This program provides integrity monitoring that checks the container's file system to determine if they have been maliciously modified. If the program detects that files have been modified, updated, added, or compromised, it rolls back the deployment to the previous version. This application consists of two repositories: the integrity-sum and the integrity-mutator .
Repository integrity-sum injects hasher-sidecar into your modules as a sidecar container. sidecar integrity is a golang implementation of a hasher that calculates the checksum of files using various algorithms in kubernetes:
- MD5
- SHA256
- SHA1
- SHA224
- SHA384
- SHA512
- BEE2 (optional)
Repository integrity-mutator implements sidecar container for monitoring.
$ cd path/to/install
$ git clone https://github.com/ScienceSoft-Inc/k8s-container-integrity-monitor.git
Initialize and update submodules
$ git submodule init
$ git submodule update --remote
The code only works running inside a pod in Kubernetes.
You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster.
If you do not already have a cluster, you can create one by using minikube.
Example https://minikube.sigs.k8s.io/docs/start/
To deploy app you need to install docker.
Example https://docs.docker.com/engine/install/
Before using helm charts you need to install helm on your local machine.
You can find the necessary installation information at this link https://helm.sh/docs/intro/install/
To work properly, you first need to set the configuration files:
- values in the file
helm-charts/database-to-integrity-sum/values.yaml - values in the file
helm-charts/demo-apps-to-monitor/values.yaml - values in the file
helm-charts/mutator/values.yaml
-
You should go to the README.md in the
./integrity-mutatorproject, set all the configurations and deploy. -
You should go to the README.md in the
./integrity-sumproject project, set all the configurations and deploy. However, you need to go to the"Run application"section and configure the dependencies that are indicated by"Need to install dependencies".
Install helm chart from the project root, for example:
helm install app helm-charts/demo-apps-to-monitor
You can use make function.
make all
Sometimes you may find that pod is injected with sidecar container as expected, check the following items:
- The pod is in running state with
integritysidecar container injected and no error logs. - Check if the application pod has the correct annotations as described above.
This project uses the MIT software license. See full license file