From 0f69a67d9b153e8a0de6ed79310675c0cd6fad2c Mon Sep 17 00:00:00 2001 From: Ved Ratan <82467006+VedRatan@users.noreply.github.com> Date: Thu, 2 May 2024 09:42:17 +0530 Subject: [PATCH] added e2e tests (#96) 
Signed-off-by: Ved Ratan --- .github/workflows/pr-checks.yaml | 99 +++++++++++++++- Makefile | 12 +- tests/e2e/dns-manipulation/create/README.md | 112 ++++++++++++++++++ .../create/chainsaw-test.yaml | 65 ++++++++++ tests/e2e/dns-manipulation/delete/README.md | 100 ++++++++++++++++ .../delete/chainsaw-test.yaml | 71 +++++++++++ tests/e2e/dns-manipulation/ksp.yaml | 27 +++++ tests/e2e/dns-manipulation/netpol.yaml | 31 +++++ .../nimbus-policy-assert.yaml | 24 ++++ .../dns-manipulation/np-status-assert.yaml | 16 +++ .../dns-manipulation/sib-status-assert.yaml | 13 ++ tests/e2e/dns-manipulation/update/README.md | 111 +++++++++++++++++ .../update/chainsaw-test.yaml | 56 +++++++++ tests/e2e/dns-manipulation/updated-ksp.yaml | 22 ++++ .../e2e/dns-manipulation/updated-netpol.yaml | 25 ++++ .../namespaced/dns-manipulation-si.yaml | 13 ++ .../namespaced/dns-manipulation-sib.yaml | 17 +++ 17 files changed, 808 insertions(+), 6 deletions(-) create mode 100644 tests/e2e/dns-manipulation/create/README.md create mode 100644 tests/e2e/dns-manipulation/create/chainsaw-test.yaml create mode 100644 tests/e2e/dns-manipulation/delete/README.md create mode 100644 tests/e2e/dns-manipulation/delete/chainsaw-test.yaml create mode 100644 tests/e2e/dns-manipulation/ksp.yaml create mode 100644 tests/e2e/dns-manipulation/netpol.yaml create mode 100644 tests/e2e/dns-manipulation/nimbus-policy-assert.yaml create mode 100644 tests/e2e/dns-manipulation/np-status-assert.yaml create mode 100644 tests/e2e/dns-manipulation/sib-status-assert.yaml create mode 100644 tests/e2e/dns-manipulation/update/README.md create mode 100644 tests/e2e/dns-manipulation/update/chainsaw-test.yaml create mode 100644 tests/e2e/dns-manipulation/updated-ksp.yaml create mode 100644 tests/e2e/dns-manipulation/updated-netpol.yaml create mode 100644 tests/e2e/resources/namespaced/dns-manipulation-si.yaml create mode 100644 tests/e2e/resources/namespaced/dns-manipulation-sib.yaml 
diff --git a/.github/workflows/pr-checks.yaml b/.github/workflows/pr-checks.yaml index 2e87f2c5..dba82763 100644 --- a/.github/workflows/pr-checks.yaml +++ b/.github/workflows/pr-checks.yaml @@ -95,8 +95,8 @@ jobs: working-directory: ./pkg/adapter/${{ matrix.adapters }} run: make docker-build - chainsaw-tests: - name: Test + chainsaw-integration-tests: + name: Integration-Test runs-on: ubuntu-latest steps: - name: Checkout 
@@ -128,4 +128,97 @@ jobs: kubectl get pods -A - name: Run Tests - run: make test + run: make integration-test + + chainsaw-e2e-tests: + name: E2E-Test + runs-on: ubuntu-latest + steps: + - name: Checkout source code + uses: actions/checkout@v3 + + - name: Install helm + id: helm + uses: azure/setup-helm@5119fcb9089d432beecbf79bb2c7915207344b78 # v3.5 + with: + token: ${{ secrets.GITHUB_TOKEN }} + + - name: Create k8s Kind Cluster + uses: helm/kind-action@v1 + with: + cluster_name: testing + + - name: Build nimbus image and load in the kind cluster + run: | + make docker-build + kind load docker-image 5gsec/nimbus:latest --name=testing + + - name: Build nimbus-netpol image and load in the kind cluster + working-directory: ./pkg/adapter/nimbus-netpol + run: | + make docker-build + kind load docker-image 5gsec/nimbus-netpol:latest --name=testing + + - name: Build nimbus-kubearmor image and load in the kind cluster + working-directory: ./pkg/adapter/nimbus-kubearmor + run: | + make docker-build + kind load docker-image 5gsec/nimbus-kubearmor:latest --name=testing + + - name: Build nimbus-kyverno image and load in the kind cluster + working-directory: ./pkg/adapter/nimbus-kyverno + run: | + make docker-build + kind load docker-image 5gsec/nimbus-kyverno:latest --name=testing + + - name: Install Kubearmor CRDs + run: | + kubectl create -f https://raw.githubusercontent.com/kubearmor/KubeArmor/main/deployments/CRD/KubeArmorPolicy.yaml + + - name: Install Kyverno CRDs + run: | + kubectl create -f https://raw.githubusercontent.com/kyverno/kyverno/main/config/crds/kyverno/kyverno.io_clusterpolicies.yaml + kubectl create -f https://raw.githubusercontent.com/kyverno/kyverno/main/config/crds/kyverno/kyverno.io_policies.yaml + + + - name: Install Nimbus + run: | + helm upgrade --install nimbus-operator deployments/nimbus -n nimbus --create-namespace --set image.pullPolicy=Never + + - name: Wait for Nimbus to start + run: | + kubectl wait --for=condition=ready --timeout=5m -n 
nimbus pod -l app.kubernetes.io/name=nimbus + kubectl get pods -A + + - name: Install nimbus-netpol + working-directory: deployments/nimbus-netpol/ + run: | + helm upgrade --install nimbus-netpol . -n nimbus --set image.pullPolicy=Never + + - name: Wait for nimbus-netpol to start + run: | + kubectl wait --for=condition=ready --timeout=5m -n nimbus pod -l app.kubernetes.io/name=nimbus-netpol + kubectl get pods -A + + - name: Install nimbus-kubearmor + working-directory: deployments/nimbus-kubearmor/ + run: | + helm upgrade --install nimbus-kubearmor . -n nimbus --set image.pullPolicy=Never + + - name: Wait for nimbus-kubearmor to start + run: | + kubectl wait --for=condition=ready --timeout=5m -n nimbus pod -l app.kubernetes.io/name=nimbus-kubearmor + kubectl get pods -A + + - name: Install nimbus-kyverno + working-directory: deployments/nimbus-kyverno/ + run: | + helm upgrade --install nimbus-kyverno . -n nimbus --set image.pullPolicy=Never + + - name: Wait for nimbus-kyverno to start + run: | + kubectl wait --for=condition=ready --timeout=5m -n nimbus pod -l app.kubernetes.io/name=nimbus-kyverno + kubectl get pods -A + + - name: Run Tests + run: make e2e-test diff --git a/Makefile b/Makefile index 0d3db6d9..d0506d7d 100644 --- a/Makefile +++ b/Makefile @@ -6,6 +6,8 @@ IMG ?= 5gsec/nimbus # Image Tag to use all building/pushing image targets TAG ?= v0.1 +TEST_DIR ?= tests/controllers + # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set) ifeq (,$(shell go env GOBIN)) GOBIN=$(shell go env GOPATH)/bin 
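Review bot: The E2E job installs the KubeArmor and Kyverno CRDs straight from the upstream `main` branches (`kubectl create -f https://raw.githubusercontent.com/kubearmor/KubeArmor/main/deployments/CRD/KubeArmorPolicy.yaml` and the two `kyverno/kyverno/main/config/crds/...` URLs), so the schemas the adapters are tested against can change underneath any PR and a failing run is not reproducible; pin them to a release tag, e.g. `.../KubeArmor/<release-tag>/deployments/CRD/KubeArmorPolicy.yaml`. Action pinning is also inconsistent inside the same job: `azure/setup-helm` is pinned to a commit SHA with a `# v3.5` comment, while `actions/checkout@v3` and `helm/kind-action@v1` float on mutable tags; pin all three the same way. The three `make docker-build` steps load `5gsec/*:latest` into kind and the Helm installs use `--set image.pullPolicy=Never`, which is what keeps the job from ever pulling a registry image; a one-line comment on the first of those steps saying so would save the next reader from "fixing" the pull policy.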
@@ -62,13 +64,17 @@ fmt: ## Run go fmt against code. vet: ## Run go vet against code. go vet ./... -.PHONY: test -test: chainsaw ## Run tests. +.PHONY: integration-test +integration-test: chainsaw ## Run integration tests. @$(LOCALBIN)/chainsaw test --test-dir=tests/controllers/ --config tests/chainsaw-config.yaml +.PHONY: e2e-test +e2e-test: chainsaw ## Run e2e tests. + @$(LOCALBIN)/chainsaw test --test-dir=tests/e2e/ --config tests/chainsaw-config.yaml + .PHONY: test-doc test-doc: chainsaw ## Build documentation of tests. - @$(LOCALBIN)/chainsaw build docs --test-dir=tests/controllers/ + @$(LOCALBIN)/chainsaw build docs --test-dir=$(TEST_DIR) GOLANGCI_LINT = $(shell pwd)/bin/golangci-lint GOLANGCI_LINT_VERSION ?= v1.54.2 diff --git a/tests/e2e/dns-manipulation/create/README.md b/tests/e2e/dns-manipulation/create/README.md new file mode 100644 index 00000000..ed97e8b3 --- /dev/null +++ b/tests/e2e/dns-manipulation/create/README.md 
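Review bot: `test-doc` now takes its directory from `$(TEST_DIR)` while `integration-test` and `e2e-test` hard-code `--test-dir=tests/controllers/` and `--test-dir=tests/e2e/`, so a plain `make test-doc` regenerates only the controller docs unless the caller remembers `TEST_DIR=tests/e2e/`, and the e2e READMEs added in this commit already disagree with the step names in their chainsaw-test.yaml files. Either document the override on the target, `test-doc: chainsaw ## Build documentation of tests (TEST_DIR=tests/e2e/ for the e2e suite).`, or add an `e2e-test-doc` target that fixes the directory the way `e2e-test` does. `TEST_DIR` itself is declared in the preceding hunk of this file.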
@@ -0,0 +1,112 @@
+# Test: `netpol-kubearmor-adapter-policy-creation`
+
+This test validates that creating a `dns-manipulation` SecurityIntent with SecurityIntentBinding generates the expected Network Policy and KubeArmor policy.
+
+
+## Steps
+
+| # | Name | Bindings | Try | Catch | Finally |
+|:-:|---|:-:|:-:|:-:|:-:|
+| 1 | [Create a SecurityIntent](#step-Create a SecurityIntent) | 0 | 1 | 0 | 0 |
+| 2 | [Create a SecurityIntentBinding](#step-Create a SecurityIntentBinding) | 0 | 1 | 0 | 0 |
+| 3 | [Verify NimbusPolicy creation](#step-Verify NimbusPolicy creation) | 0 | 1 | 0 | 0 |
+| 4 | [Verify NetworkPolicy creation](#step-Verify NetworkPolicy creation) | 0 | 1 | 0 | 0 |
+| 5 | [Verify KubeArmorPolicy creation](#step-Verify KubeArmorPolicy creation) | 0 | 1 | 0 | 0 |
+| 6 | [Verify status of created SecurityIntentBinding](#step-Verify status of created SecurityIntentBinding) | 0 | 1 | 0 | 0 |
+| 7 | [Verify status of created NimbusPolicy](#step-Verify status of created NimbusPolicy) | 0 | 1 | 0 | 0 |
+| 8 | [Verify that the corresponding netpol native policy is being updated in the NimbusPolicy status](#step-Verify that the corresponding netpol native policy is being updated in the NimbusPolicy status) | 0 | 1 | 0 | 0 |
+| 9 | [Verify that the corresponding kubearmor native policy is being updated in the NimbusPolicy status](#step-Verify that the corresponding kubearmor native policy is being updated in the NimbusPolicy status) | 0 | 1 | 0 | 0 |
+
+### Step: `Create a SecurityIntent`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `apply` | 0 | 0 | *No description* |
+
+### Step: `Create a SecurityIntentBinding`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `apply` | 0 | 0 | *No description* |
+
+### Step: `Verify NimbusPolicy creation`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `assert` | 0 | 0 | *No description* |
+
+### Step: `Verify NetworkPolicy creation`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `assert` | 0 | 0 | *No description* |
+
+### Step: `Verify KubeArmorPolicy creation`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `assert` | 0 | 0 | *No description* |
+
+### Step: `Verify status of created SecurityIntentBinding`
+
+Verify the created SecurityIntentBinding status subresource includes the number and names of bound intents, along with the generated NimbusPolicy name.
+
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `assert` | 0 | 0 | *No description* |
+
+### Step: `Verify status of created NimbusPolicy`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `assert` | 0 | 0 | *No description* |
+
+### Step: `Verify that the corresponding netpol native policy is being updated in the NimbusPolicy status`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `script` | 0 | 0 | *No description* |
+
+### Step: `Verify that the corresponding kubearmor native policy is being updated in the NimbusPolicy status`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `script` | 0 | 0 | *No description* |
+
+---
+
diff --git a/tests/e2e/dns-manipulation/create/chainsaw-test.yaml b/tests/e2e/dns-manipulation/create/chainsaw-test.yaml
new file mode 100644
index 00000000..0aee8b71
--- /dev/null
+++ b/tests/e2e/dns-manipulation/create/chainsaw-test.yaml
@@ -0,0 +1,65 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: netpol-kubearmor-adapter-policy-creation
+spec:
+ description: >
+ This test validates that creating a `dns-manipulation` SecurityIntent with SecurityIntentBinding generates the expected Network Policy and KubeArmor policy.
+ steps:
+ - name: "Create a SecurityIntent"
+ try:
+ - apply:
+ file: ../../resources/namespaced/dns-manipulation-si.yaml
+
+ - name: "Create a SecurityIntentBinding"
+ try:
+ - apply:
+ file: ../../resources/namespaced/dns-manipulation-sib.yaml
+
+ - name: "Verify NimbusPolicy creation"
+ try:
+ - assert:
+ file: ../nimbus-policy-assert.yaml
+
+ - name: "Verify NetworkPolicy creation"
+ try:
+ - assert:
+ file: ../netpol.yaml
+
+ - name: "Verify KubeArmorPolicy creation"
+ try:
+ - assert:
+ file: ../ksp.yaml
+
+ - name: "Verify status of created SecurityIntentBinding"
+ description: >
+ Verify the created SecurityIntentBinding status subresource includes the number and names of bound intents,
+ along with the generated NimbusPolicy name.
+ try:
+ - assert:
+ file: ../sib-status-assert.yaml
+
+ - name: "Verify status of created NimbusPolicy"
+ try:
+ - assert:
+ file: ../np-status-assert.yaml
+
+ - name: "Verify that the corresponding NimbusPolicy status has been updated with the generated Network Policy"
+ try:
+ - script:
+ content: kubectl get np -n $NAMESPACE dns-manipulation-binding -o=jsonpath='{.status.adapterPolicies}'
+ check:
+ (contains($stdout, 'NetworkPolicy/dns-manipulation-binding-dnsmanipulation')): true
+
+ - name: "Verify that the corresponding NimbusPolicy status has been updated with the generated KubeArmor Policy"
+ try:
+ - script:
+ content: kubectl get np -n $NAMESPACE dns-manipulation-binding -o=jsonpath='{.status.adapterPolicies}'
+ check:
+ (contains($stdout, 'KubeArmorPolicy/dns-manipulation-binding-dnsmanipulation')): true
+
+
+
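Review bot: The names of the last two steps ("Verify that the corresponding NimbusPolicy status has been updated with the generated Network Policy" / "... KubeArmor Policy") do not match the step names recorded in `create/README.md` in this same commit, which still reads "Verify that the corresponding netpol native policy is being updated in the NimbusPolicy status", so the README was generated from an earlier revision of this file; regenerate it with `chainsaw build docs` rather than hand-editing. The same drift exists in `delete/README.md` (`Delete existing Netpol` / `Verify Netpol recreation` versus `Delete existing NetworkPolicy` / `Verify NetworkPolicy recreation`, and the `policyies` typo that is fixed only in the YAML description) and in `update/README.md` (`Update existing Netpol` versus `Update existing NetworkPolicy`). The two final `script` steps run the identical `kubectl get np -n $NAMESPACE dns-manipulation-binding -o=jsonpath='{.status.adapterPolicies}'` command; one step with both `contains` checks under a single `check:` would do. The file also ends with three blank lines.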
diff --git a/tests/e2e/dns-manipulation/delete/README.md b/tests/e2e/dns-manipulation/delete/README.md
new file mode 100644
index 00000000..655aa098
--- /dev/null
+++ b/tests/e2e/dns-manipulation/delete/README.md
@@ -0,0 +1,100 @@
+# Test: `netpol-kubearmor-adapter-policy-deletion`
+
+This test validates if the adapters re-create their manually deleted generated policyies.
+
+
+## Steps
+
+| # | Name | Bindings | Try | Catch | Finally |
+|:-:|---|:-:|:-:|:-:|:-:|
+| 1 | [Create a SecurityIntent](#step-Create a SecurityIntent) | 0 | 1 | 0 | 0 |
+| 2 | [Create a SecurityIntentBinding](#step-Create a SecurityIntentBinding) | 0 | 1 | 0 | 0 |
+| 3 | [Verify NimbusPolicy creation](#step-Verify NimbusPolicy creation) | 0 | 1 | 0 | 0 |
+| 4 | [Verify NetworkPolicy creation](#step-Verify NetworkPolicy creation) | 0 | 1 | 0 | 0 |
+| 5 | [Delete existing Netpol](#step-Delete existing Netpol) | 0 | 1 | 0 | 0 |
+| 6 | [Verify Netpol recreation](#step-Verify Netpol recreation) | 0 | 1 | 0 | 0 |
+| 7 | [Delete existing KubearmorPolicy](#step-Delete existing KubearmorPolicy) | 0 | 1 | 0 | 0 |
+| 8 | [Verify KubearmorPolicy recreation](#step-Verify KubearmorPolicy recreation) | 0 | 1 | 0 | 0 |
+
+### Step: `Create a SecurityIntent`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `apply` | 0 | 0 | *No description* |
+
+### Step: `Create a SecurityIntentBinding`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `apply` | 0 | 0 | *No description* |
+
+### Step: `Verify NimbusPolicy creation`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `assert` | 0 | 0 | *No description* |
+
+### Step: `Verify NetworkPolicy creation`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `assert` | 0 | 0 | *No description* |
+
+### Step: `Delete existing Netpol`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `delete` | 0 | 0 | *No description* |
+
+### Step: `Verify Netpol recreation`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `assert` | 0 | 0 | *No description* |
+
+### Step: `Delete existing KubearmorPolicy`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `delete` | 0 | 0 | *No description* |
+
+### Step: `Verify KubearmorPolicy recreation`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `assert` | 0 | 0 | *No description* |
+
+---
+
diff --git a/tests/e2e/dns-manipulation/delete/chainsaw-test.yaml b/tests/e2e/dns-manipulation/delete/chainsaw-test.yaml
new file mode 100644
index 00000000..827a1ca7
--- /dev/null
+++ b/tests/e2e/dns-manipulation/delete/chainsaw-test.yaml
@@ -0,0 +1,71 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: netpol-kubearmor-adapter-policy-deletion
+spec:
+ description: >
+ This test validates if the adapters re-create their manually deleted generated policies.
+ steps:
+ - name: "Create a SecurityIntent"
+ try:
+ - apply:
+ file: ../../resources/namespaced/dns-manipulation-si.yaml
+
+ - name: "Create a SecurityIntentBinding"
+ try:
+ - apply:
+ file: ../../resources/namespaced/dns-manipulation-sib.yaml
+
+ - name: "Verify NimbusPolicy creation"
+ try:
+ - assert:
+ file: ../nimbus-policy-assert.yaml
+
+ - name: "Verify NetworkPolicy creation"
+ try:
+ - assert:
+ file: ../netpol.yaml
+
+ - name: "Delete existing NetworkPolicy"
+ try:
+ - delete:
+ ref:
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ name: dns-manipulation-binding-dnsmanipulation
+ expect:
+ - match:
+ apiVersion: networking.k8s.io/v1
+ kind: NetworkPolicy
+ name: dns-manipulation-binding-dnsmanipulation
+ check:
+ ($error != null): true
+
+ - name: "Verify NetworkPolicy recreation"
+ try:
+ - assert:
+ file: ../netpol.yaml
+
+ - name: "Delete existing KubearmorPolicy"
+ try:
+ - delete:
+ ref:
+ apiVersion: security.kubearmor.com/v1
+ kind: KubeArmorPolicy
+ name: dns-manipulation-binding-dnsmanipulation
+ expect:
+ - match:
+ apiVersion: security.kubearmor.com/v1
+ kind: KubeArmorPolicy
+ name: dns-manipulation-binding-dnsmanipulation
+ check:
+ ($error != null): true
+
+ - name: "Verify KubearmorPolicy recreation"
+ try:
+ - assert:
+ file: ../ksp.yaml
+
diff --git a/tests/e2e/dns-manipulation/ksp.yaml b/tests/e2e/dns-manipulation/ksp.yaml
new file mode 100644
index 00000000..0ef95467
--- /dev/null
+++ b/tests/e2e/dns-manipulation/ksp.yaml
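Review bot: Both `delete` steps carry an `expect` whose check is `($error != null): true`, so each step passes only when the delete operation itself reports an error; from the files visible here, the only reason deleting an existing adapter policy should error is that the adapter re-creates it before chainsaw observes it gone, which makes the step turn on a race between the adapter and chainsaw's deletion poll rather than on behaviour. If that timing is the intent, state it on the step, e.g. `description: the delete is expected to time out because the adapter re-creates the policy immediately`; otherwise drop the `expect` block and let the following `assert` on `../netpol.yaml` / `../ksp.yaml` carry the verification. Step names also mix `NetworkPolicy` with `KubearmorPolicy` casing against the `KubeArmorPolicy` kind asserted in the `ref`; one spelling would make the generated docs easier to search.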
@@ -0,0 +1,27 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+ annotations:
+ app.kubernetes.io/managed-by: nimbus-kubearmor
+ name: dns-manipulation-binding-dnsmanipulation
+ ownerReferences:
+ - apiVersion: intent.security.nimbus.com/v1
+ blockOwnerDeletion: true
+ controller: true
+ kind: NimbusPolicy
+spec:
+ action: Block
+ capabilities: {}
+ file:
+ matchPaths:
+ - path: /etc/resolv.conf
+ readOnly: true
+ message: An adversary can manipulate DNS requests to redirect network traffic
+ and potentially reveal end user activity.
+ network: {}
+ process: {}
+ selector:
+ matchLabels:
+ app: nginx
+ syscalls: {}
+
\ No newline at end of file
diff --git a/tests/e2e/dns-manipulation/netpol.yaml b/tests/e2e/dns-manipulation/netpol.yaml
new file mode 100644
index 00000000..bfb20bb2
--- /dev/null
+++ b/tests/e2e/dns-manipulation/netpol.yaml
@@ -0,0 +1,31 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ annotations:
+ app.kubernetes.io/managed-by: nimbus-netpol
+ name: dns-manipulation-binding-dnsmanipulation
+ ownerReferences:
+ - apiVersion: intent.security.nimbus.com/v1
+ blockOwnerDeletion: true
+ controller: true
+ kind: NimbusPolicy
+ name: dns-manipulation-binding
+spec:
+ egress:
+ - ports:
+ - port: 53
+ protocol: UDP
+ - port: 53
+ protocol: TCP
+ to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ podSelector:
+ matchLabels:
+ k8s-app: kube-dns
+ podSelector:
+ matchLabels:
+ app: nginx
+ policyTypes:
+ - Egress
diff --git a/tests/e2e/dns-manipulation/nimbus-policy-assert.yaml b/tests/e2e/dns-manipulation/nimbus-policy-assert.yaml
new file mode 100644
index 00000000..8868dfab
--- /dev/null
+++ b/tests/e2e/dns-manipulation/nimbus-policy-assert.yaml
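Review bot: The `ownerReferences` entry in `ksp.yaml` asserts `apiVersion`, `blockOwnerDeletion`, `controller` and `kind` but not the owner's `name`, whereas `netpol.yaml` in the next hunk also pins `name: dns-manipulation-binding`; without it the KubeArmorPolicy assertion accepts a policy owned by any NimbusPolicy, which is weaker than what the create and delete tests are meant to prove. Add `name: dns-manipulation-binding` under the owner reference, as `netpol.yaml` does. `ksp.yaml` also ends in a line holding a single space with no trailing newline (`\ No newline at end of file`); `updated-ksp.yaml` and `updated-netpol.yaml` later in the patch end the same way, and a trailing-whitespace line is exactly the kind of thing yamllint will keep flagging.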
@@ -0,0 +1,24 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1
+kind: NimbusPolicy
+metadata:
+ name: dns-manipulation-binding
+ ownerReferences:
+ - apiVersion: intent.security.nimbus.com/v1
+ blockOwnerDeletion: true
+ controller: true
+ kind: SecurityIntentBinding
+ name: dns-manipulation-binding
+ # Since UID is not predictable so don't add it.
+spec:
+ rules:
+ - description: An adversary can manipulate DNS requests to redirect network traffic
+ and potentially reveal end user activity.
+ id: dnsManipulation
+ rule:
+ action: Block
+ selector:
+ matchLabels:
+ app: nginx
diff --git a/tests/e2e/dns-manipulation/np-status-assert.yaml b/tests/e2e/dns-manipulation/np-status-assert.yaml
new file mode 100644
index 00000000..56a2ad94
--- /dev/null
+++ b/tests/e2e/dns-manipulation/np-status-assert.yaml
@@ -0,0 +1,16 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1
+kind: NimbusPolicy
+metadata:
+ name: dns-manipulation-binding
+ ownerReferences:
+ - apiVersion: intent.security.nimbus.com/v1
+ blockOwnerDeletion: true
+ controller: true
+ kind: SecurityIntentBinding
+ name: dns-manipulation-binding
+status:
+ numberOfAdapterPolicies: 2
+ status: Created
diff --git a/tests/e2e/dns-manipulation/sib-status-assert.yaml b/tests/e2e/dns-manipulation/sib-status-assert.yaml
new file mode 100644
index 00000000..fc6d1f14
--- /dev/null
+++ b/tests/e2e/dns-manipulation/sib-status-assert.yaml
@@ -0,0 +1,13 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1
+kind: SecurityIntentBinding
+metadata:
+ name: dns-manipulation-binding
+status:
+ boundIntents:
+ - dns-manipulation
+ nimbusPolicy: dns-manipulation-binding
+ numberOfBoundIntents: 1
+ status: Created
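Review bot: `numberOfAdapterPolicies: 2` in `np-status-assert.yaml` is an unexplained count; the create test's two `script` checks show it stands for one NetworkPolicy and one KubeArmorPolicy, and the E2E job also installs `nimbus-kyverno`, so a reader cannot tell whether a Kyverno policy is expected to be absent for this intent or simply not counted. Add a comment above the field, `# one NetworkPolicy (nimbus-netpol) + one KubeArmorPolicy (nimbus-kubearmor); presumably nimbus-kyverno does not act on dnsManipulation — confirm against the adapter`. The `# Since UID is not predictable so don't add it.` comment in `nimbus-policy-assert.yaml` is the right kind of note; the same comment belongs on the identical `ownerReferences` block in `np-status-assert.yaml`, which otherwise looks like an omission.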
diff --git a/tests/e2e/dns-manipulation/update/README.md b/tests/e2e/dns-manipulation/update/README.md
new file mode 100644
index 00000000..0473c677
--- /dev/null
+++ b/tests/e2e/dns-manipulation/update/README.md
@@ -0,0 +1,111 @@
+# Test: `netpol-kubearmor-adapter-policy-updation`
+
+This test validates that direct updates to the generated adapter's policies are discarded, to maintain consistency and prevent unintended modifications.
+
+
+## Steps
+
+| # | Name | Bindings | Try | Catch | Finally |
+|:-:|---|:-:|:-:|:-:|:-:|
+| 1 | [Create a SecurityIntent](#step-Create a SecurityIntent) | 0 | 1 | 0 | 0 |
+| 2 | [Create a SecurityIntentBinding](#step-Create a SecurityIntentBinding) | 0 | 1 | 0 | 0 |
+| 3 | [Verify NimbusPolicy creation](#step-Verify NimbusPolicy creation) | 0 | 1 | 0 | 0 |
+| 4 | [Verify NetworkPolicy creation](#step-Verify NetworkPolicy creation) | 0 | 1 | 0 | 0 |
+| 5 | [Verify KubearmorPolicy creation](#step-Verify KubearmorPolicy creation) | 0 | 1 | 0 | 0 |
+| 6 | [Update existing Netpol](#step-Update existing Netpol) | 0 | 1 | 0 | 0 |
+| 7 | [Verify discarding of the changes made in netpol](#step-Verify discarding of the changes made in netpol) | 0 | 1 | 0 | 0 |
+| 8 | [Update existing KubearmorPolicy](#step-Update existing KubearmorPolicy) | 0 | 1 | 0 | 0 |
+| 9 | [Verify discarding of the changes made in KubeArmorPolicy](#step-Verify discarding of the changes made in KubeArmorPolicy) | 0 | 1 | 0 | 0 |
+
+### Step: `Create a SecurityIntent`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `apply` | 0 | 0 | *No description* |
+
+### Step: `Create a SecurityIntentBinding`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `apply` | 0 | 0 | *No description* |
+
+### Step: `Verify NimbusPolicy creation`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `assert` | 0 | 0 | *No description* |
+
+### Step: `Verify NetworkPolicy creation`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `assert` | 0 | 0 | *No description* |
+
+### Step: `Verify KubearmorPolicy creation`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `assert` | 0 | 0 | *No description* |
+
+### Step: `Update existing Netpol`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `apply` | 0 | 0 | *No description* |
+
+### Step: `Verify discarding of the changes made in netpol`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `assert` | 0 | 0 | *No description* |
+
+### Step: `Update existing KubearmorPolicy`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `apply` | 0 | 0 | *No description* |
+
+### Step: `Verify discarding of the changes made in KubeArmorPolicy`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `assert` | 0 | 0 | *No description* |
+
+---
+
diff --git a/tests/e2e/dns-manipulation/update/chainsaw-test.yaml b/tests/e2e/dns-manipulation/update/chainsaw-test.yaml
new file mode 100644
index 00000000..492f7029
--- /dev/null
+++ b/tests/e2e/dns-manipulation/update/chainsaw-test.yaml
@@ -0,0 +1,56 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: netpol-kubearmor-adapter-policy-updation
+spec:
+ description: >
+ This test validates that direct updates to the generated adapter's policies are discarded, to maintain consistency and prevent unintended modifications.
+ steps:
+ - name: "Create a SecurityIntent"
+ try:
+ - apply:
+ file: ../../resources/namespaced/dns-manipulation-si.yaml
+
+ - name: "Create a SecurityIntentBinding"
+ try:
+ - apply:
+ file: ../../resources/namespaced/dns-manipulation-sib.yaml
+
+ - name: "Verify NimbusPolicy creation"
+ try:
+ - assert:
+ file: ../nimbus-policy-assert.yaml
+
+ - name: "Verify NetworkPolicy creation"
+ try:
+ - assert:
+ file: ../netpol.yaml
+
+ - name: "Verify KubearmorPolicy creation"
+ try:
+ - assert:
+ file: ../ksp.yaml
+
+ - name: "Update existing NetworkPolicy"
+ try:
+ - apply:
+ file: ../updated-netpol.yaml
+
+ - name: "Verify discarding of the changes made in NetworkPolicy"
+ try:
+ - assert:
+ file: ../netpol.yaml
+
+
+ - name: "Update existing KubearmorPolicy"
+ try:
+ - apply:
+ file: ../updated-ksp.yaml
+
+ - name: "Verify discarding of the changes made in KubeArmorPolicy"
+ try:
+ - assert:
+ file: ../ksp.yaml
diff --git a/tests/e2e/dns-manipulation/updated-ksp.yaml b/tests/e2e/dns-manipulation/updated-ksp.yaml
new file mode 100644
index 00000000..29e27846
--- /dev/null
+++ b/tests/e2e/dns-manipulation/updated-ksp.yaml
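Review bot: The "Verify discarding of the changes made in NetworkPolicy" step re-asserts `../netpol.yaml`, and chainsaw asserts are subset matches, so `matchLabels: app: nginx` is satisfied even if the adapter restored `app: nginx` by merging and the tampered `env: backend` key from `updated-netpol.yaml` survived alongside it; as written the test proves restoration of the expected fields, not rejection of the injected ones, and the KubeArmorPolicy step with `updated-ksp.yaml` has the same gap. Add a check after each revert assertion that the injected label is gone, as sketched below for the NetworkPolicy (mirror it for the KubeArmorPolicy with `.spec.selector.matchLabels`). Step names also alternate between `KubearmorPolicy` and `KubeArmorPolicy` within this file; pick the spelling of the kind. The double blank line before "Update existing KubearmorPolicy" should be a single one.
```yaml
      # … unchanged: steps up to "Verify discarding of the changes made in NetworkPolicy" …
      - name: "Verify the injected label did not survive the NetworkPolicy revert"
        try:
          - script:
              content: kubectl get netpol -n $NAMESPACE dns-manipulation-binding-dnsmanipulation -o=jsonpath='{.spec.podSelector.matchLabels}'
              check:
                (contains($stdout, 'backend')): false
      # … unchanged: KubeArmorPolicy update and revert steps …
```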
@@ -0,0 +1,22 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+ annotations:
+ app.kubernetes.io/managed-by: nimbus-kubearmor
+ name: dns-manipulation-binding-dnsmanipulation
+spec:
+ action: Block
+ capabilities: {}
+ file:
+ matchPaths:
+ - path: /etc/resolv.conf
+ readOnly: true
+ message: An adversary can manipulate DNS requests to redirect network traffic
+ and potentially reveal end user activity.
+ network: {}
+ process: {}
+ selector:
+ matchLabels:
+ env: backend
+ syscalls: {}
+
\ No newline at end of file
diff --git a/tests/e2e/dns-manipulation/updated-netpol.yaml b/tests/e2e/dns-manipulation/updated-netpol.yaml
new file mode 100644
index 00000000..e5a8388f
--- /dev/null
+++ b/tests/e2e/dns-manipulation/updated-netpol.yaml
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ annotations:
+ app.kubernetes.io/managed-by: nimbus-netpol
+ name: dns-manipulation-binding-dnsmanipulation
+spec:
+ egress:
+ - ports:
+ - port: 53
+ protocol: UDP
+ - port: 53
+ protocol: TCP
+ to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ podSelector:
+ matchLabels:
+ k8s-app: kube-dns
+ podSelector:
+ matchLabels:
+ env: backend
+ policyTypes:
+ - Egress
\ No newline at end of file
diff --git a/tests/e2e/resources/namespaced/dns-manipulation-si.yaml b/tests/e2e/resources/namespaced/dns-manipulation-si.yaml
new file mode 100644
index 00000000..03c63fe9
--- /dev/null
+++ b/tests/e2e/resources/namespaced/dns-manipulation-si.yaml
@@ -0,0 +1,13 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1
+kind: SecurityIntent
+metadata:
+ name: dns-manipulation
+spec:
+ intent:
+ id: dnsManipulation
+ description: "An adversary can manipulate DNS requests to redirect network traffic and potentially reveal end user activity."
+ action: Block
+ severity: Medium
diff --git a/tests/e2e/resources/namespaced/dns-manipulation-sib.yaml b/tests/e2e/resources/namespaced/dns-manipulation-sib.yaml
new file mode 100644
index 00000000..cd2f5ac6
--- /dev/null
+++ b/tests/e2e/resources/namespaced/dns-manipulation-sib.yaml
@@ -0,0 +1,17 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1
+kind: SecurityIntentBinding
+metadata:
+ name: dns-manipulation-binding
+spec:
+ intents:
+ - name: dns-manipulation
+ selector:
+ any:
+ - resources:
+ kind: Pod
+ namespace: default
+ matchLabels:
+ app: nginx
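Review bot: `namespace: default` under `selector.any[0].resources` names a fixed namespace, while every chainsaw test that applies this binding runs in the generated `$NAMESPACE` and reads the NimbusPolicy and adapter policies from there; if Nimbus honours this field the binding targets pods in a namespace the tests never inspect, and if it ignores it for a namespaced SecurityIntentBinding the line is misleading to anyone copying the fixture. Either drop the line or annotate it, `namespace: default  # presumably ignored for a namespaced SecurityIntentBinding — confirm against the controller`. The `matchLabels: app: nginx` here is what the `selector` in `nimbus-policy-assert.yaml`, `netpol.yaml` and `ksp.yaml` all assert on, so a comment tying those four files together would keep them from drifting apart.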