KubeArmor manual tests before releases
Rudraksh Pareek edited this page May 19, 2023
This page lists the manual tests that should be performed on KubeArmor before a new KubeArmor release is created.
Environments to test on:
- BottleRocket - BPF-LSM
- GKE COS
- AppArmor
- BPF LSM
🛡️ Enforcement - AppArmor, BPF-LSM
Workload: wordpress-mysql deployment
Security policies: KubeArmor/examples/wordpress-mysql/security-policies
For observability, apply the respective policies and check karmor logs for the corresponding logs.
- 🛑 Block policy - Expected alert + Block enforcement for the resource mentioned in the policy
- 🔍 Audit policy -
  - If visibility is enabled: expected alert but no enforcement
  - Else: no alert and no enforcement
- 👍 Allow policy - Expect alerts only for the resource(s) not mentioned in the policy
- Default posture - If it’s set to audit (that’s the default) then for an applied Allow policy, we shouldn't be blocking other processes; instead we should get Audit alerts

NOTE: In either case, you'll get alerts only when visibility is enabled
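The expectation matrix above (Block / Audit / Allow, visibility on or off, default posture audit or block) is easy to misread while stepping through the checklist by hand, so here is an added helper that encodes it and compares it against alert records. This is an added example, not code from the KubeArmor project or this wiki; the JSON field names (`NamespaceName`, `Resource`, `Action`, `Result`) and the use of `"Permission denied"` as the enforcement marker are assumptions about karmor's JSON alert output, and the sample records are constructed, not captured from a cluster.

```python
import json


def expected_outcome(action, visibility_enabled=True, default_posture="audit"):
    """Expectation matrix from the checklist above.

    Returns, for the resource the policy lists and for a resource it does not
    list, a pair (alert expected, enforcement expected).
    """
    action = action.lower()
    if action == "block":
        # Block policy: alert plus enforcement for the listed resource.
        return {"listed": (True, True), "unlisted": (False, False)}
    if action == "audit":
        # Alert only when visibility is on; never enforced.
        return {"listed": (visibility_enabled, False), "unlisted": (False, False)}
    if action == "allow":
        # Listed resource stays silent; everything else falls to the default
        # posture: audit (the default) alerts without blocking, block denies.
        return {"listed": (False, False),
                "unlisted": (visibility_enabled, default_posture == "block")}
    raise ValueError(f"unknown policy action: {action!r}")


def parse_karmor_json(text):
    """Parse one JSON object per line (assumed karmor logs --json shape)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def observed(records, resource, namespace):
    """(alert seen, enforcement seen) for one resource in one namespace.
    Assumption: a Result of 'Permission denied' means the operation was denied."""
    hits = [r for r in records
            if r.get("NamespaceName") == namespace and r.get("Resource") == resource]
    return (bool(hits), any(r.get("Result") == "Permission denied" for r in hits))


def verify(records, action, listed_resource, unlisted_resource, namespace,
           visibility_enabled=True, default_posture="audit"):
    """Compare what karmor reported against the matrix.
    Returns a list of mismatch descriptions; an empty list means the check passed."""
    exp = expected_outcome(action, visibility_enabled, default_posture)
    problems = []
    for label, resource in (("listed", listed_resource), ("unlisted", unlisted_resource)):
        want_alert, want_enforce = exp[label]
        got_alert, got_enforce = observed(records, resource, namespace)
        if want_alert != got_alert:
            problems.append(f"{label} {resource}: expected alert={want_alert}, saw {got_alert}")
        if want_enforce != got_enforce:
            problems.append(f"{label} {resource}: expected enforcement={want_enforce}, saw {got_enforce}")
    return problems


# Constructed sample for a Block policy test (not real cluster output).
SAMPLE_BLOCK_TEST = """
{"NamespaceName":"wordpress-mysql","PodName":"wordpress-example","PolicyName":"example-block-apt","Operation":"Process","Resource":"/usr/bin/apt","Action":"Block","Result":"Permission denied"}
{"NamespaceName":"wordpress-mysql","PodName":"wordpress-example","PolicyName":"example-block-apt","Operation":"Process","Resource":"/usr/bin/apt","Action":"Block","Result":"Permission denied"}
"""

# Constructed sample for an Allow policy with default posture audit: the allowed
# binary produces nothing, an unlisted binary is audited but still runs.
SAMPLE_ALLOW_TEST = """
{"NamespaceName":"wordpress-mysql","PodName":"wordpress-example","PolicyName":"DefaultPosture","Operation":"Process","Resource":"/bin/ls","Action":"Audit","Result":"Passed"}
"""

if __name__ == "__main__":
    ns = "wordpress-mysql"
    print(verify(parse_karmor_json(SAMPLE_BLOCK_TEST), "Block", "/usr/bin/apt", "/bin/ls", ns))
    print(verify(parse_karmor_json(SAMPLE_ALLOW_TEST), "Allow", "/usr/bin/apache2", "/bin/ls", ns))
```

To use it against a real run, save the karmor JSON output of the test window to a file and feed its contents to `parse_karmor_json` instead of the constructed samples; a non-empty list from `verify` points at exactly which expectation (alert or enforcement, listed or unlisted resource) did not match.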
Note down KubeArmor’s CPU and memory usage with and without load (kubectl top).
This will help us compare KubeArmor’s performance across releases.