From 5fa148942e3f224a7fde14fa20942e9df7b17ecc Mon Sep 17 00:00:00 2001 From: abhashsolanki18 Date: Sat, 9 Nov 2024 12:55:41 +0530 Subject: [PATCH] Added AssertCommand to replace K8sExecInPod for testing. Signed-off-by: abhashsolanki18 --- tests/k8s_env/blockposture/block_test.go | 26 +- tests/k8s_env/ksp/ksp_test.go | 111 ++++---- tests/k8s_env/smoke/smoke_test.go | 139 +++++----- tests/k8s_env/syscalls/syscalls_test.go | 280 +++++++++++++------- tests/k8s_env/throttling/throttling_test.go | 26 +- tests/k8s_env/visibility/visibility_test.go | 16 +- 6 files changed, 340 insertions(+), 258 deletions(-) diff --git a/tests/k8s_env/blockposture/block_test.go b/tests/k8s_env/blockposture/block_test.go index 5e3bc6b1ff..a220a51fdc 100644 --- a/tests/k8s_env/blockposture/block_test.go +++ b/tests/k8s_env/blockposture/block_test.go @@ -73,11 +73,10 @@ var _ = Describe("Posture", func() { wp, "wordpress-mysql", []string{"bash", "-c", "curl google.com"}, MatchRegexp("curl.*Could not resolve host: google.com"), true, ) - - out, _, err := K8sExecInPod(wp, "wordpress-mysql", []string{"bash", "-c", "curl 142.250.193.46"}) - Expect(err).To(BeNil()) - fmt.Printf("---START---\n%s---END---\n", out) - Expect(out).To(MatchRegexp("((?:.*\r?\n?)*)")) + AssertCommand( + wp, "wordpress-mysql", []string{"bash", "-c", "curl 142.250.193.46"}, + MatchRegexp("((?:.*\r?\n?)*)"), false, + ) // check policy violation alert _, alerts, err := KarmorGetLogs(5*time.Second, 1) Expect(err).To(BeNil()) @@ -101,16 +100,15 @@ var _ = Describe("Posture", func() { Expect(err).To(BeNil()) //curl needs UDP for DNS resolution - sout, _, err := K8sExecInPod(wp, "wordpress-mysql", []string{"bash", "-c", "cat wp-config.php"}) - Expect(err).To(BeNil()) - fmt.Printf("---START---\n%s---END---\n", sout) - Expect(sout).To(MatchRegexp("cat.*Permission denied")) - + AssertCommand( + wp, "wordpress-mysql", []string{"bash", "-c", "cat wp-config.php"}, + MatchRegexp("cat.*Permission denied"), false, + ) //test that tcp is whitelisted - out, _, err := K8sExecInPod(wp, "wordpress-mysql", []string{"bash", "-c", "cat readme.html"}) - Expect(err).To(BeNil()) - fmt.Printf("---START---\n%s---END---\n", out) - Expect(out).To(MatchRegexp("((?:.*\r?\n?)*)")) + AssertCommand( + wp, "wordpress-mysql", []string{"bash", "-c", "cat readme.html"}, + MatchRegexp("((?:.*\r?\n?)*)"), false, + ) // check policy violation alert _, alerts, err := KarmorGetLogs(5*time.Second, 1) Expect(err).To(BeNil()) diff --git a/tests/k8s_env/ksp/ksp_test.go b/tests/k8s_env/ksp/ksp_test.go index 37d48b5218..ce36e2916e 100644 --- a/tests/k8s_env/ksp/ksp_test.go +++ b/tests/k8s_env/ksp/ksp_test.go @@ -84,9 +84,10 @@ var _ = Describe("Ksp", func() { err = KarmorLogStart("all", "nginx", "", pods.Items[0].Name) Expect(err).To(BeNil()) - sout, _, err := K8sExecInPod(pods.Items[0].Name, "nginx", []string{"ls"}) - Expect(err).To(BeNil()) - fmt.Printf("---START---\n%s---END---\n", sout) + AssertCommand( + pods.Items[0].Name, "nginx", []string{"ls"}, + MatchRegexp(".*"), false, + ) // check audit logs logs, _, err := KarmorGetLogs(5*time.Second, 50) @@ -110,12 +111,10 @@ var _ = Describe("Ksp", func() { err = KarmorLogStart("policy", "multiubuntu", "Network", ub1) Expect(err).To(BeNil()) - sout, _, err := K8sExecInPod(ub1, "multiubuntu", - []string{"bash", "-c", "ping -c 1 127.0.0.1"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) - Expect(sout).To(MatchRegexp("PING.*127.0.0.1")) - + AssertCommand( + ub1, "multiubuntu", []string{"bash", "-c", "ping -c 1 127.0.0.1"}, + MatchRegexp("PING.*127.0.0.1"), false, + ) expect := protobuf.Alert{ PolicyName: "ksp-ubuntu-1-audit-net-icmp", Severity: "8", @@ -220,11 +219,10 @@ var _ = Describe("Ksp", func() { err = KarmorLogStart("policy", "multiubuntu", "Network", ub1) Expect(err).To(BeNil()) - sout, _, err := K8sExecInPod(ub1, "multiubuntu", - []string{"bash", "-c", "arping -c 1 127.0.0.1"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) - Expect(sout).To(MatchRegexp("ARPING 127.0.0.1")) + AssertCommand( + ub1, "multiubuntu", []string{"bash", "-c", "arping -c 1 127.0.0.1"}, + MatchRegexp("ARPING 127.0.0.1"), false, + ) expect := protobuf.Alert{ PolicyName: "ksp-ubuntu-1-audit-net-raw", @@ -396,10 +394,10 @@ var _ = Describe("Ksp", func() { err = KarmorLogStart("policy", "multiubuntu", "Process", ub4) Expect(err).To(BeNil()) - sout, _, err := K8sExecInPod(ub4, "multiubuntu", - []string{"bash", "-c", "sleep 1"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) + AssertCommand( + ub4, "multiubuntu", []string{"bash", "-c", "sleep 1"}, + MatchRegexp(""), false, + ) expect := protobuf.Alert{ PolicyName: "ksp-group-2-audit-proc-path", @@ -603,11 +601,10 @@ var _ = Describe("Ksp", func() { AssertCommand(ub3, "multiubuntu", []string{"bash", "-c", "/home/user1/hello"}, MatchRegexp("hello.*Permission denied"), true, ) - sout, _, err := K8sExecInPod(ub3, "multiubuntu", - []string{"bash", "-c", "/home/user1/hello"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) - Expect(sout).To(MatchRegexp("hello.*Permission denied")) + AssertCommand( + ub3, "multiubuntu", []string{"bash", "-c", "/home/user1/hello"}, + MatchRegexp("hello.*Permission denied"), false, + ) expect := protobuf.Alert{ PolicyName: "ksp-ubuntu-3-block-proc-path-owner", @@ -908,10 +905,10 @@ var _ = Describe("Ksp", func() { err = KarmorLogStart("policy", "multiubuntu", "File", ub1) Expect(err).To(BeNil()) - sout, _, err := K8sExecInPod(ub1, "multiubuntu", - []string{"bash", "-c", "touch /home/user1/new1"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) + AssertCommand( + ub1, "multiubuntu", []string{"bash", "-c", "touch /home/user1/new1"}, + MatchRegexp(".*"), false, + ) expect := protobuf.Alert{ PolicyName: "ksp-ubuntu-1-audit-file-access-owner-readonly", @@ -1488,10 +1485,11 @@ var _ = Describe("Ksp", func() { err = KarmorLogStart("system", "multiubuntu", "File", ub4) Expect(err).To(BeNil()) - sout, _, err := K8sExecInPod(ub4, "multiubuntu", - []string{"bash", "-c", "su - user1 -c 'cat /home/user1/secret_data1.txt'"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) + AssertCommand( + ub4, "multiubuntu", []string{"bash", "-c", "su - user1 -c 'cat /home/user1/secret_data1.txt'"}, + MatchRegexp(".*"), false, + ) + // Expect(sout).To(ContainSubstring("secret file user1")) expectLog := protobuf.Log{ @@ -1605,10 +1603,10 @@ var _ = Describe("Ksp", func() { // Test 3: write operation on the file by the owner should also be allowed // No need for AssertCommand here since there is nothing to match - sout, _, err := K8sExecInPod(ub3, "multiubuntu", - []string{"bash", "-c", "su - user1 -c 'echo user1 >> /home/user1/secret_data1.txt'"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) + AssertCommand( + ub3, "multiubuntu", []string{"bash", "-c", "su - user1 -c 'echo user1 >> /home/user1/secret_data1.txt'"}, + MatchRegexp(".*"), false, + ) }) @@ -1667,11 +1665,10 @@ var _ = Describe("Ksp", func() { err = KarmorLogStart("system", "multiubuntu", "File", ub4) Expect(err).To(BeNil()) - sout, _, err := K8sExecInPod(ub4, "multiubuntu", - []string{"bash", "-c", "./readwrite -r /secret.txt"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) - Expect(sout).To(ContainSubstring("s")) + AssertCommand( + ub4, "multiubuntu", []string{"bash", "-c", "./readwrite -r /secret.txt"}, + MatchRegexp("s"), false, + ) expectLog = protobuf.Log{ Resource: "secret.txt", @@ -1705,10 +1702,10 @@ var _ = Describe("Ksp", func() { err = KarmorLogStart("policy", "multiubuntu", "File", ub4) Expect(err).To(BeNil()) - sout, _, err := K8sExecInPod(ub4, "multiubuntu", - []string{"bash", "-c", "./readwrite -w /credentials/password"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) + AssertCommand( + ub4, "multiubuntu", []string{"bash", "-c", "./readwrite -w /credentials/password"}, + MatchRegexp(".*"), false, + ) expect := protobuf.Alert{ PolicyName: "DefaultPosture", @@ -1724,10 +1721,10 @@ var _ = Describe("Ksp", func() { // Test 3: reading some other file should be denied as not allowed by the policy - sout, _, err = K8sExecInPod(ub4, "multiubuntu", - []string{"bash", "-c", "./readwrite -r /secret.txt"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) + AssertCommand( + ub4, "multiubuntu", []string{"bash", "-c", "./readwrite -r /secret.txt"}, + MatchRegexp(".*"), false, + ) expect = protobuf.Alert{ PolicyName: "DefaultPosture", @@ -1806,10 +1803,10 @@ var _ = Describe("Ksp", func() { err = KarmorLogStart("policy", "multiubuntu", "File", ub4) Expect(err).To(BeNil()) - sout, _, err := K8sExecInPod(ub4, "multiubuntu", - []string{"bash", "-c", "touch /dev/shm/new"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) + AssertCommand( + ub4, "multiubuntu", []string{"bash", "-c", "touch /dev/shm/new"}, + MatchRegexp(".*"), false, + ) expect := protobuf.Alert{ PolicyName: "ksp-ubuntu-4-audit-file-path-readonly", @@ -1982,11 +1979,11 @@ var _ = Describe("Ksp", func() { err = KarmorLogStart("system", "multiubuntu", "File", ub4) Expect(err).To(BeNil()) - sout, _, err := K8sExecInPod(ub4, "multiubuntu", - []string{"bash", "-c", "cat /credentials/password"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) - Expect(sout).To(ContainSubstring("password file")) + AssertCommand( + ub4, "multiubuntu", []string{"bash", "-c", "cat /credentials/password"}, + ContainSubstring("password file"), false, + ) + }) }) diff --git a/tests/k8s_env/smoke/smoke_test.go b/tests/k8s_env/smoke/smoke_test.go index f3aee3f410..d70b282d3a 100644 --- a/tests/k8s_env/smoke/smoke_test.go +++ b/tests/k8s_env/smoke/smoke_test.go @@ -66,11 +66,10 @@ var _ = Describe("Smoke", func() { // wait for policy creation time.Sleep(5 * time.Second) - sout, _, err := K8sExecInPod(wp, "wordpress-mysql", []string{"bash", "-c", "apt"}) - Expect(err).To(BeNil()) - fmt.Printf("---START---\n%s---END---\n", sout) - Expect(sout).To(MatchRegexp("apt.*Permission denied")) - + AssertCommand( + wp, "wordpress-mysql", []string{"bash", "-c", "apt"}, + MatchRegexp("apt.*Permission denied"), false, + ) // check policy violation alert _, alerts, err := KarmorGetLogs(5*time.Second, 1) Expect(err).To(BeNil()) @@ -91,12 +90,10 @@ var _ = Describe("Smoke", func() { // wait for policy creation time.Sleep(5 * time.Second) - sout, _, err := K8sExecInPod(wp, "wordpress-mysql", - []string{"bash", "-c", "cat /var/www/html/wp-config.php"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) - Expect(sout).To(MatchRegexp("wp-config.php.*Permission denied")) - + AssertCommand( + wp, "wordpress-mysql", []string{"bash", "-c", "cat /var/www/html/wp-config.php"}, + MatchRegexp("wp-config.php.*Permission denied"), false, + ) // check policy violation alert _, alerts, err := KarmorGetLogs(5*time.Second, 1) Expect(err).To(BeNil()) @@ -119,12 +116,10 @@ var _ = Describe("Smoke", func() { // wait for policy creation time.Sleep(5 * time.Second) - sout, _, err := K8sExecInPod(wp, "wordpress-mysql", - []string{"bash", "-c", "cat wp-config.php"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) - Expect(sout).To(MatchRegexp("wp-config.php.*Permission denied")) - + AssertCommand( + wp, "wordpress-mysql", []string{"bash", "-c", "cat wp-config.php"}, + MatchRegexp("wp-config.php.*Permission denied"), false, + ) // check policy violation alert _, alerts, err := KarmorGetLogs(5*time.Second, 1) Expect(err).To(BeNil()) @@ -146,13 +141,11 @@ var _ = Describe("Smoke", func() { // wait for policy creation time.Sleep(5 * time.Second) - - sout, _, err := K8sExecInPod(wp, "wordpress-mysql", - []string{"bash", "-c", "cat /run/secrets/kubernetes.io/serviceaccount/token"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) - Expect(sout).To(MatchRegexp("token.*Permission denied")) - + + AssertCommand( + wp, "wordpress-mysql", []string{"bash", "-c", "cat /run/secrets/kubernetes.io/serviceaccount/token"}, + MatchRegexp("token.*Permission denied"), false, + ) // check policy violation alert _, alerts, err := KarmorGetLogs(5*time.Second, 1) Expect(err).To(BeNil()) @@ -174,11 +167,10 @@ var _ = Describe("Smoke", func() { time.Sleep(5 * time.Second) // trigger policy violation alert - sout, _, err := K8sExecInPod(wp, "wordpress-mysql", - []string{"bash", "-c", "head /run/secrets/kubernetes.io/serviceaccount/token"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) - Expect(sout).To(MatchRegexp("token.*Permission denied")) + AssertCommand( + wp, "wordpress-mysql", []string{"bash", "-c", "head /run/secrets/kubernetes.io/serviceaccount/token"}, + MatchRegexp("token.*Permission denied"), false, + ) // check policy violation alert _, alerts, err := KarmorGetLogs(5*time.Second, 1) @@ -189,20 +181,22 @@ var _ = Describe("Smoke", func() { Expect(alerts[0].Severity).To(Equal("7")) // trigger normal operations permitted by policy - sout, _, err = K8sExecInPod(wp, "wordpress-mysql", - []string{"bash", "-c", "cat /run/secrets/kubernetes.io/serviceaccount/token"}) - Expect(err).To(BeNil()) - Expect(sout).To(Not(ContainSubstring("Permission denied"))) - sout, _, err = K8sExecInPod(wp, "wordpress-mysql", - []string{"bash", "-c", "cat /etc/passwd"}) - Expect(err).To(BeNil()) - Expect(sout).To(Not(ContainSubstring("Permission denied"))) + AssertCommand( + wp, "wordpress-mysql", []string{"bash", "-c", "cat /run/secrets/kubernetes.io/serviceaccount/token"}, + Not(ContainSubstring("Permission denied")), false, + ) + + AssertCommand( + wp, "wordpress-mysql", []string{"bash", "-c", "cat /etc/passwd"}, + Not(ContainSubstring("Permission denied")), false, + ) + + AssertCommand( + wp, "wordpress-mysql", []string{"bash", "-c", "head /etc/passwd"}, + Not(ContainSubstring("Permission denied")), false, + ) - sout, _, err = K8sExecInPod(wp, "wordpress-mysql", - []string{"bash", "-c", "head /etc/passwd"}) - Expect(err).To(BeNil()) - Expect(sout).To(Not(ContainSubstring("Permission denied"))) // check for no policy violation alert _, alerts, err = KarmorGetLogs(3*time.Second, 1) @@ -223,10 +217,10 @@ var _ = Describe("Smoke", func() { time.Sleep(5 * time.Second) fname := fmt.Sprintf("/var/lib/mysql/%s", RandString(12)) - sout, _, err := K8sExecInPod(sql, "wordpress-mysql", - []string{"bash", "-c", fmt.Sprintf("touch %s", fname)}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) + AssertCommand( + sql, "wordpress-mysql", []string{"bash", "-c", fmt.Sprintf("touch %s", fname)}, + BeEmpty(), false, + ) // check policy violation alert _, alerts, err := KarmorGetLogs(5*time.Second, 1) @@ -236,9 +230,11 @@ var _ = Describe("Smoke", func() { Expect(alerts[0].PolicyName).To(Equal("ksp-mysql-audit-dir")) Expect(alerts[0].Severity).To(Equal("5")) - _, _, err = K8sExecInPod(sql, "wordpress-mysql", - []string{"bash", "-c", fmt.Sprintf("rm %s", fname)}) - Expect(err).To(BeNil()) + AssertCommand( + sql, "wordpress-mysql", []string{"bash", "-c", fmt.Sprintf("rm %s", fname)}, + BeEmpty(), false, + ) + }) It("can enforce multiple rules targeting same pod", func() { @@ -251,17 +247,16 @@ var _ = Describe("Smoke", func() { Expect(err).To(BeNil()) // trigger policy violation alert - sout, _, err := K8sExecInPod(wp, "wordpress-mysql", - []string{"bash", "-c", "cat /etc/passwd"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) - Expect(sout).To(MatchRegexp("/etc/passwd.*Permission denied")) + AssertCommand( + wp, "wordpress-mysql", []string{"bash", "-c", "cat /etc/passwd"}, + MatchRegexp("/etc/passwd.*Permission denied"), false, + ) + + AssertCommand( + wp, "wordpress-mysql", []string{"bash", "-c", "cat /etc/shadow"}, + MatchRegexp("/etc/shadow.*Permission denied"), false, + ) - sout, _, err = K8sExecInPod(wp, "wordpress-mysql", - []string{"bash", "-c", "cat /etc/shadow"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) - Expect(sout).To(MatchRegexp("/etc/shadow.*Permission denied")) }) It("can block write access and only allow read access to mounted files", func() { @@ -276,11 +271,10 @@ var _ = Describe("Smoke", func() { // wait for policy creation time.Sleep(5 * time.Second) - sout, _, err := K8sExecInPod(wp, "wordpress-mysql", - []string{"bash", "-c", "touch /dev/shm/new"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) - Expect(sout).To(ContainSubstring("Permission denied")) + AssertCommand( + wp, "wordpress-mysql", []string{"bash", "-c", "touch /dev/shm/new"}, + ContainSubstring("Permission denied"), false, + ) // check policy violation alert _, alerts, err := KarmorGetLogs(5*time.Second, 1) @@ -302,10 +296,11 @@ var _ = Describe("Smoke", func() { // wait for policy creation time.Sleep(5 * time.Second) - sout, _, err := K8sExecInPod(wp, "wordpress-mysql", - []string{"bash", "-c", "curl 142.250.193.46"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) + AssertCommand( + wp, "wordpress-mysql", []string{"bash", "-c", "curl 142.250.193.46"}, + ContainSubstring("http://www.google.com/"), false, + ) + // tcp action Expect(sout).To(ContainSubstring("http://www.google.com/")) @@ -316,12 +311,10 @@ var _ = Describe("Smoke", func() { Expect(len(alerts)).To(Equal(0)) // tcp + udp + raw action - sout, _, err = K8sExecInPod(wp, "wordpress-mysql", - []string{"bash", "-c", "curl google.com"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) - Expect(sout).To(ContainSubstring("http://www.google.com/")) - + AssertCommand( + wp, "wordpress-mysql", []string{"bash", "-c", "curl google.com"}, + ContainSubstring("http://www.google.com/"), false, + ) // check alert _, alerts, err = KarmorGetLogs(5*time.Second, 1) Expect(err).To(BeNil()) diff --git a/tests/k8s_env/syscalls/syscalls_test.go b/tests/k8s_env/syscalls/syscalls_test.go index 0a94c691d9..fdb8e8678c 100644 --- a/tests/k8s_env/syscalls/syscalls_test.go +++ b/tests/k8s_env/syscalls/syscalls_test.go @@ -4,7 +4,6 @@ package syscalls import ( - "fmt" "time" "github.com/kubearmor/KubeArmor/protobuf" @@ -58,10 +57,14 @@ var _ = Describe("Syscalls", func() { err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "unlink /dummy"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "touch /dummy"}, + MatchRegexp(".*"), false, + ) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "unlink /dummy"}, + MatchRegexp(".*"), false, + ) // check policy alert expect := protobuf.Alert{ @@ -86,13 +89,19 @@ var _ = Describe("Syscalls", func() { err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "cp /usr/bin/unlink /bin/unlink"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "cp /usr/bin/unlink /bin/unlink"}, + MatchRegexp(".*"), false, + ) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "/bin/unlink /dummy"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "touch /dummy"}, + MatchRegexp(".*"), false, + ) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "/bin/unlink /dummy"}, + MatchRegexp(".*"), false, + ) // check policy alert expect := protobuf.Alert{ @@ -117,16 +126,25 @@ var _ = Describe("Syscalls", func() { err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "mkdir -p /foo/bar"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "mkdir -p /foo/bar"}, + MatchRegexp(".*"), false, + ) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "cp /usr/bin/unlink /foo/bar/unlink"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "cp /usr/bin/unlink /foo/bar/unlink"}, + MatchRegexp(".*"), false, + ) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "/foo/bar/unlink /dummy"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "touch /dummy"}, + MatchRegexp(".*"), false, + ) + + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "/foo/bar/unlink /dummy"}, + MatchRegexp(".*"), false, + ) // check policy alert expect := protobuf.Alert{ @@ -151,13 +169,20 @@ var _ = Describe("Syscalls", func() { err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "cp /usr/bin/unlink /unlink"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "cp /usr/bin/unlink /unlink"}, + MatchRegexp(".*"), false, + ) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "/unlink /dummy"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "touch /dummy"}, + MatchRegexp(".*"), false, + ) + + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "/unlink /dummy"}, + MatchRegexp(".*"), false, + ) // check policy alert expect := protobuf.Alert{ @@ -185,10 +210,15 @@ var _ = Describe("Syscalls", func() { err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}, + MatchRegexp(".*"), false, + ) + + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}, + MatchRegexp(".*"), false, + ) // check policy alert expect := protobuf.Alert{ @@ -213,10 +243,15 @@ var _ = Describe("Syscalls", func() { err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "unlink /dummy"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "touch /dummy"}, + MatchRegexp(".*"), false, + ) + + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "unlink /dummy"}, + MatchRegexp(".*"), false, + ) // check policy alert expect := protobuf.Alert{ @@ -237,17 +272,24 @@ var _ = Describe("Syscalls", func() { err := K8sApply([]string{"manifests/matchpaths/unlink-dir-recursive-fromsource-path.yaml"}) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "cp /usr/bin/unlink /bin/unlink"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "cp /usr/bin/unlink /bin/unlink"}, + MatchRegexp(".*"), false, + ) // Start Kubearmor Logs err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "/bin/unlink /home/dummy"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}, + MatchRegexp(".*"), false, + ) + + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "/bin/unlink /home/dummy"}, + MatchRegexp(".*"), false, + ) // check policy alert expect := protobuf.Alert{ @@ -272,10 +314,15 @@ var _ = Describe("Syscalls", func() { err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}, + MatchRegexp(".*"), false, + ) + + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "/bin/unlink /home/dummy"}, + MatchRegexp(".*"), false, + ) // check policy alert expect := protobuf.Alert{ @@ -296,17 +343,24 @@ var _ = Describe("Syscalls", func() { err := K8sApply([]string{"manifests/matchpaths/unlink-dir-recursive-fromsource-dir.yaml"}) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "cp /usr/bin/unlink /bin/unlink"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "cp /usr/bin/unlink /bin/unlink"}, + MatchRegexp(".*"), false, + ) // Start Kubearmor Logs err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "/bin/unlink /home/dummy"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}, + MatchRegexp(".*"), false, + ) + + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "/bin/unlink /home/dummy"}, + MatchRegexp(".*"), false, + ) // check policy alert expect := protobuf.Alert{ @@ -334,10 +388,15 @@ var _ = Describe("Syscalls", func() { err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}, + MatchRegexp(".*"), false, + ) + + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}, + MatchRegexp(".*"), false, + ) // check policy alert expect := protobuf.Alert{ @@ -363,10 +422,15 @@ var _ = Describe("Syscalls", func() { err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}, + MatchRegexp(".*"), false, + ) + + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}, + MatchRegexp(".*"), false, + ) // check policy alert expect := protobuf.Alert{ @@ -392,10 +456,15 @@ var _ = Describe("Syscalls", func() { err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}, + MatchRegexp(".*"), false, + ) + + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}, + MatchRegexp(".*"), false, + ) // check policy alert expect := protobuf.Alert{ @@ -421,10 +490,15 @@ var _ = Describe("Syscalls", func() { err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}, + MatchRegexp(".*"), false, + ) + + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}, + MatchRegexp(".*"), false, + ) // check policy alert expect := protobuf.Alert{ @@ -452,10 +526,15 @@ var _ = Describe("Syscalls", func() { err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}, + MatchRegexp(".*"), false, + ) + + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}, + MatchRegexp(".*"), false, + ) // check policy alert expect := protobuf.Alert{ @@ -481,10 +560,15 @@ var _ = Describe("Syscalls", func() { err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}, + MatchRegexp(".*"), false, + ) + + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}, + MatchRegexp(".*"), false, + ) // check policy alert expect := protobuf.Alert{ @@ -510,10 +594,15 @@ var _ = Describe("Syscalls", func() { err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}, + MatchRegexp(".*"), false, + ) + + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}, + MatchRegexp(".*"), false, + ) // check policy alert expect := protobuf.Alert{ @@ -539,10 +628,15 @@ var _ = Describe("Syscalls", func() { err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}) - Expect(err).To(BeNil()) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}, + MatchRegexp(".*"), false, + ) + + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}, + MatchRegexp(".*"), false, + ) // check policy alert expect := protobuf.Alert{ @@ -567,13 +661,15 @@ var _ = Describe("Syscalls", func() { Expect(err).To(BeNil()) // execute mount inside the pod - sout, _, err := K8sExecInPod(ubuntu, "syscalls", - []string{"bash", "-c", "mkdir /mnt/test"}) - Expect(err).To(BeNil()) - sout, _, err = K8sExecInPod(ubuntu, "syscalls", - []string{"bash", "-c", "mount /home /mnt/test"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "mkdir /mnt/test"}, + MatchRegexp(".*"), false, + ) + + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "mount /home /mnt/test"}, + MatchRegexp(".*"), false, + ) expect := protobuf.Alert{ PolicyName: "DefaultPosture", @@ -596,10 +692,10 @@ var _ = Describe("Syscalls", func() { Expect(err).To(BeNil()) // execute umount inside the pod - sout, _, err := K8sExecInPod(ubuntu, "syscalls", - []string{"bash", "-c", "umount /mnt"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "umount /mnt"}, + MatchRegexp(".*"), false, + ) expect := protobuf.Alert{ PolicyName: "DefaultPosture", diff --git a/tests/k8s_env/throttling/throttling_test.go b/tests/k8s_env/throttling/throttling_test.go index bfacaa17d1..b746a7b456 100644 --- a/tests/k8s_env/throttling/throttling_test.go +++ b/tests/k8s_env/throttling/throttling_test.go @@ -73,13 +73,13 @@ var _ = Describe("Smoke", func() { // wait for policy creation time.Sleep(5 * time.Second) - - sout, _, err := K8sExecInPod(wp, "wordpress-mysql", - []string{"bash", "-c", "count=0; while [ $count -lt 5 ]; do apt; count=$((count + 1)); done;"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) - Expect(sout).To(MatchRegexp("apt.*Permission denied")) - + AssertCommand( + wp, + "wordpress-mysql", + []string{"bash", "-c", "count=0; while [ $count -lt 5 ]; do apt; count=$((count + 1)); done;"}, + MatchRegexp("apt.*Permission denied"), + false, + ) // check policy violation alert _, alerts, err := KarmorGetLogs(5*time.Second, 1) Expect(err).To(BeNil()) @@ -93,12 +93,12 @@ var _ = Describe("Smoke", func() { Expect(err).To(BeNil()) // check for throttling, alerts should not be genrated - sout, _, err = K8sExecInPod(wp, "wordpress-mysql", - []string{"bash", "-c", "apt update"}) - Expect(err).To(BeNil()) - fmt.Printf("---START---\n%s---END---\n", sout) - Expect(sout).To(MatchRegexp("apt.*Permission denied")) - + AssertCommand(wp, + "wordpress-mysql", + []string{"bash", "-c", "apt update"}, + MatchRegexp("apt.*Permission denied"), + false, + ) _, alerts, err = KarmorGetLogs(5*time.Second, 1) Expect(err).To(BeNil()) fmt.Printf("throttling alert :%v\n", alerts) diff --git a/tests/k8s_env/visibility/visibility_test.go b/tests/k8s_env/visibility/visibility_test.go index b26ebac49c..9f59a0bb9f 100644 --- a/tests/k8s_env/visibility/visibility_test.go +++ b/tests/k8s_env/visibility/visibility_test.go @@ -60,9 +60,8 @@ var _ = Describe("Visibility", func() { err = KarmorLogStart("all", "wordpress-mysql", "", wp) Expect(err).To(BeNil()) - sout, _, err := K8sExecInPod(wp, "wordpress-mysql", []string{"bash", "-c", "ping google.com -c1"}) - Expect(err).To(BeNil()) - fmt.Printf("---START---\n%s---END---\n", sout) + // Use Assert command + AssertCommand(wp, "wordpress-mysql", []string{"bash", "-c", "ping google.com -c1"}, MatchRegexp(".*"), false) // check audit logs logs, _, err := KarmorGetLogs(5*time.Second, 50) @@ -89,9 +88,8 @@ var _ = Describe("Visibility", func() { err = KarmorLogStart("all", "wordpress-mysql", "", wp) Expect(err).To(BeNil()) - sout, _, err := K8sExecInPod(wp, "wordpress-mysql", []string{"bash", "-c", "ping google.com -c1"}) - Expect(err).To(BeNil()) - fmt.Printf("---START---\n%s---END---\n", sout) + // Use Assert command + AssertCommand(wp, "wordpress-mysql", []string{"bash", "-c", "ping google.com -c1"}, MatchRegexp(".*"), false) // check audit logs logs, _, err := KarmorGetLogs(5*time.Second, 50) @@ -115,9 +113,9 @@ var _ = Describe("Visibility", func() { err = KarmorLogStart("all", "wordpress-mysql", "", wp) Expect(err).To(BeNil()) - sout, _, err := K8sExecInPod(wp, "wordpress-mysql", []string{"bash", "-c", "ping google.com -c1"}) - Expect(err).To(BeNil()) - fmt.Printf("---START---\n%s---END---\n", sout) + // Use Assert command + AssertCommand(wp, "wordpress-mysql", []string{"bash", "-c", "ping google.com -c1"}, MatchRegexp(".*"), false) + // check audit logs logs, _, err := KarmorGetLogs(5*time.Second, 50)