _, alerts, err := KarmorGetLogs(5*time.Second, 1) + // Expect(err).To(BeNil()) + // Expect(len(alerts)).To(BeNumerically(">=", 1)) // Not generatting alerts on audit policy k8s hsp + // Expect(alerts[0].PolicyName).To(Equal("hsp-kubearmor-dev-file-path-audit")) + // Expect(alerts[0].Severity).To(Equal("5")) + // Expect(alerts[0].Action).To(Equal("Audit")) + // }) + // }) + + Describe("HSP path block from source", func() { + + It("It can block access to /etc/hostname from head", func() { + + err := K8sApplyFile("res/hsp-kubearmor-dev-file-path-block-fromSource.yaml") + Expect(err).To(BeNil()) + + // Start the karmor logs + err = KarmorLogStart("policy", "", "File", "") + Expect(err).To(BeNil()) + + // try to access the /etc/hostname file from head + out, err := ExecCommandHost([]string{"bash", "-c", "head /etc/hostname"}) + Expect(err).NotTo(BeNil()) + Expect(out).To(MatchRegexp(".*Permission denied")) + + // check policy violation alert + _, alerts, err := KarmorGetLogs(5*time.Second, 1) + Expect(err).To(BeNil()) + Expect(len(alerts)).To(BeNumerically(">=", 1)) + Expect(alerts[0].PolicyName).To(Equal("hsp-kubearmor-dev-file-path-block-fromsource")) + Expect(alerts[0].Severity).To(Equal("5")) + Expect(alerts[0].Action).To(Equal("Block")) + }) + }) + + // Describe("HSP Process path block from source", func() { + + // FIt("can block date command from bash", func() { + + // err := K8sApplyFile("res/hsp-kubearmor-dev-proc-path-block-fromSource.yaml") + // Expect(err).To(BeNil()) + + // // Start the karmor logs + // err = KarmorLogStart("policy", "", "Process", "") + // Expect(err).To(BeNil()) + + // out, _ := ExecCommandHost([]string{"which", "bash"}) + // fmt.Println("Using bash at:", out) + + // // call the date command from bash + // out, err = 
ExecCommandHost([]string{"bash", "-c", "date"}) + // Expect(err).NotTo(BeNil()) + // Expect(out).To(MatchRegexp(".*Permission denied")) + + // // execute ls command from bash + // out2, err := ExecCommandHost([]string{"bash", "-c", "ls"}) + // Expect(err).To(BeNil()) + // Expect(out2).NotTo(MatchRegexp(".*Permission denied")) + + // // check policy violation alert + // _, alerts, err := KarmorGetLogs(5*time.Second, 1) + // Expect(err).To(BeNil()) + // Expect(len(alerts)).To(BeNumerically(">=", 1)) + // Expect(alerts[0].PolicyName).To(Equal("hsp-kubearmor-dev-proc-path-block-fromsource")) + // Expect(alerts[0].Severity).To(Equal("5")) + // Expect(alerts[0].Action).To(Equal("Block")) + // }) + // }) + + Describe("HSP Process path block", func() { + + It("can block diff command", func() { + + err := K8sApplyFile("res/hsp-kubearmor-dev-proc-path-block.yaml") + Expect(err).To(BeNil()) + + // Start the karmor logs + err = KarmorLogStart("policy", "", "Process", "") + Expect(err).To(BeNil()) + + // run diff command + out, err := ExecCommandHost([]string{"bash", "-c", "diff"}) + Expect(err).NotTo(BeNil()) + Expect(out).To(MatchRegexp(".*Permission denied")) + + // check policy violation alert + _, alerts, err := KarmorGetLogs(5*time.Second, 1) + Expect(err).To(BeNil()) + Expect(len(alerts)).To(BeNumerically(">=", 1)) + Expect(alerts[0].PolicyName).To(Equal("hsp-kubearmor-dev-proc-path-block")) + Expect(alerts[0].Severity).To(Equal("5")) + Expect(alerts[0].Action).To(Equal("Block")) + }) + }) + + Describe("HSP Network path block", func() { + + It("can block access to UDP protocol from curl", func() { + + err := K8sApplyFile("res/hsp-kubearmor-dev-udp-block.yaml") + Expect(err).To(BeNil()) + + // Start the karmor logs + err = KarmorLogStart("policy", "", "Network", "") + Expect(err).To(BeNil()) + + // run diff command + out, err := ExecCommandHost([]string{"bash", "-c", "curl google.com"}) + Expect(err).NotTo(BeNil()) + Expect(out).To(MatchRegexp(".*Could not resolve host: 
google.com")) + + // check policy violation alert + _, alerts, err := KarmorGetLogs(5*time.Second, 1) + Expect(err).To(BeNil()) + Expect(len(alerts)).To(BeNumerically(">=", 1)) + Expect(alerts[0].PolicyName).To(Equal("hsp-kubearmor-dev-udp-block-curl")) + Expect(alerts[0].Severity).To(Equal("5")) + Expect(alerts[0].Action).To(Equal("Block")) + }) + }) +}) diff --git a/tests/k8s_env/hsp/res/hsp-kubearmor-dev-file-dir-allow-fromSource.yaml b/tests/k8s_env/hsp/res/hsp-kubearmor-dev-file-dir-allow-fromSource.yaml new file mode 100644 index 0000000000..00a133c4aa --- /dev/null +++ b/tests/k8s_env/hsp/res/hsp-kubearmor-dev-file-dir-allow-fromSource.yaml @@ -0,0 +1,29 @@ +apiVersion: security.kubearmor.com/v1 +kind: KubeArmorHostPolicy +metadata: + name: hsp-kubearmor-dev-file-dir-allow-fromsource +spec: + nodeSelector: + matchLabels: + kubearmor.io/hostname: "*" + severity: 5 + file: + matchDirectories: + - dir: /etc/default/ + recursive: true + fromSource: + - path: /usr/bin/head + action: + Allow + +# kubearmor-dev_test_08 + +# test +# $ head /etc/default/useradd +# Default values for useradd(8) ... +# $ head /etc/hostname +# head: /etc/hostname: Permission denied + +# expectation +# /usr/bin/head can only access /etc/default/* +# /usr/bin/head cannot access any others \ No newline at end of file diff --git a/tests/k8s_env/hsp/res/hsp-kubearmor-dev-file-dir-block-fromSource.yaml b/tests/k8s_env/hsp/res/hsp-kubearmor-dev-file-dir-block-fromSource.yaml new file mode 100644 index 0000000000..d92be29a6d --- /dev/null +++ b/tests/k8s_env/hsp/res/hsp-kubearmor-dev-file-dir-block-fromSource.yaml 
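Review bot: `Describe("HSP Process path block")` is declared twice with the same fixture (`res/hsp-kubearmor-dev-proc-path-block.yaml`) and the same `diff` invocation, so the second copy only re-runs the first; keep one, and fix the copy-pasted `// run diff command` comment above the `curl google.com` call. The commented-out audit and proc-path-block-fromSource specs (one still marked `FIt`) would be better expressed as `PIt` with a one-line reason, so the missing coverage shows in the Ginkgo report instead of being buried in comments. The network spec asserts curl's exact `Could not resolve host: google.com` wording, which depends on the runner's resolver path; the `alerts[0]` checks are the reliable signal, so the output match could be narrowed to `Could not resolve host`. Worth remembering that these Block policies are enforced on the CI node itself: `AfterEach`'s `DeleteAllHsp` is what restores access to `/usr/bin/diff` and `/etc/hostname`, so on a reusable runner a failure before or inside it leaves the node restricted — a comment, or `DeferCleanup` registered right after each `K8sApplyFile`, would make that explicit.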
@@ -0,0 +1,28 @@ +apiVersion: security.kubearmor.com/v1 +kind: KubeArmorHostPolicy +metadata: + name: hsp-kubearmor-dev-file-dir-block-fromsource +spec: + nodeSelector: + matchLabels: + kubearmor.io/hostname: "*" + severity: 5 + file: + matchDirectories: + - dir: /etc/default/ + fromSource: + - path: /usr/bin/head + action: + Block + +# kubearmor-dev_test_09 + +# test +# $ head /etc/default/useradd +# head: useradd: Permission denied +# $ head /etc/hostname +# kubearmor-dev + +# expectation +# /usr/bin/head cannot access /etc/default/* +# /usr/bin/head can access any others \ No newline at end of file diff --git a/tests/k8s_env/hsp/res/hsp-kubearmor-dev-file-path-allow-fromSource.yaml b/tests/k8s_env/hsp/res/hsp-kubearmor-dev-file-path-allow-fromSource.yaml new file mode 100644 index 0000000000..59c10830ad --- /dev/null +++ b/tests/k8s_env/hsp/res/hsp-kubearmor-dev-file-path-allow-fromSource.yaml @@ -0,0 +1,28 @@ +apiVersion: security.kubearmor.com/v1 +kind: KubeArmorHostPolicy +metadata: + name: hsp-kubearmor-dev-file-path-allow-fromsource +spec: + nodeSelector: + matchLabels: + kubearmor.io/hostname: "*" + severity: 5 + file: + matchPaths: + - path: /etc/hostname + fromSource: + - path: /usr/bin/head + action: + Allow + +# kubearmor-dev_test_07 + +# test +# $ head /etc/hostname +# kubearmor-dev +# $ head /etc/hosts +# head: /etc/hosts: Permission denied + +# expectation +# /usr/bin/head can only access /etc/hostname +# /usr/bin/head cannot access any others \ No newline at end of file diff --git a/tests/k8s_env/hsp/res/hsp-kubearmor-dev-file-path-audit.yaml b/tests/k8s_env/hsp/res/hsp-kubearmor-dev-file-path-audit.yaml new file mode 100644 index 0000000000..e545f7bd42 --- /dev/null +++ b/tests/k8s_env/hsp/res/hsp-kubearmor-dev-file-path-audit.yaml 
@@ -0,0 +1,25 @@ +apiVersion: security.kubearmor.com/v1 +kind: KubeArmorHostPolicy +metadata: + name: hsp-kubearmor-dev-file-path-audit +spec: + nodeSelector: + matchLabels: + kubearmor.io/hostname: "*" + severity: 5 + file: + matchPaths: + - path: /etc/passwd + action: + Audit + +# kubearmor-dev_test_02 + +# test +# $ cat /etc/passwd +# ... +# $ head /etc/passwd +# ... + +# expectation +# anyone can access /etc/passwd, but the access would be audited \ No newline at end of file diff --git a/tests/k8s_env/hsp/res/hsp-kubearmor-dev-file-path-block-fromSource.yaml b/tests/k8s_env/hsp/res/hsp-kubearmor-dev-file-path-block-fromSource.yaml new file mode 100644 index 0000000000..d405d896de --- /dev/null +++ b/tests/k8s_env/hsp/res/hsp-kubearmor-dev-file-path-block-fromSource.yaml @@ -0,0 +1,28 @@ +apiVersion: security.kubearmor.com/v1 +kind: KubeArmorHostPolicy +metadata: + name: hsp-kubearmor-dev-file-path-block-fromsource +spec: + nodeSelector: + matchLabels: + kubearmor.io/hostname: "*" + severity: 5 + file: + matchPaths: + - path: /etc/hostname + fromSource: + - path: /usr/bin/head + action: + Block + +# kubearmor-dev_test_06 + +# test +# $ head /etc/hostname +# head: cannot open '/etc/hostname' for reading: Permission denied +# $ head /etc/hosts +# ... + +# expectation +# /usr/bin/head cannot access /etc/hostname +# /usr/bin/head can access any others \ No newline at end of file diff --git a/tests/k8s_env/hsp/res/hsp-kubearmor-dev-file-path-block.yaml b/tests/k8s_env/hsp/res/hsp-kubearmor-dev-file-path-block.yaml new file mode 100644 index 0000000000..323e014505 --- /dev/null +++ b/tests/k8s_env/hsp/res/hsp-kubearmor-dev-file-path-block.yaml 
@@ -0,0 +1,23 @@ +apiVersion: security.kubearmor.com/v1 +kind: KubeArmorHostPolicy +metadata: + name: hsp-kubearmor-dev-file-path-block +spec: + nodeSelector: + matchLabels: + kubearmor.io/hostname: "*" + severity: 5 + file: + matchPaths: + - path: /etc/hostname + action: + Block + +# kubearmor-dev_test_03 + +# test +# $ cat /etc/hostname +# cat: /etc/hostname: Permission denied + +# expectation +# anyone cannot access /etc/hostname \ No newline at end of file diff --git a/tests/k8s_env/hsp/res/hsp-kubearmor-dev-proc-path-allow-fromSource.yaml b/tests/k8s_env/hsp/res/hsp-kubearmor-dev-proc-path-allow-fromSource.yaml new file mode 100644 index 0000000000..42270ff8ab --- /dev/null +++ b/tests/k8s_env/hsp/res/hsp-kubearmor-dev-proc-path-allow-fromSource.yaml @@ -0,0 +1,31 @@ +apiVersion: security.kubearmor.com/v1 +kind: KubeArmorHostPolicy +metadata: + name: hsp-kubearmor-dev-proc-path-allow-fromsource +spec: + nodeSelector: + matchLabels: + kubearmor.io/hostname: "*" + severity: 5 + process: + matchPaths: + - path: /bin/date + fromSource: + - path: /bin/bash # ubuntu # ubuntu also uses /usr/bin/bash + - path: /usr/bin/date + fromSource: + - path: /usr/bin/bash # centos + action: + Allow + +# kubearmor-dev_test_05 + +# test +# $ bash -c date +# ... +# $ bash -c ls +# bash: /usr/bin/ls: Permission denied + +# expectation +# (/usr)/bin/bash can only execute (/usr)/bin/date +# (/usr)/bin/bash cannot execute any others \ No newline at end of file diff --git a/tests/k8s_env/hsp/res/hsp-kubearmor-dev-proc-path-block-fromSource.yaml b/tests/k8s_env/hsp/res/hsp-kubearmor-dev-proc-path-block-fromSource.yaml new file mode 100644 index 0000000000..7f9165c4d2 --- /dev/null +++ b/tests/k8s_env/hsp/res/hsp-kubearmor-dev-proc-path-block-fromSource.yaml 
@@ -0,0 +1,31 @@ +apiVersion: security.kubearmor.com/v1 +kind: KubeArmorHostPolicy +metadata: + name: hsp-kubearmor-dev-proc-path-block-fromsource +spec: + nodeSelector: + matchLabels: + kubearmor.io/hostname: "*" + severity: 5 + process: + matchPaths: + - path: /bin/date + fromSource: + - path: /bin/bash # ubuntu + - path: /usr/bin/date + fromSource: + - path: /usr/bin/bash # centos + action: + Block + +# kubearmor-dev_test_04 + +# test +# (/home/vagrant/selinux-test/) $ bash -c date +# bash: 1: date: Permission denied +# (/home/vagrant/selinux-test/) $ bash -c ls +# ls ... + +# expectation +# (/usr)/bin/bash cannot execute (/usr)/bin/date +# (/usr)/bin/bash can execute any others \ No newline at end of file diff --git a/tests/k8s_env/hsp/res/hsp-kubearmor-dev-proc-path-block.yaml b/tests/k8s_env/hsp/res/hsp-kubearmor-dev-proc-path-block.yaml new file mode 100644 index 0000000000..6c2ca56407 --- /dev/null +++ b/tests/k8s_env/hsp/res/hsp-kubearmor-dev-proc-path-block.yaml @@ -0,0 +1,23 @@ +apiVersion: security.kubearmor.com/v1 +kind: KubeArmorHostPolicy +metadata: + name: hsp-kubearmor-dev-proc-path-block +spec: + nodeSelector: + matchLabels: + kubearmor.io/hostname: "*" + severity: 5 + process: + matchPaths: + - path: /usr/bin/diff + action: + Block + +# kubearmor-dev_test_01 + +# test +# $ diff --help +# -bash: /usr/bin/diff: Permission denied + +# expectation +# anyone cannot execute /usr/bin/diff \ No newline at end of file diff --git a/tests/k8s_env/hsp/res/hsp-kubearmor-dev-udp-block.yaml b/tests/k8s_env/hsp/res/hsp-kubearmor-dev-udp-block.yaml new file mode 100644 index 0000000000..6076b2adef --- /dev/null +++ b/tests/k8s_env/hsp/res/hsp-kubearmor-dev-udp-block.yaml 
@@ -0,0 +1,25 @@ +apiVersion: security.kubearmor.com/v1 +kind: KubeArmorHostPolicy +metadata: + name: hsp-kubearmor-dev-udp-block-curl +spec: + nodeSelector: + matchLabels: + kubearmor.io/hostname: "*" + severity: 5 + network: + matchProtocols: + - protocol: udp + fromSource: + - path: /usr/bin/curl + action: + Block + + +# curl google.com +# curl: (6) Could not resolve host: google.com + +# curl 142.250.194.142 +# ... content + +# resolving google.com requires udp protocol \ No newline at end of file From 3d355989ee9368efdbfbe969f5a531ece9675bae Mon Sep 17 00:00:00 2001 From: Navin Chandra Date: Sat, 31 Aug 2024 19:21:09 +0000 Subject: [PATCH 3/3] Enable host visibility in `ci-test-ubi.yml` Signed-off-by: Navin Chandra --- .github/workflows/ci-test-ginkgo.yml | 2 +- .github/workflows/ci-test-ubi-image.yml | 3 +++ tests/k8s_env/hsp/hsp_test.go | 2 +- 3 files changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci-test-ginkgo.yml b/.github/workflows/ci-test-ginkgo.yml index 3f3b6cd53a..270b762fd4 100644 --- a/.github/workflows/ci-test-ginkgo.yml +++ b/.github/workflows/ci-test-ginkgo.yml @@ -160,7 +160,7 @@ jobs: sleep 15 - - name: Add KubeArmor host visibility + - name: Enable KubeArmor host visibility run: ./.github/workflows/host-visibility.sh - name: Get KubeArmor POD info diff --git a/.github/workflows/ci-test-ubi-image.yml b/.github/workflows/ci-test-ubi-image.yml index a1ea9594b2..f4b5b566c6 100644 --- a/.github/workflows/ci-test-ubi-image.yml +++ b/.github/workflows/ci-test-ubi-image.yml @@ -108,6 +108,9 @@ jobs: - name: Operator may take upto 10 sec to enable TLS, Sleep for 15Sec run: | sleep 15 + + - name: Enable KubeArmor host visibility + run: ./.github/workflows/host-visibility.sh - name: Test KubeArmor using Ginkgo run: | diff --git a/tests/k8s_env/hsp/hsp_test.go b/tests/k8s_env/hsp/hsp_test.go index 91a1d0b6cf..9141281049 100644 --- a/tests/k8s_env/hsp/hsp_test.go +++ b/tests/k8s_env/hsp/hsp_test.go 
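Review bot: This is the only fixture whose `metadata.name` (`hsp-kubearmor-dev-udp-block-curl`) differs from its file name (`hsp-kubearmor-dev-udp-block.yaml`); the spec asserts the metadata name, so it works, but aligning one with the other as the other nine fixtures do avoids a grep miss later. The trailing manual-check comment carries a literal IP address that will go stale; `# curl <any IPv4 literal>  # still works: only UDP from /usr/bin/curl is blocked` says the same thing without the hardcoded value. Like the other fixtures, `kubearmor.io/hostname: "*"` selects every node, which is fine for the single-node CI cluster but should be stated in the header comment if the files are meant as copyable examples.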
@@ -11,7 +11,7 @@ import ( . "github.com/onsi/gomega" ) -var _ = Describe("Non-k8s HSP tests", func() { +var _ = Describe("k8s HSP tests", func() { AfterEach(func() { KarmorLogStop()