Merge branch 'non-k8s-hsp-test' into main

navin772 · Jul 30, 2024 · 4e6a0c3 · 4e6a0c3
2 parents c479a8e + d431319
commit 4e6a0c3
Show file tree

Hide file tree

Showing 45 changed files with 1,946 additions and 34 deletions.
diff --git a/.github/workflows/ci-coverage.yaml b/.github/workflows/ci-coverage.yaml
diff --git a/.github/workflows/ci-test-docker.yaml b/.github/workflows/ci-test-docker.yaml
@@ -0,0 +1,74 @@
+name: ci-test-docker
+
+on:
+  push:
+    branches: [main, non-k8s-hsp-test]
+    paths:
+      - "KubeArmor/**"
+      - ".github/workflows/ci-test-docker.yaml"
+      - "!STABLE-RELEASE"
+      - "tests/nonk8s_env/**"
+
+jobs:
+  build-and-run:
+    name: Build KubeArmor artifacts and run tests / ${{ matrix.os }}
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest]
+    timeout-minutes: 60
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          submodules: true
+
+      - uses: actions/setup-go@v5
+        with:
+          go-version-file: 'KubeArmor/go.mod'
+
+      - name: Install the latest LLVM toolchain
+        run: ./.github/workflows/install-llvm.sh
+
+      - name: Compile libbpf
+        run: ./.github/workflows/install-libbpf.sh
+
+      - name: Generate KubeArmor artifacts
+        run: |
+          GITHUB_SHA=$GITHUB_SHA ./KubeArmor/build/build_kubearmor.sh
+
+      # - name: Run KubeArmor init container
+      #   run: |
+      #     docker run --name kubearmor-init -v /tmp/:/opt/kubearmor/BPF kubearmor/kubearmor-init
+
+      # - name: Run KubeArmor container
+      #   run: |
+      #     docker run -d --name kubearmor --privileged --pid host -p 32767:32767 \
+      #     -v /tmp/:/opt/kubearmor/BPF \
+      #     -v /sys/fs/bpf:/sys/fs/bpf \
+      #     -v /sys/kernel/security:/sys/kernel/security \
+      #     -v /sys/kernel/debug:/sys/kernel/debug \
+      #     -v /var/run/docker.sock:/var/run/docker.sock \
+      #     -v /var/lib/docker:/var/lib/docker \
+      #     -v /etc/apparmor.d:/etc/apparmor.d \
+      #     kubearmor/kubearmor -k8s=false -enableKubeArmorHostPolicy
+
+      - name: Run KubeArmor with docker-compose
+        run: |
+          docker-compose -f docker-compose.yaml up -d
+
+      - name: Test KubeArmor using Ginkgo
+        run: |
+          go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo
+          make
+        working-directory: ./tests/nonk8s_env
+        timeout-minutes: 30
+
+      - name: Archive log artifacts
+        if: ${{ failure() }}
+        uses: actions/upload-artifact@v3
+        with:
+          name: kubearmor.logs
+          path: |
+            /tmp/kubearmor/
+            /tmp/kubearmor.*
diff --git a/.github/workflows/ci-test-ginkgo.yml b/.github/workflows/ci-test-ginkgo.yml
@@ -2,7 +2,7 @@ name: ci-test-ginkgo
 
 on:
   push:
-    branches: [main]
+    branches: [main, non-k8s-hsp-test]
     paths:
       - "KubeArmor/**"
       - "tests/**"
@@ -95,6 +95,9 @@ jobs:
           kubectl wait --timeout=1m --for=condition=ready pod -l kubearmor-app=kubearmor-controller -n kubearmor
           kubectl get pods -A
 
+      - name: Add KubeArmor host visibility
+        run: ./.github/workflows/host-visibility.sh    
+
       - name: Test KubeArmor using Ginkgo
         run: |
           go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo
@@ -131,4 +134,4 @@ jobs:
       - uses: codecov/codecov-action@v3
         if: ${{ always() }}
         with:
-          files: ./KubeArmor/gover.coverprofile
+          files: ./KubeArmor/gover.coverprofile
diff --git a/.github/workflows/ci-test-systemd.yml b/.github/workflows/ci-test-systemd.yml
@@ -2,7 +2,7 @@ name: ci-test-systemd
 
 on:
   push:
-    branches: [main]
+    branches: [main, non-k8s-hsp-test]
     paths:
       - "KubeArmor/**"
       - "tests/**"

diff --git a/.github/workflows/host-visibility.sh b/.github/workflows/host-visibility.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+DAEMONSET_NAME=$(kubectl get daemonset -n kubearmor -o jsonpath='{.items[0].metadata.name}')
+
+kubectl patch daemonset $DAEMONSET_NAME -n kubearmor --type='json' -p='[
+            {
+              "op": "add",
+              "path": "/spec/template/spec/containers/0/args/-",
+              "value": "-enableKubeArmorHostPolicy"
+            }
+          ]'
+
+sleep 16
+
+# Apply annotations to the node
+NODE_NAME=$(kubectl get nodes -o=jsonpath='{.items[0].metadata.name}')
+kubectl annotate node $NODE_NAME "kubearmorvisibility=process,file,network,capabilities"
+kubectl get no -o wide
diff --git a/.github/workflows/install-k3s.sh b/.github/workflows/install-k3s.sh
@@ -1,6 +1,8 @@
 #!/bin/bash
 # SPDX-License-Identifier: Apache-2.0
 # Copyright 2021 Authors of KubeArmor
+# Set the hostname
+# sudo hostnamectl set-hostname kubearmor-dev
 
 echo "RUNTIME="$RUNTIME
 
@@ -15,3 +17,5 @@ if [ "$RUNTIME" == "crio" ]; then
 fi
 
 ./contribution/k3s/install_k3s.sh
+
+kubectl get no -o wide
diff --git a/Dockerfile b/Dockerfile
@@ -38,6 +38,12 @@ COPY ./KubeArmor/BPF .
 
 RUN make
 
+### Builder test
+
+FROM builder as builder-test
+WORKDIR /usr/src/KubeArmor/KubeArmor
+RUN go test -covermode=atomic -coverpkg=./... -c . -o kubearmor-test
+
 ### Make executable image
 
 FROM alpine:3.20 as kubearmor
@@ -53,6 +59,11 @@ COPY --from=builder /usr/src/KubeArmor/KubeArmor/templates/* /KubeArmor/template
 
 ENTRYPOINT ["/KubeArmor/kubearmor"]
 
+FROM kubearmor as kubearmor-test
+COPY --from=builder-test /usr/src/KubeArmor/KubeArmor/kubearmor-test /KubeArmor/kubearmor-test
+
+ENTRYPOINT ["/KubeArmor/kubearmor-test"]
+
 ### TODO ###
 
 ### build apparmor_parser binary

diff --git a/KubeArmor/build/build_kubearmor.sh b/KubeArmor/build/build_kubearmor.sh
@@ -44,6 +44,35 @@ echo "[INFO] Removed existing $REPO images"
 unset LABEL
 [[ "$GITHUB_SHA" != "" ]] && LABEL="--label github_sha=$GITHUB_SHA"
 
+# set the $IS_COVERAGE env var to 'true' to build the kubearmor-test image for coverage calculation
+if [[ "$IS_COVERAGE" == "true" ]]; then
+    REPO="kubearmor/kubearmor-test"
+
+    # build a kubearmor-test image
+    DTAG="-t $REPO:$VERSION"
+    echo "[INFO] Building $DTAG"
+    cd $ARMOR_HOME/..; docker build $DTAG -f Dockerfile --target kubearmor-test . $LABEL
+
+    if [ $? != 0 ]; then
+        echo "[FAILED] Failed to build $REPO:$VERSION"
+        exit 1
+    fi
+    echo "[PASSED] Built $REPO:$VERSION"
+
+    # build a kubearmor-test-init image
+    DTAGINI="-t $REPO-init:$VERSION"
+    echo "[INFO] Building $DTAGINI"
+    cd $ARMOR_HOME/..; docker build $DTAGINI -f Dockerfile.init --build-arg VERSION=$VERSION --target kubearmor-init . $LABEL
+
+    if [ $? != 0 ]; then
+        echo "[FAILED] Failed to build $REPO-init:$VERSION"
+        exit 1
+    fi
+    echo "[PASSED] Built $REPO-init:$VERSION"
+
+    exit 0
+fi
+
 # build a kubearmor image
 DTAG="-t $REPO:$VERSION"
 echo "[INFO] Building $DTAG"

diff --git a/KubeArmor/main_test.go b/KubeArmor/main_test.go
@@ -5,18 +5,19 @@ package main
 
 import (
 	"flag"
+	"fmt"
 	"os"
 	"strconv"
 	"testing"
 )
 
 var clusterPtr, gRPCPtr, logPathPtr *string
-var enableKubeArmorPolicyPtr, enableKubeArmorHostPolicyPtr, enableKubeArmorVMPtr, coverageTestPtr *bool
+var enableKubeArmorPolicyPtr, enableKubeArmorHostPolicyPtr, enableKubeArmorVMPtr, coverageTestPtr, enableK8sEnv, tlsEnabled *bool
 var defaultFilePosturePtr, defaultCapabilitiesPosturePtr, defaultNetworkPosturePtr, hostDefaultCapabilitiesPosturePtr, hostDefaultNetworkPosturePtr, hostDefaultFilePosturePtr *string
 
 func init() {
 	// options (string)
-	clusterPtr = flag.String("cluster", "", "cluster name")
+	clusterPtr = flag.String("cluster", "default", "cluster name")
 
 	// options (string)
 	gRPCPtr = flag.String("gRPC", "32767", "gRPC port number")
@@ -36,27 +37,34 @@ func init() {
 	enableKubeArmorHostPolicyPtr = flag.Bool("enableKubeArmorHostPolicy", true, "enabling KubeArmorHostPolicy")
 	enableKubeArmorVMPtr = flag.Bool("enableKubeArmorVm", false, "enabling KubeArmorVM")
 
+	enableK8sEnv = flag.Bool("k8s", true, "is k8s env?")
+	tlsEnabled = flag.Bool("tlsEnabled", false, "enable tls for secure connection?")
+
 	// options (boolean)
-	coverageTestPtr = flag.Bool("coverageTest", true, "enabling CoverageTest")
+	coverageTestPtr = flag.Bool("coverageTest", false, "enabling CoverageTest")
 }
 
 // TestMain - test to drive external testing coverage
 func TestMain(t *testing.T) {
 	// Reset Test Flags before executing main
 	flag.CommandLine = flag.NewFlagSet(os.Args[0], flag.ExitOnError)
 
-	// Set os args to set flags in main
-	os.Args = []string{"cmd", "--cluster", *clusterPtr, "--gRPC", *gRPCPtr, "--logPath", *logPathPtr,
-		"--defaultFilePosture", *defaultFilePosturePtr,
-		"--defaultNetworkPosture", *defaultNetworkPosturePtr,
-		"--defaultCapabilitiesPosture", *defaultCapabilitiesPosturePtr,
-		"--hostDefaultFilePosture", *hostDefaultFilePosturePtr,
-		"--hostDefaultNetworkPosture", *hostDefaultNetworkPosturePtr,
-		"--hostDefaultCapabilitiesPosture", *hostDefaultCapabilitiesPosturePtr,
-		"--enableKubeArmorPolicy", strconv.FormatBool(*enableKubeArmorPolicyPtr),
-		"--enableKubeArmorHostPolicy", strconv.FormatBool(*enableKubeArmorHostPolicyPtr),
-		"--enableKubeArmorVm", strconv.FormatBool(*enableKubeArmorVMPtr),
-		"--coverageTest", strconv.FormatBool(*coverageTestPtr)}
+	os.Args = []string{
+		fmt.Sprintf("-cluster=%s", *clusterPtr),
+		fmt.Sprintf("-gRPC=%s", *gRPCPtr),
+		fmt.Sprintf("-logPath=%s", *logPathPtr),
+		fmt.Sprintf("-defaultFilePosture=%s", *defaultFilePosturePtr),
+		fmt.Sprintf("-defaultNetworkPosture=%s", *defaultNetworkPosturePtr),
+		fmt.Sprintf("-defaultCapabilitiesPosture=%s", *defaultCapabilitiesPosturePtr),
+		fmt.Sprintf("-hostDefaultFilePosture=%s", *hostDefaultFilePosturePtr),
+		fmt.Sprintf("-hostDefaultNetworkPosture=%s", *hostDefaultNetworkPosturePtr),
+		fmt.Sprintf("-hostDefaultCapabilitiesPosture=%s", *hostDefaultCapabilitiesPosturePtr),
+		fmt.Sprintf("-k8s=%s", strconv.FormatBool(*enableK8sEnv)),
+		fmt.Sprintf("-enableKubeArmorPolicy=%s", strconv.FormatBool(*enableKubeArmorPolicyPtr)),
+		fmt.Sprintf("-enableKubeArmorHostPolicy=%s", strconv.FormatBool(*enableKubeArmorHostPolicyPtr)),
+		fmt.Sprintf("-coverageTest=%s", strconv.FormatBool(*coverageTestPtr)),
+		fmt.Sprintf("-tlsEnabled=%s", strconv.FormatBool(*tlsEnabled)),
+	}
 
 	t.Log("[INFO] Executed KubeArmor")
 	main()

diff --git a/codecov.yml b/codecov.yml
@@ -0,0 +1,27 @@
+coverage:
+  status:
+    project:
+      default:
+        target: auto
+        threshold: 5%
+        base: auto
+
+ignore:
+  - "KubeArmor/enforcer/SELinuxEnforcer.go"
+  - "KubeArmor/enforcer/SELinuxEnforcer_test.go"
+  - "KubeArmor/enforcer/SELinuxHostProfile.go"
+  - "KubeArmor/kvmAgent"
+  - "KubeArmor/state"
+
+comment:
+  layout: "reach, diff, flags, files"
+  behavior: default
+  require_changes: true
+
+parsers:
+  gcov:
+    branch_detection:
+      conditional: yes
+      loop: yes
+      method: no
+      macro: no
diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -0,0 +1,24 @@
+services:
+  kubearmor-init:
+    image: kubearmor/kubearmor-init:stable
+    volumes:
+      - /tmp/:/opt/kubearmor/BPF
+
+  kubearmor:
+    image: kubearmor/kubearmor:latest
+    depends_on:
+      kubearmor-init:
+        condition: service_completed_successfully
+    privileged: true
+    command: ["-k8s=false", "-enableKubeArmorHostPolicy"]
+    pid: "host"
+    ports:
+      - "32767:32767"
+    volumes:
+      - /tmp/:/opt/kubearmor/BPF
+      - /sys/fs/bpf:/sys/fs/bpf
+      - /sys/kernel/security:/sys/kernel/security
+      - /sys/kernel/debug:/sys/kernel/debug
+      - /var/run/docker.sock:/var/run/docker.sock
+      - /var/lib/docker:/var/lib/docker
+      - /etc/apparmor.d:/etc/apparmor.d
diff --git a/pkg/KubeArmorOperator/config/samples/kubearmor-coverage.yaml b/pkg/KubeArmorOperator/config/samples/kubearmor-coverage.yaml
@@ -0,0 +1,30 @@
+apiVersion: operator.kubearmor.com/v1
+kind: KubeArmorConfig
+metadata:
+  labels:
+    app.kubernetes.io/name: kubearmorconfig
+    app.kubernetes.io/instance: kubearmorconfig-sample
+    app.kubernetes.io/part-of: kubearmoroperator
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/created-by: kubearmoroperator
+  name: kubearmorconfig-test
+  namespace: kubearmor
+spec:
+  defaultCapabilitiesPosture: block
+  defaultFilePosture: block
+  defaultNetworkPosture: block
+  defaultVisibility: process,file,network,capabilities
+  seccompEnabled: false
+  kubearmorImage:
+    image: kubearmor/kubearmor-test:latest
+    imagePullPolicy: Never
+  kubearmorInitImage:
+    image: kubearmor/kubearmor-test-init:latest
+    imagePullPolicy: Never
+  kubearmorRelayImage:
+    image: kubearmor/kubearmor-relay-server:latest
+    imagePullPolicy: Always
+  kubearmorControllerImage:
+    image: kubearmor/kubearmor-controller:latest
+    imagePullPolicy: Always
+
diff --git a/tests/go.sum b/tests/go.sum
@@ -251,7 +251,6 @@ github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
-github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=

diff --git a/tests/k8s_env/Makefile b/tests/k8s_env/Makefile
@@ -7,7 +7,7 @@ build:
 	# run in two steps as syscall suite fails if run at the very end
 	# see - https://github.com/kubearmor/KubeArmor/issues/1269
 	@ginkgo --vv --flake-attempts=10 --timeout=10m syscalls/
-	@ginkgo -r --vv --flake-attempts=10 --timeout=30m --skip-package "syscalls"
+	@ginkgo -r --vv --flake-attempts=10 --timeout=30m --skip-package "syscalls" 
 .PHONY: test
 test:
 	@ginkgo -r -v