KubeArmor

Testing Guide

There are two ways to check the functionalities of KubeArmor: 1) testing KubeArmor manually and 2) using the testing framework.

1. Test KubeArmor manually

1.1. Run 'kubectl proxy' in background

    $ kubectl proxy &

1.2. Compile KubeArmor

    $ cd KubeArmor/KubeArmor
    ~/KubeArmor/KubeArmor$ make clean && make

1.3. Run KubeArmor

    ~/KubeArmor/KubeArmor$ sudo -E ./kubearmor -gRPC=[gRPC port number] \
        -logPath=[log file path] \
        -enableKubeArmorPolicy=[true|false] \
        -enableKubeArmorHostPolicy=[true|false]

1.4. Apply security policies into Kubernetes

Beforehand, check whether the KubeArmorPolicy and KubeArmorHostPolicy CRDs are already applied.

    $ kubectl explain KubeArmorPolicy

If they are not applied yet, apply them.

    $ kubectl apply -f ~/KubeArmor/deployments/CRD/

Now you can apply specific policies.

    $ kubectl apply -f [policy file]

You can refer to the security policies defined for the example microservices in examples.

1.5. Trigger policy violations to generate alerts

    $ kubectl -n [namespace name] exec -it [pod name] -- bash -c [command]

1.6. Check generated alerts

  • Watch alerts using the karmor CLI tool

        $ karmor log [flags]

    flags:

        --gRPC string        gRPC server information
        --help               help for log
        --json               Flag to print alerts and logs in the JSON format
        --logFilter string   What kinds of alerts and logs to receive, {policy|system|all} (default "policy")
        --logPath string     Output location for alerts and logs, {path|stdout|none} (default "stdout")
        --msgPath string     Output location for messages, {path|stdout|none} (default "none")

    Note that you will only see alerts and logs generated after 'karmor log' starts; thus, we recommend running the above command in another terminal to watch the logs live.

2. Test KubeArmor using the auto-testing framework

2.1. Prepare microservices and test scenarios

The auto-testing framework operates based on two things: microservices and test scenarios for each microservice.
  • Microservices
    Create a directory for the microservice in microservices.

        $ cd KubeArmor/tests/microservices
        ~/KubeArmor/tests/microservices$ mkdir [microservice name]

    Then, create the YAML files for the microservice.

        $ cd KubeArmor/tests/microservices/[microservice name]
        ~/KubeArmor/tests/microservices/[microservice name]$ ...

    As an example, we created 'multiubuntu' in microservices and defined 'multiubuntu-deployment.yaml' in multiubuntu.
  • Test scenarios
    Create a directory named '[microservice name]_[scenario name]' in scenarios.

        $ cd KubeArmor/tests/scenarios
        ~/KubeArmor/tests/scenarios$ mkdir [microservice name]_[scenario name]

    Then, define a YAML file for the test policy in that directory.

        ~/KubeArmor/tests/scenarios$ cd [microservice name]_[scenario name]
        .../[microservice name]_[scenario name]$ vi [policy name].yaml

    Create cmd files named 'cmd#' (cmd1, cmd2, ...).

        .../[microservice name]_[scenario name]$ vi cmd1 / cmd2 / ...

    Here is the template for a cmd file. The part before '---' describes the command to run and its expected outcome; the part after it describes the alert that KubeArmor is expected to generate.

        source: [pod name]
        cmd: [command to trigger a policy violation]
        result: [expected result], { passed | failed }
        ---
        operation: [operation], { Process | File | Network }
        condition: [matching string]
        action: [action in a policy], { Allow | Audit | Block }

    Here is an example cmd file from a test scenario: running 'sleep 1' in the ubuntu-1-deployment pod is expected to fail because the policy blocks the 'sleep' process.

        source: ubuntu-1-deployment
        cmd: sleep 1
        result: failed
        ---
        operation: Process
        condition: sleep
        action: Block

    You can refer to the predefined test cases in scenarios.
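
As an added example that is not part of the KubeArmor project, the Python below parses a cmd file in this format, validates its enumerated fields, and checks a list of alert records for one that satisfies the scenario's source, operation, condition and action. The alert records are constructed here, and their field names (PodName, Operation, Resource, Action) are assumptions, not karmor's real JSON output schema.

```python
# Added example (not KubeArmor's own code): parse a test-scenario 'cmd' file.
# Constructed cmd file in the template format shown above.
SAMPLE_CMD = """\
source: ubuntu-1-deployment
cmd: sleep 1
result: failed
---
operation: Process
condition: sleep
action: Block
"""
# Constructed alerts; field names are assumed, not karmor's actual JSON schema.
SAMPLE_ALERTS = [
    {"PodName": "ubuntu-1-deployment-7c9f", "Operation": "Process",
     "Resource": "/bin/sleep 1", "Action": "Block"},
    {"PodName": "ubuntu-2-deployment-4a1b", "Operation": "File",
     "Resource": "/etc/passwd", "Action": "Audit"},
]

# Free-text fields map to None; enumerated fields list their legal values.
SCHEMA = {"source": None, "cmd": None, "condition": None,
          "result": {"passed", "failed"},
          "operation": {"Process", "File", "Network"},
          "action": {"Allow", "Audit", "Block"}}

def parse_cmd(text):
    """Read 'key: value' lines (skipping blanks and '---') and validate them."""
    fields = {}
    for line in text.splitlines():
        if line.strip() in ("", "---"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        fields[key.strip()] = value.strip()
    for key, allowed in SCHEMA.items():
        if key not in fields:
            raise ValueError(f"missing field: {key}")
        if allowed is not None and fields[key] not in allowed:
            raise ValueError(f"{key} must be one of {sorted(allowed)}")
    return fields

def matching_alerts(spec, alerts):
    """Alerts for the source pod with the expected operation and action whose
    resource contains the condition string (non-empty: expectation met)."""
    return [a for a in alerts
            if a["PodName"].startswith(spec["source"])
            and a["Operation"] == spec["operation"]
            and a["Action"] == spec["action"]
            and spec["condition"] in a["Resource"]]
```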

2.2. Test KubeArmor

  • The case that KubeArmor is directly running on a host
    Compile KubeArmor

        $ cd KubeArmor/KubeArmor
        ~/KubeArmor/KubeArmor$ make clean && make

    Run the auto-testing framework

        $ cd KubeArmor/tests
        ~/KubeArmor/tests$ ./test-scenarios-local.sh

    Check the test report

        ~/KubeArmor/tests$ cat /tmp/kubearmor.test

  • The case that KubeArmor is running as a daemonset in Kubernetes
    Run the testing framework

        $ cd KubeArmor/tests
        ~/KubeArmor/tests$ ./test-scenarios-in-runtime.sh

    Check the test report

        ~/KubeArmor/tests$ cat /tmp/kubearmor.test