Вход Зарегистрироваться
Обзор
Проекты с открытым исходным кодом > Cutting-edge Technology > Cloud Native &&
Сканировать QR-код WeChat для оплаты
Отмена
Платеж завершен
Смотреть
Отписаться Следить за всеми активностями Следить только за динамикой выпуска обновлений Подписаться без уведомления
1 В избранное 0 Ответвления 0

OSCHINA-MIRROR/mirrors-KubeArmor

Код Задачи 0 Запросы на слияние 0 Wiki Статистика
Присоединиться к Gitlife
Откройте для себя и примите участие в публичных проектах с открытым исходным кодом с участием более 10 миллионов разработчиков. Приватные репозитории также полностью бесплатны :)
Присоединиться бесплатно
Клонировать/Скачать
HTTPS SSH SVN SVN+SSH
Копировать
Скачать ZIP
testing_guide.md 5.3 КБ
Копировать Редактировать Web IDE Исходные данные Просмотреть построчно История
Achref Ben Saadd Отправлено 02.05.2022 03:11 6d85e92

Testing Guide

There are two ways to check the functionalities of KubeArmor: 1) testing KubeArmor manually and 2) using the testing framework.

0. Make sure that the annotation controller is installed on the cluster (Applicable for Steps 1 and 2)

  • To install the controller from KubeArmor docker repository to your cluster run
$ cd KubeArmor/pkg/KubeArmorAnnotation
~/KubeArmor/pkg/KubeArmorAnnotation$ make deploy
  • To install the controller (local version) to your cluster run
$ cd KubeArmor/pkg/KubeArmorAnnotation
~/KubeArmor/pkg/KubeArmorAnnotation$ make docker-build deploy

1. Test KubeArmor manually

1.1. Run 'kubectl proxy' in background

$ kubectl proxy &

1.2. Compile KubeArmor

$ cd KubeArmor/KubeArmor
~/KubeArmor/KubeArmor$ make clean && make

1.3. Run KubeArmor

~/KubeArmor/KubeArmor$ sudo -E ./kubearmor -gRPC=[gRPC port number]
                                           -logPath=[log file path]
                                           -enableKubeArmorPolicy=[true|false]
                                           -enableKubeArmorHostPolicy=[true|false]

1.4. Apply security policies into Kubernetes

Beforehand, check if the KubeArmorPolicy and KubeArmorHostPolicy CRDs are already applied.

$ kubectl explain KubeArmorPolicy

If they are still not applied, do so.

$ kubectl apply -f ~/KubeArmor/deployments/CRD/

Now you can apply specific policies.

$ kubectl apply -f [policy file]

You can refer to security policies defined for example microservices in examples.

1.5. Trigger policy violations to generate alerts

$ kubectl -n [namespace name] exec -it [pod name] -- bash -c [command]

1.6. Check generated alerts

  • Watch alerts using karmor cli tool

    $ karmor log [flags]

    flags:

    --gRPC string        gRPC server information
--help               help for log
--json               Flag to print alerts and logs in the JSON format
--logFilter string   What kinds of alerts and logs to receive, {policy|system|all} (default "policy")
--logPath string     Output location for alerts and logs, {path|stdout|none} (default "stdout")
--msgPath string     Output location for messages, {path|stdout|none} (default "none")

    Note that you will see alerts and logs generated right after karmor runs logs; thus, we recommend to run the above command in other terminal to see logs live.

2. Test KubeArmor using the auto-testing framework

2.1. Prepare microservices and test scenarios

The auto-testing framework operates based on two things: microservices and test scenarios for each microservice.

  • Microservices

    Create a directory for a microservice in microservices

    $ cd KubeArmor/tests/microservices
~/KubeArmor/tests/microservices$ mkdir [microservice name]

    Then, create YAML files for the microservice

    $ cd KubeArmor/tests/microservices/[microservice name]
~/KubeArmor/tests/microservices/[microservice name]$ ...

    As an example, we created 'multiubuntu' in microservices and defined 'multiubuntu-deployment.yaml' in multiubuntu.

  • Test scenarios

    Create a directory whose name is like '[microservice name]_[scenario name]' in scenarios

    $ cd KubeArmor/tests/scenarios
~/KubeArmor/tests/scenarios$ mkdir [microservice name]_[scenario name]

    Then, define a YAML file for a test policy in the directory

    ~/KubeArmor/tests/scenarios$ cd [microservice name]_[scenario name]
.../[microservice name]_[scenario name]$ vi [policy name].yaml

    Create cmd files whose names are like 'cmd#'

    .../[microservice name]_[scenario name]$ vi cmd1 / cmd2 / ...

    Here is a template for a cmd file.

    source: [pod name]
cmd: [command to trigger a policy violation]
result: [expected result], { passed | failed }
---
operation: [operation], { Process | File | Network }
condition: [matching string]
action: [action in a policy] { Allow | Audit | Block }

    This is a cmd example of a test scenario.

    source: ubuntu-1-deployment
cmd: sleep 1
result: failed
---
operation: Process
condition: sleep
action: Block

    You can refer to predefined testcases in scenarios.

2.2. Test KubeArmor

  • The case that KubeArmor is directly running in a host

    Compile KubeArmor

    $ cd KubeArmor/KubeArmor
~/KubeArmor/KubeArmor$ make clean && make

    Run the auto-testing framework

    $ cd KubeArmor/tests
~/KubeArmor/tests$ ./test-scenarios-local.sh

    Check the test report

    ~/KubeArmor/tests$ cat /tmp/kubearmor.test

  • The case that KubeArmor is running as a daemonset in Kubernetes

    Run the testing framework

    $ cd KubeArmor/tests
~/KubeArmor/tests$ ./test-scenarios-in-runtime.sh

    Check the test report

    ~/KubeArmor/tests$ cat /tmp/kubearmor.test

Опубликовать ( 0 )

Вы можете оставить комментарий после Вход в систему

1
https://api.gitlife.ru/oschina-mirror/mirrors-KubeArmor.git
git@api.gitlife.ru:oschina-mirror/mirrors-KubeArmor.git
oschina-mirror
mirrors-KubeArmor
mirrors-KubeArmor
main
Опубликовать
Отчет о репозитории
Вернуться к началу