
Getting started

These instructions will help you install AccuKnox on your K8s clusters in a couple of minutes. For VM setup, follow this link.

1. Install sample k8s cluster

Install k3s

```
curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC='--flannel-backend=none --disable traefik' sh -s - --write-kubeconfig-mode 644
```

Make k3s cluster config the default

```
export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
```

or

```
cp /etc/rancher/k3s/k3s.yaml ~/.kube/config
```

eksctl ClusterConfig (EKS)

```
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: kubearmor-ub20
  region: us-east-2

nodeGroups:
  - name: ng-1
    amiFamily: "Ubuntu2004"
    privateNetworking: true
    desiredCapacity: 2
    # taint nodes so that application pods are
    # not scheduled until Cilium is deployed.
    taints:
     - key: "node.cilium.io/agent-not-ready"
       value: "true"
       effect: "NoSchedule"
    ssh:
      allow: true
    preBootstrapCommands:
      - "sudo apt install linux-headers-$(uname -r)"
```

2. Install Daemonsets and Services

```
curl -s https://raw.githubusercontent.com/accuknox/tools/main/install.sh | bash
```

This will install all the components.

Output from kubectl get pods -A

```
NAMESPACE     NAME                                             READY   STATUS      RESTARTS   AGE
kube-system   helm-install-traefik-crd-gwlpt                   0/1     Completed   0          3h17m
kube-system   helm-install-traefik-lzkqg                       0/1     Completed   1          3h17m
kube-system   svclb-traefik-47bc4                              2/2     Running     2          3h9m
kube-system   metrics-server-86cbb8457f-cw9jd                  1/1     Running     1          3h9m
kube-system   local-path-provisioner-7c7846d5f8-kxdxj          1/1     Running     1          3h3m
kube-system   coredns-7448499f4d-qk6pv                         1/1     Running     0          15m
kube-system   traefik-5ffb8d6846-w8clc                         1/1     Running     1          3h3m
kube-system   cilium-operator-6bbdb895b5-ff752                 1/1     Running     0          12m
kube-system   hubble-relay-84999fcb48-8d5ss                    1/1     Running     0          11m
kube-system   cilium-wkgzn                                     1/1     Running     0          11m
explorer      mysql-0                                          1/1     Running     0          10m
kube-system   kubearmor-67jtk                                  1/1     Running     0          8m34s
kube-system   kubearmor-policy-manager-986bd8dbc-4s79d         2/2     Running     0          8m34s
kube-system   kubearmor-host-policy-manager-5bcccfc4f5-gkbck   2/2     Running     0          8m34s
kube-system   kubearmor-relay-645667c695-brzpg                 1/1     Running     0          8m34s
explorer      knoxautopolicy-6bf6c98dbb-pfwt9                  1/1     Running     0          8m20s
```

The following components are now installed:

* KubeArmor protection engine
* Cilium CNI
* Auto policy discovery engine
* MySQL database to keep discovered policies
* Hubble Relay and KubeArmor Relay

3. Install Sample k8s application

Install any one of the following apps, or try your own k8s app.

```
kubectl apply -f https://raw.githubusercontent.com/kubearmor/KubeArmor/main/examples/wordpress-mysql/wordpress-mysql-deployment.yaml
```

Application Reference

```
kubectl apply -f https://raw.githubusercontent.com/GoogleCloudPlatform/microservices-demo/master/release/kubernetes-manifests.yaml
```

4. Get Auto Discovered Policies

```
curl -s https://raw.githubusercontent.com/accuknox/tools/main/get_discovered_yamls.sh | bash
```

Sample Output

```
❯ curl -s https://raw.githubusercontent.com/accuknox/tools/main/get_discovered_yamls.sh | bash
{ "res": "ok" }
Got 172 cilium policies in file cilium_policies.yaml
{ "res": "ok" }
Got 1 kubearmor policies in file kubearmor_policies_default_default_main_ipidmpgu.yaml
Got 1 kubearmor policies in file kubearmor_policies_default_default_redis_nqnohcbu.yaml
Got 1 kubearmor policies in file kubearmor_policies_default_default_server_bujjgiip.yaml
Got 1 kubearmor policies in file kubearmor_policies_default_default_server_gihaqkqo.yaml
Got 1 kubearmor policies in file kubearmor_policies_default_default_server_gmlefyvh.yaml
Got 1 kubearmor policies in file kubearmor_policies_default_default_server_gpcrbwsg.yaml
Got 1 kubearmor policies in file kubearmor_policies_default_default_server_gvmixduf.yaml
Got 1 kubearmor policies in file kubearmor_policies_default_default_server_jimxunhp.yaml
Got 1 kubearmor policies in file kubearmor_policies_default_default_server_rxpzliwy.yaml
Got 1 kubearmor policies in file kubearmor_policies_default_default_server_sbvldmly.yaml
Got 1 kubearmor policies in file kubearmor_policies_default_default_server_uxvdiqid.yaml
Got 1 kubearmor policies in file kubearmor_policies_default_default_server_wsglnafl.yaml
```

5. Applying Auto Discovered Policies on Cluster

These policies can then be applied on the k8s cluster running KubeArmor and Cilium.

  • Apply policies using kubectl apply -f checkoutservice.yaml.

Sample Output

```
kubectl apply -f kubearmor_policies.yaml
kubearmorpolicy.security.kubearmor.com/autopol-explorer-mysql created
```

  • To check the policies, use the respective CRDs: ksp (KubeArmorSecurityPolicy CRD) and hsp (KubeArmorHostSecurityPolicy CRD) for KubeArmor, and cnp (CiliumNetworkPolicy CRD) for Cilium.

Output from kubectl get ksp -A

```
NAMESPACE         NAME                          AGE
springboot        do-not-allow-exec-from-java   12m
default           ksp-log4j-block               10h
default           allow-only-ls                 26m
wordpress-mysql   ksp-wordpress-block-config    12h

# Similarly one can use hsp & cnp
```
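
kubectl apply creates every resource a file contains, so it is worth confirming that the discovered files hold only the policy kinds named above before applying them. The script below is an added example, not part of the AccuKnox tools; its function names, the file name in the usage comment and the allow-list (built from the three CRDs this page mentions) are assumptions.

```shell
#!/bin/sh
# Added example (not from the AccuKnox tools): refuse to apply a discovered
# policy file unless every top-level kind is one of the CRDs this page names.
# Function names and the allow-list variable are assumptions for illustration.
ALLOWED_KINDS="KubeArmorSecurityPolicy KubeArmorHostSecurityPolicy CiliumNetworkPolicy"

# list_kinds FILE: print "<count> <kind>" for each top-level kind in a
# multi-document YAML file. Only column-0 `kind:` keys are counted, so a
# wrapper such as `kind: List` is reported as List, not as its nested items.
list_kinds() {
  sed -n 's/^kind:[[:space:]]*//p' "$1" | tr -d "\"'\r" |
    awk '{ print $1 }' | sort | uniq -c
}

# check_policy_file FILE: succeed only if the file holds at least one
# document and nothing outside ALLOWED_KINDS.
check_policy_file() {
  cpf_total=0
  cpf_bad=0
  cpf_kinds=$(list_kinds "$1")
  while read -r count kind; do
    [ -n "$count" ] || continue          # empty file: no kinds found
    cpf_total=$((cpf_total + count))
    case " $ALLOWED_KINDS " in
      *" $kind "*) echo "ok      $1: $count x $kind" ;;
      *) echo "REJECT  $1: $count x ${kind:-<empty>}" >&2; cpf_bad=1 ;;
    esac
  done <<EOF
$cpf_kinds
EOF
  [ "$cpf_total" -gt 0 ] && [ "$cpf_bad" -eq 0 ]
}

# apply_discovered FILE...: check every file first, then ask the API server
# to validate them without persisting anything. Drop --dry-run=server to
# apply for real once the output has been reviewed.
apply_discovered() {
  for f in "$@"; do check_policy_file "$f" || return 1; done
  for f in "$@"; do kubectl apply --dry-run=server -f "$f" || return 1; done
}

# Usage (hypothetical file name): sh check_policies.sh cilium_policies.yaml
if [ "$#" -gt 0 ]; then apply_discovered "$@"; fi
```

A file with no top-level kind at all is rejected as well, which catches an empty or truncated download.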