From 83fd09f46f4347ee6db2db176fc35be8308c4309 Mon Sep 17 00:00:00 2001
From: Ved Ratan
Date: Wed, 17 Jul 2024 13:34:43 +0530
Subject: [PATCH] added exploit-pfa e2e test
Signed-off-by: Ved Ratan
---
.../excludename/README.md | 23 ++-
.../matchall/README.md | 12 +-
.../matchname/README.md | 12 +-
tests/e2e/exploit-pfa/create/README.md | 145 ++++++++++++++++++
.../e2e/exploit-pfa/create/chainsaw-test.yaml | 44 +++---
tests/e2e/exploit-pfa/ksp.yaml | 39 +++++
.../e2e/exploit-pfa/nimbus-policy-assert.yaml | 21 +++
tests/e2e/exploit-pfa/np-status-assert.yaml | 16 ++
tests/e2e/exploit-pfa/sib-status-assert.yaml | 13 ++
.../resources/namespaced/exploit-pfa-si.yaml | 12 ++
.../resources/namespaced/expolit-pfa-sib.yaml | 14 ++
11 files changed, 320 insertions(+), 31 deletions(-)
create mode 100644 tests/e2e/exploit-pfa/create/README.md
create mode 100644 tests/e2e/exploit-pfa/ksp.yaml
create mode 100644 tests/e2e/exploit-pfa/nimbus-policy-assert.yaml
create mode 100644 tests/e2e/exploit-pfa/np-status-assert.yaml
create mode 100644 tests/e2e/exploit-pfa/sib-status-assert.yaml
create mode 100644 tests/e2e/resources/namespaced/exploit-pfa-si.yaml
create mode 100644 tests/e2e/resources/namespaced/expolit-pfa-sib.yaml
diff --git a/tests/controllers/clustersecurityintentbinding/excludename/README.md b/tests/controllers/clustersecurityintentbinding/excludename/README.md
index ff16448c..7e206cf4 100644
--- a/tests/controllers/clustersecurityintentbinding/excludename/README.md
+++ b/tests/controllers/clustersecurityintentbinding/excludename/README.md
@@ -1,7 +1,13 @@ -# Test: `exclude-names-add-csib` +# Test: `csib-exclude-names-add-update-csib` -1. Add dev, staging, prod ns 2. Adds a csib for excludeNames with dev, staging 3. Update csib for excludeNames with dev, prod, regional 4. Add a ns with name management - this ns is not part of the excludeNames - Add a ns with name regional - this is part of the excludeNames +This test case tests out multiple scenarios. 1. First we add namespaces dev, staging, and prod. Then we create a csib with excludeNames for + dev and staging. This should result in creation of Nimbus policies for all namespaces + except "dev", "staging". +2. Then we update csib for excludeNames with dev, prod, regional. This should result in the + deletion of the the prod nimbus policy +3. Finally, we add a ns with names management, regional. management ns is not part of the excludeNames + while regional is part of the excludeNames. This step should result in creation of nimbus + policy for management ns, and nimbus policy for regional should not be created ## Steps @@ -24,6 +30,7 @@ | 14 | [Verify NimbusPolicy absence in dev namespace](#step-Verify NimbusPolicy absence in dev namespace) | 0 | 1 | 0 | 0 | | 15 | [Verify NimbusPolicy absence in prod namespace](#step-Verify NimbusPolicy absence in prod namespace) | 0 | 1 | 0 | 0 | | 16 | [Verify NimbusPolicy absence in regional namespace](#step-Verify NimbusPolicy absence in regional namespace) | 0 | 1 | 0 | 0 | +| 17 | [Verify NimbusPolicy presence in management](#step-Verify NimbusPolicy presence in management) | 0 | 1 | 0 | 0 | ### Step: `1. Create prod, dev, staging Namespaces` @@ -185,5 +192,15 @@ |:-:|---|:-:|:-:|---| | 1 | `script` | 0 | 0 | *No description* | +### Step: `Verify NimbusPolicy presence in management` + +*No description* + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `script` | 0 | 0 | *No description* | + --- 
diff --git a/tests/controllers/clustersecurityintentbinding/matchall/README.md b/tests/controllers/clustersecurityintentbinding/matchall/README.md index 26f9c2d4..9129e715 100644 --- a/tests/controllers/clustersecurityintentbinding/matchall/README.md +++ b/tests/controllers/clustersecurityintentbinding/matchall/README.md @@ -1,6 +1,12 @@ -# Test: `multiple-ns-add-csib` - -1. Create prod, dev, staging ns 2. Add security intent 3. Add csib 4. Delete prod namespace 5. Create prod namespace again +# Test: `csib-matchall-ns-add-csib` + +Multiple scenarios are tested here 1. Three namespaces are created - prod, dev, staging - and we create a csib with a + matchAll condition (*). This is supposed to create nimbus policies in all namespaces + except kube-system. +2. Then we delete the prod namespace, and verify that the nimbus policy no longer exists + in that namespace. The nimbus policies in the other namespaces should not be affected. +3. The we create the prod namespace again, and verify that the nimbus policy in prod + namespace is created again. Additionally, the existing nimbus policies are unaffected ## Steps diff --git a/tests/controllers/clustersecurityintentbinding/matchname/README.md b/tests/controllers/clustersecurityintentbinding/matchname/README.md index 5eb82cfb..eba4fc55 100644 --- a/tests/controllers/clustersecurityintentbinding/matchname/README.md +++ b/tests/controllers/clustersecurityintentbinding/matchname/README.md 
@@ -1,6 +1,12 @@ -# Test: `match-names-add-csib` - -1. Adds a csib for matchNames with dev, staging 2. Delete staging ns 3. Update csib for matchNames with dev, prod +# Test: `csib-match-names-add-update-csib` + +Multiple scenarios are tested here 1. First we create the dev and staging namespaces. Then we add a csib with matchNames with + dev, staging. This should result in creation of nimbus policies in dev, and staging namespaces + only, and not in other namespaces. +2. Then we delete the staging ns, and the nimbus policy in dev should not be affected. Also, no + nimbus policy should be present in prod. +3. Then we update csib for matchNames with dev, prod. This should result in creation of nimbus + policy in prod ns. Also, nimbus policy in dev should also be present. ## Steps diff --git a/tests/e2e/exploit-pfa/create/README.md b/tests/e2e/exploit-pfa/create/README.md new file mode 100644 index 00000000..f304d704 --- /dev/null +++ b/tests/e2e/exploit-pfa/create/README.md 
@@ -0,0 +1,145 @@ +# Test: `kubearmor-policy-creation-and-validation-exploit-pfa` + +This test validates that creating a `expolit-pfa` SecurityIntent with SecurityIntentBinding generates the expected KubeArmor policy and verifies its effect on a sample test workload. + + +## Steps + +| # | Name | Bindings | Try | Catch | Finally | +|:-:|---|:-:|:-:|:-:|:-:| +| 1 | [Create a SecurityIntent](#step-Create a SecurityIntent) | 0 | 1 | 0 | 0 | +| 2 | [Create a SecurityIntentBinding](#step-Create a SecurityIntentBinding) | 0 | 1 | 0 | 0 | +| 3 | [Verify NimbusPolicy creation](#step-Verify NimbusPolicy creation) | 0 | 1 | 0 | 0 | +| 4 | [Verify KubeArmorPolicy creation](#step-Verify KubeArmorPolicy creation) | 0 | 1 | 0 | 0 | +| 5 | [Verify status of created SecurityIntentBinding](#step-Verify status of created SecurityIntentBinding) | 0 | 1 | 0 | 0 | +| 6 | [Verify status of created NimbusPolicy](#step-Verify status of created NimbusPolicy) | 0 | 1 | 0 | 0 | +| 7 | [Verify that the corresponding NimbusPolicy status has been updated with the generated KubeArmor Policy](#step-Verify that the corresponding NimbusPolicy status has been updated with the generated KubeArmor Policy) | 0 | 1 | 0 | 0 | +| 8 | [create nginx pod](#step-create nginx pod) | 0 | 1 | 0 | 0 | +| 9 | [verify creation of nginx pod](#step-verify creation of nginx pod) | 0 | 1 | 0 | 0 | +| 10 | [install git inside nginx pod](#step-install git inside nginx pod) | 0 | 1 | 0 | 0 | +| 11 | [move git binary to tmp/ folder](#step-move git binary to tmp/ folder) | 0 | 1 | 0 | 0 | +| 12 | [Verify the failure in cloning a repo via git binary in tmp/ folder in nginx pod](#step-Verify the failure in cloning a repo via git binary in tmp/ folder in nginx pod) | 0 | 1 | 0 | 0 | + +### Step: `Create a SecurityIntent` + +*No description* + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `apply` | 0 | 0 | *No description* | + +### Step: `Create a SecurityIntentBinding` + +*No 
description* + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `apply` | 0 | 0 | *No description* | + +### Step: `Verify NimbusPolicy creation` + +*No description* + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `assert` | 0 | 0 | *No description* | + +### Step: `Verify KubeArmorPolicy creation` + +*No description* + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `assert` | 0 | 0 | *No description* | + +### Step: `Verify status of created SecurityIntentBinding` + +Verify the created SecurityIntentBinding status subresource includes the number and names of bound intents, along with the generated NimbusPolicy name. + + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `assert` | 0 | 0 | *No description* | + +### Step: `Verify status of created NimbusPolicy` + +*No description* + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `assert` | 0 | 0 | *No description* | + +### Step: `Verify that the corresponding NimbusPolicy status has been updated with the generated KubeArmor Policy` + +*No description* + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `script` | 0 | 0 | *No description* | + +### Step: `create nginx pod` + +*No description* + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `script` | 0 | 0 | *No description* | + +### Step: `verify creation of nginx pod` + +*No description* + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `script` | 0 | 0 | *No description* | + +### Step: `install git inside nginx pod` + +*No description* + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `script` | 0 | 0 | *No description* | + +### Step: `move git 
binary to tmp/ folder` + +*No description* + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `script` | 0 | 0 | *No description* | + +### Step: `Verify the failure in cloning a repo via git binary in tmp/ folder in nginx pod` + +*No description* + +#### Try + +| # | Operation | Bindings | Outputs | Description | +|:-:|---|:-:|:-:|---| +| 1 | `script` | 0 | 0 | *No description* | + +--- + diff --git a/tests/e2e/exploit-pfa/create/chainsaw-test.yaml b/tests/e2e/exploit-pfa/create/chainsaw-test.yaml index 9ac81387..2091b360 100644 --- a/tests/e2e/exploit-pfa/create/chainsaw-test.yaml +++ b/tests/e2e/exploit-pfa/create/chainsaw-test.yaml @@ -4,30 +4,26 @@ apiVersion: chainsaw.kyverno.io/v1alpha1 kind: Test metadata: - name: netpol-kubearmor-adapter-policy-creation and policy testing + name: kubearmor-policy-creation-and-validation-exploit-pfa spec: description: > - This test validates that creating a `dns-manipulation` SecurityIntent with SecurityIntentBinding generates the expected Network Policy and KubeArmor policy and verifies its effect on a sample test workload. + This test validates that creating a `expolit-pfa` SecurityIntent with SecurityIntentBinding generates the expected KubeArmor policy and verifies its effect on a sample test workload. steps: - name: "Create a SecurityIntent" try: - apply: - file: ../../resources/namespaced/dns-manipulation-si.yaml + file: ../../resources/namespaced/exploit-pfa-si.yaml - name: "Create a SecurityIntentBinding" try: - apply: - file: ../../resources/namespaced/dns-manipulation-sib.yaml + file: ../../resources/namespaced/exploit-pfa-sib.yaml - name: "Verify NimbusPolicy creation" try: - assert: file: ../nimbus-policy-assert.yaml - - name: "Verify NetworkPolicy creation" - try: - - assert: - file: ../netpol.yaml - name: "Verify KubeArmorPolicy creation" try: 
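Review bot: The "Create a SecurityIntentBinding" step applies `file: ../../resources/namespaced/exploit-pfa-sib.yaml`, but the fixture this commit adds is named `expolit-pfa-sib.yaml` (see the diffstat and the last file section), so the apply step will fail on a missing file before any policy is generated. Rename the new fixture to `tests/e2e/resources/namespaced/exploit-pfa-sib.yaml`, or change the path in this step, so the two agree. The same transposition sits in the test description, `a \`expolit-pfa\` SecurityIntent`, which should read `exploit-pfa` to match the SecurityIntent name declared in `exploit-pfa-si.yaml`; the generated README under `create/` carries the same typo and will follow once the spec is fixed.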
@@ -47,25 +43,18 @@ spec: - assert: file: ../np-status-assert.yaml - - name: "Verify that the corresponding NimbusPolicy status has been updated with the generated Network Policy" - try: - - script: - content: kubectl get np -n $NAMESPACE dns-manipulation-binding -o=jsonpath='{.status.adapterPolicies}' - check: - (contains($stdout, 'NetworkPolicy/dns-manipulation-binding-dnsmanipulation')): true - - name: "Verify that the corresponding NimbusPolicy status has been updated with the generated KubeArmor Policy" try: - script: - content: kubectl get np -n $NAMESPACE dns-manipulation-binding -o=jsonpath='{.status.adapterPolicies}' + content: kubectl get np -n $NAMESPACE exploit-pfa-binding -o=jsonpath='{.status.adapterPolicies}' check: - (contains($stdout, 'KubeArmorPolicy/dns-manipulation-binding-dnsmanipulation')): true + (contains($stdout, 'KubeArmorPolicy/exploit-pfa-binding-preventexecutionfromtemporlogsfolders')): true - name: "create nginx pod" try: - script: - content: kubectl run nginx --image=nginx --labels="app=nginx" - + content: kubectl create -f https://raw.githubusercontent.com/5GSEC/nimbus/main/docs/attack-emulation/pod.yaml + - name: "verify creation of nginx pod" try: - script: 
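Review bot: The "create nginx pod" step fetches the workload manifest from `https://raw.githubusercontent.com/5GSEC/nimbus/main/docs/attack-emulation/pod.yaml` at run time, so the e2e test now depends on outbound network access and on whatever the unpinned `main` branch serves, and a later edit to that document (labels, image, namespace) silently changes what this test exercises. The policy assertions in `ksp.yaml` and `nimbus-policy-assert.yaml` match on `app: nginx`, so the pod spec is part of the test contract and should be reviewed with it. Keep a copy of the manifest next to the other fixtures and reference it locally, for example `content: kubectl create -f ../../resources/namespaced/exploit-pfa-pod.yaml` (constructed path; place it wherever the other namespaced fixtures live), which also keeps the run hermetic. Whether chainsaw runs the script with the test directory as its working directory, as it does for `apply.file`, is inferred here and worth confirming.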
@@ -73,13 +62,24 @@ spec: check: (contains($stdout, 'pod/nginx')): true - - name: "Verify the failure of alter of resolv.conf in nginx pod" + - name: "install git inside nginx pod" + try: + - script: + content: kubectl exec -it nginx -- /bin/bash -c "apt-get update && apt-get install -y git" + + - name: "move git binary to tmp/ folder" + try: + - script: + content: kubectl exec -it nginx -- /bin/bash -c "cp /usr/bin/git /tmp/" + + + - name: "Verify the failure in cloning a repo via git binary in tmp/ folder in nginx pod" try: - script: - content: kubectl get pods -l app=nginx -o name | head -n 1 | xargs -I {} kubectl exec {} -- bash -c "echo 'nameserver 10.96.' > /etc/resolv.conf && cat /etc/resolv.conf" + content: kubectl exec -it nginx -- /bin/bash -c "/tmp/git clone https://github.com/thockin/test.git" check: ($error != null): true - (contains($stderr, 'Permission denied')): true + diff --git a/tests/e2e/exploit-pfa/ksp.yaml b/tests/e2e/exploit-pfa/ksp.yaml new file mode 100644 index 00000000..c50bd710 --- /dev/null +++ b/tests/e2e/exploit-pfa/ksp.yaml 
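Review bot: The final step's check is only `($error != null): true`, so the test passes whenever `/tmp/git clone` fails for any reason — git absent because the `apt-get install` step could not reach a mirror, no route to github.com, or the pod not yet ready — and not specifically because KubeArmor blocked execution from `/tmp/`. The hunk also drops the `(contains($stderr, 'Permission denied')): true` condition that the previous version of this step carried; restoring it ties the expected failure to the policy's Block action rather than to any error. The three `kubectl exec -it nginx ...` invocations request a TTY that a non-interactive script runner does not provide; `kubectl exec nginx -- /bin/bash -c "..."` is sufficient, and keeping `-t` at best adds a warning to stderr that the restored `contains($stderr, ...)` check would have to tolerate (the exact runner behaviour is inferred, please confirm). The enclosing `steps:` list continues outside the hunk.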
@@ -0,0 +1,39 @@
+apiVersion: security.kubearmor.com/v1
+kind: KubeArmorPolicy
+metadata:
+ annotations:
+ app.kubernetes.io/managed-by: nimbus-kubearmor
+ name: exploit-pfa-binding-preventexecutionfromtemporlogsfolders
+ namespace: default
+ ownerReferences:
+ - apiVersion: intent.security.nimbus.com/v1alpha1
+ blockOwnerDeletion: true
+ controller: true
+ kind: NimbusPolicy
+ name: exploit-pfa-binding
+spec:
+ action: Block
+ capabilities: {}
+ file: {}
+ message: Mitigate the execution of harmful binaries which may result in exploiting
+ public facing application
+ network: {}
+ process:
+ action: Block
+ matchDirectories:
+ - dir: /var/tmp/
+ recursive: true
+ - dir: /tmp/
+ recursive: true
+ - dir: /var/log/
+ recursive: true
+ - dir: /app/logs/
+ recursive: true
+ - dir: /logs/
+ recursive: true
+ - dir: /etc/
+ recursive: true
+ selector:
+ matchLabels:
+ app: nginx
+ syscalls: {}
\ No newline at end of file
diff --git a/tests/e2e/exploit-pfa/nimbus-policy-assert.yaml b/tests/e2e/exploit-pfa/nimbus-policy-assert.yaml
new file mode 100644
index 00000000..9e6cc5dd
--- /dev/null
+++ b/tests/e2e/exploit-pfa/nimbus-policy-assert.yaml
@@ -0,0 +1,21 @@
+apiVersion: intent.security.nimbus.com/v1alpha1
+kind: NimbusPolicy
+metadata:
+ name: exploit-pfa-binding
+ namespace: default
+ ownerReferences:
+ - apiVersion: intent.security.nimbus.com/v1alpha1
+ blockOwnerDeletion: true
+ controller: true
+ kind: SecurityIntentBinding
+ name: exploit-pfa-binding
+spec:
+ rules:
+ - description: Mitigate the execution of harmful binaries which may result in exploiting
+ public facing application
+ id: preventExecutionFromTempOrLogsFolders
+ rule:
+ action: Block
+ selector:
+ matchLabels:
+ app: nginx
diff --git a/tests/e2e/exploit-pfa/np-status-assert.yaml b/tests/e2e/exploit-pfa/np-status-assert.yaml
new file mode 100644
index 00000000..b6dd6cc0
--- /dev/null
+++ b/tests/e2e/exploit-pfa/np-status-assert.yaml
@@ -0,0 +1,16 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1alpha1
+kind: NimbusPolicy
+metadata:
+ name: exploit-pfa-binding
+ ownerReferences:
+ - apiVersion: intent.security.nimbus.com/v1alpha1
+ blockOwnerDeletion: true
+ controller: true
+ kind: SecurityIntentBinding
+ name: exploit-pfa-binding
+status:
+ numberOfAdapterPolicies: 1
+ status: Created
diff --git a/tests/e2e/exploit-pfa/sib-status-assert.yaml b/tests/e2e/exploit-pfa/sib-status-assert.yaml
new file mode 100644
index 00000000..6c6b6bd5
--- /dev/null
+++ b/tests/e2e/exploit-pfa/sib-status-assert.yaml
@@ -0,0 +1,13 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1alpha1
+kind: SecurityIntentBinding
+metadata:
+ name: dns-manipulation-binding
+status:
+ boundIntents:
+ - exploit-pfa
+ nimbusPolicy: dns-manipulation-binding
+ numberOfBoundIntents: 1
+ status: Created
\ No newline at end of file
diff --git a/tests/e2e/resources/namespaced/exploit-pfa-si.yaml b/tests/e2e/resources/namespaced/exploit-pfa-si.yaml
new file mode 100644
index 00000000..c1bacb4a
--- /dev/null
+++ b/tests/e2e/resources/namespaced/exploit-pfa-si.yaml
@@ -0,0 +1,12 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1alpha1
+kind: SecurityIntent
+metadata:
+ name: exploit-pfa
+spec:
+ intent:
+ id: preventExecutionFromTempOrLogsFolders
+ description: "Mitigate the execution of harmful binaries which may result in exploiting public facing application"
+ action: Block
\ No newline at end of file
diff --git a/tests/e2e/resources/namespaced/expolit-pfa-sib.yaml b/tests/e2e/resources/namespaced/expolit-pfa-sib.yaml
new file mode 100644
index 00000000..8017d132
--- /dev/null
+++ b/tests/e2e/resources/namespaced/expolit-pfa-sib.yaml
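Review bot: `sib-status-assert.yaml` asserts a SecurityIntentBinding named `dns-manipulation-binding` with `nimbusPolicy: dns-manipulation-binding`, but the binding this test creates is `exploit-pfa-binding` (the `expolit-pfa-sib.yaml` fixture, and the owner reference in `nimbus-policy-assert.yaml`), so the "Verify status of created SecurityIntentBinding" step fails against a missing object or, if dns-manipulation objects happen to exist in the same namespace, validates the wrong resource. Change the two leftover lines to `name: exploit-pfa-binding` and `nimbusPolicy: exploit-pfa-binding`. The `boundIntents` entry `exploit-pfa` is already correct, and `np-status-assert.yaml` in the preceding hunk uses the right names.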
@@ -0,0 +1,14 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright 2023 Authors of Nimbus
+
+apiVersion: intent.security.nimbus.com/v1alpha1
+kind: SecurityIntentBinding
+metadata:
+ name: exploit-pfa-binding
+spec:
+ intents:
+ - name: exploit-pfa
+ selector:
+ workloadSelector:
+ matchLabels:
+ app: nginx
\ No newline at end of file