KubeArmor: Deployment Guide
Deployment Steps for KubeArmor & kArmor CLI
1. Download and install karmor CLI
curl -sfL https://raw.githubusercontent.com/kubearmor/kubearmor-client/main/install.sh | sudo sh -s -- -b /usr/local/bin
2. Install KubeArmor
It is assumed that the k8s cluster is already present/reachable and the user has rights to create service-accounts and cluster-role-bindings.
3. Deploying sample app and policies
kubectl apply -f https://raw.githubusercontent.com/kubearmor/KubeArmor/master/examples/multiubuntu/multiubuntu-deployment.yaml
kubectl apply -f https://raw.githubusercontent.com/kubearmor/KubeArmor/master/examples/multiubuntu/security-policies/ksp-group-1-proc-path-block.yaml
This sample policy blocks execution of sleep
command in ubuntu-1 pods.
c. Simulate policy violation
$ kubectl -n multiubuntu exec -it POD_NAME_FOR_UBUNTU_1 -- bash
# sleep 1
(Permission Denied)
Substitute POD_NAME_FOR_UBUNTU_1 with the actual pod name from kubectl get pods -n multiubuntu
.
4. Getting Alerts/Telemetry from KubeArmor
a. Enable port-forwarding for KubeArmor relay
kubectl port-forward -n kube-system svc/kubearmor 32767:32767
b. Observing logs using karmor cli
- Google Kubernetes Engine (GKE) Container Optimized OS (COS)
- GKE Ubuntu image
- Amazon Elastic Kubernetes Service (EKS)
- Self-managed (on-prem) k8s
- Local k8s engines (microk8s, k3s, minikube)