added exploit-pfa e2e test

Signed-off-by: Ved Ratan <[email protected]>
5GSEC · Jul 17, 2024 · 83fd09f · 83fd09f
1 parent 1888973
commit 83fd09f
Show file tree

Hide file tree

Showing 11 changed files with 320 additions and 31 deletions.
diff --git a/tests/controllers/clustersecurityintentbinding/excludename/README.md b/tests/controllers/clustersecurityintentbinding/excludename/README.md
@@ -1,7 +1,13 @@
-# Test: `exclude-names-add-csib`
+# Test: `csib-exclude-names-add-update-csib`
 
-1. Add dev, staging, prod ns 2. Adds a csib for excludeNames with dev, staging 3. Update csib for excludeNames with dev, prod, regional 4. Add a ns with name management - this ns is not part of the excludeNames
-   Add a ns with name regional - this is part of the excludeNames
+This test case tests out multiple scenarios.  1. First we add namespaces dev, staging, and prod. Then we create a csib with excludeNames for
+   dev and staging. This should result in creation of Nimbus policies for all namespaces 
+   except "dev", "staging".
+2. Then we update csib for excludeNames with dev, prod, regional. This should result in the
+   deletion of the the prod nimbus policy
+3. Finally, we add a ns with names management, regional. management ns is not part of the excludeNames
+   while regional is part of the excludeNames. This step should result in creation of nimbus 
+   policy for management ns, and nimbus policy for regional should not be created
 
 
 ## Steps
@@ -24,6 +30,7 @@
 | 14 | [Verify NimbusPolicy absence in dev namespace](#step-Verify NimbusPolicy absence in dev namespace) | 0 | 1 | 0 | 0 |
 | 15 | [Verify NimbusPolicy absence in prod namespace](#step-Verify NimbusPolicy absence in prod namespace) | 0 | 1 | 0 | 0 |
 | 16 | [Verify NimbusPolicy absence in regional namespace](#step-Verify NimbusPolicy absence in regional namespace) | 0 | 1 | 0 | 0 |
+| 17 | [Verify NimbusPolicy presence in management](#step-Verify NimbusPolicy presence in management) | 0 | 1 | 0 | 0 |
 
 ### Step: `1. Create prod, dev, staging Namespaces`
 
@@ -185,5 +192,15 @@
 |:-:|---|:-:|:-:|---|
 | 1 | `script` | 0 | 0 | *No description* |
 
+### Step: `Verify NimbusPolicy presence in management`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `script` | 0 | 0 | *No description* |
+
 ---
 
diff --git a/tests/controllers/clustersecurityintentbinding/matchall/README.md b/tests/controllers/clustersecurityintentbinding/matchall/README.md
@@ -1,6 +1,12 @@
-# Test: `multiple-ns-add-csib`
-
-1. Create prod, dev, staging ns 2. Add security intent 3. Add csib  4. Delete prod namespace 5. Create prod namespace again
+# Test: `csib-matchall-ns-add-csib`
+
+Multiple scenarios are tested here 1. Three namespaces are created - prod, dev, staging - and we create a csib with a 
+  matchAll condition (*). This is supposed to create nimbus policies in all namespaces
+  except kube-system. 
+2. Then we delete the prod namespace, and verify that the nimbus policy no longer exists
+   in that namespace. The nimbus policies in the other namespaces should not be affected.
+3. The we create the prod namespace again, and verify that the nimbus policy in prod
+  namespace is created again. Additionally, the existing nimbus policies are unaffected
 
 
 ## Steps

diff --git a/tests/controllers/clustersecurityintentbinding/matchname/README.md b/tests/controllers/clustersecurityintentbinding/matchname/README.md
@@ -1,6 +1,12 @@
-# Test: `match-names-add-csib`
-
-1. Adds a csib for matchNames with dev, staging 2. Delete staging ns 3. Update csib for matchNames with dev, prod
+# Test: `csib-match-names-add-update-csib`
+
+Multiple scenarios are tested here 1. First we create the dev and staging namespaces. Then we add a csib with matchNames with 
+   dev, staging. This should result in creation of nimbus policies in dev, and staging namespaces
+   only, and not in other namespaces. 
+2. Then we delete the staging ns, and the nimbus policy in dev should not be affected. Also, no
+   nimbus policy should be present in prod.
+3. Then we update csib for matchNames with dev, prod. This should result in creation of nimbus
+  policy in prod ns. Also, nimbus policy in dev should also be present.
 
 
 ## Steps

diff --git a/tests/e2e/exploit-pfa/create/README.md b/tests/e2e/exploit-pfa/create/README.md
@@ -0,0 +1,145 @@
+# Test: `kubearmor-policy-creation-and-validation-exploit-pfa`
+
+This test validates that creating a `expolit-pfa` SecurityIntent with SecurityIntentBinding generates the expected KubeArmor policy and verifies its effect on a sample test workload.
+
+
+## Steps
+
+| # | Name | Bindings | Try | Catch | Finally |
+|:-:|---|:-:|:-:|:-:|:-:|
+| 1 | [Create a SecurityIntent](#step-Create a SecurityIntent) | 0 | 1 | 0 | 0 |
+| 2 | [Create a SecurityIntentBinding](#step-Create a SecurityIntentBinding) | 0 | 1 | 0 | 0 |
+| 3 | [Verify NimbusPolicy creation](#step-Verify NimbusPolicy creation) | 0 | 1 | 0 | 0 |
+| 4 | [Verify KubeArmorPolicy creation](#step-Verify KubeArmorPolicy creation) | 0 | 1 | 0 | 0 |
+| 5 | [Verify status of created SecurityIntentBinding](#step-Verify status of created SecurityIntentBinding) | 0 | 1 | 0 | 0 |
+| 6 | [Verify status of created NimbusPolicy](#step-Verify status of created NimbusPolicy) | 0 | 1 | 0 | 0 |
+| 7 | [Verify that the corresponding NimbusPolicy status has been updated with the generated KubeArmor Policy](#step-Verify that the corresponding NimbusPolicy status has been updated with the generated KubeArmor Policy) | 0 | 1 | 0 | 0 |
+| 8 | [create nginx pod](#step-create nginx pod) | 0 | 1 | 0 | 0 |
+| 9 | [verify creation of nginx pod](#step-verify creation of nginx pod) | 0 | 1 | 0 | 0 |
+| 10 | [install git inside nginx pod](#step-install git inside nginx pod) | 0 | 1 | 0 | 0 |
+| 11 | [move git binary to tmp/ folder](#step-move git binary to tmp/ folder) | 0 | 1 | 0 | 0 |
+| 12 | [Verify the failure in cloning a repo via git binary in tmp/ folder in nginx pod](#step-Verify the failure in cloning a repo via git binary in tmp/ folder in nginx pod) | 0 | 1 | 0 | 0 |
+
+### Step: `Create a SecurityIntent`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `apply` | 0 | 0 | *No description* |
+
+### Step: `Create a SecurityIntentBinding`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `apply` | 0 | 0 | *No description* |
+
+### Step: `Verify NimbusPolicy creation`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `assert` | 0 | 0 | *No description* |
+
+### Step: `Verify KubeArmorPolicy creation`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `assert` | 0 | 0 | *No description* |
+
+### Step: `Verify status of created SecurityIntentBinding`
+
+Verify the created SecurityIntentBinding status subresource includes the number and names of bound intents,  along with the generated NimbusPolicy name.
+
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `assert` | 0 | 0 | *No description* |
+
+### Step: `Verify status of created NimbusPolicy`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `assert` | 0 | 0 | *No description* |
+
+### Step: `Verify that the corresponding NimbusPolicy status has been updated with the generated KubeArmor Policy`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `script` | 0 | 0 | *No description* |
+
+### Step: `create nginx pod`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `script` | 0 | 0 | *No description* |
+
+### Step: `verify creation of nginx pod`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `script` | 0 | 0 | *No description* |
+
+### Step: `install git inside nginx pod`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `script` | 0 | 0 | *No description* |
+
+### Step: `move git binary to tmp/ folder`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `script` | 0 | 0 | *No description* |
+
+### Step: `Verify the failure in cloning a repo via git binary in tmp/ folder in nginx pod`
+
+*No description*
+
+#### Try
+
+| # | Operation | Bindings | Outputs | Description |
+|:-:|---|:-:|:-:|---|
+| 1 | `script` | 0 | 0 | *No description* |
+
+---
+
diff --git a/tests/e2e/exploit-pfa/create/chainsaw-test.yaml b/tests/e2e/exploit-pfa/create/chainsaw-test.yaml
@@ -4,30 +4,26 @@
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
-  name: netpol-kubearmor-adapter-policy-creation and policy testing
+  name: kubearmor-policy-creation-and-validation-exploit-pfa
 spec:
   description: >
-   This test validates that creating a `dns-manipulation` SecurityIntent with SecurityIntentBinding generates the expected Network Policy and KubeArmor policy and verifies its effect on a sample test workload.
+   This test validates that creating a `expolit-pfa` SecurityIntent with SecurityIntentBinding generates the expected KubeArmor policy and verifies its effect on a sample test workload.
   steps:
     - name: "Create a SecurityIntent"
       try:
         - apply:
-            file: ../../resources/namespaced/dns-manipulation-si.yaml
+            file: ../../resources/namespaced/exploit-pfa-si.yaml
 
     - name: "Create a SecurityIntentBinding"
       try:
         - apply:
-            file: ../../resources/namespaced/dns-manipulation-sib.yaml
+            file: ../../resources/namespaced/exploit-pfa-sib.yaml
 
     - name: "Verify NimbusPolicy creation"
       try:
         - assert:
             file: ../nimbus-policy-assert.yaml
 
-    - name: "Verify NetworkPolicy creation"
-      try:
-        - assert:
-            file: ../netpol.yaml
 
     - name: "Verify KubeArmorPolicy creation"
       try:
@@ -47,39 +43,43 @@ spec:
         - assert:
             file: ../np-status-assert.yaml
 
-    - name: "Verify that the corresponding NimbusPolicy status has been updated with the generated Network Policy"
-      try:
-      - script:
-          content: kubectl get np -n $NAMESPACE dns-manipulation-binding -o=jsonpath='{.status.adapterPolicies}'
-          check: 
-            (contains($stdout, 'NetworkPolicy/dns-manipulation-binding-dnsmanipulation')): true
-
     - name: "Verify that the corresponding NimbusPolicy status has been updated with the generated KubeArmor Policy"
       try:
       - script:
-          content: kubectl get np -n $NAMESPACE dns-manipulation-binding -o=jsonpath='{.status.adapterPolicies}'
+          content: kubectl get np -n $NAMESPACE exploit-pfa-binding -o=jsonpath='{.status.adapterPolicies}'
           check: 
-            (contains($stdout, 'KubeArmorPolicy/dns-manipulation-binding-dnsmanipulation')): true
+            (contains($stdout, 'KubeArmorPolicy/exploit-pfa-binding-preventexecutionfromtemporlogsfolders')): true
 
     - name: "create nginx pod"
       try:
         - script:
-            content: kubectl run nginx --image=nginx --labels="app=nginx"
-      
+            content: kubectl create -f https://raw.githubusercontent.com/5GSEC/nimbus/main/docs/attack-emulation/pod.yaml
+
     - name: "verify creation of nginx pod"
       try:
       - script:
           content: kubectl get pods -l app=nginx -o name
           check:
             (contains($stdout, 'pod/nginx')): true
 
-    - name: "Verify the failure of alter of resolv.conf in nginx pod"
+    - name: "install git inside nginx pod"
+      try:
+        - script:
+            content: kubectl exec -it nginx -- /bin/bash -c "apt-get update && apt-get install -y git"
+
+    - name: "move git binary to tmp/ folder"
+      try:
+        - script:
+            content: kubectl exec -it nginx -- /bin/bash -c "cp /usr/bin/git /tmp/"      
+
+
+    - name: "Verify the failure in cloning a repo via git binary in tmp/ folder in nginx pod"
       try:
       - script:
-          content: kubectl get pods -l app=nginx -o name | head -n 1 | xargs -I {} kubectl exec {} -- bash -c "echo 'nameserver 10.96.' > /etc/resolv.conf && cat /etc/resolv.conf"
+          content: kubectl exec -it nginx -- /bin/bash -c "/tmp/git clone https://github.com/thockin/test.git"
           check:
             ($error != null): true
-            (contains($stderr, 'Permission denied')): true
+
 
 
 

diff --git a/tests/e2e/exploit-pfa/ksp.yaml b/tests/e2e/exploit-pfa/ksp.yaml
@@ -0,0 +1,39 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+  annotations:
+    app.kubernetes.io/managed-by: nimbus-kubearmor
+  name: exploit-pfa-binding-preventexecutionfromtemporlogsfolders
+  namespace: default
+  ownerReferences:
+  - apiVersion: intent.security.nimbus.com/v1alpha1
+    blockOwnerDeletion: true
+    controller: true
+    kind: NimbusPolicy
+    name: exploit-pfa-binding
+spec:
+  action: Block
+  capabilities: {}
+  file: {}
+  message: Mitigate the execution of harmful binaries which may result in exploiting
+    public facing application
+  network: {}
+  process:
+    action: Block
+    matchDirectories:
+    - dir: /var/tmp/
+      recursive: true
+    - dir: /tmp/
+      recursive: true
+    - dir: /var/log/
+      recursive: true
+    - dir: /app/logs/
+      recursive: true
+    - dir: /logs/
+      recursive: true
+    - dir: /etc/
+      recursive: true
+  selector:
+    matchLabels:
+      app: nginx
+  syscalls: {}
diff --git a/tests/e2e/exploit-pfa/nimbus-policy-assert.yaml b/tests/e2e/exploit-pfa/nimbus-policy-assert.yaml
@@ -0,0 +1,21 @@
+apiVersion: intent.security.nimbus.com/v1alpha1
+kind: NimbusPolicy
+metadata:
+  name: exploit-pfa-binding
+  namespace: default
+  ownerReferences:
+  - apiVersion: intent.security.nimbus.com/v1alpha1
+    blockOwnerDeletion: true
+    controller: true
+    kind: SecurityIntentBinding
+    name: exploit-pfa-binding
+spec:
+  rules:
+  - description: Mitigate the execution of harmful binaries which may result in exploiting
+      public facing application
+    id: preventExecutionFromTempOrLogsFolders
+    rule:
+      action: Block
+  selector:
+    matchLabels:
+      app: nginx
diff --git a/tests/e2e/exploit-pfa/np-status-assert.yaml b/tests/e2e/exploit-pfa/np-status-assert.yaml
@@ -0,0 +1,16 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1alpha1
+kind: NimbusPolicy
+metadata:
+  name: exploit-pfa-binding
+  ownerReferences:
+    - apiVersion: intent.security.nimbus.com/v1alpha1
+      blockOwnerDeletion: true
+      controller: true
+      kind: SecurityIntentBinding
+      name: exploit-pfa-binding
+status:
+  numberOfAdapterPolicies: 1
+  status: Created