From d9eb6a5d5fb72347eacee3247f5ab0b7ced8e1d8 Mon Sep 17 00:00:00 2001
From: Prateek Nandle
Date: Tue, 30 Apr 2024 22:10:46 +0530
Subject: [PATCH] fix 2
Signed-off-by: Prateek Nandle
---
 tests/k8s_env/smoke/smoke_test.go | 138 ++++++++--------
 .../res/ksp-wordpress-block-process.yaml | 20 +++
 .../res/wordpress-mysql-deployment.yaml | 100 ++++++++++++
 .../throttling/throttling_suite_test.go | 13 ++
 tests/k8s_env/throttling/throttling_test.go | 150 ++++++++++++++++++
 5 files changed, 352 insertions(+), 69 deletions(-)
 create mode 100644 tests/k8s_env/throttling/res/ksp-wordpress-block-process.yaml
 create mode 100644 tests/k8s_env/throttling/res/wordpress-mysql-deployment.yaml
 create mode 100644 tests/k8s_env/throttling/throttling_suite_test.go
 create mode 100644 tests/k8s_env/throttling/throttling_test.go
diff --git a/tests/k8s_env/smoke/smoke_test.go b/tests/k8s_env/smoke/smoke_test.go
index f3ec184437..db8d4ed723 100644
--- a/tests/k8s_env/smoke/smoke_test.go
+++ b/tests/k8s_env/smoke/smoke_test.go
@@ -331,73 +331,73 @@ var _ = Describe("Smoke", func() {
 Expect(alerts[0].Result).To(Equal("Passed"))
 })
 })
- Describe("Alert Throttling", func() {
-
- It("enabled with new throttling conditions", func() {
- // enable throttling and change throttling condition using configmap
- cm := NewDefaultConfigMapData()
- cm.AlertThrottling = "true"
- cm.MaxAlertPerSec = "2"
- cm.ThrottleSec = "500"
- cm.Visibility = "process,network"
- err := cm.CreateKAConfigMap() // will create a configMap with new throttling condition
- Expect(err).To(BeNil())
-
- // Apply policy
- err = K8sApplyFile("res/ksp-wordpress-block-process.yaml")
- Expect(err).To(BeNil())
-
- // Start Kubearmor Logs
- err = KarmorLogStart("all", "wordpress-mysql", "AlertThreshold", wp)
- Expect(err).To(BeNil())
-
- // wait for policy creation
- time.Sleep(5 * time.Second)
-
- sout, _, err := K8sExecInPod(wp, "wordpress-mysql",
- []string{"bash", "-c", "count=0; while [ $count -lt 5 ]; do apt update; count=$((count + 1)); done;"})
- Expect(err).To(BeNil())
- fmt.Printf("OUTPUT: %s\n", sout)
- Expect(sout).To(MatchRegexp("apt.*Permission denied"))
-
- // check policy violation alert
- _, alerts, err := KarmorGetLogs(5*time.Second, 1)
- Expect(err).To(BeNil())
- fmt.Printf("throttling alert :%v\n", alerts)
- Expect(alerts[0].Type).To(Equal("SystemEvent"))
- Expect(alerts[0].Operation).To(Equal("AlertThreshold"))
- Expect(alerts[0].MaxAlertsPerSec).To(Equal(2))
- Expect(alerts[0].DroppingAlertsInterval).To(Equal(500))
-
- // should get an throttling alert
- // check policy violation alert
-
- // target := protobuf.Alert{
- // NamespaceName: "wordpress-mysql",
- // Operation: "AlertThreshold",
- // Type: "SystemEvent",
- // MaxAlertsPerSec: 2,
- // DroppingAlertsInterval: 360,
- // }
-
- // res, err := KarmorGetTargetAlert(5*time.Second, &target)
- // Expect(err).To(BeNil())
- // Expect(res.Found).To(BeTrue())
-
- // _, alerts, err := KarmorGetLogs(5*time.Second, 1)
- // Expect(err).To(BeNil())
- // 
Expect(len(alerts)).To(BeNumerically("==", 3))
-
- // check for throttling, alerts should not be genrated
- // sout, _, err = K8sExecInPod(wp, "wordpress-mysql",
- // []string{"bash", "-c", "apt update"})
- // Expect(err).To(BeNil())
- // fmt.Printf("---START---\n%s---END---\n", sout)
- // Expect(sout).To(MatchRegexp("apt.*Permission denied"))
-
- // _, alerts, err = KarmorGetLogs(5*time.Second, 1)
- // Expect(err).To(BeNil())
- // Expect(len(alerts)).To(BeNumerically("==", 0))
- })
- })
+ // Describe("Alert Throttling", func() {
+
+ // It("enabled with new throttling conditions", func() {
+ // // enable throttling and change throttling condition using configmap
+ // cm := NewDefaultConfigMapData()
+ // cm.AlertThrottling = "true"
+ // cm.MaxAlertPerSec = "2"
+ // cm.ThrottleSec = "500"
+ // cm.Visibility = "process,network"
+ // err := cm.CreateKAConfigMap() // will create a configMap with new throttling condition
+ // Expect(err).To(BeNil())
+
+ // // Apply policy
+ // err = K8sApplyFile("res/ksp-wordpress-block-process.yaml")
+ // Expect(err).To(BeNil())
+
+ // // Start Kubearmor Logs
+ // err = KarmorLogStart("all", "wordpress-mysql", "AlertThreshold", wp)
+ // Expect(err).To(BeNil())
+
+ // // wait for policy creation
+ // time.Sleep(5 * time.Second)
+
+ // sout, _, err := K8sExecInPod(wp, "wordpress-mysql",
+ // []string{"bash", "-c", "count=0; while [ $count -lt 5 ]; do apt update; count=$((count + 1)); done;"})
+ // Expect(err).To(BeNil())
+ // fmt.Printf("OUTPUT: %s\n", sout)
+ // Expect(sout).To(MatchRegexp("apt.*Permission denied"))
+
+ // // check policy violation alert
+ // _, alerts, err := KarmorGetLogs(5*time.Second, 1)
+ // Expect(err).To(BeNil())
+ // fmt.Printf("throttling alert :%v\n", alerts)
+ // Expect(alerts[0].Type).To(Equal("SystemEvent"))
+ // Expect(alerts[0].Operation).To(Equal("AlertThreshold"))
+ // Expect(alerts[0].MaxAlertsPerSec).To(Equal(2))
+ // Expect(alerts[0].DroppingAlertsInterval).To(Equal(500))
+
+ // // should get an 
throttling alert
+ // // check policy violation alert
+
+ // // target := protobuf.Alert{
+ // // NamespaceName: "wordpress-mysql",
+ // // Operation: "AlertThreshold",
+ // // Type: "SystemEvent",
+ // // MaxAlertsPerSec: 2,
+ // // DroppingAlertsInterval: 360,
+ // // }
+
+ // // res, err := KarmorGetTargetAlert(5*time.Second, &target)
+ // // Expect(err).To(BeNil())
+ // // Expect(res.Found).To(BeTrue())
+
+ // // _, alerts, err := KarmorGetLogs(5*time.Second, 1)
+ // // Expect(err).To(BeNil())
+ // // Expect(len(alerts)).To(BeNumerically("==", 3))
+
+ // // check for throttling, alerts should not be genrated
+ // // sout, _, err = K8sExecInPod(wp, "wordpress-mysql",
+ // // []string{"bash", "-c", "apt update"})
+ // // Expect(err).To(BeNil())
+ // // fmt.Printf("---START---\n%s---END---\n", sout)
+ // // Expect(sout).To(MatchRegexp("apt.*Permission denied"))
+
+ // // _, alerts, err = KarmorGetLogs(5*time.Second, 1)
+ // // Expect(err).To(BeNil())
+ // // Expect(len(alerts)).To(BeNumerically("==", 0))
+ // })
+ // })
 })
diff --git a/tests/k8s_env/throttling/res/ksp-wordpress-block-process.yaml b/tests/k8s_env/throttling/res/ksp-wordpress-block-process.yaml
new file mode 100644
index 0000000000..f51892fa83
--- /dev/null
+++ b/tests/k8s_env/throttling/res/ksp-wordpress-block-process.yaml
@@ -0,0 +1,20 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+ name: ksp-wordpress-block-process
+ namespace: wordpress-mysql
+spec:
+ severity: 3
+ selector:
+ matchLabels:
+ app: wordpress
+ process:
+ matchPaths:
+ - path: /usr/bin/apt
+ - path: /usr/bin/apt-get
+
+ # apt update
+ # apt-get update
+
+ action:
+ Block
diff --git a/tests/k8s_env/throttling/res/wordpress-mysql-deployment.yaml b/tests/k8s_env/throttling/res/wordpress-mysql-deployment.yaml
new file mode 100644
index 0000000000..7dea05439e
--- /dev/null
+++ b/tests/k8s_env/throttling/res/wordpress-mysql-deployment.yaml
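Review bot: The Alert Throttling spec is left in smoke_test.go as a 69-line commented-out block (from `// Describe("Alert Throttling", func() {` down to the closing `// })`) rather than deleted, even though the same spec is added as tests/k8s_env/throttling/throttling_test.go in this patch. Commented-out code drifts from the live copy and is flagged by most linters; remove the block outright and let git history keep the old version. The enclosing `Describe("Smoke", ...)` container starts before this hunk.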
@@ -0,0 +1,100 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: wordpress-mysql
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: wordpress
+ namespace: wordpress-mysql
+ labels:
+ app: wordpress
+spec:
+ selector:
+ app: wordpress
+ type: NodePort
+ ports:
+ - port: 80
+ targetPort: 80
+ nodePort: 30080
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: wordpress
+ namespace: wordpress-mysql
+ labels:
+ app: wordpress
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: wordpress
+ template:
+ metadata:
+ labels:
+ app: wordpress
+ # annotations:
+ # kubearmor-policy: enabled
+ # container.apparmor.security.beta.kubernetes.io/wordpress: localhost/kubearmor-wordpress-mysql-wordpress
+ spec:
+ containers:
+ - name: wordpress
+ image: wordpress:4.8-apache
+ env:
+ - name: WORDPRESS_DB_HOST
+ value: mysql
+ - name: WORDPRESS_DB_PASSWORD
+ value: root-password
+ securityContext:
+ allowPrivilegeEscalation: true
+ capabilities:
+ add: ["NET_RAW"]
+ ports:
+ - name: wordpress
+ containerPort: 80
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: mysql
+ namespace: wordpress-mysql
+ labels:
+ app: mysql
+spec:
+ selector:
+ app: mysql
+ ports:
+ - port: 3306
+ targetPort: 3306
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: mysql
+ namespace: wordpress-mysql
+ labels:
+ app: mysql
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: mysql
+ template:
+ metadata:
+ labels:
+ app: mysql
+ # annotations:
+ # kubearmor-policy: enabled
+ # container.apparmor.security.beta.kubernetes.io/mysql: localhost/kubearmor-wordpress-mysql-mysql
+ spec:
+ containers:
+ - name: mysql
+ image: mysql:5.6
+ env:
+ - name: MYSQL_ROOT_PASSWORD
+ value: root-password
+ ports:
+ - name: mysql
+ containerPort: 3306
diff --git a/tests/k8s_env/throttling/throttling_suite_test.go b/tests/k8s_env/throttling/throttling_suite_test.go
new file mode 100644
index 0000000000..0e48ea576f
--- /dev/null
+++ b/tests/k8s_env/throttling/throttling_suite_test.go
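Review bot: The wordpress container in this fixture is granted `allowPrivilegeEscalation: true` and `capabilities: add: ["NET_RAW"]`, which neither throttling spec in this patch appears to exercise (they only exec `apt` and read alerts), so either drop both or add a comment above `securityContext:` stating which test needs them. The `kubearmor-policy: enabled` annotation is commented out in both pod templates while `getWpsqlPod` in throttling_test.go filters pods on exactly that annotation; if this relies on KubeArmor annotating the pods itself, a one-line comment next to the commented annotation saying so would save the next reader from assuming the lookup is broken.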
@@ -0,0 +1,13 @@
+package throttling_test
+
+import (
+ "testing"
+
+ . "github.com/onsi/ginkgo/v2"
+ . "github.com/onsi/gomega"
+)
+
+func TestThrottling(t *testing.T) {
+ RegisterFailHandler(Fail)
+ RunSpecs(t, "Throttling Suite")
+}
diff --git a/tests/k8s_env/throttling/throttling_test.go b/tests/k8s_env/throttling/throttling_test.go
new file mode 100644
index 0000000000..c38d3ad04e
--- /dev/null
+++ b/tests/k8s_env/throttling/throttling_test.go
@@ -0,0 +1,150 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2024 Authors of KubeArmor
+
+package throttling
+
+import (
+ "fmt"
+ "time"
+
+ . "github.com/kubearmor/KubeArmor/tests/util"
+ . "github.com/onsi/ginkgo/v2"
+ . "github.com/onsi/gomega"
+)
+
+var _ = BeforeSuite(func() {
+ // install wordpress-mysql app
+ err := K8sApply([]string{"res/wordpress-mysql-deployment.yaml"})
+ Expect(err).To(BeNil())
+
+ // delete all KSPs
+ err = DeleteAllKsp()
+ Expect(err).To(BeNil())
+})
+
+var _ = AfterSuite(func() {
+ // Delete wordpress-mysql app
+ err := K8sDelete([]string{"res/wordpress-mysql-deployment.yaml"})
+ Expect(err).To(BeNil())
+ DeleteKAConfigMap()
+})
+
+func getWpsqlPod(name string, ant string) string {
+ pods, err := K8sGetPods(name, "wordpress-mysql", []string{ant}, 60)
+ Expect(err).To(BeNil())
+ Expect(len(pods)).To(Equal(1))
+ return pods[0]
+}
+
+var _ = Describe("Smoke", func() {
+ var wp string
+
+ BeforeEach(func() {
+ wp = getWpsqlPod("wordpress-", "kubearmor-policy: enabled")
+ })
+
+ AfterEach(func() {
+ KarmorLogStop()
+ err := DeleteAllKsp()
+ Expect(err).To(BeNil())
+ // wait for policy deletion
+ time.Sleep(5 * time.Second)
+ })
+
+ Describe("Policy Apply", func() {
+ It("can block execution of pkg mgmt tools such as apt, apt-get", func() {
+ // Apply policy
+ err := K8sApplyFile("res/ksp-wordpress-block-process.yaml")
+ Expect(err).To(BeNil())
+
+ // Start Kubearmor Logs
+ err = KarmorLogStart("policy", "wordpress-mysql", "Process", wp)
+ Expect(err).To(BeNil())
+
+ // wait for policy creation
+ time.Sleep(5 * time.Second)
+
+ sout, _, err := K8sExecInPod(wp, "wordpress-mysql", []string{"bash", "-c", "apt"})
+ Expect(err).To(BeNil())
+ fmt.Printf("---START---\n%s---END---\n", sout)
+ Expect(sout).To(MatchRegexp("apt.*Permission denied"))
+
+ // check policy violation alert
+ _, alerts, err := KarmorGetLogs(5*time.Second, 1)
+ Expect(err).To(BeNil())
+ fmt.Printf("alert :%v\n", alerts)
+ 
Expect(len(alerts)).To(BeNumerically(">=", 1))
+ Expect(alerts[0].PolicyName).To(Equal("ksp-wordpress-block-process"))
+ Expect(alerts[0].Severity).To(Equal("3"))
+ })
+ })
+ Describe("Alert Throttling", func() {
+
+ It("enabled with new throttling conditions", func() {
+ // enable throttling and change throttling condition using configmap
+ cm := NewDefaultConfigMapData()
+ cm.AlertThrottling = "true"
+ cm.MaxAlertPerSec = "2"
+ cm.ThrottleSec = "500"
+ cm.Visibility = "process,network,file,capabilities"
+ err := cm.CreateKAConfigMap() // will create a configMap with new throttling condition
+ Expect(err).To(BeNil())
+
+ // Apply policy
+ err = K8sApplyFile("res/ksp-wordpress-block-process.yaml")
+ Expect(err).To(BeNil())
+
+ // Start Kubearmor Logs
+ err = KarmorLogStart("all", "wordpress-mysql", "AlertThreshold", wp)
+ Expect(err).To(BeNil())
+
+ // wait for policy creation
+ time.Sleep(5 * time.Second)
+
+ sout, _, err := K8sExecInPod(wp, "wordpress-mysql",
+ []string{"bash", "-c", "count=0; while [ $count -lt 5 ]; do apt; count=$((count + 1)); done;"})
+ Expect(err).To(BeNil())
+ fmt.Printf("OUTPUT: %s\n", sout)
+ Expect(sout).To(MatchRegexp("apt.*Permission denied"))
+
+ // check policy violation alert
+ _, alerts, err := KarmorGetLogs(5*time.Second, 1)
+ Expect(err).To(BeNil())
+ fmt.Printf("throttling alert :%v\n", alerts)
+ Expect(alerts[0].Type).To(Equal("SystemEvent"))
+ Expect(alerts[0].Operation).To(Equal("AlertThreshold"))
+ Expect(alerts[0].MaxAlertsPerSec).To(Equal(2))
+ Expect(alerts[0].DroppingAlertsInterval).To(Equal(500))
+
+ // should get an throttling alert
+ // check policy violation alert
+
+ // target := protobuf.Alert{
+ // NamespaceName: "wordpress-mysql",
+ // Operation: "AlertThreshold",
+ // Type: "SystemEvent",
+ // MaxAlertsPerSec: 2,
+ // DroppingAlertsInterval: 360,
+ // }
+
+ // res, err := KarmorGetTargetAlert(5*time.Second, &target)
+ // Expect(err).To(BeNil())
+ // Expect(res.Found).To(BeTrue())
+
+ // _, alerts, err := 
KarmorGetLogs(5*time.Second, 1)
+ // Expect(err).To(BeNil())
+ // Expect(len(alerts)).To(BeNumerically("==", 3))
+
+ // check for throttling, alerts should not be genrated
+ // sout, _, err = K8sExecInPod(wp, "wordpress-mysql",
+ // []string{"bash", "-c", "apt update"})
+ // Expect(err).To(BeNil())
+ // fmt.Printf("---START---\n%s---END---\n", sout)
+ // Expect(sout).To(MatchRegexp("apt.*Permission denied"))
+
+ // _, alerts, err = KarmorGetLogs(5*time.Second, 1)
+ // Expect(err).To(BeNil())
+ // Expect(len(alerts)).To(BeNumerically("==", 0))
+ })
+ })
+})
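Review bot: In the Alert Throttling spec, `alerts[0]` is read straight after `_, alerts, err := KarmorGetLogs(5*time.Second, 1)` with no length check, so if no AlertThreshold event arrives within the window the spec dies with an index-out-of-range panic instead of a readable assertion; the Policy Apply spec a few lines up guards the same call, so add `Expect(len(alerts)).To(BeNumerically(">=", 1))` before `Expect(alerts[0].Type).To(Equal("SystemEvent"))`. The top-level container is still `Describe("Smoke", func() {`, copied from the smoke suite; `Describe("Throttling", func() {` keeps the two suites distinguishable in reports. This file declares `package throttling` while throttling_suite_test.go in the same patch declares `package throttling_test`; Go accepts the mix of internal and external test packages and Ginkgo's global suite still collects the specs, but one package name per directory is the convention. The commented-out tail of the spec (from `// target := protobuf.Alert{` to `// Expect(len(alerts)).To(BeNumerically("==", 0))`) is dead code carried over from smoke_test.go and should be dropped or reduced to a single TODO. `DeleteKAConfigMap()` in AfterSuite discards whatever it returns; if it returns an error, wrap it in `Expect(...).To(BeNil())` like the neighbouring calls.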