Architecting your Kubernetes Home Lab
You would like to learn, test, or demo VMware Carbon Black for containers, but you don't want to break your K8s production environment, or you don't have a K8s environment at all: you need a K8s lab!
Of course, you can run K8s on your laptop, but if you want to experiment with questions like "what are the consequences of this security policy on my containers?", you definitely need a lab that you can roll back to a known stable state. The easiest way to get that is a virtual environment where you can take snapshots.
Purpose of This Tutorial
This tutorial takes you through the steps to create a K8s security lab in a virtual environment for VMware Carbon Black Cloud for containers. Before you start, you must first set up a virtual machine hypervisor like VMware Workstation on Windows, or VMware Fusion on Mac.
This tutorial is intended for Security and IT administrators and product evaluators who have a basic knowledge of hypervisors, Linux, and Kubernetes. Familiarity with networking and storage in a virtual environment is assumed. Knowledge of other technologies, such as Linux administration and shell commands, is also helpful.
Linux Ubuntu Installation
This section helps you to install and configure Ubuntu in a virtual machine. The steps are sequential and build upon one another, so make sure that you complete each step before going to the next step.
We recommend Ubuntu 22.04 LTS (Long Term Support) Desktop, with the following settings:
|Minimum||Very Comfortable Experience|
During installation, select “minimal installation”
microK8s Installation
This section helps you to install and configure microK8s in your Ubuntu virtual machine. The steps are sequential and build upon one another, so make sure that you complete each step before going to the next step.
Before you can perform the steps in this exercise, you need to update Ubuntu Linux with the latest security updates and install some useful packages.
Open a terminal, and copy/paste the command lines below:
# Update Ubuntu
sudo apt-get update
sudo apt-get -y upgrade
# Useful packages
sudo apt install curl vim htop
# If you need SSH access to Ubuntu Linux
sudo apt install openssh-server
For security reasons, don't log in as root; use a regular user account with sudo access.
In the following steps, you will install microK8s, configure a Linux firewall to allow traffic for K8s, add your user to the group microk8s and enable K8s addons.
# Install microK8s
sudo snap install microk8s --classic
# Configure Firewall
sudo ufw allow in on cni0
sudo ufw allow out on cni0
sudo ufw default allow routed
# Join the group
sudo usermod -a -G microk8s $USER
sudo chown -f -R $USER ~/.kube
newgrp microk8s
# Enable addons
microk8s enable dns dashboard storage
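The commands above do not tell you whether they took effect (for example, the group change only applies to new login sessions). The following POSIX shell script is an added example, not part of the original guide: it checks the group membership, the ufw rules for cni0, the routed default and the three addons. Each check is a function over command output, so the script also runs offline against constructed sample output; the exact layout of `ufw status verbose` and `microk8s status --format short` is assumed from the usual output of those tools, and the sample data below is constructed, not captured from a real machine.

```shell
#!/bin/sh
# lab-check.sh: confirm the microK8s setup steps above took effect.
# Added example, not part of the original guide. Each check is a function over
# command output, so it can be exercised on constructed text without a cluster.

# User is a member of the given group. Input: output of `id -Gn`.
in_group() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx "$2"
}

# ufw allows traffic in and out on an interface. Input: `sudo ufw status verbose`.
# Rule lines are assumed to look like "Anywhere on cni0   ALLOW IN   Anywhere".
ufw_allows_iface() {
    status=$1; iface=$2
    printf '%s\n' "$status" | grep -Eq "^Anywhere on $iface[[:space:]]+ALLOW( IN)?[[:space:]]" &&
        printf '%s\n' "$status" | grep -Eq "ALLOW OUT[[:space:]]+Anywhere on $iface"
}

# Forwarded (routed) traffic is allowed by default, as `ufw default allow routed` sets.
ufw_routed_allowed() {
    printf '%s\n' "$1" | grep -Eq '^Default:.*allow \(routed\)'
}

# Every named addon shows as enabled. Input: `microk8s status --format short`,
# whose lines are assumed to look like "core/dns: enabled". "storage" also
# matches the newer "hostpath-storage" name.
addons_enabled() {
    status=$1; shift
    for addon in "$@"; do
        printf '%s\n' "$status" | grep -Eq "(^|[/-])$addon: enabled" || return 1
    done
}

# Run every check, print one line per result, return 1 if any check failed.
check_all() {
    groups_out=$1; ufw_out=$2; status_out=$3; rc=0
    if in_group "$groups_out" microk8s; then echo "ok   user is in group microk8s"
    else echo "FAIL user not in group microk8s (log out and back in after usermod)"; rc=1; fi
    if ufw_allows_iface "$ufw_out" cni0; then echo "ok   ufw allows in/out on cni0"
    else echo "FAIL ufw rules for cni0 missing"; rc=1; fi
    if ufw_routed_allowed "$ufw_out"; then echo "ok   ufw default allow routed"
    else echo "FAIL ufw does not allow routed traffic"; rc=1; fi
    if addons_enabled "$status_out" dns dashboard storage; then echo "ok   dns, dashboard, storage addons enabled"
    else echo "FAIL one or more addons not enabled"; rc=1; fi
    return $rc
}

# Constructed sample output (not captured from a real machine) for offline use.
SAMPLE_GROUPS='user adm sudo microk8s'
SAMPLE_UFW='Status: active
Default: deny (incoming), allow (outgoing), allow (routed)

To                         Action      From
--                         ------      ----
Anywhere on cni0           ALLOW IN    Anywhere
Anywhere                   ALLOW OUT   Anywhere on cni0'
SAMPLE_STATUS='microk8s is running
addons:
core/dns: enabled
core/dashboard: enabled
core/hostpath-storage: enabled
core/ha-cluster: disabled'

# Live run only where the tools exist; otherwise exercise the sample data.
if command -v microk8s >/dev/null 2>&1 && command -v ufw >/dev/null 2>&1; then
    check_all "$(id -Gn)" "$(sudo ufw status verbose)" "$(microk8s status --format short)"
else
    check_all "$SAMPLE_GROUPS" "$SAMPLE_UFW" "$SAMPLE_STATUS"
fi
```

Run it as your normal user after the `newgrp microk8s` step; a FAIL on the group check is the usual sign that you are still in the old login session.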
Linux for microK8s Configuration
This section helps you to configure Linux microK8s for a better experience. The steps are sequential and build upon one another, so make sure that you complete each step before going to the next step.
Before you can perform the steps in this exercise, you need to install Ubuntu Linux and microK8s. For security reasons, don't log in as root; use a regular user account with sudo access.
In the following steps, you will configure Linux for microK8s, create a kubectl alias, enable kubectl autocompletion and customize the prompt.
MicroK8s uses a namespaced kubectl command to prevent conflicts with any existing installs of kubectl. If you don’t have an existing install, it is easier to add an alias (append to ~/.bash_aliases) like this:
echo "alias kubectl='microk8s kubectl'" >>~/.bash_aliases
. ~/.bash_aliases
# Check your installation
kubectl version -o json
Then enable kubectl autocompletion (append to ~/.bashrc):
echo 'source <(kubectl completion bash)' >>~/.bashrc
source ~/.bashrc
Now that these steps are complete, you are ready to use your K8s lab environment. If you are evaluating, or are a customer of, VMware Carbon Black Container, move on to the final section to learn how to install it into your lab environment.
VMware Carbon Black Cloud Installation
This section helps you to install VMware Carbon Black Cloud for containers in microK8s. You could also install VMware Carbon Black Cloud Endpoint in Linux, but that is not the purpose of this document.
Before you can perform the steps in this exercise, you need to install Ubuntu Linux and microK8s.
You need to have access to a VMware Carbon Black instance with at least the "Container Security Essentials" feature enabled.
If you don’t have access to a VMware Carbon Black instance, you can ask a VMware representative to:
- Create a VMware Carbon Black POC environment
The VMware Carbon Black for containers installation has two parts:
- Installation of VMware Carbon Black operator in a K8s cluster
- Installation of VMware Carbon Black for container CLI.
CBC Operator Installation
- Fix the microK8s containerd socket path (temporary workaround for microK8s; should be resolved mid-May 2022):
# Run this command at install and each time you restart microk8s or you reboot Linux.
sudo rm -rf /run/containerd/containerd.sock
sudo ln -s /var/snap/microk8s/common/run/containerd.sock /run/containerd/containerd.sock
- Define KUBECTL environment variable in your Linux terminal:
# Run this command before install and uninstall
export KUBECTL="microk8s kubectl"
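Because the socket fix has to be repeated after every microK8s restart or reboot, and because the operator install fails when KUBECTL is unset or the node is not yet Ready, it is worth wrapping the two steps above plus the readiness check in one script. The following POSIX shell script is an added example, not part of the guide or of VMware's tooling. It uses the two socket paths from the guide (overridable for testing), and its `ensure_socket_link` deliberately differs from the `rm -rf` above: it only replaces a stale symlink and refuses to delete a real file or socket at the link path. `kubectl get nodes --no-headers` is a standard kubectl flag; the node line in the test is constructed.

```shell
#!/bin/sh
# cbc-prep.sh: prepare a microK8s node for the CBC operator install steps above.
# Added example, not from the original guide or from VMware. Paths default to the
# ones the guide uses; both can be overridden through the environment for testing.

MICROK8S_SOCK=${MICROK8S_SOCK:-/var/snap/microk8s/common/run/containerd.sock}
RUNTIME_SOCK=${RUNTIME_SOCK:-/run/containerd/containerd.sock}

# Point $2 at $1 as a symlink, idempotently. Unlike `rm -rf` on the link path,
# this only removes a stale symlink and refuses to delete a real file or socket,
# so a host that later runs its own containerd at that path is not broken.
ensure_socket_link() {
    target=$1; link=$2
    if [ ! -e "$target" ]; then
        echo "target $target does not exist; is microk8s started?" >&2
        return 1
    fi
    if [ -L "$link" ]; then
        if [ "$(readlink "$link")" = "$target" ]; then
            return 0                     # already correct, nothing to do
        fi
        rm -f "$link"                    # stale symlink: safe to replace
    elif [ -e "$link" ]; then
        echo "$link exists and is not a symlink; refusing to replace it" >&2
        return 1
    fi
    mkdir -p "$(dirname "$link")"
    ln -s "$target" "$link"
}

# The CBC install/uninstall commands read $KUBECTL; fail early if it is unset.
require_kubectl_env() {
    if [ -z "${KUBECTL:-}" ]; then
        echo 'KUBECTL is not set; run: export KUBECTL="microk8s kubectl"' >&2
        return 1
    fi
}

# The readiness check the guide's remark asks for: every node reports Ready.
# Input: output of `$KUBECTL get nodes --no-headers` (empty output is not ready).
all_nodes_ready() {
    printf '%s\n' "$1" |
        awk 'NF == 0 {next} {n++} $2 != "Ready" {bad=1} END {exit (n == 0 || bad) ? 1 : 0}'
}

# Live run: needs root for the guide's paths (sudo -E ./cbc-prep.sh so KUBECTL
# is kept). Skipped when microK8s is not installed, e.g. during offline testing.
if command -v microk8s >/dev/null 2>&1; then
    ensure_socket_link "$MICROK8S_SOCK" "$RUNTIME_SOCK" || exit 1
    require_kubectl_env || exit 1
    # $KUBECTL is intentionally unquoted so "microk8s kubectl" splits into two words.
    if all_nodes_ready "$($KUBECTL get nodes --no-headers 2>/dev/null)"; then
        echo "ready: run the CBC operator install command from the wizard"
    else
        echo "cluster not ready yet; check '$KUBECTL get nodes' and re-run" >&2
        exit 1
    fi
fi
```

Run it after each `microk8s start` or reboot, before the wizard's `curl` command; a non-zero exit tells you which of the three preconditions is missing.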
- Login to CBC Containers UI and navigate to Inventory > Kubernetes > K8s Clusters > (Tab Clusters) > Add Cluster
And follow the wizard:
Remark: if an error occurs at the first command ("curl...."), check that you have defined KUBECTL as mentioned above, and check that your Kubernetes cluster is ready (kubectl get nodes).
- Login to CB Containers UI and navigate to Inventory > Kubernetes > K8s Clusters > (Tab CLI Config) > Add CLI
- Follow the wizard.
- Make cbctl executable, and copy it in your path:
chmod +x ~/Downloads/cbctl
sudo cp ~/Downloads/cbctl /usr/local/bin
- Your Lab is ready!
- Power off Ubuntu Linux and create a snapshot!
microk8s stop
poweroff
Use the Snapshot menu on the Workstation toolbar to take a snapshot.
- Choose VM > Snapshot > Take Snapshot.
- Type a name for your snapshot, for example: “K8s Lab ready”
- If you wish, you may type a description for your snapshot...
- Click OK.
Summary and Additional Resources