KubeArmor
Search…
Development Guide

Development

Note Skip the steps for the vagrant setup if you're directly compiling KubeArmor on the Linux host. Proceed here to setup K8s on the same host by resolving any dependencies.
  • Requirements
    Here is the list of requirements for a Vagrant environment
    Vagrant - v2.2.9
    VirtualBox - v6.1
    Clone the KubeArmor github repository in your system
    $ git clone https://github.com/kubearmor/KubeArmor.git
    Install Vagrant and VirtualBox in your environment, go to the vagrant path and run the setup.sh file
    $ cd KubeArmor/contribution/vagrant
    ~/KubeArmor/contribution/vagrant$ ./setup.sh
    ~/KubeArmor/contribution/vagrant$ sudo reboot
  • VM Setup using Vagrant
    Now, it is time to prepare a VM for development.
    To create a vagrant VM
    ~/KubeArmor/KubeArmor$ make vagrant-up
    Output will show up as ...
    To get into the vagrant VM
    ~/KubeArmor/KubeArmor$ make vagrant-ssh
    Output will show up as ...
    To destroy the vagrant VM
    ~/KubeArmor/KubeArmor$ make vagrant-destroy
    • VM Setup using Vagrant with Ubuntu 21.10 (v5.13)
      To use the recent Linux kernel v5.13 for dev env, you can run make with the NETNEXT flag set to 1 for the respective make option.
      ~/KubeArmor/KubeArmor$ make vagrant-up NETNEXT=1
      You can also make the setting static by changing NETNEXT=0 to NETNEXT=1 in the Makefile.
      ~/KubeArmor/KubeArmor$ vi Makefile

2. Self-managed Kubernetes

  • Requirements
    Here is the list of minimum requirements for self-managed Kubernetes.
    OS - Ubuntu 18.04
    Kubernetes - v1.19
    Docker - 18.09 or Containerd - 1.3.7
    Linux Kernel - v4.15
    LSM - AppArmor
    KubeArmor is designed for Kubernetes environment. If Kubernetes is not setup yet, please refer to Kubernetes installation guide. KubeArmor leverages CRI (Container Runtime Interfaces) APIs and works with Docker or Containerd or CRIO based container runtimes. KubeArmor uses LSMs for policy enforcement; thus, please make sure that your environment supports LSMs (either AppArmor or bpf-lsm). Otherwise, KubeArmor will operate in Audit-Mode with no policy "enforcement" support.
    Alternative Setup
    You can try the following alternative if you face any difficulty in the above Kubernetes (kubeadm) setup.
    Note Please make sure to set up the alternative k8s environment on the same host where the KubeArmor development environment is running.
    • K3s
      You can also develop and test KubeArmor on K3s instead of the self-managed Kubernetes. Please follow the instructions in K3s installation guide.
    • MicroK8s
      You can also develop and test KubeArmor on MicroK8s instead of the self-managed Kubernetes. Please follow the instructions in MicroK8s installation guide.
    • No Support - Docker Desktops
      KubeArmor does not work with Docker Desktops on Windows and macOS because KubeArmor integrates with Linux-kernel native primitives (including LSMs).
  • Development Setup
    In order to install all dependencies, please run the following command.
    $ cd KubeArmor/contribution/self-managed-k8s
    ~/KubeArmor/contribution/self-managed-k8s$ ./setup.sh
    setup.sh will automatically install BCC, Go, Protobuf, and some other dependencies.
    Now, you are ready to develop any code for KubeArmor. Enjoy your journey with KubeArmor.

3. Environment Check

  • Compilation
    Check if KubeArmor can be compiled on your environment without any problems.
    $ cd KubeArmor/KubeArmor
    ~/KubeArmor/KubeArmor$ make
    If you see any error messages, please let us know the issue with the full error messages through KubeArmor's slack.
  • Execution
    In order to directly run KubeArmor in a host (not as a container), you need to run a local proxy in advance.
    $ kubectl proxy &
    Then, run KubeArmor on your environment.
    $ cd KubeArmor/KubeArmor
    ~/KubeArmor/KubeArmor$ make run
  • Annotation controller
    Starting from KubeArmor v0.5 annotations are applied via an annotation controller, the controller code can be found under pkg/KubeArmorAnnotation.
    To install the controller from KubeArmor docker repository run
    $ cd KubeArmor/pkg/KubeArmorAnnotation
    ~/KubeArmor/pkg/KubeArmorAnnotation$ make deploy
    To install the controller (local version) to your cluster run
    $ cd KubeArmor/pkg/KubeArmorAnnotation
    ~/KubeArmor/pkg/KubeArmorAnnotation$ make docker-build deploy
    if you need to setup a local registry to push you image, use docker-registry.sh script under ~/KubeArmor/contribution/local-registry directory

Code Directories

Here, we briefly give you an overview of KubeArmor's directories.
  • Source code for KubeArmor (/KubeArmor)
    KubeArmor/
    BPF - eBPF code for system monitor
    common - Libraries internally used
    config - Configuration loader
    core - The main body (start point) of KubeArmor
    enforcer - Runtime policy enforcer (enforcing security policies into LSMs)
    feeder - gRPC-based feeder (sending audit/system logs to a log server)
    kvmAgent - KubeArmor VM agent
    log - Message logger (stdout)
    monitor - eBPF-based system monitor (mapping process IDs to container IDs)
    policy - gRPC service to manage Host Policies for VM environments
    types - Type definitions
    protobuf/ - Protocol buffer
  • Source code for KubeArmor's custom resource definition (CRD)
    pkg/KubeArmorPolicy/ - KubeArmorPolicy CRD generated by Kube-Builder
    pkg/KubeArmorHostPolicy/ - KubeArmorHostPolicy CRD generated by Kube-Builder
    pkg/KubeArmorAnnotation/ - KubeArmorAnnotation Annotation controller/webhook generated by Kube-Builder
  • Files for testing
    examples/ - Example microservices for testing
    tests/ - Automated test framework for KubeArmor
Export as PDF
Copy link
On this page
Development
1. Vagrant Environment (Recommended)
2. Self-managed Kubernetes
3. Environment Check
Code Directories