add readonly fs
Signed-off-by: achref ben saad <[email protected]>
achrefbensaad committed Jul 21, 2022
1 parent d6fef36 commit d003c93
Showing 17 changed files with 281 additions and 5 deletions.
79 changes: 79 additions & 0 deletions .github/workflows/ci-test-incluster.yml
@@ -0,0 +1,79 @@
name: run-in-cluster-test

on:
push:
branches:
- "**"
paths:
- "deployments/annotations/**"
- "deployments/generic/**"
- "tests/test-scenarios-github.sh"
- ".github/workflows/ci-test-incluster.yml"
pull_request:
branches: ["*"]
paths:
- "deployments/annotations/**"
- "deployments/generic/**"
- "tests/test-scenarios-github.sh"
- ".github/workflows/ci-test-incluster.yml"

jobs:
manifest-test:
name: Run basic manifest tests / ${{ matrix.os }}
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest, ubuntu-18.04]
steps:
- name: Kernel version
run: uname -r

- uses: actions/checkout@v2

- name: Setup Enviroment
run: |
./contribution/k3s/install_k3s.sh
- name: Install cmctl
run: |
OS=$(go env GOOS); ARCH=$(go env GOARCH); curl -sSL -o cmctl.tar.gz https://github.com/cert-manager/cert-manager/releases/download/v1.7.2/cmctl-$OS-$ARCH.tar.gz
tar xzf cmctl.tar.gz
sudo mv cmctl /usr/local/bin
- name: Install annotation controller
run: |
kubectl apply -f deployments/annotations/cert-manager.yaml
kubectl wait pods --for=condition=ready -n cert-manager -l app.kubernetes.io/instance=cert-manager
cmctl check api --wait 300s
kubectl apply -f deployments/annotations/kubearmor-annotation-manager.yaml
kubectl wait pods --for=condition=ready -n kube-system -l kubearmor-app=kubearmor-annotation-manager
- name: Apply KubeArmor manifest
run: |
kubectl apply -f deployments/generic/kubearmor.yaml
- name: Test manifests
run: |
./tests/test-scenarios-github.sh
- name: Get pod informations
if: ${{ failure() }}
run: |
kubectl get po -n kube-system
kubectl describe po -n kube-system
- name: Archive log artifacts
if: ${{ failure() }}
uses: actions/upload-artifact@v2
with:
name: kubearmor.logs
path: |
/tmp/kubearmor.test
/tmp/kubearmor.log
/tmp/kubearmor.msg
- name: Check Results
if: ${{ always() }}
run: cat /tmp/kubearmor.test
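Review bot: The `Install cmctl` step downloads a tarball and moves the extracted binary into /usr/local/bin with sudo without verifying it, so a tampered or replaced release asset would run unchecked on the runner; check it against the checksum the release publishes (if one is available) before `tar xzf`, e.g. `echo "<expected-sha256>  cmctl.tar.gz" | sha256sum -c -`. The workflow declares no `permissions:` block, so the job token receives the repository's default scope although nothing here needs more than `permissions: { contents: read }`. `actions/checkout@v2` and `actions/upload-artifact@v2` are pinned to mutable major tags; pinning each to a full commit SHA stops an upstream tag move from changing what executes. Blank separators and indentation of the original file appear lost in this rendering, so step boundaries above are inferred from the `- name:` lines.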
5 changes: 5 additions & 0 deletions KubeArmor/build/kubearmor-test-containerd.yaml
Expand Up @@ -79,6 +79,7 @@ spec:
imagePullPolicy: Never
securityContext:
privileged: true
readOnlyRootFilesystem: true
ports:
- containerPort: 32767
livenessProbe:
Expand Down Expand Up @@ -121,10 +122,14 @@ spec:
- mountPath: /var/lib/docker
name: docker-storage-path
readOnly: true
- mountPath: /tmp
name: tmp-path
terminationGracePeriodSeconds: 30
volumes:
- emptyDir: {}
name: bpf
- emptyDir: {}
name: tmp-path
- hostPath:
path: /lib/modules
type: Directory
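Review bot: `readOnlyRootFilesystem: true` is added directly under `privileged: true`, and a privileged container retains CAP_SYS_ADMIN and can remount its own root read-write, so the new setting protects against accidental writes by the daemon but is not a containment boundary for this container. A comment would keep a later reader from treating it as one, e.g. `# defence in depth only: the container is privileged and could remount rw`. The hunk shows only part of the container spec, so whether the daemon needs any writable path other than /tmp and the existing `bpf` emptyDir is not visible from here.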
5 changes: 5 additions & 0 deletions KubeArmor/build/kubearmor-test-crio.yaml
Expand Up @@ -57,6 +57,7 @@ spec:
- containerPort: 32767
securityContext:
privileged: true
readOnlyRootFilesystem: true
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
Expand All @@ -83,6 +84,8 @@ spec:
- mountPath: /run/crio
name: crio-storage-path
readOnly: true
- mountPath: /tmp
name: tmp-path
dnsPolicy: ClusterFirstWithHostNet
hostNetwork: true
hostPID: true
Expand Down Expand Up @@ -130,6 +133,8 @@ spec:
path: /run/crio
type: DirectoryOrCreate
name: crio-storage-path
- emptyDir: {}
name: tmp-path
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
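Review bot: The new `tmp-path` volume is `emptyDir: {}` with no `sizeLimit`, so whatever the daemon writes under /tmp now consumes node ephemeral storage without bound, on a pod that already runs with `hostPID` and `hostNetwork` on every node. Consider `emptyDir: { sizeLimit: 100Mi }` (sized to what KubeArmor actually writes) so that, on clusters enforcing ephemeral-storage limits, the kubelet evicts the pod instead of letting it fill the node disk. The pod spec continues outside the hunk.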
5 changes: 5 additions & 0 deletions KubeArmor/build/kubearmor-test-docker.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -79,6 +79,7 @@ spec:
imagePullPolicy: Never
securityContext:
privileged: true
readOnlyRootFilesystem: true
ports:
- containerPort: 32767
livenessProbe:
Expand Down Expand Up @@ -118,10 +119,14 @@ spec:
- mountPath: /var/lib/docker
name: docker-storage-path
readOnly: true
- mountPath: /tmp
name: tmp-path
terminationGracePeriodSeconds: 30
volumes:
- emptyDir: {}
name: bpf
- emptyDir: {}
name: tmp-path
- hostPath:
path: /lib/modules
type: Directory
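Review bot: Nothing in the manifest records why /tmp becomes a writable mount, and the commit title (`add readonly fs`) does not explain it either; a comment on the new volume would, e.g. `# scratch space for the daemon; the root filesystem is read-only`. With `readOnlyRootFilesystem: true` any write outside /tmp and the mounted volumes will now fail with EROFS, so listing the paths the daemon is expected to write next to the mounts would help the next person who adds one. The container spec starts outside the hunk.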
5 changes: 5 additions & 0 deletions KubeArmor/build/kubearmor-test-k3s.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -79,6 +79,7 @@ spec:
imagePullPolicy: Never
securityContext:
privileged: true
readOnlyRootFilesystem: true
ports:
- containerPort: 32767
livenessProbe:
Expand Down Expand Up @@ -118,9 +119,13 @@ spec:
- mountPath: /var/lib/docker
name: docker-storage-path
readOnly: true
- mountPath: /tmp
name: tmp-path
volumes:
- emptyDir: {}
name: bpf
- emptyDir: {}
name: tmp-path
- hostPath:
path: /lib/modules
type: Directory
15 changes: 15 additions & 0 deletions deployments/AKS/kubearmor.yaml
Expand Up @@ -120,6 +120,8 @@ spec:
- mountPath: /media/root/etc/os-release
name: os-release-path
readOnly: true
- mountPath: /tmp
name: tmp-path
- mountPath: /usr/src
name: usr-src-path
readOnly: true
Expand All @@ -142,6 +144,7 @@ spec:
name: init
securityContext:
privileged: true
readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /opt/kubearmor/BPF
name: bpf
Expand All @@ -157,6 +160,8 @@ spec:
- mountPath: /media/root/etc/os-release
name: os-release-path
readOnly: true
- mountPath: /tmp
name: tmp-path
- mountPath: /usr/src
name: usr-src-path
readOnly: true
Expand All @@ -170,6 +175,8 @@ spec:
volumes:
- emptyDir: {}
name: bpf
- emptyDir: {}
name: tmp-path
- hostPath:
path: /lib/modules
type: Directory
Expand Down Expand Up @@ -263,6 +270,8 @@ spec:
requests:
cpu: 100m
memory: 20Mi
securityContext:
readOnlyRootFilesystem: true
- args:
- --metrics-addr=127.0.0.1:8080
- --enable-leader-election
Expand All @@ -277,6 +286,8 @@ spec:
requests:
cpu: 100m
memory: 20Mi
securityContext:
readOnlyRootFilesystem: true
serviceAccountName: kubearmor
terminationGracePeriodSeconds: 10
---
Expand Down Expand Up @@ -332,6 +343,8 @@ spec:
requests:
cpu: 100m
memory: 20Mi
securityContext:
readOnlyRootFilesystem: true
- args:
- --metrics-addr=127.0.0.1:8080
- --enable-leader-election
Expand All @@ -346,6 +359,8 @@ spec:
requests:
cpu: 100m
memory: 20Mi
securityContext:
readOnlyRootFilesystem: true
serviceAccountName: kubearmor
terminationGracePeriodSeconds: 10
---
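Review bot: Only the `init` container's securityContext gains `readOnlyRootFilesystem: true` (hunk at -142), while the first container — whose volumeMounts gain `/tmp` in the hunk at -120 — is not touched in its securityContext, so its root filesystem stays writable unless it was already read-only before this commit; the section's 15 additions are fully accounted for by the visible lines, so no other part of the file changed. That differs from the `KubeArmor/build/kubearmor-test-*.yaml` manifests in this commit, where the main container itself is made read-only, and leaves the new /tmp mount without a purpose here. Either add `readOnlyRootFilesystem: true` under the first container's `securityContext` as well, or drop the mount. The container definitions begin outside the hunks.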
15 changes: 15 additions & 0 deletions deployments/BottleRocket/kubearmor.yaml
Expand Up @@ -121,6 +121,8 @@ spec:
- mountPath: /media/root/etc/os-release
name: os-release-path
readOnly: true
- mountPath: /tmp
name: tmp-path
- mountPath: /usr/src
name: usr-src-path
readOnly: true
Expand All @@ -143,6 +145,7 @@ spec:
name: init
securityContext:
privileged: true
readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /opt/kubearmor/BPF
name: bpf
Expand All @@ -158,6 +161,8 @@ spec:
- mountPath: /media/root/etc/os-release
name: os-release-path
readOnly: true
- mountPath: /tmp
name: tmp-path
- mountPath: /usr/src
name: usr-src-path
readOnly: true
Expand All @@ -171,6 +176,8 @@ spec:
volumes:
- emptyDir: {}
name: bpf
- emptyDir: {}
name: tmp-path
- hostPath:
path: /lib/modules
type: Directory
Expand Down Expand Up @@ -264,6 +271,8 @@ spec:
requests:
cpu: 100m
memory: 20Mi
securityContext:
readOnlyRootFilesystem: true
- args:
- --metrics-addr=127.0.0.1:8080
- --enable-leader-election
Expand All @@ -278,6 +287,8 @@ spec:
requests:
cpu: 100m
memory: 20Mi
securityContext:
readOnlyRootFilesystem: true
serviceAccountName: kubearmor
terminationGracePeriodSeconds: 10
---
Expand Down Expand Up @@ -333,6 +344,8 @@ spec:
requests:
cpu: 100m
memory: 20Mi
securityContext:
readOnlyRootFilesystem: true
- args:
- --metrics-addr=127.0.0.1:8080
- --enable-leader-election
Expand All @@ -347,6 +360,8 @@ spec:
requests:
cpu: 100m
memory: 20Mi
securityContext:
readOnlyRootFilesystem: true
serviceAccountName: kubearmor
terminationGracePeriodSeconds: 10
---
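Review bot: The four containers in what look like two controller Deployments (hunks at -264, -278, -333, -347) receive a new `securityContext` that sets only `readOnlyRootFilesystem`; since these containers are not privileged, this is the natural place to also add `allowPrivilegeEscalation: false` and `capabilities: { drop: ["ALL"] }`, assuming the manager and proxy binaries need no capabilities — verify against the images. `runAsNonRoot: true` would be a further step if those images do not run as uid 0; that also needs checking before it is added. The container definitions begin outside the hunks.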
15 changes: 15 additions & 0 deletions deployments/EKS/kubearmor.yaml
Expand Up @@ -120,6 +120,8 @@ spec:
- mountPath: /media/root/etc/os-release
name: os-release-path
readOnly: true
- mountPath: /tmp
name: tmp-path
- mountPath: /usr/src
name: usr-src-path
readOnly: true
Expand All @@ -142,6 +144,7 @@ spec:
name: init
securityContext:
privileged: true
readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /opt/kubearmor/BPF
name: bpf
Expand All @@ -157,6 +160,8 @@ spec:
- mountPath: /media/root/etc/os-release
name: os-release-path
readOnly: true
- mountPath: /tmp
name: tmp-path
- mountPath: /usr/src
name: usr-src-path
readOnly: true
Expand All @@ -170,6 +175,8 @@ spec:
volumes:
- emptyDir: {}
name: bpf
- emptyDir: {}
name: tmp-path
- hostPath:
path: /lib/modules
type: Directory
Expand Down Expand Up @@ -263,6 +270,8 @@ spec:
requests:
cpu: 100m
memory: 20Mi
securityContext:
readOnlyRootFilesystem: true
- args:
- --metrics-addr=127.0.0.1:8080
- --enable-leader-election
Expand All @@ -277,6 +286,8 @@ spec:
requests:
cpu: 100m
memory: 20Mi
securityContext:
readOnlyRootFilesystem: true
serviceAccountName: kubearmor
terminationGracePeriodSeconds: 10
---
Expand Down Expand Up @@ -332,6 +343,8 @@ spec:
requests:
cpu: 100m
memory: 20Mi
securityContext:
readOnlyRootFilesystem: true
- args:
- --metrics-addr=127.0.0.1:8080
- --enable-leader-election
Expand All @@ -346,6 +359,8 @@ spec:
requests:
cpu: 100m
memory: 20Mi
securityContext:
readOnlyRootFilesystem: true
serviceAccountName: kubearmor
terminationGracePeriodSeconds: 10
---
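Review bot: The first container's volumeMounts gain `/tmp` (hunk at -120) but no hunk touches that container's `securityContext`; only `init` gets `readOnlyRootFilesystem: true` (hunk at -142), so the daemon container's root filesystem appears to remain writable unless it was already read-only before this commit. Add `readOnlyRootFilesystem: true` to the first container's `securityContext`, matching the `KubeArmor/build/kubearmor-test-*.yaml` manifests in this commit, or the new /tmp mount has nothing to compensate for. The container spec starts outside the hunk.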