Make sure you have the following installed:
- Kubernetes v1.9.2+
- kubectl
- helm
- openssl
- GnuPG
- Google Cloud account with billing enabled
- Google Cloud SDK (gcloud)
Note: you will be charged for running on GCP. See Free Tier for information on how to try out GCP. Contributions of the examples running on other k8s engines are welcome!
NOTE: The steps described in this section will install the Grafeas and Kritis charts to the default k8s namespace.
- Check out your fork of the Kritis repository by following these instructions. Then, navigate to the standalone folder:

```shell
cd ${GOPATH}/src/github.com/grafeas/kritis/docs/standalone
```
- Set up a GCP project where the Kubernetes Engine API is enabled. You'll need to create a new project by following the prompts at Google Cloud Console: New Project. For convenience, save the project ID as an environment variable and set up the GKE cluster:

```shell
PROJECT=<project ID assigned to you>
gcloud config set project $PROJECT
gcloud components update
gcloud config set compute/zone us-central1-a
gcloud container clusters create kritis-test --num-nodes=2
gcloud container clusters get-credentials kritis-test
```

For more documentation, see Kubernetes Engine: Creating a Cluster.
- Create and upload the Service Account Key:

```shell
gcloud iam service-accounts create kritis-ca-admin \
  --display-name "Kritis Service Account"
gcloud iam service-accounts keys create gac.json \
  --iam-account kritis-ca-admin@${PROJECT}.iam.gserviceaccount.com
kubectl create secret generic gac-ca-admin --from-file=gac.json
```
- Set up Helm:

```shell
./setup_helm.sh
```
- Install Grafeas to the cluster with the following script. The script will also generate the TLS certificates that the Grafeas server uses.

WARNING: Make sure to set `Common Name` to `grafeas-server` when prompted during the certificate creation.

```shell
./setup_grafeas.sh
```

You can ensure that Grafeas is running:

```shell
kubectl get pods
NAME                              READY   STATUS    RESTARTS   AGE
grafeas-server-64b74cf696-6vb4b   1/1     Running   0          16s
```
- Install Kritis to your cluster:

```shell
./setup_kritis.sh
```

You can ensure that Kritis is running:

```shell
kubectl get pods
NAME                                      READY   STATUS      RESTARTS   AGE
kritis-postinstall                        0/1     Completed   0          3m
kritis-predelete                          0/1     Completed   0          18h
kritis-preinstall                         0/1     Completed   0          3m
kritis-validation-hook-576dbb55c6-752nq   1/1     Running     0          3m
```
- No policies are defined, so a pod is admitted by default, due to the admit-all fallback policy:

```shell
kubectl apply -f pod.yaml
```

You should get `pod/java created` in response.

- A `GenericAttestationPolicy` is set, but no attestation exists for the pod in Grafeas:

```shell
./no_attestation.sh
```

You will get

```
Error from server: error when creating "pod.yaml": admission webhook "kritis-validation-hook.grafeas.io" denied the request: image gcr.io/kritis-tutorial/java-with-vulnz@sha256:<hash> is not attested
```

in response. You can check the reason the pod creation was rejected by looking at the Kritis logs:

```shell
kubectl logs -l app=kritis-validation-hook
```

You'll find the

```
No attestations found for image gcr.io/kritis-tutorial/java-with-vulnz@sha256:<hash>.
```

message in the logs.
- Create a valid attestation and ensure this pod is now admitted.

To get the external IP address of the Grafeas server, run:

```shell
kubectl get svc
NAME             TYPE           CLUSTER-IP     EXTERNAL-IP   PORT(S)         AGE
grafeas-server   LoadBalancer   10.31.248.62   35.232.9.51   443:31212/TCP   11m
...
```

Create an entry in your local `/etc/hosts` to map `EXTERNAL-IP` to the service name:

```
35.232.9.51 grafeas-server
```

Create a combined PEM certificate to talk directly to the standalone Grafeas server by running the command below. You'll want to make sure the export and import passwords match. Make sure you memorize your PEM passphrase as well when prompted.

```shell
./combined_cert.sh
```

Now, create the attestation and see that the pod is admitted:

```shell
./attestation_created.sh
```

You should get `pod/java created` in response and see the following in `kubectl logs -l app=kritis-validation-hook`:

```
admission.go:124] handling pod java in...
admission.go:245] Reviewing images for &Pod{ObjectMeta:k8s_io_apimachinery_pkg_apis_meta_v1.ObjectMeta{Name:java,GenerateName:,Namespace:default,SelfLink:,UID:98a55b42-b87e-11e9-bd23-42010a80011e,ResourceVersion:,Generation:0,CreationTimestamp:2019-08-06 19:15:47 +0000 UTC,DeletionTimestamp:<nil>,DeletionGracePeriodSeconds:nil,Labels:map[string]string{},Annotations:map[string]string{kubectl.kubernetes.io/last-applied-configuration: {"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{},"name":"java","namespace":"default"},"spec":{"containers":[{"image":"gcr.io/kritis-tutorial/java-with-vulnz@sha256:358687cfd3ec8e1dfeb2bf51b5110e4e16f6df71f64fba01986f720b2fcba68a","name":"java","ports":[{"containerPort":80}]}]}}
...
admission.go:264] Found 1 Generic Attestation Policies
review.go:72] Check if gcr.io/kritis-tutorial/java-with-vulnz@sha256:358687cfd3ec8e1dfeb2bf51b5110e4e16f6df71f64fba01986f720b2fcba68a has valid Attestations.
...
strategy.go:51] Image gcr.io/kritis-tutorial/java-with-vulnz@sha256:358687cfd3ec8e1dfeb2bf51b5110e4e16f6df71f64fba01986f720b2fcba68a has one or more valid attestation(s)
...
```
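The webhook logs above are the audit trail of every admission decision Kritis makes. As an added example (not part of the Kritis project or this tutorial's scripts), the script below parses the "No attestations found" and "has one or more valid attestation(s)" lines quoted in this document, reports the last decision per image, and checks that each reference is digest-pinned, which Kritis requires for attestation. The sample log and the second image digest are constructed.

```python
import re

# Patterns for the two decision lines the kritis-validation-hook logs shown in this tutorial emit.
DENIED_RE = re.compile(r"No attestations found for image (?P<img>\S+?)\.?\s*$")
ADMITTED_RE = re.compile(r"Image (?P<img>\S+) has one or more valid attestation\(s\)")
# An attestable reference is repo@sha256:<64 hex chars>; a tag can move, so it is never attested.
DIGEST_RE = re.compile(r"^[^@\s]+@sha256:[0-9a-f]{64}$")


def is_digest_pinned(image_ref):
    """True when the reference is pinned to a sha256 digest rather than a mutable tag."""
    return bool(DIGEST_RE.match(image_ref))


def summarize_admissions(log_text):
    """Map each image reference in the webhook log to its most recent decision.

    A later line for the same image overrides an earlier one, which is what happens
    in this tutorial: the image is denied first and admitted once an attestation exists.
    """
    decisions = {}
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            decisions[m.group("img")] = "denied"
            continue
        m = ADMITTED_RE.search(line)
        if m:
            decisions[m.group("img")] = "admitted"
    return decisions


def unattested_images(log_text):
    """Images whose last decision was a denial, sorted, for follow-up by the image owners."""
    return sorted(img for img, d in summarize_admissions(log_text).items() if d == "denied")


# Constructed sample, modelled on the log lines quoted in this tutorial (second digest is made up).
SAMPLE_LOG = """\
admission.go:124] handling pod java in...
review.go:72] Check if gcr.io/kritis-tutorial/java-with-vulnz@sha256:358687cfd3ec8e1dfeb2bf51b5110e4e16f6df71f64fba01986f720b2fcba68a has valid Attestations.
No attestations found for image gcr.io/kritis-tutorial/java-with-vulnz@sha256:358687cfd3ec8e1dfeb2bf51b5110e4e16f6df71f64fba01986f720b2fcba68a.
admission.go:124] handling pod java in...
strategy.go:51] Image gcr.io/kritis-tutorial/java-with-vulnz@sha256:358687cfd3ec8e1dfeb2bf51b5110e4e16f6df71f64fba01986f720b2fcba68a has one or more valid attestation(s)
No attestations found for image gcr.io/example/other@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef.
"""

if __name__ == "__main__":
    for img, decision in summarize_admissions(SAMPLE_LOG).items():
        print(f"{decision:8} pinned={is_digest_pinned(img)} {img}")
```

Feed it `kubectl logs -l app=kritis-validation-hook` to get the same summary for a live cluster.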
To delete Kritis and Grafeas, run:

```shell
./cleanup.sh
```

The first command in the script will delete the Kritis helm chart and kick off the `kritis-predelete` pod, which deletes the CertificateSigningRequest, TLS Secret, and Webhooks created during installation. You may view the status using:

```shell
kubectl get pods kritis-predelete
```

And the logs using:

```shell
kubectl logs kritis-predelete
```

Most resources created by Kritis will be deleted from your cluster once this Pod has reached `Completed` status. The second command in the script will delete the remaining resources. The last command in the script will delete the Grafeas helm chart.