KubeArmor and Cilium on Ubuntu 18.04

Overview

This user journey guides you through installing KubeArmor and Cilium on Ubuntu 18.04 with a 5.4 kernel and verifying that the two work together by applying policies to Kubernetes workloads.

Step 1: Install etcd in control plane VM

Install pre-requisites:

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 4052245BD4284CDD
echo "deb https://repo.iovisor.org/apt/$(lsb_release -cs) $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/iovisor.list
sudo apt-get update
sudo apt-get install bcc-tools libbcc-examples linux-headers-$(uname -r)
sudo apt install bpfcc-tools linux-headers-$(uname -r)
sudo apt-get install linux-headers-generic
sudo apt --fix-broken install
sudo apt-get update

Install etcd with the following command:

sudo apt-get install etcd

Once etcd is installed, set the following values in /etc/default/etcd:

ETCD_LISTEN_CLIENT_URLS=http://0.0.0.0:2379
ETCD_ADVERTISE_CLIENT_URLS=http://0.0.0.0:2379

Restart etcd, enable it at boot and check its status (the service command has no enable action, so systemctl is used here):

sudo systemctl restart etcd
sudo systemctl enable etcd
sudo systemctl status etcd

Step 2: Installing KubeArmor

Download & Install the latest release of KubeArmor:

wget https://github.com/kubearmor/KubeArmor/releases/download/v0.3.1/kubearmor_0.3.1_linux-amd64.deb && sudo dpkg -i kubearmor_0.3.1_linux-amd64.deb

Start KubeArmor, enable it at boot and check its status:

sudo systemctl start kubearmor
sudo systemctl enable kubearmor
sudo systemctl status kubearmor

Step 3: Install KVM-Service in control plane

Download and install Go (visit the Go website for the latest version):

wget https://go.dev/dl/go1.18.1.linux-amd64.tar.gz

Extract the archive into /usr/local:

rm -rf /usr/local/go && tar -C /usr/local -xzf go1.18.1.linux-amd64.tar.gz

Add the following line to /etc/profile:

vim /etc/profile 
export PATH=$PATH:/usr/local/go/bin

Reload the profile so the Go binary is on your PATH:

source /etc/profile 

Clone the KVM-Service code and check out the non-k8s branch:

sudo git clone https://github.com/kubearmor/kvm-service.git

cd kvm-service/
sudo git checkout non-k8s

Navigate to kvm-service/src/service/ and run the following command to compile the KVM-Service code:

make

Once the build succeeds, start KVM-Service in non-Kubernetes mode:

sudo ./kvmservice --non-k8s 2> /dev/null

Note: Leave it running and continue in a new terminal.

Step 4: Install Karmor in control plane

Run the following command to install the karmor CLI:

curl -sfL https://raw.githubusercontent.com/kubearmor/kubearmor-client/main/install.sh | sudo sh -s -- -b /usr/local/bin

Step 5: Onboard VMs using Karmor

vim kvmpolicy1.yaml
apiVersion: security.kubearmor.com/v1
kind: KubeArmorVirtualMachine
metadata:
  name: testvm1
  labels:
    name: vm1
    vm: true

Onboard the VM with this command:

karmor vm add kvmpolicy1.yaml

When a new VM is onboarded, the KVM-Service assigns a new identity to it. To see the list of onboarded VMs, execute the following command.

karmor vm list

Step 6: Generate the installation script for the configured VM

karmor vm --kvms getscript -v testvm1

Output:

VM installation script copied to testvm1.sh

Step 7: Execute the installation script in a VM with Docker installed

Install pre-requisites:

sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 4052245BD4284CDD
echo "deb https://repo.iovisor.org/apt/$(lsb_release -cs) $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/iovisor.list
sudo apt-get update
sudo apt-get install bcc-tools libbcc-examples linux-headers-$(uname -r)
sudo apt install bpfcc-tools linux-headers-$(uname -r)
sudo apt-get install linux-headers-generic
sudo apt --fix-broken install
sudo apt-get update

Install Docker:

sudo apt-get update
sudo apt install docker.io
sudo systemctl start docker
sudo systemctl enable docker
sudo systemctl status docker

Comment out the following line in the script and save it (the script itself is testvm1.sh, generated in Step 6):

vi testvm1.sh
#sudo docker run --name kubearmor $DOCKER_OPTS $KUBEARMOR_IMAGE      $KUBEARMOR_OPTS

Execute the installation script:

Copy the generated installation script to the appropriate VM with scp or rsync and execute it to run Cilium.

The script downloads the Cilium Docker images and runs them as containers in each VM. The Cilium instance in each VM connects to the KVM-Service control plane to register itself and to receive information about the other VMs in the cluster: their labels, IPs and the configured security policies.

Execute the script on the worker VM by running the following commands (the script only needs to be executable, so +x is used rather than a world-writable mode):

sudo su -
chmod +x testvm1.sh
./testvm1.sh

Note: Make sure KVM-Service is running on the control plane VM. To onboard more worker VMs, repeat Steps 6, 7 and 8.

You can verify that the Cilium containers are running with the following command:

docker ps

Step 8: Install KubeArmor on the worker VM

Download and install the latest release of KubeArmor:

wget https://github.com/kubearmor/KubeArmor/releases/download/v0.3.1/kubearmor_0.3.1_linux-amd64.deb && sudo dpkg -i kubearmor_0.3.1_linux-amd64.deb

Start KubeArmor, enable it at boot and check its status:

sudo systemctl start kubearmor
sudo systemctl enable kubearmor
sudo systemctl status kubearmor

Step 9: Apply and Verify KubeArmor system policy

1. Apply the policy

vim khp-example-vmname.yaml
apiVersion: security.kubearmor.com/v1
kind: KubeArmorHostPolicy
metadata:
  name: khp-02
spec:
  nodeSelector:
    matchLabels:
      name: vm1
  severity: 5
  file:
    matchPaths:
    - path: /proc/cpuinfo
  action: Block

Run this command to apply the policy:

karmor vm --kvms policy add khp-example-vmname.yaml

Note: With the above policy enforced on the master VM, a user who tries to read /proc/cpuinfo gets a permission denied error, and karmor log shows the alert for the blocked file access.

2. Violating the policy

cat /proc/cpuinfo

3. Deleting the applied policy

karmor vm --kvms policy delete khp-example-vmname.yaml

Step 10: Apply and Verify Cilium network policy

1. Apply the policy

vim port80-allow.yaml
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "vm1-allow-http"
spec:
  description: "L4 policy to allow traffic at port 80/TCP"
  nodeSelector:
    matchLabels:
      name: vm1
  ingress:
  - toPorts:
    - ports:
      - port: "80"
        protocol: TCP

Run this command to apply the policy:

karmor vm --kvms policy add port80-allow.yaml

Note: The policy says "ingress, port 80/TCP": it allows ingress connections to that port and protocol only, and anything else is denied.
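
A pre-flight check for the policies in Step 9 and Step 10, added here as an example and not part of the KubeArmor documentation: it confirms that a policy's spec.nodeSelector.matchLabels actually selects the VM onboarded with kvmpolicy1.yaml in Step 5, since a selector that matches no VM is accepted by karmor but enforces nothing. The function names are assumptions, and the sample manifests are constructed copies of the ones on this page.

```shell
# Added example, not from the KubeArmor docs: check that a policy's
# spec.nodeSelector.matchLabels really selects the VM onboarded in Step 5
# before running `karmor vm --kvms policy add`.  A selector that matches
# no VM is accepted without error but enforces nothing, so the host path
# or port it names stays unprotected.  Serves both the KubeArmorHostPolicy
# of Step 9 and the CiliumNetworkPolicy of Step 10.  Assumes the flat,
# two-space-indented YAML shown on this page; it is not a YAML parser.

# Print "key=value" for every pair nested under "<block>:" (labels or
# matchLabels), stopping when indentation returns to the block's level.
yaml_block_pairs() {  # $1 = yaml file, $2 = block key
  awk -v key="$2" '
    function indent(s) { sub(/[^ ].*$/, "", s); return length(s) }
    $0 ~ ("^ *" key ": *$") { depth = indent($0); inblock = 1; next }
    inblock {
      if ($0 ~ /^ *$/ || indent($0) <= depth) { inblock = 0; next }
      sub(/^ */, ""); sub(/: */, "="); print
    }' "$1"
}

# Exit status 0 only when every matchLabels pair of the policy ($1) is
# present in the VM manifest's labels ($2): selectors require all pairs
# to match.  An empty or missing selector is rejected, not guessed at.
policy_selects_vm() {
  wanted=$(yaml_block_pairs "$1" matchLabels)
  have=$(yaml_block_pairs "$2" labels)
  [ -n "$wanted" ] || return 1
  printf '%s\n' "$wanted" | while IFS= read -r pair; do
    printf '%s\n' "$have" | grep -qxF -- "$pair" || exit 1
  done
}

# Demo on constructed copies of the page's manifests; the second policy
# deliberately carries a typo in the label value (vm-1 instead of vm1).
demo() {
  d=$(mktemp -d)
  printf 'kind: KubeArmorVirtualMachine\nmetadata:\n  name: testvm1\n  labels:\n    name: vm1\n    vm: true\n' > "$d/kvmpolicy1.yaml"
  printf 'kind: KubeArmorHostPolicy\nspec:\n  nodeSelector:\n    matchLabels:\n      name: vm1\n  severity: 5\n' > "$d/khp-ok.yaml"
  printf 'kind: CiliumNetworkPolicy\nspec:\n  nodeSelector:\n    matchLabels:\n      name: vm-1\n  ingress: []\n' > "$d/cnp-typo.yaml"
  for p in khp-ok.yaml cnp-typo.yaml; do
    if policy_selects_vm "$d/$p" "$d/kvmpolicy1.yaml"; then
      echo "$p: selects testvm1, safe to apply"
    else
      echo "$p: selects no onboarded VM, fix nodeSelector first"
    fi
  done
  rm -rf "$d"
}
demo
```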

2. Violating the policy

Output: SSH to the VM on port 22 is no longer possible.

3. Deleting the applied policy

karmor vm --kvms policy delete port80-allow.yaml

Output: SSH to the VM works again.