add ci workflow to test ubi image

Signed-off-by: rksharma95 <[email protected]>
kubearmor · Aug 22, 2023 · ff81002 · ff81002
1 parent 4772505
commit ff81002
Show file tree

Hide file tree

Showing 12 changed files with 233 additions and 33 deletions.
diff --git a/.github/workflows/ci-latest-release.yml b/.github/workflows/ci-latest-release.yml
@@ -115,11 +115,13 @@ jobs:
         run: | 
           echo "imagedigest=$(jq -r '.["containerimage.digest"]' kubearmor.json)" >> $GITHUB_OUTPUT
           echo "initdigest=$(jq -r '.["containerimage.digest"]' kubearmor-init.json)" >> $GITHUB_OUTPUT
+          echo "ubidigest=$(jq -r '.["containerimage.digest"]' kubearmor-ubi.json)" >> $GITHUB_OUTPUT
 
       - name: Sign the Container Images
         run: |
           cosign sign -r kubearmor/kubearmor@${{ steps.digest.outputs.imagedigest }} --yes
           cosign sign -r kubearmor/kubearmor-init@${{ steps.digest.outputs.initdigest }} --yes
+          cosign sign -r kubearmor/kubearmor-ubi@${{ steps.digest.outputs.ubidigest }} --yes
 
   push-stable-version:
     name: Create KubeArmor stable release

diff --git a/.github/workflows/ci-test-controllers.yml b/.github/workflows/ci-test-controllers.yml
@@ -32,6 +32,7 @@ jobs:
           helm upgrade --install kubearmor ./deployments/helm/KubeArmor \
           --values ./KubeArmor/build/kubearmor-helm-test-values.yaml \
           --set kubearmorController.imagePullPolicy=Never \
+          --set kubearmorInit.imagePullPolicy=Always \
           --set kubearmor.imagePullPolicy=Always \
           --set kubearmor.image.tag=latest \
           -n kube-system;

diff --git a/.github/workflows/ci-test-ubi-image.yml b/.github/workflows/ci-test-ubi-image.yml
@@ -0,0 +1,107 @@
+name: ci-test-ubi-ginkgo
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "KubeArmor/**"
+      - "tests/**"
+      - "protobuf/**"
+      - ".github/workflows/ci-test-ginkgo.yml"
+  pull_request:
+    branches: [main]
+    paths:
+      - "KubeArmor/**"
+      - "tests/**"
+      - "protobuf/**"
+      - ".github/workflows/ci-test-ginkgo.yml"
+
+jobs:
+  build:
+    name: Auto-testing Framework / ${{ matrix.os }} / ${{ matrix.runtime }}
+    runs-on: ${{ matrix.os }}
+    env:
+      RUNTIME: ${{ matrix.runtime }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: ["bpflsm"]
+
+        runtime: ["crio"]
+
+
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          submodules: true
+
+      - uses: actions/setup-go@v3
+        with:
+          go-version: "v1.20"
+
+      - name: Install the latest LLVM toolchain
+        run: ./.github/workflows/install-llvm.sh
+
+      - name: Compile libbpf
+        run: ./.github/workflows/install-libbpf.sh
+
+      - name: Setup a Kubernetes environment
+        run: ./.github/workflows/install-k3s.sh
+
+      - name: Generate KubeArmor artifacts
+        run: |
+          GITHUB_SHA=$GITHUB_SHA ./KubeArmor/build/build_kubearmor.sh
+
+      - name: Run KubeArmor
+        run: |
+          sudo podman pull docker-daemon:kubearmor/kubearmor-init:latest
+          sudo podman pull docker-daemon:kubearmor/kubearmor-ubi:latest
+          helm upgrade --install kubearmor-operator ./deployments/helm/KubeArmorOperator -n kube-system
+          kubectl wait --for=condition=ready --timeout=5m -n kube-system pod -l kubearmor-app=kubearmor-operator
+          kubectl get pods -A
+          kubectl apply -f pkg/KubeArmorOperator/config/samples/kubearmor-ubi-test.yaml
+          kubectl wait -n kube-system --timeout=5m --for=jsonpath='{.status.phase}'=Running kubearmorconfigs/kubearmorconfig-test
+          kubectl wait --timeout=5m --for=condition=ready pod -l kubearmor-app,kubearmor-app!=kubearmor-snitch -n kube-system
+          kubectl get pods -A
+
+      - name: Test KubeArmor using Ginkgo
+        run: |
+          go install -mod=mod github.com/onsi/ginkgo/v2/ginkgo
+          make
+        working-directory: ./tests
+        timeout-minutes: 30
+
+      - name: Get karmor sysdump
+        if: ${{ failure() }}
+        run: |
+          kubectl describe pod -n kube-system -l kubearmor-app=kubearmor
+          curl -sfL http://get.kubearmor.io/ | sudo sh -s -- -b /usr/local/bin
+          mkdir -p /tmp/kubearmor/ && cd /tmp/kubearmor && karmor sysdump
+
+      - name: Archive log artifacts
+        if: ${{ failure() }}
+        uses: actions/upload-artifact@v3
+        with:
+          name: kubearmor.logs
+          path: |
+            /tmp/kubearmor/
+            /tmp/kubearmor.*
+
+      - name: Measure code coverage
+        if: ${{ always() }}
+        run: |
+          go install github.com/modocache/gover@latest
+          gover
+          go tool cover -func=gover.coverprofile
+        working-directory: KubeArmor
+        env:
+          GOPATH: /home/vagrant/go
+      - uses: codecov/codecov-action@v3
+        if: ${{ always() }}
+        with:
+          files: ./KubeArmor/gover.coverprofile
+      - name: Run cleanup
+        if: ${{ always() }}
+        run: ./.github/workflows/cleanup.sh
+
+
diff --git a/.github/workflows/cleanup.sh b/.github/workflows/cleanup.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2021 Authors of KubeArmor
+
+# Cleanup function
+cleanup() {
+  echo "Performing cleanup..."
+
+  ./usr/local/bin/k3s-killall.sh
+
+  /usr/local/bin/k3s-uninstall.sh
+
+  docker system prune -a -f
+
+  # rm -rf /home/vagrant/actions-runner/_work/KubeArmor
+
+  echo "Cleanup complete."
+}
+# Invoke the cleanup function
+cleanup
diff --git a/Dockerfile b/Dockerfile
@@ -17,19 +17,36 @@ WORKDIR /usr/src/KubeArmor/KubeArmor
 RUN go install github.com/golang/protobuf/protoc-gen-go@latest
 RUN make
 
+### Make executable image
+
+FROM alpine:3.17 as kubearmor
+
+RUN echo "@community http://dl-cdn.alpinelinux.org/alpine/edge/community" | tee -a /etc/apk/repositories
+
+RUN apk --no-cache update
+RUN apk add apparmor@community apparmor-utils@community bash
+
+COPY --from=builder /usr/src/KubeArmor/KubeArmor/kubearmor /KubeArmor/kubearmor
+COPY --from=builder /usr/src/KubeArmor/KubeArmor/templates/* /KubeArmor/templates/
+
+ENTRYPOINT ["/KubeArmor/kubearmor"]
+
+### TODO ###
+
 ### build apparmor_parser binary
 
 ## debian:10 uses glibc2.28 version similar to ubi9
-FROM debian:10 AS apparmor-builder
-RUN apt-get update && apt-get install -y apparmor
-RUN mkdir /tmp/apparmor && \
-    cp /sbin/apparmor_parser /tmp/apparmor/
+# FROM debian:10 AS apparmor-builder
+# RUN apt-get update && apt-get install -y apparmor
+# RUN mkdir /tmp/apparmor && \
+#     cp /sbin/apparmor_parser /tmp/apparmor/
 
 ### Make UBI-based executable image
 
-FROM redhat/ubi9-minimal as kubearmor
+FROM redhat/ubi9-minimal as kubearmor-ubi
 
 ARG VERSION=latest
+ENV KUBEARMOR_UBI=true
 
 LABEL name="kubearmor" \
       vendor="Accuknox" \
@@ -51,10 +68,12 @@ RUN groupadd --gid 1000 default \
 COPY LICENSE /licenses/license.txt
 COPY --from=builder --chown=default:dafault /usr/src/KubeArmor/KubeArmor/kubearmor /KubeArmor/kubearmor
 COPY --from=builder --chown=default:default /usr/src/KubeArmor/KubeArmor/templates/* /KubeArmor/templates/
-COPY --from=apparmor-builder /tmp/apparmor/apparmor_parser /usr/sbin/
 
-RUN chmod u+s /usr/sbin/apparmor_parser
-RUN setcap "cap_sys_admin=ep cap_ipc_lock=ep cap_sys_resource=ep cap_dac_override=ep cap_dac_read_search=ep" /KubeArmor/kubearmor
+# TODO
+# COPY --from=apparmor-builder /tmp/apparmor/apparmor_parser /usr/sbin/
+# RUN chmod u+s /usr/sbin/apparmor_parser
+
+RUN setcap "cap_sys_admin=ep cap_sys_ptrace=ep cap_ipc_lock=ep cap_sys_resource=ep cap_dac_override=ep cap_dac_read_search=ep" /KubeArmor/kubearmor
 
 USER 1000
 ENTRYPOINT ["/KubeArmor/kubearmor"]

diff --git a/KubeArmor/build/build_kubearmor.sh b/KubeArmor/build/build_kubearmor.sh
@@ -4,6 +4,8 @@
 
 [[ "$REPO" == "" ]] && REPO="kubearmor/kubearmor"
 
+UBIREPO="kubearmor/kubearmor-ubi"
+
 realpath() {
     CURR=$PWD
 
@@ -45,7 +47,7 @@ unset LABEL
 # build a kubearmor image
 DTAG="-t $REPO:$VERSION"
 echo "[INFO] Building $DTAG"
-cd $ARMOR_HOME/..; docker build $DTAG -f Dockerfile --build-arg VERSION=$VERSION  --target kubearmor . $LABEL
+cd $ARMOR_HOME/..; docker build $DTAG -f Dockerfile --target kubearmor . $LABEL
 
 if [ $? != 0 ]; then
     echo "[FAILED] Failed to build $REPO:$VERSION"
@@ -64,4 +66,15 @@ if [ $? != 0 ]; then
 fi
 echo "[PASSED] Built $REPO-init:$VERSION"
 
+# build a kubearmor-ubi image
+DTAGUBI="-t $UBIREPO:$VERSION"
+echo "[INFO] Building $UBIREPO"
+cd $ARMOR_HOME/..; docker build $DTAGUBI -f Dockerfile --build-arg VERSION=$VERSION --target kubearmor-ubi . $LABEL
+
+if [ $? != 0 ]; then
+    echo "[FAILED] Failed to build $DTAGUBI:$VERSION"
+    exit 1
+fi
+echo "[PASSED] Built $DTAGUBI:$VERSION"
+
 exit 0
diff --git a/KubeArmor/build/push_kubearmor.sh b/KubeArmor/build/push_kubearmor.sh
@@ -8,6 +8,8 @@
 
 [[ "$STABLE_VERSION" != "" ]] && STABEL_LABEL="--label stabel-version=$STABLE_VERSION"
 
+UBIREPO="kubearmor/kubearmor-ubi"
+
 # set LABEL
 unset LABEL
 [[ "$GITHUB_SHA" != "" ]] && LABEL="--label github_sha=$GITHUB_SHA"
@@ -42,7 +44,7 @@ pwd
 
 # push $REPO
 echo "[INFO] Pushing $REPO:$VERSION"
-cd $ARMOR_HOME/..; docker buildx build --metadata-file kubearmor.json --platform $PLATFORMS --build-arg VERSION=$VERSION -t $REPO:$VERSION -f Dockerfile --push $LABEL $STABEL_LABEL .
+cd $ARMOR_HOME/..; docker buildx build --metadata-file kubearmor.json --platform $PLATFORMS --target kubearmor -t $REPO:$VERSION -f Dockerfile --push $LABEL $STABEL_LABEL .
 
 [[ $? -ne 0 ]] && echo "[FAILED] Failed to push $REPO:$VERSION" && exit 1
 echo "[PASSED] Pushed $REPO:$VERSION"
@@ -54,4 +56,11 @@ cd $ARMOR_HOME/..; docker buildx build --metadata-file kubearmor-init.json --pla
 [[ $? -ne 0 ]] && echo "[FAILED] Failed to push $REPO-init:$VERSION" && exit 1
 echo "[PASSED] Pushed $REPO-init:$VERSION"
 
+# push $UBIREPO
+echo "[INFO] Pushing $UBIREPO:$VERSION"
+cd $ARMOR_HOME/..; docker buildx build --metadata-file kubearmor-ubi.json --platform $PLATFORMS --build-arg VERSION=$VERSION --target kubearmor-ubi -t $UBIREPO:$VERSION -f Dockerfile --push $LABEL $STABEL_LABEL .
+
+[[ $? -ne 0 ]] && echo "[FAILED] Failed to push $UBIREPO:$VERSION" && exit 1
+echo "[PASSED] Pushed $UBIREPO:$VERSION"
+
 exit 0
diff --git a/KubeArmor/main.go b/KubeArmor/main.go
@@ -30,10 +30,12 @@ func init() {
 }
 
 func main() {
-	// if os.Geteuid() != 0 {
-	// 	kg.Printf("Need to have root privileges to run %s\n", os.Args[0])
-	// 	return
-	// }
+	if os.Geteuid() != 0 {
+		if os.Getenv("KUBEARMOR_UBI") == "" {
+			kg.Printf("Need to have root privileges to run %s\n", os.Args[0])
+			return
+		}
+	}
 
 	dir, err := filepath.Abs(filepath.Dir(os.Args[0]))
 	if err != nil {

diff --git a/Makefile b/Makefile
diff --git a/pkg/KubeArmorOperator/config/samples/kubearmor-ubi-test.yaml b/pkg/KubeArmorOperator/config/samples/kubearmor-ubi-test.yaml
@@ -0,0 +1,28 @@
+apiVersion: operator.kubearmor.com/v1
+kind: KubeArmorConfig
+metadata:
+  labels:
+    app.kubernetes.io/name: kubearmorconfig
+    app.kubernetes.io/instance: kubearmorconfig-sample
+    app.kubernetes.io/part-of: kubearmoroperator
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/created-by: kubearmoroperator
+  name: kubearmorconfig-test
+  namespace: kube-system
+spec:
+  defaultCapabilitiesPosture: block
+  defaultFilePosture: block
+  defaultNetworkPosture: block
+  defaultVisibility: process,file,network
+  kubearmorImage:
+    image: kubearmor/kubearmor-ubi:latest
+    imagePullPolicy: Never
+  kubearmorInitImage:
+    image: kubearmor/kubearmor-init:latest
+    imagePullPolicy: Never
+  kubearmorRelayImage:
+    image: kubearmor/kubearmor-relay-server:latest
+    imagePullPolicy: Always
+  kubearmorControllerImage:
+    image: kubearmor/kubearmor-controller:latest
+    imagePullPolicy: Always
diff --git a/tests/ksp/ksp_test.go b/tests/ksp/ksp_test.go
@@ -1776,6 +1776,10 @@ var _ = Describe("Ksp", func() {
 		It("it can block access to the files that following a given pattern", func() {
 			// multiubuntu_test_11, github_test_03
 
+			if strings.Contains(K8sRuntimeEnforcer(), "bpf") {
+				Skip("Skipping due to policy not supported by bpflsm enforcer")
+			}
+
 			// Test 1 : trying to access file following the pattern
 
 			// Apply KubeArmor Policy
@@ -1856,6 +1860,9 @@ var _ = Describe("Ksp", func() {
 
 		It("it can block access to a file directory recursively using native apparmor spec", func() {
 			// multiubuntu_test_10, github_test_11
+			if strings.Contains(K8sRuntimeEnforcer(), "bpf") {
+				Skip("Skipping due to apparmor specific policy")
+			}
 
 			// Apply KubeArmor Policy
 			err := K8sApplyFile("multiubuntu/nsp-group-1-block-file-dir-recursive.yaml")

diff --git a/tests/util/kartutil.go b/tests/util/kartutil.go
@@ -587,3 +587,14 @@ func K8sCRIRuntime() string {
 	containerRuntime := nodes.Items[0].Status.NodeInfo.ContainerRuntimeVersion
 	return containerRuntime
 }
+
+// K8sRuntimeEnforcer extracts Runtime Enforcer from the Node Labels
+func K8sRuntimeEnforcer() string {
+	nodes, _ := k8sClient.K8sClientset.CoreV1().Nodes().List(context.Background(), metav1.ListOptions{})
+	if len(nodes.Items) <= 0 {
+		return ""
+	}
+
+	runtimeEnforcer := nodes.Items[0].Labels["kubearmor.io/enforcer"]
+	return runtimeEnforcer
+}