Getting started
These instructions install AccuKnox on a Kubernetes cluster in a couple of minutes. For a VM setup, follow this link.
1. Install a sample k8s cluster
Install k3s (flannel and Traefik are disabled because Cilium is installed as the CNI in the next step):
```bash
curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC='--flannel-backend=none --disable traefik' sh -s - --write-kubeconfig-mode 644
```
Make the k3s cluster config the default kubeconfig:
```bash
export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
```
or
```bash
cp /etc/rancher/k3s/k3s.yaml ~/.kube/config
```
For an EKS cluster instead, create it with eksctl from a ClusterConfig like the following. The nodes carry the `node.cilium.io/agent-not-ready` taint so that application pods are not scheduled until Cilium is running, and the kernel headers are installed before each node bootstraps:
```yaml
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: kubearmor-ub20
  region: us-east-2
nodeGroups:
  - name: ng-1
    amiFamily: "Ubuntu2004"
    privateNetworking: true
    desiredCapacity: 2
    # taint nodes so that application pods are
    # not scheduled until Cilium is deployed.
    taints:
      - key: "node.cilium.io/agent-not-ready"
        value: "true"
        effect: "NoSchedule"
    ssh:
      allow: true
    # -y so that apt does not wait for confirmation during unattended bootstrap
    preBootstrapCommands:
      - "sudo apt install -y linux-headers-$(uname -r)"
```
2. Install daemonsets and services
Run the installer script (download it first if you want to read it before running it):
```bash
curl -s https://raw.githubusercontent.com/accuknox/tools/main/install.sh | bash
```
Output from `kubectl get pods -A`:
```
NAMESPACE     NAME                                              READY   STATUS      RESTARTS   AGE
kube-system   helm-install-traefik-crd-gwlpt                    0/1     Completed   0          3h17m
kube-system   helm-install-traefik-lzkqg                        0/1     Completed   1          3h17m
kube-system   svclb-traefik-47bc4                               2/2     Running     2          3h9m
kube-system   metrics-server-86cbb8457f-cw9jd                   1/1     Running     1          3h9m
kube-system   local-path-provisioner-7c7846d5f8-kxdxj           1/1     Running     1          3h3m
kube-system   coredns-7448499f4d-qk6pv                          1/1     Running     0          15m
kube-system   traefik-5ffb8d6846-w8clc                          1/1     Running     1          3h3m
kube-system   cilium-operator-6bbdb895b5-ff752                  1/1     Running     0          12m
kube-system   hubble-relay-84999fcb48-8d5ss                     1/1     Running     0          11m
kube-system   cilium-wkgzn                                      1/1     Running     0          11m
explorer      mysql-0                                           1/1     Running     0          10m
kube-system   kubearmor-67jtk                                   1/1     Running     0          8m34s
kube-system   kubearmor-policy-manager-986bd8dbc-4s79d          2/2     Running     0          8m34s
kube-system   kubearmor-host-policy-manager-5bcccfc4f5-gkbck    2/2     Running     0          8m34s
kube-system   kubearmor-relay-645667c695-brzpg                  1/1     Running     0          8m34s
explorer      knoxautopolicy-6bf6c98dbb-pfwt9                   1/1     Running     0          8m20s
```
This installs the following:
- KubeArmor protection engine
- Cilium CNI
- Auto policy discovery engine
- MySQL database that stores the discovered policies
- Hubble Relay and KubeArmor Relay
3. Install a sample k8s application
Install any one of the following apps, or try your own k8s app.

WordPress with MySQL (from the KubeArmor examples):
```bash
kubectl apply -f https://raw.githubusercontent.com/kubearmor/KubeArmor/main/examples/wordpress-mysql/wordpress-mysql-deployment.yaml
```
Google's microservices demo:
```bash
kubectl apply -f https://raw.githubusercontent.com/GoogleCloudPlatform/microservices-demo/master/release/kubernetes-manifests.yaml
```
4. Get the auto-discovered policies
```bash
curl -s https://raw.githubusercontent.com/accuknox/tools/main/get_discovered_yamls.sh | bash
```
Sample output:
```
❯ curl -s https://raw.githubusercontent.com/accuknox/tools/main/get_discovered_yamls.sh | bash
{
"res": "ok"
}
Got 172 cilium policies in file cilium_policies.yaml
{
"res": "ok"
}
Got 1 kubearmor policies in file kubearmor_policies_default_default_main_ipidmpgu.yaml
Got 1 kubearmor policies in file kubearmor_policies_default_default_redis_nqnohcbu.yaml
Got 1 kubearmor policies in file kubearmor_policies_default_default_server_bujjgiip.yaml
Got 1 kubearmor policies in file kubearmor_policies_default_default_server_gihaqkqo.yaml
Got 1 kubearmor policies in file kubearmor_policies_default_default_server_gmlefyvh.yaml
Got 1 kubearmor policies in file kubearmor_policies_default_default_server_gpcrbwsg.yaml
Got 1 kubearmor policies in file kubearmor_policies_default_default_server_gvmixduf.yaml
Got 1 kubearmor policies in file kubearmor_policies_default_default_server_jimxunhp.yaml
Got 1 kubearmor policies in file kubearmor_policies_default_default_server_rxpzliwy.yaml
Got 1 kubearmor policies in file kubearmor_policies_default_default_server_sbvldmly.yaml
Got 1 kubearmor policies in file kubearmor_policies_default_default_server_uxvdiqid.yaml
Got 1 kubearmor policies in file kubearmor_policies_default_default_server_wsglnafl.yaml
```
5. Apply the auto-discovered policies on the cluster
These policies can then be applied on the k8s cluster running KubeArmor and Cilium.
- Apply policies with `kubectl apply -f checkoutservice.yaml`.

Sample output:
```
kubectl apply -f kubearmor_policies.yaml
kubearmorpolicy.security.kubearmor.com/autopol-explorer-mysql created
```
- To check the applied policies, query the respective CRDs: `ksp` (KubeArmorSecurityPolicy CRD) and `hsp` (KubeArmorHostSecurityPolicy CRD) for KubeArmor, and `cnp` (CiliumNetworkPolicy CRD) for Cilium.

Output from `kubectl get ksp -A`:
```
NAMESPACE         NAME                           AGE
springboot        do-not-allow-exec-from-java    12m
default           ksp-log4j-block                10h
default           allow-only-ls                  26m
wordpress-mysql   ksp-wordpress-block-config     12h
```
The same works with `hsp` and `cnp` in place of `ksp`.
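Steps 4 and 5 above are run by hand, one file at a time. The following script is an added example, not part of the accuknox/tools scripts: it parses the `Got N ... policies in file <file>` lines that `get_discovered_yamls.sh` prints, tallies the KubeArmor `spec.action` values (Allow, Audit or Block) in the discovered files so you know how many rules would enforce rather than only log before anything reaches the cluster, applies every file, and then lists the `ksp`, `hsp` and `cnp` objects. It assumes `kubectl` is on PATH and pointed at the cluster, and that the discovery script keeps the output format shown in step 4.

```shell
#!/bin/sh
# Added example (not from accuknox/tools): drive steps 4 and 5 of the page
# non-interactively. Assumes kubectl is on PATH and that
# get_discovered_yamls.sh prints lines of the form
#   Got N kubearmor policies in file <file>
#   Got N cilium policies in file <file>
set -eu

# Print one policy filename per line from the discovery script's output (stdin).
discovered_policy_files() {
  awk '/^Got [0-9]+ (kubearmor|cilium) policies in file /{print $NF}'
}

# Sum the per-file policy counts from the same output (stdin); 0 if none.
discovered_policy_count() {
  awk '/^Got [0-9]+ (kubearmor|cilium) policies in file /{n += $2} END{print n + 0}'
}

# Pre-apply review: tally KubeArmor spec.action values (Allow/Audit/Block)
# across the given files. Cilium policies carry no action field and so
# contribute nothing here.
policy_action_summary() {
  [ $# -gt 0 ] || return 0
  grep -hoE 'action: *(Allow|Audit|Block)' "$@" | sort | uniq -c
}

# Apply each file named on stdin. A missing file aborts the run so that a
# partially applied policy set is noticed rather than silently skipped.
apply_discovered_policies() {
  while IFS= read -r f; do
    [ -f "$f" ] || { echo "missing policy file: $f" >&2; return 1; }
    kubectl apply -f "$f"
  done
}

# Show what landed: KubeArmor pod policies (ksp), host policies (hsp) and
# Cilium network policies (cnp) in every namespace.
list_applied_policies() {
  kubectl get ksp,hsp,cnp -A
}

# End-to-end run, only when invoked with --run so the functions above can
# also be sourced on their own. Filenames from the script contain no spaces.
if [ "${1:-}" = "--run" ]; then
  curl -s https://raw.githubusercontent.com/accuknox/tools/main/get_discovered_yamls.sh | bash > discovery.log
  echo "discovered $(discovered_policy_count < discovery.log) policies"
  policy_action_summary $(discovered_policy_files < discovery.log)
  discovered_policy_files < discovery.log | apply_discovered_policies
  list_applied_policies
fi
```

Save it as, for example, `apply_discovered.sh` and run `sh apply_discovered.sh --run` from the directory where step 4 wrote the YAML files. The action tally is printed before anything is applied; if it shows more `Block` rules than you expect for a first rollout, edit the files (or apply them in a test namespace) before continuing.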