
Ubuntu 18.04

Overview

This guide walks you through installing Cilium on Ubuntu 18.04 with the 5.4 kernel and verifying that it works by applying network policies to VM workloads.

Step 1: Install etcd on the control plane VM

sudo apt-get install etcd

Once etcd is installed, set the following values in /etc/default/etcd:

ETCD_LISTEN_CLIENT_URLS=http://0.0.0.0:2379
ETCD_ADVERTISE_CLIENT_URLS=http://0.0.0.0:2379

These URLs make etcd listen on all interfaces over plain HTTP with no authentication, so restrict access to port 2379 to the control plane and worker VMs (for example with a host firewall).

Restart etcd, enable it at boot and check its status:

sudo service etcd restart
sudo systemctl enable etcd
sudo service etcd status


Step 2: Install KVM-Service on the control plane

Prerequisite: download and install Go. Check the Go website for the latest version; 1.18.1 is used here.

wget https://go.dev/dl/go1.18.1.linux-amd64.tar.gz

Extract the archive into /usr/local (requires root) and open /etc/profile:

sudo rm -rf /usr/local/go && sudo tar -C /usr/local -xzf go1.18.1.linux-amd64.tar.gz
sudo vim /etc/profile

Add the following line to /etc/profile:

export PATH=$PATH:/usr/local/go/bin

Then reload the profile:

source /etc/profile 

Clone the KVM-Service code and check out the non-k8s branch:

sudo git clone https://github.com/kubearmor/kvm-service.git


cd kvm-service/
sudo git checkout non-k8s


Change into kvm-service/src/service/ and compile KVM-Service:

make


Once compilation succeeds, start KVM-Service with the following command:

sudo ./kvmservice --non-k8s 2> /dev/null


Note: Leave it running and continue in a new terminal.

Step 3: Install karmor on the control plane

Run the following command to install the karmor utility (review the downloaded script before piping it to sudo sh):

curl -sfL https://raw.githubusercontent.com/kubearmor/kubearmor-client/main/install.sh | sudo sh -s -- -b /usr/local/bin


Step 4: Onboard VMs using karmor

vim kvmpolicy1.yaml
apiVersion: security.kubearmor.com/v1
kind: KubeArmorVirtualMachine
metadata:
  name: testvm1
  labels:
    name: vm1
    vm: true

Onboard the VM with this command:

karmor vm add kvmpolicy1.yaml


When a new VM is onboarded, KVM-Service assigns it a new identity. To see the list of onboarded VMs, run:

karmor vm list


Step 5: Generate the installation script for the configured VM

karmor vm --kvms getscript -v testvm1

Output:

VM installation script copied to testvm1.sh


Step 6: Execute the installation script on a VM with Docker installed

Install Docker:

sudo apt-get update
sudo apt install docker.io
sudo systemctl start docker
sudo systemctl enable docker
sudo systemctl status docker


Open the script, comment out the following line, and save it:

vi testvm1.sh
#sudo docker run --name kubearmor $DOCKER_OPTS $KUBEARMOR_IMAGE      $KUBEARMOR_OPTS


Execute the installation script:

Copy the generated installation script to the appropriate VM with scp or rsync and execute it there to run Cilium.

The script downloads the Cilium Docker images and runs them as containers on each VM. The Cilium instance on each VM connects to the KVM-Service control plane to register itself and to receive information about the other VMs in the cluster: their labels, IPs and configured security policies.

Execute the script on the worker VM with the following commands:

sudo su -
chmod +x testvm1.sh
./testvm1.sh


Note: Make sure kvm-service is running on the control plane VM. To onboard more worker VMs, repeat Step 6, Step 7 and Step 8.

You can verify that the containers are running with the following command:

docker ps


Step 7: Apply and verify a Cilium network policy

vim port80-allow.yaml
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "vm1-allow-http"
spec:
  description: "L4 policy to allow traffic at port 80/TCP"
  nodeSelector:
    matchLabels:
      name: vm1
  ingress:
  - toPorts:
    - ports:
      - port: "80"
        protocol: TCP

Run this command to apply the policy:

karmor vm --kvms policy add port80-allow.yaml


Note: The policy says "ingress, port 80/TCP": it allows ingress connections to that port/protocol only. Any other ingress traffic to the selected VM is denied.

Step 8: Violating the policy


Result: SSH to the VM on port 22 no longer works.

Delete the applied policy:

karmor vm --kvms policy delete port80-allow.yaml

Result: SSH to the VM works again.
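The lockout in Step 8 is easy to reproduce on a real fleet: a CiliumNetworkPolicy that selects a VM allows only the listed ingress ports, so a policy without 22/TCP cuts off SSH. The following pre-flight check is an added example (not code from this page, KubeArmor or Cilium) that evaluates the Step 4 and Step 7 manifests, given here as constructed dicts mirroring the YAML, and reports which VMs each policy selects, which ingress ports remain open and which VMs would lose management access; the management port and the second VM are assumptions.

```python
# Pre-flight check for the VM policy flow above: which ingress ports each
# onboarded VM will accept once the CiliumNetworkPolicy is applied, and which
# VMs would lose SSH access (the lockout shown in Step 8).
from typing import Dict, List, Set, Tuple

# Constructed sample input: dict form of the Step 4 / Step 7 manifests plus a
# second VM, so no YAML library is needed to run this offline.
VMS = [
    {"metadata": {"name": "testvm1", "labels": {"name": "vm1", "vm": "true"}}},
    {"metadata": {"name": "testvm2", "labels": {"name": "vm2", "vm": "true"}}},
]
POLICIES = [
    {"metadata": {"name": "vm1-allow-http"},
     "spec": {"nodeSelector": {"matchLabels": {"name": "vm1"}},
              "ingress": [{"toPorts": [{"ports": [
                  {"port": "80", "protocol": "TCP"}]}]}]}},
]
MGMT_PORT = ("22", "TCP")  # assumption: the VMs are administered over SSH

def selects(policy: dict, vm: dict) -> bool:
    """nodeSelector matches when every matchLabels entry equals a VM label."""
    wanted = policy["spec"].get("nodeSelector", {}).get("matchLabels", {})
    labels = vm["metadata"].get("labels", {})
    return all(labels.get(k) == v for k, v in wanted.items())

def ingress_ports(policy: dict) -> Set[Tuple[str, str]]:
    """Every (port, protocol) pair the policy's ingress toPorts rules allow."""
    allowed = set()
    for rule in policy["spec"].get("ingress", []):
        for tp in rule.get("toPorts", []):
            for p in tp.get("ports", []):
                allowed.add((str(p["port"]), p.get("protocol", "TCP").upper()))
    return allowed

def effective_ingress(vms, policies) -> Dict[str, Set[Tuple[str, str]]]:
    """Per selected VM, the union of ports allowed by all policies selecting it.
    VMs selected by no policy are omitted: nothing is enforced for them."""
    result: Dict[str, Set[Tuple[str, str]]] = {}
    for vm in vms:
        for pol in policies:
            if selects(pol, vm):
                name = vm["metadata"]["name"]
                result.setdefault(name, set()).update(ingress_ports(pol))
    return result

def locked_out(vms, policies) -> List[str]:
    """Selected VMs whose allowed set lacks the management port (Step 8 case)."""
    eff = effective_ingress(vms, policies)
    return sorted(n for n, ports in eff.items() if MGMT_PORT not in ports)
```

Running `locked_out(VMS, POLICIES)` on these inputs returns `["testvm1"]`, i.e. the VM that Step 8 shows becoming unreachable over SSH; adding a second ingress rule for 22/TCP to the policy clears the warning.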
