navin772 · navin772 · May 25, 2024 · May 23, 2024 · May 23, 2024 · May 23, 2024
diff --git a/.github/workflows/ci-test-ginkgo.yml b/.github/workflows/ci-test-ginkgo.yml
@@ -2,7 +2,7 @@ name: ci-test-ginkgo
 
 on:
   push:
-    branches: [main]
+    branches: [main, lfx-pretask-submission, test-actions]
     paths:
       - "KubeArmor/**"
       - "tests/**"
@@ -11,7 +11,7 @@ on:
       - "pkg/KubeArmorOperator/**"
       - "deployments/helm/**"
   pull_request:
-    branches: [main]
+    branches: [main, lfx-pretask-submission]
     paths:
       - "KubeArmor/**"
       - "tests/**"
@@ -91,6 +91,9 @@ jobs:
           kubectl wait --timeout=1m --for=condition=ready pod -l kubearmor-app=kubearmor-controller -n kubearmor
           kubectl get pods -A
 
+      - name: Add KubeArmor host visibility
+        run: ./.github/workflows/host-visibility.sh    
+
       - name: Test KubeArmor using Ginkgo
         run: |
           go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo

diff --git a/.github/workflows/ci-test-systemd.yml b/.github/workflows/ci-test-systemd.yml
@@ -2,14 +2,14 @@ name: ci-test-systemd
 
 on:
   push:
-    branches: [main]
+    branches: [main, test-actions, lfx-pretask-submission]
     paths:
       - "KubeArmor/**"
       - "tests/**"
       - "protobuf/**"
       - ".github/workflows/ci-test-systemd.yml"
   pull_request:
-    branches: [main]
+    branches: [main, lfx-pretask, lfx-pretask-submission]
     paths:
       - "KubeArmor/**"
       - "tests/**"

diff --git a/.github/workflows/host-visibility.sh b/.github/workflows/host-visibility.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# Edit the daemonset to add the -enableKubeArmorHostPolicy=true flag
+# kubectl edit daemonset -n kubearmor <<EOF
+# /args:/a \
+#         - -enableKubeArmorHostPolicy=true
+# EOF
+
+kubectl get daemonset -n kubearmor -o yaml > daemonset.yaml
+sed -i '/args:/a \          - -enableKubeArmorHostPolicy=true' daemonset.yaml
+kubectl apply -f daemonset.yaml
+
+sleep 1m
+
+# Apply annotations to the node
+NODE_NAME=$(kubectl get nodes -o=jsonpath='{.items[0].metadata.name}')
+kubectl annotate node $NODE_NAME "kubearmorvisibility=process,file,network,capabilities"
+kubectl get no -o wide
diff --git a/.github/workflows/install-k3s.sh b/.github/workflows/install-k3s.sh
@@ -1,6 +1,8 @@
 #!/bin/bash
 # SPDX-License-Identifier: Apache-2.0
 # Copyright 2021 Authors of KubeArmor
+# Set the hostname
+# sudo hostnamectl set-hostname kubearmor-dev
 
 echo "RUNTIME="$RUNTIME
 
@@ -15,3 +17,5 @@ if [ "$RUNTIME" == "crio" ]; then
 fi
 
 ./contribution/k3s/install_k3s.sh
+
+kubectl get no -o wide
diff --git a/tests/k8s_env/Makefile b/tests/k8s_env/Makefile
@@ -6,8 +6,8 @@ build:
 	@go mod tidy
 	# run in two steps as syscall suite fails if run at the very end
 	# see - https://github.com/kubearmor/KubeArmor/issues/1269
-	@ginkgo --vv --flake-attempts=10 --timeout=10m syscalls/
-	@ginkgo -r --vv --flake-attempts=10 --timeout=30m --skip-package "syscalls"
+	@ginkgo --vv --flake-attempts=10 --timeout=10m --coverpkg=github.com/kubearmor/KubeArmor/tests/... syscalls/
+	@ginkgo -r --vv --flake-attempts=10 --timeout=30m --coverpkg=github.com/kubearmor/KubeArmor/tests/... --skip-package "syscalls"
 .PHONY: test
 test:
 	@ginkgo -r -v
diff --git a/tests/k8s_env/blockposture/block_test.go b/tests/k8s_env/blockposture/block_test.go
@@ -74,10 +74,10 @@ var _ = Describe("Posture", func() {
 				MatchRegexp("curl.*Could not resolve host: google.com"), true,
 			)
 
-			out, _, err := K8sExecInPod(wp, "wordpress-mysql", []string{"bash", "-c", "curl 142.250.193.46"})
-			Expect(err).To(BeNil())
-			fmt.Printf("---START---\n%s---END---\n", out)
-			Expect(out).To(MatchRegexp("<HTML>((?:.*\r?\n?)*)</HTML>"))
+			AssertCommand(
+				wp, "wordpress-mysql", []string{"bash", "-c", "curl 142.250.193.46"},
+				MatchRegexp("<HTML>((?:.*\r?\n?)*)</HTML>"), true,
+			)
 			// check policy violation alert
 			_, alerts, err := KarmorGetLogs(5*time.Second, 1)
 			Expect(err).To(BeNil())
@@ -101,16 +101,16 @@ var _ = Describe("Posture", func() {
 			Expect(err).To(BeNil())
 
 			//curl needs UDP for DNS resolution
-			sout, _, err := K8sExecInPod(wp, "wordpress-mysql", []string{"bash", "-c", "cat wp-config.php"})
-			Expect(err).To(BeNil())
-			fmt.Printf("---START---\n%s---END---\n", sout)
-			Expect(sout).To(MatchRegexp("cat.*Permission denied"))
+			AssertCommand(
+				wp, "wordpress-mysql", []string{"bash", "-c", "cat wp-config.php"},
+				MatchRegexp("cat.*Permission denied"), true,
+			)
 
 			//test that tcp is whitelisted
-			out, _, err := K8sExecInPod(wp, "wordpress-mysql", []string{"bash", "-c", "cat readme.html"})
-			Expect(err).To(BeNil())
-			fmt.Printf("---START---\n%s---END---\n", out)
-			Expect(out).To(MatchRegexp("<!DOCTYPE html>((?:.*\r?\n?)*)</html>"))
+			AssertCommand(
+				wp, "wordpress-mysql", []string{"bash", "-c", "cat readme.html"},
+				MatchRegexp("<!DOCTYPE html>((?:.*\r?\n?)*)</html>"), true,
+			)
 			// check policy violation alert
 			_, alerts, err := KarmorGetLogs(5*time.Second, 1)
 			Expect(err).To(BeNil())

diff --git a/tests/k8s_env/hsp/hsp_suite_test.go b/tests/k8s_env/hsp/hsp_suite_test.go
@@ -0,0 +1,16 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2022 Authors of KubeArmor
+
+package hsp_test
+
+import (
+	"testing"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+func TestHsp(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Hsp Suite")
+}
diff --git a/tests/k8s_env/hsp/hsp_test.go b/tests/k8s_env/hsp/hsp_test.go
@@ -0,0 +1,90 @@
+package hsp
+
+import (
+	"fmt"
+	"time"
+
+	. "github.com/kubearmor/KubeArmor/tests/util"
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+var _ = BeforeSuite(func() {
+
+	// delete all HSPs
+	DeleteAllHsp()
+})
+
+var _ = AfterSuite(func() {
+
+	// delete all HSPs
+	DeleteAllHsp()
+})
+
+var _ = Describe("HSP", func() {
+
+	BeforeEach(func() {
+		time.Sleep(1 * time.Second)
+	})
+
+	AfterEach(func() {
+		KarmorLogStop()
+		err := DeleteAllHsp()
+		Expect(err).To(BeNil())
+		// wait for policy deletion
+		time.Sleep(2 * time.Second)
+	})
+
+	Describe("Policy Apply", func() {
+		It("can block access to date command", func() {
+			// Apply the Host Security Policy
+			err := K8sApplyFile("manifests/hsp-kubearmor-dev-proc-path-block.yaml")
+			Expect(err).To(BeNil())
+
+			// Start Kubearmor Logs
+			err = KarmorLogStart("policy", "", "Process", "")
+			Expect(err).To(BeNil())
+
+			// Execute the date command
+			out, err := ExecCommandHost([]string{"bash", "-c", "date"})
+			Expect(err).NotTo(BeNil())
+			fmt.Printf("---START---\n%s---END---\n", out)
+			Expect(out).To(MatchRegexp(".*Permission denied"))
+
+			// check policy violation alert
+			_, alerts, err := KarmorGetLogs(5*time.Second, 1)
+			Expect(err).To(BeNil())
+			Expect(len(alerts)).To(BeNumerically(">=", 1))
+			Expect(alerts[0].PolicyName).To(Equal("hsp-kubearmor-dev-proc-path-block"))
+			Expect(alerts[0].Action).To(Equal("Block"))
+
+			// Execute a command that should not be blocked
+			out, err = ExecCommandHost([]string{"bash", "-c", "ls"})
+			Expect(err).To(BeNil())
+			Expect(out).NotTo(MatchRegexp(".*Permission denied"))
+		})
+
+		It("can block access to /etc/hostname file", func() {
+			// Apply the Host Security Policy
+			err := K8sApplyFile("manifests/hsp-kubearmor-dev-file-path-block.yaml")
+			Expect(err).To(BeNil())
+
+			// Start Kubearmor Logs
+			err = KarmorLogStart("policy", "", "File", "")
+			Expect(err).To(BeNil())
+
+			// Try to access the /etc/hostname file
+			out, err := ExecCommandHost([]string{"bash", "-c", "cat /etc/hostname"})
+			Expect(err).NotTo(BeNil())
+			fmt.Printf("---START---\n%s---END---\n", out)
+			Expect(out).To(MatchRegexp(".*Permission denied"))
+
+			// check policy violation alert
+			_, alerts, err := KarmorGetLogs(5*time.Second, 1)
+			Expect(err).To(BeNil())
+			Expect(len(alerts)).To(BeNumerically(">=", 1))
+			Expect(alerts[0].PolicyName).To(Equal("hsp-kubearmor-dev-file-path-block"))
+			Expect(alerts[0].Action).To(Equal("Block"))
+		})
+	})
+})
diff --git a/tests/k8s_env/hsp/manifests/hsp-kubearmor-dev-file-path-block.yaml b/tests/k8s_env/hsp/manifests/hsp-kubearmor-dev-file-path-block.yaml
@@ -0,0 +1,19 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorHostPolicy
+metadata:
+  name: hsp-kubearmor-dev-file-path-block
+spec:
+  nodeSelector:
+    matchLabels:
+      kubernetes.io/os: linux
+  severity: 5
+  file:
+    matchPaths:
+    - path: /etc/hostname
+  action:
+    Block
+
+
+# test
+# $ cat /etc/hostname
+# cat: /etc/hostname: Permission denied
diff --git a/tests/k8s_env/hsp/manifests/hsp-kubearmor-dev-proc-path-block.yaml b/tests/k8s_env/hsp/manifests/hsp-kubearmor-dev-proc-path-block.yaml
@@ -0,0 +1,24 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorHostPolicy
+metadata:
+  name: hsp-kubearmor-dev-proc-path-block
+spec:
+  nodeSelector:
+    matchLabels:
+      kubernetes.io/os: linux
+  severity: 5
+  process:
+    matchPaths:
+    - path: /bin/date
+    - path: /usr/bin/date
+
+  action:
+    Block
+
+# kubearmor-dev_test_04
+
+# test
+# $ bash -c date
+# bash: 1: date: Permission denied
+# $ bash -c ls
+# ls ...
diff --git a/tests/k8s_env/multicontainer/manifests/non-existent-container-block-ls.yaml b/tests/k8s_env/multicontainer/manifests/non-existent-container-block-ls.yaml
@@ -0,0 +1,17 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+  name: non-existent-container-block-ls
+  namespace: multicontainer
+spec:
+  severity: 5
+  selector:
+    matchLabels:
+      container: multicontainer
+      kubearmor.io/container.name: "[container-1, non-existent-container ]"
+  process:
+    matchPaths:
+    - path: /bin/ls
+      # ls
+  action:
+    Block
diff --git a/tests/k8s_env/multicontainer/multicontainer_test.go b/tests/k8s_env/multicontainer/multicontainer_test.go
@@ -172,6 +172,37 @@ var _ = Describe("Multicontainer", func() {
 			Expect(sout).NotTo(MatchRegexp(".*Permission denied"))
 
 		})
+
+		It("Can enforce on container-1 even if non-existent container is present in array", func() {
+			err := K8sDeploymentCheck("multicontainer-deployment", "multicontainer", 5*time.Minute)
+			Expect(err).To(BeNil())
+
+			err = K8sApply([]string{"manifests/non-existent-container-block-ls.yaml"})
+			Expect(err).To(BeNil())
+
+			err = KarmorLogStart("policy", "multicontainer", "Process", multicontainer)
+			Expect(err).To(BeNil())
+
+			// container-1 should not run ls
+			sout, _, err := K8sExecInPodWithContainer(multicontainer, "multicontainer", "container-1", []string{"bash", "-c", "ls"})
+			Expect(err).To(BeNil())
+			fmt.Printf("---START---\n%s---END---\n", sout)
+			Expect(sout).To(MatchRegexp(".*Permission denied"))
+
+			// check policy violation alert
+			_, alerts, err := KarmorGetLogs(10*time.Second, 1)
+			Expect(err).To(BeNil())
+			Expect(len(alerts)).To(BeNumerically(">=", 1))
+			Expect(alerts[0].PolicyName).To(Equal("non-existent-container-block-ls"))
+			Expect(alerts[0].Severity).To(Equal("5"))
+			Expect(alerts[0].ContainerName).To(Equal("container-1"))
+
+			// container-2 should run ls
+			sout, _, err = K8sExecInPodWithContainer(multicontainer, "multicontainer", "container-2", []string{"bash", "-c", "ls"})
+			Expect(err).To(BeNil())
+			fmt.Printf("---START---\n%s---END---\n", sout)
+			Expect(sout).NotTo(MatchRegexp(".*Permission denied"))
+		})
 	})
 
 })
diff --git a/tests/nonk8s_env/Makefile b/tests/nonk8s_env/Makefile
@@ -4,7 +4,7 @@
 .PHONY: build
 build:
 	@go mod tidy
-	@ginkgo -r --vv --flake-attempts=10 --timeout=30m
+	@ginkgo -r --vv --flake-attempts=10 --timeout=30m --coverpkg=github.com/kubearmor/KubeArmor/tests/...
 
 .PHONY: test
 test:

diff --git a/tests/nonk8s_env/hsp/hsp_suite_test.go b/tests/nonk8s_env/hsp/hsp_suite_test.go
@@ -0,0 +1,16 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2022 Authors of KubeArmor
+
+package hsp_test
+
+import (
+	"testing"
+
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+)
+
+func TestHsp(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Hsp Suite")
+}