This program provides integrity monitoring that checks whether the files or directories of a container have been tampered with or corrupted.
integrity-sum, which is a type of change auditing, verifies and validates these files by comparing them with the checksums stored in the database.
If the program detects that files have been altered, updated, added or compromised, it rolls the deployment back to a previous version.
integrity-sum injects hasher-sidecar into your pods as a sidecar container.
hasher-sidecar is the Go implementation of a hasher that calculates the checksum of files in Kubernetes using one of the following algorithms:
- MD5
- SHA256
- SHA1
- SHA224
- SHA384
- SHA512
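As an added illustration (not code from the integrity-sum project), here is a minimal Go version of the two steps described above: hashing every regular file in a tree with one of the six listed algorithms, then comparing the result with a stored baseline to find altered, added or removed files. `HashTree`, `Diff` and the `hashers` map are names chosen for this example; any `fs.FS`, such as `os.DirFS("/app")` inside the container, can be passed in.

```go
package main
import (
	"crypto/md5"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/hex"
	"hash"
	"io/fs"
	"strings"
)
// The six algorithms listed above; keys are upper-cased so -a sha256 and -a SHA256 behave the same.
var hashers = map[string]func() hash.Hash{"MD5": md5.New, "SHA1": sha1.New,
	"SHA224": sha256.New224, "SHA256": sha256.New, "SHA384": sha512.New384, "SHA512": sha512.New}
// HashTree returns path -> hex digest for every regular file under fsys (e.g. os.DirFS("/app")).
func HashTree(fsys fs.FS, algo string) (map[string]string, error) {
	newHash := hashers[strings.ToUpper(algo)]
	if newHash == nil {
		return nil, fs.ErrInvalid // unknown algorithm name
	}
	sums := map[string]string{}
	err := fs.WalkDir(fsys, ".", func(p string, d fs.DirEntry, err error) error {
		if err != nil || !d.Type().IsRegular() {
			return err // propagate walk errors; skip directories, symlinks and devices
		}
		data, err := fs.ReadFile(fsys, p)
		if err == nil {
			h := newHash()
			h.Write(data)
			sums[p] = hex.EncodeToString(h.Sum(nil))
		}
		return err
	})
	return sums, err
}
// Diff compares a fresh scan with the stored baseline; any non-empty result is the rollback condition.
func Diff(baseline, current map[string]string) (modified, added, removed []string) {
	for p, sum := range current {
		if old, ok := baseline[p]; !ok {
			added = append(added, p)
		} else if old != sum {
			modified = append(modified, p)
		}
	}
	for p := range baseline {
		if _, ok := current[p]; !ok {
			removed = append(removed, p)
		}
	}
	return
}
```

Reading each file whole with `fs.ReadFile` keeps the example short; for large files stream the contents into the hash with `io.Copy` instead.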
Clone the repository:
`$ cd path/to/install`
`$ git clone https://github.com/ScienceSoft-Inc/integrity-sum.git`
Download the named modules into the module cache:
`go mod download`
You can test this application from your CLI (Command Line Interface) on local files and folders.
You can use it with the following options (flags):
- `-d` (path to dir): `go run cmd/demo-app/main.go -d ./..`
- `-a` (hash algorithm): `go run cmd/demo-app/main.go -a sha256`, `go run cmd/demo-app/main.go -a SHA256`, or combined with a directory: `go run cmd/demo-app/main.go -a SHA256 -d ./..`
- `-h` (options docs): `go run cmd/demo-app/main.go -h`
The code only works when running inside a pod in Kubernetes.
You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster.
If you do not already have a cluster, you can create one by using minikube; see https://minikube.sigs.k8s.io/docs/start/
Before using the Helm charts you need to install Helm on your local machine.
You can find the necessary installation information at https://helm.sh/docs/intro/install/
To work properly, you first need to set the configuration files:
- environment variables in the `.env` file
- values in the file `helm-charts/database-to-integrity-sum/values.yaml`
- values in the file `helm-charts/app-to-monitor/values.yaml`
You can use the make targets:
- `make all` runs all necessary cleaning targets and dependencies for the project
- `make stop` removes the installed Helm deployments and stops minikube
- `make run` builds and runs the project on a local machine
- `make compile` generates binaries for different platforms
Set some values:
- set the value `secretNameDB` in the file `helm-charts/app-to-monitor/values.yaml` to be the same as the value of `secretName` in the file `helm-charts/database-to-integrity-sum/values.yaml`
- set the value `releaseNameDB` in the file `helm-charts/app-to-monitor/values.yaml` to be the same as the release name you will use when installing the database
Start minikube:
`minikube start`
Build the hasher docker image inside minikube's docker daemon:
`eval $(minikube docker-env)`
`docker build -t hasher .`
Then update the on-disk dependencies to mirror Chart.yaml:
`helm dependency update helm-charts/database-to-integrity-sum`
The following command installs a chart archive:
`helm install <release name> <path to a packaged chart>`
For example, install the helm chart with the database:
`helm install db helm-charts/database-to-integrity-sum`
and install the helm chart with the app:
`helm install app helm-charts/app-to-monitor`
If you want to use a hasher-sidecar, then you need to specify the following data in your deployment:
- the label `main-process-name: "your main process name"`
- `template.spec.serviceAccountName: api-version-hasher`
- `template.shareProcessNamespace: true`
If the pod is not injected with the sidecar container as expected, check the following items:
- The pod is in the running state with the `hasher-sidecar` sidecar container injected and no error logs.
- The application pod has the correct label `main-process-name`.
Serve the documentation locally:
`godoc -http=:6060/integritySum`
or print the docs of a single symbol with `go doc package.function_name`, for example:
`go doc pkg/api.Result`
First of all you need to install mockgen:
`go install github.com/golang/mock/mockgen@${VERSION_MOCKGEN}`
Generate the mocks:
`go generate ./internal/core/ports/repository.go`
`go generate ./internal/core/ports/service.go`
To run the tests, go to the folder where the `*_test.go` file is located and run `go test -v`, for example:
`cd ../pkg/api`
`go test -v`
or run every test in the repository:
`go test -v ./...`
Run the linter with:
`golangci-lint run`
This project uses the MIT software license. See the full license file.