Skip to content

Ubuntu 20.04

Overview

This user journey guides you to install and verify the compatibility of Cilium on Ubuntu 20.04 with 5.13 Kernel Version by applying policies on kubernetes workloads.

Step 1: Install etcd in control plane VM

sudo su

apt update

apt-get install etcd

Once etcd installed, configure the following values in /etc/default/etcd as shown below.

vim /etc/default/etcd

ETCD_LISTEN_CLIENT_URLS=http://0.0.0.0:2379
ETCD_ADVERTISE_CLIENT_URLS=http://0.0.0.0:2379

Restart and Check the status of etcd:

service etcd restart

service etcd status

service etcd enable

Alt

Step 2: Installing BCC

apt install -y bison build-essential cmake flex git libedit-dev \
>   libllvm7 llvm-7-dev libclang-7-dev python zlib1g-dev libelf-dev libfl-dev python3-distutils

git clone --depth 1 --branch v0.24.0 https://github.com/iovisor/bcc.git

Alt

mkdir bcc/build; cd bcc/build

cmake ..

make

make install

cmake -DPYTHON_CMD=python3 ..

pushd src/python/ && make

make install

Alt

Step 3: Install KVM-Service in control plane

Pre-requisites: Download & Install Go

Visit Go website for latest version

wget https://go.dev/dl/go1.18.1.linux-amd64.tar.gz

Untar file:

rm -rf /usr/local/go && tar -C /usr/local -xzf go1.18.1.linux-amd64.tar.gz

vim /etc/profile

Paste the below path in /etc/profile:

export PATH=$PATH:/usr/local/go/bin

Run the following command:

source /etc/profile

Note: KVM-Service requires that all the managed VMs should be within the same network.

git clone https://github.com/kubearmor/kvm-service.git 

cd kvm-service && git checkout non-k8s 

cd src/service/ && make 

./kvmservice --non-k8s 2> /dev/null

Alt

Note: Let it keep running & continue in new terminal.

Step 4: Install Karmor in control plane

curl -sfL https://raw.githubusercontent.com/kubearmor/kubearmor-client/main/install.sh | sudo sh -s -- -b /usr/local/bin

Alt

Step 5: Onboard VMs using Karmor

cat kvmpolicy1.yaml

Alt

karmor vm add kvmpolicy1.yaml

Alt

karmor vm list

Alt

Step 6: Generate Installation scripts for configured VM

karmor vm --kvms getscript -v testvm1

Alt

Step 7: Execute the Installation script in VM

sudo su 

apt update

Note: Docker needs to be Installed before runing the script. 

apt install docker.io

chmod 666 /var/run/docker.sock

Copy the Generated Installation scripts to appropriate VM: 

scp -r testvm1.sh [[email protected]:/path]

chmod +x testvm1.sh

./testvm1.sh 

docker ps

Alt

Step 8: Apply and Verify Cilium network policy

1. Allow connectivity with the control plane ( and port 2379)

vim vm-allow-control-plane.yaml

kind: CiliumNetworkPolicy
metadata:
  name: "vm-allow-control-plane"
spec:
  description: "Policy to allow traffic to kv-store"
  nodeSelector:
    matchLabels:
      name: vm1
  egress:
  - toCIDR:
    - 10.128.0.6/32
    toPorts:
    - ports:
      - port: "2379"
        protocol: TCP

karmor vm --kvms policy add vm-allow-control-plane.yaml

Alt

Note: With the above mentioned policy enforced in the VM, a user cannot access any port of the vm. SSH connection of port22 gets an error connection refused .

Alt

2. For SSH connectivity allow port 22 and 169.254.169.254 port 80

vim vm-allow-ssh.yaml

kind: CiliumNetworkPolicy
metadata:
  name: "vm-allow-ssh"
spec:
  description: "Policy to allow SSH"
  nodeSelector:
    matchLabels:
      name: vm1
  egress:
  - toPorts:
    - ports:
      - port: "22"
        protocol: TCP
  - toCIDR:
    - 169.254.169.254/32
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP

karmor vm --kvms policy add vm-allow-ssh.yaml

Alt

3. This policy block the DNS access in VM

vim vm-dns-visibility.yaml

kind: CiliumNetworkPolicy
metadata:
  name: "vm-dns-visibility"
spec:
  description: "Policy to enable DNS visibility"
  nodeSelector:
    matchLabels:
      name: vm1
  egress:
  - toPorts:
    - ports:
      - port: "53"
        protocol: ANY
      rules:
        dns:
        - matchPattern: "*"

karmor vm --kvms policy add vm-dns-visibility.yaml

Alt

4. This policy allow access of “www.google.co.in” alone in VM

vim vm-allow-www-google-co-in.yaml

kind: CiliumNetworkPolicy
metadata:
  name: "vm-allow-www.google.co.in"
spec:
  description: "Policy to allow traffic to www.google.co.in"
  nodeSelector:
    matchLabels:
      name: vm1
  egress:
  - toFQDNs:
    - matchName: www.google.co.in
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
      - port: "443"
        protocol: TCP

karmor vm --kvms policy add vm-allow-www-google-co-in.yaml

Alt

Step 9: Violating the Policy*

curl http://www.google.co.in/

Alt

curl https://go.dev/

Alt

Verifying policy Violation logs: 

docker exec -it cilium hubble observe -f -t policy-verdict

Alt

Back to top