add secu

Signed-off-by: Louis Labeyrie <labeyrielouis@gmail.com>
2026-04-27 15:29:07 +02:00
parent 5760eab56a
commit 1e24ec3243
10 changed files with 1501 additions and 125 deletions
--- a/partie-01-installation/04-install-cilium.sh
+++ b/partie-01-installation/04-install-cilium.sh
@@ -0,0 +1,176 @@
+#!/bin/bash
+# Partie 1 - Installation du CNI Cilium + Hubble + Tetragon
+# À exécuter sur le nœud MASTER
+# Remplace Flannel : Cilium apporte NetworkPolicy L7, chiffrement WireGuard,
+# observabilité Hubble et runtime security Tetragon.
+
+set -e
+
+CILIUM_VERSION="1.17.3"
+CILIUM_CLI_VERSION="v0.18.4"
+TETRAGON_VERSION="1.4.0"
+
+APISERVER_IP=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}' | grep -oP '(?<=https://)[^:]+')
+
+echo "=== Installation Cilium ${CILIUM_VERSION} + Hubble + Tetragon ${TETRAGON_VERSION} ==="
+echo "API server : ${APISERVER_IP}:6443"
+echo ""
+
+# --- Cilium CLI ---
+echo "Installation du CLI Cilium ${CILIUM_CLI_VERSION}..."
+CILIUM_CLI_ARCH="amd64"
+CILIUM_CLI_TAR="cilium-linux-${CILIUM_CLI_ARCH}.tar.gz"
+CILIUM_CLI_URL="https://github.com/cilium/cilium-cli/releases/download/${CILIUM_CLI_VERSION}/${CILIUM_CLI_TAR}"
+CILIUM_CLI_SHA_URL="${CILIUM_CLI_URL}.sha256sum"
+
+curl -L --fail "$CILIUM_CLI_URL" -o "/tmp/${CILIUM_CLI_TAR}"
+curl -L --fail "$CILIUM_CLI_SHA_URL" -o "/tmp/${CILIUM_CLI_TAR}.sha256sum"
+
+cd /tmp
+sha256sum --check "${CILIUM_CLI_TAR}.sha256sum" || {
+    echo "ERREUR: checksum cilium-cli invalide. Abandon."
+    exit 1
+}
+cd -
+
+tar -xzf "/tmp/${CILIUM_CLI_TAR}" -C /tmp cilium
+sudo mv /tmp/cilium /usr/local/bin/cilium
+sudo chmod +x /usr/local/bin/cilium
+rm -f "/tmp/${CILIUM_CLI_TAR}" "/tmp/${CILIUM_CLI_TAR}.sha256sum"
+echo "  ✓ cilium CLI installé"
+
+# --- Helm repos ---
+echo "Ajout des repos Helm..."
+helm repo add cilium https://helm.cilium.io/ 2>/dev/null || helm repo update cilium
+helm repo update
+
+# --- Cilium ---
+echo ""
+echo "Installation de Cilium ${CILIUM_VERSION}..."
+echo "  Options : kubeProxyReplacement + WireGuard + Hubble + policyEnforcementMode=default"
+echo ""
+
+helm upgrade --install cilium cilium/cilium \
+    --version "${CILIUM_VERSION}" \
+    --namespace kube-system \
+    --set kubeProxyReplacement=true \
+    --set k8sServiceHost="${APISERVER_IP}" \
+    --set k8sServicePort=6443 \
+    --set encryption.enabled=true \
+    --set encryption.type=wireguard \
+    --set hubble.enabled=true \
+    --set hubble.relay.enabled=true \
+    --set hubble.ui.enabled=true \
+    --set policyEnforcementMode=default \
+    --set nodeinit.enabled=true \
+    --set ipam.mode=kubernetes \
+    --wait --timeout=10m
+
+echo ""
+echo "Attente que Cilium soit opérationnel..."
+cilium status --wait --wait-duration=5m
+
+echo ""
+echo "✓ Cilium opérationnel"
+
+# --- Tetragon ---
+echo ""
+echo "Installation de Tetragon ${TETRAGON_VERSION}..."
+echo "  Tetragon = observabilité runtime eBPF profonde (syscalls, fichiers, réseau)"
+
+helm upgrade --install tetragon cilium/tetragon \
+    --version "${TETRAGON_VERSION}" \
+    --namespace kube-system \
+    --set tetragon.exportFilename="/var/log/tetragon/tetragon.log" \
+    --wait --timeout=5m
+
+echo ""
+echo "Application des TracingPolicies de base..."
+
+# Surveiller toutes les exécutions de processus (détecte les shells lancés dans des containers,
+# les outils de reconnaissance, les tentatives d'escalade)
+kubectl apply -f - <<'EOF'
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: monitor-process-exec
+spec:
+  kprobes:
+  - call: "sys_execve"
+    syscall: true
+    args:
+    - index: 0
+      type: "string"
+    - index: 1
+      type: "string_array"
+EOF
+
+# Surveiller les accès aux fichiers sensibles du cluster et de l'hôte
+kubectl apply -f - <<'EOF'
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: monitor-sensitive-file-access
+spec:
+  kprobes:
+  - call: "sys_openat"
+    syscall: true
+    args:
+    - index: 1
+      type: "string"
+    selectors:
+    - matchArgs:
+      - index: 1
+        operator: "Prefix"
+        values:
+        - "/etc/kubernetes"
+        - "/var/lib/etcd"
+        - "/run/secrets/kubernetes.io"
+        - "/proc/1/"
+EOF
+
+echo "  ✓ TracingPolicies appliquées"
+
+# --- NetworkPolicy deny-all par défaut ---
+echo ""
+echo "Application de la NetworkPolicy deny-all dans le namespace default..."
+
+kubectl apply -f - <<'EOF'
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-all
+  namespace: default
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+    - Egress
+EOF
+
+echo "  ✓ NetworkPolicy deny-all appliquée (namespace: default)"
+
+# --- Vérifications ---
+echo ""
+echo "=== Vérifications ==="
+echo ""
+echo "1. Statut Cilium:"
+cilium status
+echo ""
+echo "2. Pods Tetragon:"
+kubectl get pods -n kube-system -l app.kubernetes.io/name=tetragon
+echo ""
+echo "3. TracingPolicies:"
+kubectl get tracingpolicies 2>/dev/null || echo "  (CRD TracingPolicy en cours d'initialisation)"
+echo ""
+echo "4. Nœuds (doivent être Ready):"
+kubectl get nodes
+echo ""
+echo "✓ Cilium + Hubble + Tetragon installés avec succès!"
+echo ""
+echo "Accès à Hubble UI (depuis le master) :"
+echo "  kubectl port-forward -n kube-system svc/hubble-ui 8080:80 &"
+echo "  Puis ouvrir http://localhost:8080"
+echo ""
+echo "Logs Tetragon en temps réel :"
+echo "  kubectl logs -n kube-system -l app.kubernetes.io/name=tetragon -f | jq '.'"