Testing Guide

Testing Guide

There are two ways to check the functionalities of KubeArmor: 1) testing KubeArmor manually and 2) using the testing framework.

0. Make sure that the annotation controller is installed on the cluster (Applicable for Steps 1 and 2)

  • To install the controller from KubeArmor docker repository to your cluster run
$ cd KubeArmor/pkg/KubeArmorAnnotation
~/KubeArmor/pkg/KubeArmorAnnotation$ make deploy
  • To install the controller (local version) to your cluster run
$ cd KubeArmor/pkg/KubeArmorAnnotation
~/KubeArmor/pkg/KubeArmorAnnotation$ make docker-build deploy

1. Test KubeArmor manually

1.1. Run 'kubectl proxy' in background

$ kubectl proxy &

1.2. Compile KubeArmor

$ cd KubeArmor/KubeArmor
~/KubeArmor/KubeArmor$ make clean && make

1.3. Run KubeArmor

~/KubeArmor/KubeArmor$ sudo -E ./kubearmor -gRPC=[gRPC port number]
-logPath=[log file path]

1.4. Apply security policies into Kubernetes

Beforehand, check if the KubeArmorPolicy and KubeArmorHostPolicy CRDs are already applied.
$ kubectl explain KubeArmorPolicy
If they are still not applied, do so.
$ kubectl apply -f ~/KubeArmor/deployments/CRD/
Now you can apply specific policies.
$ kubectl apply -f [policy file]
You can refer to security policies defined for example microservices in examples.

1.5. Trigger policy violations to generate alerts

$ kubectl -n [namespace name] exec -it [pod name] -- bash -c [command]

1.6. Check generated alerts

  • Watch alerts using karmor cli tool
    $ karmor log [flags]
    --gRPC string gRPC server information
    --help help for log
    --json Flag to print alerts and logs in the JSON format
    --logFilter string What kinds of alerts and logs to receive, {policy|system|all} (default "policy")
    --logPath string Output location for alerts and logs, {path|stdout|none} (default "stdout")
    --msgPath string Output location for messages, {path|stdout|none} (default "none")
    Note that you will see alerts and logs generated right after karmor runs logs; thus, we recommend to run the above command in other terminal to see logs live.

2. Test KubeArmor using the auto-testing framework

2.1. Prepare microservices and test scenarios

The auto-testing framework operates based on two things: microservices and test scenarios for each microservice.
  • Microservices
    Create a directory for a microservice in microservices
    $ cd KubeArmor/tests/microservices
    ~/KubeArmor/tests/microservices$ mkdir [microservice name]
    Then, create YAML files for the microservice
    $ cd KubeArmor/tests/microservices/[microservice name]
    ~/KubeArmor/tests/microservices/[microservice name]$ ...
    As an example, we created 'multiubuntu' in microservices and defined 'multiubuntu-deployment.yaml' in multiubuntu.
  • Test scenarios
    Create a directory whose name is like '[microservice name]_[scenario name]' in scenarios
    $ cd KubeArmor/tests/scenarios
    ~/KubeArmor/tests/scenarios$ mkdir [microservice name]_[scenario name]
    Then, define a YAML file for a test policy in the directory
    ~/KubeArmor/tests/scenarios$ cd [microservice name]_[scenario name]
    .../[microservice name]_[scenario name]$ vi [policy name].yaml
    Create cmd files whose names are like 'cmd#'
    .../[microservice name]_[scenario name]$ vi cmd1 / cmd2 / ...
    Here is a template for a cmd file.
    source: [pod name]
    cmd: [command to trigger a policy violation]
    result: [expected result], { passed | failed }
    operation: [operation], { Process | File | Network }
    condition: [matching string]
    action: [action in a policy] { Allow | Audit | Block }
    This is a cmd example of a test scenario.
    source: ubuntu-1-deployment
    cmd: sleep 1
    result: failed
    operation: Process
    condition: sleep
    action: Block
    You can refer to predefined testcases in scenarios.

2.2. Test KubeArmor

  • The case that KubeArmor is directly running in a host
    Compile KubeArmor
    $ cd KubeArmor/KubeArmor
    ~/KubeArmor/KubeArmor$ make clean && make
    Run the auto-testing framework
    $ cd KubeArmor/tests
    ~/KubeArmor/tests$ ./test-scenarios-local.sh
    Check the test report
    ~/KubeArmor/tests$ cat /tmp/kubearmor.test
  • The case that KubeArmor is running as a daemonset in Kubernetes
    Run the testing framework
    $ cd KubeArmor/tests
    ~/KubeArmor/tests$ ./test-scenarios-in-runtime.sh
    Check the test report
    ~/KubeArmor/tests$ cat /tmp/kubearmor.test