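# cli tool & kubearmor install
# Download the installer over HTTPS into a file and run it from there, rather
# than piping a plain-HTTP response straight into a root shell: anyone on the
# network path can rewrite an http:// body, and that body would run under sudo.
# --proto '=https' also refuses a redirect that downgrades to HTTP.
# NOTE(review): confirm get.kubearmor.io answers on HTTPS in your environment;
# if it does not, obtain the installer from the project's GitHub repository.
# Read karmor-install.sh before letting it run as root.
curl --proto '=https' -sfL -o karmor-install.sh https://get.kubearmor.io/ &&
  sudo sh karmor-install.sh -b /usr/local/bin &&
  karmor install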
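# install discovery engine
# NOTE: the manifest is fetched from the mutable `dev` branch, so its content
# can change between runs. Outside a demo, pin the URL to a release tag or a
# commit SHA and review the manifest before applying it to the cluster.
# -f makes curl fail on an HTTP error instead of saving the error page as YAML;
# the && keeps kubectl from applying a stale or partial file after a failure.
curl -fsSL -o discovery-engine.yaml https://raw.githubusercontent.com/kubearmor/discovery-engine/dev/deployments/k8s/deployment.yaml &&
  kubectl apply -f discovery-engine.yaml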
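# sample app deploy
# The steps are chained so that a failed clone or cd cannot leave
# `kubectl apply -f .` running against whatever manifests happen to sit in the
# current directory.
git clone https://github.com/kubearmor/KubeArmor.git &&
  cd KubeArmor/examples/wordpress-mysql &&
  kubectl apply -f .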
# NAMESPACE is a placeholder; replace it with the namespace whose workloads
# should receive policy recommendations.
karmor recommend -n NAMESPACE
recommendable한 policy를 생성하기 위해 policy-template을 업데이트하고, 해당 네임스페이스(ns)에서 사용되는 이미지를 pull해 옵니다.
# Run without a namespace argument; the report and the recommended policies
# are written under out/.
karmor recommend
out/ 에 리포트와 recommendable policy를 생성합니다.
karmor recommend 실행 결과
리포트 내용
정책을 적용하고 alert를 발생시킵니다.
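# Apply the sample policy. The path is relative to the directory that contains
# the KubeArmor clone, so run this from there.
kubectl apply -f KubeArmor/examples/wordpress-mysql/security-policies/ksp-wordpress-block-process.yaml
# Look up the first wordpress pod and show its kubearmor-visibility setting.
# "$POD_NAME" is quoted so the value always reaches kubectl as one argument.
POD_NAME=$(kubectl get pods -n wordpress-mysql -l app=wordpress -o jsonpath='{.items[0].metadata.name}') && kubectl describe -n wordpress-mysql pod "$POD_NAME" | grep kubearmor-visibility
# NOTE(review): `k logs` is incomplete as written; `k` is presumably a kubectl
# alias, and this step presumably streams alerts (e.g. `karmor logs`) - confirm.
k logs
# in a different terminal
# Open a shell in the wordpress pod; commands run there are what the applied
# policy is evaluated against.
POD_NAME=$(kubectl get pods -n wordpress-mysql -l app=wordpress -o jsonpath='{.items[0].metadata.name}') && kubectl -n wordpress-mysql exec -it "$POD_NAME" -- bash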
alert가 stdout으로 출력됩니다.
https://github.com/kubearmor/KubeArmor/blob/main/getting-started/workload_visibility.md
# Show the summary for the pods in the wordpress-mysql namespace.
karmor summary -n wordpress-mysql
네임스페이스 내의 파드에 대한 정보를 보여줍니다.
https://github.com/kubearmor/kubearmor-prometheus-exporter
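# Assumes https://github.com/kubearmor/kubearmor-prometheus-exporter has been
# cloned into the home directory. Absolute paths are used so that each cd works
# regardless of the directory the previous step left the shell in.
cd ~/kubearmor-prometheus-exporter/deployments &&
  kubectl apply -n wordpress-mysql -f exporter-deployment.yaml
cd ~/kubearmor-prometheus-exporter/deployments/prometheus && {
  kubectl create namespace kubearmor
  kubectl apply -f prometheus-grafana-deployment.yaml
}
# CAUTION: `--address 0.0.0.0 --address ::` makes the forwarded port 9091
# reachable from every network interface of this machine, over IPv4 and IPv6.
# Unless the deployment adds authentication, anyone who can reach the host can
# query Prometheus. Drop both --address flags to listen on localhost only, or
# restrict port 9091 with a host firewall if remote access is really needed.
kubectl -n kubearmor port-forward service/prometheus --address 0.0.0.0 --address :: 9091:9090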