diff --git a/tests/k8s_env/blockposture/block_test.go b/tests/k8s_env/blockposture/block_test.go index 5e3bc6b1ff..1dc15eb81a 100644 --- a/tests/k8s_env/blockposture/block_test.go +++ b/tests/k8s_env/blockposture/block_test.go @@ -74,10 +74,10 @@ var _ = Describe("Posture", func() { MatchRegexp("curl.*Could not resolve host: google.com"), true, ) - out, _, err := K8sExecInPod(wp, "wordpress-mysql", []string{"bash", "-c", "curl 142.250.193.46"}) - Expect(err).To(BeNil()) - fmt.Printf("---START---\n%s---END---\n", out) - Expect(out).To(MatchRegexp("((?:.*\r?\n?)*)")) + AssertCommand( + wp, "wordpress-mysql", []string{"bash", "-c", "curl 142.250.193.46"}, + MatchRegexp("((?:.*\\r?\\n?)*)"), true, + ) // check policy violation alert _, alerts, err := KarmorGetLogs(5*time.Second, 1) Expect(err).To(BeNil()) @@ -101,16 +101,16 @@ var _ = Describe("Posture", func() { Expect(err).To(BeNil()) //curl needs UDP for DNS resolution - sout, _, err := K8sExecInPod(wp, "wordpress-mysql", []string{"bash", "-c", "cat wp-config.php"}) - Expect(err).To(BeNil()) - fmt.Printf("---START---\n%s---END---\n", sout) - Expect(sout).To(MatchRegexp("cat.*Permission denied")) + AssertCommand( + wp, "wordpress-mysql", []string{"bash", "-c", "cat wp-config.php"}, + MatchRegexp("cat.*Permission denied"), true, + ) //test that tcp is whitelisted - out, _, err := K8sExecInPod(wp, "wordpress-mysql", []string{"bash", "-c", "cat readme.html"}) - Expect(err).To(BeNil()) - fmt.Printf("---START---\n%s---END---\n", out) - Expect(out).To(MatchRegexp("((?:.*\r?\n?)*)")) + AssertCommand( + wp, "wordpress-mysql", []string{"bash", "-c", "cat readme.html"}, + MatchRegexp("((?:.*\r?\n?)*)"), true, + ) // check policy violation alert _, alerts, err := KarmorGetLogs(5*time.Second, 1) Expect(err).To(BeNil()) diff --git a/tests/k8s_env/ksp/ksp_test.go b/tests/k8s_env/ksp/ksp_test.go index a172fcdfd2..7a46554392 100644 --- a/tests/k8s_env/ksp/ksp_test.go +++ b/tests/k8s_env/ksp/ksp_test.go 
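Review bot: The two allow-path checks in block_test.go (`curl 142.250.193.46` in the first hunk, `cat readme.html` in the second) use a pattern that matches any output, including the empty string and a `Permission denied` message, so they do not show that the whitelisted access actually went through. The pattern is also spelled two ways, `"((?:.*\\r?\\n?)*)"` in the first hunk and `"((?:.*\r?\n?)*)"` in the second; both match the same input, but one form should be used. For the file read, `Not(MatchRegexp("Permission denied"))`, the form the smoke test in this commit uses, would make the check meaningful. The enclosing `It` blocks start and end outside both hunks.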
@@ -84,9 +84,10 @@ var _ = Describe("Ksp", func() { err = KarmorLogStart("all", "nginx", "", pods.Items[0].Name) Expect(err).To(BeNil()) - sout, _, err := K8sExecInPod(pods.Items[0].Name, "nginx", []string{"ls"}) - Expect(err).To(BeNil()) - fmt.Printf("---START---\n%s---END---\n", sout) + AssertCommand( + pods.Items[0].Name, "nginx", []string{"ls"}, + MatchRegexp(".*"), true, + ) // check audit logs logs, _, err := KarmorGetLogs(5*time.Second, 50) @@ -110,11 +111,10 @@ var _ = Describe("Ksp", func() { err = KarmorLogStart("policy", "multiubuntu", "Network", ub1) Expect(err).To(BeNil()) - sout, _, err := K8sExecInPod(ub1, "multiubuntu", - []string{"bash", "-c", "ping -c 1 127.0.0.1"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) - Expect(sout).To(MatchRegexp("PING.*127.0.0.1")) + AssertCommand( + ub1, "multiubuntu", []string{"bash", "-c", "ping -c 1 127.0.0.1"}, + MatchRegexp("PING.*127.0.0.1"), true, + ) expect := protobuf.Alert{ PolicyName: "ksp-ubuntu-1-audit-net-icmp", @@ -220,11 +220,10 @@ var _ = Describe("Ksp", func() { err = KarmorLogStart("policy", "multiubuntu", "Network", ub1) Expect(err).To(BeNil()) - sout, _, err := K8sExecInPod(ub1, "multiubuntu", - []string{"bash", "-c", "arping -c 1 127.0.0.1"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) - Expect(sout).To(MatchRegexp("ARPING 127.0.0.1")) + AssertCommand( + ub1, "multiubuntu", []string{"bash", "-c", "arping -c 1 127.0.0.1"}, + MatchRegexp("ARPING 127.0.0.1"), true, + ) expect := protobuf.Alert{ PolicyName: "ksp-ubuntu-1-audit-net-raw", 
@@ -422,10 +421,10 @@ var _ = Describe("Ksp", func() { err = KarmorLogStart("policy", "multiubuntu", "Process", ub4) Expect(err).To(BeNil()) - sout, _, err := K8sExecInPod(ub4, "multiubuntu", - []string{"bash", "-c", "sleep 1"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) + AssertCommand( + ub4, "multiubuntu", []string{"bash", "-c", "sleep 1"}, + MatchRegexp(".*"), true, + ) expect := protobuf.Alert{ PolicyName: "ksp-group-2-audit-proc-path", @@ -629,11 +628,10 @@ var _ = Describe("Ksp", func() { AssertCommand(ub3, "multiubuntu", []string{"bash", "-c", "/home/user1/hello"}, MatchRegexp("hello.*Permission denied"), true, ) - sout, _, err := K8sExecInPod(ub3, "multiubuntu", - []string{"bash", "-c", "/home/user1/hello"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) - Expect(sout).To(MatchRegexp("hello.*Permission denied")) + AssertCommand( + ub3, "multiubuntu", []string{"bash", "-c", "/home/user1/hello"}, + MatchRegexp("hello.*Permission denied"), true, + ) expect := protobuf.Alert{ PolicyName: "ksp-ubuntu-3-block-proc-path-owner", @@ -934,10 +932,10 @@ var _ = Describe("Ksp", func() { err = KarmorLogStart("policy", "multiubuntu", "File", ub1) Expect(err).To(BeNil()) - sout, _, err := K8sExecInPod(ub1, "multiubuntu", - []string{"bash", "-c", "touch /home/user1/new1"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) + AssertCommand( + ub1, "multiubuntu", []string{"bash", "-c", "touch /home/user1/new1"}, + MatchRegexp(".*"), true, + ) expect := protobuf.Alert{ PolicyName: "ksp-ubuntu-1-audit-file-access-owner-readonly", 
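Review bot: In the `@@ -629,11 +628,10 @@` hunk the added `AssertCommand` for `/home/user1/hello` is identical to the context call directly above it, so the blocked binary is now executed and asserted twice in a row. Unless the repeat is deliberate, drop the added call and keep the existing one; if it is deliberate, say why in a comment on the second call. Whether the extra run affects the `expect` alert check that follows cannot be told from the hunk, since that check continues outside it.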
@@ -1514,10 +1512,10 @@ var _ = Describe("Ksp", func() { err = KarmorLogStart("system", "multiubuntu", "File", ub4) Expect(err).To(BeNil()) - sout, _, err := K8sExecInPod(ub4, "multiubuntu", - []string{"bash", "-c", "su - user1 -c 'cat /home/user1/secret_data1.txt'"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) + AssertCommand( + ub4, "multiubuntu", []string{"bash", "-c", "su - user1 -c 'cat /home/user1/secret_data1.txt'"}, + MatchRegexp(".*"), true, + ) // Expect(sout).To(ContainSubstring("secret file user1")) expectLog := protobuf.Log{ @@ -1631,10 +1629,10 @@ var _ = Describe("Ksp", func() { // Test 3: write operation on the file by the owner should also be allowed // No need for AssertCommand here since there is nothing to match - sout, _, err := K8sExecInPod(ub3, "multiubuntu", - []string{"bash", "-c", "su - user1 -c 'echo user1 >> /home/user1/secret_data1.txt'"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) + AssertCommand( + ub3, "multiubuntu", []string{"bash", "-c", "su - user1 -c 'echo user1 >> /home/user1/secret_data1.txt'"}, + MatchRegexp(".*"), true, + ) }) @@ -1693,11 +1691,10 @@ var _ = Describe("Ksp", func() { err = KarmorLogStart("system", "multiubuntu", "File", ub4) Expect(err).To(BeNil()) - sout, _, err := K8sExecInPod(ub4, "multiubuntu", - []string{"bash", "-c", "./readwrite -r /secret.txt"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) - Expect(sout).To(ContainSubstring("s")) + AssertCommand( + ub4, "multiubuntu", []string{"bash", "-c", "./readwrite -r /secret.txt"}, + ContainSubstring("s"), true, + ) expectLog = protobuf.Log{ Resource: "secret.txt", 
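Review bot: The context line `// Expect(sout).To(ContainSubstring("secret file user1"))` after the new call in the `@@ -1514,10 +1512,10 @@` hunk still refers to `sout`, which this change removes, and the added matcher `MatchRegexp(".*")` accepts any output, a denial included. If the owner's read is expected to succeed, the check belongs in the matcher, e.g. `ContainSubstring("secret file user1")`. If it was disabled for a reason, replace the dead line with a comment that states the reason. The surrounding test body continues outside the hunk.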
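Review bot: The comment `// No need for AssertCommand here since there is nothing to match` in the `@@ -1631,10 +1629,10 @@` hunk now sits directly above an `AssertCommand` call and contradicts it. Update it to describe the new call, for example `// output is not checked; only the exec error is of interest here`, or delete it. What `AssertCommand` does with the exec error is not visible in this diff, so the wording should be confirmed against the helper.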
@@ -1731,10 +1728,10 @@ var _ = Describe("Ksp", func() { err = KarmorLogStart("policy", "multiubuntu", "File", ub4) Expect(err).To(BeNil()) - sout, _, err := K8sExecInPod(ub4, "multiubuntu", - []string{"bash", "-c", "./readwrite -w /credentials/password"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) + AssertCommand( + ub4, "multiubuntu", []string{"bash", "-c", "./readwrite -w /credentials/password"}, + MatchRegexp(".*"), true, + ) expect := protobuf.Alert{ PolicyName: "DefaultPosture", @@ -1750,10 +1747,10 @@ var _ = Describe("Ksp", func() { // Test 3: reading some other file should be denied as not allowed by the policy - sout, _, err = K8sExecInPod(ub4, "multiubuntu", - []string{"bash", "-c", "./readwrite -r /secret.txt"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) + AssertCommand( + ub4, "multiubuntu", []string{"bash", "-c", "./readwrite -r /secret.txt"}, + MatchRegexp(".*"), true, + ) expect = protobuf.Alert{ PolicyName: "DefaultPosture", @@ -1832,10 +1829,10 @@ var _ = Describe("Ksp", func() { err = KarmorLogStart("policy", "multiubuntu", "File", ub4) Expect(err).To(BeNil()) - sout, _, err := K8sExecInPod(ub4, "multiubuntu", - []string{"bash", "-c", "touch /dev/shm/new"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) + AssertCommand( + ub4, "multiubuntu", []string{"bash", "-c", "touch /dev/shm/new"}, + MatchRegexp(".*"), true, + ) expect := protobuf.Alert{ PolicyName: "ksp-ubuntu-4-audit-file-path-readonly", @@ -2008,11 +2005,10 @@ var _ = Describe("Ksp", func() { err = KarmorLogStart("system", "multiubuntu", "File", ub4) Expect(err).To(BeNil()) - sout, _, err := K8sExecInPod(ub4, "multiubuntu", - []string{"bash", "-c", "cat /credentials/password"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) - Expect(sout).To(ContainSubstring("password file")) + AssertCommand( + ub4, "multiubuntu", []string{"bash", "-c", "cat /credentials/password"}, + ContainSubstring("password file"), true, + ) }) }) 
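Review bot: In the `@@ -1750,10 +1747,10 @@` hunk the comment says reading `/secret.txt` should be denied, but the added call passes `MatchRegexp(".*")`, which is satisfied whether the read is denied or allowed. The test then rests only on the `DefaultPosture` alert that follows, and from these lines it cannot be told whether that alert distinguishes a blocked read from an audited one. If the posture in this test is blocking, assert the denial on the command output as other tests in this file do, e.g. `MatchRegexp("Permission denied")`. The exact message printed by `./readwrite` is not visible here and should be confirmed first.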
diff --git a/tests/k8s_env/smoke/smoke_test.go b/tests/k8s_env/smoke/smoke_test.go index f0f3b1a303..0c25276574 100644 --- a/tests/k8s_env/smoke/smoke_test.go +++ b/tests/k8s_env/smoke/smoke_test.go @@ -68,10 +68,8 @@ var _ = Describe("Smoke", func() { // wait for policy creation time.Sleep(5 * time.Second) - sout, _, err := K8sExecInPod(wp, "wordpress-mysql", []string{"bash", "-c", "apt"}) - Expect(err).To(BeNil()) - fmt.Printf("---START---\n%s---END---\n", sout) - Expect(sout).To(MatchRegexp("apt.*Permission denied")) + AssertCommand(wp, "wordpress-mysql", []string{"bash", "-c", "apt"}, MatchRegexp("apt.*Permission denied"), true) + // check policy violation alert expect := protobuf.Alert{ @@ -97,11 +95,8 @@ var _ = Describe("Smoke", func() { // wait for policy creation time.Sleep(5 * time.Second) - sout, _, err := K8sExecInPod(wp, "wordpress-mysql", - []string{"bash", "-c", "cat /var/www/html/wp-config.php"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) - Expect(sout).To(MatchRegexp("wp-config.php.*Permission denied")) + AssertCommand(wp, "wordpress-mysql", []string{"bash", "-c", "cat /var/www/html/wp-config.php"}, MatchRegexp("wp-config.php.*Permission denied"), true) + // check policy violation alert expect := protobuf.Alert{ @@ -127,11 +122,7 @@ var _ = Describe("Smoke", func() { // wait for policy creation time.Sleep(5 * time.Second) - sout, _, err := K8sExecInPod(wp, "wordpress-mysql", - []string{"bash", "-c", "cat wp-config.php"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) - Expect(sout).To(MatchRegexp("wp-config.php.*Permission denied")) + AssertCommand(wp, "wordpress-mysql", []string{"bash", "-c", "cat wp-config.php"}, MatchRegexp("wp-config.php.*Permission denied"), true) // check policy violation alert expect := protobuf.Alert{ 
@@ -156,11 +147,8 @@ var _ = Describe("Smoke", func() { // wait for policy creation time.Sleep(5 * time.Second) - sout, _, err := K8sExecInPod(wp, "wordpress-mysql", - []string{"bash", "-c", "cat /run/secrets/kubernetes.io/serviceaccount/token"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) - Expect(sout).To(MatchRegexp("token.*Permission denied")) + AssertCommand(wp, "wordpress-mysql", []string{"bash", "-c", "cat /run/secrets/kubernetes.io/serviceaccount/token"}, MatchRegexp("token.*Permission denied"), true) + // check policy violation alert expect := protobuf.Alert{ @@ -185,11 +173,7 @@ var _ = Describe("Smoke", func() { time.Sleep(5 * time.Second) // trigger policy violation alert - sout, _, err := K8sExecInPod(wp, "wordpress-mysql", - []string{"bash", "-c", "head /run/secrets/kubernetes.io/serviceaccount/token"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) - Expect(sout).To(MatchRegexp("token.*Permission denied")) + AssertCommand(wp, "wordpress-mysql", []string{"bash", "-c", "head /run/secrets/kubernetes.io/serviceaccount/token"}, MatchRegexp("token.*Permission denied"), true) // check policy violation alert expect := protobuf.Alert{ 
@@ -202,20 +186,11 @@ var _ = Describe("Smoke", func() { Expect(res.Found).To(BeTrue()) // trigger normal operations permitted by policy - sout, _, err = K8sExecInPod(wp, "wordpress-mysql", - []string{"bash", "-c", "cat /run/secrets/kubernetes.io/serviceaccount/token"}) - Expect(err).To(BeNil()) - Expect(sout).To(Not(ContainSubstring("Permission denied"))) + AssertCommand(wp, "wordpress-mysql", []string{"bash", "-c", "cat /run/secrets/kubernetes.io/serviceaccount/token"}, Not(MatchRegexp("Permission denied")), true) - sout, _, err = K8sExecInPod(wp, "wordpress-mysql", - []string{"bash", "-c", "cat /etc/passwd"}) - Expect(err).To(BeNil()) - Expect(sout).To(Not(ContainSubstring("Permission denied"))) - - sout, _, err = K8sExecInPod(wp, "wordpress-mysql", - []string{"bash", "-c", "head /etc/passwd"}) - Expect(err).To(BeNil()) - Expect(sout).To(Not(ContainSubstring("Permission denied"))) + AssertCommand(wp, "wordpress-mysql", []string{"bash", "-c", "cat /etc/passwd"}, Not(MatchRegexp("Permission denied")), true) + + AssertCommand(wp, "wordpress-mysql", []string{"bash", "-c", "head /etc/passwd"}, Not(MatchRegexp("Permission denied")), true) // check for no policy violation alert expect = protobuf.Alert{ @@ -241,10 +216,7 @@ var _ = Describe("Smoke", func() { time.Sleep(5 * time.Second) fname := fmt.Sprintf("/var/lib/mysql/%s", RandString(12)) - sout, _, err := K8sExecInPod(sql, "wordpress-mysql", - []string{"bash", "-c", fmt.Sprintf("touch %s", fname)}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) + AssertCommand(sql, "wordpress-mysql", []string{"bash", "-c", fmt.Sprintf("touch %s", fname)}, MatchRegexp(".*"), true) // check policy violation alert expect := protobuf.Alert{ 
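Review bot: The negative checks in the `@@ -202,20 +186,11 @@` hunk changed from `Not(ContainSubstring("Permission denied"))` to `Not(MatchRegexp("Permission denied"))`, and later smoke hunks make the same swap of a regex matcher for a literal (`MatchRegexp("Permission denied")` for `touch /dev/shm/new`, `MatchRegexp("http://www.google.com/")` for both curl calls). For fixed strings `ContainSubstring` states the intent and avoids treating `.` as a wildcard, e.g. `Not(ContainSubstring("Permission denied"))`. A negative matcher also passes on empty output, so the three permitted reads (the service-account token and `/etc/passwd`) would pass if the command printed nothing at all. A positive check on expected content, e.g. `ContainSubstring("root:")` for `/etc/passwd`, would be stronger.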
@@ -255,9 +227,8 @@ var _ = Describe("Smoke", func() { Expect(err).To(BeNil()) Expect(res.Found).To(BeTrue()) - _, _, err = K8sExecInPod(sql, "wordpress-mysql", - []string{"bash", "-c", fmt.Sprintf("rm %s", fname)}) - Expect(err).To(BeNil()) + AssertCommand(sql, "wordpress-mysql", []string{"bash", "-c", fmt.Sprintf("rm %s", fname)}, MatchRegexp(".*"), true) + }) It("can enforce multiple rules targeting same pod", func() { @@ -270,17 +241,10 @@ var _ = Describe("Smoke", func() { Expect(err).To(BeNil()) // trigger policy violation alert - sout, _, err := K8sExecInPod(wp, "wordpress-mysql", - []string{"bash", "-c", "cat /etc/passwd"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) - Expect(sout).To(MatchRegexp("/etc/passwd.*Permission denied")) + AssertCommand(wp, "wordpress-mysql", []string{"bash", "-c", "cat /etc/passwd"}, MatchRegexp("/etc/passwd.*Permission denied"), true) + + AssertCommand(wp, "wordpress-mysql", []string{"bash", "-c", "cat /etc/shadow"}, MatchRegexp("/etc/shadow.*Permission denied"), true) - sout, _, err = K8sExecInPod(wp, "wordpress-mysql", - []string{"bash", "-c", "cat /etc/shadow"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) - Expect(sout).To(MatchRegexp("/etc/shadow.*Permission denied")) }) It("can block write access and only allow read access to mounted files", func() { @@ -295,11 +259,10 @@ var _ = Describe("Smoke", func() { // wait for policy creation time.Sleep(5 * time.Second) - sout, _, err := K8sExecInPod(wp, "wordpress-mysql", - []string{"bash", "-c", "touch /dev/shm/new"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) - Expect(sout).To(ContainSubstring("Permission denied")) + AssertCommand( + wp, "wordpress-mysql", []string{"bash", "-c", "touch /dev/shm/new"}, + MatchRegexp("Permission denied"), true, + ) // check policy violation alert expect := protobuf.Alert{ 
@@ -324,12 +287,10 @@ var _ = Describe("Smoke", func() { // wait for policy creation time.Sleep(5 * time.Second) - sout, _, err := K8sExecInPod(wp, "wordpress-mysql", - []string{"bash", "-c", "curl 142.250.193.46"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) - // tcp action - Expect(sout).To(ContainSubstring("http://www.google.com/")) + AssertCommand( + wp, "wordpress-mysql", []string{"bash", "-c", "curl 142.250.193.46"}, + MatchRegexp("http://www.google.com/"), true, + ) // check alert _, alerts, err := KarmorGetLogs(5*time.Second, 1) @@ -338,11 +299,10 @@ var _ = Describe("Smoke", func() { Expect(len(alerts)).To(Equal(0)) // tcp + udp + raw action - sout, _, err = K8sExecInPod(wp, "wordpress-mysql", - []string{"bash", "-c", "curl google.com"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) - Expect(sout).To(ContainSubstring("http://www.google.com/")) + AssertCommand( + wp, "wordpress-mysql", []string{"bash", "-c", "curl google.com"}, + MatchRegexp("http://www.google.com/"), true, + ) // check alert expect := protobuf.Alert{ diff --git a/tests/k8s_env/syscalls/syscalls_test.go b/tests/k8s_env/syscalls/syscalls_test.go index 0a94c691d9..ed0d23f7f0 100644 --- a/tests/k8s_env/syscalls/syscalls_test.go +++ b/tests/k8s_env/syscalls/syscalls_test.go @@ -4,7 +4,7 @@ package syscalls import ( - "fmt" + "time" "github.com/kubearmor/KubeArmor/protobuf" 
@@ -58,10 +58,8 @@ var _ = Describe("Syscalls", func() { err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "unlink /dummy"}) - Expect(err).To(BeNil()) + AssertCommand(ubuntu, "syscalls", []string{"bash", "-c", "touch /dummy"}, MatchRegexp(".*"), true) + AssertCommand(ubuntu, "syscalls", []string{"bash", "-c", "unlink /dummy"}, MatchRegexp(".*"), true) // check policy alert expect := protobuf.Alert{ @@ -86,13 +84,9 @@ var _ = Describe("Syscalls", func() { err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "cp /usr/bin/unlink /bin/unlink"}) - Expect(err).To(BeNil()) - - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "/bin/unlink /dummy"}) - Expect(err).To(BeNil()) + AssertCommand(ubuntu, "syscalls", []string{"bash", "-c", "cp /usr/bin/unlink /bin/unlink"}, MatchRegexp(".*"), true) + AssertCommand(ubuntu, "syscalls", []string{"bash", "-c", "touch /dummy"}, MatchRegexp(".*"), true) + AssertCommand(ubuntu, "syscalls", []string{"bash", "-c", "/bin/unlink /dummy"}, MatchRegexp(".*"), true) // check policy alert expect := protobuf.Alert{ 
@@ -117,16 +111,13 @@ var _ = Describe("Syscalls", func() { err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "mkdir -p /foo/bar"}) - Expect(err).To(BeNil()) + AssertCommand(ubuntu, "syscalls", []string{"bash", "-c", "mkdir -p /foo/bar"}, MatchRegexp(".*"), true) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "cp /usr/bin/unlink /foo/bar/unlink"}) - Expect(err).To(BeNil()) + AssertCommand(ubuntu, "syscalls", []string{"bash", "-c", "cp /usr/bin/unlink /foo/bar/unlink"}, MatchRegexp(".*"), true) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "/foo/bar/unlink /dummy"}) - Expect(err).To(BeNil()) + AssertCommand(ubuntu, "syscalls", []string{"bash", "-c", "touch /dummy"}, MatchRegexp(".*"), true) + + AssertCommand(ubuntu, "syscalls", []string{"bash", "-c", "/foo/bar/unlink /dummy"}, MatchRegexp(".*"), true) // check policy alert expect := protobuf.Alert{ @@ -151,13 +142,11 @@ var _ = Describe("Syscalls", func() { err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "cp /usr/bin/unlink /unlink"}) - Expect(err).To(BeNil()) + AssertCommand(ubuntu, "syscalls", []string{"bash", "-c", "cp /usr/bin/unlink /unlink"}, MatchRegexp(".*"), true) + + AssertCommand(ubuntu, "syscalls", []string{"bash", "-c", "touch /dummy"}, MatchRegexp(".*"), true) + AssertCommand(ubuntu, "syscalls", []string{"bash", "-c", "/unlink /dummy"}, MatchRegexp(".*"), true) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "/unlink /dummy"}) - Expect(err).To(BeNil()) // check policy alert expect := protobuf.Alert{ 
@@ -185,10 +174,9 @@ var _ = Describe("Syscalls", func() { err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}) - Expect(err).To(BeNil()) + AssertCommand(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}, MatchRegexp(".*"), true) + AssertCommand(ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}, MatchRegexp(".*"), true) + // check policy alert expect := protobuf.Alert{ @@ -213,10 +201,8 @@ var _ = Describe("Syscalls", func() { err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "unlink /dummy"}) - Expect(err).To(BeNil()) + AssertCommand(ubuntu, "syscalls", []string{"bash", "-c", "touch /dummy"}, MatchRegexp(".*"), true) + AssertCommand(ubuntu, "syscalls", []string{"bash", "-c", "unlink /dummy"}, MatchRegexp(".*"), true) // check policy alert expect := protobuf.Alert{ 
@@ -237,17 +223,14 @@ var _ = Describe("Syscalls", func() { err := K8sApply([]string{"manifests/matchpaths/unlink-dir-recursive-fromsource-path.yaml"}) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "cp /usr/bin/unlink /bin/unlink"}) - Expect(err).To(BeNil()) + AssertCommand(ubuntu, "syscalls", []string{"bash", "-c", "cp /usr/bin/unlink /bin/unlink"}, MatchRegexp(".*"), true) // Start Kubearmor Logs err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "/bin/unlink /home/dummy"}) - Expect(err).To(BeNil()) + AssertCommand(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}, MatchRegexp(".*"), true) + AssertCommand(ubuntu, "syscalls", []string{"bash", "-c", "/bin/unlink /home/dummy"}, MatchRegexp(".*"), true) // check policy alert expect := protobuf.Alert{ @@ -272,10 +255,9 @@ var _ = Describe("Syscalls", func() { err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}) - Expect(err).To(BeNil()) + AssertCommand(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}, MatchRegexp(".*"), true) + AssertCommand(ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}, MatchRegexp(".*"), true) + // check policy alert expect := protobuf.Alert{ 
@@ -296,17 +278,14 @@ var _ = Describe("Syscalls", func() { err := K8sApply([]string{"manifests/matchpaths/unlink-dir-recursive-fromsource-dir.yaml"}) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "cp /usr/bin/unlink /bin/unlink"}) - Expect(err).To(BeNil()) + AssertCommand(ubuntu, "syscalls", []string{"bash", "-c", "cp /usr/bin/unlink /bin/unlink"}, MatchRegexp(".*"), true) // Start Kubearmor Logs err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "/bin/unlink /home/dummy"}) - Expect(err).To(BeNil()) + AssertCommand(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}, MatchRegexp(".*"), true) + AssertCommand(ubuntu, "syscalls", []string{"bash", "-c", "/bin/unlink /home/dummy"}, MatchRegexp(".*"), true) // check policy alert expect := protobuf.Alert{ @@ -334,10 +313,9 @@ var _ = Describe("Syscalls", func() { err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}) - Expect(err).To(BeNil()) + AssertCommand(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}, MatchRegexp(".*"), true) + AssertCommand(ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}, MatchRegexp(".*"), true) + // check policy alert expect := protobuf.Alert{ 
@@ -363,10 +341,9 @@ var _ = Describe("Syscalls", func() { err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}) - Expect(err).To(BeNil()) + AssertCommand(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}, MatchRegexp(".*"), true) + AssertCommand(ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}, MatchRegexp(".*"), true) + // check policy alert expect := protobuf.Alert{ @@ -392,10 +369,10 @@ var _ = Describe("Syscalls", func() { err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}) - Expect(err).To(BeNil()) + + AssertCommand(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}, MatchRegexp(".*"), true) + AssertCommand(ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}, MatchRegexp(".*"), true) + // check policy alert expect := protobuf.Alert{ @@ -421,10 +398,9 @@ var _ = Describe("Syscalls", func() { err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}) - Expect(err).To(BeNil()) + AssertCommand(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}, MatchRegexp(".*"), false) + AssertCommand(ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}, MatchRegexp(".*"), false) + // check policy alert expect := protobuf.Alert{ 
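Review bot: Starting with the `@@ -421,10 +398,9 @@` hunk, and in the four following hunks at `-452`, `-481`, `-510` and `-539`, the last argument to `AssertCommand` switches from `true` to `false` for the same `touch /home/dummy` / `unlink /home/dummy` pair that the earlier hunks run with `true`. `AssertCommand` is defined outside this diff, so what the flag selects cannot be checked here. If it changes how often or for how long the command is executed, these tests will produce a different number of unlink events than their siblings. Add a comment at the first of these calls explaining why `false` is needed, or use `true` throughout.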
@@ -452,10 +428,9 @@ var _ = Describe("Syscalls", func() { err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}) - Expect(err).To(BeNil()) + AssertCommand(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}, MatchRegexp(".*"), false) + AssertCommand(ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}, MatchRegexp(".*"), false) + // check policy alert expect := protobuf.Alert{ @@ -481,10 +456,10 @@ var _ = Describe("Syscalls", func() { err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}) - Expect(err).To(BeNil()) + + AssertCommand(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}, MatchRegexp(".*"), false) + AssertCommand(ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}, MatchRegexp(".*"), false) + // check policy alert expect := protobuf.Alert{ @@ -510,10 +485,9 @@ var _ = Describe("Syscalls", func() { err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}) - Expect(err).To(BeNil()) + + AssertCommand(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}, MatchRegexp(".*"), false) + AssertCommand(ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}, MatchRegexp(".*"), false) // check policy alert expect := protobuf.Alert{ 
@@ -539,10 +513,8 @@ var _ = Describe("Syscalls", func() { err = KarmorLogStart("policy", "syscalls", "Syscall", ubuntu) Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}) - Expect(err).To(BeNil()) - _, _, err = K8sExecInPod(ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}) - Expect(err).To(BeNil()) + AssertCommand(ubuntu, "syscalls", []string{"bash", "-c", "touch /home/dummy"}, MatchRegexp(".*"), false) + AssertCommand(ubuntu, "syscalls", []string{"bash", "-c", "unlink /home/dummy"}, MatchRegexp(".*"), false) // check policy alert expect := protobuf.Alert{ @@ -567,13 +539,15 @@ var _ = Describe("Syscalls", func() { Expect(err).To(BeNil()) // execute mount inside the pod - sout, _, err := K8sExecInPod(ubuntu, "syscalls", - []string{"bash", "-c", "mkdir /mnt/test"}) - Expect(err).To(BeNil()) - sout, _, err = K8sExecInPod(ubuntu, "syscalls", - []string{"bash", "-c", "mount /home /mnt/test"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "mkdir /mnt/test"}, + MatchRegexp(".*"), true, + ) + + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "mount /home /mnt/test"}, + MatchRegexp(".*"), true, + ) expect := protobuf.Alert{ PolicyName: "DefaultPosture", @@ -596,10 +570,10 @@ var _ = Describe("Syscalls", func() { Expect(err).To(BeNil()) // execute umount inside the pod - sout, _, err := K8sExecInPod(ubuntu, "syscalls", - []string{"bash", "-c", "umount /mnt"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) + AssertCommand( + ubuntu, "syscalls", []string{"bash", "-c", "umount /mnt"}, + MatchRegexp(".*"), true, + ) expect := protobuf.Alert{ PolicyName: "DefaultPosture", diff --git a/tests/k8s_env/throttling/throttling_test.go b/tests/k8s_env/throttling/throttling_test.go index bfacaa17d1..7459b1815d 100644 --- a/tests/k8s_env/throttling/throttling_test.go 
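Review bot: `mkdir /mnt/test` in the `@@ -567,13 +539,15 @@` hunk is not idempotent, and it is now run through `AssertCommand`, whose definition is outside this diff. If the helper can execute the command more than once, or the directory is left over from an earlier run, the second `mkdir` fails and `MatchRegexp(".*")` hides that. `mkdir -p /mnt/test`, the form already used for `/foo/bar` earlier in this file, is safe either way. The following hunk unmounts `/mnt` rather than `/mnt/test`; whether that is the intended target cannot be told from these lines.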
+++ b/tests/k8s_env/throttling/throttling_test.go @@ -74,11 +74,11 @@ var _ = Describe("Smoke", func() { // wait for policy creation time.Sleep(5 * time.Second) - sout, _, err := K8sExecInPod(wp, "wordpress-mysql", - []string{"bash", "-c", "count=0; while [ $count -lt 5 ]; do apt; count=$((count + 1)); done;"}) - Expect(err).To(BeNil()) - fmt.Printf("OUTPUT: %s\n", sout) - Expect(sout).To(MatchRegexp("apt.*Permission denied")) + AssertCommand( + wp, "wordpress-mysql", + []string{"bash", "-c", "count=0; while [ $count -lt 5 ]; do apt; count=$((count + 1)); done;"}, + MatchRegexp("apt.*Permission denied"), true, + ) // check policy violation alert _, alerts, err := KarmorGetLogs(5*time.Second, 1) @@ -93,11 +93,11 @@ var _ = Describe("Smoke", func() { Expect(err).To(BeNil()) // check for throttling, alerts should not be genrated - sout, _, err = K8sExecInPod(wp, "wordpress-mysql", - []string{"bash", "-c", "apt update"}) - Expect(err).To(BeNil()) - fmt.Printf("---START---\n%s---END---\n", sout) - Expect(sout).To(MatchRegexp("apt.*Permission denied")) + AssertCommand( + wp, "wordpress-mysql", + []string{"bash", "-c", "apt update"}, + MatchRegexp("apt.*Permission denied"), true, + ) _, alerts, err = KarmorGetLogs(5*time.Second, 1) Expect(err).To(BeNil()) diff --git a/tests/k8s_env/visibility/visibility_test.go b/tests/k8s_env/visibility/visibility_test.go index b26ebac49c..4ae2ce7e28 100644 --- a/tests/k8s_env/visibility/visibility_test.go +++ b/tests/k8s_env/visibility/visibility_test.go 
@@ -60,9 +60,8 @@ var _ = Describe("Visibility", func() { err = KarmorLogStart("all", "wordpress-mysql", "", wp) Expect(err).To(BeNil()) - sout, _, err := K8sExecInPod(wp, "wordpress-mysql", []string{"bash", "-c", "ping google.com -c1"}) - Expect(err).To(BeNil()) - fmt.Printf("---START---\n%s---END---\n", sout) + AssertCommand(wp, "wordpress-mysql", []string{"bash", "-c", "ping google.com -c1"}, MatchRegexp(".*"), true) + // check audit logs logs, _, err := KarmorGetLogs(5*time.Second, 50) @@ -89,9 +88,8 @@ var _ = Describe("Visibility", func() { err = KarmorLogStart("all", "wordpress-mysql", "", wp) Expect(err).To(BeNil()) - sout, _, err := K8sExecInPod(wp, "wordpress-mysql", []string{"bash", "-c", "ping google.com -c1"}) - Expect(err).To(BeNil()) - fmt.Printf("---START---\n%s---END---\n", sout) + AssertCommand(wp, "wordpress-mysql", []string{"bash", "-c", "ping google.com -c1"}, MatchRegexp(".*"), true) + // check audit logs logs, _, err := KarmorGetLogs(5*time.Second, 50) @@ -115,9 +113,7 @@ var _ = Describe("Visibility", func() { err = KarmorLogStart("all", "wordpress-mysql", "", wp) Expect(err).To(BeNil()) - sout, _, err := K8sExecInPod(wp, "wordpress-mysql", []string{"bash", "-c", "ping google.com -c1"}) - Expect(err).To(BeNil()) - fmt.Printf("---START---\n%s---END---\n", sout) + AssertCommand(wp, "wordpress-mysql", []string{"bash", "-c", "ping google.com -c1"}, MatchRegexp(".*"), true) // check audit logs logs, _, err := KarmorGetLogs(5*time.Second, 50)