
MicroK8s Cluster

Overview

This user journey guides you through installing Cilium on MicroK8s and verifying its compatibility by applying network policies to Kubernetes workloads.

Step 1: Set up MicroK8s

Clone the Repository:

git clone https://github.com/kubearmor/KubeArmor.git


cd KubeArmor/contribution/microk8s

Run the script to set up a MicroK8s Kubernetes cluster, then confirm all components are running:

./install_microk8s.sh
kubectl get all -A


Step 2: Cilium Install

Install Cilium CLI:

curl -L --remote-name-all https://github.com/cilium/cilium-cli/releases/latest/download/cilium-linux-amd64.tar.gz{,.sha256sum}
sha256sum --check cilium-linux-amd64.tar.gz.sha256sum
sudo tar xzvfC cilium-linux-amd64.tar.gz /usr/local/bin
rm cilium-linux-amd64.tar.gz{,.sha256sum}
cilium install

The standard installation method above did not work as expected, so Cilium is enabled through the MicroK8s addon command instead:

microk8s enable cilium


cilium status


Cilium Hubble Enable:

cilium hubble enable


Cilium Hubble Verify:

kubectl get pods -n kube-system | grep hubble


Install the Hubble CLI Client:

export HUBBLE_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/hubble/master/stable.txt)
curl -L --remote-name-all https://github.com/cilium/hubble/releases/download/$HUBBLE_VERSION/hubble-linux-amd64.tar.gz{,.sha256sum}
sha256sum --check hubble-linux-amd64.tar.gz.sha256sum
sudo tar xzvfC hubble-linux-amd64.tar.gz /usr/local/bin
rm hubble-linux-amd64.tar.gz{,.sha256sum}


Step 3: Cilium Policy

1. Create a MySQL deployment and verify it

vi mysql.yaml

apiVersion: v1
kind: Service
metadata:
  name: accuknox-mysql-haproxy
spec:
  ports:
  - port: 3306
  selector:
    app: mysql
  type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: accuknox-mysql
spec:
  selector:
    matchLabels:
      app: mysql
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: mysql
    spec:
      containers:
      - image: mysql:8.0
        name: mysql
        resources:
          requests:
            memory: 100M
            cpu: 100m
      #        ephemeral-storage: 2G
          limits:
            memory: 1500M
            cpu: 1000m
#        ephemeral-storage: 2G
        env:
          # Use secret in real usage
        - name: MYSQL_ROOT_PASSWORD
          value: password
        ports:
        - containerPort: 3306
          name: mysql
        volumeMounts:
        - name: mysql-persistent-storage
          mountPath: /var/lib/mysql
      volumes:
      - name: mysql-persistent-storage
        persistentVolumeClaim:
          claimName: mysql-pv-claim

---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: mysql-pv-volume
  labels:
    type: local
spec:
  storageClassName: standard
  capacity:
    storage: 2Gi
  accessModes:
    - ReadWriteOnce
  hostPath:
    path: "/mnt/data"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: mysql-pv-claim
spec:
  storageClassName: standard
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 2Gi

kubectl apply -f mysql.yaml
kubectl get pods


kubectl get pods --show-labels


2. Create the following policy

vi cnp-mitre-t1571-mysql-ingress.yaml

apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: cnp-mitre-t1571-mysql-ingress
  namespace: default        #change default namespace to match your namespace
spec:
  description: "Allow ingress communication only through standard ports of MySQL pods"
  endpointSelector:
    matchLabels:
      app: mysql              # Change label with your own labels
  ingress:
  - toPorts:
    - ports:
      - port: "3306"
        protocol: TCP
      - port: "33060"
        protocol: TCP

3. Apply the policy

kubectl apply -f cnp-mitre-t1571-mysql-ingress.yaml


4. Violate the policy

kubectl get pod


kubectl exec -it <mysql_pod> -- bash

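To make the "violation" in step 4 concrete, here is an added example (not part of the KubeArmor or Cilium docs) that models the ingress verdict Cilium gives once the policy above selects the MySQL pod: the policy is embedded as a dict mirroring cnp-mitre-t1571-mysql-ingress.yaml, and only the toPorts-only rule shape used on this page is modelled (no fromEndpoints or L7 rules).

```python
"""Evaluate ingress verdicts for the CiliumNetworkPolicy shown above.

Cilium semantics modelled here: an endpoint that no policy selects stays
allow-all; once any policy selects it, ingress becomes default-deny and only
the listed toPorts open traffic (a rule without fromEndpoints admits any source).
"""
from typing import Dict, List, Tuple

Labels = Dict[str, str]

# Constructed inline to mirror cnp-mitre-t1571-mysql-ingress.yaml (runs offline).
CNP_MYSQL_INGRESS = {
    "metadata": {"name": "cnp-mitre-t1571-mysql-ingress", "namespace": "default"},
    "spec": {
        "endpointSelector": {"matchLabels": {"app": "mysql"}},
        "ingress": [{"toPorts": [{"ports": [
            {"port": "3306", "protocol": "TCP"},
            {"port": "33060", "protocol": "TCP"},
        ]}]}],
    },
}


def selects(selector: dict, labels: Labels) -> bool:
    """matchLabels semantics: every selector key/value must be present on the endpoint."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def ingress_allowed(policies: List[dict], dst_labels: Labels,
                    port: int, proto: str = "TCP") -> Tuple[bool, str]:
    """Return (allowed, reason) for a connection to dst_labels on port/proto."""
    selected = [p for p in policies if selects(p["spec"]["endpointSelector"], dst_labels)]
    if not selected:
        return True, "no policy selects endpoint: allow-all"
    for pol in selected:
        for rule in pol["spec"].get("ingress", []):
            for tp in rule.get("toPorts", []):
                for entry in tp.get("ports", []):
                    # protocol defaults to ANY when omitted in the CNP
                    if int(entry["port"]) == port and entry.get("protocol", "ANY") in (proto, "ANY"):
                        return True, f"matched {pol['metadata']['name']}"
    return False, "endpoint selected, no rule matched: DROP (default-deny)"


if __name__ == "__main__":
    for p in (3306, 33060, 22):
        print(p, ingress_allowed([CNP_MYSQL_INGRESS], {"app": "mysql"}, p))
```

The dropped case (port 22 in the demo) is what you would expect to see in `hubble observe --verdict DROPPED` after exec'ing into the pod and attempting such a connection.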

5. Delete the policy

kubectl delete cnp cnp-mitre-t1571-mysql-ingress