AccuKnox in Kubernetes

For today’s post I’ve been wanting to cover more open-source tools that can assist your production operations suite. Enter the policy enforcement tool known as AccuKnox.

What is AccuKnox?

In a nutshell, this tool provides policy enforcement. Its components can be used with Cilium as the CNI, and it adds a few extra features:

  • SPIFFE based identity solution – this follows the SPIRE reference and implements the changes in the Cilium control plane.
  • Policy Audit/Staging which allows a user to validate the impact of policy before enforcing it (think of this as testing your policy prior to rollout).

Much more is covered in the documentation; check it out: https://help.accuknox.com/open-source/open-source-accuknox/.

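Let’s get the installation going and see how it works.

This assumes you have your cluster up and running; I’m running 1.26 for this specific demo. First, install the karmor CLI. Note that this command fetches the install script over plain HTTP and pipes it straight into a root shell, so on anything other than a throwaway cluster, download the script and read it before running it.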

curl -sfL http://get.kubearmor.io/ | sudo sh -s -- -b /usr/local/bin

Then let’s run the following commands:

# Install KubeArmor
karmor install

# Install Discovery-Engine
kubectl apply -f https://raw.githubusercontent.com/kubearmor/discovery-engine/dev/deployments/k8s/deployment.yaml

If you ran the commands correctly, you should see the install progress printed with a few nice emojis. After this, you can run a kubectl command to reveal our pods.

kubectl get pods -A

Everything is up and running, apart from a few pods that are still initializing, so we can continue from here.

kubectl apply -f https://raw.githubusercontent.com/kubearmor/KubeArmor/main/examples/wordpress-mysql/wordpress-mysql-deployment.yaml

This is the sample application from the documentation. If you have a simple application of your own that you want to test, you can deploy that instead.


You can run a few commands in the CLI to get familiar with the utility. I ran the following command:

karmor summary

If we scroll further, the output shows more in-depth information on egress/ingress, and you can see the processes that are running as well. This is really insightful for pinpointing your workload’s processes and configuration.

We will use the following YAML from Case Scenario #2:

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  name: ksp-wordpress-block-config
  namespace: wordpress-mysql
spec:
  severity: 10
  selector:
    matchLabels:
      app: wordpress
  file:
    matchPaths:
      - path: /var/www/html/wp-config.php
        fromSource:
          - path: /bin/cat
  action: Block

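The key is to run this inside the WordPress pod (the one the policy selects with app: wordpress) before applying the policy, so you can see that the read succeeds:

kubectl exec -it wordpress-<your numbers> -n wordpress-mysql -- bash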
cat /var/www/html/wp-config.php

Now we can apply our policy:

kubectl apply -f <your-yaml file>

Voilà! This is a simple use case that can be expanded, but it shows the important part: for the specific areas of your application that you want restricted by policy, this can enforce that and so much more. Let’s say we want recommended policies; you can run the following:

karmor recommend --namespace wordpress-mysql --labels app=wordpress

The output should look similar to the screenshot below. Give this some time, as it works through the policies in the background.

We now have policies that are listed for our workload.

This is pretty extensive for our WordPress workload. We also have references for each specific policy in the “Tags” section.

Another feature we can use is the auto-discovered policies:

karmor discover -n wordpress-mysql -l "app=wordpress" -f yaml
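
To confirm what ksp-wordpress-block-config does once applied, or to stage it first with action: Audit before switching it to Block, the alert stream can be checked in code instead of by eye. The following is an added example, not code from the AccuKnox or KubeArmor projects: it parses alerts in the JSON-lines form printed by karmor logs --json and reports whether the latest match was a real denial. It assumes the alert fields Type, PolicyName, Source, Resource, Action and Result, and the sample alerts (including the second policy name) are constructed for illustration.

```python
import json
from collections import Counter

POLICY = "ksp-wordpress-block-config"
RESOURCE = "/var/www/html/wp-config.php"

def _alert(policy, source, resource, action, result):
    """Build one constructed alert using KubeArmor's alert field names."""
    return json.dumps({"Type": "MatchedPolicy", "PolicyName": policy, "Source": source,
                       "Resource": resource, "Action": action, "Result": result})

# Constructed sample, oldest first: policy staged as Audit, then set to Block.
SAMPLE = "\n".join([
    _alert(POLICY, "/bin/cat " + RESOURCE, RESOURCE, "Audit", "Passed"),
    "constructed non-JSON line that the parser must skip",
    _alert("example-other-policy", "/bin/ls /tmp", "/tmp", "Audit", "Passed"),
    _alert(POLICY, "/bin/cat " + RESOURCE, RESOURCE, "Block", "Permission denied"),
])

def parse_alerts(text):
    """Return policy-match alerts, ignoring blank and non-JSON lines."""
    alerts = []
    for line in text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and event.get("Type") == "MatchedPolicy":
            alerts.append(event)
    return alerts

def summarize(alerts, policy):
    """Count (binary, resource, action, result) for one policy's matches."""
    counts = Counter()
    for a in alerts:
        if a.get("PolicyName") == policy:
            binary = a.get("Source", "").split(" ", 1)[0]
            counts[(binary, a.get("Resource"), a.get("Action"), a.get("Result"))] += 1
    return counts

def is_enforced(alerts, policy, resource):
    """True only if the latest match on `resource` was an actual denial."""
    hits = [a for a in alerts if (a.get("PolicyName"), a.get("Resource")) == (policy, resource)]
    last = hits[-1] if hits else {}  # no hits: the rule never fired, which proves nothing
    return last.get("Action") == "Block" and last.get("Result") != "Passed"

if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE)
    print(dict(summarize(parsed, POLICY)), is_enforced(parsed, POLICY, RESOURCE))
```

On a live cluster, feed it the output of karmor logs --json captured while repeating the cat from inside the pod. Because the policy lists /bin/cat under fromSource, only reads made by that binary will show up as matches.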

Monitoring and Tuning AccuKnox to Achieve Maximum Efficiency

To ensure that your Kubernetes workflow is running smoothly and efficiently, it is important to monitor and tune AccuKnox regularly. By monitoring the performance of your workflows, you can identify bottlenecks and make necessary adjustments to improve efficiency. Additionally, tuning AccuKnox can help you fine-tune your workflows for optimal performance.

In this subsection, we will cover some tips for monitoring and tuning AccuKnox for maximum efficiency:

Monitoring:

– Use metrics and logs to monitor the performance of your workflows and identify bottlenecks.

– Set up alerts to notify you of any issues with your workflows so that you can take action quickly.

– Use tools like Grafana or Prometheus to visualize data from metrics and logs for easy analysis.

Tuning:

– Make sure that all parameters are properly configured before starting a workflow.

– Experiment with different values for parameters to find the optimal settings for your environment.

– Use profiling tools to identify areas where AccuKnox is spending excessive time or resources.

Conclusion

Many tools exist in the open-source domain, but what makes this one stand out is its ease of use and relatively good documentation, with more examples of use cases that you can apply immediately. I have yet to attempt the SaaS-based version; I’d imagine it would open a UI/UX that might be a robust version of what we are utilizing in the command line. As always, you are only limited by what you are not experimenting with, but to avoid vendor lock-in you’ll likely want to consider this in your tool set.