SECCOMP testing(DO NOT MERGE) #1633

wants to merge 3 commits into from
@@ -1,4 +1,4 @@
name: ci-test-ginkgo
name: ci-test-seccomp

on:
push:
Expand All @@ -7,7 +7,7 @@ on:
- "KubeArmor/**"
- "tests/**"
- "protobuf/**"
- ".github/workflows/ci-test-ginkgo.yml"
- ".github/workflows/ci-test-seccomp.yml"
- "pkg/KubeArmorOperator/**"
- "deployments/helm/**"
pull_request:
Expand All @@ -16,7 +16,7 @@ on:
- "KubeArmor/**"
- "tests/**"
- "protobuf/**"
- ".github/workflows/ci-test-ginkgo.yml"
- ".github/workflows/ci-test-seccomp.yml"
- "pkg/KubeArmorOperator/**"
- "deployments/helm/**"

Expand Down Expand Up @@ -54,42 +54,22 @@ jobs:

- name: Generate KubeArmor artifacts
run: |
GITHUB_SHA=$GITHUB_SHA ./KubeArmor/build/build_kubearmor.sh

- name: Build Kubearmor-Operator
working-directory: pkg/KubeArmorOperator
run: |
make docker-build

- name: deploy pre existing pod
run: |
kubectl apply -f ./tests/k8s_env/ksp/pre-run-pod.yaml
sleep 60
kubectl get pods -A

- name: Run KubeArmor
run: |
if [ ${{ matrix.runtime }} == "containerd" ]; then
docker save kubearmor/kubearmor-init:latest | sudo k3s ctr images import -
docker save kubearmor/kubearmor:latest | sudo k3s ctr images import -
docker save kubearmor/kubearmor-operator:latest | sudo k3s ctr images import -
docker save kubearmor/kubearmor-snitch:latest | sudo k3s ctr images import -
else
if [ ${{ matrix.runtime }} == "crio" ]; then
sudo podman pull docker-daemon:kubearmor/kubearmor-init:latest
sudo podman pull docker-daemon:kubearmor/kubearmor:latest
sudo podman pull docker-daemon:kubearmor/kubearmor-operator:latest
sudo podman pull docker-daemon:kubearmor/kubearmor-snitch:latest
fi
fi
helm upgrade --install kubearmor-operator ./deployments/helm/KubeArmorOperator -n kubearmor --create-namespace
grep CONFIG_SECCOMP= /boot/config-$(uname -r)
sudo mkdir /var/lib/kubelet/seccomp
sudo mkdir /var/lib/kubelet/seccomp/profiles
sudo cp ./.github/workflows/kube.json /var/lib/kubelet/seccomp/profiles/kube.json
sudo cat /var/lib/kubelet/seccomp/profiles/kube.json
helm repo add kubearmor https://kubearmor.github.io/charts
helm repo update kubearmor
helm upgrade --install kubearmor-operator kubearmor/kubearmor-operator -n kubearmor --create-namespace
kubectl wait --for=condition=ready --timeout=5m -n kubearmor pod -l kubearmor-app=kubearmor-operator
kubectl get pods -A
kubectl apply -f pkg/KubeArmorOperator/config/samples/kubearmor-test.yaml
kubectl wait -n kubearmor --timeout=5m --for=jsonpath='{.status.phase}'=Running kubearmorconfigs/kubearmorconfig-test
sleep 20
kubectl wait --timeout=7m --for=condition=ready pod -l kubearmor-app,kubearmor-app!=kubearmor-snitch -n kubearmor
kubectl get pods -A

kubectl patch ds $(kubectl get ds -n kubearmor --no-headers=true --output=custom-columns=NAME:.metadata.name) --namespace kubearmor --patch '{"spec": {"template": {"spec": {"containers": [{"name": "kubearmor", "securityContext": {"seccompProfile": {"type": "Localhost", "localhostProfile": "profiles/kube.json"}}}]}}}}'
- name: Test KubeArmor using Ginkgo
run: |
go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo
Expand All @@ -103,6 +83,7 @@ jobs:
kubectl describe pod -n kubearmor -l kubearmor-app=kubearmor
curl -sfL http://get.kubearmor.io/ | sudo sh -s -- -b /usr/local/bin
mkdir -p /tmp/kubearmor/ && cd /tmp/kubearmor && karmor sysdump
cat /var/log/syslog | grep 'kubearmor' >> karmorsyslog.txt

- name: Archive log artifacts
if: ${{ failure() }}
42 changes: 24 additions & 18 deletions .github/workflows/ci-test-ubi-image.yml
Expand Up @@ -51,28 +51,34 @@ jobs:
- name: Setup a Kubernetes environment
run: ./.github/workflows/install-k3s.sh

- name: Generate KubeArmor artifacts
run: |
GITHUB_SHA=$GITHUB_SHA ./KubeArmor/build/build_kubearmor.sh
# - name: Generate KubeArmor artifacts
# run: |
# GITHUB_SHA=$GITHUB_SHA ./KubeArmor/build/build_kubearmor.sh

- name: Build Kubearmor-Operator
working-directory: pkg/KubeArmorOperator
run: |
make docker-build
# - name: Build Kubearmor-Operator
# working-directory: pkg/KubeArmorOperator
# run: |
# make docker-build

- name: Run KubeArmor
run: |
sudo podman pull docker-daemon:kubearmor/kubearmor-init:latest
sudo podman pull docker-daemon:kubearmor/kubearmor-ubi:latest
sudo podman pull docker-daemon:kubearmor/kubearmor-operator:latest
sudo podman pull docker-daemon:kubearmor/kubearmor-snitch:latest
helm upgrade --install kubearmor-operator ./deployments/helm/KubeArmorOperator -n kubearmor --create-namespace
kubectl wait --for=condition=ready --timeout=5m -n kubearmor pod -l kubearmor-app=kubearmor-operator
kubectl get pods -A
kubectl apply -f pkg/KubeArmorOperator/config/samples/kubearmor-ubi-test.yaml
kubectl wait -n kubearmor --timeout=5m --for=jsonpath='{.status.phase}'=Running kubearmorconfigs/kubearmorconfig-test
kubectl wait --timeout=5m --for=condition=ready pod -l kubearmor-app,kubearmor-app!=kubearmor-snitch -n kubearmor
kubectl get pods -A
grep CONFIG_SECCOMP= /boot/config-$(uname -r)
sudo mkdir /var/lib/kubelet/seccomp
sudo mkdir /var/lib/kubelet/seccomp/profiles
sudo cp ./.github/workflows/kube.json /var/lib/kubelet/seccomp/profiles/kube.json
sudo cat /var/lib/kubelet/seccomp/profiles/kube.json
helm repo add kubearmor https://kubearmor.github.io/charts
helm repo update kubearmor
helm upgrade --install kubearmor-operator kubearmor/kubearmor-operator -n kubearmor --create-namespace
kubectl wait --for=condition=ready --timeout=5m -n kubearmor pod -l kubearmor-app=kubearmor-operator
kubectl get pods -A
kubectl apply -f pkg/KubeArmorOperator/config/samples/kubearmor-test.yaml
kubectl wait -n kubearmor --timeout=5m --for=jsonpath='{.status.phase}'=Running kubearmorconfigs/kubearmorconfig-test
sleep 20
kubectl wait --timeout=7m --for=condition=ready pod -l kubearmor-app,kubearmor-app!=kubearmor-snitch -n kubearmor
kubectl get pods -A
kubectl patch ds $(kubectl get ds -n kubearmor --no-headers=true --output=custom-columns=NAME:.metadata.name) --namespace kubearmor --patch '{"spec": {"template": {"spec": {"containers": [{"name": "kubearmor", "securityContext": {"seccompProfile": {"type": "Localhost", "localhostProfile": "profiles/kube.json"}}}]}}}}'


- name: Test KubeArmor using Ginkgo
run: |
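Review bot: The `kubectl patch ds …` that ends the Run KubeArmor step is not followed by a rollout wait, so the step can finish while the DaemonSet is still replacing pods and the Ginkgo step may run against the original, unconfined pods; add `kubectl rollout status ds $(kubectl get ds -n kubearmor --no-headers=true --output=custom-columns=NAME:.metadata.name) -n kubearmor --timeout=5m` after the patch and repeat the `kubectl wait --for=condition=ready pod …` already used above it. The DaemonSet is created by the operator, so the hand patch may be undone on its next reconcile — read the container's `securityContext` back (`kubectl get ds -n kubearmor -o jsonpath='{.items[*].spec.template.spec.containers[?(@.name=="kubearmor")].securityContext.seccompProfile}'`) before the tests start to confirm the profile actually stuck. `sudo mkdir /var/lib/kubelet/seccomp` and the `profiles` line below it abort the step under the default `bash -e` if the directory already exists on the runner; `sudo mkdir -p /var/lib/kubelet/seccomp/profiles` is the safe form, and `grep CONFIG_SECCOMP=` only proves the base option is set, so `grep -E 'CONFIG_SECCOMP(_FILTER)?=y'` is the check that also covers filter mode. Installing the operator from the public chart repo with no `--version` and running `:latest` images means the job no longer exercises this checkout's build and is not reproducible; if that is deliberate for the experiment, say so in a comment on the step, otherwise pin the chart version and image tags. The same Run KubeArmor block in the ci-test-seccomp.yml hunk above has all of these points.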
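--- a/.github/workflows/kube.json
+++ b/.github/workflows/kube.json
@@ -0,0 +1,108 @@
+{
+"defaultAction": "SCMP_ACT_ERRNO",
+"architectures": [
+"SCMP_ARCH_X86_64",
+"SCMP_ARCH_X86",
+"SCMP_ARCH_X32"
+],
+"syscalls": [
+{
+"names": [
+"getsockopt",
+"epoll_ctl",
+"capget",
+"fstat",
+"mmap",
+"fstatfs",
+"bpf",
+"utimensat",
+"memfd_create",
+"prlimit64",
+"open",
+"getgid",
+"dup2",
+"sigaltstack",
+"clone",
+"stat",
+"read",
+"newfstatat",
+"setgroups",
+"sched_getaffinity",
+"wait4",
+"munmap",
+"accept4",
+"mprotect",
+"futex",
+"prctl",
+"gettid",
+"getsockname",
+"exit_group",
+"rt_sigaction",
+"readlinkat",
+"getcwd",
+"execve",
+"madvise",
+"dup",
+"fcntl",
+"close",
+"write",
+"setuid",
+"ioctl",
+"readv",
+"writev",
+"uname",
+"nanosleep",
+"socket",
+"bind",
+"capset",
+"getrlimit",
+"epoll_create1",
+"pread64",
+"eventfd2",
+"dup3",
+"brk",
+"getuid",
+"pipe",
+"chdir",
+"statfs",
+"unlinkat",
+"kill",
+"rt_sigreturn",
+"geteuid",
+"getrandom",
+"getpgid",
+"openat",
+"setgid",
+"getpid",
+"tgkill",
+"fsync",
+"faccessat2",
+"sched_yield",
+"getpeername",
+"setsockopt",
+"rt_sigprocmask",
+"connect",
+"perf_event_open",
+"access",
+"getdents64",
+"epoll_wait",
+"fork",
+"rename",
+"set_tid_address",
+"getppid",
+"pipe2",
+"epoll_pwait",
+"waitid",
+"arch_prctl",
+"listen",
+"lseek",
+"getegid",
+"mkdirat",
+"sendfile",
+"mount",
+"vfork"
+],
+"action": "SCMP_ACT_ALLOW"
+}
+]
+}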
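Review bot: The allowlist admits `mount`, `bpf` and `perf_event_open` alongside the process-creation calls (`clone`, `fork`, `vfork`, `execve`), but nothing in the PR records why each one is required; they are presumably what the enforcer needs to load its eBPF programs and mount the BPF filesystem, and that rationale belongs in a comment on the workflow step that copies the profile (the JSON file cannot carry it portably), so the list can later be trimmed with confidence. `"defaultAction": "SCMP_ACT_ERRNO"` makes any missing syscall fail with EPERM, which the Ginkgo run will only surface indirectly as a KubeArmor malfunction; for this experiment a `SCMP_ACT_LOG` default (needs kernel 4.14+ and runtime support) would record the names of denied syscalls without blocking them and make the profile much easier to complete. The `architectures` list is x86-only, so the profile may not behave as intended if the runtime matrix ever gains an arm64 runner; `SCMP_ARCH_AARCH64` would need adding then. Keeping a non-workflow file under `.github/workflows/` is also unusual; a location under `tests/` would keep that directory to workflow definitions.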
4 changes: 2 additions & 2 deletions pkg/KubeArmorOperator/config/samples/kubearmor-test.yaml
Expand Up @@ -16,10 +16,10 @@ spec:
defaultVisibility: process,file,network,capabilities
kubearmorImage:
image: kubearmor/kubearmor:latest
imagePullPolicy: Never
imagePullPolicy: Always
kubearmorInitImage:
image: kubearmor/kubearmor-init:latest
imagePullPolicy: Never
imagePullPolicy: Always
kubearmorRelayImage:
image: kubearmor/kubearmor-relay-server:latest
imagePullPolicy: Always
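Review bot: Switching both `imagePullPolicy` values to `Always` on an unpinned `:latest` tag means every CI run tests whatever is currently published to the registry rather than the images this checkout builds, and with the build steps commented out in the workflow files of this same PR a failure here can no longer be attributed to the code under test. If the sample is meant to consume published images, pin them by digest or a versioned tag, e.g. `image: kubearmor/kubearmor:<pinned-version>` (placeholder), and keep a separate locally-built variant with `imagePullPolicy: Never` for PR validation. If this is only for the seccomp experiment, a comment on these two lines saying so would stop the change from being carried into a real merge.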
1 change: 0 additions & 1 deletion tests/k8s_env/Makefile
Expand Up @@ -5,7 +5,6 @@
build:
@go mod tidy
# run in two steps as syscall suite fails if run at the very end
# see - https://github.com/kubearmor/KubeArmor/issues/1269
@ginkgo --vv --flake-attempts=10 --timeout=10m syscalls/
@ginkgo -r --vv --flake-attempts=10 --timeout=30m --skip-package "syscalls"
.PHONY: test