
Commit f7feb55

adding smoke tests
Signed-off-by: Prateeknandle <prateeknandle@gmail.com> adding function Signed-off-by: Prateeknandle <prateeknandle@gmail.com> removing file Signed-off-by: Prateeknandle <prateeknandle@gmail.com> removing comments Signed-off-by: Prateeknandle <prateeknandle@gmail.com> changing name of function Signed-off-by: Prateeknandle <prateeknandle@gmail.com> [Enhancement] Show recommended policy using DE - download and parse recommended policies from policy-templates GH - generate recommended policy using cronjob with 1h time interval - update or insert generated recommended policies to DataBase - sends recommended policy along with system policy to SaaS Signed-off-by: Vishnu Soman <vishnu@accuknox.com> [Bug Fix] Show recommended policy using DE - updated clusterrole in helm chart Signed-off-by: Vishnu Soman <vishnu@accuknox.com> changed org in workflows Signed-off-by: Rahul Jadhav <nyrahul@gmail.com> Fix for invalid timestamp for Kubearmor alerts Signed-off-by: Eswar Rajan Subramanian <eswar@accuknox.com> Show recommended policy using DE (accuknox#651) - yaml import change Signed-off-by: Vishnu Soman <vishnu@accuknox.com> adding ci workflow for ginkgo tests Signed-off-by: Prateeknandle <prateeknandle@gmail.com> sample test Signed-off-by: Prateeknandle <prateeknandle@gmail.com> go mod tidy Signed-off-by: Prateeknandle <prateeknandle@gmail.com> byte conversion Signed-off-by: Prateeknandle <prateeknandle@gmail.com> byte Signed-off-by: Prateeknandle <prateeknandle@gmail.com> valid Signed-off-by: Prateeknandle <prateeknandle@gmail.com> validate Signed-off-by: Prateeknandle <prateeknandle@gmail.com> ginkgo version Signed-off-by: Prateeknandle <prateeknandle@gmail.com> ginkgo versions Signed-off-by: Prateeknandle <prateeknandle@gmail.com> ginkgo versions1 Signed-off-by: Prateeknandle <prateeknandle@gmail.com> ginkgo versions2 Signed-off-by: Prateeknandle <prateeknandle@gmail.com> ginkgo versions3 Signed-off-by: Prateeknandle <prateeknandle@gmail.com>
1 parent 470c09e commit f7feb55

28 files changed

+2089
-26
lines changed

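--- a/.github/workflows/ci-go.yml
+++ b/.github/workflows/ci-go.yml
@@ -50,3 +50,31 @@ jobs:
 go get .
 gosec -exclude=G204,G304,G107 -exclude-dir=protobuf/ ./...
 working-directory: src
+
+go-ginkgo-test:
+runs-on: ubuntu-latest
+steps:
+- name: Checkout Source
+uses: actions/checkout@v2
+
+- uses: actions/setup-go@v2
+with:
+go-version: v1.18
+
+- name: Setup Enviroment
+run: |
+# setup kubernetes environment
+./k3s/install_k3s.sh
+
+- name: Run KubeArmor in background
+run: |
+curl -sfL http://get.kubearmor.io/ | sudo sh -s -- -b /usr/local/bin
+karmor install
+
+- name: Install Ginkgo
+run: |
+go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo
+
+- name: Run ginkgo tests
+run: ginkgo -r
+working-directory: tests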
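Review bot: Line 71 fetches an installer over plain HTTP and pipes it straight into `sudo sh`, so the runner executes whatever the network returns, as root, with no integrity check. Fetch it over TLS (`curl -sfL https://get.kubearmor.io/ | sudo sh -s -- -b /usr/local/bin`) if the endpoint serves it, or better, download the script to a file and compare it against a known digest before running it. The actions are also referenced by mutable tags (`actions/checkout@v2`, `actions/setup-go@v2`); pinning each to a full commit SHA (`actions/checkout@<pinned-sha>`) is the usual hardening for a job that runs with cluster and root privileges. `Setup Enviroment` at line 64 is a typo for `Setup Environment`.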

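--- a/.github/workflows/latest-release.yml
+++ b/.github/workflows/latest-release.yml
@@ -14,7 +14,7 @@ name: Create discovery engine release after testing the image
 jobs:
 build:
 name: Create discovery engine Release
-if: github.repository == 'kubearmor/discovery-engine'
+if: github.repository == 'accuknox/discovery-engine'
 runs-on: ubuntu-20.04
 timeout-minutes: 60
 steps: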

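--- a/.github/workflows/stable-release.yml
+++ b/.github/workflows/stable-release.yml
@@ -12,7 +12,7 @@ name: discovery engine stable release
 jobs:
 build:
 name: Create discovery engine stable release
-if: github.repository == 'kubearmor/discovery-engine'
+if: github.repository == 'accuknox/discovery-engine'
 runs-on: ubuntu-20.04
 timeout-minutes: 60
 steps: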

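--- a/deployments/helm/configmapfiles/discovery-engine/conf.yaml
+++ b/deployments/helm/configmapfiles/discovery-engine/conf.yaml
@@ -74,4 +74,9 @@ feed-consumer:
 enable: false
 cert: /kafka-ssl/user.cert.pem
 key: /kafka-ssl/user.key.pem
-
+
+# Recommended policies configuration
+recommend:
+operation-mode: 1 # 1: cronjob | 2: one-time-job
+cron-job-time-interval: "1h0m00s" # format: XhYmZs
+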

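--- a/deployments/helm/values.yaml
+++ b/deployments/helm/values.yaml
@@ -32,7 +32,7 @@ clusterRole:
 create: true
 name: discovery-engine-role
 rules:
-- apiGroups: [""]
+- apiGroups: ["*"]
 resources: ["pods", "services", "deployments", "endpoints", "namespaces"]
 verbs: ["get", "list", "watch"]
 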
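Review bot: `apiGroups: ["*"]` at line 35 grants the ClusterRole read access to the listed resources in every API group, which is broader than the change needs; `deployments` lives in the `apps` group, which is presumably what the empty-string (core) group was missing. Prefer `- apiGroups: ["", "apps"]` so the role stays scoped to the two groups these resources actually belong to. The verbs remain get/list/watch, so the widening is read-only, but a wildcard group still silently picks up any future or CRD resource that happens to share one of these names.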

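--- a/deployments/k8s/deployment.yaml
+++ b/deployments/k8s/deployment.yaml
@@ -122,6 +122,11 @@ data:
 kubearmor:
 url: kubearmor.kube-system.svc.cluster.local
 port: 32767
+
+# Recommended policies configuration
+recommend:
+operation-mode: 1 # 1: cronjob | 2: one-time-job
+cron-job-time-interval: "1h0m00s" # format: XhYmZs
 ---
 apiVersion: v1
 kind: Service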

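--- a/src/Dockerfile
+++ b/src/Dockerfile
@@ -13,6 +13,9 @@ RUN cd src && make
 
 FROM artifactory.accuknox.com/accuknox/ubuntu:22.04
 
+RUN apt-get update && \
+apt-get install -y ca-certificates && \
+update-ca-certificates
 COPY --from=builder /usr/src/knox/grpcurl /usr/local/bin/grpcurl
 COPY --from=builder /usr/src/knox/scripts/convert_net_policy.sh /convert_net_policy.sh
 COPY --from=builder /usr/src/knox/scripts/dbclear.sh /dbclear.sh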
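Review bot: The apt layer added at lines 16-18 leaves the package index under `/var/lib/apt/lists` and any recommended packages in the runtime image; the same pattern is added in src/build/Dockerfile.autopol. Tightening it to `RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates && update-ca-certificates && rm -rf /var/lib/apt/lists/*` keeps the final image to what the binary needs. Installing ca-certificates itself is the right call given the HTTPS download of policy templates the commit message describes.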

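--- a/src/build/Dockerfile.autopol
+++ b/src/build/Dockerfile.autopol
@@ -12,6 +12,10 @@ RUN cd src && make
 
 FROM ubuntu:22.04
 
+RUN apt-get update && \
+apt-get install -y ca-certificates && \
+update-ca-certificates
+
 COPY --from=builder /usr/src/knox/grpcurl /usr/local/bin/grpcurl
 COPY --from=builder /usr/src/knox/scripts/convert_net_policy.sh /convert_net_policy.sh
 COPY --from=builder /usr/src/knox/scripts/dbclear.sh /dbclear.sh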

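--- a/src/conf/local-file.yaml
+++ b/src/conf/local-file.yaml
@@ -113,3 +113,8 @@ feed-consumer:
 # connection-timeout: 10 # in second
 # operation-timeout: 30 # in second
 # -----------------------------------------------
+
+# Recommended policies configuration
+recommend:
+operation-mode: 1 # 1: cronjob | 2: one-time-job
+cron-job-time-interval: "1h0m00s" # format: XhYmZs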

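--- a/src/conf/local.yaml
+++ b/src/conf/local.yaml
@@ -65,3 +65,8 @@ cilium-hubble:
 kubearmor:
 url: localhost
 port: 32767
+
+# Recommended policies configuration
+recommend:
+operation-mode: 1 # 1: cronjob | 2: one-time-job
+cron-job-time-interval: "1h0m00s" # format: XhYmZs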

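--- a/src/config/configManager.go
+++ b/src/config/configManager.go
@@ -207,6 +207,13 @@ func LoadConfigFromFile() {
 DBName: viper.GetStringSlice("purge-old-db-entries.dbname"),
 }
 
+// recommend policy configurations
+CurrentCfg.ConfigRecommendPolicy = types.ConfigRecommendPolicy{
+CronJobTimeInterval: "@every " + viper.GetString("recommend.cron-job-time-interval"),
+OneTimeJobTimeSelection: "", // e.g., 2021-01-20 07:00:23|2021-01-20 07:00:25
+OperationMode: viper.GetInt("recommend.operation-mode"),
+}
+
 // load database
 CurrentCfg.ConfigDB = LoadConfigDB()
 
@@ -489,3 +496,19 @@ func GetCfgPurgeOldDBEntriesCronJobTime() string {
 func GetCfgPurgeOldDBEntriesDBName() []string {
 return CurrentCfg.ConfigPurgeOldDBEntries.DBName
 }
+
+// ============================ //
+// == Get Recommend Config Info == //
+// ============================ //
+
+func GetCfgRecOperationMode() int {
+return CurrentCfg.ConfigRecommendPolicy.OperationMode
+}
+
+func GetCfgRecCronJobTime() string {
+return CurrentCfg.ConfigRecommendPolicy.CronJobTimeInterval
+}
+
+func GetCfgRecOneTime() string {
+return CurrentCfg.ConfigRecommendPolicy.OneTimeJobTimeSelection
+}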
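Review bot: At line 212 the cron spec is built as `"@every " + viper.GetString("recommend.cron-job-time-interval")` with no validation, so an empty or malformed interval only fails later when the scheduler parses the spec, far from the config value that caused it. Assuming the `@every` form takes a Go duration (as it does in robfig/cron), validate at load time: `if _, err := time.ParseDuration(viper.GetString("recommend.cron-job-time-interval")); err != nil { /* reject the config with a clear message */ }`. The three exported getters in the second hunk also have no doc comments; `// GetCfgRecCronJobTime returns the cron spec used to schedule recommended-policy generation.` and siblings would cover them. LoadConfigFromFile begins and ends outside the first hunk.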

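--- a/src/go.mod
+++ b/src/go.mod
@@ -10,11 +10,13 @@ replace (
 require (
 github.com/DATA-DOG/go-sqlmock v1.5.0
 github.com/apache/pulsar-client-go v0.8.1
+github.com/cavaliergopher/grab/v3 v3.0.1
 github.com/cilium/cilium v1.10.14
 github.com/clarketm/json v1.17.1
 github.com/confluentinc/confluent-kafka-go v1.6.1
 github.com/go-sql-driver/mysql v1.5.0
 github.com/google/go-cmp v0.5.8
+github.com/google/go-github v17.0.0+incompatible
 github.com/kubearmor/KVMService/src/types v0.0.0-20220714130113-b0eba8c9ff34
 github.com/kubearmor/KubeArmor/protobuf v0.0.0-20220504043216-6451e04be58b
 github.com/mattn/go-sqlite3 v1.14.12
@@ -70,6 +72,7 @@ require (
 github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
 github.com/golang/protobuf v1.5.2 // indirect
 github.com/golang/snappy v0.0.3 // indirect
+github.com/google/go-querystring v1.1.0 // indirect
 github.com/google/gofuzz v1.2.0 // indirect
 github.com/googleapis/gnostic v0.5.5 // indirect
 github.com/gsterjov/go-libsecret v0.0.0-20161001094733-a6f4afe4910c // indirect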

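--- a/src/go.sum
+++ b/src/go.sum
@@ -153,6 +153,8 @@ github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM
 github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
 github.com/bmizerany/perks v0.0.0-20141205001514-d9a9656a3a4b/go.mod h1:ac9efd0D1fsDb3EJvhqgXRbFx7bs2wqZ10HQPeU8U/Q=
 github.com/buger/jsonparser v0.0.0-20180808090653-f4dd9f5a6b44/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s=
+github.com/cavaliergopher/grab/v3 v3.0.1 h1:4z7TkBfmPjmLAAmkkAZNX/6QJ1nNFdv3SdIHXju0Fr4=
+github.com/cavaliergopher/grab/v3 v3.0.1/go.mod h1:1U/KNnD+Ft6JJiYoYBAimKH2XrYptb8Kl3DFGmsjpq4=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/census-instrumentation/opencensus-proto v0.3.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
@@ -474,6 +476,10 @@ github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg=
 github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-github v17.0.0+incompatible h1:N0LgJ1j65A7kfXrZnUDaYCs/Sf4rEjNlfyDHW9dolSY=
+github.com/google/go-github v17.0.0+incompatible/go.mod h1:zLgOLi98H3fifZn+44m+umXrS52loVEgC2AApnigrVQ=
+github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
+github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=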

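--- a/src/libs/common.go
+++ b/src/libs/common.go
@@ -145,6 +145,11 @@ func SetDefaultConfig() {
 viper.SetDefault("feed-consumer.pulsar.connection-timeout", "10")
 viper.SetDefault("feed-consumer.pulsar.operation-timeout", "30")
 
+// recommend config
+
+viper.SetDefault("recommend.cron-job-time-interval", "1h0m00s")
+viper.SetDefault("recommend.operation-mode", 1)
+
 }
 
 type cfgArray []string
@@ -311,10 +316,8 @@ func IsICMP(protocol int) bool {
 }
 
 func IsReplyICMP(icmpType int) bool {
-if ContainsElement(ICMPReplyType, icmpType) {
-return true
-}
-return false
+return ContainsElement(ICMPReplyType, icmpType)
+
 }
 
 // ============ //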
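Review bot: The blank line 152 added just before the closing brace of SetDefaultConfig and the blank line 320 left in IsReplyICMP after the simplified return are stray whitespace with nothing to separate; both hunks read cleaner with them dropped. Lines 148-149 can likewise collapse to the single comment `// recommend config` directly above the two SetDefault calls, matching how the neighbouring defaults are grouped. SetDefaultConfig begins outside the first hunk.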

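--- a/src/plugin/kubearmor.go
+++ b/src/plugin/kubearmor.go
@@ -60,7 +60,7 @@ func ConvertKnoxSystemPolicyToKubeArmorPolicy(knoxPolicies []types.KnoxSystemPol
 
 kubePolicy.Spec = policy.Spec
 
-if kubePolicy.Kind == "KubeArmorPolicy" {
+if kubePolicy.Kind == "KubeArmorPolicy" && policy.Spec.Action == "Allow" {
 dirRule := types.KnoxMatchDirectories{
 Dir: types.PreConfiguredKubearmorRule,
 Recursive: true,
@@ -469,17 +469,21 @@ func StartKubeArmorRelay(StopChan chan struct{}, cfg types.ConfigKubeArmorRelay)
 }
 
 kubearmorLog := pb.Log{
-ClusterName: res.ClusterName,
-ContainerName: res.ContainerName,
-HostName: res.HostName,
-NamespaceName: res.NamespaceName,
-PodName: res.PodName,
-Source: res.Source,
-Operation: res.Operation,
-Resource: res.Resource,
-Data: res.Data,
-Result: res.Result,
-Type: res.Type,
+ClusterName: res.ClusterName,
+ContainerName: res.ContainerName,
+ContainerID: res.ContainerID,
+HostName: res.HostName,
+NamespaceName: res.NamespaceName,
+PodName: res.PodName,
+Source: res.Source,
+Operation: res.Operation,
+Resource: res.Resource,
+Data: res.Data,
+Result: res.Result,
+Type: res.Type,
+ProcessName: res.ProcessName,
+ParentProcessName: res.ParentProcessName,
+Timestamp: res.Timestamp,
 }
 
 if ignoreLogFromRelayWithNamespace(nsFilter, nsNotFilter, &kubearmorLog) {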
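Review bot: The new `&& policy.Spec.Action == "Allow"` condition at line 63 narrows when the pre-configured directory rule is appended, but nothing records why only Allow policies need it, so a later reader cannot tell whether Audit and Block policies were deliberately excluded or overlooked. Add a why-comment above the `if`, e.g. `// only Allow (allow-list) policies get the pre-configured directory rule — TODO confirm why Audit/Block are excluded`, and consider comparing against named constants rather than the bare string literals "KubeArmorPolicy" and "Allow" if the types package already defines them. Both ConvertKnoxSystemPolicyToKubeArmorPolicy and StartKubeArmorRelay begin and end outside their hunks.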
