System requirements:
- OS: ubuntu 18.04+
- CPU: 6+
- RAM: 10+ GB
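# Run OS preparation
# NOTE(review): this executes an unpinned gist (raw/ without a revision id) with
# the caller's privileges; pin it (raw/<REVISION_ID>/prepare_system.sh, placeholder)
# or download, review, then run. -f makes curl fail on HTTP errors so an error
# page is never piped into bash; -S keeps curl's own error visible despite -s.
curl -fsS https://gist.githubusercontent.com/velp/151636fe01d8b8e3f9c626b30e3c2bc5/raw/prepare_system.sh | bash -s --
# Run minikube with API server
# --driver=none runs the control plane directly on this host (the prompts below
# are root@minikube). The API server certificate gets both the host's primary IP
# (the "src" address of the route to 8.8.8.8) and its public IP as SANs, presumably
# so kubectl can reach it from outside; keep the API server port reachable only
# from trusted clients. "src" is located by name because `ip route get` omits
# "via" on directly connected routes, which shifts a fixed column ($7) onto the
# wrong field.
local_ip=$(ip route get 8.8.8.8 | awk '{ for (i = 1; i <= NF; i++) if ($i == "src") { print $(i + 1); exit } }')
# Use TLS for the public-IP lookup; -f turns an HTTP error into an empty result instead of an error page.
public_ip=$(curl -fsS https://ifconfig.me)
# Abort with a message rather than starting minikube with an empty or trailing-comma SAN list.
: "${local_ip:?could not determine the host's primary IP}"
: "${public_ip:?could not determine the host's public IP}"
minikube start --driver=none --cni=cilium --alsologtostderr --apiserver-ips="${local_ip},${public_ip}"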
Check the cluster:
root@minikube:~# kubectl get node
NAME STATUS ROLES AGE VERSION
minikube Ready master 8m8s v1.19.2
root@minikube:~# kubectl get pod -n kube-system
NAME READY STATUS RESTARTS AGE
cilium-jtbxn 1/1 Running 0 7m56s
cilium-operator-7c755f4594-dg7sj 1/1 Running 0 7m56s
coredns-f9fd979d6-q6ps6 1/1 Running 0 7m56s
etcd-minikube 1/1 Running 0 8m13s
kube-apiserver-minikube 1/1 Running 0 8m13s
kube-controller-manager-minikube 1/1 Running 0 8m12s
kube-proxy-7fjz6 1/1 Running 0 7m56s
kube-scheduler-minikube 1/1 Running 0 8m12s
storage-provisioner 1/1 Running 0 8m12s
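# NOTE(review): the four curl | bash lines below run unpinned gist revisions with
# the caller's privileges; pin each to a revision (raw/<REVISION_ID>/<script>.sh,
# placeholder) or download and review before executing. -f fails on HTTP errors
# so an error page never reaches bash; -S keeps curl's error visible despite -s.
curl -fsS https://gist.githubusercontent.com/velp/151636fe01d8b8e3f9c626b30e3c2bc5/raw/configure_dns.sh | bash -s --
sudo snap install helm --classic
sudo snap install fluxctl --classic
# Append the kubectl completion hook only if it is not already present, so
# re-running these steps does not duplicate it (grep's stderr is silenced only
# for the case where ~/.bashrc does not exist yet).
grep -qF 'source <(kubectl completion bash)' ~/.bashrc 2>/dev/null || echo 'source <(kubectl completion bash)' >>~/.bashrc
source ~/.bashrc
curl -fsS https://gist.githubusercontent.com/velp/151636fe01d8b8e3f9c626b30e3c2bc5/raw/install_ingress.sh | bash -s --
curl -fsS https://gist.githubusercontent.com/velp/151636fe01d8b8e3f9c626b30e3c2bc5/raw/install_cert-manager.sh | bash -s --
curl -fsS https://gist.githubusercontent.com/velp/151636fe01d8b8e3f9c626b30e3c2bc5/raw/get_kube_config.sh | bash -s --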
Documentation https://docs.cilium.io/en/v1.8/gettingstarted/hubble/
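# NOTE(review): unpinned gist piped into bash — pin the revision
# (raw/<REVISION_ID>/install_hubble.sh, placeholder) or download and review first.
# -f keeps HTTP error pages out of bash; -S keeps the error message visible.
curl -fsS https://gist.githubusercontent.com/velp/151636fe01d8b8e3f9c626b30e3c2bc5/raw/install_hubble.sh | bash -s --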
Documentation https://docs.cilium.io/en/v1.8/gettingstarted/cassandra/
Run cassandra server
# Deploy the example Cassandra server and client pods from the Cilium repo.
# NOTE(review): "v1.8" is a git ref that can move; pin a commit SHA
# (<COMMIT_SHA>, placeholder) if the manifests must be reproducible.
kubectl create --filename=https://raw.githubusercontent.com/cilium/cilium/v1.8/examples/kubernetes-cassandra/cass-sw-app.yaml
Create CiliumNetworkPolicy
# Apply the Cassandra CiliumNetworkPolicy (L7 policy for the example above).
kubectl create --filename=https://raw.githubusercontent.com/cilium/cilium/v1.8/examples/kubernetes-cassandra/cass-sw-security-policy.yaml
Check access from the outpost pod:
$ kubectl exec -it $(kubectl get pods -l app=empire-outpost -o jsonpath='{.items[0].metadata.name}') -- cqlsh cassandra-svc
$ cqlsh> SELECT * FROM deathstar.scrum_notes;
Unauthorized: Error from server: code=2100 [Unauthorized] message="Request Unauthorized"
Check access from the hq pod:
$ kubectl exec -it $(kubectl get pods -l app=empire-hq -o jsonpath='{.items[0].metadata.name}') -- cqlsh cassandra-svc
$ cqlsh> SELECT * FROM attendance.daily_records;
loc_id | creation | empire_member_id | present
--------------------------------------+--------------------------------------+--------------------------------------+---------
a855e745-69d8-4159-b8b6-e2bafed8387a | c692ce90-bf57-11e8-98e6-f1a9f45fc4d8 | cee6d956-dbeb-4b09-ad21-1dd93290fa6c | True
<snip>
(12 rows)
Documentation https://docs.cilium.io/en/v1.8/gettingstarted/http/ https://docs.cilium.io/en/latest/policy/visibility/
Run test apps
# Deploy the HTTP demo app (deathstar service plus tiefighter and xwing pods).
kubectl create --filename=https://raw.githubusercontent.com/cilium/cilium/v1.8/examples/minikube/http-sw-app.yaml
Check current cilium policies
# kubectl -n kube-system exec $(kubectl get pods -n kube-system -l "k8s-app=cilium" -o jsonpath='{.items[0].metadata.name}') -- cilium endpoint list | grep "k8s:org" -B4
25 Disabled Disabled 7670 k8s:class=xwing 10.0.0.141 ready
k8s:io.cilium.k8s.policy.cluster=default
k8s:io.cilium.k8s.policy.serviceaccount=default
k8s:io.kubernetes.pod.namespace=default
k8s:org=alliance
--
44 Disabled Disabled 8407 k8s:class=tiefighter 10.0.0.4 ready
k8s:io.cilium.k8s.policy.cluster=default
k8s:io.cilium.k8s.policy.serviceaccount=default
k8s:io.kubernetes.pod.namespace=default
k8s:org=empire
--
1625 Disabled Disabled 1061 k8s:class=deathstar 10.0.0.5 ready
k8s:io.cilium.k8s.policy.cluster=default
k8s:io.cilium.k8s.policy.serviceaccount=default
k8s:io.kubernetes.pod.namespace=default
k8s:org=empire
--
3144 Disabled Disabled 1061 k8s:class=deathstar 10.0.0.126 ready
k8s:io.cilium.k8s.policy.cluster=default
k8s:io.cilium.k8s.policy.serviceaccount=default
k8s:io.kubernetes.pod.namespace=default
k8s:org=empire
Create policy
# Apply the L3/L4/L7 policy; after this the deathstar endpoints show ingress
# policy "Enabled" in `cilium endpoint list`.
kubectl create --filename=https://raw.githubusercontent.com/cilium/cilium/v1.8/examples/minikube/sw_l3_l4_l7_policy.yaml
Check cilium policies again
# kubectl -n kube-system exec $(kubectl get pods -n kube-system -l "k8s-app=cilium" -o jsonpath='{.items[0].metadata.name}') -- cilium endpoint list | grep "k8s:org" -B4
25 Disabled Disabled 7670 k8s:class=xwing 10.0.0.141 ready
k8s:io.cilium.k8s.policy.cluster=default
k8s:io.cilium.k8s.policy.serviceaccount=default
k8s:io.kubernetes.pod.namespace=default
k8s:org=alliance
--
44 Disabled Disabled 8407 k8s:class=tiefighter 10.0.0.4 ready
k8s:io.cilium.k8s.policy.cluster=default
k8s:io.cilium.k8s.policy.serviceaccount=default
k8s:io.kubernetes.pod.namespace=default
k8s:org=empire
--
1625 Enabled Disabled 1061 k8s:class=deathstar 10.0.0.5 ready
k8s:io.cilium.k8s.policy.cluster=default
k8s:io.cilium.k8s.policy.serviceaccount=default
k8s:io.kubernetes.pod.namespace=default
k8s:org=empire
--
3144 Enabled Disabled 1061 k8s:class=deathstar 10.0.0.126 ready
k8s:io.cilium.k8s.policy.cluster=default
k8s:io.cilium.k8s.policy.serviceaccount=default
k8s:io.kubernetes.pod.namespace=default
k8s:org=empire
Add proxy-visibility annotations
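# Enable proxy visibility for DNS (UDP/53) and HTTP (TCP/80) egress on both
# client pods. --overwrite makes the step repeatable: kubectl annotate otherwise
# fails when the annotation already exists.
for pod in tiefighter xwing; do
  kubectl annotate pod "$pod" --overwrite io.cilium.proxy-visibility="<Egress/53/UDP/DNS>,<Egress/80/TCP/HTTP>"
done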
Check policies
# allowed L4 request
$ kubectl exec tiefighter -- curl -m 5 -s -v -XPOST deathstar.default.svc.cluster.local/v1/request-landing
* Trying 10.107.91.73...
* TCP_NODELAY set
* Connected to deathstar.default.svc.cluster.local (10.107.91.73) port 80 (#0)
> POST /v1/request-landing HTTP/1.1
> Host: deathstar.default.svc.cluster.local
> User-Agent: curl/7.52.1
> Accept: */*
>
Ship landed
< HTTP/1.1 200 OK
< Content-Type: text/plain
< Date: Tue, 13 Oct 2020 19:46:28 GMT
< Content-Length: 12
<
{ [12 bytes data]
* Curl_http_done: called premature == 0
* Connection #0 to host deathstar.default.svc.cluster.local left intact
# denied L4 request
$ kubectl exec xwing -- curl -m 5 -s -v -XPOST deathstar.default.svc.cluster.local/v1/request-landing
* Trying 10.107.91.73...
* TCP_NODELAY set
* Connection timed out after 5000 milliseconds
* Curl_http_done: called premature == 1
* Closing connection 0
command terminated with exit code 28
# denied L7 request
$ kubectl exec tiefighter -- curl -m 5 -s -v -XPOST deathstar.default.svc.cluster.local/v1/exhaust-port
* Trying 10.107.91.73...
* TCP_NODELAY set
* Connected to deathstar.default.svc.cluster.local (10.107.91.73) port 80 (#0)
> POST /v1/exhaust-port HTTP/1.1
> Host: deathstar.default.svc.cluster.local
> User-Agent: curl/7.52.1
> Accept: */*
>
Access denied
< HTTP/1.1 403 Forbidden
< content-length: 15
< content-type: text/plain
< date: Tue, 13 Oct 2020 19:52:44 GMT
< server: envoy
<
{ [15 bytes data]
* Curl_http_done: called premature == 0
* Connection #0 to host deathstar.default.svc.cluster.local left intact
- https://docs.cilium.io/en/v1.8/gettingstarted/k8s-install-default/
- https://docs.cilium.io/en/v1.8/concepts/security/proxy/envoy/
- https://cilium.io/blog/2018/10/23/cilium-13-envoy-go
- https://docs.cilium.io/en/v1.8/gettingstarted/cassandra/
- https://docs.cilium.io/en/v1.8/gettingstarted/http/
- https://docs.cilium.io/en/v1.8/gettingstarted/hubble/
- https://docs.cilium.io/en/latest/policy/visibility/#proxy-visibility
- https://docs.cilium.io/en/stable/configuration/metrics/