add in cluster tests

Signed-off-by: Achref ben saad <achref9612@gmail.com>
kubearmor · Jul 8, 2022 · 1977832 · 1977832
1 parent b7a0176
commit 1977832
Show file tree

Hide file tree

Showing 3 changed files with 847 additions and 0 deletions.
diff --git a/.github/workflows/ci-test-incluster.yml b/.github/workflows/ci-test-incluster.yml
@@ -0,0 +1,63 @@
+name: run-in-cluster-test
+
+on:
+  push:
+    branches:
+    - "**"
+    paths:
+    - "deployments/annotations/**"
+    - "deployments/generic/**"
+    - "tests/test-scenarios-in-cluster.sh"
+    - ".github/workflows/ci-test-incluster.yml"
+  pull_request:
+    branches: ["*"]
+    paths: 
+    - "deployments/annotations/**"
+    - "deployments/generic/**"
+    - "tests/test-scenarios-in-cluster.sh"
+    - ".github/workflows/ci-test-incluster.yml"
+
+jobs:
+  manifest-test:
+    name: Run basic manifest tests / ${{ matrix.os }} / ${{ matrix.runtime }}
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-latest, ubuntu-18.04]
+        runtime: ["docker", "containerd", "crio"]
+    steps:
+      - name: Kernel version
+        run: uname -r
+
+      - uses: actions/checkout@v2
+
+      - name: Setup Enviroment
+        run: |
+          echo "RUNTIME="$RUNTIME
+          if [ "$RUNTIME" == "docker" ]; then
+            ./contribution/self-managed-k8s/docker/install_docker.sh
+            docker --version
+          elif [ "$RUNTIME" == "crio" ]; then
+            ./contribution/self-managed-k8s/crio/install_crio.sh
+            crio --version
+          fi
+          ./contribution/k3s/install_k3s.sh
+
+          
+      - name: Test manifests
+        run:  ./tests/test-scenarios-in-cluster.sh
+
+      - name: Archive log artifacts
+        if: ${{ failure() }}
+        uses: actions/upload-artifact@v2
+        with:
+          name: kubearmor.logs
+          path: |
+            /tmp/kubearmor.test
+            /tmp/kubearmor.log
+            /tmp/kubearmor.msg
+      
+      - name: Check Results
+        if: ${{ always() }}
+        run: cat /tmp/kubearmor.test
diff --git a/deployments/generic/kubearmor.yaml b/deployments/generic/kubearmor.yaml
@@ -54,6 +54,8 @@ spec:
       containers:
       - image: kubearmor/kubearmor-relay-server:latest
         name: kubearmor-relay-server
+        securityContext:
+          readOnlyRootFilesystem: true
         ports:
         - containerPort: 32767
       nodeSelector:
@@ -103,6 +105,7 @@ spec:
         - containerPort: 32767
         securityContext:
           privileged: true
+          readOnlyRootFilesystem: true
         terminationMessagePath: /dev/termination-log
         terminationMessagePolicy: File
         volumeMounts:
@@ -132,6 +135,8 @@ spec:
         - mountPath: /var/lib/docker
           name: docker-storage-path
           readOnly: true
+        - mountPath: /tmp
+          name: tmp-path
       dnsPolicy: ClusterFirstWithHostNet
       hostNetwork: true
       hostPID: true
@@ -183,6 +188,8 @@ spec:
           path: /var/lib/docker
           type: DirectoryOrCreate
         name: docker-storage-path
+      - emptyDir: {}
+        name: tmp-path
 ---
 apiVersion: v1
 kind: Service
@@ -226,6 +233,8 @@ spec:
         - --v=10
         image: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0
         name: kube-rbac-proxy
+        securityContext:
+          readOnlyRootFilesystem: true
         ports:
         - containerPort: 8443
           name: https
@@ -295,6 +304,8 @@ spec:
         - --v=10
         image: gcr.io/kubebuilder/kube-rbac-proxy:v0.5.0
         name: kube-rbac-proxy
+        securityContext:
+          readOnlyRootFilesystem: true
         ports:
         - containerPort: 8443
           name: https