KubeArmor
Search…
Testing Guide

Testing Guide

There are two ways to check the functionalities of KubeArmor: 1) testing KubeArmor manually and 2) using the testing framework.

0. Make sure that the annotation controller is installed on the cluster (Applicable for Steps 1 and 2)

  • To install the controller from KubeArmor docker repository to your cluster run
$ cd KubeArmor/pkg/KubeArmorAnnotation
~/KubeArmor/pkg/KubeArmorAnnotation$ make deploy
  • To install the controller (local version) to your cluster run
$ cd KubeArmor/pkg/KubeArmorAnnotation
~/KubeArmor/pkg/KubeArmorAnnotation$ make docker-build deploy

1. Test KubeArmor manually

1.1. Run 'kubectl proxy' in background

$ kubectl proxy &

1.2. Compile KubeArmor

$ cd KubeArmor/KubeArmor
~/KubeArmor/KubeArmor$ make clean && make

1.3. Run KubeArmor

~/KubeArmor/KubeArmor$ sudo -E ./kubearmor -gRPC=[gRPC port number]
-logPath=[log file path]
-enableKubeArmorPolicy=[true|false]
-enableKubeArmorHostPolicy=[true|false]

1.4. Apply security policies into Kubernetes

Beforehand, check if the KubeArmorPolicy and KubeArmorHostPolicy CRDs are already applied.
$ kubectl explain KubeArmorPolicy
If they are still not applied, do so.
$ kubectl apply -f ~/KubeArmor/deployments/CRD/
Now you can apply specific policies.
$ kubectl apply -f [policy file]
You can refer to security policies defined for example microservices in examples.

1.5. Trigger policy violations to generate alerts

$ kubectl -n [namespace name] exec -it [pod name] -- bash -c [command]

1.6. Check generated alerts

  • Watch alerts using karmor cli tool
    $ karmor log [flags]
    flags:
    --gRPC string gRPC server information
    --help help for log
    --json Flag to print alerts and logs in the JSON format
    --logFilter string What kinds of alerts and logs to receive, {policy|system|all} (default "policy")
    --logPath string Output location for alerts and logs, {path|stdout|none} (default "stdout")
    --msgPath string Output location for messages, {path|stdout|none} (default "none")
    Note that you will see alerts and logs generated right after karmor runs logs; thus, we recommend to run the above command in other terminal to see logs live.

2. Test KubeArmor using the auto-testing framework

2.1. Prepare microservices and test scenarios

The auto-testing framework operates based on two things: microservices and test scenarios for each microservice.
  • Microservices
    Create a directory for a microservice in microservices
    $ cd KubeArmor/tests/microservices
    ~/KubeArmor/tests/microservices$ mkdir [microservice name]
    Then, create YAML files for the microservice
    $ cd KubeArmor/tests/microservices/[microservice name]
    ~/KubeArmor/tests/microservices/[microservice name]$ ...
    As an example, we created 'multiubuntu' in microservices and defined 'multiubuntu-deployment.yaml' in multiubuntu.
  • Test scenarios
    Create a directory whose name is like '[microservice name]_[scenario name]' in scenarios
    $ cd KubeArmor/tests/scenarios
    ~/KubeArmor/tests/scenarios$ mkdir [microservice name]_[scenario name]
    Then, define a YAML file for a test policy in the directory
    ~/KubeArmor/tests/scenarios$ cd [microservice name]_[scenario name]
    .../[microservice name]_[scenario name]$ vi [policy name].yaml
    Create cmd files whose names are like 'cmd#'
    .../[microservice name]_[scenario name]$ vi cmd1 / cmd2 / ...
    Here is a template for a cmd file.
    source: [pod name]
    cmd: [command to trigger a policy violation]
    result: [expected result], { passed | failed }
    ---
    operation: [operation], { Process | File | Network }
    condition: [matching string]
    action: [action in a policy] { Allow | Audit | Block }
    This is a cmd example of a test scenario.
    source: ubuntu-1-deployment
    cmd: sleep 1
    result: failed
    ---
    operation: Process
    condition: sleep
    action: Block
    You can refer to predefined testcases in scenarios.

2.2. Test KubeArmor

  • The case that KubeArmor is directly running in a host
    Compile KubeArmor
    $ cd KubeArmor/KubeArmor
    ~/KubeArmor/KubeArmor$ make clean && make
    Run the auto-testing framework
    $ cd KubeArmor/tests
    ~/KubeArmor/tests$ ./test-scenarios-local.sh
    Check the test report
    ~/KubeArmor/tests$ cat /tmp/kubearmor.test
  • The case that KubeArmor is running as a daemonset in Kubernetes
    Run the testing framework
    $ cd KubeArmor/tests
    ~/KubeArmor/tests$ ./test-scenarios-in-runtime.sh
    Check the test report
    ~/KubeArmor/tests$ cat /tmp/kubearmor.test
Export as PDF
Copy link
On this page
Testing Guide
0. Make sure that the annotation controller is installed on the cluster (Applicable for Steps 1 and 2)
1. Test KubeArmor manually
1.1. Run 'kubectl proxy' in background
1.2. Compile KubeArmor
1.3. Run KubeArmor
1.4. Apply security policies into Kubernetes
1.5. Trigger policy violations to generate alerts
1.6. Check generated alerts
2. Test KubeArmor using the auto-testing framework
2.1. Prepare microservices and test scenarios
2.2. Test KubeArmor