Add kubearmor addon (canonical#147)

Gmerold · Oct 31, 2023 · ac3f90a · ac3f90a
1 parent 441e8e0
commit ac3f90a
Show file tree

Hide file tree

Showing 5 changed files with 101 additions and 0 deletions.
diff --git a/addons.yaml b/addons.yaml
@@ -206,3 +206,12 @@ microk8s-addons:
       supported_architectures:
         - amd64
         - arm64
+
+    - name: "kubearmor"
+      description: "Cloud-native runtime security enforcement system for k8s"
+      version: "0.10.2"
+      check_status: "daemonset.apps/kubearmor"
+      confinement: "classic"
+      supported_architectures:
+        - amd64
+        - arm64
diff --git a/addons/kubearmor/disable b/addons/kubearmor/disable
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+echo "Removing kubearmor from k8s cluster"
+
+sudo microk8s karmor uninstall
+
+if [[ -f "$SNAP_COMMON/plugins/karmor" ]]; then
+    sudo rm "$SNAP_COMMON/plugins/karmor"
+fi
+
+if [[ -f "$SNAP_COMMON/bin/karmor" ]]; then
+    sudo rm "$SNAP_COMMON/bin/karmor"
+fi
+
diff --git a/addons/kubearmor/enable b/addons/kubearmor/enable
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+set -e
+
+CURRENT_DIR=$(cd $(dirname "${BASH_SOURCE[0]}") && pwd)
+
+curl -sfL http://get.kubearmor.io/ | sudo sh -s -- -b "$SNAP_COMMON/bin"
+
+cp "$CURRENT_DIR/karmor" "$SNAP_COMMON/plugins"
+
+chmod +x "$SNAP_COMMON/plugins/karmor"
+
+sudo microk8s karmor install --image=kubearmor/kubearmor:v0.10.2
diff --git a/addons/kubearmor/karmor b/addons/kubearmor/karmor
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+if [ "$EUID" -ne 0 ]
+then echo "Elevated permissions are needed for this command. Please use sudo."
+    exit 1
+fi
+
+export KUBECONFIG=$SNAP_DATA/credentials/client.config
+
+${SNAP_COMMON}/bin/karmor $*
diff --git a/tests/test_kubearmor.py b/tests/test_kubearmor.py
@@ -0,0 +1,55 @@
+import pytest
+import platform
+import os
+
+
+from utils import (
+    is_container,
+    microk8s_enable,
+    microk8s_disable,
+    microk8s_reset,
+    wait_for_installation,
+    wait_for_pod_state,
+)
+
+
+class TestKubearmor(object):
+    @pytest.mark.skipif(
+        os.environ.get("STRICT") == "yes",
+        reason=(
+            "Skipping kubearmor tests in strict confinement as they are expected to fail"
+        ),
+    )
+    @pytest.mark.skipif(
+        is_container(), reason="Kubearmor tests are skipped in containers"
+    )
+    @pytest.mark.skipif(platform.machine() == "s390x", reason="Not available on s390x")
+    def test_kubearmor(self):
+        """
+        Sets up and validates kubearmor.
+        """
+        print("Enabling Kubearmor")
+        microk8s_enable("kubearmor")
+        print("Validating Kubearmor")
+        self.validate_kubearmor()
+        print("Disabling Kubearmor")
+        microk8s_disable("kubearmor")
+        microk8s_reset()
+
+    def validate_kubearmor(self):
+        """
+        Validate kubearmor by applying policy to nginx container.
+        """
+
+        wait_for_installation()
+        kubearmor_pods = [
+            "kubearmor-controller",
+            "kubearmor",
+            "kubearmor-relay",
+        ]
+        for pod in kubearmor_pods:
+            wait_for_pod_state(
+                "", "kube-system", "running", label="kubearmor-app={}".format(pod)
+            )
+
+        print("Kubearmor testing passed.")