diff --git a/.github/workflows/ci-test-ginkgo.yml b/.github/workflows/ci-test-seccomp.yml similarity index 66% rename from .github/workflows/ci-test-ginkgo.yml rename to .github/workflows/ci-test-seccomp.yml index 64bbbc85ce..97950eb1c7 100644 --- a/.github/workflows/ci-test-ginkgo.yml +++ b/.github/workflows/ci-test-seccomp.yml @@ -1,4 +1,4 @@ -name: ci-test-ginkgo +name: ci-test-seccomp on: push: @@ -7,7 +7,7 @@ on: - "KubeArmor/**" - "tests/**" - "protobuf/**" - - ".github/workflows/ci-test-ginkgo.yml" + - ".github/workflows/ci-test-seccomp.yml" - "pkg/KubeArmorOperator/**" - "deployments/helm/**" pull_request: @@ -16,7 +16,7 @@ on: - "KubeArmor/**" - "tests/**" - "protobuf/**" - - ".github/workflows/ci-test-ginkgo.yml" + - ".github/workflows/ci-test-seccomp.yml" - "pkg/KubeArmorOperator/**" - "deployments/helm/**" 
@@ -54,42 +54,22 @@ jobs: - name: Generate KubeArmor artifacts run: | - GITHUB_SHA=$GITHUB_SHA ./KubeArmor/build/build_kubearmor.sh - - - name: Build Kubearmor-Operator - working-directory: pkg/KubeArmorOperator - run: | - make docker-build - - - name: deploy pre existing pod - run: | - kubectl apply -f ./tests/k8s_env/ksp/pre-run-pod.yaml - sleep 60 - kubectl get pods -A - - - name: Run KubeArmor - run: | - if [ ${{ matrix.runtime }} == "containerd" ]; then - docker save kubearmor/kubearmor-init:latest | sudo k3s ctr images import - - docker save kubearmor/kubearmor:latest | sudo k3s ctr images import - - docker save kubearmor/kubearmor-operator:latest | sudo k3s ctr images import - - docker save kubearmor/kubearmor-snitch:latest | sudo k3s ctr images import - - else - if [ ${{ matrix.runtime }} == "crio" ]; then - sudo podman pull docker-daemon:kubearmor/kubearmor-init:latest - sudo podman pull docker-daemon:kubearmor/kubearmor:latest - sudo podman pull docker-daemon:kubearmor/kubearmor-operator:latest - sudo podman pull docker-daemon:kubearmor/kubearmor-snitch:latest - fi - fi - helm upgrade --install kubearmor-operator ./deployments/helm/KubeArmorOperator -n kubearmor --create-namespace + grep CONFIG_SECCOMP= /boot/config-$(uname -r) + sudo mkdir /var/lib/kubelet/seccomp + sudo mkdir /var/lib/kubelet/seccomp/profiles + sudo cp ./.github/workflows/kube.json /var/lib/kubelet/seccomp/profiles/kube.json + sudo cat /var/lib/kubelet/seccomp/profiles/kube.json + helm repo add kubearmor https://kubearmor.github.io/charts + helm repo update kubearmor + helm upgrade --install kubearmor-operator kubearmor/kubearmor-operator -n kubearmor --create-namespace kubectl wait --for=condition=ready --timeout=5m -n kubearmor pod -l kubearmor-app=kubearmor-operator kubectl get pods -A kubectl apply -f pkg/KubeArmorOperator/config/samples/kubearmor-test.yaml kubectl wait -n kubearmor --timeout=5m --for=jsonpath='{.status.phase}'=Running kubearmorconfigs/kubearmorconfig-test + sleep 
20 kubectl wait --timeout=7m --for=condition=ready pod -l kubearmor-app,kubearmor-app!=kubearmor-snitch -n kubearmor kubectl get pods -A - + kubectl patch ds $(kubectl get ds -n kubearmor --no-headers=true --output=custom-columns=NAME:.metadata.name) --namespace kubearmor --patch '{"spec": {"template": {"spec": {"containers": [{"name": "kubearmor", "securityContext": {"seccompProfile": {"type": "Localhost", "localhostProfile": "profiles/kube.json"}}}]}}}}' - name: Test KubeArmor using Ginkgo run: | go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo @@ -103,6 +83,7 @@ jobs: kubectl describe pod -n kubearmor -l kubearmor-app=kubearmor curl -sfL http://get.kubearmor.io/ | sudo sh -s -- -b /usr/local/bin mkdir -p /tmp/kubearmor/ && cd /tmp/kubearmor && karmor sysdump + cat /var/log/syslog | grep 'kubearmor' >> karmorsyslog.txt - name: Archive log artifacts if: ${{ failure() }} diff --git a/.github/workflows/ci-test-ubi-image.yml b/.github/workflows/ci-test-ubi-image.yml index dcd87911f7..f407d44ec0 100644 --- a/.github/workflows/ci-test-ubi-image.yml +++ b/.github/workflows/ci-test-ubi-image.yml 
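Review bot: The new `run:` block replaces the images and chart built from the checked-out commit with `helm repo add kubearmor https://kubearmor.github.io/charts` and the published `kubearmor/kubearmor-operator` chart, so this job now exercises whatever `latest` the registry serves rather than the code under review, and its outcome can change with no change to the repository; the same switch appears in the ci-test-ubi-image.yml hunk and in the `imagePullPolicy: Never` → `Always` hunk of kubearmor-test.yaml. If installing from the published chart is intended, pin it with `helm upgrade --install ... --version <CHART_VERSION>` and pin the image tags in the sample config instead of `:latest`. After `kubectl patch ds ...` nothing waits for the rolling update the patch triggers, so the Ginkgo step can start against pods that are still being replaced (or crash-looping if the profile denies a syscall KubeArmor needs); add `kubectl rollout status -n kubearmor ds/$(kubectl get ds -n kubearmor --no-headers=true --output=custom-columns=NAME:.metadata.name) --timeout=5m` after the patch so such a failure surfaces here with a clear cause. The step that now holds this script is still named `Generate KubeArmor artifacts`, which no longer describes it; rename it, e.g. `- name: Install KubeArmor with seccomp profile`. The `Test KubeArmor using Ginkgo` step whose first line closes the hunk continues past it.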
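Review bot: `cat /var/log/syslog | grep 'kubearmor' >> karmorsyslog.txt` exits 1 when no line matches, and a `run:` step without an explicit `shell:` runs under `bash -e`, so an empty match marks this diagnostics step failed and can hide the signal from the step that actually failed; write it as `grep 'kubearmor' /var/log/syslog >> karmorsyslog.txt || true` (the `cat` is unnecessary). If the runner user cannot read `/var/log/syslog` the same line also fails, so `sudo grep ...` may be needed — worth confirming on the runner image. The enclosing step starts before this hunk, so its name and `if:` condition are not visible here.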
@@ -51,28 +51,34 @@ jobs: - name: Setup a Kubernetes environment run: ./.github/workflows/install-k3s.sh - - name: Generate KubeArmor artifacts - run: | - GITHUB_SHA=$GITHUB_SHA ./KubeArmor/build/build_kubearmor.sh + # - name: Generate KubeArmor artifacts + # run: | + # GITHUB_SHA=$GITHUB_SHA ./KubeArmor/build/build_kubearmor.sh - - name: Build Kubearmor-Operator - working-directory: pkg/KubeArmorOperator - run: | - make docker-build + # - name: Build Kubearmor-Operator + # working-directory: pkg/KubeArmorOperator + # run: | + # make docker-build - name: Run KubeArmor run: | - sudo podman pull docker-daemon:kubearmor/kubearmor-init:latest - sudo podman pull docker-daemon:kubearmor/kubearmor-ubi:latest - sudo podman pull docker-daemon:kubearmor/kubearmor-operator:latest - sudo podman pull docker-daemon:kubearmor/kubearmor-snitch:latest - helm upgrade --install kubearmor-operator ./deployments/helm/KubeArmorOperator -n kubearmor --create-namespace - kubectl wait --for=condition=ready --timeout=5m -n kubearmor pod -l kubearmor-app=kubearmor-operator - kubectl get pods -A - kubectl apply -f pkg/KubeArmorOperator/config/samples/kubearmor-ubi-test.yaml - kubectl wait -n kubearmor --timeout=5m --for=jsonpath='{.status.phase}'=Running kubearmorconfigs/kubearmorconfig-test - kubectl wait --timeout=5m --for=condition=ready pod -l kubearmor-app,kubearmor-app!=kubearmor-snitch -n kubearmor - kubectl get pods -A + grep CONFIG_SECCOMP= /boot/config-$(uname -r) + sudo mkdir /var/lib/kubelet/seccomp + sudo mkdir /var/lib/kubelet/seccomp/profiles + sudo cp ./.github/workflows/kube.json /var/lib/kubelet/seccomp/profiles/kube.json + sudo cat /var/lib/kubelet/seccomp/profiles/kube.json + helm repo add kubearmor https://kubearmor.github.io/charts + helm repo update kubearmor + helm upgrade --install kubearmor-operator kubearmor/kubearmor-operator -n kubearmor --create-namespace + kubectl wait --for=condition=ready --timeout=5m -n kubearmor pod -l kubearmor-app=kubearmor-operator + 
kubectl get pods -A + kubectl apply -f pkg/KubeArmorOperator/config/samples/kubearmor-test.yaml + kubectl wait -n kubearmor --timeout=5m --for=jsonpath='{.status.phase}'=Running kubearmorconfigs/kubearmorconfig-test + sleep 20 + kubectl wait --timeout=7m --for=condition=ready pod -l kubearmor-app,kubearmor-app!=kubearmor-snitch -n kubearmor + kubectl get pods -A + kubectl patch ds $(kubectl get ds -n kubearmor --no-headers=true --output=custom-columns=NAME:.metadata.name) --namespace kubearmor --patch '{"spec": {"template": {"spec": {"containers": [{"name": "kubearmor", "securityContext": {"seccompProfile": {"type": "Localhost", "localhostProfile": "profiles/kube.json"}}}]}}}}' + - name: Test KubeArmor using Ginkgo run: | diff --git a/.github/workflows/kube.json b/.github/workflows/kube.json new file mode 100644 index 0000000000..9c3237cc0f --- /dev/null +++ b/.github/workflows/kube.json 
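Review bot: The rewritten `Run KubeArmor` step applies `pkg/KubeArmorOperator/config/samples/kubearmor-test.yaml` instead of `kubearmor-ubi-test.yaml`, and the `podman pull docker-daemon:kubearmor/kubearmor-ubi:latest` line is gone, so a workflow named ci-test-ubi-image no longer deploys the UBI image at all; restore `kubectl apply -f pkg/KubeArmorOperator/config/samples/kubearmor-ubi-test.yaml` (with whatever that sample needs to select the UBI image) or rename the workflow to match what it tests. The two build steps are commented out rather than deleted; dead `#` blocks in workflow files drift out of date, and git history already preserves them. `sudo mkdir /var/lib/kubelet/seccomp` followed by `sudo mkdir /var/lib/kubelet/seccomp/profiles` fails under `bash -e` if the directory already exists, so `sudo mkdir -p /var/lib/kubelet/seccomp/profiles` is the safer single line. The `Test KubeArmor using Ginkgo` step continues past the hunk.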
@@ -0,0 +1,108 @@
+{
+  "defaultAction": "SCMP_ACT_ERRNO",
+  "architectures": [
+    "SCMP_ARCH_X86_64",
+    "SCMP_ARCH_X86",
+    "SCMP_ARCH_X32"
+  ],
+  "syscalls": [
+    {
+      "names": [
+        "getsockopt",
+        "epoll_ctl",
+        "capget",
+        "fstat",
+        "mmap",
+        "fstatfs",
+        "bpf",
+        "utimensat",
+        "memfd_create",
+        "prlimit64",
+        "open",
+        "getgid",
+        "dup2",
+        "sigaltstack",
+        "clone",
+        "stat",
+        "read",
+        "newfstatat",
+        "setgroups",
+        "sched_getaffinity",
+        "wait4",
+        "munmap",
+        "accept4",
+        "mprotect",
+        "futex",
+        "prctl",
+        "gettid",
+        "getsockname",
+        "exit_group",
+        "rt_sigaction",
+        "readlinkat",
+        "getcwd",
+        "execve",
+        "madvise",
+        "dup",
+        "fcntl",
+        "close",
+        "write",
+        "setuid",
+        "ioctl",
+        "readv",
+        "writev",
+        "uname",
+        "nanosleep",
+        "socket",
+        "bind",
+        "capset",
+        "getrlimit",
+        "epoll_create1",
+        "pread64",
+        "eventfd2",
+        "dup3",
+        "brk",
+        "getuid",
+        "pipe",
+        "chdir",
+        "statfs",
+        "unlinkat",
+        "kill",
+        "rt_sigreturn",
+        "geteuid",
+        "getrandom",
+        "getpgid",
+        "openat",
+        "setgid",
+        "getpid",
+        "tgkill",
+        "fsync",
+        "faccessat2",
+        "sched_yield",
+        "getpeername",
+        "setsockopt",
+        "rt_sigprocmask",
+        "connect",
+        "perf_event_open",
+        "access",
+        "getdents64",
+        "epoll_wait",
+        "fork",
+        "rename",
+        "set_tid_address",
+        "getppid",
+        "pipe2",
+        "epoll_pwait",
+        "waitid",
+        "arch_prctl",
+        "listen",
+        "lseek",
+        "getegid",
+        "mkdirat",
+        "sendfile",
+        "mount",
+        "vfork"
+      ],
+      "action": "SCMP_ACT_ALLOW"
+    }
+  ]
+}
\ No newline at end of file
diff --git a/pkg/KubeArmorOperator/config/samples/kubearmor-test.yaml b/pkg/KubeArmorOperator/config/samples/kubearmor-test.yaml
index e7c37652a0..9f94ed260c 100644
--- a/pkg/KubeArmorOperator/config/samples/kubearmor-test.yaml
+++ b/pkg/KubeArmorOperator/config/samples/kubearmor-test.yaml
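Review bot: The allowlist grants `mount`, `bpf`, `perf_event_open`, `setuid`/`setgid`/`setgroups`, `capset` and the full process-creation family (`clone`, `fork`, `vfork`, `execve`) with no record of which KubeArmor component needs each one; since JSON cannot carry comments, document the provenance of the list (what workload it was captured from and why `mount` is required) in the workflow step that copies the profile, and confirm `mount` is needed rather than captured incidentally, because the `SCMP_ACT_ERRNO` default only buys isolation for what is left out. The `architectures` list covers only the x86 variants and several names (e.g. `open`, `stat`, `dup2`, `fork`, `vfork`, `pipe`, `access`, `epoll_wait`, `rename`, `arch_prctl`) have no aarch64 syscall of that name, so the profile will not carry over to arm64 runners as-is — acceptable for this job, but worth a note next to the copy step. The file is added without a trailing newline (`\ No newline at end of file`).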
@@ -16,10 +16,10 @@ spec: defaultVisibility: process,file,network,capabilities kubearmorImage: image: kubearmor/kubearmor:latest - imagePullPolicy: Never + imagePullPolicy: Always kubearmorInitImage: image: kubearmor/kubearmor-init:latest - imagePullPolicy: Never + imagePullPolicy: Always kubearmorRelayImage: image: kubearmor/kubearmor-relay-server:latest imagePullPolicy: Always diff --git a/tests/k8s_env/Makefile b/tests/k8s_env/Makefile index ef96bc28e4..fd6ea66a1f 100644 --- a/tests/k8s_env/Makefile +++ b/tests/k8s_env/Makefile @@ -5,7 +5,6 @@ build: @go mod tidy # run in two steps as syscall suite fails if run at the very end - # see - https://github.com/kubearmor/KubeArmor/issues/1269 @ginkgo --vv --flake-attempts=10 --timeout=10m syscalls/ @ginkgo -r --vv --flake-attempts=10 --timeout=30m --skip-package "syscalls" .PHONY: test