v1.5.0 release checklist #1894

Open
13 of 24 tasks
rksharma95 opened this issue Nov 14, 2024 · 7 comments
Assignees
Labels
enhancement New feature or request

Comments

@rksharma95
Collaborator

rksharma95 commented Nov 14, 2024

Release Checklist

Backlog Status

  • Manual Tests
    • EKS - Bottlerocket
    • EKS - Graviton (ARM64)
    • EKS - Amazon Linux 2
    • GKE COS (AppArmor)
    • GKE COS (BPF-LSM)
    • RHEL (certain BPF_LSM primitives are not available on RHEL)
    • minikube - VM Based
    • AKS Cluster - Ubuntu
    • AKS Cluster - Azure Linux - No AppArmor packages
    • VM support - test kubearmor packages without k8s on RHEL- and Debian-based systems
    • VM Support - Docker Compose
    • KubeArmor Performance Benchmarking Data for BPF-LSM
    • Seccomp implementation in all cluster envs mentioned above
  • MarketPlace Image updates
  • Release Blog
  • Mark as stable release
  • Update to getting-started guide for helm
  • Does it require a manual update to Operator bundle? (changes required)
  • Check that the helm charts have been released

Note: Release checklist is needed since testing of certain platforms is not automated in CI env due to non-technical (primarily cost) concerns.

@rksharma95 rksharma95 added the enhancement New feature or request label Nov 14, 2024
@rksharma95 rksharma95 self-assigned this Nov 14, 2024
@rksharma95 rksharma95 changed the title from v1.4.4 release checklist to v1.5.0 release checklist Jan 17, 2025
@rksharma95
Collaborator Author

@Aryan-sharma11 EKS, AKS
@rksharma95 Marketplaces, RHEL, VM, Talos
@rootxrishabh GKE, NRI
@daemon1024 Release Blog

@rksharma95
Collaborator Author

rksharma95 commented Jan 22, 2025

Environment: VM
Orchestration system: Unorchestrated
Tests: https://github.com/kubearmor/KubeArmor/tree/main/tests/nonk8s_env

Ubuntu 20.04.6 LTS
Found KubeArmor running in Systemd mode 

Host : 
        OS Image:                       Ubuntu 20.04.6 LTS               
        Kernel Version:                 5.4.0-169-generic                
        Kubelet Version:                                                 
        Container Runtime:                                               
        Active LSM:                     AppArmor                         
        Host Security:                  true                             
        Container Security:             true                             
        Container Default Posture:      audit(File)                             audit(Capabilities)     audit(Network)
        Host Default Posture:           audit(File)                             audit(Capabilities)     audit(Network)
        Host Visibility:                process,file,network,capabilities
Armored Up Containers : 
+-----------------+------------------+
| CONTAINER NAME  |      POLICY      |
+-----------------+------------------+
| wordpress-mysql | ksp-block-policy |
+-----------------+------------------+

/home/vagrant/KubeArmor/tests/nonk8s_env/smoke/smoke_test.go:21
  > Enter [AfterSuite] TOP-LEVEL - /home/vagrant/KubeArmor/tests/nonk8s_env/smoke/smoke_test.go:21 @ 01/21/25 08:21:12.141
  < Exit [AfterSuite] TOP-LEVEL - /home/vagrant/KubeArmor/tests/nonk8s_env/smoke/smoke_test.go:21 @ 01/21/25 08:21:18.056 (5.916s)
[AfterSuite] PASSED [5.916 seconds]
------------------------------

Ran 4 of 4 Specs in 115.236 seconds
SUCCESS! -- 4 Passed | 0 Failed | 0 Pending | 0 Skipped
PASS

Ginkgo ran 1 suite in 2m54.211143847s
Test Suite Passed

Red Hat Enterprise Linux 9.5
Found KubeArmor running in Systemd mode

Host :
      	OS Image:                       Red Hat Enterprise Linux 9.5 (Plow)
        Kernel Version:                 5.14.0-503.15.1.el9_5.x86_64
        Kubelet Version:
        Container Runtime:
        Active LSM:                     BPFLSM
        Host Security:                  true
        Container Security:             true
        Container Default Posture:      audit(File)                             audit(Capabilities)     audit(Network)
        Host Default Posture:           audit(File)                             audit(Capabilities)     audit(Network)
        Host Visibility:                process,file,network,capabilities
Armored Up Containers :
+-----------------+------------------+
| CONTAINER NAME  |      POLICY      |
+-----------------+------------------+
| wordpress-mysql | ksp-block-policy |
+-----------------+------------------+

[AfterSuite] 
/home/ec2-user/KubeArmor/tests/nonk8s_env/smoke/smoke_test.go:21
  > Enter [AfterSuite] TOP-LEVEL - /home/ec2-user/KubeArmor/tests/nonk8s_env/smoke/smoke_test.go:21 @ 01/22/25 07:18:28.476
  < Exit [AfterSuite] TOP-LEVEL - /home/ec2-user/KubeArmor/tests/nonk8s_env/smoke/smoke_test.go:21 @ 01/22/25 07:18:33.999 (5.523s)
[AfterSuite] PASSED [5.523 seconds]
------------------------------

Ran 4 of 4 Specs in 18.840 seconds
SUCCESS! -- 4 Passed | 0 Failed | 0 Pending | 0 Skipped
PASS

Ginkgo ran 1 suite in 26.398071969s
Test Suite Passed
$ docker exec -it wordpress-mysql apt                
exec /usr/bin/apt: permission denied

== Alert / 2025-01-22 08:09:55.394043 ==
ClusterName: default
HostName: ip-172-31-18-72.ec2.internal
NamespaceName: container_namespace
PodName: wordpress-mysql
Labels: com.docker.compose.oneoff=False,com.docker.compose.project.working_dir=/home/ec2-user/KubeArmor/tests/nonk8s_env/smoke/res/wordpress_docker,com.docker.compose.config-hash=262f147e472b4380f054219d231be78c05d3b91e71134b5d0403d125c81fa400,com.docker.compose.container-number=1,com.docker.compose.project=wordpress_docker,com.docker.compose.project.config_files=/home/ec2-user/KubeArmor/tests/nonk8s_env/smoke/res/wordpress_docker/compose.yaml,com.docker.compose.service=wordpress,com.docker.compose.version=2.32.4,com.docker.compose.depends_on=,com.docker.compose.image=sha256:c012b71a41fc3c0c778ba2d120c275cc75f5181852be1bff3402eb21d5a758de,namespaceName=container_namespace,kubearmor.io/container.name=wordpress-mysql
ContainerName: wordpress-mysql
ContainerID: 76351f7d85f15a5d1a48dcb68678da70c445add3998466e903a4e3417c5f2a79
ContainerImage: wordpress:latest
Type: MatchedPolicy
PolicyName: ksp-block-policy
Severity: 3
Resource: /usr/bin/apt
Operation: Process
Action: Block
Data: syscall=SYS_EXECVE
Enforcer: BPFLSM
Result: Permission denied
Cwd: /var/www/html/
HostPID: 37474
HostPPID: 37463
PID: 62
PPID: 0
ProcessName: /usr/bin/apt
TTY: pts0
UID: 0

@rksharma95
Collaborator Author

Environment: EKS
Orchestration system: Orchestrated
Tests: https://github.com/kubearmor/KubeArmor/tree/main/tests/k8s_env

NAME                            STATUS   ROLES    AGE   VERSION               INTERNAL-IP     EXTERNAL-IP      OS-IMAGE                                KERNEL-VERSION                   CONTAINER-RUNTIME
ip-172-31-23-222.ec2.internal   Ready    <none>   92m   v1.31.4-eks-aeac579   172.31.23.222   34.229.14.244    Amazon Linux 2                          5.10.230-223.885.amzn2.x86_64    containerd://1.7.23
ip-172-31-24-125.ec2.internal   Ready    <none>   61m   v1.31.3-eks-7636447   172.31.24.125   54.208.125.7     Bottlerocket OS 1.31.0 (aws-k8s-1.31)   6.1.119                          containerd://1.7.24+bottlerocket
ip-172-31-64-200.ec2.internal   Ready    <none>   94m   v1.31.4-eks-aeac579   172.31.64.200   44.197.206.184   Amazon Linux 2                          5.10.230-223.885.amzn2.aarch64   containerd://1.7.23
karmor probe
Found KubeArmor running in Kubernetes

Daemonset :
 	kubearmor 	Desired: 3	Ready: 3	Available: 3	
Deployments : 
 	kubearmor-controller	Desired: 1	Ready: 1	Available: 1	
 	kubearmor-operator  	Desired: 1	Ready: 1	Available: 1	
 	kubearmor-relay     	Desired: 1	Ready: 1	Available: 1	
Containers : 
 	kubearmor-bpf-containerd-98c2c-2x7vz 	Running: 1	Image Version: kubearmor/kubearmor:latest             	
 	kubearmor-bpf-containerd-98c2c-mhglx 	Running: 1	Image Version: kubearmor/kubearmor:latest             	
 	kubearmor-bpf-containerd-98c2c-nssql 	Running: 1	Image Version: kubearmor/kubearmor:latest             	
 	kubearmor-controller-8684dbc7c6-bhc5q	Running: 1	Image Version: kubearmor/kubearmor-controller:latest  	
 	kubearmor-operator-8468587df9-v8p8l  	Running: 1	Image Version: kubearmor/kubearmor-operator:latest    	
 	kubearmor-relay-fb966b895-vxmxf      	Running: 1	Image Version: kubearmor/kubearmor-relay-server:latest	
Node 1 : 
 	OS Image:                 	Amazon Linux 2                	
 	Kernel Version:           	5.10.230-223.885.amzn2.aarch64	
 	Kubelet Version:          	v1.31.4-eks-aeac579           	
 	Container Runtime:        	containerd://1.7.23           	
 	Active LSM:               	                             	
 	Host Security:            	false                         	
 	Container Security:       	false                         	
 	Container Default Posture:	block(File)                   	block(Capabilities)	block(Network)	
 	Host Default Posture:     	audit(File)                   	audit(Capabilities)	audit(Network)	
 	Host Visibility:          	none                          	
Node 2 : 
 	OS Image:                 	Bottlerocket OS 1.31.0 (aws-k8s-1.31)	
 	Kernel Version:           	6.1.119                              	
 	Kubelet Version:          	v1.31.3-eks-7636447                  	
 	Container Runtime:        	containerd://1.7.24+bottlerocket     	
 	Active LSM:               	BPFLSM                               	
 	Host Security:            	false                                	
 	Container Security:       	true                                 	
 	Container Default Posture:	block(File)                          	block(Capabilities)	block(Network)	
 	Host Default Posture:     	audit(File)                          	audit(Capabilities)	audit(Network)	
 	Host Visibility:          	none                                 	
Node 3 : 
 	OS Image:                 	Amazon Linux 2               	
 	Kernel Version:           	5.10.230-223.885.amzn2.x86_64	
 	Kubelet Version:          	v1.31.4-eks-aeac579          	
 	Container Runtime:        	containerd://1.7.23          	
 	Active LSM:               	BPFLSM                       	
 	Host Security:            	false                        	
 	Container Security:       	true                         	
 	Container Default Posture:	block(File)                  	block(Capabilities)	block(Network)	
 	Host Default Posture:     	audit(File)                  	audit(Capabilities)	audit(Network)	
 	Host Visibility:          	none                         	
Armored Up pods : 
+-----------+-----------------+------------+------+--------+
| NAMESPACE | DEFAULT POSTURE | VISIBILITY | NAME | POLICY |
+-----------+-----------------+------------+------+--------+
+-----------+-----------------+------------+------+--------+
Performance
Pod: kubearmor-bpf-containerd-98c2c-2x7vz
  Average CPU (m): 4.81
  Average Memory (MiB): 60.83
  Peak CPU (m): 47
  Peak Memory (MiB): 87
  Time Range: 2025-01-27 11:23:36 - 2025-01-27 11:57:08

Pod: kubearmor-bpf-containerd-98c2c-mhglx
  Average CPU (m): 8.15
  Average Memory (MiB): 135.92
  Peak CPU (m): 355
  Peak Memory (MiB): 167
  Time Range: 2025-01-27 11:23:36 - 2025-01-27 11:57:08

Pod: kubearmor-bpf-containerd-98c2c-nssql
  Average CPU (m): 30.95
  Average Memory (MiB): 78.13
  Peak CPU (m): 722
  Peak Memory (MiB): 106
  Time Range: 2025-01-27 11:23:36 - 2025-01-27 11:57:08

Pod: kubearmor-controller-8684dbc7c6-bhc5q
  Average CPU (m): 1.82
  Average Memory (MiB): 16.14
  Peak CPU (m): 6
  Peak Memory (MiB): 18
  Time Range: 2025-01-27 11:23:36 - 2025-01-27 11:57:08

Pod: kubearmor-operator-8468587df9-v8p8l
  Average CPU (m): 2.52
  Average Memory (MiB): 9.83
  Peak CPU (m): 4
  Peak Memory (MiB): 10
  Time Range: 2025-01-27 11:23:36 - 2025-01-27 11:57:08

Pod: kubearmor-relay-fb966b895-vxmxf
  Average CPU (m): 10.90
  Average Memory (MiB): 11.40
  Peak CPU (m): 44
  Peak Memory (MiB): 16
  Time Range: 2025-01-27 11:23:36 - 2025-01-27 11:57:08
Test Result
Ginkgo ran 10 suites in 23m55.383333199s
Test Suite Passed

@rksharma95
Collaborator Author

Environment: OpenShift
Orchestration system: Orchestrated

oc get nodes -o wide
NAME   STATUS   ROLES                         AGE    VERSION   INTERNAL-IP      EXTERNAL-IP   OS-IMAGE                                                KERNEL-VERSION                 CONTAINER-RUNTIME
crc    Ready    control-plane,master,worker   120d   v1.30.4   192.168.126.11   <none>        Red Hat Enterprise Linux CoreOS 417.94.202409121747-0   5.14.0-427.35.1.el9_4.x86_64   cri-o://1.30.5-7.rhaos4.17.git2e89940.el9
karmor probe

Found KubeArmor running in Kubernetes

Daemonset :
        kubearmor       Desired: 1      Ready: 1        Available: 1
Deployments : 
        kubearmor-controller    Desired: 1      Ready: 1        Available: 1
        kubearmor-relay         Desired: 1      Ready: 1        Available: 1
Containers : 
        kubearmor-snitch-j28hx-g2pbf            Running: 1      Image Version: docker.io/kubearmor/kubearmor-snitch@sha256:6ed475b122785e7fea6941ef2e81a8c558707a348d917c6fc3b8476750d343d5      
        kubearmor-bpf-cri-o-47653-2vkzx         Running: 1      Image Version: docker.io/kubearmor/kubearmor-ubi@sha256:0c335fb514a173ffb70ff56d0d613bbcfd103331429ef4ea7e3e515eabd77b34         
        kubearmor-controller-8845f7f8d-c4cj9    Running: 1      Image Version: docker.io/kubearmor/kubearmor-controller@sha256:eed7383b3c58deccb063ea621f32c1661d50412e343d56f4631b63901b1da51f  
        kubearmor-operator-596c785d46-mzg84     Running: 1      Image Version: docker.io/kubearmor/kubearmor-operator@sha256:1bceb45544fe2d0b8cb7d985cb6b42b2cc2f4ad09d57aff9fd407dc142a59b8a    
        kubearmor-relay-9f5d74cbf-rnmd8         Running: 1      Image Version: docker.io/kubearmor/kubearmor-relay-server@sha256:ac1c41c2d69caa7e53546ec2ae33bc868a0d1dc8bd1d649ef25b397ec220f31f
Node 1 : 
        OS Image:                       Red Hat Enterprise Linux CoreOS 417.94.202409121747-0
        Kernel Version:                 5.14.0-427.35.1.el9_4.x86_64                         
        Kubelet Version:                v1.30.4                                              
        Container Runtime:              cri-o://1.30.5-7.rhaos4.17.git2e89940.el9            
        Active LSM:                     BPFLSM                                               
        Host Security:                  false                                                
        Container Security:             true                                                 
        Container Default Posture:      block(File)                                             block(Capabilities)     block(Network)
        Host Default Posture:           audit(File)                                             audit(Capabilities)     audit(Network)
        Host Visibility:                none
karmor logs
local port to be used for port forwarding kubearmor-relay-9f5d74cbf-rnmd8: 32851 
Created a gRPC client (localhost:32851)
Checked the liveness of the gRPC server
Started to watch alerts
== Alert / 2025-01-27 11:52:12.514772 ==
ClusterName: default
HostName: crc
NamespaceName: default
PodName: nginx-bf5d5cf98-bwgtv
Labels: app=nginx
ContainerName: nginx
ContainerID: be447898c4c2b761e3c27460fb73a83ddc4e144beef7bf7c89107f1679781de1
ContainerImage: docker.io/library/nginx:latest@sha256:0a399eb16751829e1af26fea27b20c3ec28d7ab1fb72182879dcae1cca21206a
Type: MatchedPolicy
PolicyName: harden-write-under-dev-dir
Severity: 5
Message: Alert! File creation under /dev/ directory detected.
Source: /usr/bin/sh -i -c TERM=xterm sh
Resource: /dev/pts/ptmx
Operation: File
Action: Audit
Data: syscall=SYS_OPENAT fd=-100 flags=O_RDWR|O_NOCTTY|O_CLOEXEC
Enforcer: BPFLSM
Result: Passed
ATags: [MITRE MITRE_T1036_masquerading NIST NIST_800-53_AU-2 NIST_800-53_SI-4]
Cwd: /
HostPID: 82976
HostPPID: 82968
Owner: map[Name:nginx Namespace:default Ref:Deployment]
PID: 43
PPID: 0
ParentProcessName: /usr/bin/runc
ProcessName: /usr/bin/dash
Tags: MITRE,MITRE_T1036_masquerading,NIST,NIST_800-53_AU-2,NIST_800-53_SI-4
UID: 0
== Alert / 2025-01-27 11:52:12.514789 ==
ClusterName: default
HostName: crc
NamespaceName: default
PodName: nginx-bf5d5cf98-bwgtv
Labels: app=nginx
ContainerName: nginx
ContainerID: be447898c4c2b761e3c27460fb73a83ddc4e144beef7bf7c89107f1679781de1
ContainerImage: docker.io/library/nginx:latest@sha256:0a399eb16751829e1af26fea27b20c3ec28d7ab1fb72182879dcae1cca21206a
Type: MatchedPolicy
PolicyName: harden-write-under-dev-dir
Severity: 5
Message: Alert! File creation under /dev/ directory detected.
Source: /usr/bin/sh -i -c TERM=xterm sh
Resource: /dev/pts/0
Operation: File
Action: Audit
Data: syscall=SYS_OPENAT fd=-100 flags=O_RDWR
Enforcer: BPFLSM
Result: Passed
ATags: [MITRE MITRE_T1036_masquerading NIST NIST_800-53_AU-2 NIST_800-53_SI-4]
Cwd: /
HostPID: 82976
HostPPID: 82968
Owner: map[Name:nginx Namespace:default Ref:Deployment]
PID: 43
PPID: 0
ParentProcessName: /usr/bin/runc
ProcessName: /usr/bin/dash
TTY: pts0
Tags: MITRE,MITRE_T1036_masquerading,NIST,NIST_800-53_AU-2,NIST_800-53_SI-4
UID: 0
== Alert / 2025-01-27 11:52:12.515946 ==
ClusterName: default
HostName: crc
NamespaceName: default
PodName: nginx-bf5d5cf98-bwgtv
Labels: app=nginx
ContainerName: nginx
ContainerID: be447898c4c2b761e3c27460fb73a83ddc4e144beef7bf7c89107f1679781de1
ContainerImage: docker.io/library/nginx:latest@sha256:0a399eb16751829e1af26fea27b20c3ec28d7ab1fb72182879dcae1cca21206a
Type: MatchedPolicy
PolicyName: harden-remote-services
Severity: 3
Message: Warning! access sensitive files detected
Source: /usr/bin/sh -i -c TERM=xterm sh
Resource: /etc/passwd
Operation: File
Action: Audit
Data: syscall=SYS_OPENAT fd=-100 flags=O_RDONLY|O_CLOEXEC
Enforcer: BPFLSM
Result: Passed
ATags: [5G FGT1021 FIGHT MITRE MITRE_T1021_Remote_Services]
Cwd: /
HostPID: 82976
HostPPID: 82968
Owner: map[Name:nginx Namespace:default Ref:Deployment]
PID: 43
PPID: 0
ParentProcessName: /usr/bin/runc
ProcessName: /usr/bin/dash
TTY: pts0
Tags: 5G,FGT1021,FIGHT,MITRE,MITRE_T1021_Remote_Services
UID: 0
== Alert / 2025-01-27 11:52:12.518307 ==
ClusterName: default
HostName: crc
NamespaceName: default
PodName: nginx-bf5d5cf98-bwgtv
Labels: app=nginx
ContainerName: nginx
ContainerID: be447898c4c2b761e3c27460fb73a83ddc4e144beef7bf7c89107f1679781de1
ContainerImage: docker.io/library/nginx:latest@sha256:0a399eb16751829e1af26fea27b20c3ec28d7ab1fb72182879dcae1cca21206a
Type: MatchedPolicy
PolicyName: harden-write-under-dev-dir
Severity: 5
Message: Alert! File creation under /dev/ directory detected.
Source: /usr/bin/sh -i -c TERM=xterm sh
Resource: /dev/tty
Operation: File
Action: Audit
Data: syscall=SYS_OPENAT fd=-100 flags=O_RDWR
Enforcer: BPFLSM
Result: Passed
ATags: [MITRE MITRE_T1036_masquerading NIST NIST_800-53_AU-2 NIST_800-53_SI-4]
Cwd: /
HostPID: 82976
HostPPID: 82968
Owner: map[Name:nginx Namespace:default Ref:Deployment]
PID: 43
PPID: 0
ParentProcessName: /usr/bin/runc
ProcessName: /usr/bin/dash
TTY: pts0
Tags: MITRE,MITRE_T1036_masquerading,NIST,NIST_800-53_AU-2,NIST_800-53_SI-4
UID: 0
== Alert / 2025-01-27 11:52:12.518352 ==
ClusterName: default
HostName: crc
NamespaceName: default
PodName: nginx-bf5d5cf98-bwgtv
Labels: app=nginx
ContainerName: nginx
ContainerID: be447898c4c2b761e3c27460fb73a83ddc4e144beef7bf7c89107f1679781de1
ContainerImage: docker.io/library/nginx:latest@sha256:0a399eb16751829e1af26fea27b20c3ec28d7ab1fb72182879dcae1cca21206a
Type: MatchedPolicy
PolicyName: harden-write-under-dev-dir
Severity: 5
Message: Alert! File creation under /dev/ directory detected.
Source: /usr/bin/sh
Resource: /dev/tty
Operation: File
Action: Audit
Data: syscall=SYS_OPENAT fd=-100 flags=O_RDWR
Enforcer: BPFLSM
Result: Passed
ATags: [MITRE MITRE_T1036_masquerading NIST NIST_800-53_AU-2 NIST_800-53_SI-4]
Cwd: /
HostPID: 82983
HostPPID: 82976
Owner: map[Name:nginx Namespace:default Ref:Deployment]
PID: 49
PPID: 43
ParentProcessName: /usr/bin/dash
ProcessName: /usr/bin/dash
TTY: pts0
Tags: MITRE,MITRE_T1036_masquerading,NIST,NIST_800-53_AU-2,NIST_800-53_SI-4
UID: 0
== Alert / 2025-01-27 11:52:14.648461 ==
ClusterName: default
HostName: crc
NamespaceName: default
PodName: nginx-bf5d5cf98-bwgtv
Labels: app=nginx
ContainerName: nginx
ContainerID: be447898c4c2b761e3c27460fb73a83ddc4e144beef7bf7c89107f1679781de1
ContainerImage: docker.io/library/nginx:latest@sha256:0a399eb16751829e1af26fea27b20c3ec28d7ab1fb72182879dcae1cca21206a
Type: MatchedPolicy
PolicyName: harden-pkg-mngr-exec
Severity: 5
Message: Alert! Execution of package management process inside container is denied
Source: /usr/bin/dash
Resource: /usr/bin/apt
Operation: Process
Action: Block
Data: lsm=SECURITY_BPRM_CHECK
Enforcer: BPFLSM
Result: Permission denied
ATags: [NIST NIST_800-53_CM-7(4) NIST_800-53_SI-4 SI-4 process]
Cwd: /
HostPID: 83042
HostPPID: 82983
Owner: map[Name:nginx Namespace:default Ref:Deployment]
PID: 50
PPID: 82983
ParentProcessName: /usr/bin/dash
ProcessName: /usr/bin/apt
Tags: NIST,NIST_800-53_CM-7(4),NIST_800-53_SI-4,SI-4,process
UID: 0
== Alert / 2025-01-27 11:52:14.648228 ==
ClusterName: default
HostName: crc
NamespaceName: default
PodName: nginx-bf5d5cf98-bwgtv
Labels: app=nginx
ContainerName: nginx
ContainerID: be447898c4c2b761e3c27460fb73a83ddc4e144beef7bf7c89107f1679781de1
ContainerImage: docker.io/library/nginx:latest@sha256:0a399eb16751829e1af26fea27b20c3ec28d7ab1fb72182879dcae1cca21206a
Type: MatchedPolicy
PolicyName: harden-pkg-mngr-exec
Severity: 5
Message: Alert! Execution of package management process inside container is denied
Source: /usr/bin/dash
Resource: /usr/bin/apt
Operation: Process
Action: Block
Data: syscall=SYS_EXECVE
Enforcer: BPFLSM
Result: Permission denied
ATags: [NIST NIST_800-53_CM-7(4) NIST_800-53_SI-4 SI-4 process]
Cwd: /
HostPID: 83042
HostPPID: 82983
Owner: map[Name:nginx Namespace:default Ref:Deployment]
PID: 50
PPID: 49
ParentProcessName: /usr/bin/dash
ProcessName: /usr/bin/apt
TTY: pts0
Tags: NIST,NIST_800-53_CM-7(4),NIST_800-53_SI-4,SI-4,process
UID: 0
== Alert / 2025-01-27 11:52:14.648674 ==
ClusterName: default
HostName: crc
NamespaceName: default
PodName: nginx-bf5d5cf98-bwgtv
Labels: app=nginx
ContainerName: nginx
ContainerID: be447898c4c2b761e3c27460fb73a83ddc4e144beef7bf7c89107f1679781de1
ContainerImage: docker.io/library/nginx:latest@sha256:0a399eb16751829e1af26fea27b20c3ec28d7ab1fb72182879dcae1cca21206a
Type: MatchedPolicy
PolicyName: harden-pkg-mngr-exec
Severity: 5
Message: Alert! Execution of package management process inside container is denied
Source: /usr/bin/dash
Resource: /bin/apt
Operation: Process
Action: Block
Data: syscall=SYS_EXECVE
Enforcer: BPFLSM
Result: Permission denied
ATags: [NIST NIST_800-53_CM-7(4) NIST_800-53_SI-4 SI-4 process]
Cwd: /
HostPID: 83042
HostPPID: 82983
Owner: map[Name:nginx Namespace:default Ref:Deployment]
PID: 50
PPID: 49
ParentProcessName: /usr/bin/dash
ProcessName: /usr/bin/apt
TTY: pts0
Tags: NIST,NIST_800-53_CM-7(4),NIST_800-53_SI-4,SI-4,process
UID: 0
== Alert / 2025-01-27 11:52:14.649937 ==
ClusterName: default
HostName: crc
NamespaceName: default
PodName: nginx-bf5d5cf98-bwgtv
Labels: app=nginx
ContainerName: nginx
ContainerID: be447898c4c2b761e3c27460fb73a83ddc4e144beef7bf7c89107f1679781de1
ContainerImage: docker.io/library/nginx:latest@sha256:0a399eb16751829e1af26fea27b20c3ec28d7ab1fb72182879dcae1cca21206a
Type: MatchedPolicy
PolicyName: harden-pkg-mngr-exec
Severity: 5
Message: Alert! Execution of package management process inside container is denied
Source: /usr/bin/dash
Resource: /usr/bin/apt
Operation: Process
Action: Block
Data: lsm=SECURITY_BPRM_CHECK
Enforcer: BPFLSM
Result: Permission denied
ATags: [NIST NIST_800-53_CM-7(4) NIST_800-53_SI-4 SI-4 process]
Cwd: /
HostPID: 83042
HostPPID: 82983
Owner: map[Name:nginx Namespace:default Ref:Deployment]
PID: 50
PPID: 82983
ParentProcessName: /usr/bin/dash
ProcessName: /usr/bin/apt
Tags: NIST,NIST_800-53_CM-7(4),NIST_800-53_SI-4,SI-4,process
UID: 0

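The VM comment above (the blocked `docker exec ... apt`) and the OpenShift `karmor logs` output both show the same text alert format: an `== Alert / <timestamp> ==` header followed by `Key: value` lines, with a single denied `apt` exec reported twice under BPF-LSM (once with `Data: lsm=SECURITY_BPRM_CHECK`, once with `Data: syscall=SYS_EXECVE`, same HostPID and Resource). As an added example that is not part of this thread or of KubeArmor's own code, here is a small parser and summariser for that format. The `SAMPLE` stream, the `kubearmor-relay-example` pod name and the `apt-get` alert are constructed; only field names that appear in the thread are relied on.

```python
"""Parse the `== Alert / <ts> ==` text blocks that `karmor logs` prints and
summarise what the enforcer did. Added example, not KubeArmor's own code;
SAMPLE is constructed to mirror the thread's output and only field names
that appear there are relied on."""
import re
from collections import Counter

ALERT_HEADER = re.compile(r"^== Alert / (?P<ts>.+?) ==$")


def parse_alerts(text):
    """One dict per alert from 'Key: value' lines; header timestamp under
    'Timestamp'. Lines outside an alert (port-forward banner) are skipped."""
    alerts, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = ALERT_HEADER.match(line)
        if m:
            current = {"Timestamp": m.group("ts")}
            alerts.append(current)
            continue
        if current is None or not line:
            continue
        key, sep, value = line.partition(": ")  # split on first ': ' only, so Owner: map[Name:nginx ...] survives
        if sep:
            current[key] = value
    return alerts


def dedupe_enforcement(alerts):
    """Collapse the two records BPF-LSM emits for one denied exec: the LSM
    hook (Data: lsm=SECURITY_BPRM_CHECK) and the syscall tracepoint
    (Data: syscall=SYS_EXECVE) share HostPID, Resource, policy and action."""
    seen, unique = set(), []
    for a in alerts:
        key = (a.get("HostPID"), a.get("Resource"), a.get("PolicyName"), a.get("Action"))
        if key not in seen:
            seen.add(key)
            unique.append(a)
    return unique


def summarize(alerts):
    """Count deduplicated alerts per (PolicyName, Action, Result)."""
    return Counter((a.get("PolicyName"), a.get("Action"), a.get("Result"))
                   for a in dedupe_enforcement(alerts))


def denied_execs(alerts):
    """(Resource, Source) for process blocks that were actually denied. Result
    is checked as well as Action, since Action only says what the policy asked for."""
    return sorted({(a["Resource"], a.get("Source", ""))
                   for a in dedupe_enforcement(alerts)
                   if a.get("Operation") == "Process" and a.get("Action") == "Block"
                   and a.get("Result") == "Permission denied"})


# Constructed sample in the thread's format: one audit hit, one denied `apt`
# exec reported twice (LSM hook + syscall), then a separate denied `apt-get`.
SAMPLE = """\
local port to be used for port forwarding kubearmor-relay-example: 32851
Started to watch alerts
== Alert / 2025-01-27 11:52:12.518307 ==
PolicyName: harden-write-under-dev-dir
Source: /usr/bin/sh -i -c TERM=xterm sh
Resource: /dev/tty
Operation: File
Action: Audit
Result: Passed
Owner: map[Name:nginx Namespace:default Ref:Deployment]
HostPID: 82976
== Alert / 2025-01-27 11:52:14.648461 ==
PolicyName: harden-pkg-mngr-exec
Source: /usr/bin/dash
Resource: /usr/bin/apt
Operation: Process
Action: Block
Data: lsm=SECURITY_BPRM_CHECK
Result: Permission denied
HostPID: 83042
== Alert / 2025-01-27 11:52:14.648228 ==
PolicyName: harden-pkg-mngr-exec
Source: /usr/bin/dash
Resource: /usr/bin/apt
Operation: Process
Action: Block
Data: syscall=SYS_EXECVE
Result: Permission denied
HostPID: 83042
== Alert / 2025-01-27 11:52:20.000000 ==
PolicyName: harden-pkg-mngr-exec
Source: /usr/bin/dash
Resource: /usr/bin/apt-get
Operation: Process
Action: Block
Data: syscall=SYS_EXECVE
Result: Permission denied
HostPID: 83100
"""

if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE)
    for (policy, action, result), n in sorted(summarize(parsed).items()):
        print(f"{n:3d}  {policy:28s} {action:6s} {result}")
    print("denied:", denied_execs(parsed))
```

To run it against a live cluster, pipe `karmor logs` into a file and pass its contents to `parse_alerts`. The dedupe key deliberately includes `Action`, so an `Audit` and a `Block` hit on the same resource from the same process are kept apart; the raw stream should still be retained as the forensic record, the summary is only for triage.
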
@rootxrishabh
Member

Environment: GKE
Orchestration system: Orchestrated
Enforcer: BPFLSM
O.S: Container Optimized OS

Ran 17 of 19 Specs in 236.789 seconds
SUCCESS! -- 17 Passed | 0 Failed | 0 Pending | 2 Skipped
PASS

Ginkgo ran 1 suite in 4m2.127196858s
Test Suite Passed

@rootxrishabh
Member

Environment: GKE
Orchestration system: Orchestrated
Enforcer: AppArmor
O.S: Container Optimized OS

Summarizing 1 Failure:
  [FAIL] Smoke Policy Apply [It] can block execution of pkg mgmt tools such as apt, apt-get
  /home/rootxrishabh/accuknox/KubeArmor/tests/k8s_env/smoke/smoke_test.go:85

Ran 9 of 9 Specs in 249.345 seconds
FAIL! -- 8 Passed | 1 Failed | 0 Pending | 0 Skipped
--- FAIL: TestSmoke (249.35s)
FAIL

Ginkgo ran 1 suite in 4m15.698470445s

Test Suite Failed

@rksharma95
Collaborator Author

The AWS listing will be updated with the upcoming release, with the updated stable relay.
