
Get started

In this guide you will learn how to get started with bifrost and how to secure your application. At the end of this guide your application will be running with a security profile tailored to your needs.

Prerequisites

  • A Kubernetes cluster.
  • A bifrost organization.
  • An application to secure, running in the Kubernetes cluster.

Install bifrost-agent

In the bifrost portal, create a new cluster and environment. In this guide we create two environments: dev and prod. Take note of the environment names, since you will refer to them in the following steps. Creating the cluster generates an agent key that you will use to install the agent in your Kubernetes cluster. Then, install the bifrost-agent in your Kubernetes cluster. Replace <AGENT_KEY> with the agent key.

helm install bifrost-agent --create-namespace --namespace bifrost \
  --set agent.key=<AGENT_KEY> \
  oci://public.ecr.aws/bifrostsec/charts/bifrost-agent

If using Kubernetes Pod Security Admission, label the namespace to allow the bifrost-agent to run with the required capabilities (AUDIT_READ, MAC_ADMIN, NET_BROADCAST).

kubectl label namespace bifrost pod-security.kubernetes.io/enforce=privileged --overwrite=true

You can verify that the agent is running by checking that all nodes of your cluster are listed in the bifrost portal. The agent runs as a daemonset, so it should be running on every node in your cluster.

Audit your application

After the agent is running, you can start auditing your application by adding the necessary labels and annotations to your pod. Usually you will add them to the pod template in your deployment. Here we are using alpine as an example:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: alpine
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: alpine
  template:
    metadata:
      annotations:
        environment.bifrost.com/name: dev # The environment you created in the bifrost portal
        profile.bifrost.com/mode: audit # This will enable audit mode
        service.bifrost.com/name: alpine # The name of your application. You will be able to see this in the bifrost portal
      labels:
        app.kubernetes.io/name: alpine
        bifrost.com/enabled: "true" # Required to use bifrost
    spec:
      containers:
        - command:
            - sh
            - -c
            - sleep infinity
          image: alpine:3.18.5
          imagePullPolicy: IfNotPresent
          name: alpine
          resources:
            requests:
              cpu: 1m
              memory: 16Mi
      terminationGracePeriodSeconds: 2

Now you will see a service in the bifrost portal. Take note of the version listed in the Versions tab; you will need it when generating a security profile.

Exercise your application

To generate a tailored security profile for your application, you need to exercise it so bifrost can learn its behavior. When exercising, the application should be used as it would in production and execute all possible code paths. In this case, we can simply exec in the container and create a file.

POD_NAME=$(kubectl get pods -l app.kubernetes.io/name=alpine -o jsonpath="{.items[0].metadata.name}")
kubectl exec $POD_NAME -- touch /allowed.txt

Generate a security profile

After exercising your application, you can generate a security profile by using the bifrost API.

First, create an API token in the bifrost portal. This token is created at the organization level and is different from the agent key. Then, use the following curl command to generate a security profile. Replace <SERVICE_NAME> with the name of your service and <SERVICE_VERSION> with the version of your service. <API_TOKEN> is the organization-wide token you created in the portal.

SECURITY_PROFILE=$(curl -X POST "https://portal.bifrostsec.com/api/v2/service/<SERVICE_NAME>/version/<SERVICE_VERSION>/profile" -H "Authorization: Bearer <API_TOKEN>")

Apply the security profile

A security profile has now been generated based on the behavior of your application. We can update our alpine deployment to use this security profile: the environment changes from dev to prod, the mode from audit to enforce, and the profile name is added. Replace <SECURITY_PROFILE> with the output from the previous command.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: alpine
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: alpine
  template:
    metadata:
      annotations:
        environment.bifrost.com/name: prod # The environment you created in the bifrost portal (changed from dev)
        profile.bifrost.com/mode: enforce # This will enable enforce mode (changed from audit)
        profile.bifrost.com/name: "<SECURITY_PROFILE>" # The security profile you generated
        service.bifrost.com/name: alpine # The name of your application. You will be able to see this in the bifrost portal
      labels:
        app.kubernetes.io/name: alpine
        bifrost.com/enabled: "true" # Required to use bifrost
    spec:
      containers:
        - command:
            - sh
            - -c
            - sleep infinity
          image: alpine:3.18.5
          imagePullPolicy: IfNotPresent
          name: alpine
          resources:
            requests:
              cpu: 1m
              memory: 16Mi
      terminationGracePeriodSeconds: 2

Let’s verify that the security profile is applied by creating some files.

POD_NAME=$(kubectl get pods -l app.kubernetes.io/name=alpine -o jsonpath="{.items[0].metadata.name}")
kubectl exec $POD_NAME -- touch /allowed.txt
kubectl exec $POD_NAME -- touch /disallowed.txt

The first command will succeed, while the second fails. This will also trigger an alert which can be seen in the portal.
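The generate, apply and verify steps above combined into one script, as an added example that is not part of the bifrost documentation. The portal endpoint and annotation keys are taken from this guide; the DEPLOYMENT and env var names are assumptions, as is the assumption that the portal returns the profile as a bare identifier (the guide uses the raw curl output as the annotation value). The script also adds the check the guide's curl line lacks: a failed API call must not end up as the profile annotation.

```shell
#!/bin/sh
# Added example, not part of the bifrost docs. Endpoint and annotation keys come
# from the guide; DEPLOYMENT and the env var names are assumed, as is that the
# portal returns the profile as a bare identifier (it is used as an annotation value).
set -eu

PORTAL="https://portal.bifrostsec.com"
DEPLOYMENT="${DEPLOYMENT:-alpine}"
# Profile endpoint used in the guide.
profile_url() {  # $1 = service name, $2 = service version
  printf '%s/api/v2/service/%s/version/%s/profile' "$PORTAL" "$1" "$2"
}

# JSON merge patch switching the pod template to enforce mode. A merge patch
# only touches the listed annotations (service.bifrost.com/name etc. stay),
# and changing the template rolls out new pods with the profile applied.
enforce_patch() {  # $1 = environment, $2 = profile returned by the portal
  printf '{"spec":{"template":{"metadata":{"annotations":{"environment.bifrost.com/name":"%s","profile.bifrost.com/mode":"enforce","profile.bifrost.com/name":"%s"}}}}}' "$1" "$2"
}

# Refuse to annotate with anything that is not a single plain token, so an
# error page or empty reply never becomes the profile name.
valid_profile() {  # $1 = response body
  case "$1" in
    "" | *" "* | *"<"* | *'"'*) return 1 ;;
  esac
  return 0
}

main() {
  : "${SERVICE_NAME:?}" "${SERVICE_VERSION:?}" "${API_TOKEN:?}"
  # --fail: a 4xx/5xx makes curl exit non-zero instead of handing back the error body.
  profile=$(curl -sSf -X POST "$(profile_url "$SERVICE_NAME" "$SERVICE_VERSION")" \
    -H "Authorization: Bearer $API_TOKEN")
  valid_profile "$profile" || { echo "unexpected profile response: $profile" >&2; exit 1; }

  kubectl patch deployment "$DEPLOYMENT" --type merge -p "$(enforce_patch prod "$profile")"
  kubectl rollout status deployment "$DEPLOYMENT"

  # Newest pod, so we do not pick the terminating audit-mode one.
  pod=$(kubectl get pods -l "app.kubernetes.io/name=$DEPLOYMENT" \
    --sort-by=.metadata.creationTimestamp -o jsonpath='{.items[-1:].metadata.name}')
  kubectl exec "$pod" -- touch /allowed.txt        # learned during audit: must succeed
  if kubectl exec "$pod" -- touch /disallowed.txt; then
    echo "enforcement not active: /disallowed.txt was created" >&2; exit 1
  fi
  echo "profile $profile enforced on $DEPLOYMENT"
}
# The live flow only runs when a token is supplied; the helpers are usable on their own.
if [ -n "${API_TOKEN:-}" ]; then main; fi
```

Run it as `SERVICE_NAME=alpine SERVICE_VERSION=<SERVICE_VERSION> API_TOKEN=<API_TOKEN> sh enforce.sh`; a non-zero exit means the profile was not fetched or enforcement did not block the disallowed write.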

Hurray! You have completed the getting started guide for bifrost.