Ubuntu 18.04
Overview
This user journey guides you through installing Cilium on Ubuntu 18.04 with the 5.4 kernel and verifying compatibility by applying policies to Kubernetes workloads.
Step 1: Install etcd on the control plane VM
sudo apt-get install etcd
Once etcd is installed, set the following values in /etc/default/etcd:
ETCD_LISTEN_CLIENT_URLS=http://0.0.0.0:2379
ETCD_ADVERTISE_CLIENT_URLS=http://0.0.0.0:2379
Restart etcd, enable it at boot and check its status:
sudo service etcd restart
sudo systemctl enable etcd
sudo service etcd status
Step 2: Install KVM-Service on the control plane
Prerequisite: download and install Go. Check the Go website for the latest version.
wget https://go.dev/dl/go1.18.1.linux-amd64.tar.gz
Extract the archive into /usr/local:
sudo rm -rf /usr/local/go && sudo tar -C /usr/local -xzf go1.18.1.linux-amd64.tar.gz
sudo vim /etc/profile
Add the following line to /etc/profile:
export PATH=$PATH:/usr/local/go/bin
Reload the profile:
source /etc/profile
Clone the KVM-Service repository and check out the non-k8s branch:
sudo git clone https://github.com/kubearmor/kvm-service.git
cd kvm-service/
sudo git checkout non-k8s
Change to kvm-service/src/service/ and compile KVM-Service:
make
Once compilation succeeds, start KVM-Service:
sudo ./kvmservice --non-k8s 2> /dev/null
Note: Leave it running and continue in a new terminal.
Step 3: Install Karmor on the control plane
Run the following command to install the karmor utility:
curl -sfL https://raw.githubusercontent.com/kubearmor/kubearmor-client/main/install.sh | sudo sh -s -- -b /usr/local/bin
Step 4: Onboard VMs using Karmor
vim kvmpolicy1.yaml
apiVersion: security.kubearmor.com/v1
kind: KubeArmorVirtualMachine
metadata:
  name: testvm1
  labels:
    name: vm1
    vm: true
Run this command:
karmor vm add kvmpolicy1.yaml
When a new VM is onboarded, KVM-Service assigns it a new identity. To list the onboarded VMs, execute the following command:
karmor vm list
Step 5: Generate the installation script for the configured VM
karmor vm --kvms getscript -v testvm1
Output:
VM installation script copied to testvm1.sh
Step 6: Execute the installation script on a VM with Docker installed
Install Docker:
sudo apt-get update
sudo apt install docker.io
sudo systemctl start docker
sudo systemctl enable docker
sudo systemctl status docker
Comment out the following line in the script and save it:
vi testvm1.sh
#sudo docker run --name kubearmor $DOCKER_OPTS $KUBEARMOR_IMAGE $KUBEARMOR_OPTS
Execute the installation script:
Copy the generated installation script to the appropriate VM with scp or rsync and execute it there to run Cilium.
The script downloads the Cilium Docker images and runs them as containers in each VM. The Cilium instance in each VM connects to the KVM-Service control plane to register itself and to receive information about the other VMs in the cluster: their labels, IPs and configured security policies.
Execute the script on the worker VM with the following commands:
sudo su -
chmod +x testvm1.sh
./testvm1.sh
Note: Make sure kvm-service is running on the control plane VM. To onboard more worker VMs, repeat Step 6, Step 7 and Step 8.
Verify that the container is running:
docker ps
Step 7: Apply and verify a Cilium network policy
vim port80-allow.yaml
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "vm1-allow-http"
spec:
  description: "L4 policy to allow traffic at port 80/TCP"
  nodeSelector:
    matchLabels:
      name: vm1
  ingress:
    - toPorts:
        - ports:
            - port: "80"
              protocol: TCP
Run this command to apply the policy:
karmor vm --kvms policy add port80-allow.yaml
Note: The policy says "ingress, port 80/TCP": ingress connections to that port/protocol are allowed on the selected node, and every other ingress connection to it is denied.
Step 8: Violating the policy
Output: unable to SSH to the VM on port 22
Delete the applied policy:
karmor vm --kvms policy delete port80-allow.yaml
Output: SSH works again
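To make the allow/deny behaviour of Steps 7 and 8 concrete, here is an added Python model of how a nodeSelector plus ingress toPorts policy is evaluated for a node. It is example code written for this page, not Cilium's or KVM-Service's implementation; the policy dict is constructed from port80-allow.yaml above and the node labels from kvmpolicy1.yaml.

```python
# Hypothetical model of policy evaluation (added example; not Cilium's
# or KVM-Service's own code). Only the stdlib is needed.

# Constructed in-line from the port80-allow.yaml shown in Step 7.
PORT80_ALLOW = {
    "apiVersion": "cilium.io/v2",
    "kind": "CiliumNetworkPolicy",
    "metadata": {"name": "vm1-allow-http"},
    "spec": {
        "nodeSelector": {"matchLabels": {"name": "vm1"}},
        "ingress": [{"toPorts": [{"ports": [{"port": "80", "protocol": "TCP"}]}]}],
    },
}

def selects(policy, node_labels):
    """True when every matchLabels entry of the nodeSelector is present on the node."""
    wanted = policy["spec"].get("nodeSelector", {}).get("matchLabels", {})
    return all(node_labels.get(k) == v for k, v in wanted.items())

def rule_allows(rule, port, proto):
    """True when one toPorts entry of an ingress rule covers port/proto."""
    for tp in rule.get("toPorts", []):
        for p in tp.get("ports", []):
            if int(p["port"]) == port and p.get("protocol", "ANY") in ("ANY", proto):
                return True
    return False

def ingress_verdict(policies, node_labels, port, proto="TCP"):
    """'allow' or 'deny' for an inbound connection to port/proto on the node.

    No selecting policy: ingress is unrestricted. Once a selecting policy
    carries an ingress section, the node is default-deny for ingress and only
    the listed port/protocol pairs pass (what the Step 8 SSH test shows).
    """
    selecting = [p for p in policies if selects(p, node_labels)]
    with_ingress = [p for p in selecting if "ingress" in p["spec"]]
    if not with_ingress:
        return "allow"
    for policy in with_ingress:
        if any(rule_allows(r, port, proto) for r in policy["spec"]["ingress"]):
            return "allow"
    return "deny"

if __name__ == "__main__":
    vm1 = {"name": "vm1", "vm": True}  # labels from kvmpolicy1.yaml (Step 4)
    print("policy applied, 80/TCP:", ingress_verdict([PORT80_ALLOW], vm1, 80))  # allow
    print("policy applied, 22/TCP:", ingress_verdict([PORT80_ALLOW], vm1, 22))  # deny
    print("policy deleted, 22/TCP:", ingress_verdict([], vm1, 22))  # allow
```

A node whose labels the selector does not match (for example name: vm2) is untouched by the policy and keeps unrestricted ingress.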