Ubuntu 20.04
Overview
This guide walks through installing Cilium on Ubuntu 20.04 (kernel 5.13) and verifying compatibility by applying network policies to Kubernetes workloads.
Step 1: Install etcd in the control plane VM
sudo su
apt update
apt-get install etcd
Once etcd is installed, set the following values in /etc/default/etcd:
vim /etc/default/etcd
ETCD_LISTEN_CLIENT_URLS=http://0.0.0.0:2379
ETCD_ADVERTISE_CLIENT_URLS=http://0.0.0.0:2379
Restart etcd, check its status, and enable it at boot:
service etcd restart
service etcd status
systemctl enable etcd
Step 2: Installing BCC
apt install -y bison build-essential cmake flex git libedit-dev \
libllvm7 llvm-7-dev libclang-7-dev python zlib1g-dev libelf-dev libfl-dev python3-distutils
git clone --depth 1 --branch v0.24.0 https://github.com/iovisor/bcc.git
mkdir bcc/build; cd bcc/build
cmake ..
make
make install
cmake -DPYTHON_CMD=python3 ..
pushd src/python/ && make
make install
popd
Step 3: Install KVM-Service in the control plane
Pre-requisites: download and install Go
Check the Go website for the latest version; this guide uses go1.18.1:
wget https://go.dev/dl/go1.18.1.linux-amd64.tar.gz
Remove any previous Go installation and extract the archive into /usr/local:
rm -rf /usr/local/go && tar -C /usr/local -xzf go1.18.1.linux-amd64.tar.gz
vim /etc/profile
Add the following line to /etc/profile:
export PATH=$PATH:/usr/local/go/bin
Reload the profile:
source /etc/profile
Note: KVM-Service requires all managed VMs to be on the same network.
git clone https://github.com/kubearmor/kvm-service.git
cd kvm-service && git checkout non-k8s
cd src/service/ && make
./kvmservice --non-k8s 2> /dev/null
Note: leave it running and continue in a new terminal.
Step 4: Install Karmor in the control plane
curl -sfL https://raw.githubusercontent.com/kubearmor/kubearmor-client/main/install.sh | sudo sh -s -- -b /usr/local/bin
Step 5: Onboard VMs using Karmor
cat kvmpolicy1.yaml
karmor vm add kvmpolicy1.yaml
karmor vm list
Step 6: Generate the installation script for the configured VM
karmor vm --kvms getscript -v testvm1
Step 7: Execute the installation script in the VM
sudo su
apt update
Note: Docker must be installed before running the script.
apt install docker.io
chmod 666 /var/run/docker.sock
Note: making the socket world-writable lets every local user control the Docker daemon (effectively root access); adding the user to the docker group is the narrower alternative.
Copy the generated installation script to the target VM (replace the placeholders with the VM's user, address and destination path):
scp testvm1.sh <user>@<vm-ip>:<path>
chmod +x testvm1.sh
./testvm1.sh
docker ps
Step 8: Apply and verify Cilium network policy
1. Allow connectivity to the control plane (the etcd key-value store on port 2379)
vim vm-allow-control-plane.yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: "vm-allow-control-plane"
spec:
  description: "Policy to allow traffic to kv-store"
  nodeSelector:
    matchLabels:
      name: vm1
  egress:
  - toCIDR:
    - 10.128.0.6/32
    toPorts:
    - ports:
      - port: "2379"
        protocol: TCP
karmor vm --kvms policy add vm-allow-control-plane.yaml
Note: once this policy is enforced on the VM, a user can no longer reach any port on the VM; an SSH connection on port 22 fails with "connection refused". This is Cilium's default-deny behaviour: as soon as an egress policy selects a node, every egress flow the policies do not explicitly allow is dropped.
2. For SSH connectivity, allow port 22, and allow port 80 to 169.254.169.254 (the cloud metadata endpoint)
vim vm-allow-ssh.yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: "vm-allow-ssh"
spec:
  description: "Policy to allow SSH"
  nodeSelector:
    matchLabels:
      name: vm1
  egress:
  - toPorts:
    - ports:
      - port: "22"
        protocol: TCP
  - toCIDR:
    - 169.254.169.254/32
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
karmor vm --kvms policy add vm-allow-ssh.yaml
3. This policy restricts the VM's DNS traffic to port 53 and enables DNS visibility, which the FQDN-based policy in step 4 relies on
vim vm-dns-visibility.yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: "vm-dns-visibility"
spec:
  description: "Policy to enable DNS visibility"
  nodeSelector:
    matchLabels:
      name: vm1
  egress:
  - toPorts:
    - ports:
      - port: "53"
        protocol: ANY
      rules:
        dns:
        - matchPattern: "*"
karmor vm --kvms policy add vm-dns-visibility.yaml
4. This policy allows the VM to reach only www.google.co.in (ports 80 and 443)
vim vm-allow-www-google-co-in.yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: "vm-allow-www.google.co.in"
spec:
  description: "Policy to allow traffic to www.google.co.in"
  nodeSelector:
    matchLabels:
      name: vm1
  egress:
  - toFQDNs:
    - matchName: www.google.co.in
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
      - port: "443"
        protocol: TCP
karmor vm --kvms policy add vm-allow-www-google-co-in.yaml
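The lockout noted after policy 1 follows from Cilium's default-deny behaviour: once one egress policy selects a node, any flow the policies do not explicitly allow is dropped. As an added example (not part of this guide or the KubeArmor project), the script below evaluates a set of these policies for a node and reports whether the SSH and etcd flows the guide depends on stay open; the policies are constructed copies of the page's first two YAML documents as Python dicts, and 203.0.113.10 is a placeholder client address.

```python
"""Pre-flight check for this guide's VM egress policies: once a CiliumNetworkPolicy
with an egress section selects a node, Cilium denies every other egress flow from
it, so a missing SSH or etcd rule locks the VM out (the note after policy 1)."""
import ipaddress

# Constructed copies of the guide's first two policies as Python dicts (no YAML
# dependency); 10.128.0.6 is the control-plane address used on the page.
ALLOW_CONTROL_PLANE = {"spec": {
    "nodeSelector": {"matchLabels": {"name": "vm1"}},
    "egress": [{"toCIDR": ["10.128.0.6/32"],
                "toPorts": [{"ports": [{"port": "2379", "protocol": "TCP"}]}]}]}}
ALLOW_SSH = {"spec": {
    "nodeSelector": {"matchLabels": {"name": "vm1"}},
    "egress": [{"toPorts": [{"ports": [{"port": "22", "protocol": "TCP"}]}]},
               {"toCIDR": ["169.254.169.254/32"],
                "toPorts": [{"ports": [{"port": "80", "protocol": "TCP"}]}]}]}}

def selects(policy, node_labels):
    """True when every matchLabels entry of the policy's nodeSelector matches."""
    sel = policy["spec"].get("nodeSelector", {}).get("matchLabels", {})
    return all(node_labels.get(k) == v for k, v in sel.items())

def allowed_flows(policies, node_labels):
    """Flatten the egress rules of the policies selecting the node into
    (destination, port, protocol) tuples; '*' / 'ANY' mean unrestricted."""
    flows = []
    for pol in (p for p in policies if selects(p, node_labels)):
        for rule in pol["spec"].get("egress", []):
            dests = (rule.get("toCIDR", [])
                     + [f["matchName"] for f in rule.get("toFQDNs", [])]) or ["*"]
            ports = [(p["port"], p.get("protocol", "ANY"))
                     for tp in rule.get("toPorts", []) for p in tp.get("ports", [])]
            flows += [(d, *pp) for d in dests for pp in (ports or [("*", "ANY")])]
    return flows

def _dest_match(rule_dest, dest):
    try:  # CIDR containment when the destination is an IP address
        return rule_dest == "*" or ipaddress.ip_address(dest) in ipaddress.ip_network(rule_dest)
    except ValueError:  # FQDN destination: exact name match
        return rule_dest == dest

def reachable(policies, node_labels, dest, port, proto="TCP"):
    """Would the node still be allowed to open this egress flow?"""
    if not any(selects(p, node_labels) for p in policies):
        return True  # nothing selects the node yet, so no default deny
    return any(_dest_match(d, dest) and rp in ("*", str(port)) and rpr in ("ANY", proto)
               for d, rp, rpr in allowed_flows(policies, node_labels))
```

With only the control-plane policy, `reachable([ALLOW_CONTROL_PLANE], {"name": "vm1"}, "203.0.113.10", 22)` is False, which is the lockout; adding ALLOW_SSH to the list turns it True while etcd on 10.128.0.6:2379 stays allowed in both cases.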
Step 9: Violating the policy
curl http://www.google.co.in/
curl https://go.dev/
The first request matches the FQDN policy; the second does not and is denied.
Verify the policy verdicts with Hubble:
docker exec -it cilium hubble observe -f -t policy-verdict