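#!/bin/bash
#
# Part 1 - Install the Cilium CNI + Hubble + Tetragon.
#
# Run on the MASTER node.
#
# Replaces Flannel: Cilium brings L7 NetworkPolicy, WireGuard encryption,
# Hubble observability and Tetragon runtime security.
#
# Usage: run with no arguments. Optional environment overrides:
#   CILIUM_VERSION, CILIUM_CLI_VERSION, TETRAGON_VERSION,
#   CILIUM_CLI_ARCH (amd64|arm64, auto-detected from uname -m by default).
# Requires on PATH: kubectl (with a working kubeconfig), helm, curl, tar,
# sha256sum, sudo.

set -euo pipefail

# Pinned versions; each may be overridden from the environment.
readonly CILIUM_VERSION="${CILIUM_VERSION:-1.17.3}"
readonly CILIUM_CLI_VERSION="${CILIUM_CLI_VERSION:-v0.18.4}"
readonly TETRAGON_VERSION="${TETRAGON_VERSION:-1.4.0}"
readonly CILIUM_HELM_REPO="https://helm.cilium.io/"
readonly CILIUM_BIN_DIR="/usr/local/bin"

# Scratch directory for the CLI download; created in main, removed on exit.
scratch_dir=""

#######################################
# Print an error message on stderr and exit.
# Arguments: message words
#######################################
die() {
  printf 'ERREUR: %s\n' "$*" >&2
  exit 1
}

#######################################
# Remove the scratch directory on any exit path (success, die, signal).
# Globals: scratch_dir (read)
#######################################
cleanup() {
  if [[ -n "$scratch_dir" ]]; then
    rm -rf -- "$scratch_dir"
  fi
}

#######################################
# Fail early, with a clear message, if a required tool is missing.
#######################################
require_tools() {
  local tool
  for tool in kubectl helm curl tar sha256sum sudo; do
    command -v "$tool" >/dev/null 2>&1 || die "outil requis introuvable : ${tool}"
  done
}

#######################################
# Map the machine architecture to the cilium-cli release asset suffix.
# Outputs: "arm64" or "amd64" on stdout (amd64 is the fallback).
#######################################
detect_arch() {
  case "$(uname -m)" in
    aarch64|arm64) printf 'arm64\n' ;;
    *) printf 'amd64\n' ;;
  esac
}

#######################################
# Split a kube-apiserver URL into host and port.
# Arguments: $1 - server URL from kubeconfig (https://host[:port][/...])
# Outputs:   "host port" on stdout; port defaults to 6443 when absent.
# Returns:   1 when no host could be extracted.
# Limitation: bracketed IPv6 literals are not handled.
#######################################
apiserver_host_port() {
  local hostport host port
  hostport=${1#https://}
  hostport=${hostport#http://}
  hostport=${hostport%%/*}
  host=${hostport%%:*}
  if [[ "$hostport" == *:* ]]; then
    port=${hostport##*:}
  else
    port=6443
  fi
  [[ -n "$host" ]] || return 1
  printf '%s %s\n' "$host" "$port"
}

#######################################
# Download the pinned cilium-cli release, verify its SHA-256 and install it.
# Globals:   CILIUM_CLI_VERSION, CILIUM_BIN_DIR, scratch_dir (read)
# Arguments: $1 - release architecture (amd64|arm64)
#######################################
install_cilium_cli() {
  local arch=$1
  local tar_name url

  tar_name="cilium-linux-${arch}.tar.gz"
  url="https://github.com/cilium/cilium-cli/releases/download/${CILIUM_CLI_VERSION}/${tar_name}"

  printf '%s\n' "Installation du CLI Cilium ${CILIUM_CLI_VERSION}..."

  # --proto '=https' keeps redirects on HTTPS; --fail turns 4xx/5xx into errors.
  curl -sSL --fail --proto '=https' --tlsv1.2 "$url" -o "${scratch_dir}/${tar_name}"
  curl -sSL --fail --proto '=https' --tlsv1.2 "${url}.sha256sum" \
    -o "${scratch_dir}/${tar_name}.sha256sum"

  # The .sha256sum file names the bare archive, so verify from inside the
  # scratch dir (subshell: no cd/cd - juggling in the main shell).
  # NOTE: the checksum comes from the same release page as the archive, so it
  # guards against a corrupt download, not a compromised upstream; pin a known
  # hash or verify the release signature if that threat matters here.
  (cd "$scratch_dir" && sha256sum --check --strict -- "${tar_name}.sha256sum") \
    || die "checksum cilium-cli invalide. Abandon."

  tar -xzf "${scratch_dir}/${tar_name}" -C "$scratch_dir" cilium
  # install(1) copies and sets the mode in one step (replaces mv + chmod).
  sudo install -m 0755 -- "${scratch_dir}/cilium" "${CILIUM_BIN_DIR}/cilium"
  printf '%s\n' " ✓ cilium CLI installé"
}

#######################################
# Register (or refresh) the Cilium Helm repository.
# Globals: CILIUM_HELM_REPO (read)
#######################################
add_helm_repo() {
  printf '%s\n' "Ajout des repos Helm..."
  # --force-update makes the add idempotent when the repo already exists.
  helm repo add cilium "$CILIUM_HELM_REPO" --force-update
  helm repo update cilium
}

#######################################
# Install or upgrade Cilium with kube-proxy replacement, WireGuard
# encryption and Hubble (relay + UI), then wait until it reports ready.
# Globals:   CILIUM_VERSION (read)
# Arguments: $1 - API server host, $2 - API server port
#######################################
install_cilium() {
  local host=$1 port=$2

  printf '\n%s\n' "Installation de Cilium ${CILIUM_VERSION}..."
  printf '%s\n\n' " Options : kubeProxyReplacement + WireGuard + Hubble + policyEnforcementMode=default"

  # k8sServiceHost/Port let the agent reach the API server directly, since
  # with kubeProxyReplacement there is no kube-proxy to serve the Service VIP.
  # policyEnforcementMode=default: pods not selected by any policy allow all
  # traffic; enforcement starts once a policy selects them.
  helm upgrade --install cilium cilium/cilium \
    --version "${CILIUM_VERSION}" \
    --namespace kube-system \
    --set kubeProxyReplacement=true \
    --set k8sServiceHost="${host}" \
    --set k8sServicePort="${port}" \
    --set encryption.enabled=true \
    --set encryption.type=wireguard \
    --set hubble.enabled=true \
    --set hubble.relay.enabled=true \
    --set hubble.ui.enabled=true \
    --set policyEnforcementMode=default \
    --set nodeinit.enabled=true \
    --set ipam.mode=kubernetes \
    --wait --timeout=10m

  printf '\n%s\n' "Attente que Cilium soit opérationnel..."
  cilium status --wait --wait-duration=5m

  printf '\n%s\n' "✓ Cilium opérationnel"
}

#######################################
# Install or upgrade Tetragon with JSON event export to a file on each node.
# Globals: TETRAGON_VERSION (read)
#######################################
install_tetragon() {
  printf '\n%s\n' "Installation de Tetragon ${TETRAGON_VERSION}..."
  printf '%s\n' " Tetragon = observabilité runtime eBPF profonde (syscalls, fichiers, réseau)"

  helm upgrade --install tetragon cilium/tetragon \
    --version "${TETRAGON_VERSION}" \
    --namespace kube-system \
    --set tetragon.exportFilename="/var/log/tetragon/tetragon.log" \
    --wait --timeout=5m
}

#######################################
# Apply the baseline TracingPolicies. Both policies are observe-only:
# they carry no matchActions, so nothing is blocked, only reported.
#######################################
apply_tracing_policies() {
  printf '\n%s\n' "Application des TracingPolicies de base..."

  # Record every process execution (shells spawned inside containers,
  # reconnaissance tooling, privilege-escalation attempts).
  kubectl apply -f - <<'EOF'
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: monitor-process-exec
spec:
  kprobes:
  - call: "sys_execve"
    syscall: true
    args:
    - index: 0
      type: "string"
    - index: 1
      type: "string_array"
EOF

  # Record opens of sensitive cluster and host paths (arg 1 of openat is the
  # pathname; Prefix match on the listed directories).
  kubectl apply -f - <<'EOF'
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: monitor-sensitive-file-access
spec:
  kprobes:
  - call: "sys_openat"
    syscall: true
    args:
    - index: 1
      type: "string"
    selectors:
    - matchArgs:
      - index: 1
        operator: "Prefix"
        values:
        - "/etc/kubernetes"
        - "/var/lib/etcd"
        - "/run/secrets/kubernetes.io"
        - "/proc/1/"
EOF

  printf '%s\n' " ✓ TracingPolicies appliquées"
}

#######################################
# Apply a default deny-all (ingress + egress) NetworkPolicy in "default".
# Egress deny also blocks DNS: workloads in that namespace need an explicit
# egress allow to kube-dns before they can resolve names.
#######################################
apply_default_deny() {
  printf '\n%s\n\n' "Application de la NetworkPolicy deny-all dans le namespace default..."

  kubectl apply -f - <<'EOF'
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: default
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
EOF

  printf '\n%s\n' " ✓ NetworkPolicy deny-all appliquée (namespace: default)"
}

#######################################
# Print the post-install checks and the access hints for Hubble/Tetragon.
#######################################
verify_install() {
  printf '\n%s\n\n' "=== Vérifications ==="
  printf '%s\n' "1. Statut Cilium:"
  cilium status
  printf '\n%s\n' "2. Pods Tetragon:"
  kubectl get pods -n kube-system -l app.kubernetes.io/name=tetragon
  printf '\n%s\n' "3. TracingPolicies:"
  # The CRD can lag the chart install; listing is best-effort on purpose.
  kubectl get tracingpolicies 2>/dev/null \
    || printf '%s\n' " (CRD TracingPolicy en cours d'initialisation)"
  printf '\n%s\n' "4. Nœuds (doivent être Ready):"
  kubectl get nodes
  printf '\n%s\n\n' "✓ Cilium + Hubble + Tetragon installés avec succès!"
  printf '%s\n' "Accès à Hubble UI (depuis le master) :"
  printf '%s\n' " kubectl port-forward -n kube-system svc/hubble-ui 8080:80 &"
  printf '%s\n\n' " Puis ouvrir http://localhost:8080"
  printf '%s\n' "Logs Tetragon en temps réel :"
  printf '%s\n' " kubectl logs -n kube-system -l app.kubernetes.io/name=tetragon -f | jq '.'"
}

#######################################
# Entry point: resolve the API server from kubeconfig, then run each step.
# Globals: scratch_dir (written), CILIUM_CLI_ARCH (read, optional)
#######################################
main() {
  local server hostport host port arch

  require_tools
  trap cleanup EXIT
  scratch_dir=$(mktemp -d) || die "mktemp a échoué"

  server=$(kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}') \
    || die "impossible de lire le kubeconfig"
  hostport=$(apiserver_host_port "$server") \
    || die "impossible de déterminer l'adresse de l'API server (${server})"
  host=${hostport%% *}
  port=${hostport##* }
  arch="${CILIUM_CLI_ARCH:-$(detect_arch)}"

  printf '%s\n' "=== Installation Cilium ${CILIUM_VERSION} + Hubble + Tetragon ${TETRAGON_VERSION} ==="
  printf '%s\n\n' "API server : ${host}:${port}"

  install_cilium_cli "$arch"
  add_helm_repo
  install_cilium "$host" "$port"
  install_tetragon
  apply_tracing_policies
  apply_default_deny
  verify_install
}

main "$@"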