EKS Amazon Linux 2

Overview¶

This user journey guides you to install and verify the compatibility of Kuberarmor on EKS Amazon Linux 2 by applying policies on Kubernetes workloads.

Note: As of now KubeArmor for EKS Amazon Linux 2 will only Support for Audit mode. In the upcoming updates it will also support Enforcements, such as Allow and Block.

Step 1: Create a EKS-Cluster using AWS Console¶

Alt

Once the nodegroup is created, Install EKS CTL, AWS CLI, Helm tools

aws configure

Alt

eksctl get cluster

aws eks --region us-west-1 update-kubeconfig --name eks-amazon-kubearmor

Alt

kubectl get nodes

kubectl get svc

Alt

Step 2: Karmor Install¶

Install Karmor CLI:

curl -sfL https://raw.githubusercontent.com/kubearmor/kubearmor-client/main/install.sh | sudo sh -s -- -b /usr/local/bin

Alt

karmor install

karmor version

Alt

Karmor Verify:

kubectl get pods -n kube-system | grep kubearmor

Alt

Step 3: Kubearmor Policy on Process Level¶

1. Create a nginx deployment

kubectl create deployment nginx --image nginx

Alt

kubectl get pods --show-labels

Alt

2. Explore the Policy

cat nginx-kubearmor-policy.yaml

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: nginx-kubearmor-policy
 # namespace: accuknox-agents # Change your namespace
spec:
  selector:
    matchLabels:
      app: nginx # use your own label here
  process:
    severity: 3
    matchPaths:
      - path: /usr/bin/touch
      - path: /bin/rm
      - path: /bin/chmod
      - path: /usr/sbin/nginx
  action: Audit

Alt

3. Apply the Policy

kubectl apply -f nginx-kubearmor-policy.yaml

kubectl get kubeArmorPolicy

Alt

Note: Policy will work based on matched labels. Ex: (app: nginx)

4. Violating the Policy

kubectl exec -it nginx-6799fc88d8-qdnfq -- bash

Alt

5. Kubearmor SVC port forward to Monitor the logs

kubectl port-forward -n kube-system svc/kubearmor --address 0.0.0.0 --address :: 32767:32767

Alt

6. Verifying policy Violation logs

karmor log

Alt

Step 4: Kubearmor Policy on File Level¶

1. Explore the policy

cat nginx-kubearmor-policy.yaml

 apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: nginx-kubearmor-policy
 # namespace: accuknox-agents # Change your namespace
spec:
  selector:
    matchLabels:
      app: nginx # use your own label here
  file:
    severity: 3
    matchPaths:
      - path: /etc/fstab
  action: Audit

2. Apply the policy

kubectl apply -f nginx-kubearmor-policy.yaml

Alt

Note: Policy will work based on matched labels. Ex: (app: nginx)

3. Violating the policy

kubectl exec -it nginx-6799fc88d8-qdnfq -- bash

Alt

4. Kubearmor SVC port forward to Monitor the logs

kubectl port-forward -n kube-system svc/kubearmor --address 0.0.0.0 --address :: 32767:32767

Alt

5. Verify the policy violation log

karmor log

Step 5: Kubearmor Policy on Directory level¶

1. Explore the policy

cat nginx-kubearmor-policy.yaml

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: nginx-kubearmor-policy
 # namespace: accuknox-agents # Change your namespace
spec:
  selector:
    matchLabels:
      app: nginx # use your own label here
  file:
    severity: 3
    matchDirectories:
      - dir: /boot/
        recursive: true
  action: Audit

Alt

2. Apply the policy

kubectl apply -f nginx-kubearmor-policy.yaml

Alt

Note: Policy will work based on matched labels. Ex: (app: tomcat)

3. Violating the policy

kubectl exec -it nginx-6799fc88d8-qdnfq -- bash

Alt

4. Kubearmor SVC port forward to Monitor the logs

kubectl port-forward -n kube-system svc/kubearmor --address 0.0.0.0 --address :: 32767:32767

Alt

5. Verify policy violation log

karmor log

Alt

For Log Based Alerts¶

You can visit our Enterprise version

Alt