changed k8sexecinpod function to assert

kubearmor · Jun 26, 2024 · 59f4e16 · 59f4e16
1 parent 1fc5a38
commit 59f4e16
Show file tree

Hide file tree

Showing 6 changed files with 318 additions and 254 deletions.
diff --git a/tests/k8s_env/blockposture/block_test.go b/tests/k8s_env/blockposture/block_test.go
@@ -74,10 +74,11 @@ var _ = Describe("Posture", func() {
 				MatchRegexp("curl.*Could not resolve host: google.com"), true,
 			)
 
-			out, _, err := K8sExecInPod(wp, "wordpress-mysql", []string{"bash", "-c", "curl 142.250.193.46"})
-			Expect(err).To(BeNil())
-			fmt.Printf("---START---\n%s---END---\n", out)
-			Expect(out).To(MatchRegexp("<HTML>((?:.*\r?\n?)*)</HTML>"))
+			AssertCommand(wp, "wordpress-mysql",
+				[]string{"bash", "-c", "curl 142.250.193.46"},
+				MatchRegexp("<HTML>((?:.*\r?\n?)*)</HTML>"),
+				false)
+
 			// check policy violation alert
 			_, alerts, err := KarmorGetLogs(5*time.Second, 1)
 			Expect(err).To(BeNil())
@@ -101,16 +102,17 @@ var _ = Describe("Posture", func() {
 			Expect(err).To(BeNil())
 
 			//curl needs UDP for DNS resolution
-			sout, _, err := K8sExecInPod(wp, "wordpress-mysql", []string{"bash", "-c", "cat wp-config.php"})
-			Expect(err).To(BeNil())
-			fmt.Printf("---START---\n%s---END---\n", sout)
-			Expect(sout).To(MatchRegexp("cat.*Permission denied"))
+			AssertCommand(wp, "wordpress-mysql",
+				[]string{"bash", "-c", "cat wp-config.php"},
+				MatchRegexp("cat.*Permission denied"),
+				false)
 
 			//test that tcp is whitelisted
-			out, _, err := K8sExecInPod(wp, "wordpress-mysql", []string{"bash", "-c", "cat readme.html"})
-			Expect(err).To(BeNil())
-			fmt.Printf("---START---\n%s---END---\n", out)
-			Expect(out).To(MatchRegexp("<!DOCTYPE html>((?:.*\r?\n?)*)</html>"))
+			AssertCommand(wp, "wordpress-mysql",
+				[]string{"bash", "-c", "cat readme.html"},
+				MatchRegexp("<!DOCTYPE html>((?:.*\r?\n?)*)</html>"),
+				false)
+
 			// check policy violation alert
 			_, alerts, err := KarmorGetLogs(5*time.Second, 1)
 			Expect(err).To(BeNil())

diff --git a/tests/k8s_env/ksp/ksp_test.go b/tests/k8s_env/ksp/ksp_test.go
@@ -84,9 +84,10 @@ var _ = Describe("Ksp", func() {
 			err = KarmorLogStart("all", "nginx", "", pods.Items[0].Name)
 			Expect(err).To(BeNil())
 
-			sout, _, err := K8sExecInPod(pods.Items[0].Name, "nginx", []string{"ls"})
-			Expect(err).To(BeNil())
-			fmt.Printf("---START---\n%s---END---\n", sout)
+			AssertCommand(pods.Items[0].Name, "nginx",
+				[]string{"ls"},
+				MatchRegexp(".*"), // MatchRegexp(".*") allows any output
+				false)
 
 			// check audit logs
 			logs, _, err := KarmorGetLogs(5*time.Second, 50)
@@ -110,11 +111,12 @@ var _ = Describe("Ksp", func() {
 			err = KarmorLogStart("policy", "multiubuntu", "Network", ub1)
 			Expect(err).To(BeNil())
 
-			sout, _, err := K8sExecInPod(ub1, "multiubuntu",
-				[]string{"bash", "-c", "ping -c 1 127.0.0.1"})
-			Expect(err).To(BeNil())
-			fmt.Printf("OUTPUT: %s\n", sout)
-			Expect(sout).To(MatchRegexp("PING.*127.0.0.1"))
+			//sout, _, err := K8sExecInPod(ub1, "multiubuntu",
+			//	[]string{"bash", "-c", "ping -c 1 127.0.0.1"})
+			//Expect(err).To(BeNil())
+			//fmt.Printf("OUTPUT: %s\n", sout)
+			//Expect(sout).To(MatchRegexp("PING.*127.0.0.1"))
+			AssertCommand(ub1, "multiubuntu", []string{"bash", "-c", "ping -c 1 127.0.0.1"}, MatchRegexp("PING.*127.0.0.1"), false)
 
 			expect := protobuf.Alert{
 				PolicyName: "ksp-ubuntu-1-audit-net-icmp",
@@ -220,11 +222,10 @@ var _ = Describe("Ksp", func() {
 			err = KarmorLogStart("policy", "multiubuntu", "Network", ub1)
 			Expect(err).To(BeNil())
 
-			sout, _, err := K8sExecInPod(ub1, "multiubuntu",
-				[]string{"bash", "-c", "arping -c 1 127.0.0.1"})
-			Expect(err).To(BeNil())
-			fmt.Printf("OUTPUT: %s\n", sout)
-			Expect(sout).To(MatchRegexp("ARPING 127.0.0.1"))
+			AssertCommand(ub1, "multiubuntu",
+				[]string{"bash", "-c", "arping -c 1 127.0.0.1"},
+				MatchRegexp("ARPING 127.0.0.1"),
+				false)
 
 			expect := protobuf.Alert{
 				PolicyName: "ksp-ubuntu-1-audit-net-raw",
@@ -396,10 +397,10 @@ var _ = Describe("Ksp", func() {
 			err = KarmorLogStart("policy", "multiubuntu", "Process", ub4)
 			Expect(err).To(BeNil())
 
-			sout, _, err := K8sExecInPod(ub4, "multiubuntu",
-				[]string{"bash", "-c", "sleep 1"})
-			Expect(err).To(BeNil())
-			fmt.Printf("OUTPUT: %s\n", sout)
+			AssertCommand(ub4, "multiubuntu",
+				[]string{"bash", "-c", "sleep 1"},
+				MatchRegexp(".*"), // MatchRegexp(".*") allows any output
+				false)
 
 			expect := protobuf.Alert{
 				PolicyName: "ksp-group-2-audit-proc-path",
@@ -603,11 +604,10 @@ var _ = Describe("Ksp", func() {
 			AssertCommand(ub3, "multiubuntu", []string{"bash", "-c", "/home/user1/hello"},
 				MatchRegexp("hello.*Permission denied"), true,
 			)
-			sout, _, err := K8sExecInPod(ub3, "multiubuntu",
-				[]string{"bash", "-c", "/home/user1/hello"})
-			Expect(err).To(BeNil())
-			fmt.Printf("OUTPUT: %s\n", sout)
-			Expect(sout).To(MatchRegexp("hello.*Permission denied"))
+			AssertCommand(ub3, "multiubuntu",
+				[]string{"bash", "-c", "/home/user1/hello"},
+				MatchRegexp("hello.*Permission denied"),
+				false)
 
 			expect := protobuf.Alert{
 				PolicyName: "ksp-ubuntu-3-block-proc-path-owner",
@@ -908,10 +908,10 @@ var _ = Describe("Ksp", func() {
 			err = KarmorLogStart("policy", "multiubuntu", "File", ub1)
 			Expect(err).To(BeNil())
 
-			sout, _, err := K8sExecInPod(ub1, "multiubuntu",
-				[]string{"bash", "-c", "touch  /home/user1/new1"})
-			Expect(err).To(BeNil())
-			fmt.Printf("OUTPUT: %s\n", sout)
+			AssertCommand(ub1, "multiubuntu",
+				[]string{"bash", "-c", "touch /home/user1/new1"},
+				MatchRegexp(".*"), // MatchRegexp(".*") allows any output
+				false)
 
 			expect := protobuf.Alert{
 				PolicyName: "ksp-ubuntu-1-audit-file-access-owner-readonly",
@@ -1497,10 +1497,11 @@ var _ = Describe("Ksp", func() {
 			err = KarmorLogStart("system", "multiubuntu", "File", ub4)
 			Expect(err).To(BeNil())
 
-			sout, _, err := K8sExecInPod(ub4, "multiubuntu",
-				[]string{"bash", "-c", "su - user1 -c 'cat /home/user1/secret_data1.txt'"})
-			Expect(err).To(BeNil())
-			fmt.Printf("OUTPUT: %s\n", sout)
+			AssertCommand(ub4, "multiubuntu",
+				[]string{"bash", "-c", "su - user1 -c 'cat /home/user1/secret_data1.txt'"},
+				MatchRegexp(".*"), // MatchRegexp(".*") allows any output
+				false)
+
 			// Expect(sout).To(ContainSubstring("secret file user1"))
 
 			expectLog := protobuf.Log{
@@ -1614,10 +1615,10 @@ var _ = Describe("Ksp", func() {
 
 			// Test 3: write operation on the file by the owner should also be allowed
 			// No need for AssertCommand here since there is nothing to match
-			sout, _, err := K8sExecInPod(ub3, "multiubuntu",
-				[]string{"bash", "-c", "su - user1 -c 'echo user1 >> /home/user1/secret_data1.txt'"})
-			Expect(err).To(BeNil())
-			fmt.Printf("OUTPUT: %s\n", sout)
+			AssertCommand(ub3, "multiubuntu",
+				[]string{"bash", "-c", "su - user1 -c 'echo user1 >> /home/user1/secret_data1.txt'"},
+				MatchRegexp(".*"), // MatchRegexp(".*") allows any output
+				false)
 
 		})
 
@@ -1676,11 +1677,10 @@ var _ = Describe("Ksp", func() {
 			err = KarmorLogStart("system", "multiubuntu", "File", ub4)
 			Expect(err).To(BeNil())
 
-			sout, _, err := K8sExecInPod(ub4, "multiubuntu",
-				[]string{"bash", "-c", "./readwrite -r /secret.txt"})
-			Expect(err).To(BeNil())
-			fmt.Printf("OUTPUT: %s\n", sout)
-			Expect(sout).To(ContainSubstring("s"))
+			AssertCommand(ub4, "multiubuntu",
+				[]string{"bash", "-c", "./readwrite -r /secret.txt"},
+				ContainSubstring("s"),
+				false)
 
 			expectLog = protobuf.Log{
 				Resource: "secret.txt",
@@ -1714,10 +1714,10 @@ var _ = Describe("Ksp", func() {
 			err = KarmorLogStart("policy", "multiubuntu", "File", ub4)
 			Expect(err).To(BeNil())
 
-			sout, _, err := K8sExecInPod(ub4, "multiubuntu",
-				[]string{"bash", "-c", "./readwrite -w /credentials/password"})
-			Expect(err).To(BeNil())
-			fmt.Printf("OUTPUT: %s\n", sout)
+			AssertCommand(ub4, "multiubuntu",
+				[]string{"bash", "-c", "./readwrite -w /credentials/password"},
+				MatchRegexp(".*"), // MatchRegexp(".*") allows any output
+				false)
 
 			expect := protobuf.Alert{
 				PolicyName: "DefaultPosture",
@@ -1733,10 +1733,10 @@ var _ = Describe("Ksp", func() {
 
 			// Test 3: reading some other file should be denied as not allowed by the policy
 
-			sout, _, err = K8sExecInPod(ub4, "multiubuntu",
-				[]string{"bash", "-c", "./readwrite -r /secret.txt"})
-			Expect(err).To(BeNil())
-			fmt.Printf("OUTPUT: %s\n", sout)
+			AssertCommand(ub4, "multiubuntu",
+				[]string{"bash", "-c", "./readwrite -r /secret.txt"},
+				MatchRegexp(".*"), // MatchRegexp(".*") allows any output
+				false)
 
 			expect = protobuf.Alert{
 				PolicyName: "DefaultPosture",
@@ -1815,10 +1815,10 @@ var _ = Describe("Ksp", func() {
 			err = KarmorLogStart("policy", "multiubuntu", "File", ub4)
 			Expect(err).To(BeNil())
 
-			sout, _, err := K8sExecInPod(ub4, "multiubuntu",
-				[]string{"bash", "-c", "touch /dev/shm/new"})
-			Expect(err).To(BeNil())
-			fmt.Printf("OUTPUT: %s\n", sout)
+			AssertCommand(ub4, "multiubuntu",
+				[]string{"bash", "-c", "touch /dev/shm/new"},
+				MatchRegexp(".*"), // MatchRegexp(".*") allows any output
+				false)
 
 			expect := protobuf.Alert{
 				PolicyName: "ksp-ubuntu-4-audit-file-path-readonly",
@@ -1999,11 +1999,11 @@ var _ = Describe("Ksp", func() {
 			err = KarmorLogStart("system", "multiubuntu", "File", ub4)
 			Expect(err).To(BeNil())
 
-			sout, _, err := K8sExecInPod(ub4, "multiubuntu",
-				[]string{"bash", "-c", "cat /credentials/password"})
-			Expect(err).To(BeNil())
-			fmt.Printf("OUTPUT: %s\n", sout)
-			Expect(sout).To(ContainSubstring("password file"))
+			AssertCommand(ub4, "multiubuntu",
+				[]string{"bash", "-c", "cat /credentials/password"},
+				ContainSubstring("password file"),
+				false)
+
 		})
 
 	})