
MicroK8s Cluster

Overview

This user journey guides you through installing KubeArmor on MicroK8s and verifying that it works by applying policies to Kubernetes workloads.

Step 1: Set up MicroK8s

Clone the Repository:

git clone https://github.com/kubearmor/KubeArmor.git


cd KubeArmor/contribution/microk8s

Run the script to set up a MicroK8s Kubernetes cluster, then confirm that the cluster resources are up:

./install_microk8s.sh
kubectl get all -A


Step 2: Set up KubeArmor

Install the karmor CLI, then use it to install KubeArmor:

curl -sfL https://raw.githubusercontent.com/kubearmor/kubearmor-client/main/install.sh | sudo sh -s -- -b /usr/local/bin
karmor install


Verify that the KubeArmor pods are running:

kubectl get pods -n kube-system | grep kubearmor


Step 3: Create KubeArmor policy

1. Create an nginx deployment

kubectl create deployment nginx --image nginx
kubectl get pods --show-labels


2. Create the policy file ksp-block-untrusted-shell-execution.yaml with the following contents

vi ksp-block-untrusted-shell-execution.yaml

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-block-untrusted-shell-execution
  namespace: default # change to the namespace of your workload
spec:
  tags: ["MITRE", "D3fend", "Execution", "Unix Shell"]
  message: "Bash shells have been accessed"
  selector:
    matchLabels:
      app: nginx
  process:
    severity: 2 # severity reported in alerts for direct shell execution
    matchPaths:
    - path: /bin/bash
    - path: /bin/sh
    - path: /usr/bin/bash
    - path: /usr/bin/env
    - path: /usr/bin/shell
    - path: /bin/ksh
    - path: /etc/init.d
    - path: /dev/tty
    - path: /bin/zsh
    - path: /bin/tcsh
    - path: /bin/csh
    action: Block
  file:
    severity: 10 # severity reported in alerts for file access by a child process of bash
    matchPaths:
    - path: /bin/bash
    - path: /bin/sh
    - path: /usr/bin/bash
    - path: /usr/bin/env
    - path: /usr/bin/shell
    - path: /bin/ksh
    - path: /etc/init.d
    - path: /dev/tty
    - path: /bin/zsh
    - path: /bin/tcsh
    - path: /bin/csh
      fromSource:
      - path: /bin/bash
    action: Audit

Note: in the file section, the fromSource restriction is nested under the last entry (/bin/csh) only; the other file paths are audited regardless of which process accesses them.

3. Apply the policy

kubectl apply -f ksp-block-untrusted-shell-execution.yaml

Note: the policy applies only to pods in the policy's namespace whose labels match the selector (here app: nginx).

kubectl get pods
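Because the policy is scoped by namespace and matchLabels, it is worth checking which pods it will actually cover before expecting alerts. The following Python script is an added example (not part of the original page or the KubeArmor project): it parses the table printed by kubectl get pods -A --show-labels and applies Kubernetes matchLabels semantics (every selector key must be present with the same value, in the policy's namespace). The kubectl output embedded in it is constructed for the example.

```python
"""Check which pods a KubeArmorPolicy selector will cover.

Added example (not part of the KubeArmor docs or project). KubeArmor applies a
policy to pods in the policy's namespace whose labels match every key/value in
spec.selector.matchLabels. The kubectl output below is constructed.
"""

# Constructed sample of `kubectl get pods -A --show-labels` output
SAMPLE_KUBECTL_OUTPUT = """\
NAMESPACE     NAME                     READY   STATUS    RESTARTS   AGE   LABELS
default       nginx-7854ff8877-abcde   1/1     Running   0          2m    app=nginx,pod-template-hash=7854ff8877
default       redis-6d9f5c4b8b-fghij   1/1     Running   0          2m    app=redis,pod-template-hash=6d9f5c4b8b
staging       nginx-7854ff8877-klmno   1/1     Running   0          2m    app=nginx,pod-template-hash=7854ff8877
kube-system   kubearmor-xyz12          1/1     Running   0          5m    kubearmor-app=kubearmor
"""

# Namespace and selector taken from the ksp-block-untrusted-shell-execution policy above
POLICY_NAMESPACE = "default"
POLICY_MATCH_LABELS = {"app": "nginx"}


def parse_labels(label_field):
    """Turn 'k1=v1,k2=v2' (or '<none>') into a dict."""
    if label_field in ("", "<none>"):
        return {}
    labels = {}
    for pair in label_field.split(","):
        key, sep, value = pair.partition("=")
        labels[key] = value if sep else ""
    return labels


def parse_pods(output):
    """Parse `kubectl get pods -A --show-labels` text into (namespace, name, labels) tuples."""
    lines = output.strip().splitlines()
    header = lines[0].split()
    ns_idx, name_idx = header.index("NAMESPACE"), header.index("NAME")
    labels_idx = header.index("LABELS")
    pods = []
    for line in lines[1:]:
        cols = line.split()
        if len(cols) <= labels_idx:
            continue  # skip a malformed row rather than crash
        pods.append((cols[ns_idx], cols[name_idx], parse_labels(cols[labels_idx])))
    return pods


def selector_matches(match_labels, pod_labels):
    """Kubernetes matchLabels semantics: every selector key must be present with the same value."""
    return all(pod_labels.get(k) == v for k, v in match_labels.items())


def pods_in_scope(output, namespace, match_labels):
    """Names of the pods that the policy will be enforced on."""
    return [
        name
        for ns, name, labels in parse_pods(output)
        if ns == namespace and selector_matches(match_labels, labels)
    ]


if __name__ == "__main__":
    for name in pods_in_scope(SAMPLE_KUBECTL_OUTPUT, POLICY_NAMESPACE, POLICY_MATCH_LABELS):
        print("policy applies to:", name)
```

Only the nginx pod in the default namespace is reported: the nginx pod in staging has the right label but the wrong namespace, and the redis pod has the wrong label value. Pipe real kubectl output into parse_pods to check a live cluster the same way.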


4. Trigger a policy violation by opening a shell in the pod

kubectl exec -it <Pod Name> -- bash

5. Run the sh and env commands to trigger further policy violations


Note: KubeArmor is enforcing the policy: the commands blocked by the policy cannot be run.

Step 4: Getting Alerts/Telemetry from KubeArmor

1. Port-forward the KubeArmor service to monitor the logs

kubectl port-forward -n kube-system svc/kubearmor --address 0.0.0.0 --address :: 32767:32767


2. Verify the policy violation logs

karmor log
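When the alert stream is long, it helps to reduce it to what the policy actually blocked or audited per pod. The following Python script is an added example (not part of the original page or the KubeArmor project): it reads KubeArmor alerts in JSON form (the field names PolicyName, PodName, Operation, Resource, Action, Result and Type are assumed from KubeArmor's alert format, as printed by karmor with JSON output), skips ordinary container telemetry and malformed lines, and summarizes the matched-policy alerts. The log lines embedded in it are constructed, not captured from a cluster.

```python
"""Summarise KubeArmor policy alerts from JSON log lines.

Added example (not part of the KubeArmor docs or project). The field names are
assumed from KubeArmor's alert format; the sample lines are constructed.
"""
import json
from collections import Counter

POLICY_NAME = "ksp-block-untrusted-shell-execution"

# Constructed sample alerts: two blocked shell executions, one audited file
# access from a bash child, one plain container log entry and one bad line.
SAMPLE_LOG_LINES = [
    '{"NamespaceName": "default", "PodName": "nginx-7854ff8877-abcde", "ContainerName": "nginx", '
    '"PolicyName": "ksp-block-untrusted-shell-execution", "Severity": "2", "Type": "MatchedPolicy", '
    '"Source": "/usr/bin/runc", "Operation": "Process", "Resource": "/bin/bash", '
    '"Data": "syscall=SYS_EXECVE", "Action": "Block", "Result": "Permission denied", '
    '"Message": "Bash shells have been accessed"}',
    '{"NamespaceName": "default", "PodName": "nginx-7854ff8877-abcde", "ContainerName": "nginx", '
    '"PolicyName": "ksp-block-untrusted-shell-execution", "Severity": "2", "Type": "MatchedPolicy", '
    '"Source": "/usr/bin/runc", "Operation": "Process", "Resource": "/usr/bin/env", '
    '"Data": "syscall=SYS_EXECVE", "Action": "Block", "Result": "Permission denied", '
    '"Message": "Bash shells have been accessed"}',
    '{"NamespaceName": "default", "PodName": "nginx-7854ff8877-abcde", "ContainerName": "nginx", '
    '"PolicyName": "ksp-block-untrusted-shell-execution", "Severity": "10", "Type": "MatchedPolicy", '
    '"Source": "/bin/bash", "Operation": "File", "Resource": "/bin/csh", '
    '"Data": "syscall=SYS_OPENAT", "Action": "Audit", "Result": "Passed", '
    '"Message": "Bash shells have been accessed"}',
    # Ordinary container telemetry (no policy matched) is skipped by parse_alerts
    '{"NamespaceName": "default", "PodName": "nginx-7854ff8877-abcde", "ContainerName": "nginx", '
    '"Type": "ContainerLog", "Source": "/usr/sbin/nginx", "Operation": "File", '
    '"Resource": "/etc/nginx/nginx.conf", "Result": "Passed"}',
    'not json at all',  # malformed line, also skipped
]


def parse_alerts(lines):
    """Return the policy-match alerts among the log lines, skipping telemetry and malformed input."""
    alerts = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(entry, dict) or entry.get("Type") != "MatchedPolicy":
            continue
        alerts.append(entry)
    return alerts


def summarize_alerts(alerts):
    """Count alerts per (pod, policy, operation, action, resource)."""
    return Counter(
        (a.get("PodName"), a.get("PolicyName"), a.get("Operation"), a.get("Action"), a.get("Resource"))
        for a in alerts
    )


def blocked_resources(alerts, policy_name):
    """Sorted distinct paths that the given policy denied (Action == Block)."""
    return sorted({a["Resource"] for a in alerts
                   if a.get("PolicyName") == policy_name and a.get("Action") == "Block"})


if __name__ == "__main__":
    found = parse_alerts(SAMPLE_LOG_LINES)
    for (pod, policy, op, action, resource), count in summarize_alerts(found).items():
        print(f"{pod}: {policy} {action} {op} {resource} x{count}")
    print("blocked:", blocked_resources(found, POLICY_NAME))
```

The Audit entry for /bin/csh is reported with Result Passed, which is the expected outcome for the file section of the policy: access is logged but not denied, whereas the process section produces Block alerts with Permission denied. To use it on a live cluster, feed the JSON lines from karmor into parse_alerts.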

