K8Guard
About
Name
- K8Guard is an auditing system for Kubernetes. It is pronounced like "Kate Guard", like a guardian angel for your Kubernetes clusters. It is open source and developed by Target Corp.
Features
- Discovers violations in a kubernetes cluster.
- Notifies and warns the namespace owners before doing hard actions. (via email or chat)
- Cleans up the violating entities.
- Generates report and metrics of violations and actions.
- Provides an API for integration.
- Highly configurable for different needs.
Violations Examples
- Invalid Image Size (5 GB image)
- Invalid Image Repo (Download an image from a shady repo on the internet?)
- Extra Capabilities (change UID and PID?)
- Privileged Mode (admin rights on the container?)
- Host Volumes Mounted (mount the kubernetes file system on your container?)
- Single Replica Deployment (Didn't read 12-factor?)
- Invalid Ingress (Have * in your ingress? Or a bad word?)
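As an added illustration (not K8Guard's own code), here is a minimal Go checker that flags several of the violation types listed above from a stripped-down deployment description. The Container/Deployment structs, the allowedRepos registry and the allowedCaps whitelist are assumptions made for this example, not K8Guard's types or defaults.

```go
package main

import "strings"

// Minimal stand-ins for the Kubernetes fields K8Guard inspects; constructed
// for this example, not the client-go types.
type Container struct {
	Image          string
	Privileged     bool
	AddedCaps      []string // securityContext.capabilities.add
	HostPathMounts int      // hostPath volumes mounted by this container
}

type Deployment struct {
	Namespace, Name string
	Replicas        int
	Containers      []Container
}

// Policy values are assumptions for this example, not K8Guard defaults.
var allowedRepos = []string{"registry.example.com/"}
var allowedCaps = map[string]bool{"NET_BIND_SERVICE": true}
// FindViolations mirrors the "Violations Examples" list: one tag per broken
// rule, in rule order, so a notifier can report them to the namespace owner.
func FindViolations(d Deployment) []string {
	var out []string
	if d.Replicas < 2 {
		out = append(out, "SINGLE_REPLICA")
	}
	for _, c := range d.Containers {
		trusted := false
		for _, r := range allowedRepos {
			trusted = trusted || strings.HasPrefix(c.Image, r)
		}
		if !trusted {
			out = append(out, "INVALID_IMAGE_REPO:"+c.Image)
		}
		if c.Privileged {
			out = append(out, "PRIVILEGED_MODE:"+c.Image)
		}
		for _, name := range c.AddedCaps {
			if !allowedCaps[name] {
				out = append(out, "EXTRA_CAPABILITY:"+name)
			}
		}
		if c.HostPathMounts > 0 {
			out = append(out, "HOST_VOLUMES_MOUNTED:"+c.Image)
		}
	}
	return out
}
```

Image size and ingress checks need registry metadata and Ingress objects respectively, so they are left out here; a real discover service would query the cluster API for those.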
Microservices
- Discover: Finds violations
- Action: Notifies violators and does action on them.
- Report: Generates human readable/searchable reports of the violations and actions.
Requirements
- System level token for a Kubernetes cluster.
Optional:
- A Kafka topic. (only if you need the action service)
- A Cassandra keyspace. (only if you want to use action and report service)
- Prometheus Server (only if you need metrics and grafana dashboards)
First Time Developer Setup
- Install Go and set up your $GOPATH.
- First clone this repo this way:
  mkdir -p $GOPATH/src/github.com/k8guard/
  cd $GOPATH/src/github.com/k8guard/
  git clone https://github.com/k8guard/k8guard-start-from-here.git
  cd $GOPATH/src/github.com/k8guard/k8guard-start-from-here
- The k8guard-start-from-here folder is where you want to be when running this project.
- Run developer-setup:
  make developer-setup
- Hint 1: The above steps will clone the other repos (k8guardlibs, k8guard-discover, k8guard-action, k8guard-report), install Go tools (glide, goimports) for you, and set up the pre-commit hooks. Note: it uses brew to install glide, currently for Mac users only.
- Hint 2: The Makefile is your friend and is better than this documentation. Take a look at the Makefile in the root of this folder to understand all the commands you need.
Build Before Deploy
- To build all the micro-services:
  make build-all
- Hint: you can build each micro-service individually if you don't want to build all of them:
  make build-discover
  make build-action
  make build-report
Deploy
You can choose to either deploy in minikube or run it in docker-compose. All batteries are included (Kafka, Cassandra, memcached).
Run in docker-compose
- Config: edit the .env and env-creds files. (Default values should work fine.)
- Bring up the core (Cassandra, Kafka, memcached):
  make up-core
- Bring up action, in a new terminal run:
  make up-action
- Bring up discover, in a new terminal run:
  make up-discover
- Open the Discover API url in the browser:
  http://localhost:3000
- Open the Report service url in the browser:
  http://localhost:3001
Clean up docker-compose
- To clean the docker-compose:
  make clean
- Hint: alternatively, you can clean individual services:
  make clean-action
  make clean-discover
  make clean-report
  make clean-core
Run in minikube
Make sure you have installed minikube, edit the config maps and secrets inside the minikube folder for each service, and follow these steps:
minikube start --kubernetes-version v1.5.1
eval $(minikube docker-env)
make deploy-minikube
Give it a couple of minutes, then hit the service urls:
- Get the discover service url:
  minikube service k8guard-discover-service
- Get the report service url:
  minikube service k8guard-report-service
Clean up minikube
To delete the deployment in minikube:
make clean-minikube