
Commit d1e5d1d

ccojocark8s-ci-robot
authored and committed
Extend the apparmor e2e test to apply the recorded profile
Extend the e2e test to use the recorded profile and check that it is properly enforced Change-Id: I4d91f170a2dc38582a9df25725aa66ffd780b1e4 Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
1 parent 4dee5cf commit d1e5d1d


1 file changed

+82
-30
lines changed


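--- a/hack/ci/e2e-apparmor.sh
+++ b/hack/ci/e2e-apparmor.sh
@@ -29,65 +29,117 @@ check_apparmor_profile() {
 
 # clean up the variance in the recorded apparmor profile
 yq -i ".spec" $APPARMOR_PROFILE_FILE
+local name="$(grep -o '\btest-recording_test-pod[^ ]*\b' $APPARMOR_PROFILE_FILE)"
 sed -i -e "s/\btest-recording_test-pod[^ ]*\b/test-sleep/g" $APPARMOR_PROFILE_FILE
 
 diff $APPARMOR_REFERENCE_PROFILE_FILE $APPARMOR_PROFILE_FILE
+echo "${name}"
 }
 
-record_apparmor_profile() {
-echo "Enable Apparmor profile"
-k patch spod spod --type=merge -p '{"spec":{"enableAppArmor":true}}'
-k rollout status ds spod --timeout 360s
-k_wait spod spod
-
-echo "Recording apparmor profile"
-
-TMP_DIR=$(mktemp -d)
-trap 'rm -rf $TMP_DIR' EXIT
-
-echo "Creating profile recording"
-k apply -f $APPARMOR_RECORDING_FILE
-
-POD_FILE="$TMP_DIR/pod.yml"
-cat <<EOT >"$POD_FILE"
+create_pod() {
+local pod_name="$1"
+local pod_file="$2"
+local apparmor_profile="${3-}"
+cat <<EOT >"$pod_file"
 ---
 apiVersion: v1
 kind: Pod
 metadata:
-name: $PODNAME
+name: $pod_name
 labels:
 app: alpine
 spec:
 restartPolicy: Never
 containers:
-- name: $PODNAME
+- name: $pod_name
 image: alpine:3
-command: ["sleep", "20"]
+command: ["sleep", "30"]
 EOT
-echo "Creating pod:"
-cat "$POD_FILE"
 
-k apply -f "$POD_FILE"
+if [[ -n "$apparmor_profile" ]]; then
+cat <<EOT >>"$pod_file"
+securityContext:
+appArmorProfile:
+type: Localhost
+localhostProfile: $apparmor_profile
+EOT
+fi
+cat "$pod_file"
+k apply -f "$pod_file"
+}
 
-echo "Waiting for pod to be completed"
+wait_for_pod_status() {
+local pod_name="$1"
+local status="$2"
+echo "Waiting for pod status: $status"
 for ((i = 0; i < 10; i++)); do
-if k get pods $PODNAME | grep -q Completed; then
-echo "Pod completed"
+if k get pods $pod_name | grep -q $status; then
+echo "Pod reached status: $status "
 break
 fi
 echo "Still waiting ($i)"
 sleep 5
 done
+}
 
-echo "Deleting pod"
-k delete -f "$POD_FILE"
+check_profile_enforcement() {
+local comamnd="$1"
+local apparmor_profile="$2"
+local pid="$(pidof $comamnd)"
+local enforce="$(cat /proc/${pid}/attr/current)"
+local reference="$apparmor_profile (enforce)"
+if [[ "$reference" != "$enforce" ]]; then
+echo "Apparmor profile $apparmor_profile not enforced: $enforce"
+exit 1
+fi
+echo "Apparmor profile successfully enforced: $enforce"
+}
 
-wait_for apparmorprofile $APPARMOR_PROFILE_NAME
+record_apparmor_profile() {
+echo "Enable Apparmor profile"
+k patch spod spod --type=merge -p '{"spec":{"enableAppArmor":true}}'
+k rollout status ds spod --timeout 360s
+k_wait spod spod
+
+echo "Recording apparmor profile"
+echo "--------------------------"
+
+echo "Creating profile recording $RECORDING_NAME"
+k apply -f $APPARMOR_RECORDING_FILE
 
-check_apparmor_profile
+TMP_DIR=$(mktemp -d)
+trap 'rm -rf $TMP_DIR' EXIT
 
-echo "Cleaning up profile $APPARMOR_PROFILE_NAME and recording $RECORDING_NAME resources"
+echo "Creating pod $PODNAME and start recording its apparmor profile"
+pod_file="${TMP_DIR}/${PODNAME}.yml"
+create_pod $PODNAME $pod_file
+wait_for_pod_status "$PODNAME" "Completed"
+echo "Deleting pod $PODNAME"
+k delete -f "$pod_file"
+
+echo "Deleting profile recoridng $RECORDING_NAME"
 k delete -f "$APPARMOR_RECORDING_FILE"
+
+wait_for apparmorprofile $APPARMOR_PROFILE_NAME
+
+echo "Verifing apparmor profile"
+echo "-------------------------"
+
+echo "Checking the recorded appamror profile matches the reference"
+apparmor_profile=$(check_apparmor_profile)
+
+echo "Creating pod $PODNAME with recorded profile in security context"
+sec_pod_file="${TMP_DIR}/${PODNAME}-apparmor.yml"
+create_pod $PODNAME $sec_pod_file $apparmor_profile
+wait_for_pod_status "$PODNAME" "Running"
+
+echo "Checking apparmor profile enforcement on container"
+check_profile_enforcement "sleep" $apparmor_profile
+
+echo "Deleting pod $PODNAME"
+k delete -f "$sec_pod_file"
+
+echo "Deleting apparmor profile $APPARMOR_PROFILE_NAME"
 k delete apparmorprofile $APPARMOR_PROFILE_NAME
 }
 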
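Review bot: `check_profile_enforcement` locates the container process with `pidof $comamnd` on the CI host, so the lookup is not scoped to the pod: it yields nothing once the container's `sleep 30` has exited (the preceding `wait_for_pod_status` loop only breaks on success and never fails when its retries run out), and it yields several PIDs if any other `sleep` is running on the node, in which case `cat /proc/${pid}/attr/current` is handed a broken path and the resulting "not enforced" message is misleading. At minimum guard the lookup, `local pid; pid=$(pidof "$command") || { echo "no $command process found" >&2; exit 1; }` followed by `[[ "$pid" == *[[:space:]]* ]] && { echo "several $command processes found: $pid" >&2; exit 1; }`; a more robust check would read the confinement from inside the pod (for example via `k exec`, assuming the `k` helper forwards to kubectl) so the test does not silently depend on running on the same node as the pod. The parameter name `comamnd` is misspelled, and `wait_for_pod_status` should return non-zero after exhausting its retries so the enforcement check is never run against a pod that did not reach `Running`. Relatedly, in `check_apparmor_profile` the `local name="$(grep …)"` form masks grep's exit status, so an empty profile name flows unnoticed into `create_pod` and the pod is created without any `securityContext`; split it as `local name; name=$(grep -o '\btest-recording_test-pod[^ ]*\b' "$APPARMOR_PROFILE_FILE") || return 1`.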