Testing Guide


Last updated 1 month ago


There are two ways to check the functionalities of KubeArmor: 1) testing KubeArmor manually and 2) using the testing framework.

0. Make sure Kubernetes cluster is running

Although there are many ways to run a Kubernetes cluster (like minikube or kind), they will not work with a locally developed KubeArmor. KubeArmor needs to run on the same node as the Kubernetes nodes, and because minikube and kind use virtualized nodes, a KubeArmor running locally will not identify your node. You would either need to build your images and deploy them into these clusters, or you can simply use k3s or kubeadm for development purposes. If you are new to these terms, the easiest way to do this is by following the K3s installation guide.

0.1. First, run 'kubectl proxy' in the background

$ kubectl proxy &

0.2. Now run KubeArmor

~/KubeArmor/KubeArmor$ make run

1. Test KubeArmor manually

1.1. Run 'kubectl proxy' in background

$ kubectl proxy &

1.2. Compile KubeArmor

$ cd KubeArmor/KubeArmor
~/KubeArmor/KubeArmor$ make clean && make

1.3. Run KubeArmor

~/KubeArmor/KubeArmor$ sudo -E ./kubearmor -gRPC=[gRPC port number]
                                           -logPath=[log file path]
                                           -enableKubeArmorPolicy=[true|false]
                                           -enableKubeArmorHostPolicy=[true|false]

1.4. Apply security policies into Kubernetes

Beforehand, check if the KubeArmorPolicy and KubeArmorHostPolicy CRDs are already applied.

$ kubectl explain KubeArmorPolicy

If they are not applied yet, apply them.

$ kubectl apply -f ~/KubeArmor/deployments/CRD/

Now you can apply specific policies.

$ kubectl apply -f [policy file]

1.5. Trigger policy violations to generate alerts

$ kubectl -n [namespace name] exec -it [pod name] -- bash -c [command]

1.6. Check generated alerts

  • Watch alerts using the karmor cli tool

    $ karmor log [flags]

    flags:

    --gRPC string        gRPC server information
    --help               help for log
    --json               Flag to print alerts and logs in the JSON format
    --logFilter string   What kinds of alerts and logs to receive, {policy|system|all} (default "policy")
    --logPath string     Output location for alerts and logs, {path|stdout|none} (default "stdout")
    --msgPath string     Output location for messages, {path|stdout|none} (default "none")

    Note that you will see only the alerts and logs generated after karmor starts running; thus, we recommend running the above command in another terminal to see logs live.
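One way to turn steps 1.4 to 1.6 into a pass/fail check is to save the karmor output with --json and --logPath=[file] and confirm that the policy you applied produced the alert you triggered. This is an added example, not part of the KubeArmor documentation or code base; the policy names, the sample output and the alert field names (Type, PolicyName, NamespaceName, Operation, Resource, Action, Result) are assumptions.

```python
import json

# Constructed sample of saved `karmor log --json --logFilter=all` output (not a real
# capture). The field names are assumptions about KubeArmor's alert JSON.
SAMPLE_OUTPUT = """\
(constructed non-JSON status line printed before the stream starts)
{"Type":"ContainerLog","NamespaceName":"demo","PodName":"ubuntu-1","Operation":"Process","Resource":"/bin/sleep 1","Result":"Permission denied"}
{"Type":"MatchedPolicy","PolicyName":"ksp-audit-passwd","NamespaceName":"demo","PodName":"ubuntu-1","Operation":"File","Resource":"/etc/passwd","Action":"Audit","Result":"Passed"}
{"Type":"MatchedPolicy","PolicyName":"ksp-block-sleep","NamespaceName":"demo","PodName":"ubuntu-1","Operation":"Process","Resource":"/bin/sleep 1","Action":"Block","Result":"Permission denied"}
{"Type":"MatchedPolicy","PolicyName":"ksp-block-sleep","Namesp
"""


def parse_events(text):
    """Return the JSON objects in karmor output, skipping blank and non-JSON lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # truncated line, e.g. the file was copied mid-write
    return events


def policy_alerts(text, policy, namespace):
    """Alerts raised by one policy in one namespace; plain system logs are excluded."""
    return [e for e in parse_events(text)
            if e.get("Type") == "MatchedPolicy"
            and e.get("PolicyName") == policy
            and e.get("NamespaceName") == namespace]


def check_violation(text, policy, namespace, operation, resource, action="Block"):
    """Return (ok, detail): did the step 1.5 command raise the expected alert?"""
    alerts = policy_alerts(text, policy, namespace)
    if not alerts:
        return False, "no alert from policy %s in %s" % (policy, namespace)
    for a in alerts:
        # Resource carries the command line; compare only the executable or file path.
        if (a.get("Operation") == operation and a.get("Action") == action
                and a.get("Resource", "").split(" ")[0] == resource):
            return True, a.get("Result", "")
    return False, "policy matched, but not as %s %s on %s" % (action, operation, resource)
```

A system log entry for the same command does not count as an alert here, so a policy that was never applied fails the check even when the command itself was denied.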

2. Test KubeArmor using the auto-testing framework

  • When KubeArmor is running directly on a host

    Compile KubeArmor

    $ cd KubeArmor/KubeArmor
    ~/KubeArmor/KubeArmor$ make clean && make

    Run the auto-testing framework

    $ cd KubeArmor/tests
    ~/KubeArmor/tests$ ./test-scenarios-local.sh

    Check the test report

    ~/KubeArmor/tests$ cat /tmp/kubearmor.test
  • When KubeArmor is running as a DaemonSet in Kubernetes

    Run the testing framework

    $ cd KubeArmor/tests
    ~/KubeArmor/tests$ ./test-scenarios-in-runtime.sh

    Check the test report

    ~/KubeArmor/tests$ cat /tmp/kubearmor.test
  • To run a specific suite of tests, move to the directory of that test and run

    ~/KubeArmor/tests/test_directory$ ginkgo --focus "Suit_Name"

You can refer to security policies defined for example microservices in examples.