Testing Guide
There are two ways to check the functionalities of KubeArmor: 1) testing KubeArmor manually and 2) using the testing framework.
- To install the controller from KubeArmor docker repository to your cluster run
$ cd KubeArmor/pkg/KubeArmorAnnotation
~/KubeArmor/pkg/KubeArmorAnnotation$ make deploy
- To install the controller (local version) to your cluster run
$ cd KubeArmor/pkg/KubeArmorAnnotation
~/KubeArmor/pkg/KubeArmorAnnotation$ make docker-build deploy
$ kubectl proxy &
$ cd KubeArmor/KubeArmor
~/KubeArmor/KubeArmor$ make clean && make
~/KubeArmor/KubeArmor$ sudo -E ./kubearmor -gRPC=[gRPC port number]
-logPath=[log file path]
-enableKubeArmorPolicy=[true|false]
-enableKubeArmorHostPolicy=[true|false]
Beforehand, check if the KubeArmorPolicy and KubeArmorHostPolicy CRDs are already applied.
$ kubectl explain KubeArmorPolicy
If they are still not applied, do so.
$ kubectl apply -f ~/KubeArmor/deployments/CRD/
Now you can apply specific policies.
$ kubectl apply -f [policy file]
$ kubectl -n [namespace name] exec -it [pod name] -- bash -c [command]
- $ karmor log [flags]flags:--gRPC string gRPC server information--help help for log--json Flag to print alerts and logs in the JSON format--logFilter string What kinds of alerts and logs to receive, {policy|system|all} (default "policy")--logPath string Output location for alerts and logs, {path|stdout|none} (default "stdout")--msgPath string Output location for messages, {path|stdout|none} (default "none")Note that you will see alerts and logs generated right after
karmor
runs logs; thus, we recommend to run the above command in other terminal to see logs live.
The auto-testing framework operates based on two things: microservices and test scenarios for each microservice.
- Microservices$ cd KubeArmor/tests/microservices~/KubeArmor/tests/microservices$ mkdir [microservice name]Then, create YAML files for the microservice$ cd KubeArmor/tests/microservices/[microservice name]~/KubeArmor/tests/microservices/[microservice name]$ ...As an example, we created 'multiubuntu' in microservices and defined 'multiubuntu-deployment.yaml' in multiubuntu.
- Test scenarios$ cd KubeArmor/tests/scenarios~/KubeArmor/tests/scenarios$ mkdir [microservice name]_[scenario name]Then, define a YAML file for a test policy in the directory~/KubeArmor/tests/scenarios$ cd [microservice name]_[scenario name].../[microservice name]_[scenario name]$ vi [policy name].yamlCreate cmd files whose names are like 'cmd#'.../[microservice name]_[scenario name]$ vi cmd1 / cmd2 / ...Here is a template for a cmd file.source: [pod name]cmd: [command to trigger a policy violation]result: [expected result], { passed | failed }---operation: [operation], { Process | File | Network }condition: [matching string]action: [action in a policy] { Allow | Audit | Block }This is a cmd example of a test scenario.source: ubuntu-1-deploymentcmd: sleep 1result: failed---operation: Processcondition: sleepaction: Block
- The case that KubeArmor is directly running in a hostCompile KubeArmor$ cd KubeArmor/KubeArmor~/KubeArmor/KubeArmor$ make clean && makeRun the auto-testing framework$ cd KubeArmor/tests~/KubeArmor/tests$ ./test-scenarios-local.shCheck the test report~/KubeArmor/tests$ cat /tmp/kubearmor.test
- The case that KubeArmor is running as a daemonset in KubernetesRun the testing framework$ cd KubeArmor/tests~/KubeArmor/tests$ ./test-scenarios-in-runtime.shCheck the test report~/KubeArmor/tests$ cat /tmp/kubearmor.test
Last modified 10mo ago