Architecting your Kubernetes Home Lab

Overview

Introduction

You would like to learn, to test, to demo VMware Carbon Black for containers, but you don’t want to break your K8s production environment, or you don’t have a K8s environment, you need a K8s LAB!

Of course, you can run K8s on your laptop, but if you want to experiment things like, “what are the consequence of this security policy on my containers?”, you definitely need a lab where you can come back to a stable state. For this, the easiest way is to create a virtual environment where you can take snapshots.

Purpose of This Tutorial

This tutorial takes you through the steps to create a K8s security lab in a virtual environment for VMware Carbon Black Cloud for containers. Before you start, you must first set up a virtual machine hypervisor like VMware Workstation on Windows, or VMware Fusion on Mac.

Audience

This tutorial is intended for Security and IT administrators and product evaluators who have a basic knowledge of hypervisors, Linux, and Kubernetes. Familiarity with networking and storage in a virtual environment is assumed. Knowledge of other technologies, such as Linux administration and shell commands, is also helpful.

Linux Ubuntu Installation

Introduction

This section helps you to install and configure Ubuntu in a virtual machine. The steps are sequential and build upon one another, so make sure that you complete each step before going to the next step.

Prerequisites

Before you can perform the steps in this exercise, you must install VMware Workstation or VMware Fusion or any hypervisor available for your laptop.

Procedure

Download ISO from Ubuntu's page: https://releases.ubuntu.com/22.04/

We recommend Ubuntu 22.04 LTS (Long Term Support) Desktop, with the following settings:

Minimum Very Comfortable Experience
  • 2 processors
  • Disk: 20GB
  • Mem: 4GB
  • Network: NAT
  • 4 processors
  • Disk: 30GB
  • Mem: 6GB
  • Network: NAT

During installation, select “minimal installation”

microK8s Installation

Introduction

This section helps you to install and configure microK8s in your Ubuntu virtual machine. The steps are sequential and build upon one another, so make sure that you complete each step before going to the next step.

Prerequisites

Before you can perform the steps in this exercise, you need to update Ubuntu Linux with latest security updates and install some useful packages.

Open a terminal, and copy/paste the command lines below:

# Update Ubuntu
sudo apt-get update
sudo apt-get -y upgrade

# Useful packages
sudo apt install curl vim htop

# If you need SSH access to Ubuntu Linux
sudo apt install openssh-server

For security reason, don’t login as root but use a user login with sudo access.

Procedure

In the following steps, you will install microK8s, configure a Linux firewall to allow traffic for K8s, add your user to the group microk8s and enable K8s addons.

# Install microK8s
sudo snap install microk8s --classic

# Configure Firewall
sudo ufw allow in on cni0
sudo ufw allow out on cni0
sudo ufw default allow routed

# Join the group
sudo usermod -a -G microk8s $USER
sudo chown -f -R $USER ~/.kube
newgrp microk8s

# Enable addons
microk8s enable dns dashboard storage

Linux for microK8s Configuration

Introduction

This section helps you to configure Linux microK8s for a better experience. The steps are sequential and build upon one another, so make sure that you complete each step before going to the next step.

Prerequisites

Before you can perform the steps in this exercise, you need to install Ubuntu Linux and microK8s. For security reasons, don’t log in as root but use a user login with Sudo access. 

Procedure

In following steps, you will configure Linux for microK8s, create a kubectl alias, enable kubectl autocompletion and customize prompt.

Create kubectl alias

MicroK8s uses a namespaced kubectl command to prevent conflicts with any existing installs of kubectl. If you don’t have an existing install, it is easier to add an alias (append to ~/.bash_aliases) like this:

echo "alias kubectl='microk8s kubectl'" >>~/.bash_aliases
. ~/.bash_aliases
 
# Check your installation
kubectl version -o json

Enable autocompletion of kubectl command

echo 'source <(kubectl completion bash)' >>~/.bashrc
source ~/.bashrc

Now that these steps have been completed you are now ready to leverage your K8s Lab environment. If you are evaluating or a customer of VMware Carbon Black Container moves to the final section to learn how to install it into your Lab environment.

VMware Carbon Black Cloud Installation

Introduction

This section helps you to install VMware Carbon Cloud for containers in microK8s. You could also install VMware Carbon Cloud Endpoint in Linux, but it is not the purpose of this document.

Prerequisites

Before you can perform the steps in this exercise, you need to install Ubuntu Linux and microK8s.

You need to have access to a VMware Carbon Black instance with at least the "Container Security Essentials" feature enabled:

image-20220307120053-1

 

If you don’t have access to a VMware Carbon Black instance, you can ask a VMware representative to:

-         Create a VMware Carbon Black POC environment

OR

-         Invite you to the Testdrive experience: https://pathfinder.vmware.com/activity/testdrive_container_security

Procedure

VMware Carbon Black for containers installation is in 2 parts:

  1. Installation of VMware Carbon Black operator in a K8s cluster
  2. Installation of VMware Carbon Black for container CLI.

 

CBC Operator Installation

  1. Fix microK8s path (temporary fix for microK8s, should be resolved mid-May 2022)
    # Run this command at install and each time you restart microk8s or you reboot Linux.
    sudo rm -rf /run/containerd/containerd.sock
    sudo ln -s /var/snap/microk8s/common/run/containerd.sock /run/containerd/containerd.sock
  2. Define KUBECTL environment variable in your Linux terminal:
    # Run this command before install and uninstall
    export KUBECTL="microk8s kubectl"
  3. Login to CBC Containers UI and navigate to Inventory > Kubernetes > K8s Clusters > (Tab Clusters) > Add Cluster

And follow the wizard:

image-20220317094955-1

Remark: if an error occurs at first command "curl....", check that you have define KUBECTL as mentioned above, and check that your Kubernetes cluster is ready (kubectl get nodes).

CBC CLI Installation

  1. Login to CB Containers UI and navigate to Inventory > Kubernetes > K8s Clusters > (Tab CLI Config) > Add CLI
  2. Follow the wizard.
  3. Make cbctl executable, and copy it in your path:
chmod +x ~/Downloads/cbctl
sudo cp ~/Downloads/cbctl /usr/local/bin

Finalize Lab

  1. Your Lab is ready!
  2. Power off Ubuntu Linux and create a snapshot!
microk8s stop
poweroff

Use the Snapshot menu on the Workstation toolbar to take a snapshot.

  1. Choose VM > Snapshot > Take Snapshot.
  2. Type a name for your snapshot, for example: “K8s Lab ready”
  3. If you wish, you may type a description for your snapshot...
  4. Click OK.

 

Summary and Additional Resources

Additional Resources

For more information about Containers Labs or CBC Containers, you can explore the following resources:

Changelog

The following updates were made to this guide:

Date

Description of Changes

2021/10/13
  • First release
2022/03/07
  • Runtime security feature (Container security Advanced)
  • Use KUBECTL environment variable to install CBC operator on microk8s
2022/04/04
  • Temporary fix for CBC with microK8s: Add a symbolic link to /run/containerd/containerd.sock
2022/05/03
  • Use Ubuntu 22.04 instead of 20.04.

Feedback

Your feedback is valuable.

To comment on this paper, contact VMware Security Tech Zone Team at techzone-sbu@vmware.com .

Filter Tags

VMware Carbon Black Cloud Container Document Proof Of Concept Advanced Architect