88 lines
2.9 KiB
Bash
Executable File
88 lines
2.9 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
apt update
|
|
apt install containerd -y
|
|
systemctl stop containerd
|
|
containerd config default | sed 's/SystemdCgroup.*=.*false/SystemdCgroup = true/g' > /etc/containerd/config.toml
|
|
systemctl start containerd
|
|
systemctl enable containerd
|
|
mkdir -p /etc/containerd
|
|
|
|
|
|
cat <<EOF | sudo tee /etc/modules-load.d/k8s.conf
|
|
overlay
|
|
br_netfilter
|
|
EOF
|
|
|
|
sudo modprobe overlay
|
|
sudo modprobe br_netfilter
|
|
|
|
cat <<EOF | sudo tee /etc/sysctl.d/k8s.conf
|
|
net.bridge.bridge-nf-call-iptables = 1
|
|
net.bridge.bridge-nf-call-ip6tables = 1
|
|
net.ipv4.ip_forward = 1
|
|
EOF
|
|
|
|
sysctl --system
|
|
|
|
apt-get install -y apt-transport-https ca-certificates curl gpg
|
|
mkdir -p /etc/apt/keyrings
|
|
curl -fsSL https://pkgs.k8s.io/core:/stable:/v1.29/deb/Release.key | sudo gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
|
|
echo 'deb [signed-by=/etc/apt/keyrings/kubernetes-apt-keyring.gpg] https://pkgs.k8s.io/core:/stable:/v1.29/deb/ /' | sudo tee /etc/apt/sources.list.d/kubernetes.list
|
|
|
|
sudo apt-get update
|
|
VERSION=1.29.2-1.1
|
|
sudo apt-get install -y kubelet=$VERSION kubeadm=$VERSION kubectl=$VERSION
|
|
sudo apt-mark hold kubelet kubeadm kubectl
|
|
|
|
apt-get install apt-file apparmor-utils auditd etcd-client jq strace -y
|
|
|
|
|
|
# kube-bench
|
|
curl -L https://github.com/aquasecurity/kube-bench/releases/download/v0.7.2/kube-bench_0.7.2_linux_amd64.deb -o kube-bench_0.7.2_linux_amd64.deb
|
|
dpkg -i kube-bench_0.7.2_linux_amd64.deb
|
|
|
|
# trivy
|
|
sudo apt-get install wget apt-transport-https gnupg lsb-release
|
|
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
|
|
echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
|
|
sudo apt-get update
|
|
sudo apt-get install trivy
|
|
|
|
# falco
|
|
curl -fsSL https://falco.org/repo/falcosecurity-packages.asc | \
|
|
sudo gpg --dearmor -o /usr/share/keyrings/falco-archive-keyring.gpg
|
|
echo "deb [signed-by=/usr/share/keyrings/falco-archive-keyring.gpg] https://download.falco.org/packages/deb stable main" | \
|
|
tee -a /etc/apt/sources.list.d/falcosecurity.list
|
|
apt-get update -y
|
|
|
|
# non-eBPF
|
|
#apt install -y dkms make linux-headers-$(uname -r)
|
|
# If you use falcoctl driver loader to build the eBPF probe locally you need also clang toolchain
|
|
#apt install -y clang llvm
|
|
# You can install also the dialog package if you want it
|
|
#apt install -y dialog
|
|
apt-get install -y falco
|
|
|
|
mkdir -p /usr/share/falco/plugins
|
|
|
|
curl -Lo /tmp/falcorules.tar.gz https://download.falco.org/rules/falco-incubating-rules-3.0.1.tar.gz
|
|
(
|
|
cd /etc/falco/rules.d
|
|
tar xvfz /tmp/falcorules.tar.gz
|
|
)
|
|
|
|
if grep ubuntu /etc/os-release
|
|
then
|
|
falcoctl driver config --type ebpf
|
|
falcoctl driver install
|
|
systemctl start falco-bpf
|
|
systemctl enable falco-bpf
|
|
else
|
|
falcoctl driver config --type modern_ebpf
|
|
#falcoctl artifact install k8saudit-rules
|
|
systemctl enable falco-modern-bpf
|
|
systemctl restart falco-modern-bpf
|
|
fi
|
|
|