Add kubearmor addon

addons.yaml

@@ -207,3 +207,12 @@ microk8s-addons:
       supported_architectures:
         - amd64
         - arm64
+
+    - name: "kubearmor"
+      description: "Cloud-native runtime security enforcement system for k8s"
+      version: "0.10.2"
+      check_status: "daemonset.apps/kubearmor"
+      confinement: "classic"
+      supported_architectures:
+        - amd64
+        - arm64

addons/kubearmor/disable

@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+
+echo "Removing kubearmor from k8s cluster"
+
+sudo microk8s karmor uninstall
+
+if [[ -f "$SNAP_COMMON/plugins/karmor" ]]; then
+    sudo rm "$SNAP_COMMON/plugins/karmor"
+fi
+
+if [[ -f "$SNAP_COMMON/bin/karmor" ]]; then
+    sudo rm "$SNAP_COMMON/bin/karmor"
+fi
+

addons/kubearmor/enable

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+set -e
+
+CURRENT_DIR=$(cd $(dirname "${BASH_SOURCE[0]}") && pwd)
+
+curl -sfL http://get.kubearmor.io/ | sudo sh -s -- -b "$SNAP_COMMON/bin"
+
+cp "$CURRENT_DIR/karmor" "$SNAP_COMMON/plugins"
+
+chmod +x "$SNAP_COMMON/plugins/karmor"
+
+sudo microk8s karmor install

addons/kubearmor/karmor

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+if [ "$EUID" -ne 0 ]
+then echo "Elevated permissions are needed for this command. Please use sudo."
+    exit 1
+fi
+
+export KUBECONFIG=$SNAP_DATA/credentials/client.config
+
+${SNAP_COMMON}/bin/karmor $*

tests/test_kubearmor.py

@@ -0,0 +1,48 @@
+import pytest
+import platform
+import os
+
+
+from utils import (
+    is_container,
+    microk8s_enable,
+    microk8s_disable,
+    microk8s_reset,
+    wait_for_installation,
+    wait_for_pod_state,
+)
+
+
+class TestKubearmor(object):
+    @pytest.mark.skipif(os.environ.get("STRICT") == "yes", reason=("Skipping kubearmor tests in strict confinement as they are expected to fail"))
+    @pytest.mark.skipif(is_container(), reason="Kubearmor tests are skipped in containers")
+    @pytest.mark.skipif(platform.machine() == "s390x", reason="Not available on s390x")
+    def test_kubearmor(self):
+        """
+        Sets up and validates kubearmor.
+        """
+        print("Enabling Kubearmor")
+        microk8s_enable("kubearmor")
+        print("Validating Kubearmor")
+        self.validate_kubearmor()
+        print("Disabling Kubearmor")
+        microk8s_disable("kubearmor")
+        microk8s_reset()
+
+    def validate_kubearmor(self):
+        """
+        Validate kubearmor by applying policy to nginx container.
+        """
+
+        wait_for_installation()
+        kubearmor_pods = [
+            "kubearmor-controller",
+            "kubearmor",
+            "kubearmor-relay",
+        ]
+        for pod in kubearmor_pods:
+            wait_for_pod_state(
+                "", "kube-system", "running", label="kubearmor-app={}".format(pod)
+            )
+
+        print("Kubearmor testing passed.")