Student: zhy76
Organization: CNCF && KubeArmor
Project: GitHub Actions for KubeArmor
Issue: kubearmor/KubeArmor#1128
Code: https://github.com/kubearmor/kubearmor-action/tree/main
This is my first time participating in GSoC, and I am honored to have been selected by CNCF and the KubeArmor organization and to have completed this project within three months.
First of all, I am very grateful to my mentors, Barun Acharya, Ankur Kothiwal, Rahul Jadhav and Anurag, who gave me a lot of help on the project. Their professionalism and patience are worth learning from, and it was a wonderful experience to work with them.
During the project, I built a GitHub Action that visualizes an application's system-level behaviors and the changes in its network connections: for example, which processes the application spawns and the parent-child relationships between them, which files it accesses, which network connections it opens, the network connection topology, and how those connections change between runs. I think this will greatly help developers identify problems in a project in advance, ensure the quality of the code, avoid serious consequences, and improve the visibility of the project.
I actively participated in the project discussions and helped determine the final implementation approach and expected result. The core algorithm of this project is developed in Go, so I compared several ways to publish GitHub Actions written in Go: composite actions, pre-compiled binaries with a shim, and Docker containers. I eventually chose composite actions to develop a GitHub Action written in Go.
First, my mentor created a new code repository called kubearmor-action; I then submitted PRs to initialize the code architecture, implement the entire kubearmor-action workflow, and optimize that workflow.
I have divided the entire workflow into the following parts:
- Set up Go
- Check out your repo
- Install a Kubernetes cluster
- Install the KubeArmor components
- Deploy your application
- Check that all pods are ready; if not, report the reason
- Run integration tests / load generation
- Save the application summary report and generate the visualisation results
- Get the latest summary report file
- Get the visualisation results
- Store the latest summary report file
- Store the visualisation results
- Comment the visualisation results on the PR
- Delete the new application
Related PRs:
- kubearmor/kubearmor-action#8
- kubearmor/kubearmor-action#11
- kubearmor/kubearmor-action#13
- kubearmor/kubearmor-action#14
- kubearmor/kubearmor-action#18
- kubearmor/kubearmor-action#19
- kubearmor/kubearmor-client#346
The most difficult part of the project was the visualization of system and network behavior, which I needed to represent in data structures and for which I implemented the relevant differencing algorithms (comparing the behavior observed before and after a change).
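The kind of network-behavior differencing described above, as an added example that is not code from kubearmor-action or kubearmor-client: it assumes a simplified `Conn` record for one network edge (the real summary report carries more fields) and uses constructed sock-shop style sample data.

```go
package main

import "fmt"
import "sort"

// Conn is an assumed, simplified shape for one network edge from a KubeArmor summary report.
type Conn struct {
	Pod, Dir, Protocol, Command, Peer string // Dir is "ingress" or "egress"
}

// key is the identity used to match an edge across two reports.
func (c Conn) key() string { return c.Pod + "|" + c.Dir + "|" + c.Protocol + "|" + c.Command + "|" + c.Peer }

// DiffConns compares the edges observed before a change (old) with those observed after it (cur)
// and returns the added, removed and unchanged edges, sorted by key; duplicates collapse to one edge.
func DiffConns(old, cur []Conn) (added, removed, kept []Conn) {
	state := map[string]int{} // bit 1: present in old, bit 2: present in cur
	byKey := map[string]Conn{}
	for _, c := range old {
		state[c.key()] |= 1
		byKey[c.key()] = c
	}
	for _, c := range cur {
		state[c.key()] |= 2
		byKey[c.key()] = c
	}
	for k, s := range state {
		switch s {
		case 1:
			removed = append(removed, byKey[k])
		case 2:
			added = append(added, byKey[k])
		default:
			kept = append(kept, byKey[k])
		}
	}
	for _, s := range [][]Conn{added, removed, kept} {
		sort.Slice(s, func(i, j int) bool { return s[i].key() < s[j].key() })
	}
	return added, removed, kept
}

func main() {
	// Constructed sample: after a pull request the front-end pod stops calling catalogue and
	// starts calling payment; the ingress from the edge router is unchanged.
	before := []Conn{{"front-end", "egress", "tcp", "node", "catalogue:80"}, {"front-end", "ingress", "tcp", "node", "edge-router:8079"}}
	after := []Conn{{"front-end", "egress", "tcp", "node", "payment:80"}, {"front-end", "ingress", "tcp", "node", "edge-router:8079"}}
	added, removed, kept := DiffConns(before, after)
	fmt.Printf("added=%v\nremoved=%v\nkept=%v\n", added, removed, kept)
}
```

The three result sets map directly onto a PR comment or a graph rendering: added edges are what a reviewer should look at first, removed edges confirm a dependency really went away.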
System visualization algorithm flow:
Network visualization algorithm flow:
Taking the sock-shop microservice demo as an example, the visualizations are as follows.
All system behaviors:
All network behaviors:
Filtered to the behavior of Pods whose name contains front-end:
System level:
Network level (including changes in network behavior):
Now, running through the entire process, we can visualize system behavior and network behavior, which is a great help for DevOps. In the future, we could consider adding more interesting features, such as the container security issues and cluster security issues we are currently concerned about: early detection and resolution of security issues during project development through our kubearmor-action component. This also requires support from upstream KubeArmor and kubearmor-client.
Also, as the size of the project increases, we need to consider adding more tests.
We also welcome more people to put forward their opinions and expectations for this project.
In this project, I developed a GitHub Action in Go that visualizes system and network behavior during development and comments the results on the PR.
This was a rare experience for me: completing the development of a whole project on my own. During the project, I learned how to develop a GitHub Action, Go and shell development skills, eBPF knowledge, Kubernetes ingress and egress knowledge, and more. The most difficult part was the algorithmic part of the system behavior and network behavior visualization: I needed to represent the behavior with data structures and complete the algorithm for detecting network behavior changes. At the same time, because the weekly meetings were conducted entirely in English, my spoken English and listening comprehension improved greatly.
If you want to use the project, follow the README to learn how.