fix 2
Signed-off-by: Prateek Nandle <[email protected]>
Prateeknandle committed Apr 30, 2024
1 parent 31753cc commit d9eb6a5
Showing 5 changed files with 352 additions and 69 deletions.
138 changes: 69 additions & 69 deletions tests/k8s_env/smoke/smoke_test.go
Expand Up @@ -331,73 +331,73 @@ var _ = Describe("Smoke", func() {
Expect(alerts[0].Result).To(Equal("Passed"))
})
})
Describe("Alert Throttling", func() {

It("enabled with new throttling conditions", func() {
// enable throttling and change throttling condition using configmap
cm := NewDefaultConfigMapData()
cm.AlertThrottling = "true"
cm.MaxAlertPerSec = "2"
cm.ThrottleSec = "500"
cm.Visibility = "process,network"
err := cm.CreateKAConfigMap() // will create a configMap with new throttling condition
Expect(err).To(BeNil())

// Apply policy
err = K8sApplyFile("res/ksp-wordpress-block-process.yaml")
Expect(err).To(BeNil())

// Start Kubearmor Logs
err = KarmorLogStart("all", "wordpress-mysql", "AlertThreshold", wp)
Expect(err).To(BeNil())

// wait for policy creation
time.Sleep(5 * time.Second)

sout, _, err := K8sExecInPod(wp, "wordpress-mysql",
[]string{"bash", "-c", "count=0; while [ $count -lt 5 ]; do apt update; count=$((count + 1)); done;"})
Expect(err).To(BeNil())
fmt.Printf("OUTPUT: %s\n", sout)
Expect(sout).To(MatchRegexp("apt.*Permission denied"))

// check policy violation alert
_, alerts, err := KarmorGetLogs(5*time.Second, 1)
Expect(err).To(BeNil())
fmt.Printf("throttling alert :%v\n", alerts)
Expect(alerts[0].Type).To(Equal("SystemEvent"))
Expect(alerts[0].Operation).To(Equal("AlertThreshold"))
Expect(alerts[0].MaxAlertsPerSec).To(Equal(2))
Expect(alerts[0].DroppingAlertsInterval).To(Equal(500))

// should get an throttling alert
// check policy violation alert

// target := protobuf.Alert{
// NamespaceName: "wordpress-mysql",
// Operation: "AlertThreshold",
// Type: "SystemEvent",
// MaxAlertsPerSec: 2,
// DroppingAlertsInterval: 360,
// }

// res, err := KarmorGetTargetAlert(5*time.Second, &target)
// Expect(err).To(BeNil())
// Expect(res.Found).To(BeTrue())

// _, alerts, err := KarmorGetLogs(5*time.Second, 1)
// Expect(err).To(BeNil())
// Expect(len(alerts)).To(BeNumerically("==", 3))

// check for throttling, alerts should not be genrated
// sout, _, err = K8sExecInPod(wp, "wordpress-mysql",
// []string{"bash", "-c", "apt update"})
// Expect(err).To(BeNil())
// fmt.Printf("---START---\n%s---END---\n", sout)
// Expect(sout).To(MatchRegexp("apt.*Permission denied"))

// _, alerts, err = KarmorGetLogs(5*time.Second, 1)
// Expect(err).To(BeNil())
// Expect(len(alerts)).To(BeNumerically("==", 0))
})
})
// Describe("Alert Throttling", func() {

// It("enabled with new throttling conditions", func() {
// // enable throttling and change throttling condition using configmap
// cm := NewDefaultConfigMapData()
// cm.AlertThrottling = "true"
// cm.MaxAlertPerSec = "2"
// cm.ThrottleSec = "500"
// cm.Visibility = "process,network"
// err := cm.CreateKAConfigMap() // will create a configMap with new throttling condition
// Expect(err).To(BeNil())

// // Apply policy
// err = K8sApplyFile("res/ksp-wordpress-block-process.yaml")
// Expect(err).To(BeNil())

// // Start Kubearmor Logs
// err = KarmorLogStart("all", "wordpress-mysql", "AlertThreshold", wp)
// Expect(err).To(BeNil())

// // wait for policy creation
// time.Sleep(5 * time.Second)

// sout, _, err := K8sExecInPod(wp, "wordpress-mysql",
// []string{"bash", "-c", "count=0; while [ $count -lt 5 ]; do apt update; count=$((count + 1)); done;"})
// Expect(err).To(BeNil())
// fmt.Printf("OUTPUT: %s\n", sout)
// Expect(sout).To(MatchRegexp("apt.*Permission denied"))

// // check policy violation alert
// _, alerts, err := KarmorGetLogs(5*time.Second, 1)
// Expect(err).To(BeNil())
// fmt.Printf("throttling alert :%v\n", alerts)
// Expect(alerts[0].Type).To(Equal("SystemEvent"))
// Expect(alerts[0].Operation).To(Equal("AlertThreshold"))
// Expect(alerts[0].MaxAlertsPerSec).To(Equal(2))
// Expect(alerts[0].DroppingAlertsInterval).To(Equal(500))

// // should get an throttling alert
// // check policy violation alert

// // target := protobuf.Alert{
// // NamespaceName: "wordpress-mysql",
// // Operation: "AlertThreshold",
// // Type: "SystemEvent",
// // MaxAlertsPerSec: 2,
// // DroppingAlertsInterval: 360,
// // }

// // res, err := KarmorGetTargetAlert(5*time.Second, &target)
// // Expect(err).To(BeNil())
// // Expect(res.Found).To(BeTrue())

// // _, alerts, err := KarmorGetLogs(5*time.Second, 1)
// // Expect(err).To(BeNil())
// // Expect(len(alerts)).To(BeNumerically("==", 3))

// // check for throttling, alerts should not be genrated
// // sout, _, err = K8sExecInPod(wp, "wordpress-mysql",
// // []string{"bash", "-c", "apt update"})
// // Expect(err).To(BeNil())
// // fmt.Printf("---START---\n%s---END---\n", sout)
// // Expect(sout).To(MatchRegexp("apt.*Permission denied"))

// // _, alerts, err = KarmorGetLogs(5*time.Second, 1)
// // Expect(err).To(BeNil())
// // Expect(len(alerts)).To(BeNumerically("==", 0))
// })
// })
})
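Review bot: The "Alert Throttling" spec in smoke_test.go looks to be disabled by prefixing every line with `//` rather than being removed, which leaves roughly 69 lines of dead test code, including an inner block that was already commented out and is now double-commented. If the spec has moved to the new tests/k8s_env/throttling suite (its spec file is not shown on this page), delete it here; if it is only parked, mark it pending with `PDescribe("Alert Throttling", func() {` plus a one-line reason so the test report shows it as skipped. Either way, confirm that the `AlertThreshold` assertions (`MaxAlertsPerSec` 2, `DroppingAlertsInterval` 500) still run somewhere in CI, since this was the only visible check that throttling emits its SystemEvent alert. The enclosing `Describe("Smoke", ...)` starts outside the hunk.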
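--- a/tests/k8s_env/throttling/res/ksp-wordpress-block-process.yaml
+++ b/tests/k8s_env/throttling/res/ksp-wordpress-block-process.yaml
@@ -0,0 +1,20 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+name: ksp-wordpress-block-process
+namespace: wordpress-mysql
+spec:
+severity: 3
+selector:
+matchLabels:
+app: wordpress
+process:
+matchPaths:
+- path: /usr/bin/apt
+- path: /usr/bin/apt-get
+
+# apt update
+# apt-get update
+
+action:
+Block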
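--- a/tests/k8s_env/throttling/res/wordpress-mysql-deployment.yaml
+++ b/tests/k8s_env/throttling/res/wordpress-mysql-deployment.yaml
@@ -0,0 +1,100 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+name: wordpress-mysql
+---
+apiVersion: v1
+kind: Service
+metadata:
+name: wordpress
+namespace: wordpress-mysql
+labels:
+app: wordpress
+spec:
+selector:
+app: wordpress
+type: NodePort
+ports:
+- port: 80
+targetPort: 80
+nodePort: 30080
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: wordpress
+namespace: wordpress-mysql
+labels:
+app: wordpress
+spec:
+replicas: 1
+selector:
+matchLabels:
+app: wordpress
+template:
+metadata:
+labels:
+app: wordpress
+# annotations:
+# kubearmor-policy: enabled
+# container.apparmor.security.beta.kubernetes.io/wordpress: localhost/kubearmor-wordpress-mysql-wordpress
+spec:
+containers:
+- name: wordpress
+image: wordpress:4.8-apache
+env:
+- name: WORDPRESS_DB_HOST
+value: mysql
+- name: WORDPRESS_DB_PASSWORD
+value: root-password
+securityContext:
+allowPrivilegeEscalation: true
+capabilities:
+add: ["NET_RAW"]
+ports:
+- name: wordpress
+containerPort: 80
+---
+apiVersion: v1
+kind: Service
+metadata:
+name: mysql
+namespace: wordpress-mysql
+labels:
+app: mysql
+spec:
+selector:
+app: mysql
+ports:
+- port: 3306
+targetPort: 3306
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+name: mysql
+namespace: wordpress-mysql
+labels:
+app: mysql
+spec:
+replicas: 1
+selector:
+matchLabels:
+app: mysql
+template:
+metadata:
+labels:
+app: mysql
+# annotations:
+# kubearmor-policy: enabled
+# container.apparmor.security.beta.kubernetes.io/mysql: localhost/kubearmor-wordpress-mysql-mysql
+spec:
+containers:
+- name: mysql
+image: mysql:5.6
+env:
+- name: MYSQL_ROOT_PASSWORD
+value: root-password
+ports:
+- name: mysql
+containerPort: 3306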
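Review bot: The wordpress Service is declared `type: NodePort` with `nodePort: 30080`, which publishes a years-old `wordpress:4.8-apache` container (running with `allowPrivilegeEscalation: true` and an added `NET_RAW` capability) on every node of whatever cluster runs this suite. The spec code visible on this page only execs into the pod, so unless the throttling spec needs external HTTP access or those privileges, use `type: ClusterIP` without the `nodePort` line and set `allowPrivilegeEscalation: false`. A header comment such as `# Test fixture only: deliberately outdated images and a hard-coded DB password; deploy only to a disposable test cluster` would also keep the `root-password` values from being copied into real manifests.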
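--- a/tests/k8s_env/throttling/throttling_suite_test.go
+++ b/tests/k8s_env/throttling/throttling_suite_test.go
@@ -0,0 +1,13 @@
+package throttling_test
+
+import (
+"testing"
+
+. "github.com/onsi/ginkgo/v2"
+. "github.com/onsi/gomega"
+)
+
+func TestThrottling(t *testing.T) {
+RegisterFailHandler(Fail)
+RunSpecs(t, "Throttling Suite")
+}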