Architecting your Kubernetes Home Lab
Overview
Introduction
You would like to learn, test, or demo VMware Carbon Black for containers, but you don’t want to break your production K8s environment, or you don’t have a K8s environment at all: you need a K8s lab!
Of course, you can run K8s on your laptop, but if you want to experiment with questions like “what are the consequences of this security policy on my containers?”, you definitely need a lab that you can roll back to a known-good state. The easiest way to get this is a virtual environment where you can take snapshots.
Purpose of This Tutorial
This tutorial takes you through the steps to create a K8s security lab in a virtual environment for VMware Carbon Black Cloud for containers. Before you start, you must first set up a virtual machine hypervisor like VMware Workstation on Windows, or VMware Fusion on Mac.
Audience
This tutorial is intended for Security and IT administrators and product evaluators who have a basic knowledge of hypervisors, Linux, and Kubernetes. Familiarity with networking and storage in a virtual environment is assumed. Knowledge of other technologies, such as Linux administration and shell commands, is also helpful.
Linux Ubuntu Installation
Introduction
This section helps you to install and configure Ubuntu in a virtual machine. The steps are sequential and build upon one another, so make sure that you complete each step before going to the next step.
Prerequisites
Before you can perform the steps in this exercise, you must install VMware Workstation, VMware Fusion, or any other hypervisor available for your laptop.
Procedure
Download ISO from Ubuntu's page: https://releases.ubuntu.com/22.04/
We recommend Ubuntu 22.04 LTS (Long Term Support) Desktop, with the following settings:
Minimum | Very Comfortable Experience
---|---
(The CPU, memory and disk values of this table were not preserved in this copy of the guide.)
Warning: with only 2 CPUs, CBC will not be able to start.
During installation, select “minimal installation”.
microK8s Installation
Introduction
This section helps you to install and configure microK8s in your Ubuntu virtual machine. The steps are sequential and build upon one another, so make sure that you complete each step before going to the next step.
Prerequisites
Before you can perform the steps in this exercise, you need to update Ubuntu Linux with the latest security updates and install some useful packages.
Open a terminal, and copy/paste the command lines below:
# Update Ubuntu
sudo apt-get update
sudo apt-get -y upgrade
# Useful packages
sudo apt install curl vim htop git
# If you need SSH access to Ubuntu Linux
sudo apt install openssh-server
For security reasons, don’t log in as root; use a regular user account with sudo access instead.
Procedure
In the following steps, you will install microK8s, configure the Linux firewall (ufw) to allow K8s traffic on the cni0 interface, add your user to the microk8s group, and enable K8s addons.
# Install microK8s
sudo snap install microk8s --classic
# Configure Firewall
sudo ufw allow in on cni0
sudo ufw allow out on cni0
sudo ufw default allow routed
# Join the group
sudo usermod -a -G microk8s $USER
sudo chown -f -R $USER ~/.kube
newgrp microk8s
# Enable addons
microk8s enable dns dashboard storage
Linux for microK8s Configuration
Introduction
This section helps you to configure Linux microK8s for a better experience. The steps are sequential and build upon one another, so make sure that you complete each step before going to the next step.
Prerequisites
Before you can perform the steps in this exercise, you need to install Ubuntu Linux and microK8s. For security reasons, don’t log in as root; use a regular user account with sudo access instead.
Procedure
In the following steps, you will configure Linux for microK8s, create a kubectl alias, enable kubectl autocompletion and customize the prompt.
Create kubectl alias
MicroK8s uses a namespaced kubectl command to prevent conflicts with any existing installs of kubectl. If you don’t have an existing install, it is easier to add an alias (append to ~/.bash_aliases) like this:
echo "alias kubectl='/snap/bin/microk8s kubectl'" >>~/.bash_aliases
. ~/.bash_aliases
# Check your installation
kubectl version -o json
Enable autocompletion of kubectl command
echo 'source <(kubectl completion bash)' >>~/.bashrc
source ~/.bashrc
Now that these steps have been completed, you are ready to use your K8s lab environment. If you are evaluating, or are a customer of, VMware Carbon Black Container, move on to the final section to learn how to install it in your lab environment.
VMware Carbon Black Cloud Installation
Introduction
This section helps you to install VMware Carbon Black Cloud for containers in microK8s. You could also install VMware Carbon Black Cloud Endpoint on Linux, but that is not the purpose of this document.
Prerequisites
Before you can perform the steps in this exercise, you need to install Ubuntu Linux and microK8s.
You need to have access to a VMware Carbon Black instance with at least the "Container Security Essentials" feature enabled.
If you don’t have access to a VMware Carbon Black instance, you can ask a VMware representative to:
- Create a VMware Carbon Black POC environment
OR
- Invite you to the Testdrive experience: https://pathfinder.vmware.com/activity/testdrive_container_security
Procedure
VMware Carbon Black for containers installation has two parts:
- Installation of VMware Carbon Black operator in a K8s cluster
- Installation of VMware Carbon Black for container CLI.
CBC Operator Installation
- Define KUBECTL environment variable in your Linux terminal:
# Run this command before install and uninstall
export KUBECTL="microk8s kubectl"
- Log in to the CBC Containers UI and navigate to Inventory > Kubernetes > K8s Clusters > (Tab Clusters) > Add Cluster, and follow the wizard.
Remark: if an error occurs at the first command ("curl ..."), check that you have defined KUBECTL as mentioned above, and check that your Kubernetes cluster is ready (kubectl get nodes).
- Log in to the CB Containers UI and navigate to Inventory > Kubernetes > K8s Clusters > (Tab CLI Config) > Add CLI
- Follow the wizard.
- Make cbctl executable, and copy it into your path:
chmod +x ~/Downloads/cbctl
sudo cp ~/Downloads/cbctl /usr/local/bin
- Enable autocompletion of the cbctl command:
echo 'source <(cbctl completion bash)' >>~/.bashrc
source ~/.bashrc
- Your Lab is ready!
- Power off Ubuntu Linux and create a snapshot!
microk8s stop
poweroff
Use the Snapshot menu on the Workstation toolbar to take a snapshot.
- Choose VM > Snapshot > Take Snapshot.
- Type a name for your snapshot, for example: “K8s Lab ready”
- If you wish, you may type a description for your snapshot...
- Click OK.
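Before you power off and snapshot the VM, it is worth verifying that the lab is actually in the state the guide describes. The following script is an added example, not part of the original guide: each check takes its input as arguments so the logic can be exercised on constructed sample output, and run_all gathers the live values on the lab VM (LAB_CHECK_RUN=1 sh check.sh; the script name and the LAB_CHECK_RUN variable are assumptions).

```shell
#!/bin/sh
# Pre-snapshot sanity check for the microK8s + CBC lab built in this guide.
# Added example, not part of the original guide. Every check is a function
# that receives its input as arguments; run_all collects the live values.

# CBC will not start with only 2 CPUs (warning in the Ubuntu section).
cpu_ok() {                       # $1 = CPU count, e.g. from nproc
  [ "$1" -gt 2 ]
}

# Run as a non-root user that has been added to the microk8s group.
user_ok() {                      # $1 = uid, $2 = groups as printed by id -Gn
  [ "$1" -ne 0 ] || return 1
  case " $2 " in *" microk8s "*) return 0 ;; esac
  return 1
}

# The three ufw settings from the microK8s Procedure: allow in/out on cni0
# and a routed default of allow. $1 = output of `sudo ufw status verbose`.
ufw_ok() {
  printf '%s\n' "$1" | grep -q 'allow (routed)' &&
  printf '%s\n' "$1" | grep -Eq '^Anywhere on cni0 +ALLOW( IN)? +Anywhere' &&
  printf '%s\n' "$1" | grep -Eq '^Anywhere +ALLOW OUT +Anywhere on cni0'
}

# Every node must report Ready. $1 = `kubectl get nodes --no-headers` output.
nodes_ready() {
  [ -n "$1" ] && ! printf '%s\n' "$1" | awk '{print $2}' | grep -vq '^Ready$'
}

# The CBC operator install commands expect KUBECTL to be exported.
kubectl_var_ok() {               # $1 = value of $KUBECTL
  [ "$1" = "microk8s kubectl" ]
}

run_all() {
  cpu_ok "$(nproc)"                   || { echo "FAIL: need more than 2 CPUs"; return 1; }
  user_ok "$(id -u)" "$(id -Gn)"      || { echo "FAIL: use a non-root member of microk8s"; return 1; }
  ufw_ok "$(sudo ufw status verbose)" || { echo "FAIL: cni0 firewall rules missing"; return 1; }
  nodes_ready "$(microk8s kubectl get nodes --no-headers)" || { echo "FAIL: node not Ready"; return 1; }
  kubectl_var_ok "${KUBECTL:-}"       || { echo "FAIL: export KUBECTL=\"microk8s kubectl\""; return 1; }
  command -v cbctl >/dev/null         || { echo "FAIL: cbctl not in PATH"; return 1; }
  echo "OK: lab ready, safe to run 'microk8s stop' and take the snapshot"
}

if [ "${LAB_CHECK_RUN:-0}" = 1 ]; then run_all; fi
```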
Summary and Additional Resources
Additional Resources
- Container Security FAQ
- Mastering Carbon Black Containers Activity Path
- MicroK8s Installation Tutorial
- MicroK8s Documentation
Changelog
The following updates were made to this guide:
Date | Description of Changes
---|---
2021/10/13 |
2022/03/07 |
2022/04/04 |
2022/05/03 |
2022/06/17 |
2022/06/20 |
2022/06/28 |
Feedback
Your feedback is valuable.
To comment on this paper, contact the VMware Security Tech Zone Team at techzone-sbu@vmware.com.