diff --git a/.github/workflows/ci-test-controllers.yml b/.github/workflows/ci-test-controllers.yml index f288d2e8e0..fd60219a21 100644 --- a/.github/workflows/ci-test-controllers.yml +++ b/.github/workflows/ci-test-controllers.yml @@ -6,7 +6,7 @@ on: - "main" paths: - "pkg/**" - - ".github/workflows/ci-test-ginkgo.yml" + - ".github/workflows/ci-test-controllers.yml" jobs: kubearmor-controller-test: @@ -22,9 +22,11 @@ jobs: go-version: "v1.20" - uses: actions/checkout@v3 + with: + go-version: "v1.20" - name: Setup a Kubernetes environment - run: ./.github/workflows/install-k3s.sh + run: ../../.github/workflows/install-k3s.sh - name: Build KubeArmorController run: make docker-build TAG=latest diff --git a/tests/ksp/ksp_test.go b/tests/ksp/ksp_test.go index bf940eb554..abc0e02fb8 100644 --- a/tests/ksp/ksp_test.go +++ b/tests/ksp/ksp_test.go 
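Review bot: In the second hunk of ci-test-controllers.yml, the added `with:` / `go-version: "v1.20"` sits under `- uses: actions/checkout@v3`, and `go-version` is not an input of `actions/checkout`, so it does nothing except produce an unexpected-input warning. The step just above (its `uses:` line is outside the hunk) already carries `go-version: "v1.20"`, so the two added lines can be dropped. The new `run: ../../.github/workflows/install-k3s.sh` resolves against the step's working directory, which is set outside this hunk. Confirm that the job's `defaults.run.working-directory` is exactly two levels below the repository root, otherwise the script will not be found.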
@@ -568,55 +568,6 @@ var _ = Describe("Ksp", func() { }) - It("mount will be blocked by default for a pod", func() { - // Start KubeArmor Logs - err := KarmorLogStart("policy", "multiubuntu", "Syscall", ub3) - Expect(err).To(BeNil()) - - // execute mount inside the pod - sout, _, err := K8sExecInPod(ub3, "multiubuntu", - []string{"bash", "-c", "mkdir /mnt/test"}) - Expect(err).To(BeNil()) - sout, _, err = K8sExecInPod(ub3, "multiubuntu", - []string{"bash", "-c", "mount /home /mnt/test"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) - - expect := protobuf.Alert{ - PolicyName: "DefaultPosture", - Action: "Block", - Result: "Permission denied", - Data: "syscall=SYS_MOUNT", - } - - res, err := KarmorGetTargetAlert(5*time.Second, &expect) - Expect(err).To(BeNil()) - Expect(res.Found).To(BeTrue()) - }) - - It("umount will be blocked by default for a pod as the capability not added", func() { - // Start KubeArmor Logs - err := KarmorLogStart("policy", "multiubuntu", "Syscall", ub3) - Expect(err).To(BeNil()) - - // execute umount inside the pod - sout, _, err := K8sExecInPod(ub3, "multiubuntu", - []string{"bash", "-c", "umount /mnt"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) - - expect := protobuf.Alert{ - PolicyName: "DefaultPosture", - Action: "Block", - Result: "Operation not permitted", - Data: "syscall=SYS_UMOUNT2", - } - - res, err := KarmorGetTargetAlert(5*time.Second, &expect) - Expect(err).To(BeNil()) - Expect(res.Found).To(BeTrue()) - }) - }) Describe("Apply Files Policies", func() { diff --git a/tests/syscalls/syscalls_test.go b/tests/syscalls/syscalls_test.go index 3da60ec29e..c89f2f56b7 100644 --- a/tests/syscalls/syscalls_test.go +++ b/tests/syscalls/syscalls_test.go @@ -4,8 +4,10 @@ package syscalls import ( + "fmt" "time" + "github.com/kubearmor/KubeArmor/protobuf" . "github.com/kubearmor/KubeArmor/tests/util" . "github.com/onsi/ginkgo/v2" . "github.com/onsi/gomega" 
@@ -477,6 +479,55 @@ var _ = Describe("Syscalls", func() { Expect(alerts[0].Tags).To(Equal("Global tag")) Expect(alerts[0].Message).To(Equal("Local message")) }) + + It("mount will be blocked by default for a pod", func() { + // Start KubeArmor Logs + err := KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) + Expect(err).To(BeNil()) + + // execute mount inside the pod + sout, _, err := K8sExecInPod(ubuntu, "syscalls", + []string{"bash", "-c", "mkdir /mnt/test"}) + Expect(err).To(BeNil()) + sout, _, err = K8sExecInPod(ubuntu, "syscalls", + []string{"bash", "-c", "mount /home /mnt/test"}) + Expect(err).To(BeNil()) + fmt.Printf("OUTPUT: %s\n", sout) + + expect := protobuf.Alert{ + PolicyName: "DefaultPosture", + Action: "Block", + Result: "Permission denied", + Data: "syscall=SYS_MOUNT", + } + + res, err := KarmorGetTargetAlert(5*time.Second, &expect) + Expect(err).To(BeNil()) + Expect(res.Found).To(BeTrue()) + }) + + It("umount will be blocked by default for a pod as the capability not added", func() { + // Start KubeArmor Logs + err := KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) + Expect(err).To(BeNil()) + + // execute umount inside the pod + sout, _, err := K8sExecInPod(ubuntu, "syscalls", + []string{"bash", "-c", "umount /mnt"}) + Expect(err).To(BeNil()) + fmt.Printf("OUTPUT: %s\n", sout) + + expect := protobuf.Alert{ + PolicyName: "DefaultPosture", + Action: "Block", + Result: "Operation not permitted", + Data: "syscall=SYS_UMOUNT2", + } + + res, err := KarmorGetTargetAlert(5*time.Second, &expect) + Expect(err).To(BeNil()) + Expect(res.Found).To(BeTrue()) + }) }) })
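Review bot: Both added specs assert only that a `DefaultPosture`/`Block` alert was emitted and never check that `mount /home /mnt/test` or `umount /mnt` actually failed inside the pod, so a regression where the alert is logged but the syscall succeeds would still pass. The second return value of `K8sExecInPod` is discarded with `_`; if it is the command's stderr (its definition is not visible here), capture it and assert on it, e.g. `sout, serr, err = K8sExecInPod(...)` followed by `Expect(serr).To(MatchRegexp("(?i)permission denied"))`. The `sout` from the `mkdir /mnt/test` call is assigned and never read, so `_, _, err :=` is clearer there, and `mkdir -p` would keep the spec re-runnable against the same pod. The enclosing `Describe` starts outside the hunk, so whatever posture or policy setup makes the `syscalls` namespace block by default should be named in a comment on each `It`.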