siarhei-shliayonkin/k8s-container-integrity-monitor

k8s-container-integrity-monitor

This program provides integrity monitoring that checks files or directories inside a container to determine whether they have been tampered with or corrupted.
k8s-container-integrity-monitor, a form of change auditing, verifies and validates these files by comparing their checksums to the data stored in the database.

If the program detects that files have been altered, updated, added or compromised, it rolls back the deployment to a previous version.

k8s-container-integrity-monitor injects a hasher container running the Integrity-sum app into pods that carry the "hasher-certificates-injector-sidecar" label.
Integrity-sum is a hash calculation implementation in Go that monitors file checksums in Kubernetes using one of the following algorithms:

  • MD5
  • SHA256
  • SHA1
  • SHA224
  • SHA384
  • SHA512
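The core of the monitor described above is: hash every file under a watched path, keep the result as a baseline, re-hash later and diff. The following is an added example written for this README, not the project's Integrity-sum code or its database schema: it keeps the baseline in an in-memory map instead of Postgres (an assumption to make it run offline), supports the six algorithms listed above by name, and reports modified, added and deleted files. Note that MD5 and SHA1 are not collision resistant; against a deliberate attacker, rather than accidental corruption, prefer SHA256 or stronger for the baseline.

```go
package main

import (
	"crypto/md5"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/sha512"
	"encoding/hex"
	"fmt"
	"hash"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Snapshot maps a path relative to the monitored root to its checksum.
// The project keeps the baseline in Postgres; an in-memory map stands in here.
type Snapshot map[string]string

// Digest constructors for the algorithms listed above; unknown names are
// rejected rather than silently falling back to a weaker digest.
var hashers = map[string]func() hash.Hash{
	"MD5": md5.New, "SHA1": sha1.New, "SHA224": sha256.New224,
	"SHA256": sha256.New, "SHA384": sha512.New384, "SHA512": sha512.New,
}

// HashFile streams the file through the digest, so large binaries are never
// read into memory at once. Returns the lowercase hex checksum.
func HashFile(path, algo string) (string, error) {
	ctor, ok := hashers[algo]
	if !ok {
		return "", fmt.Errorf("unsupported algorithm %q", algo)
	}
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := ctor()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// TakeSnapshot hashes every regular file under root. Symlinks, devices and
// directories are skipped: following a symlink would let an attacker point
// the monitor at a file outside the watched tree.
func TakeSnapshot(root, algo string) (Snapshot, error) {
	snap := Snapshot{}
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || !d.Type().IsRegular() {
			return err
		}
		sum, err := HashFile(p, algo)
		if err != nil {
			return err
		}
		rel, err := filepath.Rel(root, p)
		if err != nil {
			return err
		}
		snap[filepath.ToSlash(rel)] = sum
		return nil
	})
	return snap, err
}

// Diff compares a fresh snapshot with the stored baseline and returns the
// files that were modified, added or deleted since the baseline was taken.
func Diff(baseline, current Snapshot) (modified, added, deleted []string) {
	for p, sum := range current {
		if base, ok := baseline[p]; !ok {
			added = append(added, p)
		} else if base != sum {
			modified = append(modified, p)
		}
	}
	for p := range baseline {
		if _, ok := current[p]; !ok {
			deleted = append(deleted, p)
		}
	}
	for _, s := range [][]string{modified, added, deleted} {
		sort.Strings(s) // deterministic output for logs and tests
	}
	return modified, added, deleted
}

func main() {
	root, _ := os.MkdirTemp("", "integrity") // constructed sample tree
	defer os.RemoveAll(root)
	os.WriteFile(filepath.Join(root, "app.conf"), []byte("port=8080\n"), 0o644)
	baseline, _ := TakeSnapshot(root, "SHA256")
	os.WriteFile(filepath.Join(root, "app.conf"), []byte("port=9090\n"), 0o644) // tamper
	current, _ := TakeSnapshot(root, "SHA256")
	m, a, d := Diff(baseline, current)
	fmt.Println("modified:", m, "added:", a, "deleted:", d)
}
```

In the real deployment the baseline would be written once at pod start and every later snapshot compared against it; any non-empty result from Diff is the trigger for the rollback the README describes. Keys are stored as slash-separated relative paths so a baseline taken in one container can be compared with a snapshot of the same image elsewhere.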

Architecture

Component diagram

File location: docs/diagrams/projectStructure.png

Activity diagram

File location: docs/diagrams/deployDiagram.png

Statechart diagram

File location: docs/diagrams/appStatechartDiagram.png

Sequence diagram

File location: docs/diagrams/appSequenceDiagram.png

Getting Started

Clone repository and install dependencies

$ cd path/to/install
$ git clone https://github.com/ScienceSoft-Inc/k8s-container-integrity-monitor.git

Initialize and update submodules

$ git submodule init
$ git submodule update

🔨 Installing components

Running locally

The code only runs inside a pod in Kubernetes. You need a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with it. If you do not already have a cluster, you can create one with minikube.
See https://minikube.sigs.k8s.io/docs/start/

Install Docker

To deploy the app you need to install Docker.
See https://docs.docker.com/engine/install/

Install Helm

Before using the Helm charts you need to install Helm on your local machine.
Installation instructions: https://helm.sh/docs/intro/install/

Configuration

To work properly, you first need to set the configuration files:

  • values in the file helm-charts/database-to-integrity-sum/values.yaml
  • values in the file helm-charts/demo-apps-to-monitor/values.yaml
  • values in the file helm-charts/mutator/values.yaml

Manual start

  • Start minikube:
minikube start
  1. Go to the README.md (Generate certificates) in the ./k8s-container-integrity-mutator project and set all the settings and certificates.
cd integrity-mutator

Set certificates.

Open the file patch-json-command.json
and change "envFrom":"secretRef":"name" to the name of the database secret. That name is composed of the Helm release name of the database chart (db in the helm install example below) and the secretName value from the file helm-charts/database-to-integrity-sum/values.yaml; if it does not match, the injected sidecar starts without its database credentials.

Move patch-json-command to mutator directory:

cd ./..
cp patch-json-command.json integrity-mutator/

Download the named modules into the module cache

go mod download

Build the mutator Docker image:

eval $(minikube docker-env)
cd integrity-mutator
docker build -t mutator .

or

eval $(minikube docker-env)
docker build -t mutator -f integrity-mutator/Dockerfile .

Install the Helm chart from the project root, for example:

helm install mutator helm-charts/mutator
  2. Install the database using the Helm chart from the project root.

Update the on-disk dependencies to mirror Chart.yaml.

helm dependency update helm-charts/database-to-integrity-sum

Install the Helm chart from the project root, for example:

helm install db helm-charts/database-to-integrity-sum
  3. Go to the ./integrity-sum project and set the environment variables in the .env file.

Download the named modules into the module cache

go mod download

Build the hasher Docker image:

eval $(minikube docker-env)
cd integrity-sum
docker build -t hasher .

or

eval $(minikube docker-env)
docker build -t hasher -f integrity-sum/Dockerfile .

Install the Helm chart from the project root, for example:

helm install app helm-charts/demo-apps-to-monitor

Quick start

Using Makefile

You can use make instead of the manual steps.
The following targets run all the necessary cleaning targets and dependencies for the project, according to your OS:

make all-darwin
make all-linux
make all-windows

Remove the installed Helm deployments and stop minikube:

make stop

Troubleshooting

If a pod is not injected with the sidecar container as expected, check the following items (a pod without the sidecar is not monitored at all, so this is worth verifying after every deployment):

  1. The pod is in the Running state with the hasher-sidecar sidecar container injected and no error logs.
  2. The application demo pod has the correct label hasher-certificates-injector-sidecar: "true" and main-process-name set.
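The checklist above can be run mechanically over the JSON that `kubectl get pod <name> -o json` prints. The following is an added example written for this README, not code from the project: it parses the subset of the Pod object the checks need and returns every failing item. The label name and the sidecar container name come from the text above; where main-process-name lives (label or annotation) is an assumption of this example, so both locations are accepted. The two sample pods are constructed, not captured from a cluster.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// pod is the subset of `kubectl get pod <name> -o json` output the checks need.
type pod struct {
	Metadata struct {
		Name        string            `json:"name"`
		Labels      map[string]string `json:"labels"`
		Annotations map[string]string `json:"annotations"`
	} `json:"metadata"`
	Spec struct {
		Containers []struct {
			Name string `json:"name"`
		} `json:"containers"`
	} `json:"spec"`
	Status struct {
		Phase string `json:"phase"`
	} `json:"status"`
}

// CheckPod runs the troubleshooting checklist over one pod and returns every
// item that fails; an empty slice means the sidecar injection looks healthy.
func CheckPod(raw []byte) ([]string, error) {
	var p pod
	if err := json.Unmarshal(raw, &p); err != nil {
		return nil, fmt.Errorf("parse pod: %w", err)
	}
	var problems []string
	if p.Metadata.Labels["hasher-certificates-injector-sidecar"] != "true" {
		problems = append(problems, `label hasher-certificates-injector-sidecar is not "true"`)
	}
	// Assumption of this example: main-process-name may be a label or an
	// annotation, so either location satisfies the check.
	if p.Metadata.Labels["main-process-name"] == "" && p.Metadata.Annotations["main-process-name"] == "" {
		problems = append(problems, "main-process-name is not set")
	}
	injected := false
	for _, c := range p.Spec.Containers {
		if c.Name == "hasher-sidecar" {
			injected = true
		}
	}
	if !injected {
		problems = append(problems, "hasher-sidecar container is missing: pod is not monitored")
	}
	if p.Status.Phase != "Running" {
		problems = append(problems, "pod phase is "+p.Status.Phase+", expected Running")
	}
	return problems, nil
}

// Constructed sample pods standing in for kubectl output.
const healthyPod = `{"metadata":{"name":"demo-pod","labels":{"hasher-certificates-injector-sidecar":"true","main-process-name":"nginx"}},
"spec":{"containers":[{"name":"nginx"},{"name":"hasher-sidecar"}]},"status":{"phase":"Running"}}`

const unlabeledPod = `{"metadata":{"name":"demo-pod","labels":{"app":"demo"}},
"spec":{"containers":[{"name":"nginx"}]},"status":{"phase":"Running"}}`

func main() {
	for _, raw := range []string{healthyPod, unlabeledPod} {
		problems, err := CheckPod([]byte(raw))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Println(len(problems), "problem(s):", problems)
	}
}
```

A pod that was created before the mutator webhook was installed will show exactly the second pattern (label present or absent, no hasher-sidecar container): the webhook only sees admission requests, so such pods must be recreated to be injected.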

License

This project uses the MIT software license. See the full license file.
