From 0111c0122265ae6e8297c8dc9dcd429f5de52bda Mon Sep 17 00:00:00 2001
From: PrimalPimmy
Date: Fri, 16 Feb 2024 04:13:47 +0530
Subject: [PATCH] First iteration of seccomp testing

Signed-off-by: PrimalPimmy
Fixes
Signed-off-by: PrimalPimmy
Fixes
Signed-off-by: PrimalPimmy
Fixes2
Signed-off-by: PrimalPimmy
---
 .github/workflows/ci-test-seccomp.yml | 96 ++++++++++++++++++++++++
 .github/workflows/kube.json | 32 ++++++++
 .github/workflows/kubearmor-seccomp.yaml | 0
 3 files changed, 128 insertions(+)
 create mode 100644 .github/workflows/ci-test-seccomp.yml
 create mode 100644 .github/workflows/kube.json
 create mode 100644 .github/workflows/kubearmor-seccomp.yaml

diff --git a/.github/workflows/ci-test-seccomp.yml b/.github/workflows/ci-test-seccomp.yml
new file mode 100644
index 0000000000..2716c9afbf
--- /dev/null
+++ b/.github/workflows/ci-test-seccomp.yml
@@ -0,0 +1,96 @@
+name: ci-test-seccomp
+
+on:
+ push:
+ branches: [main]
+ paths:
+ - "KubeArmor/**"
+ - "tests/**"
+ - "protobuf/**"
+ - ".github/workflows/ci-test-seccomp.yml"
+ - "pkg/KubeArmorOperator/**"
+ - "deployments/helm/**"
+ pull_request:
+ branches: [main]
+ paths:
+ - "KubeArmor/**"
+ - "tests/**"
+ - "protobuf/**"
+ - ".github/workflows/ci-test-seccomp.yml"
+ - "pkg/KubeArmorOperator/**"
+ - "deployments/helm/**"
+
+# Declare default permissions as read only.
+permissions: read-all
+
+jobs:
+ build:
+ name: Auto-testing Framework / ${{ matrix.os }} / ${{ matrix.runtime }}
+ runs-on: ${{ matrix.os }}
+ env:
+ RUNTIME: ${{ matrix.runtime }}
+ strategy:
+ fail-fast: false
+ matrix:
+ os: [ubuntu-20.04]
+ runtime: ["docker", "containerd", "crio"]
+ steps:
+ - uses: actions/checkout@v3
+ with:
+ submodules: true
+
+ - uses: actions/setup-go@v3
+ with:
+ go-version: "v1.20"
+
+ - name: Install the latest LLVM toolchain
+ run: ./.github/workflows/install-llvm.sh
+
+ - name: Compile libbpf
+ run: ./.github/workflows/install-libbpf.sh
+
+ - name: Setup a Kubernetes environment
+ run: ./.github/workflows/install-k3s.sh
+
+ - name: Generate KubeArmor artifacts
+ run: |
+ sudo cp ./.github/workflows/kube.json /var/lib/kubelet/seccomp/profiles/kube.json
+ kubectl apply -f ./.github/workflows/kubearmor-seccomp.yaml
+
+ - name: Test KubeArmor using Ginkgo
+ run: |
+ go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo
+ make
+ working-directory: ./tests/k8s_env
+ timeout-minutes: 30
+
+ - name: Get karmor sysdump
+ if: ${{ failure() }}
+ run: |
+ kubectl describe pod -n kubearmor -l kubearmor-app=kubearmor
+ curl -sfL http://get.kubearmor.io/ | sudo sh -s -- -b /usr/local/bin
+ mkdir -p /tmp/kubearmor/ && cd /tmp/kubearmor && karmor sysdump
+
+ - name: Archive log artifacts
+ if: ${{ failure() }}
+ uses: actions/upload-artifact@v3
+ with:
+ name: kubearmor.logs
+ path: |
+ /tmp/kubearmor/
+ /tmp/kubearmor.*
+
+ - name: Measure code coverage
+ if: ${{ always() }}
+ run: |
+ go install github.com/modocache/gover@latest
+ gover
+ go tool cover -func=gover.coverprofile
+ working-directory: KubeArmor
+ env:
+ GOPATH: /home/runner/go
+
+ - uses: codecov/codecov-action@v3
+ if: ${{ always() }}
+ with:
+ files: ./KubeArmor/gover.coverprofile
diff --git a/.github/workflows/kube.json b/.github/workflows/kube.json
new file mode 100644
index 0000000000..b9dd060260
--- /dev/null
+++ b/.github/workflows/kube.json
@@ -0,0 +1,32 @@
+{
+ "architectures": [
+ "SCMP_ARCH_X86_64"
+ ],
+ "defaultAction": "SCMP_ACT_ERRNO",
+ "syscalls": [
+ {
+ "action": "SCMP_ACT_ALLOW",
+ "names": [
+ "close",
+ "bpf",
+ "nanosleep",
+ "write",
+ "tgkill",
+ "sched_yield",
+ "ioctl",
+ "rt_sigprocmask",
+ "munmap",
+ "open",
+ "epoll_pwait",
+ "read",
+ "readlinkat",
+ "getpid",
+ "futex",
+ "epoll_wait",
+ "kill",
+ "rt_sigreturn",
+ "mmap"
+ ]
+ }
+ ]
+ }
\ No newline at end of file
diff --git a/.github/workflows/kubearmor-seccomp.yaml b/.github/workflows/kubearmor-seccomp.yaml
new file mode 100644
index 0000000000..e69de29bb2
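Review bot: The `Generate KubeArmor artifacts` step runs `kubectl apply -f ./.github/workflows/kubearmor-seccomp.yaml`, but this same patch adds that file empty (index `e69de29bb2` is the empty blob and the diffstat shows 0 lines), so `kubectl apply` will fail with "no objects passed to apply" on every run and the job never reaches the Ginkgo step. That manifest presumably needs to carry the KubeArmor deployment with `securityContext.seccompProfile: {type: Localhost, localhostProfile: kube.json}` so the copied profile is actually attached to the pod, and the preceding `sudo cp` into `/var/lib/kubelet/seccomp/profiles/` should be guarded with `sudo mkdir -p /var/lib/kubelet/seccomp/profiles`, since nothing in this workflow or the k3s install step visibly creates that directory. In the sysdump step, `curl -sfL http://get.kubearmor.io/ | sudo sh -s -- -b /usr/local/bin` fetches an installer over plain HTTP and pipes it into a root shell on the runner; use `https://` at minimum and ideally pin the karmor version. The step name `Generate KubeArmor artifacts` no longer describes what the step does — `Install seccomp profile and deploy KubeArmor` would be accurate.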
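Review bot: The `names` allowlist is far too small for the KubeArmor process to start, let alone load eBPF programs: with `"defaultAction": "SCMP_ACT_ERRNO"` every unlisted syscall fails with EPERM, and the list omits `execve` (the OCI runtime installs the filter before exec'ing the entrypoint, so the container itself needs it), `exit_group`, `clone`/`clone3`, `mprotect`, `rt_sigaction`, `sigaltstack`, the `socket`/`bind`/`listen`/`accept4` family the gRPC server needs, and, given the `bpf` entry, presumably `perf_event_open` for attaching probes. `open` is also the wrong entry for a Go binary — the Go syscall package on linux/amd64 issues `openat`, so the listed `open` will never match. For a first iteration I would flip to `"defaultAction": "SCMP_ACT_LOG"`, run the suite, and derive the real set from the kernel's seccomp audit records before tightening back to `SCMP_ACT_ERRNO`; the file also lacks a trailing newline. Since JSON cannot carry comments, the rationale for each entry belongs in the workflow step that installs the profile.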