
Get started

In this guide you will learn how to get started with bifrost and how to secure an application running in Kubernetes. By the end of the guide your application will be running with a security profile derived from its own observed behaviour.

Prerequisites

  • A Kubernetes cluster.
  • A bifrost organization.
  • An application to secure, running in the Kubernetes cluster.

Install bifrost-agent

In the bifrost portal, create a new cluster and at least one environment. This guide uses two environments, dev and prod; take note of their names, since the pod annotations in the following steps refer to them. Creating the cluster generates an agent key, which you use to install bifrost-agent in your Kubernetes cluster. Replace <AGENT_KEY> with that key. Treat the agent key as a secret: keep it out of shell history and version control (for example by passing it through a Helm values file rather than on the command line).

Terminal window
helm install bifrost-agent --create-namespace --namespace bifrost \
--set agent.key=<AGENT_KEY> \
oci://public.ecr.aws/bifrostsec/charts/bifrost-agent

If the cluster uses Kubernetes Pod Security Admission, label the bifrost namespace with the privileged level. The agent needs the AUDIT_READ, MAC_ADMIN and NET_BROADCAST capabilities, which the baseline and restricted levels do not allow. The label only affects the bifrost namespace; your application namespaces keep their own levels.

Terminal window
kubectl label namespace bifrost pod-security.kubernetes.io/enforce=privileged --overwrite=true

Verify that the agent is running: the bifrost portal should list every node in your cluster. The agent runs as a DaemonSet, so one agent pod should be scheduled and Ready on each node; a node without a Ready agent pod is not monitored.
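A coverage check for the verification step above, written for this guide as an added example (it is not bifrost's own tooling): it reads the JSON that `kubectl get nodes -o json` and `kubectl -n bifrost get pods -l <selector> -o json` print and lists the nodes that have no Ready agent pod, which is what a node whose taints the DaemonSet does not tolerate, or a crash-looping agent, looks like. The agent pod label selector is an assumption about the chart, and the sample cluster data is constructed.

```python
import json

# Label selector for the agent pods: an assumption about the chart. Check it
# with `kubectl -n bifrost get pods --show-labels` before relying on it.
AGENT_SELECTOR = "app.kubernetes.io/name=bifrost-agent"


def node_names(nodes_json: str) -> set:
    """Names of all nodes, from `kubectl get nodes -o json`."""
    return {item["metadata"]["name"] for item in json.loads(nodes_json)["items"]}


def ready_agent_nodes(pods_json: str) -> set:
    """Nodes hosting an agent pod whose Ready condition is True.

    Input: `kubectl -n bifrost get pods -l <AGENT_SELECTOR> -o json`.
    A pod that is scheduled but not Ready (e.g. crash-looping) does not count.
    """
    covered = set()
    for pod in json.loads(pods_json)["items"]:
        conditions = pod.get("status", {}).get("conditions", [])
        ready = any(c.get("type") == "Ready" and c.get("status") == "True"
                    for c in conditions)
        node = pod.get("spec", {}).get("nodeName")
        if ready and node:
            covered.add(node)
    return covered


def unmonitored_nodes(nodes_json: str, pods_json: str) -> list:
    """Nodes with no Ready agent pod: workloads scheduled there are invisible to bifrost."""
    return sorted(node_names(nodes_json) - ready_agent_nodes(pods_json))


# Constructed sample output (not from a real cluster): a control-plane node the
# DaemonSet did not schedule onto, one worker with a non-Ready agent, and two
# healthy workers.
SAMPLE_NODES = json.dumps({"items": [
    {"metadata": {"name": n}}
    for n in ("control-plane", "worker-0", "worker-1", "worker-2")
]})
SAMPLE_PODS = json.dumps({"items": [
    {"spec": {"nodeName": "worker-0"},
     "status": {"conditions": [{"type": "Ready", "status": "True"}]}},
    {"spec": {"nodeName": "worker-1"},
     "status": {"conditions": [{"type": "Ready", "status": "False",
                                "reason": "ContainersNotReady"}]}},
    {"spec": {"nodeName": "worker-2"},
     "status": {"conditions": [{"type": "Ready", "status": "True"}]}},
]})

if __name__ == "__main__":
    import sys
    # Usage: python check_agent_coverage.py nodes.json pods.json
    # With no arguments the constructed sample is used.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f_nodes, open(sys.argv[2]) as f_pods:
            nodes, pods = f_nodes.read(), f_pods.read()
    else:
        nodes, pods = SAMPLE_NODES, SAMPLE_PODS
    missing = unmonitored_nodes(nodes, pods)
    print("unmonitored nodes:", ", ".join(missing) if missing else "none")
    sys.exit(1 if missing else 0)
```

On the sample data the script reports control-plane and worker-1. A non-empty list after installation usually means a taint the DaemonSet does not tolerate or an agent pod that is failing to start; either way those nodes produce no audit data, so fix that before trusting the profile built in the next section.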

Audit your application

Once the agent is running, you can start auditing your application by adding the bifrost labels and annotations to its pod template, usually the template in a Deployment. The example below uses podinfo:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: podinfo
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: podinfo
  template:
    metadata:
      annotations:
        environment.bifrost.com/name: dev # The environment you created in the bifrost portal
        profile.bifrost.com/mode: audit # Enables audit mode
        service.bifrost.com/name: podinfo # The name of your application as shown in the bifrost portal
      labels:
        app.kubernetes.io/name: podinfo
        bifrost.com/enabled: "true" # Required to use bifrost; must be the quoted string "true"
    spec:
      containers:
        - image: stefanprodan/podinfo:6.7.1
          imagePullPolicy: IfNotPresent
          name: podinfo
          ports:
            - containerPort: 9898
              name: http
          resources:
            requests:
              cpu: 1m
              memory: 16Mi

Once the new pod is running, podinfo appears as a service in the bifrost portal.

Lock down your application

We can now redeploy podinfo in enforce mode to prevent undesired behaviour. Podinfo gets a security profile based on its behaviour during audit mode, so leave audit mode running long enough to cover the application's normal activity (health checks, periodic jobs, the traffic you expect) before switching; behaviour the profile does not cover is treated as unexpected once enforcement is on. This example also moves podinfo from the dev environment to prod:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: podinfo
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: podinfo
  template:
    metadata:
      annotations:
        environment.bifrost.com/name: prod # The environment you created in the bifrost portal (was dev)
        profile.bifrost.com/mode: enforce # Enables enforce mode (was audit)
        service.bifrost.com/name: podinfo # The name of your application as shown in the bifrost portal
      labels:
        app.kubernetes.io/name: podinfo
        bifrost.com/enabled: "true" # Required to use bifrost; must be the quoted string "true"
    spec:
      containers:
        - image: stefanprodan/podinfo:6.7.1
          imagePullPolicy: IfNotPresent
          name: podinfo
          ports:
            - containerPort: 9898
              name: http
          resources:
            requests:
              cpu: 1m
              memory: 16Mi
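The switch from audit to enforce above changes two annotations in the pod template. As an added example, not part of bifrost or of this guide, the Python below validates the bifrost labels and annotations the guide uses, derives the enforce-mode manifest from the audit-mode one without modifying the original, and renders the equivalent JSON merge patch for `kubectl patch`. The validation rules are this example's reading of the guide, not a documented bifrost contract; the trimmed podinfo manifest is embedded as a dict, which is what `yaml.safe_load` on the manifest above would return.

```python
import copy
import json

# Keys taken from the guide's manifests.
ENV_KEY = "environment.bifrost.com/name"
MODE_KEY = "profile.bifrost.com/mode"
SERVICE_KEY = "service.bifrost.com/name"
ENABLED_LABEL = "bifrost.com/enabled"
MODES = ("audit", "enforce")


def template_metadata(manifest: dict) -> dict:
    """The pod template's metadata block (created empty if absent)."""
    return manifest["spec"]["template"].setdefault("metadata", {})


def check_template(manifest: dict) -> list:
    """Problems with the pod template's bifrost labels/annotations; empty list means OK.

    These rules are this example's assumptions based on the guide.
    """
    meta = template_metadata(manifest)
    labels = meta.get("labels") or {}
    annotations = meta.get("annotations") or {}
    problems = []
    # An unquoted `true` in YAML loads as a boolean; label values must be
    # strings, so the API server rejects it. The guide quotes "true" for this reason.
    if labels.get(ENABLED_LABEL) != "true":
        problems.append(f'label {ENABLED_LABEL} must be the string "true"')
    for key in (ENV_KEY, SERVICE_KEY):
        if not annotations.get(key):
            problems.append(f"annotation {key} is missing")
    if annotations.get(MODE_KEY) not in MODES:
        problems.append(f"annotation {MODE_KEY} must be one of {MODES}")
    return problems


def promote(manifest: dict, environment: str) -> dict:
    """Copy of `manifest` switched to enforce mode in `environment`; the input is untouched."""
    problems = check_template(manifest)
    if problems:
        raise ValueError("; ".join(problems))
    promoted = copy.deepcopy(manifest)
    annotations = template_metadata(promoted)["annotations"]
    annotations[MODE_KEY] = "enforce"
    annotations[ENV_KEY] = environment
    return promoted


def merge_patch(environment: str, mode: str = "enforce") -> str:
    """RFC 7386 merge patch for `kubectl patch deployment <name> --type merge -p '<patch>'`.

    Only the two annotations are replaced; other template metadata is preserved.
    """
    if mode not in MODES:
        raise ValueError(f"mode must be one of {MODES}")
    patch = {"spec": {"template": {"metadata": {"annotations": {
        ENV_KEY: environment, MODE_KEY: mode}}}}}
    return json.dumps(patch, separators=(",", ":"))


# The guide's audit-mode Deployment as a dict, trimmed to the fields the checks read.
PODINFO_AUDIT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "podinfo"},
    "spec": {
        "replicas": 1,
        "selector": {"matchLabels": {"app.kubernetes.io/name": "podinfo"}},
        "template": {
            "metadata": {
                "annotations": {ENV_KEY: "dev", MODE_KEY: "audit", SERVICE_KEY: "podinfo"},
                "labels": {"app.kubernetes.io/name": "podinfo", ENABLED_LABEL: "true"},
            },
            "spec": {"containers": [
                {"name": "podinfo", "image": "stefanprodan/podinfo:6.7.1"}]},
        },
    },
}

if __name__ == "__main__":
    enforced = promote(PODINFO_AUDIT, "prod")
    print(json.dumps(enforced["spec"]["template"]["metadata"], indent=2))
    print("kubectl patch deployment podinfo --type merge -p '%s'" % merge_patch("prod"))
```

Either route (applying the promoted manifest or running the printed `kubectl patch`) changes the pod template and therefore starts a rollout; the enforce profile applies to the replacement pod, while the old pod keeps running in audit mode until it is replaced.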

Let's verify that the security profile is applied by triggering behaviour podinfo did not exhibit during audit mode. With POD_NAME set to the name of a running podinfo pod:

Terminal window
kubectl port-forward "$POD_NAME" 9898:9898 & sleep 1; curl http://localhost:9898; kill $!

This triggers an alert, which you can see in the bifrost portal. If no alert appears, check that the pod you forwarded to was created after the enforce-mode rollout: the annotations live on the pod template, so a pod started before the change is still in audit mode.

Hurray! You have completed the getting started guide for bifrost.