Getting started

These instructions will help you install AccuKnox on your K8s clusters in a couple of minutes. For VM setup, follow this link.

1. Install sample k8s cluster

Install k3s

curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC='--flannel-backend=none --disable traefik' sh -s - --write-kubeconfig-mode 644

Make k3s cluster config the default

export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
or
cp /etc/rancher/k3s/k3s.yaml ~/.kube/config

EKS cluster config (eksctl)

apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: kubearmor-ub20
  region: us-east-2

nodeGroups:
  - name: ng-1
    amiFamily: "Ubuntu2004"
    privateNetworking: true
    desiredCapacity: 2
    # taint nodes so that application pods are
    # not scheduled until Cilium is deployed.
    taints:
     - key: "node.cilium.io/agent-not-ready"
       value: "true"
       effect: "NoSchedule"
    ssh:
      allow: true
    preBootstrapCommands:
      - "sudo apt install linux-headers-$(uname -r)"

2. Install Daemonsets and Services

curl -s https://raw.githubusercontent.com/accuknox/tools/main/install.sh | bash
This will install all the components.

Output from kubectl get pods -A
NAMESPACE     NAME                                             READY   STATUS      RESTARTS   AGE
kube-system   helm-install-traefik-crd-gwlpt                   0/1     Completed   0          3h17m
kube-system   helm-install-traefik-lzkqg                       0/1     Completed   1          3h17m
kube-system   svclb-traefik-47bc4                              2/2     Running     2          3h9m
kube-system   metrics-server-86cbb8457f-cw9jd                  1/1     Running     1          3h9m
kube-system   local-path-provisioner-7c7846d5f8-kxdxj          1/1     Running     1          3h3m
kube-system   coredns-7448499f4d-qk6pv                         1/1     Running     0          15m
kube-system   traefik-5ffb8d6846-w8clc                         1/1     Running     1          3h3m
kube-system   cilium-operator-6bbdb895b5-ff752                 1/1     Running     0          12m
kube-system   hubble-relay-84999fcb48-8d5ss                    1/1     Running     0          11m
kube-system   cilium-wkgzn                                     1/1     Running     0          11m
explorer      mysql-0                                          1/1     Running     0          10m
kube-system   kubearmor-67jtk                                  1/1     Running     0          8m34s
kube-system   kubearmor-policy-manager-986bd8dbc-4s79d         2/2     Running     0          8m34s
kube-system   kubearmor-host-policy-manager-5bcccfc4f5-gkbck   2/2     Running     0          8m34s
kube-system   kubearmor-relay-645667c695-brzpg                 1/1     Running     0          8m34s
explorer      knoxautopolicy-6bf6c98dbb-pfwt9                  1/1     Running     0          8m20s

The following components are now installed:

  • KubeArmor protection engine
  • Cilium CNI
  • Auto policy discovery engine
  • MySQL database to keep discovered policies
  • Hubble Relay and KubeArmor Relay

3. Install Sample k8s application

Install any one of the following apps, or try your own k8s app.

kubectl apply -f https://raw.githubusercontent.com/kubearmor/KubeArmor/main/examples/wordpress-mysql/wordpress-mysql-deployment.yaml

Application Reference

kubectl apply -f https://raw.githubusercontent.com/GoogleCloudPlatform/microservices-demo/master/release/kubernetes-manifests.yaml

4. Get Auto Discovered Policies

curl -s https://raw.githubusercontent.com/accuknox/tools/main/get_discovered_yamls.sh | bash
Sample Output
❯ curl -s https://raw.githubusercontent.com/accuknox/tools/main/get_discovered_yamls.sh | bash
{
  "res": "ok"
}
Got 172 cilium policies in file cilium_policies.yaml
{
  "res": "ok"
}
Got 1 kubearmor policies in file kubearmor_policies_default_default_main_ipidmpgu.yaml
Got 1 kubearmor policies in file kubearmor_policies_default_default_redis_nqnohcbu.yaml
Got 1 kubearmor policies in file kubearmor_policies_default_default_server_bujjgiip.yaml
Got 1 kubearmor policies in file kubearmor_policies_default_default_server_gihaqkqo.yaml
Got 1 kubearmor policies in file kubearmor_policies_default_default_server_gmlefyvh.yaml
Got 1 kubearmor policies in file kubearmor_policies_default_default_server_gpcrbwsg.yaml
Got 1 kubearmor policies in file kubearmor_policies_default_default_server_gvmixduf.yaml
Got 1 kubearmor policies in file kubearmor_policies_default_default_server_jimxunhp.yaml
Got 1 kubearmor policies in file kubearmor_policies_default_default_server_rxpzliwy.yaml
Got 1 kubearmor policies in file kubearmor_policies_default_default_server_sbvldmly.yaml
Got 1 kubearmor policies in file kubearmor_policies_default_default_server_uxvdiqid.yaml
Got 1 kubearmor policies in file kubearmor_policies_default_default_server_wsglnafl.yaml
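
Steps 2 and 4 both pipe a script from the main branch of accuknox/tools straight into bash. As an added example (not part of the AccuKnox documentation), the helper below downloads the script to a file, compares its SHA-256 with a digest you recorded after reviewing it, and runs it only on a match; the function names and the digest placeholder are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not from the AccuKnox docs: run a downloaded script only
# when its SHA-256 matches a digest recorded after reviewing the script.

# sha256_of FILE: print the lowercase hex SHA-256 of FILE.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'   # macOS fallback
  fi
}

# run_if_verified FILE EXPECTED_SHA256 [ARGS...]
# Returns 2 if FILE is missing, 1 on digest mismatch (nothing is executed),
# otherwise the script's own exit status.
run_if_verified() {
  local file="$1" expected="$2" actual
  shift 2
  [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "refusing to run $file: sha256 is $actual" >&2
    return 1
  fi
  bash "$file" "$@"
}

# fetch_verify_run URL EXPECTED_SHA256 [ARGS...]
# Downloads to a temp file instead of piping curl into bash, so a truncated
# or altered download is rejected before any line of it runs.
fetch_verify_run() {
  local url="$1" expected="$2" tmp rc=0
  shift 2
  tmp=$(mktemp) || return 2
  if curl -fsSL --proto '=https' -o "$tmp" "$url"; then
    run_if_verified "$tmp" "$expected" "$@" || rc=$?
  else
    echo "download failed: $url" >&2; rc=3
  fi
  rm -f "$tmp"
  return "$rc"
}

# Usage (the digest is a placeholder; record your own after reading the script):
#   fetch_verify_run \
#     https://raw.githubusercontent.com/accuknox/tools/main/install.sh \
#     "<sha256-you-recorded>"
```

Because the URLs track the main branch, a digest mismatch after an upstream change is expected: review the new script and update the recorded digest before running it.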

5. Applying Auto Discovered Policies on Cluster

These policies can then be applied on the k8s cluster running KubeArmor and Cilium.

  • Apply policies using kubectl apply -f checkoutservice.yaml.
Sample Output
kubectl apply -f kubearmor_policies.yaml
kubearmorpolicy.security.kubearmor.com/autopol-explorer-mysql created
  • To check the applied policies, use the respective CRDs: ksp (KubeArmorSecurityPolicy CRD) and hsp (KubeArmorHostSecurityPolicy CRD) for KubeArmor, and cnp (CiliumNetworkPolicy CRD) for Cilium.
Output from kubectl get ksp -A
NAMESPACE         NAME                          AGE
springboot        do-not-allow-exec-from-java   12m
default           ksp-log4j-block               10h
default           allow-only-ls                 26m
wordpress-mysql   ksp-wordpress-block-config    12h

    # Similarly one can use hsp & cnp