changes suggested in review

Signed-off-by: Rudraksh Pareek <[email protected]>
kubearmor · Jun 14, 2022 · c10756d · c10756d
1 parent 09fb42d
commit c10756d
Show file tree

Hide file tree

Showing 7 changed files with 80 additions and 48 deletions.
diff --git a/.github/workflows/ci-test.yml b/.github/workflows/ci-test.yml
@@ -18,19 +18,19 @@ on:
 
 jobs:
   build:
-    name: Auto-testing Framework / ${{ matrix.os }} / ${{ matrix.runtime }}
+    name: Auto-testing Framework / ${{ matrix.os }}
     runs-on: ${{ matrix.os }}
-    env:
-      RUNTIME: ${{ matrix.runtime }}
     strategy:
       fail-fast: false
       matrix:
         os: [ubuntu-latest, ubuntu-18.04]
-        runtime: ["containerd", "docker", "crio"]
     steps:
       - name: Kernel version
         run: uname -r
 
+      - name: Check Docker Version
+        run: docker --version
+
       - uses: actions/checkout@v2
 
       - name: Set up Go
@@ -54,15 +54,7 @@ jobs:
 
       - name: Setup Enviroment
         run: |
-          if [ "$RUNTIME" == "crio" ]; then
-            ./contribution/self-managed-k8s/crio/install-crio.sh
-            crio --version
-          elif [ "$RUNTIME" == "containerd" ]; then
-            # stop the running default containerd service so that k3s embedded
-            # containerd service can be used
-            sudo systemctl stop containerd.service
-          fi
-          RUNTIME=$RUNTIME ./contribution/k3s/install_k3s.sh
+          ./contribution/k3s/install_k3s.sh
 
       - name: Install annotation controller
         run: |
@@ -75,7 +67,7 @@ jobs:
         run: kubectl proxy &
 
       - name: Test KubeArmor
-        run: RUNTIME=$RUNTIME ./tests/test-scenarios-github.sh
+        run: ./tests/test-scenarios-github.sh
         timeout-minutes: 15
 
       - name: Archive log artifacts

diff --git a/KubeArmor/core/kubeArmor.go b/KubeArmor/core/kubeArmor.go
@@ -485,42 +485,42 @@ func KubeArmor() {
 					return
 				}
 			}
-		} else if strings.HasPrefix(dm.Node.ContainerRuntimeVersion, "containerd") { // containerd
+		} else if strings.HasPrefix(dm.Node.ContainerRuntimeVersion, "cri-o") { // cri-o
 			sockFile := false
 
-			for _, candidate := range []string{"/var/run/containerd/containerd.sock", "/var/snap/microk8s/common/run/containerd.sock", "/run/k3s/containerd/containerd.sock"} {
+			for _, candidate := range []string{"/var/run/crio/crio.sock"} {
 				if _, err := os.Stat(candidate); err == nil {
 					sockFile = true
 					break
 				}
 			}
 
 			if sockFile {
-				// monitor containerd events
-				go dm.MonitorContainerdEvents()
+				// monitor cri-o events
+				go dm.MonitorCrioEvents()
 			} else {
-				dm.Logger.Err("Failed to monitor containers (Containerd socket file is not accessible)")
+				dm.Logger.Err("Failed to monitor containers (CRI-O socket file is not accessible)")
 
 				// destroy the daemon
 				dm.DestroyKubeArmorDaemon()
 
 				return
 			}
-		} else if strings.HasPrefix(dm.Node.ContainerRuntimeVersion, "cri-o") { // cri-o
+		} else { // containerd
 			sockFile := false
 
-			for _, candidate := range []string{"/var/run/crio/crio.sock"} {
+			for _, candidate := range []string{"/var/run/containerd/containerd.sock", "/var/snap/microk8s/common/run/containerd.sock", "/run/k3s/containerd/containerd.sock"} {
 				if _, err := os.Stat(candidate); err == nil {
 					sockFile = true
 					break
 				}
 			}
 
 			if sockFile {
-				// monitor cri-o events
-				go dm.MonitorCrioEvents()
+				// monitor containerd events
+				go dm.MonitorContainerdEvents()
 			} else {
-				dm.Logger.Err("Failed to monitor containers (CRI-O socket file is not accessible)")
+				dm.Logger.Err("Failed to monitor containers (Containerd socket file is not accessible)")
 
 				// destroy the daemon
 				dm.DestroyKubeArmorDaemon()

diff --git a/contribution/k3s/install_k3s.sh b/contribution/k3s/install_k3s.sh
@@ -12,12 +12,12 @@ if [ "$RUNTIME" == "docker" ]; then # docker
         curl -sfL https://get.k3s.io | K3S_KUBECONFIG_MODE="644" INSTALL_K3S_EXEC="--disable=traefik --docker" sh -
         [[ $? != 0 ]] && echo "Failed to install k3s" && exit 1
     fi
-elif [ "$RUNTIME" == "containerd" ]; then # containerd
-    curl -sfL https://get.k3s.io | K3S_KUBECONFIG_MODE="644" INSTALL_K3S_EXEC="--disable=traefik" sh -
-    [[ $? != 0 ]] && echo "Failed to install k3s" && exit 1
-else #cri-o
+elif [ "$RUNTIME" == "crio" ]; then # cri-o
   curl -sfL https://get.k3s.io | K3S_KUBECONFIG_MODE="644" INSTALL_K3S_EXEC="--disable=traefik --container-runtime-endpoint unix:///var/run/crio/crio.sock --kubelet-arg cgroup-driver=systemd" sh -
   [[ $? != 0 ]] && echo "Failed to install k3s" && exit 1
+else # use containerd by default
+  curl -sfL https://get.k3s.io | K3S_KUBECONFIG_MODE="644" INSTALL_K3S_EXEC="--disable=traefik" sh -
+  [[ $? != 0 ]] && echo "Failed to install k3s" && exit 1
 fi
 
 if [[ $(hostname) = kubearmor-dev* ]]; then

diff --git a/contribution/self-managed-k8s-selinux/crio/install_crio.sh b/contribution/self-managed-k8s-selinux/crio/install_crio.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2022 Authors of KubeArmor
+
+. /etc/os-release
+
+if [ "$ID" != "centos" ]; then
+    echo "Supports CentOS"
+    exit
+fi
+
+OS="CentOS_${VERSION_ID}"
+VERSION=1.19
+
+if [ "$NAME" == "CentOS Stream" ]; then
+	OS="${OS}_Stream"
+fi
+
+# remove podman
+sudo yum remove buildah skopeo podman containers-common atomic-registries docker container-tools
+
+# remove left-over files
+sudo rm -rf /etc/containers/* /var/lib/containers/* /etc/docker /etc/subuid* /etc/subgid*
+cd ~ && rm -rf /.local/share/containers/
+
+# disable selinux
+sudo sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config
+
+# setup repo
+sudo curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable.repo https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/devel:kubic:libcontainers:stable.repo
+sudo curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable:cri-o:$VERSION.repo https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable:cri-o:$VERSION/$OS/devel:kubic:libcontainers:stable:cri-o:$VERSION.repo
+
+sudo yum install cri-o containernetworking-plugins
+
+sudo systemctl daemon-reload
+sudo systemctl start crio.service
diff --git a/contribution/self-managed-k8s-selinux/crio/uninstall_crio.sh b/contribution/self-managed-k8s-selinux/crio/uninstall_crio.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2022 Authors of KubeArmor
+
+sudo systemctl stop crio.service
+
+sudo dnf remove cri-o
+
+sudo rm -rf /etc/crictl.yaml
+sudo rm -rf /var/lib/crio
diff --git a/contribution/vagrant/Vagrantfile b/contribution/vagrant/Vagrantfile
@@ -76,6 +76,13 @@ Vagrant.configure("2") do |config|
       # install Kubernetes
       config.vm.provision :shell, :inline => "RUNTIME=docker /home/vagrant/KubeArmor/contribution/self-managed-k8s-selinux/k8s/install_kubernetes.sh"
 
+    elsif ENV['RUNTIME'] == "crio" then
+      # install CRI-O
+      config.vm.provision :shell, path: kubearmor_home + "/contribution/self-managed-k8s-selinux/crio/install_crio.sh"
+
+      # install Kubernetes
+      config.vm.provision :shell, :inline => "RUNTIME=crio /home/vagrant/KubeArmor/contribution/self-managed-k8s-selinux/k8s/install_kubernetes.sh"
+
     else # default == 'docker'
       # install Docker
       config.vm.provision :shell, path: kubearmor_home + "/contribution/self-managed-k8s-selinux/docker/install_docker.sh"
@@ -108,6 +115,13 @@ Vagrant.configure("2") do |config|
       # install Kubernetes
       config.vm.provision :shell, :inline => "RUNTIME=containerd /home/vagrant/KubeArmor/contribution/self-managed-k8s/k8s/install_kubernetes.sh"
 
+    elsif ENV['RUNTIME'] == "crio" then
+      # install CRI-O
+      config.vm.provision :shell, path: kubearmor_home + "/contribution/self-managed-k8s/crio/install-crio.sh"
+
+      # install Kubernetes
+      config.vm.provision :shell, :inline => "CRI_SOCKET=unix:///var/run/crio/crio.sock /home/vagrant/KubeArmor/contribution/self-managed-k8s/k8s/install_kubernetes.sh"
+
     else # default == 'docker'
       # install Docker
       config.vm.provision :shell, path: kubearmor_home + "/contribution/self-managed-k8s/docker/install_docker.sh"

diff --git a/tests/test-scenarios-github.sh b/tests/test-scenarios-github.sh
@@ -22,13 +22,6 @@ realpath() {
 TEST_HOME=`dirname $(realpath "$0")`
 CRD_HOME=`dirname $(realpath "$0")`/../deployments/CRD
 ARMOR_HOME=`dirname $(realpath "$0")`/../KubeArmor
-IGN_FILE=$TEST_HOME/tests.ignore
-
-# skip tests that don't work with some runtimes
-if [ "$RUNTIME" == "crio" ]; then
-	# see #697
-	echo "github_test_13" | tee -a $IGN_FILE
-fi
 
 LSM="none"
 
@@ -627,16 +620,6 @@ INFO "Started KubeArmor"
 
 res_microservice=0
 
-is_test_ignored()
-{
-    [[ ! -f $IGN_FILE ]] && return 0
-    for line in `grep "^[a-zA-Z].*" $IGN_FILE`; do
-        echo $testcase | grep $line >/dev/null
-        [[ $? -eq 0 ]] && echo "matched ignore pattern [$line]" && return 1
-    done
-    return 0
-}
-
 if [[ $SKIP_CONTAINER_POLICY -eq 0 || $SKIP_NATIVE_POLICY -eq 0 ]]; then
     INFO "Running Container Scenarios"
 
@@ -659,9 +642,6 @@ if [[ $SKIP_CONTAINER_POLICY -eq 0 || $SKIP_NATIVE_POLICY -eq 0 ]]; then
 
     for testcase in $(find -maxdepth 1 -mindepth 1 -type d  -name "${microservice}_*")
     do
-        is_test_ignored
-        [[ $? -eq 1 ]] && WARN "Testcase $testcase ignored" && continue
-
         res_case=0
 
         INFO "Testing $testcase"