KubeArmor manual tests before releases
The documentation provides the tests for KubeArmor which should be performed before creating a new KubeArmor release.
- BottleRocket - BPF-LSM
- GKE COS
- Apparmor
- BPF LSM
- RHEL (certain BPF_LSM primitives are not available on RHEL)
🛡️ Enforcement - Apparmor, BPF-LSM
Workload: wordpress-mysql Wordpress-mysql deployment
Security policies: KubeArmor/examples/wordpress-mysql/security-policies
For observability apply the respective policies and check karmor logs for corresponding logs.
- 🛑 Block policy - Expected alert + Block enforcement for the resource mentioned in the policy
- 🔍 Audit policy -
- If Visibility enabled :- Expected alert but no enforcement
- else :- No alert and no enforcement
- 👍 Allow policy - Expect alerts only for the resource(s) not mentioned in the policy
- Default posture - If it’s set to audit (that’s default) then for an applied Allow policy, we shouldn't be blocking other processes, instead we should get Audit alerts
NOTE: In either case, you'll get alerts only when visibility is enabled
- Default posture - If it’s set to audit (that’s default) then for an applied Allow policy, we shouldn't be blocking other processes, instead we should get Audit alerts
Note down KubeArmor’s CPU and memory usages with and without load. (kubectl top)
This will help us in comparing KubeArmor’s performance among different releases.
