Welcome to egonzalez blog
Zarf - Air-gap deployment in Kubernetes

Zarf is a free and open-source tool for declaratively creating and distributing software into air-gapped, constrained or standalone environments.

Zarf bundles the Helm charts, manifests and container images an application needs into a single archive, so the same artifact can be deployed repeatably on a cluster that has no route to the internet or to public registries.

Install Zarf CLI

# Resolve the latest release tag from the redirect target of /releases/latest
ZARF_VERSION=$(curl -sIX HEAD https://github.com/zarf-dev/zarf/releases/latest | grep -i '^location:' | grep -Eo 'v[0-9]+\.[0-9]+\.[0-9]+')

# Download the Linux amd64 binary for that tag and make it executable
curl -sL "https://github.com/zarf-dev/zarf/releases/download/${ZARF_VERSION}/zarf_${ZARF_VERSION}_Linux_amd64" -o zarf
chmod +x zarf

This always tracks the newest release. Pin ZARF_VERSION to a known tag when you need a reproducible build, and check the downloaded binary against the checksums published with the release before running it.

Download init package

zarf init deploys Zarf's own in-cluster registry (plus a few supporting pods) into the destination cluster; the init package carries the images for that. Download it while you still have internet access and transfer it together with the application package you build below, because the air-gapped cluster cannot fetch it later.

zarf tools download-init
zarf init --confirm

In this guide we will deploy Falco for real-time threat detection in Kubernetes. The config files below are examples; adapt them to your needs.

Create a file named zarf.yaml with the following content (the images list can be generated with the command shown later in this guide):

kind: ZarfPackageConfig
metadata:
  name: falco
  # Version of this Zarf package (here kept equal to the chart version)
  version: 4.20.1
  description: |
    "A Zarf Package that deploys Falco Security for real time runtime threat detection"
components:
  - name: falco
    description: |
      "Deploys the falcosecurity falco chart into the cluster"
    required: true
    charts:
      - name: falco
        url: https://falcosecurity.github.io/charts
        version: 4.20.1
        namespace: falco
        # values.yaml sits next to zarf.yaml and is bundled into the package
        valuesFiles:
          - values.yaml
    # Every image the chart references must be listed so it is pulled at
    # package creation time and pushed to the in-cluster registry on deploy
    images:
      - docker.io/falcosecurity/falco-driver-loader:0.40.0
      - docker.io/falcosecurity/falco:0.40.0-debian
      - docker.io/falcosecurity/falcoctl:0.11.0
      # Cosign artifacts for images - falco - falco
      - index.docker.io/falcosecurity/falco-driver-loader:sha256-8bb7b51adf6598c5d9c90d2f3e55724212e6282afbd26f0ba428db9c0c417fbf.sig
      - index.docker.io/falcosecurity/falco:sha256-bfa486ca137359e90401f6121e52065e99bff44a949c02229fd0df467386fcaa.sig
      - index.docker.io/falcosecurity/falcoctl:sha256-4b590b9c49a881a55f6c3121c235057951418d726a9c43c4e1dbe3a5fcf358d3.sig
      - index.docker.io/falcosecurity/falcoctl:sha256-4b590b9c49a881a55f6c3121c235057951418d726a9c43c4e1dbe3a5fcf358d3.att

Run the following command in the directory containing zarf.yaml. It renders the chart and prints the images it references, including the cosign signature (.sig) and attestation (.att) artifacts, ready to paste into the images list of zarf.yaml:

zarf dev find-images

Create a values.yaml (the file referenced by valuesFiles above) with the configuration you need. In this example a custom rule is added that fires whenever the id command is executed inside a container:

# Custom Falco rules are passed to the chart as a rules file under customRules
customRules:
  custom-rules.yaml: |-
    - rule: id_usage
      desc: id usage
      condition: >
        evt.type = execve and
        evt.dir = < and
        container.id != host and
        proc.name = id
      output: >
        id command is used
        (user=%user.name container_id=%container.id container_name=%container.name
        shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline)
      priority: CRITICAL

Validate that the config files contain no errors:

zarf dev lint .

Generate the package archive containing the images and configuration:

zarf package create . --confirm

Deploy the package into the cluster. This pushes the bundled images into the in-cluster registry that zarf init created and invokes Helm to deploy the chart's resources:

zarf package deploy zarf-package-falco-amd64-4.20.1.tar.zst --confirm
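Two steps in this guide hand you an artifact that nothing checks: the zarf binary fetched from GitHub in the install step, and the package archive (plus the init package) that is physically carried across the gap before zarf package deploy. The script below is an added example, not code from the original post and not part of Zarf, showing a minimal sha256 manifest workflow for both cases: on the connected side you record hashes for the init package and the application package, on the disconnected side you refuse to deploy unless they verify, and verify_file does the same single-file check against a release checksum list in sha256sum format (Zarf's GitHub releases ship one; the file name checksums.txt and the init package file name used in the usage comments are assumptions). It also assumes sha256sum is available on both sides and that the manifest travels by a channel you trust independently of the package, for instance read out of band from the build machine.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post or of Zarf itself.
# Assumptions: sha256sum on both sides of the gap; the manifest travels by an
# independently trusted channel; file names in the usage comments are the
# guide's defaults and the init package name is a hypothetical example.
set -euo pipefail

# record_manifest MANIFEST FILE...
# Connected side: write one "<sha256>  <basename>" line per artifact.
record_manifest() {
  local manifest="$1"; shift
  : > "$manifest"
  local f
  for f in "$@"; do
    ( cd "$(dirname "$f")" && sha256sum "$(basename "$f")" ) >> "$manifest"
  done
}

# verify_manifest MANIFEST DIR
# Disconnected side: succeeds only if every file named in MANIFEST exists in
# DIR and hashes to the recorded value; a mismatch or a missing file fails.
verify_manifest() {
  local manifest="$1" dir="$2" hash name
  while read -r hash name; do
    [ -n "$hash" ] || continue            # skip blank lines
    printf '%s  %s\n' "$hash" "$dir/${name#\*}"
  done < "$manifest" | sha256sum -c
}

# expected_sha256 MANIFEST NAME
# Print the hash recorded for NAME (works for a release checksums.txt too);
# fail if NAME is not listed, so a missing entry can never verify.
expected_sha256() {
  local hash
  hash=$(awk -v n="$2" '{ sub(/^\*/, "", $2) } $2 == n { print $1; exit }' "$1")
  [ -n "$hash" ] || { echo "no entry for $2 in $1" >&2; return 1; }
  printf '%s\n' "$hash"
}

# verify_file MANIFEST NAME FILE
# Succeeds iff FILE hashes to the entry recorded under NAME. Use it when the
# file on disk is named differently from the manifest entry, as with the
# binary saved as ./zarf but listed as zarf_<version>_Linux_amd64.
verify_file() {
  local expected actual
  expected=$(expected_sha256 "$1" "$2") || return 1
  actual=$(sha256sum "$3" | awk '{ print $1 }')
  [ "$expected" = "$actual" ]
}

# Usage (kept as comments so the file can be sourced without side effects):
#
# Connected side, after the install step and `zarf package create`:
#   verify_file checksums.txt "zarf_${ZARF_VERSION}_Linux_amd64" ./zarf
#   record_manifest airgap.sha256 \
#       "zarf-init-amd64-${ZARF_VERSION}.tar.zst" \
#       zarf-package-falco-amd64-4.20.1.tar.zst
#
# Disconnected side, before `zarf init` and `zarf package deploy`:
#   verify_manifest airgap.sha256 /media/transfer \
#     && zarf package deploy /media/transfer/zarf-package-falco-amd64-4.20.1.tar.zst --confirm
```

The manifest is only as trustworthy as the path it took: if it rides on the same removable media as the packages, an attacker who can swap the archive can swap the manifest too, so read it out of band or sign it separately. Zarf can also sign a package with a cosign key at create time and verify it at deploy time; check zarf package create --help and zarf package deploy --help for the signing options in your version.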
Last updated 2 months ago