Add kubearmor addon

addons.yaml

@@ -207,3 +207,11 @@ microk8s-addons:
       supported_architectures:
         - amd64
         - arm64
+
+    - name: "kubearmor"
+      description: "Cloud-native runtime security enforcement system for k8s"
+      version: "0.10.2"
+      check_status: "daemonset.apps/kubearmor"
+      supported_architectures:
+        - amd64
+        - arm64

addons/kubearmor/disable

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+echo "Removing kubearmor from k8s cluster"
+
+config=$(sudo microk8s config)
+
+echo "$config" > $SNAP_DATA/.kube/config
+
+export KUBECONFIG=$SNAP_DATA/.kube/config
+
+karmor uninstall
+
+rm $SNAP_DATA/.kube/config
+
+if [[ -f "/usr/local/bin/karmor" ]]; then
+    sudo rm /usr/local/bin/karmor
+fi

addons/kubearmor/enable

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+set -e
+
+config=$(sudo microk8s config)
+
+echo "$config" > $SNAP_DATA/.kube/config
+
+export KUBECONFIG=$SNAP_DATA/.kube/config
+
+if hash karmor 2>/dev/null; then
+    echo "karmor tool is already installed"
+else 
+    curl -sfL http://get.kubearmor.io/ | sudo sh -s -- -b /usr/local/bin
+fi
+
+karmor install

tests/templates/kubearmor-nginx.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kubearmor-test
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginx
+  namespace: kubearmor-test
+  labels:
+    app: nginx-test-pod
+spec:
+  containers:
+    - name: nginx
+      image: nginx:latest
+      ports:
+        - containerPort: 80

tests/templates/kubearmor-policy.yaml

@@ -0,0 +1,16 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+  name: kubearmor-block-process
+  namespace: kubearmor-test
+spec:
+  severity: 3
+  selector:
+    matchLabels:
+      app: nginx-test-pod
+  process:
+    matchPaths:
+      - path: /usr/bin/apt
+      - path: /usr/bin/apt-get
+
+  action: Block

tests/test_kubearmor.py

@@ -0,0 +1,60 @@
+import os
+import pytest
+import platform
+
+
+from utils import (
+    kubectl,
+    microk8s_enable,
+    microk8s_disable,
+    microk8s_reset,
+    wait_for_installation,
+    wait_for_pod_state,
+)
+
+
+class TestKubearmor(object):
+    @pytest.mark.skipif(platform.machine() == "s390x", reason="Not available on s390x")
+    def test_kubearmor(self):
+        """
+        Sets up and validates kubearmor.
+        """
+        print("Enabling Kubearmor")
+        microk8s_enable("kubearmor")
+        print("Validating Kubearmor")
+        self.validate_kubearmor()
+        print("Disabling Kubearmor")
+        microk8s_disable("kubearmor")
+        microk8s_reset()
+
+    def validate_kubearmor(self):
+        """
+        Validate kubearmor by applying policy to nginx container.
+        """
+
+        wait_for_installation()
+        kubearmor_pods = [
+            "kubearmor-controller",
+            "kubearmor",
+            "kubearmor-relay",
+        ]
+        for pod in kubearmor_pods:
+            wait_for_pod_state(
+                "", "kube-system", "running", label="kubearmor-app={}".format(pod)
+            )
+
+        here = os.path.dirname(os.path.abspath(__file__))
+        manifest = os.path.join(here, "templates", "kubearmor-nginx.yaml")
+        policy = os.path.join(here, "templates", "kubearmor-policy.yaml")
+        kubectl("apply -f {}".format(manifest))
+        wait_for_pod_state("", "kubearmor-test", "running", label="app=nginx-test-pod")
+        kubectl("apply -f {}".format(policy))
+        output = kubectl("exec -n kubearmor-test nginx -- apt")
+        kubectl("delete -f {}".format(policy))
+        kubectl("delete -f {}".format(manifest))
+        if "permission denied" in output:
+            print("Kubearmor testing passed.")
+            assert True
+        else:
+            print("Kubearmor testing failed.")
+            assert False