MicroK8s Cluster
Overview
This guide walks you through installing Cilium on MicroK8s and verifying that it works by applying network policies to Kubernetes workloads.
Step 1: Set up MicroK8s
Clone the Repository:
git clone https://github.com/kubearmor/KubeArmor.git
cd KubeArmor/contribution/microk8s
Run the script to set up a MicroK8s Kubernetes cluster, then confirm the cluster components are running:
./install_microk8s.sh
kubectl get all -A
Step 2: Install Cilium
Install Cilium CLI:
curl -L --remote-name-all https://github.com/cilium/cilium-cli/releases/latest/download/cilium-linux-amd64.tar.gz{,.sha256sum}
sha256sum --check cilium-linux-amd64.tar.gz.sha256sum
sudo tar xzvfC cilium-linux-amd64.tar.gz /usr/local/bin
rm cilium-linux-amd64.tar.gz{,.sha256sum}
cilium install
The standard `cilium install` above does not work as expected on MicroK8s, so enable Cilium through the MicroK8s addon instead, then check its status:
microk8s enable cilium
cilium status
Enable Cilium Hubble:
cilium hubble enable
Verify that the Hubble pods are running:
kubectl get pods -n kube-system | grep hubble
Install the Hubble CLI client:
export HUBBLE_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/hubble/master/stable.txt)
curl -L --remote-name-all https://github.com/cilium/hubble/releases/download/$HUBBLE_VERSION/hubble-linux-amd64.tar.gz{,.sha256sum}
sha256sum --check hubble-linux-amd64.tar.gz.sha256sum
sudo tar xzvfC hubble-linux-amd64.tar.gz /usr/local/bin
rm hubble-linux-amd64.tar.gz{,.sha256sum}
Step 3: Cilium Policy
1. Create a MySQL deployment and verify it
vi mysql.yaml
apiVersion: v1
kind: Service
metadata:
  name: accuknox-mysql-haproxy
spec:
  ports:
  - port: 3306
  selector:
    app: mysql
  type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: accuknox-mysql
spec:
  selector:
    matchLabels:
      app: mysql
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: mysql
    spec:
      containers:
      - image: mysql:8.0
        name: mysql
        resources:
          requests:
            memory: 100M
            cpu: 100m
            # ephemeral-storage: 2G
          limits:
            memory: 1500M
            cpu: 1000m
            # ephemeral-storage: 2G
        env:
        # Use secret in real usage
        - name: MYSQL_ROOT_PASSWORD
          value: password
        ports:
        - containerPort: 3306
          name: mysql
        volumeMounts:
        - name: mysql-persistent-storage
          mountPath: /var/lib/mysql
      volumes:
      - name: mysql-persistent-storage
        persistentVolumeClaim:
          claimName: mysql-pv-claim
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: mysql-pv-volume
  labels:
    type: local
spec:
  storageClassName: standard
  capacity:
    storage: 2Gi
  accessModes:
  - ReadWriteOnce
  hostPath:
    path: "/mnt/data"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: mysql-pv-claim
spec:
  storageClassName: standard
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 2Gi
kubectl apply -f mysql.yaml
kubectl get pods
kubectl get pods --show-labels
2. Write the following policy to a file
vi cnp-mitre-t1571-mysql-ingress.yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: cnp-mitre-t1571-mysql-ingress
  namespace: default # change default to match your namespace
spec:
  description: "Allow ingress communication only through standard ports of MySQL pods"
  endpointSelector:
    matchLabels:
      app: mysql # change to match your own labels
  ingress:
  - toPorts:
    - ports:
      - port: "3306"
        protocol: TCP
      - port: "33060"
        protocol: TCP
3. Apply the policy
kubectl apply -f cnp-mitre-t1571-mysql-ingress.yaml
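Before testing against the cluster, it helps to be precise about what this policy does: once it selects a pod by label, ingress to that pod becomes default-deny and only TCP 3306 and 33060 are permitted, while pods it does not select are untouched. The script below is an added example (not Cilium or KubeArmor code) that encodes the policy above as a Python dict and evaluates constructed ingress flows against it; it models only the toPorts form used here and not peer selectors such as fromEndpoints.

```python
"""Model of the CiliumNetworkPolicy from this guide (added example; not Cilium
or KubeArmor code). The policy is written out as the equivalent Python dict so
the script runs without PyYAML or a cluster. evaluate_ingress() reproduces the
semantics that matter for the steps above:
  * a pod is affected only if endpointSelector.matchLabels is a subset of its labels;
  * once an ingress rule selects a pod, ingress is default-deny and only the
    listed port/protocol pairs are allowed;
  * pods the policy does not select keep the default allow-all behaviour.
Only the toPorts form used in this guide is modelled; peer selectors such as
fromEndpoints or fromCIDR are not.
"""

# Same content as cnp-mitre-t1571-mysql-ingress.yaml, as a dict
POLICY = {
    "apiVersion": "cilium.io/v2",
    "kind": "CiliumNetworkPolicy",
    "metadata": {"name": "cnp-mitre-t1571-mysql-ingress", "namespace": "default"},
    "spec": {
        "endpointSelector": {"matchLabels": {"app": "mysql"}},
        "ingress": [
            {"toPorts": [{"ports": [
                {"port": "3306", "protocol": "TCP"},
                {"port": "33060", "protocol": "TCP"},
            ]}]},
        ],
    },
}


def selects(policy: dict, pod_labels: dict) -> bool:
    """True when every key/value in matchLabels is present on the pod
    (an empty selector selects every pod in the namespace, as in Cilium)."""
    wanted = policy["spec"]["endpointSelector"].get("matchLabels", {})
    return all(pod_labels.get(k) == v for k, v in wanted.items())


def _port_matches(rule_port: dict, port: int, protocol: str) -> bool:
    proto = rule_port.get("protocol", "ANY")
    return str(rule_port["port"]) == str(port) and proto in ("ANY", protocol)


def evaluate_ingress(policy: dict, pod_labels: dict, port: int, protocol: str = "TCP") -> str:
    """Verdict for an ingress flow to a pod: ALLOWED, DROPPED or NOT_SELECTED."""
    if not selects(policy, pod_labels):
        return "NOT_SELECTED"  # policy does not apply, so default allow
    for rule in policy["spec"].get("ingress", []):
        if "toPorts" not in rule:
            return "ALLOWED"  # a rule with no L4 section allows any port
        for to_ports in rule["toPorts"]:
            if any(_port_matches(p, port, protocol) for p in to_ports.get("ports", [])):
                return "ALLOWED"
    return "DROPPED"  # selected by the policy and no rule matched: default deny


def demo() -> dict:
    """Constructed flows against the two label sets used in this guide."""
    mysql, web = {"app": "mysql"}, {"app": "web"}
    return {
        "mysql 3306/TCP": evaluate_ingress(POLICY, mysql, 3306),
        "mysql 33060/TCP": evaluate_ingress(POLICY, mysql, 33060),
        "mysql 22/TCP": evaluate_ingress(POLICY, mysql, 22),
        "mysql 3306/UDP": evaluate_ingress(POLICY, mysql, 3306, "UDP"),
        "web 22/TCP": evaluate_ingress(POLICY, web, 22),
    }


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow:>16}: {verdict}")
```

Note that UDP to 3306 is dropped because the rule names TCP explicitly, and that a pod labelled `app: web` is not selected at all, which is why the comment in the policy about matching your own labels matters: a label mismatch silently leaves the MySQL pod unprotected.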
4. Violate the policy
kubectl get pod
kubectl exec -it <mysql_pod> -- bash
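The Hubble CLI installed in Step 2 is the quickest way to confirm the policy is actually being enforced: `hubble observe -o json` prints one JSON record per flow with a FORWARDED or DROPPED verdict. The script below is an added example (not Cilium, Hubble or KubeArmor code) that summarises those records per destination port and flags any forwarded ingress flow on a port the policy does not list, which is the symptom of a label or namespace mismatch. The sample records are constructed; they follow the flow/verdict/l4/destination layout of the JSON output, and the pod names in them are placeholders.

```python
"""Check hubble observe output for the MySQL ingress policy (added example;
not Cilium, Hubble or KubeArmor code). Feed it live data with

    hubble observe --pod default/<mysql_pod> -o json | python3 check_verdicts.py

SAMPLE below is constructed so the script also runs offline; the records use
the flow/verdict/l4/destination layout that hubble observe -o json emits.
"""
import json
import sys
from collections import Counter

ALLOWED_PORTS = (3306, 33060)  # the ports cnp-mitre-t1571-mysql-ingress permits

# Constructed sample: one allowed connection, two policy drops, one egress flow
# (out of scope for an ingress policy) and one non-flow event to be skipped.
# Pod names are placeholders.
SAMPLE = "\n".join([
    json.dumps({"flow": {"verdict": "FORWARDED", "traffic_direction": "INGRESS",
                         "l4": {"TCP": {"source_port": 51234, "destination_port": 3306}},
                         "source": {"pod_name": "client-7d9f"},
                         "destination": {"namespace": "default", "pod_name": "accuknox-mysql-5c6b"}}}),
    json.dumps({"flow": {"verdict": "DROPPED", "traffic_direction": "INGRESS",
                         "drop_reason_desc": "POLICY_DENIED",
                         "l4": {"TCP": {"source_port": 51235, "destination_port": 22}},
                         "source": {"pod_name": "client-7d9f"},
                         "destination": {"namespace": "default", "pod_name": "accuknox-mysql-5c6b"}}}),
    json.dumps({"flow": {"verdict": "DROPPED", "traffic_direction": "INGRESS",
                         "drop_reason_desc": "POLICY_DENIED",
                         "l4": {"TCP": {"source_port": 51236, "destination_port": 8080}},
                         "source": {"pod_name": "client-7d9f"},
                         "destination": {"namespace": "default", "pod_name": "accuknox-mysql-5c6b"}}}),
    json.dumps({"flow": {"verdict": "FORWARDED", "traffic_direction": "EGRESS",
                         "l4": {"UDP": {"source_port": 40000, "destination_port": 53}},
                         "source": {"pod_name": "accuknox-mysql-5c6b"},
                         "destination": {"namespace": "kube-system", "pod_name": "coredns-1"}}}),
    json.dumps({"node_status": {"state_change": "NODE_CONNECTED"}}),
])


def parse_flows(lines):
    """Yield a flat record per flow event; skip blank, malformed and non-flow lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        flow = rec.get("flow")
        if not flow:
            continue
        l4 = flow.get("l4") or {}
        proto = next(iter(l4), None)  # "TCP", "UDP", "ICMPv4", ...
        yield {
            "verdict": flow.get("verdict", "VERDICT_UNKNOWN"),
            "direction": flow.get("traffic_direction"),
            "dst_pod": (flow.get("destination") or {}).get("pod_name"),
            "protocol": proto,
            "dport": (l4.get(proto) or {}).get("destination_port") if proto else None,
            "reason": flow.get("drop_reason_desc"),
        }


def verify(text: str, allowed_ports=ALLOWED_PORTS) -> dict:
    """Summarise ingress verdicts and flag anything the policy should have stopped."""
    per_port = Counter()
    allowed = policy_drops = 0
    unexpected = []
    for f in parse_flows(text.splitlines()):
        if f["direction"] != "INGRESS":
            continue  # the policy only governs ingress
        per_port[f"{f['dport']}/{f['verdict']}"] += 1
        if f["verdict"] == "DROPPED" and f["reason"] == "POLICY_DENIED":
            policy_drops += 1
        elif f["verdict"] == "FORWARDED":
            if f["dport"] in allowed_ports:
                allowed += 1
            else:
                # Forwarded ingress on an unlisted port: the policy is not
                # selecting this pod (wrong label or namespace).
                unexpected.append(f)
    return {"allowed": allowed, "policy_drops": policy_drops,
            "per_port": dict(per_port), "unexpected": unexpected}


if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    print(json.dumps(verify(data), indent=2))
```

Run it against the constructed sample and you should see one allowed flow on 3306, two policy drops (ports 22 and 8080) and an empty `unexpected` list; a non-empty `unexpected` list on a real cluster means the policy is applied but not selecting the MySQL pod.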
5. Delete the policy
kubectl delete cnp cnp-mitre-t1571-mysql-ingress