
K3s Cluster

Overview

This user journey guides you through installing KubeArmor on K3s and verifying its compatibility by applying policies to Kubernetes workloads.

Step 1: Install K3s on Linux

# Installs K3s with the flannel backend and the bundled traefik ingress disabled.
# NOTE(review): --flannel-backend=none means K3s ships no CNI; confirm one is installed before expecting pods to run.
# NOTE(review): the installer is piped straight into sh; outside a lab host, pin a release
# with INSTALL_K3S_VERSION and review the script first.
# --write-kubeconfig-mode 644 leaves the admin kubeconfig readable by every local user.
curl -sfL https://get.k3s.io | INSTALL_K3S_EXEC='--flannel-backend=none --disable traefik' sh -s - --write-kubeconfig-mode 644

Alt

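# Point kubectl at the K3s-generated kubeconfig and keep a per-user copy.
export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
# cp fails on a fresh host where ~/.kube does not exist yet.
mkdir -p ~/.kube
cp /etc/rancher/k3s/k3s.yaml ~/.kube/config
# The source file was written world-readable (mode 644 above); keep the copy private to this user.
chmod 600 ~/.kube/config
# Confirm the k3s service is active before continuing.
systemctl status k3s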

Alt

# Sanity check: kubectl is on PATH and the API server answers with the node list.
which kubectl ; kubectl get nodes

Alt

Step 2: Install karmor (the KubeArmor CLI)

# Installs the karmor CLI into /usr/local/bin.
# NOTE(review): a remote script is piped into sudo sh; review it before use outside a lab host.
curl -sfL https://raw.githubusercontent.com/kubearmor/kubearmor-client/main/install.sh | sudo sh -s -- -b /usr/local/bin
# Deploys KubeArmor into the cluster; its pods appear in kube-system (checked in the next step).
karmor install

Alt

Verify that KubeArmor is running

# The KubeArmor pods should be Running before any policy is applied.
kubectl get pods -n kube-system | grep kubearmor

Alt

Step 3: KubeArmor Policy - Audit

3.1 Create an nginx deployment

# Creates the workload the policies below target; kubectl labels it app=nginx,
# which is the label the policy selectors match on.
kubectl create deployment nginx --image nginx
# --show-labels makes the app=nginx label visible so the selector can be checked.
kubectl get pods --show-labels

Alt

1. Process Level

# Create the policy file with the manifest that follows.
vim nginx-kubearmor-ppolicy-a.yaml 
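---
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: nginx-kubearmor-policy-pa
  # Indented to match `name` so the line parses when uncommented.
  # namespace: k3-test  # uncomment and set to the namespace of the nginx deployment
spec:
  # Only pods carrying this label are covered by the policy.
  selector:
    matchLabels:
      app: nginx  # use your own label here
  # Audit: executing these binaries is still allowed, but each execution is reported as a policy violation.
  process:
    severity: 3
    matchPaths:
      - path: /usr/bin/touch
      # NOTE(review): on images where /bin is a symlink to /usr/bin, confirm which path KubeArmor matches.
      - path: /bin/rm
      - path: /bin/chmod
      - path: /usr/sbin/nginx
  action: Audit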

Apply the policy

kubectl apply -f nginx-kubearmor-ppolicy-a.yaml  
# ksp is the short resource name for KubeArmorPolicy; the new policy should be listed.
kubectl get ksp

Alt

Note: The policy applies only to pods whose labels match the selector, e.g. `app: nginx`.

Violating the Policy

# The pod name is from the author's cluster; substitute yours from `kubectl get pods`.
# Inside the shell, run one of the binaries listed under matchPaths to generate an audit event.
kubectl exec -it nginx-8f458dc5b-shshr -- bash

Alt

Policy violation logs

# Forwards the KubeArmor relay port. The --address flags bind it on every IPv4 and IPv6
# interface; omit them to keep the default loopback binding unless remote access is required.
# This command stays in the foreground.
kubectl port-forward -n kube-system svc/kubearmor --address 0.0.0.0 --address :: 32767:32767

Alt

# Run in a second terminal while the port-forward above is active; streams the policy events.
karmor log

Alt

Alt

Alt

2. File Level

# Create the policy file with the manifest that follows.
vim nginx-kubearmor-fpolicy-a.yaml
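---
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: nginx-kubearmor-policy-fa
  # Indented to match `name` so the line parses when uncommented.
  # namespace: k3-test  # uncomment and set to the namespace of the nginx deployment
spec:
  # Only pods carrying this label are covered by the policy.
  selector:
    matchLabels:
      app: nginx  # use your own label here
  # Audit: access to this file is still allowed, but each access is reported as a policy violation.
  file:
    severity: 3
    matchPaths:
      - path: /etc/fstab
  action: Audit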

Apply the policy

kubectl apply -f nginx-kubearmor-fpolicy-a.yaml 
# ksp is the short resource name for KubeArmorPolicy; the new policy should be listed.
kubectl get ksp

Alt

Note: The policy applies only to pods whose labels match the selector, e.g. `app: nginx`.

Violating the Policy

# The pod name is from the author's cluster; substitute yours from `kubectl get pods`.
# Inside the shell, read the file listed under matchPaths to generate an audit event.
kubectl exec -it nginx-8f458dc5b-shshr -- bash

Alt

Policy violation logs

# Forwards the KubeArmor relay port on every interface; omit the --address flags to keep
# the default loopback binding unless remote access is required. Stays in the foreground.
kubectl port-forward -n kube-system svc/kubearmor --address 0.0.0.0 --address :: 32767:32767

Alt

# Run in a second terminal while the port-forward above is active; streams the policy events.
karmor log

Alt

3. Directory Level

# Create the policy file with the manifest that follows.
vim nginx-kubearmor-dpolicy-a.yaml
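---
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: nginx-kubearmor-policy-da
  # Indented to match `name` so the line parses when uncommented.
  # namespace: k3-test  # uncomment and set to the namespace of the nginx deployment
spec:
  # Only pods carrying this label are covered by the policy.
  selector:
    matchLabels:
      app: nginx  # use your own label here
  # Audit: access anywhere under /boot/ (recursive) is still allowed, but reported as a policy violation.
  file:
    severity: 3
    matchDirectories:
      - dir: /boot/
        recursive: true
  action: Audit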

Apply the policy

kubectl apply -f nginx-kubearmor-dpolicy-a.yaml
# ksp is the short resource name for KubeArmorPolicy; the new policy should be listed.
kubectl get ksp

Alt

Note: The policy applies only to pods whose labels match the selector, e.g. `app: nginx`.

Violating the Policy

# The pod name is from the author's cluster; substitute yours from `kubectl get pods`.
# Inside the shell, list or read something under the directory in matchDirectories to generate an audit event.
kubectl exec -it nginx-8f458dc5b-shshr -- bash

Alt

Policy violation logs

# Forwards the KubeArmor relay port on every interface; omit the --address flags to keep
# the default loopback binding unless remote access is required. Stays in the foreground.
kubectl port-forward -n kube-system svc/kubearmor --address 0.0.0.0 --address :: 32767:32767

Alt

# Run in a second terminal while the port-forward above is active; streams the policy events.
karmor log

Alt

Step 4: KubeArmor Policy - Block

1. Process Level

# Create the policy file with the manifest that follows.
vim nginx-kubearmor-ppolicy-b.yaml
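---
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: nginx-kubearmor-policy-pb
  # Indented to match `name` so the line parses when uncommented.
  # namespace: k3-test  # uncomment and set to the namespace of the nginx deployment
spec:
  # Only pods carrying this label are covered by the policy.
  selector:
    matchLabels:
      app: nginx  # use your own label here
  # Block: executing these binaries is denied and reported as a policy violation.
  process:
    severity: 3
    matchPaths:
      - path: /usr/bin/touch
      # NOTE(review): on images where /bin is a symlink to /usr/bin, confirm which path KubeArmor matches.
      - path: /bin/rm
      - path: /bin/chmod
      # NOTE(review): this is the container's own entrypoint binary; if the container restarts,
      # the restart is presumably denied as well — confirm this is intended for the demo.
      - path: /usr/sbin/nginx
  action: Block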

Apply the policy

kubectl apply -f nginx-kubearmor-ppolicy-b.yaml  
# ksp is the short resource name for KubeArmorPolicy; the new policy should be listed.
kubectl get ksp

Alt

Note: The policy applies only to pods whose labels match the selector, e.g. `app: nginx`.

Violating the Policy

# The pod name is from the author's cluster; substitute yours from `kubectl get pods`.
# Inside the shell, run one of the binaries listed under matchPaths; with action Block the call should be denied.
kubectl exec -it nginx-8f458dc5b-shshr -- bash

Alt

Policy violation logs

# Forwards the KubeArmor relay port on every interface; omit the --address flags to keep
# the default loopback binding unless remote access is required. Stays in the foreground.
kubectl port-forward -n kube-system svc/kubearmor --address 0.0.0.0 --address :: 32767:32767

Alt

# Run in a second terminal while the port-forward above is active; streams the policy events.
karmor log

Alt

Alt

2. File Level

# Create the policy file with the manifest that follows.
vim nginx-kubearmor-fpolicy-b.yaml
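---
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: nginx-kubearmor-policy-fb
  # Indented to match `name` so the line parses when uncommented.
  # namespace: k3-test  # uncomment and set to the namespace of the nginx deployment
spec:
  # Only pods carrying this label are covered by the policy.
  selector:
    matchLabels:
      app: nginx  # use your own label here
  # Block: access to this file is denied and reported as a policy violation.
  file:
    severity: 3
    matchPaths:
      - path: /etc/fstab
  action: Block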

Apply the policy

kubectl apply -f nginx-kubearmor-fpolicy-b.yaml 
# ksp is the short resource name for KubeArmorPolicy; the new policy should be listed.
kubectl get ksp

Alt

Note: The policy applies only to pods whose labels match the selector, e.g. `app: nginx`.

Violating the Policy

# The pod name is from the author's cluster; substitute yours from `kubectl get pods`.
# Inside the shell, read the file listed under matchPaths; with action Block the access should be denied.
kubectl exec -it nginx-8f458dc5b-shshr -- bash

Alt

Policy violation logs

# Forwards the KubeArmor relay port on every interface; omit the --address flags to keep
# the default loopback binding unless remote access is required. Stays in the foreground.
kubectl port-forward -n kube-system svc/kubearmor --address 0.0.0.0 --address :: 32767:32767

Alt

# Run in a second terminal while the port-forward above is active; streams the policy events.
karmor log

Alt

3. Directory Level

# Create the policy file with the manifest that follows.
vim nginx-kubearmor-dpolicy-b.yaml
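---
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: nginx-kubearmor-policy-db
  # Indented to match `name` so the line parses when uncommented.
  # namespace: k3-test  # uncomment and set to the namespace of the nginx deployment
spec:
  # Only pods carrying this label are covered by the policy.
  selector:
    matchLabels:
      app: nginx  # use your own label here
  # Block: access anywhere under /boot/ (recursive) is denied and reported as a policy violation.
  file:
    severity: 3
    matchDirectories:
      - dir: /boot/
        recursive: true
  action: Block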

Apply the policy

kubectl apply -f nginx-kubearmor-dpolicy-b.yaml
# ksp is the short resource name for KubeArmorPolicy; the new policy should be listed.
kubectl get ksp

Alt

Note: The policy applies only to pods whose labels match the selector, e.g. `app: nginx`.

Violating the Policy

# The pod name is from the author's cluster; substitute yours from `kubectl get pods`.
# Inside the shell, list or read something under the directory in matchDirectories; with action Block the access should be denied.
kubectl exec -it nginx-8f458dc5b-shshr -- bash

Alt

Policy violation logs

# Forwards the KubeArmor relay port on every interface; omit the --address flags to keep
# the default loopback binding unless remote access is required. Stays in the foreground.
kubectl port-forward -n kube-system svc/kubearmor --address 0.0.0.0 --address :: 32767:32767

Alt

# Run in a second terminal while the port-forward above is active; streams the policy events.
karmor log

Alt
