This guide will describe how to use Project Antrea with threat detection engines, in order to provide network-based intrusion detection service to your Pods. In this scenario, Antrea is used for the default Pod network. For the sake of this guide, we will use Suricata as the threat detection engine, but similar steps should apply for other engines as well.
The solution works by configuring a TrafficControl resource applying to specific Pods. Traffic originating from the Pods or destined for the Pods is mirrored, and then inspected by Suricata to provide threat detection. Suricata is configured with IDS mode in this example, but it can also be configured with IPS/inline mode to proactively drop the traffic determined to be malicious.
The general prerequisites are:
- a K8s cluster running a K8s version supported by Antrea.
kubectl
The TrafficControl capability was added in Antrea version 1.7. Therefore, an Antrea version >= v1.7.0 should be used to configure Pod traffic mirroring.
All the required software will be deployed using YAML manifests, and the corresponding container images will be downloaded from public registries.
For detailed information on the Antrea requirements and instructions on how to
deploy Antrea, please refer to getting-started.md.
As of now, the TrafficControl
feature gate is disabled by default, you will
need to enable it like the following command.
To deploy the latest version of Antrea, use:
curl -s https://raw.githubusercontent.com/antrea-io/antrea/main/build/yamls/antrea.yml | \
sed "s/.*TrafficControl:.*/ TrafficControl: true/" | \
kubectl apply -f -
You may also choose a released Antrea version.
To replicate Pod traffic to Suricata for analysis, create a TrafficControl with
the Mirror
action, and set the targetPort
to an OVS internal port that
Suricata will capture traffic from. This cookbook uses tap0
as the port name
and performs intrusion detection for Pods with the app=web
label:
cat <<EOF | kubectl apply -f -
apiVersion: crd.antrea.io/v1alpha2
kind: TrafficControl
metadata:
name: mirror-web-app-to-tap0
spec:
appliedTo:
podSelector:
matchLabels:
app: web
direction: Both
action: Mirror
targetPort:
ovsInternal:
name: tap0
EOF
Suricata supports many possible configuration options, but we will just focus on
the basics in the cookbook. The YAML file for Suricata DaemonSet is included in
the resources directory. The DaemonSet uses the image
jasonish/suricata
from https://github.com/jasonish/docker-suricata.
As the TrafficControl resource configured in the second step mirrors traffic to
tap0
, we run Suricata in the host network and specify the network interface to
tap0
.
spec:
hostNetwork: true
containers:
- name: suricata
image: jasonish/suricata:latest
command:
- /usr/bin/suricata
- -i
- tap0
Suricata uses Signatures (rules) to trigger alerts. We use the default ruleset
installed at /var/lib/suricata/rules
of the image jasonish/suricata
.
The directory /var/log/suricata
contains alert events. We mount the directory
as a hostPath
volume to expose and persist them on the host:
spec:
containers:
- name: suricata
volumeMounts:
- name: host-var-log-suricata
mountPath: /var/log/suricata
volumes:
- name: host-var-log-suricata
hostPath:
path: /var/log/suricata
type: DirectoryOrCreate
To deploy Suricata, run:
kubectl apply -f docs/cookbooks/ids/resources/suricata.yml
To test the IDS functionality, you can create a Pod with the app=web
label,
using the following command:
kubectl create deploy web --image nginx:1.21.6
Let's log into the Node that the test Pod runs on and start tail
to see
updates to the alert log /var/log/suricata/fast.log
:
tail -f /var/log/suricata/fast.log
You can then generate malicious requests to trigger alerts. For ingress traffic, you can fake a web application attack against the Pod with the following command (assuming that the Pod IP is 10.10.2.3):
curl http://10.10.2.3/dlink/hwiz.html
The following output should now be seen in the log:
05/17/2022-04:29:51.717452 [**] [1:2008942:8] ET POLICY Dlink Soho Router Config Page Access Attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.10.2.1:48600 -> 10.10.2.3:80
For egress traffic, you can kubectl exec
into the Pods and generate malicious
requests against external web server with the following command:
kubectl exec deploy/web -- curl -s http://testmynids.org/uid/index.html
The following output should now be seen in the log:
05/17/2022-04:36:46.706373 [**] [1:2013028:6] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.10.2.3:55132 -> 65.8.161.92:80
05/17/2022-04:36:46.708833 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 65.8.161.92:80 -> 10.10.2.3:55132