Minikube Cluster
Overview¶
This user journey guides you to install and verify the compatibility of Cilium on Minikube by applying policies on kubernetes workloads.
Step 1: Clone the Repository¶
git clone https://github.com/kubearmor/KubeArmor.git
Step 2: Install VirtualBox¶
cd KubeArmor/contribution/minikube
./install_virtualbox.sh
Note: Once VirtualBox installed, reboot the system.
sudo reboot
Step 3: Install Minikube¶
cd KubeArmor/contribution/minikube
./install_minikube.sh
./start_minikube.sh
Step 4: Cilium Installation¶
Install Cilium CLI:
curl -L --remote-name-all https://github.com/cilium/cilium-cli/releases/latest/download/cilium-
linux-amd64.tar.gz{,.sha256sum}
sha256sum --check cilium-linux-amd64.tar.gz.sha256sum
sudo tar xzvfC cilium-linux-amd64.tar.gz /usr/local/bin
rm cilium-linux-amd64.tar.gz{,.sha256sum}
cilium install
kubectl get pods -n kube-system | grep cilium
cilium status --wait
Cilium Hubble Enable:
cilium hubble enable
Cilium Hubble Verify:
kubectl get pods -n kube-system | grep hubble
Install Hubble CLI Client:
export HUBBLE_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/hubble/master/stable.txt)
curl -L --remote-name-all https://github.com/cilium/hubble/releases/download/$HUBBLE_VERSION/hubble-linux-amd64.tar.gz{,.sha256sum}
sha256sum --check hubble-linux-amd64.tar.gz.sha256sum
sudo tar xzvfC hubble-linux-amd64.tar.gz /usr/local/bin
rm hubble-linux-amd64.tar.gz{,.sha256sum}
Step 5: Getting Alerts/Telemetry from Cilium¶
Enable port-forwarding for Cilium Hubble relay:
cilium hubble port-forward&
Step 6: Cilium Policy¶
1. Create a tightfighter & deathstart deployment
cat tightfighter-deathstart-app.yaml
apiVersion: v1
kind: Service
metadata:
name: deathstar
labels:
app.kubernetes.io/name: deathstar
spec:
type: ClusterIP
ports:
- port: 80
selector:
org: empire
class: deathstar
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: deathstar
labels:
app.kubernetes.io/name: deathstar
spec:
replicas: 2
selector:
matchLabels:
org: empire
class: deathstar
template:
metadata:
labels:
org: empire
class: deathstar
app.kubernetes.io/name: deathstar
spec:
containers:
- name: deathstar
image: docker.io/cilium/starwars
---
apiVersion: v1
kind: Pod
metadata:
name: tiefighter
labels:
org: empire
class: tiefighter
app.kubernetes.io/name: tiefighter
spec:
containers:
- name: spaceship
image: docker.io/tgraf/netperf
---
apiVersion: v1
kind: Pod
metadata:
name: xwing
labels:
app.kubernetes.io/name: xwing
org: alliance
class: xwing
spec:
containers:
- name: spaceship
image: docker.io/tgraf/netperf
kubectl apply -f tightfighter-deathstart-app.yaml
kubectl get pods --show-labels
2. Apply the following policy
cat sample-cilium-ingress-policy.yaml
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
name: "rule1-egress"
spec:
description: "L7 policy to restrict access to specific HTTP call"
endpointSelector:
matchLabels:
class: tiefighter
egress:
- toPorts:
- ports:
- port: "80"
protocol: TCP
rules:
http:
- method: "POST"
path: "/v1/request-landing"
kubectl apply -f sample-cilium-ingress-policy.yaml
kubectl get CiliumNetworkPolicy
3. Violating the policy
kubectl get svc
kubectl exec -n default tiefighter -- curl -s -XPOST 10.106.29.11/v1/request-landing
kubectl exec -n default tiefighter -- curl -s -XPOST 10.106.29.11/v1/test
4. Verifying the Cilium Violation logs
hubble observe --pod tiefighter --protocol http