MicroK8s Cluster
Overview
This guide walks through installing KubeArmor on MicroK8s and verifying that it works by applying policies to Kubernetes workloads.
Step 1: Set up MicroK8s
Clone the Repository:
git clone https://github.com/kubearmor/KubeArmor.git
cd KubeArmor/contribution/microk8s
Run the script to set up a MicroK8s Kubernetes cluster, then confirm the cluster is up:
./install_microk8s.sh
kubectl get all -A
Step 2: Set up KubeArmor
Install the karmor CLI and use it to install KubeArmor:
curl -sfL https://raw.githubusercontent.com/kubearmor/kubearmor-client/main/install.sh | sudo sh -s -- -b /usr/local/bin
karmor install
Verify that the KubeArmor pods are running:
kubectl get pods -n kube-system | grep kubearmor
Step 3: Create a KubeArmor policy
1. Create an nginx deployment and note its labels
kubectl create deployment nginx --image nginx
kubectl get pods --show-labels
2. Create the following policy file
KubeArmor is open source software that protects your cloud workloads at runtime.
vi ksp-block-untrusted-shell-execution.yaml
```yaml
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-block-untrusted-shell-execution
  namespace: default # Change your namespace
spec:
  tags: ["MITRE", "D3fend", "Execution", "Unix Shell"]
  message: "Bash shells have been accessed"
  selector:
    matchLabels:
      app: nginx
  process:
    severity: 2 # Higher severity for processes
    matchPaths:
      - path: /bin/bash
      - path: /bin/sh
      - path: /usr/bin/bash
      - path: /usr/bin/env
      - path: /usr/bin/shell
      - path: /bin/ksh
      - path: /etc/init.d
      - path: /dev/tty
      - path: /bin/zsh
      - path: /bin/tcsh
      - path: /bin/csh
    action: Block
  file:
    severity: 10 # lowest severity for processes invoked as child process of bash
    matchPaths:
      - path: /bin/bash
      - path: /bin/sh
      - path: /usr/bin/bash
      - path: /usr/bin/env
      - path: /usr/bin/shell
      - path: /bin/ksh
      - path: /etc/init.d
      - path: /dev/tty
      - path: /bin/zsh
      - path: /bin/tcsh
      - path: /bin/csh
        fromSource:
          - path: /bin/bash
    action: Audit
```
3. Apply the policy
kubectl apply -f ksp-block-untrusted-shell-execution.yaml
Note: the policy applies only to pods whose labels match the selector (e.g. app: nginx).
kubectl get pods
4. Try to violate the policy by opening a shell in the pod
kubectl exec -it <Pod Name> -- bash
5. Run sh and env inside the pod to trigger further policy violations
Note: KubeArmor is working if the commands blocked by the policy cannot be run.
Step 4: Getting Alerts/Telemetry from KubeArmor
1. Port-forward the KubeArmor service to monitor the logs
kubectl port-forward -n kube-system svc/kubearmor --address 0.0.0.0 --address :: 32767:32767
2. Check the policy violation logs
karmor log
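To confirm from the telemetry that the policy above is actually enforced, the alert stream can be checked for a Block alert per path rather than read by eye. The script below is an added example, not part of this guide or of KubeArmor: it parses JSON-lines alerts of the shape `karmor log --json` prints (field names follow KubeArmor's alert schema; the pod name, timestamps and lines are constructed), counts what the policy raised, and reports which blocked paths have not yet produced a "Permission denied" alert.

```python
import json
from collections import Counter

# Constructed sample in the JSON-lines shape that `karmor log --json` prints.
# Field names follow KubeArmor's alert schema; pod name and timestamps are made up.
SAMPLE_LOG = """\
{"Timestamp":1700000000,"NamespaceName":"default","PodName":"nginx-7c5ddbdf54-abcde","PolicyName":"ksp-block-untrusted-shell-execution","Severity":"2","Type":"MatchedPolicy","Operation":"Process","Source":"/usr/bin/runc","Resource":"/bin/bash","Action":"Block","Result":"Permission denied","Message":"Bash shells have been accessed"}
{"Timestamp":1700000001,"NamespaceName":"default","PodName":"nginx-7c5ddbdf54-abcde","PolicyName":"ksp-block-untrusted-shell-execution","Severity":"2","Type":"MatchedPolicy","Operation":"Process","Source":"/usr/bin/runc","Resource":"/bin/sh","Action":"Block","Result":"Permission denied","Message":"Bash shells have been accessed"}
{"Timestamp":1700000002,"NamespaceName":"default","PodName":"nginx-7c5ddbdf54-abcde","PolicyName":"ksp-block-untrusted-shell-execution","Severity":"10","Type":"MatchedPolicy","Operation":"File","Source":"/bin/bash","Resource":"/dev/tty","Action":"Audit","Result":"Passed","Message":"Bash shells have been accessed"}
status line that is not JSON
"""

def parse_alerts(text):
    """Parse JSON-lines alert output, skipping blank or non-JSON lines."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # karmor may interleave status text; ignore it
    return alerts

def summarize(alerts, policy):
    """Count (Operation, Action, Resource) triples raised by one policy."""
    return Counter(
        (a.get("Operation"), a.get("Action"), a.get("Resource"))
        for a in alerts if a.get("PolicyName") == policy
    )

def unenforced_paths(alerts, policy, expected_blocked):
    """Paths the policy should block for which no 'Permission denied'
    Block alert has been observed yet (i.e. enforcement not yet confirmed)."""
    seen = {
        a.get("Resource") for a in alerts
        if a.get("PolicyName") == policy and a.get("Action") == "Block"
        and a.get("Result") == "Permission denied"
    }
    return sorted(set(expected_blocked) - seen)

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_LOG)
    pol = "ksp-block-untrusted-shell-execution"
    for key, n in sorted(summarize(alerts, pol).items()):
        print(key, n)
    print("block not yet confirmed for:",
          unenforced_paths(alerts, pol, ["/bin/bash", "/bin/sh", "/usr/bin/env"]))
```

On a live cluster, pipe the output of `karmor log --json` into parse_alerts instead of SAMPLE_LOG.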