KubeArmor
Testing Guide
  • Manual testing
    1. Run 'kubectl proxy' in the background
      $ kubectl proxy &
    2. Run KubeArmor
      $ cd KubeArmor/KubeArmor
      ~/KubeArmor/KubeArmor$ make clean && make run
      If you want to change the gRPC port number or the location of the log file, run KubeArmor as follows.
      ~/KubeArmor/KubeArmor$ sudo -E ./kubearmor -gRPC=[gRPC port number] \
          -logPath=[log file path] \
          -enableKubeArmorPolicy \
          -enableKubeArmorHostPolicy
    3. Apply security policies for testing
      Beforehand, check whether the KubeArmorPolicy and KubeArmorHostPolicy CRDs are already applied.
      $ kubectl explain KubeArmorPolicy
      If they are not yet applied, apply them.
      $ kubectl apply -f ~/KubeArmor/deployments/CRD/
      Now you can apply specific policies.
      $ kubectl apply -f [policy file]
      You can refer to the security policies defined for example microservices in examples.
    4. Trigger policy violations to generate logs
      $ kubectl -n [namespace name] exec -it [pod name] -- bash -c [command]
    5. Check KubeArmor's alerts and logs
      • Log file
        $ tail (-f) /tmp/kubearmor.log
        If you changed the location of the log file, check your file instead of the default file path.
        $ tail (-f) [your log file path]
      • Log client
        Compile a log client.
        $ git clone https://github.com/kubearmor/kubearmor-log-client
        $ cd kubearmor-log-client
        ~/kubearmor-log-client$ make
        Run the log client.
        ~/kubearmor-log-client$ ./kubearmor-log-client (options...)
        Log client options:
        -gRPC=[ipaddr:port]             gRPC server information (default: localhost:32767)
        -msgPath={path|stdout|none}     Output location for KubeArmor's messages (default: none)
        -logPath={path|stdout|none}     Output location for KubeArmor's alerts and logs (default: stdout)
        -logFilter={policy|system|all}  Filter for what kinds of alerts and logs to receive (default: policy)
        -json                           Flag to print messages, alerts, and logs in a JSON format
        Note that the log client only shows the messages, alerts, and logs generated after it starts, which means that the log client should be run before any policy violations happen.
  • Test using the auto-testing framework
    1. Test cases
      To use the auto-testing framework, you need to define two things: microservices and scenarios for each microservice.
      • Microservices
        Create a directory for a microservice in microservices.
        $ cd KubeArmor/tests/microservices
        ~/KubeArmor/tests/microservices$ mkdir [microservice name]
        Then, create YAML files for the microservice.
        $ cd KubeArmor/tests/microservices/[microservice name]
        ~/KubeArmor/tests/microservices/[microservice name]$ ...
        As an example, we created 'multiubuntu' in microservices, and defined 'multiubuntu-deployment.yaml' in multiubuntu.
      • Test scenarios
        Create a directory named '[microservice name]_[test scenario name]' in scenarios.
        $ cd KubeArmor/tests/scenarios
        ~/KubeArmor/tests/scenarios$ mkdir [microservice name]_[test scenario name]
        Then, define a YAML file for a test policy in the directory.
        ~/KubeArmor/tests/scenarios$ cd [microservice name]_[test scenario name]
        .../[microservice name]_[test scenario name]$ vi [policy name].yaml
        Next, create cmd files named 'cmd#' (cmd1, cmd2, and so on).
        .../[microservice name]_[test scenario name]$ vi cmd1 / cmd2 / ...
        Here is a template for a cmd file.
        source: [pod name]
        cmd: [command to trigger a policy violation]
        result: [expected result], { passed | failed }
        ---
        operation: [operation], { Process | File | Network }
        condition: [matching string]
        action: [action in a policy] { Allow | Audit | Block }
        This is an example of a scenario.
        source: ubuntu-1-deployment
        cmd: sleep 1
        result: failed
        ---
        operation: Process
        condition: sleep
        action: Block
        You can refer to our scenarios in scenarios.
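A cmd file can be checked against the template above before the scenario is run. The following is an added example, not part of KubeArmor's test framework: lint_cmd_file is a hypothetical helper that assumes both sections are required and accepts only the keys and values listed in the template.

```shell
#!/bin/sh
# Added example (not KubeArmor code): lint_cmd_file is a hypothetical helper that
# checks a scenario cmd file against the template on this page.
# Assumption: both sections are required and only the template's keys are allowed.
lint_cmd_file() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t\r]+$/, "", s); return s }
    function bad(msg) { printf "%s:%d: %s\n", FILENAME, NR, msg; errors++ }
    /^[ \t\r]*$/ { next }                      # skip blank lines
    /^---[ \t\r]*$/ { section++; next }        # separator between the two sections
    {
        i = index($0, ":")                     # split on the first colon only,
        if (i == 0) { bad("expected key: value"); next }   # so cmd values may contain ":"
        key = trim(substr($0, 1, i - 1)); val = trim(substr($0, i + 1))
        allowed = (section == 0) ? " source cmd result " : " operation condition action "
        if (index(allowed, " " key " ") == 0) { bad("unexpected key: " key); next }
        if (key in seen) bad("duplicate key: " key)
        seen[key] = 1
        if (val == "") bad("empty value for " key)
        else if (key == "result" && val !~ /^(passed|failed)$/)
            bad("result must be passed or failed")
        else if (key == "operation" && val !~ /^(Process|File|Network)$/)
            bad("operation must be Process, File or Network")
        else if (key == "action" && val !~ /^(Allow|Audit|Block)$/)
            bad("action must be Allow, Audit or Block")
    }
    END {
        n = split("source cmd result operation condition action", req, " ")
        for (j = 1; j <= n; j++)
            if (!(req[j] in seen)) { printf "%s: missing key: %s\n", FILENAME, req[j]; errors++ }
        if (section > 1) { printf "%s: more than one --- separator\n", FILENAME; errors++ }
        exit (errors > 0)                      # non-zero exit status when anything failed
    }' "$1"
}

# Constructed sample input: the scenario from this page, then a copy with two typos.
tmp=$(mktemp -d)
printf '%s\n' 'source: ubuntu-1-deployment' 'cmd: sleep 1' 'result: failed' '---' \
    'operation: Process' 'condition: sleep' 'action: Block' > "$tmp/cmd1"
sed -e 's/failed/fail/' -e 's/Block/Deny/' "$tmp/cmd1" > "$tmp/cmd2"
lint_cmd_file "$tmp/cmd1" && echo "cmd1: ok"
lint_cmd_file "$tmp/cmd2" || echo "cmd2: rejected"
rm -rf "$tmp"
```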
    2. Test KubeArmor in a local development environment
      • In the case that KubeArmor is not running
        Compile KubeArmor.
        $ cd KubeArmor/KubeArmor
        ~/KubeArmor/KubeArmor$ make clean && make
        Make sure that 'kubectl proxy' is running.
        $ kubectl proxy &
        Run the auto-testing framework (the framework will automatically run KubeArmor).
        $ cd KubeArmor/tests
        ~/KubeArmor/tests$ ./test-scenarios-local.sh
        Check the test report.
        ~/KubeArmor/tests$ cat /tmp/kubearmor.test
      • In the case that KubeArmor is running
        Run the auto-testing framework. Please make sure that KubeArmor is in a running state.
        $ cd KubeArmor/tests
        ~/KubeArmor/tests$ ./test-scenarios-in-runtime.sh
        Check the test report.
        ~/KubeArmor/tests$ cat /tmp/kubearmor.test
    3. Test the containerized KubeArmor image using MicroK8s
      Run the auto-testing framework.
      $ cd KubeArmor/tests
      ~/KubeArmor/tests$ ./test-scenarios-with-microk8s.sh
      Check the test report.
      ~/KubeArmor/tests$ cat /tmp/kubearmor.test
    4. Test the containerized KubeArmor image on running Kubernetes
      Run the auto-testing framework. Please make sure that KubeArmor is in a running state.
      $ cd KubeArmor/tests
      ~/KubeArmor/tests$ ./test-scenarios-in-runtime.sh
      Check the test report.
      ~/KubeArmor/tests$ cat /tmp/kubearmor.test
Last modified 1mo ago