[k8s] KubeArmor 3. Installation and Testing

Seunghyun Moon · May 8, 2023

KubeArmor series (3/3)


Installation

# Install the karmor CLI into /usr/local/bin, then deploy KubeArmor into the current cluster
curl -sfL http://get.kubearmor.io/ | sudo sh -s -- -b /usr/local/bin && karmor install
 
 
# Install the discovery engine (needed by karmor recommend / karmor summary)
curl -o discovery-engine.yaml https://raw.githubusercontent.com/kubearmor/discovery-engine/dev/deployments/k8s/deployment.yaml
kubectl apply -f discovery-engine.yaml

Prerequisites

# Deploy the sample app (wordpress + mysql in the wordpress-mysql namespace)
git clone https://github.com/kubearmor/KubeArmor.git

cd KubeArmor/examples/wordpress-mysql
kubectl apply -f .

Testing

Hardening ($ karmor recommend)

karmor recommend -n NAMESPACE

To produce recommendable policies, karmor recommend updates its policy templates and pulls the images used in the target namespace so it can match them against the templates.
karmor recommend

The report and the recommendable policies are written under out/.
[screenshot] Result of running karmor recommend

[screenshot] Report contents
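The policies under out/ are KubeArmorPolicy objects. The following is an added example written for this post, not the output of karmor recommend and not a file from the KubeArmor repository; the policy name is made up. It targets the sample app's wordpress pods and starts in Audit mode, so karmor logs shows what the rule would catch before the action is switched to Block:

```yaml
# Added example (hand-written, not karmor recommend output); name is hypothetical.
apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-wordpress-audit-pkg-managers
  namespace: wordpress-mysql
spec:
  severity: 5
  message: "package manager executed inside the wordpress container"
  selector:
    matchLabels:
      app: wordpress          # same label the sample app uses
  process:
    matchPaths:
      - path: /usr/bin/apt
      - path: /usr/bin/apt-get
  # Audit: the process still runs, but every match is reported as an alert.
  # Change to Block once the audit alerts confirm nothing legitimate needs apt.
  action: Audit
```

Apply it with kubectl apply -f, then watch karmor logs while running apt inside the pod: in Audit mode the alert shows Result "Passed"; after switching the action to Block the same command fails with "Permission denied".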

Visibility ($ karmor logs)

Reference: README.md of the wordpress-mysql example

Apply the policy, then trigger an alert.

# apply the sample policy (it blocks the apt/apt-get processes in the wordpress pod)
kubectl apply -f KubeArmor/examples/wordpress-mysql/security-policies/ksp-wordpress-block-process.yaml


# confirm KubeArmor is watching the pod: the kubearmor-visibility annotation lists the event types it reports
POD_NAME=$(kubectl get pods -n wordpress-mysql -l app=wordpress -o jsonpath='{.items[0].metadata.name}') && kubectl describe -n wordpress-mysql pod $POD_NAME | grep kubearmor-visibility


# stream alerts from the cluster (leave this running)
karmor logs


# in a different terminal: exec into the pod and run a blocked process (e.g. apt update)
POD_NAME=$(kubectl get pods -n wordpress-mysql -l app=wordpress -o jsonpath='{.items[0].metadata.name}') && kubectl -n wordpress-mysql exec -it $POD_NAME -- bash

The alert is printed to stdout by karmor logs.
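Reading alerts off stdout does not scale past one pod, so here is an added example (written for this post, not code from the KubeArmor project) that consumes the JSON-lines output of karmor logs --json and summarizes which policies fired, which executions were actually denied, and which policies are still Audit-only. The alert field names (NamespaceName, PodName, PolicyName, Operation, Source, Resource, Action, Result, Type) follow the KubeArmor alert schema; the alert values and pod names in the sample stream are constructed for the example.

```python
"""Triage alerts streamed by `karmor logs --json`.

Added example for this post, not code from the KubeArmor project. It assumes
the JSON-lines output of `karmor logs --json`; the sample alerts below are
constructed, only their field names follow the KubeArmor alert schema.
"""
import json
from collections import Counter


# Constructed sample stream: two Block alerts from the wordpress pod, one
# Audit hit from the mysql pod, and a non-JSON status line as karmor may print.
SAMPLE_STREAM = """\
{"NamespaceName":"wordpress-mysql","PodName":"wordpress-7b6d7f5c6-abcde","ContainerName":"wordpress","PolicyName":"ksp-wordpress-block-process","Severity":"3","Type":"MatchedPolicy","Source":"/bin/bash","Operation":"Process","Resource":"/usr/bin/apt update","Data":"syscall=SYS_EXECVE","Action":"Block","Result":"Permission denied"}
{"NamespaceName":"wordpress-mysql","PodName":"wordpress-7b6d7f5c6-abcde","ContainerName":"wordpress","PolicyName":"ksp-wordpress-block-process","Severity":"3","Type":"MatchedPolicy","Source":"/bin/bash","Operation":"Process","Resource":"/usr/bin/apt-get install curl","Data":"syscall=SYS_EXECVE","Action":"Block","Result":"Permission denied"}
{"NamespaceName":"wordpress-mysql","PodName":"mysql-6c9f8d4b7-xyz12","ContainerName":"mysql","PolicyName":"ksp-mysql-audit-etc-write","Severity":"5","Type":"MatchedPolicy","Source":"/bin/sh","Operation":"File","Resource":"/etc/passwd","Data":"syscall=SYS_OPENAT flags=O_WRONLY","Action":"Audit","Result":"Passed"}
Created a gRPC client (localhost:32767)
"""


def parse_alerts(stream):
    """Parse JSON lines into alert dicts, dropping status text and cut-off lines."""
    alerts = []
    for line in stream.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue                      # karmor status/banner text, not an alert
        try:
            alert = json.loads(line)
        except json.JSONDecodeError:
            continue                      # truncated line (stream interrupted)
        if alert.get("Type") == "MatchedPolicy":
            alerts.append(alert)
    return alerts


def policy_hits(alerts):
    """Count alerts per (namespace, pod, policy, action)."""
    counts = Counter()
    for a in alerts:
        counts[(a["NamespaceName"], a["PodName"], a["PolicyName"], a["Action"])] += 1
    return counts


def denied_executions(alerts):
    """Process executions that a Block policy actually denied, as (pod, source, resource)."""
    return [
        (a["PodName"], a["Source"], a["Resource"])
        for a in alerts
        if a["Operation"] == "Process"
        and a["Action"] == "Block"
        and a["Result"] == "Permission denied"
    ]


def audit_only_policies(alerts):
    """Policies that only ever fired in Audit mode: review their hits, then
    promote them to Block if nothing legitimate matched."""
    actions_by_policy = {}
    for a in alerts:
        actions_by_policy.setdefault(a["PolicyName"], set()).add(a["Action"])
    return sorted(p for p, acts in actions_by_policy.items() if acts == {"Audit"})


if __name__ == "__main__":
    import sys
    # usage: karmor logs --json | python3 triage.py   (falls back to the sample stream)
    stream = SAMPLE_STREAM if sys.stdin.isatty() else sys.stdin.read()
    alerts = parse_alerts(stream)
    for key, n in sorted(policy_hits(alerts).items()):
        print(f"{n:4d}  {'/'.join(key)}")
    for pod, src, res in denied_executions(alerts):
        print(f"denied in {pod}: {src} -> {res}")
    print("audit-only policies:", audit_only_policies(alerts))
```

Pipe the real stream in with `karmor logs --json | python3 triage.py`; the filter on Type == "MatchedPolicy" keeps only policy matches, so plain visibility logs from the same stream are ignored.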

Behavior ($ karmor summary)

https://github.com/kubearmor/KubeArmor/blob/main/getting-started/workload_visibility.md

karmor summary -n wordpress-mysql

Shows the process, file, and network activity observed for the pods in the namespace, as collected by the discovery engine.

KubeArmor exporter

https://github.com/kubearmor/kubearmor-prometheus-exporter

cd kubearmor-prometheus-exporter/deployments
kubectl apply -n wordpress-mysql -f exporter-deployment.yaml
 
 
 
# Deploy Prometheus and Grafana into their own namespace
cd kubearmor-prometheus-exporter/deployments/prometheus
kubectl create namespace kubearmor
kubectl apply -f prometheus-grafana-deployment.yaml
 
 
 
# NOTE: --address 0.0.0.0 / :: exposes the unauthenticated Prometheus UI on every host interface; drop those flags to keep it on localhost
kubectl -n kubearmor port-forward service/prometheus --address 0.0.0.0 --address :: 9091:9090
