First iteration of seccomp testing
Signed-off-by: PrimalPimmy <[email protected]>

Fixes

Signed-off-by: PrimalPimmy <[email protected]>

Fixes

Signed-off-by: PrimalPimmy <[email protected]>

Fixes2

Signed-off-by: PrimalPimmy <[email protected]>

Making seccomp work (I hope)

Signed-off-by: PrimalPimmy <[email protected]>

Fixed seccomp path

Signed-off-by: PrimalPimmy <[email protected]>

removed some elements

Signed-off-by: PrimalPimmy <[email protected]>

Seccomp iteration-2

Signed-off-by: PrimalPimmy <[email protected]>

updated go

Signed-off-by: PrimalPimmy <[email protected]>

Only smoke test

Signed-off-by: PrimalPimmy <[email protected]>

Only smoke test

Signed-off-by: PrimalPimmy <[email protected]>

Again all tests

Signed-off-by: PrimalPimmy <[email protected]>

removed patch

Signed-off-by: PrimalPimmy <[email protected]>

secondary test

Signed-off-by: PrimalPimmy <[email protected]>

secondary test-2

Signed-off-by: PrimalPimmy <[email protected]>

updated kubejson

Signed-off-by: PrimalPimmy <[email protected]>

updated yaml

Signed-off-by: PrimalPimmy <[email protected]>

updated yaml

Signed-off-by: PrimalPimmy <[email protected]>

updated yaml

Signed-off-by: PrimalPimmy <[email protected]>

updated yaml with seccomp patch

Signed-off-by: PrimalPimmy <[email protected]>

updated yaml with seccomp patch-2

Signed-off-by: PrimalPimmy <[email protected]>

updated yaml with seccomp patch-3

Signed-off-by: PrimalPimmy <[email protected]>

updated yaml with seccomp patch-4

Signed-off-by: PrimalPimmy <[email protected]>

json

Signed-off-by: PrimalPimmy <[email protected]>

json

Signed-off-by: PrimalPimmy <[email protected]>

checking seccomp

Signed-off-by: PrimalPimmy <[email protected]>

working apparmor

Signed-off-by: PrimalPimmy <[email protected]>
PrimalPimmy committed Feb 22, 2024
1 parent 5ce1883 commit f3cc38f
Showing 3 changed files with 119 additions and 42 deletions.
@@ -1,4 +1,4 @@
name: ci-test-ginkgo
name: ci-test-seccomp

on:
push:
Expand All @@ -7,7 +7,7 @@ on:
- "KubeArmor/**"
- "tests/**"
- "protobuf/**"
- ".github/workflows/ci-test-ginkgo.yml"
- ".github/workflows/ci-test-seccomp.yml"
- "pkg/KubeArmorOperator/**"
- "deployments/helm/**"
pull_request:
Expand All @@ -16,7 +16,7 @@ on:
- "KubeArmor/**"
- "tests/**"
- "protobuf/**"
- ".github/workflows/ci-test-ginkgo.yml"
- ".github/workflows/ci-test-seccomp.yml"
- "pkg/KubeArmorOperator/**"
- "deployments/helm/**"

Expand Down Expand Up @@ -54,42 +54,14 @@ jobs:

- name: Generate KubeArmor artifacts
run: |
GITHUB_SHA=$GITHUB_SHA ./KubeArmor/build/build_kubearmor.sh
- name: Build Kubearmor-Operator
working-directory: pkg/KubeArmorOperator
run: |
make docker-build
- name: deploy pre existing pod
run: |
kubectl apply -f ./tests/k8s_env/ksp/pre-run-pod.yaml
sleep 60
kubectl get pods -A
- name: Run KubeArmor
run: |
if [ ${{ matrix.runtime }} == "containerd" ]; then
docker save kubearmor/kubearmor-init:latest | sudo k3s ctr images import -
docker save kubearmor/kubearmor:latest | sudo k3s ctr images import -
docker save kubearmor/kubearmor-operator:latest | sudo k3s ctr images import -
docker save kubearmor/kubearmor-snitch:latest | sudo k3s ctr images import -
else
if [ ${{ matrix.runtime }} == "crio" ]; then
sudo podman pull docker-daemon:kubearmor/kubearmor-init:latest
sudo podman pull docker-daemon:kubearmor/kubearmor:latest
sudo podman pull docker-daemon:kubearmor/kubearmor-operator:latest
sudo podman pull docker-daemon:kubearmor/kubearmor-snitch:latest
fi
fi
helm upgrade --install kubearmor-operator ./deployments/helm/KubeArmorOperator -n kubearmor --create-namespace
kubectl wait --for=condition=ready --timeout=5m -n kubearmor pod -l kubearmor-app=kubearmor-operator
kubectl get pods -A
kubectl apply -f pkg/KubeArmorOperator/config/samples/kubearmor-test.yaml
kubectl wait -n kubearmor --timeout=5m --for=jsonpath='{.status.phase}'=Running kubearmorconfigs/kubearmorconfig-test
kubectl wait --timeout=7m --for=condition=ready pod -l kubearmor-app,kubearmor-app!=kubearmor-snitch -n kubearmor
kubectl get pods -A
grep CONFIG_SECCOMP= /boot/config-$(uname -r)
sudo mkdir /var/lib/kubelet/seccomp
sudo mkdir /var/lib/kubelet/seccomp/profiles
sudo cp ./.github/workflows/kube.json /var/lib/kubelet/seccomp/profiles/kube.json
sudo cat /var/lib/kubelet/seccomp/profiles/kube.json
curl -sfL http://get.kubearmor.io/ | sudo sh -s -- -b /usr/local/bin
karmor install --image kubearmor/kubearmor:latest
kubectl patch ds kubearmor --namespace kubearmor --patch '{"spec": {"template": {"spec": {"containers": [{"name": "kubearmor", "securityContext": {"seccompProfile": {"type": "Localhost", "localhostProfile": "profiles/kube.json"}}}]}}}}'
- name: Test KubeArmor using Ginkgo
run: |
go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo
Expand All @@ -103,6 +75,7 @@ jobs:
kubectl describe pod -n kubearmor -l kubearmor-app=kubearmor
curl -sfL http://get.kubearmor.io/ | sudo sh -s -- -b /usr/local/bin
mkdir -p /tmp/kubearmor/ && cd /tmp/kubearmor && karmor sysdump
cat /var/log/syslog | grep 'kubearmor' >> karmorsyslog.txt
- name: Archive log artifacts
if: ${{ failure() }}
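Review bot: The installer line `curl -sfL http://get.kubearmor.io/ | sudo sh -s -- -b /usr/local/bin` fetches a script over plain HTTP and executes it as root; any HTTPS redirect that `-L` follows does not protect the first request, so pin the scheme to `https://` and, better, download the script to a file and verify it against a published checksum before running it (the sysdump step further down already carries the same pattern). `sudo mkdir /var/lib/kubelet/seccomp` and the second `mkdir` fail if the directory already exists on the runner image; `sudo mkdir -p /var/lib/kubelet/seccomp/profiles` creates both in one step and is idempotent. Nothing after `kubectl patch ds kubearmor ...` waits for the patched DaemonSet to roll out before the Ginkgo step begins, and the earlier `kubectl wait` calls appear to sit on the removed side of this hunk, so a `kubectl rollout status ds/kubearmor -n kubearmor --timeout=5m` would close that gap. `grep CONFIG_SECCOMP= /boot/config-$(uname -r)` only prints the kernel option; if the intent is a precondition, `grep -q CONFIG_SECCOMP=y ...` would fail the job early instead. Old and new lines are not marked on this rendered section, so which lines are additions is inferred from the step contents.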
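--- /dev/null
+++ b/.github/workflows/kube.json
@@ -0,0 +1,105 @@
+{
+"defaultAction": "SCMP_ACT_ERRNO",
+"architectures": [
+"SCMP_ARCH_X86_64",
+"SCMP_ARCH_X86",
+"SCMP_ARCH_X32"
+],
+"syscalls": [
+{
+"names": [
+"getsockopt",
+"epoll_ctl",
+"capget",
+"fstat",
+"mmap",
+"fstatfs",
+"bpf",
+"utimensat",
+"memfd_create",
+"prlimit64",
+"open",
+"getgid",
+"dup2",
+"sigaltstack",
+"clone",
+"stat",
+"read",
+"newfstatat",
+"setgroups",
+"sched_getaffinity",
+"wait4",
+"munmap",
+"accept4",
+"mprotect",
+"futex",
+"prctl",
+"gettid",
+"getsockname",
+"exit_group",
+"rt_sigaction",
+"readlinkat",
+"getcwd",
+"execve",
+"madvise",
+"dup",
+"fcntl",
+"close",
+"write",
+"setuid",
+"ioctl",
+"readv",
+"writev",
+"uname",
+"nanosleep",
+"socket",
+"bind",
+"capset",
+"getrlimit",
+"epoll_create1",
+"pread64",
+"eventfd2",
+"dup3",
+"brk",
+"getuid",
+"pipe",
+"chdir",
+"statfs",
+"unlinkat",
+"kill",
+"rt_sigreturn",
+"geteuid",
+"getrandom",
+"getpgid",
+"openat",
+"setgid",
+"getpid",
+"tgkill",
+"fsync",
+"faccessat2",
+"sched_yield",
+"getpeername",
+"setsockopt",
+"rt_sigprocmask",
+"connect",
+"perf_event_open",
+"access",
+"getdents64",
+"epoll_wait",
+"fork",
+"rename",
+"set_tid_address",
+"getppid",
+"pipe2",
+"epoll_pwait",
+"waitid",
+"arch_prctl",
+"listen",
+"lseek",
+"getegid",
+"mkdirat"
+],
+"action": "SCMP_ACT_ALLOW"
+}
+]
+}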
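Review bot: The profile sets `"defaultAction": "SCMP_ACT_ERRNO"` without a `defaultErrnoRet`, so every syscall outside the allow list fails with EPERM, which is indistinguishable in KubeArmor's logs from a genuine permission denial and makes a missing entry hard to diagnose; adding `"defaultErrnoRet": 38` (ENOSYS) makes a blocked call recognisable and typically lets a libc that probes a newer syscall first fall back to the older one. The `architectures` list covers only the x86 ABIs, which matches the current x86_64 runner but means the profile would not describe the native ABI on an arm64 host, so that assumption is worth a comment in the workflow step that installs it. JSON cannot carry comments, so the rationale for the more sensitive entries (`bpf`, `perf_event_open`, `setuid`, `setgid`, `capset`, presumably needed by KubeArmor's eBPF probes and privilege setup) belongs next to the `sudo cp ./.github/workflows/kube.json ...` line in the workflow, so a later reader does not trim them.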
5 changes: 2 additions & 3 deletions tests/k8s_env/Makefile
Expand Up @@ -5,9 +5,8 @@
build:
@go mod tidy
# run in two steps as syscall suite fails if run at the very end
# see - https://github.com/kubearmor/KubeArmor/issues/1269
@ginkgo --vv --flake-attempts=10 --timeout=10m syscalls/
@ginkgo --vv smoke/
@ginkgo -r --vv --flake-attempts=10 --timeout=30m --skip-package "syscalls"
.PHONY: test
test:
@ginkgo -r -v
@ginkgo -r -v
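Review bot: The comment `# run in two steps as syscall suite fails if run at the very end` (with the issue link below it) appears to remain while the new invocation `@ginkgo -r --vv --flake-attempts=10 --timeout=30m --skip-package "syscalls"` skips the syscalls package entirely, so the `build` target no longer runs that suite at all and the comment describes a sequence that no longer exists; either rewrite it as `# syscalls suite is skipped under the seccomp profile; see issues/1269` or drop it. Keeping `--flake-attempts=10` on the remaining run masks instability introduced by the seccomp profile rather than surfacing it, so consider lowering it once the profile settles. Old and new lines are not marked on this rendered section, so which of the two identical `@ginkgo -r -v` lines is the changed one cannot be told from here.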
