Skip to content

Latest commit

 

History

History
217 lines (154 loc) · 5.92 KB

README.md

File metadata and controls

217 lines (154 loc) · 5.92 KB

Test Alcide kAudit Chart

Alcide Code-to-production secutiry

Installation

  • EKS
  • GKE
  • AKS
  • Kubernetes Webhook
  • Kubernetes Dynamic Auditing (AuditSink)

In the Makefile

Usage: make [options] [target] ...

Generate:
  generate-aks                  Generate AKS installation
  generate-all                  Generate All Deployment targets
  generate-eks                  Generate EKS installation
  generate-gke                  Generate GKE installation
  generate-k8s                  Generate Audit Sink installation
  generate-k8s-webhook          Generate Audit Sink installation

Install:
  get-linux-deps                Dependencies Linux

Misc:
  help                          Show this help

Test:
  create-kind-cluster           KIND
  create-minikube-cluster       Minikube

Create local test environment (Dynamic Auditing)

Kubernetes KIND

kind create cluster --config hack/kind-config.yaml --image kindest/node:v1.16.4 --name kaudit-v1.16

Minikube

	minikube start --memory=6g --cpus=4 \
        --extra-config=apiserver.audit-dynamic-configuration=true \
        --extra-config=apiserver.feature-gates=DynamicAuditing=true \
        --extra-config=apiserver.runtime-config=auditregistration.k8s.io/v1alpha1=true  

Before Installing Alcide kAudit

  • Download helm 3
    curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 && \
    chmod 700 get_helm.sh && \
    ./get_helm.sh
  • Make sure you have the Image registry pull secret key from Alcide

Installation Examples

Kubernetes Webhook

helm upgrade -i kaudit deploy/charts/kaudit --set clusterName="mycluster" --set k8s.mode="webhook" --set image.pullSecretToken="YourAlcideToken"

Kubernetes AuditSink

helm upgrade -i kaudit deploy/charts/kaudit --set clusterName="mycluster" --set image.pullSecretToken="YourAlcideToken"

or use the interactive wizard to generate a YAML:

deploy/install/kaudit-deployment-wizard.sh

And than run:

kubectl port-forward -n alcide-kaudit svc/kaudit-mycluster  7000:443

Point your browser to https://localhost:7000

Access Alcide kAudit From Outside The Cluster

Kubernetes Ingress Controller

Notes:

  • You should have a DNS entry that points to the cluster
  • By default self-signed certificates are generated
  • See chart values.yaml on how to use external certificates
  • The default domain in this example: secops.mycompany.com
  • Use --set ingress.subDomain="yourdomain.com" to customise the sub-domain used to expose your Alcide kAudit analyzer(s).

Create KIND Cluster

kind create cluster --config hack/kind-config.yaml --image kindest/node:v1.16.4 --name kaudit-v1.16

Install Kubernetes Ingress Controller

helm upgrade -i kaudit-ingress stable/nginx-ingress --namespace alcide-kaudit --set controller.daemonset.useHostPort=true --set controller.service.enabled=false --set controller.kind="DaemonSet" --set controller.ingressClass="kaudit-ingress"

Install Alcide kAudit

helm upgrade -i kaudit deploy/charts/kaudit --set clusterName="mycluster" --set ingress.enable=true

Test that Alcide kAudit is exposed through

curl  -D-  -k https://localhost:443/  -H 'Host: kaudit-mycluster.secops.mycompany.com'

Integration with Hashicorp Vault

See Vault Agent Injector guide here

Create kAudit Vault Policy

kubectl -n demo exec -ti vault-0 /bin/sh
cat <<EOF > /home/vault/kaudit-policy.hcl
path "secret/data/alcide/kaudit-*" {
  capabilities = ["read"]
}
EOF
vault policy write kaudit /home/vault/kaudit-policy.hcl

Vault Kubernetes Integration

kubectl -n demo exec -ti vault-0 /bin/sh

vault auth enable kubernetes

vault write auth/kubernetes/config \
   token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
   kubernetes_host=https://${KUBERNETES_PORT_443_TCP_ADDR}:443 \
   kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt

Configure kAudit in Vault

Note how kAudit is installed into the cluster:

  • namespace
  • service account
vault write auth/kubernetes/role/kaudit-mycluster \
   bound_service_account_names=alcide-k8s-kaudit-mycluster \
   bound_service_account_namespaces=alcide-kaudit \
   policies=kaudit \
   ttl=1h

Create a vault secret for the kAudit instance being deployed:

 vault kv put secret/alcide/kaudit-mycluster \
    token=''  \
    prometheusToken=''  \
    gkeToken='' \
    aksConnectionString=''  \
    awsSecretAccessKey='somesecret'

Install Alcide kAudit

  • Download helm 3
  • Make sure you have the Image registry key from Alcide

Interactive wizard:

deploy/install/kaudit-deployment-wizard.sh

Helm (v3 and onward)

Vault Agent Injector

helm upgrade -i kaudit deploy/charts/kaudit --set clusterName="mycluster" --set vault.mode="agent-inject"

Vault

helm upgrade -i kaudit deploy/charts/kaudit --set clusterName="mycluster" --set vault.mode="vault"