ScienceSoft-Inc/k8s-container-integrity-mutator

k8s-container-integrity-mutator

This application injects a patch, such as a sidecar container, into any Kubernetes resource.

When a new resource is applied to the cluster, the application checks for the "integrity-certificates-injector-sidecar" label and, if it is present, applies the patch.

Architecture

Statechart diagram

File location: docs/diagrams/mutatorStatechartDiagram.png

Sequence diagram

File location: docs/diagrams/mutatorSequenceDiagram.png

🔨 Installing components

Running minikube

The code only works when running inside a pod in Kubernetes. You need a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with it. If you do not already have a cluster, you can create one with minikube; see https://minikube.sigs.k8s.io/docs/start/

Install Helm

Before using the Helm charts you need to install Helm on your local machine.
Installation instructions are at https://helm.sh/docs/intro/install/

Configuration

Before installing, set the values in the configuration files:

  • values in the file helm-charts/integrity-injector/values.yaml
  • values in the file helm-charts/demo-app-to-inject/values.yaml

Configure the monitored app through these annotations:

  • integrity-monitor.scnsoft.com/inject: "true" - The sidecar injection annotation. If set to "true", the sidecar is injected.
  • <monitoring process name>.integrity-monitor.scnsoft.com/monitoring-paths: etc/nginx,usr/bin - Declares a process to be monitored and the comma-separated paths to monitor for it.
  • template:shareProcessNamespace: true
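As an added example (not the project's own code), the following Go snippet shows how a mutating webhook acts on these annotations: it checks the inject flag, parses each per-process monitoring-paths annotation, and builds the RFC 6902 JSON Patch that appends a sidecar and sets shareProcessNamespace. The sidecar container name, image and --process argument format are assumptions.

```go
package main

import (
	"encoding/json"
	"sort"
	"strings"
)

const domain = "integrity-monitor.scnsoft.com"

// monitoredPaths maps each "<process>.<domain>/monitoring-paths" annotation
// to its comma-separated paths; blank entries and an empty process are dropped.
func monitoredPaths(ann map[string]string) map[string][]string {
	suffix, out := "."+domain+"/monitoring-paths", map[string][]string{}
	for k, v := range ann {
		proc := strings.TrimSuffix(k, suffix)
		if proc == k || proc == "" {
			continue
		}
		for _, p := range strings.Split(v, ",") {
			if p = strings.TrimSpace(p); p != "" {
				out[proc] = append(out[proc], p)
			}
		}
	}
	return out
}

// buildPatch returns the RFC 6902 JSON Patch a mutating webhook would put in
// AdmissionResponse.patch: append the sidecar and enable shareProcessNamespace
// so it can see the monitored process. It returns nil (no mutation) unless the
// pod opted in with <domain>/inject: "true". The --process=<name>:<paths>
// sidecar argument format is a hypothetical one, not the project's.
func buildPatch(ann map[string]string, image string) ([]byte, error) {
	if !strings.EqualFold(strings.TrimSpace(ann[domain+"/inject"]), "true") {
		return nil, nil
	}
	var args []string
	for proc, paths := range monitoredPaths(ann) {
		args = append(args, "--process="+proc+":"+strings.Join(paths, ","))
	}
	sort.Strings(args) // map order is random; keep the patch deterministic
	ops := []map[string]interface{}{
		{"op": "add", "path": "/spec/shareProcessNamespace", "value": true},
		{"op": "add", "path": "/spec/containers/-", "value": map[string]interface{}{
			"name": "integrity-sidecar", "image": image, "args": args}},
	}
	return json.Marshal(ops)
}
```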

Build docker image:

make docker

Troubleshooting

If you find that the pod is not injected with the sidecar container as expected, check the following items:

  1. The pod is in the Running state with the integrity sidecar container injected and no error logs.
  2. The application pod has the correct annotations as described above.

Install integrity injector, demo application and dependencies

Enable syslog support for the demo application (optional).

To enable syslog support, set the SYSLOG_ENABLED environment variable to true:

export SYSLOG_ENABLED=true

Configure the syslog service, host and port

By default, the syslog host name is the name of the local syslog service, rsyslog; to change it, set the desired host name in the SYSLOG_HOST environment variable.

e.g.

export SYSLOG_HOST=desired-host-name

To specify a custom syslog port, set SYSLOG_PORT; the default port is 514.

e.g.

export SYSLOG_PORT=514

Install a local syslog server (optional)

make helm-syslog

Install MinIO

The following command creates the minio namespace and installs a default MinIO server into it.

make minio-install

Install the Helm chart with the mutator app

make helm-mutator

or via helm

helm install mutator helm-charts/integrity-injector

Install the Helm chart with the demo app

make helm-demo

or via helm

helm install demo-app helm-charts/demo-app-to-inject