Get started
In this guide you will learn how to get started with bifrost and how to secure your application. At the end of this guide your application will be running with a security profile tailored to your needs.
Prerequisites
- A Kubernetes cluster.
- A bifrost organization.
- An application to secure, running in the Kubernetes cluster.
Install bifrost-agent
In the bifrost portal, create a new cluster and environment.
In this guide we create two environments: dev
and prod
.
Take note of the environments, since you will refer to it in the following steps.
This will generate an agent key that you will use to install the agent in your Kubernetes cluster.
Then, install the bifrost-agent in your Kubernetes cluster. Replace <AGENT_KEY>
with the agent key.
If using Kubernetes Pod Security Admission, label the namespace to allow the bifrost-agent to run with the required capabilities (AUDIT_READ, MAC_ADMIN, NET_BROADCAST).
You can verify that the agent is running by the number of nodes that should be listed in the bifrost portal. The agent is running as a daemonset, so it should be running on all nodes in your cluster.
Audit your application
After the agent is running, you can start auditing your application by adding the necessary label annotations to your pod. Usually you will add this to a pod template in your deployment. Here we are using alpine as an example:
Now you will see a service in the bifrost portal. Take note of the version, listed in the Versions
tab which will be
needed when generating a security profile.
Exercise your application
To generate a tailored security profile for your application, you need to exercise it so bifrost can learn its behavior. When exercising, the application should be used as it would in production and execute all possible code paths. In this case, we can simply exec in the container and create a file.
Generate a security profile
After exercising your application, you can generate a security profile by using the bifrost API.
First, create an API token in the bifrost portal. This is created on the organization level and is different from the
agent key.
Then, use the following curl command to generate a security profile. Replace <SERVICE_NAME>
with the name of you
service and <SERVICE_VERSION>
with the version of your service. <API_TOKEN>
is the organizational wide token you
created in the portal.
Apply the security profile
A security profile has now been generated based on the behavior of your application. We can update our alpine deployment
to use this security profile. Replace <SECURITY_PROFILE>
with the output from the previous command.
Let’s verify that the security profile is applied by creating some files.
The first command will succeed, while the second fails. This will also trigger an alert which can be seen in the portal.
Hurray! Your have completed the getting started guide for bifrost.