MicroK8's Cluster

Overview

This user journey guides you to install and verify the compatibility of Kuberarmor on MicroK8's by applying policies on kubernetes workloads.

Step 1: Setup MicroK8's

Clone the Repository:

git clone https://github.com/kubearmor/KubeArmor.git

cd KubeArmor/contribution/microk8s

Run the script to set up MicroK8's Kubernetes:

./install_microk8s.sh

kubectl get all -A

Step 2: Setup KubeArmor

Install Karmor CLI:

curl -sfL https://raw.githubusercontent.com/kubearmor/kubearmor-client/main/install.sh | sudo sh -s -- -b /usr/local/bin

karmor install

Karmor Verify:

kubectl get pods -n kube-system | grep kubearmor

Step 3: Create KubeArmor policy

1. Create nginx deployment

kubectl create deployment nginx --image nginx

kubectl get pods --show-labels

2. Apply the following policy

• KubeArmor is an open source software that enables you to protect your cloud workload at run-time.

• To learn more about KubeArmor

vi ksp-block-untrusted-shell-execution.yaml

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-block-untrusted-shell-execution
  namespace: default # Change your namespace
spec:
  tags : ["MITRE","D3fend","Execution","Unix Shell"] 
  message: "Bash shells have been accessed"
  selector:
    matchLabels:
      app: nginx
  process:
    severity: 2 # Higher severity for processes 
    matchPaths:
    - path: /bin/bash
    - path: /bin/sh
    - path: /usr/bin/bash
    - path: /usr/bin/env
    - path: /usr/bin/shell
    - path: /bin/ksh
    - path: /etc/init.d      
    - path: /dev/tty 
    - path: /bin/zsh
    - path: /bin/tcsh
    - path: /bin/csh
    action: Block   
  file:
    severity: 10  # lowest severity for processes invoked as child process of bash
    matchPaths:
    - path: /bin/bash
    - path: /bin/sh
    - path: /usr/bin/bash
    - path: /usr/bin/env
    - path: /usr/bin/shell
    - path: /bin/ksh
    - path: /etc/init.d      
    - path: /dev/tty 
    - path: /bin/zsh
    - path: /bin/tcsh
    - path: /bin/csh
      fromSource:
      - path: /bin/bash
    action: Audit

3. Apply the policy

kubectl apply -f ksp-block-untrusted-shell-execution.yaml  

Note: Policy will work based on matched labels Ex:(app: nginx)

kubectl get pods

4. Violating the policy

kubectl exec -it <Pod Name> -- bash 

5. run sh, env commands for policy violation

Note: Kubearmor is working, we can't run the commands, which we have blocked in the policy..

Step 4: Getting Alerts/Telemetry from KubeArmor

1. Kubearmor SVC port forward to Monitor the logs

kubectl port-forward -n kube-system svc/kubearmor --address 0.0.0.0 --address :: 32767:32767

2. Verifying policy Violation logs

karmor log