TANZU EMBEDDED HARBOR (tested beforehand)
- TANZU EMBEDDED HARBOR admin password
- Register the TANZU EMBEDDED HARBOR certificate in TKG
- Configure the Harbor certificate as a trusted certificate on the jump host
Prerequisites
Docker v18.09+ (Docker installation reference link)
GNU Make
git
Helm3 (see: Using Helm charts from the UI with kubeapps)
OpenSSL https://github.com/OpenVPN/easy-rsa.git
To run pods on TKG, the configuration below is required (reference link)
The command below is used when deploying on TKG; it is not needed on a native Kubernetes cluster.
kubectl create clusterrolebinding default-tkg-admin-privileged-binding --clusterrole=psp:vmware-system-privileged --group=system:authenticated
Install required packages
apt install git make make-guile -y
NAP installation
Certificate generation
cd /var/tmp
k create ns ingress-nginx
git clone https://github.com/OpenVPN/easy-rsa.git
cd easy-rsa/easyrsa3/
./easyrsa init-pki
./easyrsa build-ca
Generate the wildcard certificate
./easyrsa gen-req wildcard
./easyrsa sign-req server wildcard
Create the secret (the easy-rsa key is passphrase-protected, so it is first exported unencrypted for the TLS secret)
openssl rsa -in /var/tmp/easy-rsa/easyrsa3/pki/private/wildcard.key -out /var/tmp/easy-rsa/easyrsa3/pki/private/wildcard-unencrypted.key
kubectl create secret tls wildcard-tls --key /var/tmp/easy-rsa/easyrsa3/pki/private/wildcard-unencrypted.key --cert /var/tmp/easy-rsa/easyrsa3/pki/issued/wildcard.crt -n ingress-nginx
k get secret -n ingress-nginx
cd /var/tmp
git clone https://github.com/nginxinc/kubernetes-ingress/
helm repo add nginx-stable https://helm.nginx.com/stable
cd /var/tmp/kubernetes-ingress/deployments/helm-chart
git checkout v1.11.3
REGISTRY=<registry IP or FQDN> ## Harbor IP or FQDN
NS=<your namespace> ## namespace to install into: ingress-nginx
Example
REGISTRY=10.253.106.46
NS=ingress-nginx
The ingress-nginx project must already exist in Harbor beforehand (for Tanzu, the admin password must be looked up)
If you request an NGINX license, it can be used free of charge for 30 days
Save the license files in the /var/tmp/kubernetes-ingress folder
cd /var/tmp/kubernetes-ingress
make debian-image-nap-plus PREFIX=$REGISTRY/$NS/nginx-plus-ingress TARGET=container
The build proceeds as above; when it finishes, you can confirm that the image is present in Docker.
docker images
docker login {harbor IP OR FQDN}
Example
docker login 10.253.106.46
If you push the image to Harbor and Harbor is accessed by FQDN rather than IP, re-tag the image with the FQDN.
Change the tag as shown below and upload the image to Harbor; if the registry is addressed by IP, push it without changes.
docker tag {IMAGE ID} 10.253.106.46/ingress-nginx/nginx-plus-ingress
make push PREFIX=$REGISTRY/$NS/nginx-plus-ingress
Example
make push PREFIX=$REGISTRY/$NS/nginx-plus-ingress
Verify that the image was uploaded to Harbor
Create the Harbor pull secret
kubectl create secret generic regcred --from-file=.dockerconfigjson=$HOME/.docker/config.json --type=kubernetes.io/dockerconfigjson -n ingress-nginx
Run NGINX
cd deployments/helm-chart
cp values-plus.yaml values-plus.yaml.orig
vi values-plus.yaml
controller:
  replicaCount: 1
  nginxplus: true
  image:
    repository: 10.253.106.46/ingress-nginx/nginx-plus-ingress
    tag: "1.11.3"
  service:
    externalTrafficPolicy: Cluster
  appprotect:
    ## Enable the App Protect module in the Ingress Controller.
    enable: true
  wildcardTLS:
    ## The base64-encoded TLS certificate for every Ingress host that has TLS enabled but no secret specified.
    ## If the parameter is not set, for such Ingress hosts NGINX will break any attempt to establish a TLS connection.
    cert: ""
    ## The base64-encoded TLS key for every Ingress host that has TLS enabled but no secret specified.
    ## If the parameter is not set, for such Ingress hosts NGINX will break any attempt to establish a TLS connection.
    key: ""
    ## The secret with a TLS certificate and key for every Ingress host that has TLS enabled but no secret specified.
    ## The value must follow the following format: `<namespace>/<name>`.
    ## Used as an alternative to specifying a certificate and key using `controller.wildcardTLS.cert` and `controller.wildcardTLS.key` parameters.
    ## Format: <namespace>/<secret_name>
    secret: ingress-nginx/wildcard-tls
  serviceAccount:
    ## The name of the service account of the Ingress controller pods. Used for RBAC.
    ## Autogenerated if not set or set to "".
    name: ingress-nginx
    ## The name of the secret containing docker registry credentials.
    ## Secret must exist in the same namespace as the helm release.
    imagePullSecretName: "regcred"
Run Helm
kubectl apply -f https://raw.githubusercontent.com/f5devcentral/f5-bd-tanzu-tkg-nginxplus/main/nginx-psp.yaml
helm install ingress-nginx nginx-stable/nginx-ingress -f values-plus.yaml -n ingress-nginx
Verify
kubectl -n ingress-nginx get all
NAP test
Download the files and apply them
kubectl create ns test
wget https://raw.githubusercontent.com/f5devcentral/f5-bd-tanzu-tkg-nginxplus/main/cafe-rbac.yaml
wget https://raw.githubusercontent.com/f5devcentral/f5-bd-tanzu-tkg-nginxplus/main/cafe.yaml
wget https://raw.githubusercontent.com/f5devcentral/f5-bd-tanzu-tkg-nginxplus/main/cafe-ingress.yaml
k apply -f cafe-rbac.yaml -n test
k apply -f cafe.yaml -n test
vi cafe-ingress.yaml (change the host to the domain the certificate was created for)
k apply -f cafe-ingress.yaml -n test
Check the ingress
k get ingress -n test
Verify with Postman
SYSLOG configuration
wget https://raw.githubusercontent.com/f5devcentral/f5-bd-tanzu-tkg-nginxplus/main/syslog-rbac.yaml
wget https://raw.githubusercontent.com/f5devcentral/f5-bd-tanzu-tkg-nginxplus/main/syslog.yaml
k apply -f syslog-rbac.yaml -n ingress-nginx
k apply -f syslog.yaml -n ingress-nginx
wget https://raw.githubusercontent.com/f5devcentral/f5-bd-tanzu-tkg-nginxplus/main/ap-apple-uds.yaml
wget https://raw.githubusercontent.com/f5devcentral/f5-bd-tanzu-tkg-nginxplus/main/ap-dataguard-alarm-policy.yaml
wget https://raw.githubusercontent.com/f5devcentral/f5-bd-tanzu-tkg-nginxplus/main/ap-logconf.yaml
k apply -f ap-apple-uds.yaml -n test
k apply -f ap-dataguard-alarm-policy.yaml -n test
k apply -f ap-logconf.yaml -n test
wget https://raw.githubusercontent.com/f5devcentral/f5-bd-tanzu-tkg-nginxplus/main/cafe-ingress-ap.yaml
Check the syslog pod IP
k get pod -n ingress-nginx -o wide
SYSLOG_IP=10.101.196.7
vi cafe-ingress-ap.yaml
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: cafe-ingress
  annotations:
    appprotect.f5.com/app-protect-policy: "test/dataguard-alarm"
    appprotect.f5.com/app-protect-enable: "True"
    appprotect.f5.com/app-protect-security-log-enable: "True"
    appprotect.f5.com/app-protect-security-log: "test/logconf"
    appprotect.f5.com/app-protect-security-log-destination: "syslog:server=SYSLOG:514"
spec:
  ingressClassName: nginx # use only with k8s version >= 1.18.0
  tls:
  - hosts:
    - cafe.vcf.local ## change to the same domain as the certificate
  rules:
  - host: cafe.vcf.local ## change to the same domain as the certificate
    http:
      paths:
      - path: /tea
        backend:
          serviceName: tea-svc
          servicePort: 80
      - path: /coffee
        backend:
          serviceName: coffee-svc
          servicePort: 80
sed -e "s/SYSLOG/$SYSLOG_IP/" cafe-ingress-ap.yaml > cafe-ingress-ap-syslog.yaml
kubectl apply -n test -f cafe-ingress-ap-syslog.yaml
k get ingress -n test
Check the syslog pod name
k get pod -n ingress-nginx
The block messages can be viewed through syslog
kubectl -n ingress-nginx exec -it syslog-65d847447d-ghbvq -- tail -f /var/log/messages
Send the same request again with Postman
The reject shown below appears in the response,
and although the capture is hard to read, the attack log looks like the following
Log contents
Jun 14 14:54:54 ingress-nginx-ingress-5d575b8bb7-zthhm ASM:attack_type="Non-browser Client,Brute Force Attack,JSON Parser Attack",blocking_exception_reason="N/A",date_time="2021-06-14 14:54:54",dest_port="443",ip_client="192.168.2.1",is_truncated="false",method="POST",policy_name="dataguard-alarm",protocol="HTTPS",request_status="blocked",response_code="0",severity="Critical",sig_cves="N/A",sig_ids="300000000",sig_names="Apple_medium_acc [Fruits]",sig_set_names="{apple_sigs}",src_port="52497",sub_violations="N/A",support_id="13786170582400656411",threat_campaign_names="N/A",unit_hostname="ingress-nginx-ingress-5d575b8bb7-zthhm",uri="/coffee",violation_rating="3",vs_name="24-cafe.vcf.local:9-/coffee",x_forwarded_for_header_value="N/A",outcome="REJECTED",outcome_reason="SECURITY_WAF_VIOLATION",violations="Attack signature detected,Malformed JSON data,Bot Client Detected",violation_details="<?xml version='1.0' encoding='UTF-8'?><BAD_MSG><violation_masks><block>10000000200c00-3030430000070</block><alarm>2477f0ffcbbd0fea-8003f35cb000007c</alarm><learn>200000-20</learn><staging>0-0</staging></violation_masks><request-violations><violation><viol_index>42</viol_index><viol_name>VIOL_ATTACK_SIGNATURE</viol_name><context>request</context><sig_data><sig_id>300000000</sig_id><blocking_mask>7</blocking_mask><kw_data><buffer>YXBwbGU=</buffer><offset>0</offset><length>5</length></kw_data></sig_data></violation><violation><viol_index>52</viol_index><viol_name>VIOL_JSON_MALFORMED</viol_name><context>URL</context><object_data><object>L2NvZmZlZQ==</object><object_pattern>*</object_pattern></object_data><staging>0</staging><content_profile_data><type>JSON</type><content_id>14</content_id><content_profile_id>4</content_profile_id><content_profile_name>Default</content_profile_name><buffer>YQ==</buffer><index>0</index><location>element value</location><error_code>12</error_code><specific_desc>Malformed document</specific_desc><fault_detail>Illegal character encountered - json syntax 
error</fault_detail></content_profile_data></violation></request-violations></BAD_MSG>",bot_signature_name="Postman",bot_category="HTTP Library",bot_anomalies="N/A",enforced_bot_anomalies="N/A",client_class="Untrusted Bot",request="POST /coffee HTTP/1.1\r\nContent-Type: application/json\r\nUser-Agent: PostmanRuntime/7.28.0\r\nAccept: /\r\nPostman-Token: 06a81dfb-49d4-4564-a051-5871d13c6432\r\nHost: cafe.vcf.local\r\nAccept-Encoding: gzip, deflate, br\r\nConnection: keep-alive\r\nContent-Length: 5\r\n\r\napple"
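Added example (not from the original post): a parser for the App Protect key="value" security-log line format shown above, run over a constructed, abridged line that keeps the same fields as the post's log. It decodes the base64 buffers inside violation_details so the matched request data is readable for triage.

```python
import base64
import re

# Constructed sample line in the App Protect "ASM:" key="value" syslog format,
# abridged from the blocked POST /coffee request quoted in the post.
SAMPLE_LINE = (
    'Jun 14 14:54:54 ingress-nginx-ingress-5d575b8bb7-zthhm ASM:'
    'attack_type="Non-browser Client,Brute Force Attack,JSON Parser Attack",'
    'ip_client="192.168.2.1",method="POST",policy_name="dataguard-alarm",'
    'request_status="blocked",severity="Critical",sig_ids="300000000",'
    'sig_names="Apple_medium_acc [Fruits]",support_id="13786170582400656411",'
    'uri="/coffee",outcome="REJECTED",outcome_reason="SECURITY_WAF_VIOLATION",'
    'violations="Attack signature detected,Malformed JSON data,Bot Client Detected",'
    'violation_details="<?xml version=\'1.0\' encoding=\'UTF-8\'?><BAD_MSG>'
    '<sig_data><sig_id>300000000</sig_id><kw_data><buffer>YXBwbGU=</buffer>'
    '</kw_data></sig_data><object_data><object>L2NvZmZlZQ==</object>'
    '</object_data></BAD_MSG>",bot_signature_name="Postman",'
    'client_class="Untrusted Bot",'
    'request="POST /coffee HTTP/1.1\\r\\nHost: cafe.vcf.local\\r\\n\\r\\napple"'
)

# One key="value" pair; values carry no unescaped double quote in this format.
_KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')
# App Protect base64-encodes the matched request data inside violation_details.
_B64_TAG_RE = re.compile(r"<(buffer|object)>([A-Za-z0-9+/=]+)</\1>")
_LIST_FIELDS = ("attack_type", "violations", "sig_ids", "sig_names")


def parse_nap_log(line: str) -> dict:
    """Turn one ASM: syslog line into a dict; comma-separated fields become lists."""
    marker = "ASM:"
    idx = line.find(marker)
    if idx < 0:
        raise ValueError("not an App Protect ASM log line")
    record = dict(_KV_RE.findall(line[idx + len(marker):]))
    for field in _LIST_FIELDS:
        if field in record:
            record[field] = [v for v in record[field].split(",") if v and v != "N/A"]
    record["matched_data"] = [
        base64.b64decode(b64).decode("utf-8", "replace")
        for _tag, b64 in _B64_TAG_RE.findall(record.get("violation_details", ""))
    ]
    return record


def is_blocked(record: dict) -> bool:
    """True only when the request was actually enforced, not merely alarmed on."""
    return record.get("request_status") == "blocked" and record.get("outcome") == "REJECTED"
```

The same parser can be pointed at the output of the `tail -f /var/log/messages` command above, one line at a time.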
The logstash yaml file needs to be modified
vi logstash_test.yaml
Change the port to 5144
The output must be changed to elasticsearch and the index name updated
In the ingress settings, set the syslog server to the logstash cluster IP
k edit ingress cafe-ingress -n test
syslog:server= {change to the logstash address}
Example
syslog:server=10.101.182.155:5144
Import the following files into Kibana
mkdir -p /var/tmp/kibana
cp false-positive-dashboards.ndjson /var/tmp/kibana
cp overview-dashboard.ndjson /var/tmp/kibana
Kibana import
KIBANA_URL={FQDN or IP}
Example
cd /var/tmp
KIBANA_URL=http://kibana.vcf.local:5601
jq -s . kibana/overview-dashboard.ndjson | jq '{"objects": . }' | \
curl -k --location --request POST "$KIBANA_URL/api/kibana/dashboards/import" \
--header 'kbn-xsrf: true' \
--header 'Content-Type: text/plain' -d @- \
| jq
jq -s . kibana/false-positive-dashboards.ndjson | jq '{"objects": . }' | \
curl -k --location --request POST "$KIBANA_URL/api/kibana/dashboards/import" \
--header 'kbn-xsrf: true' \
--header 'Content-Type: text/plain' -d @- \
| jq
Once complete, you can see in Kibana that the index pattern (waf-logs-*) has been added
You can also see that the dashboards have been created