- Installation
- Create local test environment (Dynamic Auditing)
- Before Installing Alcide kAudit
- Installation Examples
- Access Alcide kAudit From Outside The Cluster
- Integration with Hashicorp Vault
- EKS
- GKE
- AKS
- Kubernetes Webhook
- Kubernetes Dynamic Auditing (AuditSink)
Usage: make [options] [target] ...
Generate:
generate-aks Generate AKS installation
generate-all Generate All Deployment targets
generate-eks Generate EKS installation
generate-gke Generate GKE installation
generate-k8s Generate Audit Sink installation
generate-k8s-webhook Generate Audit Sink installation
Install:
get-linux-deps Dependencies Linux
Misc:
help Show this help
Test:
create-kind-cluster KIND
create-minikube-cluster Minikube
Kubernetes KIND
kind create cluster --config hack/kind-config.yaml --image kindest/node:v1.16.4 --name kaudit-v1.16 minikube start --memory=6g --cpus=4 \
--extra-config=apiserver.audit-dynamic-configuration=true \
--extra-config=apiserver.feature-gates=DynamicAuditing=true \
--extra-config=apiserver.runtime-config=auditregistration.k8s.io/v1alpha1=true - Download helm 3
curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 && \ chmod 700 get_helm.sh && \ ./get_helm.sh
- Make sure you have the Image registry pull secret key from Alcide
helm upgrade -i kaudit deploy/charts/kaudit --set clusterName="mycluster" --set k8s.mode="webhook" --set image.pullSecretToken="YourAlcideToken"helm upgrade -i kaudit deploy/charts/kaudit --set clusterName="mycluster" --set image.pullSecretToken="YourAlcideToken"or use the interactive wizard to generate a YAML:
deploy/install/kaudit-deployment-wizard.shAnd than run:
kubectl port-forward -n alcide-kaudit svc/kaudit-mycluster 7000:443Point your browser to https://localhost:7000
Notes:
- You should have a DNS entry that points to the cluster
- By default self-signed certificates are generated
- See chart values.yaml on how to use external certificates
- The default domain in this example: secops.mycompany.com
- Use
--set ingress.subDomain="yourdomain.com"to customise the sub-domain used to expose your Alcide kAudit analyzer(s).
kind create cluster --config hack/kind-config.yaml --image kindest/node:v1.16.4 --name kaudit-v1.16helm upgrade -i kaudit-ingress stable/nginx-ingress --namespace alcide-kaudit --set controller.daemonset.useHostPort=true --set controller.service.enabled=false --set controller.kind="DaemonSet" --set controller.ingressClass="kaudit-ingress"helm upgrade -i kaudit deploy/charts/kaudit --set clusterName="mycluster" --set ingress.enable=trueTest that Alcide kAudit is exposed through
curl -D- -k https://localhost:443/ -H 'Host: kaudit-mycluster.secops.mycompany.com'See Vault Agent Injector guide here
kubectl -n demo exec -ti vault-0 /bin/sh
cat <<EOF > /home/vault/kaudit-policy.hcl
path "secret/data/alcide/kaudit-*" {
capabilities = ["read"]
}
EOFvault policy write kaudit /home/vault/kaudit-policy.hcl
kubectl -n demo exec -ti vault-0 /bin/sh
vault auth enable kubernetes
vault write auth/kubernetes/config \
token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \
kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crtNote how kAudit is installed into the cluster:
- namespace
- service account
vault write auth/kubernetes/role/kaudit-mycluster \
bound_service_account_names=alcide-k8s-kaudit-mycluster \
bound_service_account_namespaces=alcide-kaudit \
policies=kaudit \
ttl=1hCreate a vault secret for the kAudit instance being deployed:
vault kv put secret/alcide/kaudit-mycluster \
token='' \
prometheusToken='' \
gkeToken='' \
aksConnectionString='' \
awsSecretAccessKey='somesecret'
- Download helm 3
- Make sure you have the Image registry key from Alcide
Interactive wizard:
deploy/install/kaudit-deployment-wizard.shVault Agent Injector
helm upgrade -i kaudit deploy/charts/kaudit --set clusterName="mycluster" --set vault.mode="agent-inject"Vault
helm upgrade -i kaudit deploy/charts/kaudit --set clusterName="mycluster" --set vault.mode="vault"