Skip to content

KubeArmor manual tests before releases

Jump to bottom
Ankur Kothiwal edited this page Jan 20, 2023 · 4 revisions

📄 Documenting KubeArmor release tests

The documentation provides the tests for KubeArmor which should be performed before creating a new KubeArmor release.

📜 Environment to be tested:

  • BottleRocket - BPF-LSM
  • GKE COS
    • Apparmor
    • BPF LSM

📜 Things to be tested:

🛡️ Enforcement - Apparmor, BPF-LSM

👀 Observability

Workload: wordpress-mysql Wordpress-mysql deployment
Security policies: KubeArmor/examples/wordpress-mysql/security-policies

For observability apply the respective policies and check karmor logs for corresponding logs.

  • 🛑 Block policy - Expected alert + Block enforcement for the resource mentioned in the policy
  • 🔍 Audit policy - Expected alert but no enforcement
  • 👍 Allow policy - Expect alerts only for the resource(s) not mentioned in the policy
    • Default posture - If it’s set to audit (that’s default) then for an applied Allow policy, we shouldn't be blocking other processes, instead we should get Audit alerts

📈 Performance analysis:

Note down KubeArmor’s CPU and memory usages with and without load. (kubectl top)
This will help us in comparing KubeArmor’s performance among different releases.

Clone this wiki locally