Minikube Cluster

Overview

This user journey guides you to install and verify the compatibility of Cilium on Minikube by applying policies on kubernetes workloads.

Step 1: Clone the Repository

git clone https://github.com/kubearmor/KubeArmor.git

Step 2: Install VirtualBox

cd KubeArmor/contribution/minikube

./install_virtualbox.sh

Note: Once VirtualBox installed, reboot the system.

sudo reboot

Step 3: Install Minikube

cd KubeArmor/contribution/minikube

./install_minikube.sh

./start_minikube.sh

Step 4: Cilium Installation

Install Cilium CLI:

curl -L --remote-name-all https://github.com/cilium/cilium-cli/releases/latest/download/cilium-
linux-amd64.tar.gz{,.sha256sum}

sha256sum --check cilium-linux-amd64.tar.gz.sha256sum

sudo tar xzvfC cilium-linux-amd64.tar.gz /usr/local/bin

rm cilium-linux-amd64.tar.gz{,.sha256sum}

cilium install

kubectl get pods -n kube-system | grep cilium

cilium status --wait

Cilium Hubble Enable:

cilium hubble enable

Cilium Hubble Verify:

kubectl get pods -n kube-system | grep hubble

Install Hubble CLI Client:

export HUBBLE_VERSION=$(curl -s https://raw.githubusercontent.com/cilium/hubble/master/stable.txt)

curl -L --remote-name-all https://github.com/cilium/hubble/releases/download/$HUBBLE_VERSION/hubble-linux-amd64.tar.gz{,.sha256sum}

sha256sum --check hubble-linux-amd64.tar.gz.sha256sum

sudo tar xzvfC hubble-linux-amd64.tar.gz /usr/local/bin

rm hubble-linux-amd64.tar.gz{,.sha256sum}

Step 5: Getting Alerts/Telemetry from Cilium

Enable port-forwarding for Cilium Hubble relay:

cilium hubble port-forward&

Step 6: Cilium Policy

1. Create a tightfighter & deathstart deployment

cat tightfighter-deathstart-app.yaml

apiVersion: v1
kind: Service
metadata:
 name: deathstar
 labels:
   app.kubernetes.io/name: deathstar
spec:
 type: ClusterIP
 ports:
 - port: 80
 selector:
   org: empire
   class: deathstar
---
apiVersion: apps/v1
kind: Deployment
metadata:
 name: deathstar
 labels:
   app.kubernetes.io/name: deathstar
spec:
 replicas: 2
 selector:
   matchLabels:
     org: empire
     class: deathstar
 template:
   metadata:
     labels:
       org: empire
       class: deathstar
       app.kubernetes.io/name: deathstar
   spec:
     containers:
     - name: deathstar
       image: docker.io/cilium/starwars
---
apiVersion: v1
kind: Pod
metadata:
 name: tiefighter
 labels:
   org: empire
   class: tiefighter
   app.kubernetes.io/name: tiefighter
spec:
 containers:
 - name: spaceship
   image: docker.io/tgraf/netperf
---
apiVersion: v1
kind: Pod
metadata:
 name: xwing
 labels:
   app.kubernetes.io/name: xwing
   org: alliance
   class: xwing
spec:
 containers:
 - name: spaceship
   image: docker.io/tgraf/netperf

kubectl apply -f tightfighter-deathstart-app.yaml

kubectl get pods --show-labels

2. Apply the following policy

cat sample-cilium-ingress-policy.yaml

apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
 name: "rule1-egress"
spec:
 description: "L7 policy to restrict access to specific HTTP call"
 endpointSelector:
   matchLabels:
     class: tiefighter
 egress:
 - toPorts:
   - ports:
     - port: "80"
       protocol: TCP
     rules:
       http:
       - method: "POST"
         path: "/v1/request-landing"

kubectl apply -f sample-cilium-ingress-policy.yaml

kubectl get CiliumNetworkPolicy

3. Violating the policy

kubectl get svc

kubectl exec -n default tiefighter -- curl -s -XPOST 10.106.29.11/v1/request-landing

kubectl exec -n default tiefighter -- curl -s -XPOST 10.106.29.11/v1/test

4. Verifying the Cilium Violation logs

hubble observe --pod tiefighter --protocol http