From c10756d62ed68f30209bfe4c5a5e68e04009f850 Mon Sep 17 00:00:00 2001
From: Rudraksh Pareek
Date: Tue, 14 Jun 2022 20:51:08 +0530
Subject: [PATCH] changes suggested in review

Signed-off-by: Rudraksh Pareek
---
 .github/workflows/ci-test.yml    | 20 ++++------
 KubeArmor/core/kubeArmor.go      | 20 +++++------
 contribution/k3s/install_k3s.sh  |  8 ++---
 .../crio/install_crio.sh         | 36 +++++++++++++++++++
 .../crio/uninstall_crio.sh       | 10 ++++++
 contribution/vagrant/Vagrantfile | 14 ++++++++
 tests/test-scenarios-github.sh   | 20 -----------
 7 files changed, 80 insertions(+), 48 deletions(-)
 create mode 100755 contribution/self-managed-k8s-selinux/crio/install_crio.sh
 create mode 100755 contribution/self-managed-k8s-selinux/crio/uninstall_crio.sh

diff --git a/.github/workflows/ci-test.yml b/.github/workflows/ci-test.yml
index f8148851f5..36e1a757ce 100644
--- a/.github/workflows/ci-test.yml
+++ b/.github/workflows/ci-test.yml
@@ -18,19 +18,19 @@ on:
 jobs:
   build:
-    name: Auto-testing Framework / ${{ matrix.os }} / ${{ matrix.runtime }}
+    name: Auto-testing Framework / ${{ matrix.os }}
     runs-on: ${{ matrix.os }}
-    env:
-      RUNTIME: ${{ matrix.runtime }}
     strategy:
       fail-fast: false
       matrix:
         os: [ubuntu-latest, ubuntu-18.04]
-        runtime: ["containerd", "docker", "crio"]
     steps:
     - name: Kernel version
       run: uname -r
 
+    - name: Check Docker Version
+      run: docker --version
+
     - uses: actions/checkout@v2
 
     - name: Set up Go
@@ -54,15 +54,7 @@ jobs:
 
     - name: Setup Enviroment
       run: |
-        if [ "$RUNTIME" == "crio" ]; then
-          ./contribution/self-managed-k8s/crio/install-crio.sh
-          crio --version
-        elif [ "$RUNTIME" == "containerd" ]; then
-          # stop the running default containerd service so that k3s embedded
-          # containerd service can be used
-          sudo systemctl stop containerd.service
-        fi
-        RUNTIME=$RUNTIME ./contribution/k3s/install_k3s.sh
+        ./contribution/k3s/install_k3s.sh
 
     - name: Install annotation controller
       run: |
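Review bot: The rewritten Setup Enviroment step drops `sudo systemctl stop containerd.service`, yet with the `runtime` matrix removed RUNTIME is unset and install_k3s.sh now takes its containerd default, so the runner's stock containerd may stay up next to the k3s embedded one. KubeArmor's socket probe (kubeArmor.go hunk in this same patch) tries `/var/run/containerd/containerd.sock` before `/run/k3s/containerd/containerd.sock`, so it can attach to the idle host daemon and never see the test pods. Either restore `sudo systemctl stop containerd.service` as the first line of that `run: |` block, or add a comment recording why it is no longer needed on ubuntu-latest/ubuntu-18.04. The added `docker --version` step is informational only; it does not establish which runtime the test actually uses.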
@@ -75,7 +67,7 @@ jobs:
       run: kubectl proxy &
 
     - name: Test KubeArmor
-      run: RUNTIME=$RUNTIME ./tests/test-scenarios-github.sh
+      run: ./tests/test-scenarios-github.sh
       timeout-minutes: 15
 
     - name: Archive log artifacts
diff --git a/KubeArmor/core/kubeArmor.go b/KubeArmor/core/kubeArmor.go
index e93320921f..3e2d015079 100644
--- a/KubeArmor/core/kubeArmor.go
+++ b/KubeArmor/core/kubeArmor.go
@@ -485,10 +485,10 @@ func KubeArmor() {
				return
			}
		}
-	} else if strings.HasPrefix(dm.Node.ContainerRuntimeVersion, "containerd") { // containerd
+	} else if strings.HasPrefix(dm.Node.ContainerRuntimeVersion, "cri-o") { // cri-o
 		sockFile := false
 
-		for _, candidate := range []string{"/var/run/containerd/containerd.sock", "/var/snap/microk8s/common/run/containerd.sock", "/run/k3s/containerd/containerd.sock"} {
+		for _, candidate := range []string{"/var/run/crio/crio.sock"} {
 			if _, err := os.Stat(candidate); err == nil {
 				sockFile = true
 				break
@@ -496,20 +496,20 @@ func KubeArmor() {
 		}
 
 		if sockFile {
-			// monitor containerd events
-			go dm.MonitorContainerdEvents()
+			// monitor cri-o events
+			go dm.MonitorCrioEvents()
 		} else {
-			dm.Logger.Err("Failed to monitor containers (Containerd socket file is not accessible)")
+			dm.Logger.Err("Failed to monitor containers (CRI-O socket file is not accessible)")
 
 			// destroy the daemon
 			dm.DestroyKubeArmorDaemon()
 			return
 		}
-	} else if strings.HasPrefix(dm.Node.ContainerRuntimeVersion, "cri-o") { // cri-o
+	} else { // containerd
 		sockFile := false
 
-		for _, candidate := range []string{"/var/run/crio/crio.sock"} {
+		for _, candidate := range []string{"/var/run/containerd/containerd.sock", "/var/snap/microk8s/common/run/containerd.sock", "/run/k3s/containerd/containerd.sock"} {
 			if _, err := os.Stat(candidate); err == nil {
 				sockFile = true
 				break
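Review bot: The new `} else { // containerd` at the tail of the runtime chain makes containerd the fallback for every ContainerRuntimeVersion that is not docker or cri-o, so an empty or unrecognised runtime string now fails with the misleading "Containerd socket file is not accessible" message instead of naming the runtime that was not understood. Keeping an explicit `strings.HasPrefix(dm.Node.ContainerRuntimeVersion, "containerd")` guard and adding a final `else` that logs the runtime string and destroys the daemon keeps the diagnostic honest; `dm.Logger.Err` is the only logger method visible here, so the message is built with string concatenation below. Separately, the containerd candidate list probes `/var/run/containerd/containerd.sock` before `/run/k3s/containerd/containerd.sock`, so on a k3s host where the distro containerd is also running KubeArmor attaches to the idle daemon; a comment on the ordering, or preferring the endpoint the kubelet reports, would avoid that surprise. The KubeArmor() function and the docker branch begin before this hunk.

```go
	} else if strings.HasPrefix(dm.Node.ContainerRuntimeVersion, "containerd") { // containerd
		// … unchanged: containerd socket probe, MonitorContainerdEvents, error path …
	} else {
		dm.Logger.Err("Failed to monitor containers (unsupported container runtime: " + dm.Node.ContainerRuntimeVersion + ")")

		// destroy the daemon
		dm.DestroyKubeArmorDaemon()
		return
	}
```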
@@ -517,10 +517,10 @@ func KubeArmor() {
 		}
 
 		if sockFile {
-			// monitor cri-o events
-			go dm.MonitorCrioEvents()
+			// monitor containerd events
+			go dm.MonitorContainerdEvents()
 		} else {
-			dm.Logger.Err("Failed to monitor containers (CRI-O socket file is not accessible)")
+			dm.Logger.Err("Failed to monitor containers (Containerd socket file is not accessible)")
 
 			// destroy the daemon
 			dm.DestroyKubeArmorDaemon()
diff --git a/contribution/k3s/install_k3s.sh b/contribution/k3s/install_k3s.sh
index bf23978fc5..e870a6c878 100755
--- a/contribution/k3s/install_k3s.sh
+++ b/contribution/k3s/install_k3s.sh
@@ -12,12 +12,12 @@ if [ "$RUNTIME" == "docker" ]; then # docker
         curl -sfL https://get.k3s.io | K3S_KUBECONFIG_MODE="644" INSTALL_K3S_EXEC="--disable=traefik --docker" sh -
         [[ $? != 0 ]] && echo "Failed to install k3s" && exit 1
     fi
-elif [ "$RUNTIME" == "containerd" ]; then # containerd
-    curl -sfL https://get.k3s.io | K3S_KUBECONFIG_MODE="644" INSTALL_K3S_EXEC="--disable=traefik" sh -
-    [[ $? != 0 ]] && echo "Failed to install k3s" && exit 1
-else #cri-o
+elif [ "$RUNTIME" == "crio" ]; then # cri-o
     curl -sfL https://get.k3s.io | K3S_KUBECONFIG_MODE="644" INSTALL_K3S_EXEC="--disable=traefik --container-runtime-endpoint unix:///var/run/crio/crio.sock --kubelet-arg cgroup-driver=systemd" sh -
     [[ $? != 0 ]] && echo "Failed to install k3s" && exit 1
+else # use containerd by default
+    curl -sfL https://get.k3s.io | K3S_KUBECONFIG_MODE="644" INSTALL_K3S_EXEC="--disable=traefik" sh -
+    [[ $? != 0 ]] && echo "Failed to install k3s" && exit 1
 fi
 
 if [[ $(hostname) = kubearmor-dev* ]]; then
diff --git a/contribution/self-managed-k8s-selinux/crio/install_crio.sh b/contribution/self-managed-k8s-selinux/crio/install_crio.sh
new file mode 100755
index 0000000000..0fb83e86f0
--- /dev/null
+++ b/contribution/self-managed-k8s-selinux/crio/install_crio.sh
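Review bot: In the new `else # use containerd by default` branch (and the re-shuffled cri-o branch) `[[ $? != 0 ]]` only sees the exit status of `sh -`, the last command of the pipeline: if `curl -sfL` fails, sh reads an empty script and exits 0, so "Failed to install k3s" is never printed and the script carries on into the kubearmor-dev hostname block. Adding `set -o pipefail` at the top of the script, or fetching the installer first with `curl -sfL https://get.k3s.io -o /tmp/k3s-install.sh || { echo "Failed to download k3s installer"; exit 1; }` and then running the file, makes the check meaningful; the second form also gives a place to verify the installer's checksum instead of piping an unverified remote script straight into sh. The `if` chain starts above this hunk, so the docker branch is only partly visible here.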
@@ -0,0 +1,36 @@
+#!/bin/bash
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2022 Authors of KubeArmor
+
+. /etc/os-release
+
+if [ "$ID" != "centos" ]; then
+    echo "Supports CentOS"
+    exit
+fi
+
+OS="CentOS_${VERSION_ID}"
+VERSION=1.19
+
+if [ "$NAME" == "CentOS Stream" ]; then
+    OS="${OS}_Stream"
+fi
+
+# remove podman
+sudo yum remove buildah skopeo podman containers-common atomic-registries docker container-tools
+
+# remove left-over files
+sudo rm -rf /etc/containers/* /var/lib/containers/* /etc/docker /etc/subuid* /etc/subgid*
+cd ~ && rm -rf /.local/share/containers/
+
+# disable selinux
+sudo sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config
+
+# setup repo
+sudo curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable.repo https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/devel:kubic:libcontainers:stable.repo
+sudo curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable:cri-o:$VERSION.repo https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable:cri-o:$VERSION/$OS/devel:kubic:libcontainers:stable:cri-o:$VERSION.repo
+
+sudo yum install cri-o containernetworking-plugins
+
+sudo systemctl daemon-reload
+sudo systemctl start crio.service
diff --git a/contribution/self-managed-k8s-selinux/crio/uninstall_crio.sh b/contribution/self-managed-k8s-selinux/crio/uninstall_crio.sh
new file mode 100755
index 0000000000..fe01cc5481
--- /dev/null
+++ b/contribution/self-managed-k8s-selinux/crio/uninstall_crio.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2022 Authors of KubeArmor
+
+sudo systemctl stop crio.service
+
+sudo dnf remove cri-o
+
+sudo rm -rf /etc/crictl.yaml
+sudo rm -rf /var/lib/crio
diff --git a/contribution/vagrant/Vagrantfile b/contribution/vagrant/Vagrantfile
index 8446700687..ea40c17078 100644
--- a/contribution/vagrant/Vagrantfile
+++ b/contribution/vagrant/Vagrantfile
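Review bot: `cd ~ && rm -rf /.local/share/containers/` in install_crio.sh deletes the absolute path `/.local/share/containers/`, not the per-user directory it just changed into; it should read `rm -rf ~/.local/share/containers/` (the `cd` is then unnecessary). In the same script, `sudo sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config` silently puts the node into permissive mode inside a tree named self-managed-k8s-selinux, which undercuts the purpose of that environment and only takes effect after a reboot, so it needs a comment explaining why CRI-O requires it here or should be removed. `sudo yum remove ...` and `sudo yum install cri-o containernetworking-plugins` run without `-y`, so under a non-interactive Vagrant provisioner they are likely to abort at the confirmation prompt. Finally, the non-CentOS guard exits with status 0, so the next provisioner (install_kubernetes.sh) still runs against a missing runtime; `echo "Supports CentOS" >&2; exit 1` stops provisioning at the right place.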
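Review bot: uninstall_crio.sh removes the package with `sudo dnf remove cri-o` while install_crio.sh installs it with yum; CentOS 7 ships yum rather than dnf by default, so the two scripts should agree on one package manager, and both calls need `-y` to run unattended. The teardown also leaves behind the `containernetworking-plugins` package and the two repo files the install script wrote to /etc/yum.repos.d; `sudo rm -f /etc/yum.repos.d/devel:kubic:libcontainers:stable*.repo` alongside the existing `rm -rf` lines would complete it.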
@@ -76,6 +76,13 @@ Vagrant.configure("2") do |config|
 
       # install Kubernetes
       config.vm.provision :shell, :inline => "RUNTIME=docker /home/vagrant/KubeArmor/contribution/self-managed-k8s-selinux/k8s/install_kubernetes.sh"
+    elsif ENV['RUNTIME'] == "crio" then
+      # install CRI-O
+      config.vm.provision :shell, path: kubearmor_home + "/contribution/self-managed-k8s-selinux/crio/install_crio.sh"
+
+      # install Kubernetes
+      config.vm.provision :shell, :inline => "RUNTIME=crio /home/vagrant/KubeArmor/contribution/self-managed-k8s-selinux/k8s/install_kubernetes.sh"
+
     else # default == 'docker'
       # install Docker
       config.vm.provision :shell, path: kubearmor_home + "/contribution/self-managed-k8s-selinux/docker/install_docker.sh"
@@ -108,6 +115,13 @@ Vagrant.configure("2") do |config|
 
       # install Kubernetes
       config.vm.provision :shell, :inline => "RUNTIME=containerd /home/vagrant/KubeArmor/contribution/self-managed-k8s/k8s/install_kubernetes.sh"
+    elsif ENV['RUNTIME'] == "crio" then
+      # install CRI-O
+      config.vm.provision :shell, path: kubearmor_home + "/contribution/self-managed-k8s/crio/install-crio.sh"
+
+      # install Kubernetes
+      config.vm.provision :shell, :inline => "CRI_SOCKET=unix:///var/run/crio/crio.sock /home/vagrant/KubeArmor/contribution/self-managed-k8s/k8s/install_kubernetes.sh"
+
     else # default == 'docker'
       # install Docker
       config.vm.provision :shell, path: kubearmor_home + "/contribution/self-managed-k8s/docker/install_docker.sh"
diff --git a/tests/test-scenarios-github.sh b/tests/test-scenarios-github.sh
index b34bdb5d6e..973de0f290 100755
--- a/tests/test-scenarios-github.sh
+++ b/tests/test-scenarios-github.sh
@@ -22,13 +22,6 @@ realpath() {
 TEST_HOME=`dirname $(realpath "$0")`
 CRD_HOME=`dirname $(realpath "$0")`/../deployments/CRD
 ARMOR_HOME=`dirname $(realpath "$0")`/../KubeArmor
-IGN_FILE=$TEST_HOME/tests.ignore
-
-# skip tests that don't work with some runtimes
-if [ "$RUNTIME" == "crio" ]; then
-    # see #697
-    echo "github_test_13" | tee -a $IGN_FILE
-fi
 
 LSM="none"
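Review bot: The new non-selinux crio branch invokes install_kubernetes.sh with `CRI_SOCKET=unix:///var/run/crio/crio.sock`, whereas the neighbouring containerd branch in the same tree passes `RUNTIME=containerd` and the new selinux crio branch passes `RUNTIME=crio`; unless contribution/self-managed-k8s/k8s/install_kubernetes.sh actually reads CRI_SOCKET (not visible in this patch), kubeadm will fall back to its default socket and the node comes up on the wrong runtime. Passing `RUNTIME=crio` as the sibling branches do, or both variables, keeps the contract between the Vagrantfile and the installer uniform. The two crio install scripts are also spelled differently, `install-crio.sh` here versus `install_crio.sh` in the selinux tree; harmless if both files exist, but worth aligning. The enclosing Vagrant.configure block starts and ends outside both hunks.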
@@ -627,16 +620,6 @@ INFO "Started KubeArmor"
 
 res_microservice=0
 
-is_test_ignored()
-{
-    [[ ! -f $IGN_FILE ]] && return 0
-    for line in `grep "^[a-zA-Z].*" $IGN_FILE`; do
-        echo $testcase | grep $line >/dev/null
-        [[ $? -eq 0 ]] && echo "matched ignore pattern [$line]" && return 1
-    done
-    return 0
-}
-
 if [[ $SKIP_CONTAINER_POLICY -eq 0 || $SKIP_NATIVE_POLICY -eq 0 ]]; then
     INFO "Running Container Scenarios"
 
@@ -659,9 +642,6 @@ if [[ $SKIP_CONTAINER_POLICY -eq 0 || $SKIP_NATIVE_POLICY -eq 0 ]]; then
     for testcase in $(find -maxdepth 1 -mindepth 1 -type d -name "${microservice}_*")
     do
-        is_test_ignored
-        [[ $? -eq 1 ]] && WARN "Testcase $testcase ignored" && continue
-
         res_case=0
         INFO "Testing $testcase"