Installing Security-Guard

Here we show how to install Security-Guard in Knative. Security-Guard is an enhancement to Knative Serving and must be installed after Knative Serving has been installed successfully.

Using Security-Guard requires that your cluster use an enhanced queue-proxy image.

In addition, Security-Guard includes automation for auto-learning a per-service Guardian. Auto-learning requires you to deploy a guard-service on your Kubernetes cluster. guard-service should be installed in the knative-serving namespace.

In production you would typically also wish to enable TLS and token support to protect the queue-proxy communication with the guard-service, as described below.

Before you begin

Before installing Security-Guard, learn about Security-Guard

Install steps

To start this tutorial, after installing Knative Serving, follow one of the procedures below to replace your queue-proxy image and deploy a guard-service.

Install from source

  1. Clone the Security-Guard repository using git clone git@github.com:knative-extensions/security-guard.git

  2. Do cd security-guard

  3. Run ko apply -Rf ./config

Install from released images and yamls

Use released images to update your system to enable Security-Guard:

  1. Set the feature named queueproxy.mount-podinfo to allowed in the config-features ConfigMap.

     An easy way to do that is using:

         kubectl apply -f https://raw.githubusercontent.com/knative-extensions/security-guard/release-0.4/config/deploy/config-features.yaml

  2. Set the deployment parameter queue-sidecar-image to gcr.io/knative-releases/knative.dev/security-guard/cmd/queue in the config-deployment ConfigMap.

     An easy way to do that is using:

         kubectl apply -f https://github.com/knative-extensions/security-guard/releases/download/v0.4.0/queue-proxy.yaml

  3. Add the necessary Security-Guard resources to your cluster using:

         kubectl apply -f https://raw.githubusercontent.com/knative-extensions/security-guard/release-0.4/config/resources/gateAccount.yaml
         kubectl apply -f https://raw.githubusercontent.com/knative-extensions/security-guard/release-0.4/config/resources/serviceAccount.yaml
         kubectl apply -f https://raw.githubusercontent.com/knative-extensions/security-guard/release-0.4/config/resources/guardiansCrd.yaml

  4. Deploy guard-service on your system to enable automated learning of micro-rules.

     An easy way to do that is using:

         kubectl apply -f https://github.com/knative-extensions/security-guard/releases/download/v0.4.0/guard-service.yaml

Install using the Knative Operator

Note

The example below shows a case where the Kourier ingress is used; make the necessary changes when installing with Istio or Contour.

Example script to install Security-Guard and Serving with Kourier using the Knative Operator.

    kubectl apply --filename - <<EOF
    apiVersion: v1
    kind: Namespace
    metadata:
      name: knative-serving
    ---
    apiVersion: operator.knative.dev/v1beta1
    kind: KnativeServing
    metadata:
      name: knative-serving
      namespace: knative-serving
    spec:
      security:
        securityGuard:
          enabled: true
      ingress:
        kourier:
          enabled: true
      config:
        network:
          ingress.class: "kourier.ingress.networking.knative.dev"
    EOF
    kubectl apply -f https://raw.githubusercontent.com/knative-extensions/security-guard/release-0.4/config/resources/gateAccount.yaml

Per Namespace Setup

In order to deploy guard-protected services in a namespace, grant guard-gate the necessary permissions in each namespace you use:

    kubectl apply -f https://raw.githubusercontent.com/knative-extensions/security-guard/release-0.4/config/resources/gateAccount.yaml

Additional Production Configuration

It is recommended to secure the communication between queue-proxy and guard-service using one of the following methods:

Manual changes

  1. Add GUARD_SERVICE_TLS=true to the environment of guard-service to enable TLS and server-side authentication using a Knative-issued certificate. guard-service will use the keys in the knative-serving-certs secret of the knative-serving namespace.

  2. Add GUARD_SERVICE_AUTH=true to the environment of guard-service to enable client-side authentication using tokens.

  3. Set the queue-sidecar-rootca parameter of the config-deployment ConfigMap in the knative-serving namespace to the CA certificate (public key) stored under the ca-cert.pem key in the knative-serving-certs secret of the knative-serving namespace. This informs queue-proxy to use TLS and to accept the guard-service certificates.

  4. Set queue-sidecar-token-audiences = "guard-service" in the config-deployment ConfigMap in the knative-serving namespace. This produces a token with audience guard-service for every queue-proxy instance.

Using scripts

Use the following script to set TLS and token support in guard-service:

    echo "Add TLS and Tokens to guard-service"
    kubectl patch deployment guard-service -n knative-serving -p '{"spec":{"template":{"spec":{"containers":[{"name":"guard-service","env":[{"name": "GUARD_SERVICE_TLS", "value": "true"}, {"name": "GUARD_SERVICE_AUTH", "value": "true"}]}]}}}}'

Use the following script to set TLS and token support in guard-gates:

    echo "Copy the certificate to a temporary file"
    ROOTCA="$(mktemp)"
    FILENAME=`basename $ROOTCA`
    kubectl get secret -n knative-serving knative-serving-certs -o json | jq -r '.data."ca-cert.pem"' | base64 -d > $ROOTCA
    echo "Get the certificate in a configmap friendly form"
    CERT=`kubectl create cm config-deployment --from-file $ROOTCA -o json --dry-run=client | jq .data.\"$FILENAME\"`
    echo "Add TLS and Tokens to config-deployment configmap"
    kubectl patch cm config-deployment -n knative-serving -p '{"data":{"queue-sidecar-token-audiences": "guard-service", "queue-sidecar-rootca": '"$CERT"'}}'
    echo "cleanup"
    rm $ROOTCA

Use the following script to read the TLS and token settings of both guard-service and guard-gates:

    echo "Results:"
    kubectl get cm config-deployment -n knative-serving -o json | jq '.data'
    kubectl get deployment guard-service -n knative-serving -o json | jq .spec.template.spec.containers[0].env
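The four settings listed under Manual changes above only protect the connection when both sides agree, and the read-back script just shown prints them raw. The following check is added here (it is not part of the Security-Guard project): it consumes the JSON that those two kubectl commands emit and flags mismatches between the guard-service environment and the config-deployment ConfigMap. The two sample documents are constructed, and the PEM check is a marker check only, not certificate validation.

```python
import json

# Constructed samples (not real cluster output) shaped like
# `kubectl get cm config-deployment -n knative-serving -o json` and
# `kubectl get deployment guard-service -n knative-serving -o json`,
# reduced to the fields the check reads.
SAMPLE_CM = json.loads('''{"kind": "ConfigMap", "metadata": {"name": "config-deployment"},
  "data": {"queue-sidecar-image": "gcr.io/knative-releases/knative.dev/security-guard/cmd/queue",
           "queue-sidecar-token-audiences": "guard-service",
           "queue-sidecar-rootca": ""}}''')
SAMPLE_DEPLOY = json.loads('''{"kind": "Deployment", "metadata": {"name": "guard-service"},
  "spec": {"template": {"spec": {"containers": [{"name": "guard-service",
    "env": [{"name": "GUARD_SERVICE_TLS", "value": "true"},
            {"name": "GUARD_SERVICE_AUTH", "value": "true"}]}]}}}}''')


def guard_env(deploy):
    """Return {name: value} for the env vars of the guard-service container."""
    for c in deploy["spec"]["template"]["spec"]["containers"]:
        if c["name"] == "guard-service":
            return {e["name"]: e.get("value", "") for e in c.get("env", [])}
    return {}


def looks_like_pem_cert(text):
    """Cheap sanity check on the value copied from ca-cert.pem (markers only)."""
    return text.startswith("-----BEGIN CERTIFICATE-----") and "-----END CERTIFICATE-----" in text


def check_guard_security(cm, deploy):
    """Compare the guard-service side (env vars) with the queue-proxy side
    (config-deployment keys). Returns a list of findings; empty means consistent."""
    data, env = cm.get("data", {}), guard_env(deploy)
    tls = env.get("GUARD_SERVICE_TLS") == "true"
    auth = env.get("GUARD_SERVICE_AUTH") == "true"
    rootca = data.get("queue-sidecar-rootca", "")
    audiences = data.get("queue-sidecar-token-audiences", "")
    findings = []
    if tls and not rootca:
        findings.append("GUARD_SERVICE_TLS=true but queue-sidecar-rootca is unset: queue-proxy is not told to use TLS")
    if not tls and rootca:
        findings.append("queue-sidecar-rootca is set but GUARD_SERVICE_TLS is not true: both sides must agree")
    if rootca and not looks_like_pem_cert(rootca):
        findings.append("queue-sidecar-rootca does not look like the PEM certificate from ca-cert.pem")
    if auth and audiences != "guard-service":
        findings.append('GUARD_SERVICE_AUTH=true but queue-sidecar-token-audiences is not "guard-service"')
    if not auth and audiences:
        findings.append("queue-sidecar-token-audiences is set but GUARD_SERVICE_AUTH is not true: token is issued but never verified")
    if not tls and not auth:
        findings.append("guard-service accepts unauthenticated plaintext connections; production should enable both")
    return findings


if __name__ == "__main__":
    for finding in check_guard_security(SAMPLE_CM, SAMPLE_DEPLOY):
        print("WARNING:", finding)
```

Feed it real output by replacing the two samples with `json.load()` of the kubectl results; an empty list means the settings on both sides match.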

Use the following script to unset TLS and token support in guard-service:

    echo "Remove TLS and Tokens from guard-service deployment"
    kubectl patch deployment guard-service -n knative-serving -p '{"spec":{"template":{"spec":{"containers":[{"name":"guard-service","env":[{"name": "GUARD_SERVICE_TLS", "value": "false"}, {"name": "GUARD_SERVICE_AUTH", "value": "false"}]}]}}}}'

Use the following script to unset TLS and token support in guard-gates:

    echo "Remove TLS and Tokens from config-deployment configmap"
    kubectl patch cm config-deployment -n knative-serving -p '{"data":{"queue-sidecar-token-audiences": "", "queue-sidecar-rootca": ""}}'

Using Knative Operator

Note

The example below shows a case where the Kourier ingress is used; make the necessary changes when installing with Istio or Contour.

Example script to install Security-Guard with TLS and Serving with Kourier using the Knative Operator.

    kubectl apply --filename - <<EOF
    apiVersion: v1
    kind: Namespace
    metadata:
      name: knative-serving
    ---
    apiVersion: operator.knative.dev/v1beta1
    kind: KnativeServing
    metadata:
      name: knative-serving
      namespace: knative-serving
    EOF
    echo "Waiting for secret to be created (CTRL-C to exit)"
    PEM=""
    while [[ -z $PEM ]]
    do
      echo -n "."
      sleep 1
      DOC=`kubectl get secret -n knative-serving knative-serving-certs -o json 2> /dev/null`
      PEM=`echo $DOC | jq -r '.data."ca-cert.pem"'`
    done
    echo " Secret found!"
    echo "Copy the certificate to file"
    ROOTCA="$(mktemp)"
    FILENAME=`basename $ROOTCA`
    echo $PEM | base64 -d > $ROOTCA
    echo "Create a temporary config-deployment configmap with the certificate"
    CERT=`kubectl create cm config-deployment --from-file $ROOTCA -o json --dry-run=client | jq .data.\"$FILENAME\"`
    echo "cleanup"
    rm $ROOTCA
    kubectl apply --filename - <<EOF
    apiVersion: operator.knative.dev/v1beta1
    kind: KnativeServing
    metadata:
      name: knative-serving
      namespace: knative-serving
    spec:
      deployments:
      - name: guard-service
        env:
        - container: guard-service
          envVars:
          - name: GUARD_SERVICE_TLS
            value: "true"
          - name: GUARD_SERVICE_AUTH
            value: "true"
      security:
        securityGuard:
          enabled: true
      ingress:
        kourier:
          enabled: true
      config:
        network:
          ingress.class: "kourier.ingress.networking.knative.dev"
        deployment:
          queue-sidecar-rootca: ${CERT}
          queue-sidecar-token-audiences: guard-service
    EOF