Installing the k8s security platform HummerRisk on Rocky 8.6
1. Prepare the virtual machine
Spec: 4 vCPU, 8 GB RAM, 100 GB disk, Rocky 8.6
2. Installation and deployment
Reference: https://mp.weixin.qq.com/s/bKkSj7iMJYRhiTIuDzim4Q
Official documentation: https://docs.hummerrisk.com/
Installation steps
yum install -y yum-utils device-mapper-persistent-data lvm2
yum-config-manager --add-repo https://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum install docker-ce -y
systemctl enable --now docker
Download and unpack the installer package
wget https://github.com/HummerRisk/installer/releases/download/v0.3.1/hummerrisk-installer-v0.3.1.tar.gz
tar -xf hummerrisk-installer-v0.3.1.tar.gz
Run the installer from the unpacked directory. It writes to /opt/hummerrisk, pulls the two images from registry.cn-beijing.aliyuncs.com and downloads the CVE data; the full transcript follows:
[root@easzlab-hummerrisk-01 hummerrisk-installer-v0.3.1]# ./install.sh
(HummerRisk ASCII-art banner)
Version: v0.3.1

>>> 'Install and Configure Docker'
1. 'Install Docker'
'complete'
2. 'Start Docker'
Created symlink /etc/systemd/system/multi-user.target.wants/docker.service → /usr/lib/systemd/system/docker.service.
'complete'

>>> 'Install and Configure hummerrisk'
1. 'Configure Persistent Directory'
HummerRisk will be installed to the /opt/hummerrisk directory
'complete'
2. 'Check Configuration File'
'Path to Configuration file': /opt/hummerrisk/conf
/opt/hummerrisk/conf/install.conf [ √ ]
'complete'
3. 'Backup Configuration File'
'Back up to' /opt/hummerrisk/backup/install.conf.2022-09-21_08-55-42
'complete'
4. 'Configure MySQL'
'Do you want to use external MySQL'? (y/n) ( 'default' n): n
'complete'
5. 'Configure External Port'
'Do you need to customize the hummerrisk external port'? (y/n) ( 'default' n): n
'complete'

>>> 'Loading Docker Image'
[hummerrisk/mysql:5.7.38]
5.7.38: Pulling from hummerrisk/mysql
66fb34780033: Pull complete
ef4ccd63cdb4: Pull complete
d6f28a94c51f: Pull complete
7feea2a503b5: Pull complete
71dd5852ecd9: Pull complete
3da2c95cac2f: Pull complete
af7913db289c: Pull complete
77f552f93c12: Pull complete
3ed53edb61ab: Pull complete
67e1c6839f08: Pull complete
abcdaaf08d0f: Pull complete
Digest: sha256:f6f459b960b1c09270dcf6a0b48130ce321754ed85f91340a38bfd0a2bfaa9fd
Status: Downloaded newer image for registry.cn-beijing.aliyuncs.com/hummerrisk/mysql:5.7.38
registry.cn-beijing.aliyuncs.com/hummerrisk/mysql:5.7.38
Untagged: registry.cn-beijing.aliyuncs.com/hummerrisk/mysql:5.7.38
Untagged: registry.cn-beijing.aliyuncs.com/hummerrisk/mysql@sha256:f6f459b960b1c09270dcf6a0b48130ce321754ed85f91340a38bfd0a2bfaa9fd
[hummerrisk/hummerrisk:v0.3.1]
v0.3.1: Pulling from hummerrisk/hummerrisk
1b7ca6aea1dd: Pull complete
ad51147a85c7: Pull complete
bdb64e7e5578: Pull complete
77a00c5164d6: Pull complete
cfc7e7b4c46e: Pull complete
b1744e0b1917: Pull complete
09f7c97b0546: Pull complete
0f2506e9c5f7: Pull complete
17f573599f84: Pull complete
c12199338d40: Pull complete
a13e982cd94e: Pull complete
87e5c919e08e: Pull complete
d3ade79d42eb: Pull complete
6109ff1ca664: Pull complete
fa3d0121f8bd: Pull complete
7147415d9be3: Pull complete
dec44e4b04b3: Pull complete
4b46a367f3b4: Pull complete
c6d9083259af: Pull complete
ccba45df525c: Pull complete
Digest: sha256:f31c9ec9f6d8000c7d172687ed5fff73c59d1a94e7d79297ee3400f38d1898d6
Status: Downloaded newer image for registry.cn-beijing.aliyuncs.com/hummerrisk/hummerrisk:v0.3.1
registry.cn-beijing.aliyuncs.com/hummerrisk/hummerrisk:v0.3.1
Untagged: registry.cn-beijing.aliyuncs.com/hummerrisk/hummerrisk:v0.3.1
Untagged: registry.cn-beijing.aliyuncs.com/hummerrisk/hummerrisk@sha256:f31c9ec9f6d8000c7d172687ed5fff73c59d1a94e7d79297ee3400f38d1898d6
'complete'
Creating network "hr_hummerrisk-network" with driver "bridge"
Creating hummer_mysql ... done
Creating hummer_risk  ... done
Download cve data
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  118M  100  118M    0     0  1208k      0  0:01:40  0:01:40 --:--:-- 1533k
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 33.8M  100 33.8M    0     0  1259k      0  0:00:27  0:00:27 --:--:-- 1396k

>>> 'The Installation is Complete'
1. 'You can use the following command to start, and then visit'
hrctl start
2. 'Other management commands'
hrctl stop
hrctl restart
hrctl backup
hrctl upgrade
'For more commands, you can enter hrctl --help to understand'
3. 'Web access'
http://172.16.88.180:
'Default username': admin
'Default password': hummer
4. 'More information'
'Offical Website': https://www.hummerrisk.com/
'Documentation': https://docs.hummerrisk.com/
[root@easzlab-hummerrisk-01 hummerris
Web UI login page. The installer leaves the default credentials admin / hummer in place and serves the UI over plain HTTP, so change the admin password at first login, before anyone else can reach the listener.
3. Connecting a k8s cluster
The k8s integration relies on trivy-operator, installed here from the hummer chart repository. The image is overridden to the Aliyun mirror, and trivy.ignoreUnfixed=true drops vulnerabilities that have no fixed version yet, so those do not show up in the report counts:
root@easzlab-deploy:~# helm repo add hummer https://registry.hummercloud.com/repository/charts
"hummer" has been added to your repositories
root@easzlab-deploy:~# helm repo update
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "hummer" chart repository
...Successfully got an update from the "deepflow" chart repository
...Successfully got an update from the "ingress-nginx" chart repository
...Successfully got an update from the "grafana" chart repository
Update Complete. ⎈Happy Helming!⎈
root@easzlab-deploy:~# helm upgrade --install trivy-operator hummer/trivy-operator \
>   --namespace trivy-system \
>   --set="image.repository=registry.cn-beijing.aliyuncs.com/hummerrisk/trivy-operator" \
>   --create-namespace --set="trivy.ignoreUnfixed=true"
Release "trivy-operator" does not exist. Installing it now.
NAME: trivy-operator
LAST DEPLOYED: Wed Sep 21 09:12:24 2022
NAMESPACE: trivy-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
You have installed Trivy Operator in the trivy-system namespace.
It is configured to discover Kubernetes workloads and resources in
all namespace(s).

Inspect created VulnerabilityReports by:

    kubectl get vulnerabilityreports --all-namespaces -o wide

Inspect created ConfigAuditReports by:

    kubectl get configauditreports --all-namespaces -o wide

Inspect the work log of trivy-operator by:

    kubectl logs -n trivy-system deployment/trivy-operator
Once the operator has reconciled the cluster, the reports can be listed. Only three VulnerabilityReports existed at this point, all with zero findings; the ConfigAuditReports already cover every workload and network policy:
root@easzlab-deploy:~# kubectl get vulnerabilityreports --all-namespaces -o wide
NAMESPACE   NAME                                                        REPOSITORY                  TAG             SCANNER   AGE   CRITICAL   HIGH   MEDIUM   LOW   UNKNOWN
argocd      replicaset-argocd-redis-ha-haproxy-5899778bcc-config-init   library/haproxy             2.0.29-alpine   Trivy     42m   0          0      0        0     0
argocd      replicaset-argocd-redis-ha-haproxy-5899778bcc-haproxy       library/haproxy             2.0.29-alpine   Trivy     42m   0          0      0        0     0
deepflow    daemonset-deepflow-agent-deepflow-agent                     deepflowce/deepflow-agent   v6.1.2          Trivy     51m   0          0      0        0     0
root@easzlab-deploy:~# kubectl get configauditreports --all-namespaces -o wide
NAMESPACE              NAME                                                            SCANNER   AGE   CRITICAL   HIGH   MEDIUM   LOW
argocd                 networkpolicy-argocd-application-controller-network-policy      Trivy     59m   0          0      0        0
argocd                 networkpolicy-argocd-dex-server-network-policy                  Trivy     59m   0          0      0        0
argocd                 networkpolicy-argocd-redis-ha-proxy-network-policy              Trivy     59m   0          0      0        0
argocd                 networkpolicy-argocd-redis-ha-server-network-policy             Trivy     59m   0          0      0        0
argocd                 networkpolicy-argocd-repo-server-network-policy                 Trivy     59m   0          0      0        0
argocd                 networkpolicy-argocd-server-network-policy                      Trivy     59m   0          0      0        0
argocd                 replicaset-argocd-applicationset-controller-59bb589646          Trivy     57m   0          0      0        7
argocd                 replicaset-argocd-dex-server-6bdd9f5d65                         Trivy     59m   0          0      0        13
argocd                 replicaset-argocd-notifications-controller-597d864ddf           Trivy     57m   0          0      0        7
argocd                 replicaset-argocd-redis-ha-haproxy-5899778bcc                   Trivy     59m   0          0      2        18
argocd                 replicaset-argocd-repo-server-6fb578bf65                        Trivy     57m   0          0      0        14
argocd                 replicaset-argocd-server-6774f85d64                             Trivy     59m   0          0      0        8
argocd                 statefulset-argocd-application-controller                       Trivy     59m   0          0      0        8
argocd                 statefulset-argocd-redis-ha-server                              Trivy     59m   0          0      3        26
deepflow               daemonset-deepflow-agent                                        Trivy     59m   0          4      4        10
deepflow               replicaset-deepflow-app-688c6c976                               Trivy     58m   0          0      2        10
deepflow               replicaset-deepflow-grafana-859f76c56b                          Trivy     59m   0          0      6        26
deepflow               replicaset-deepflow-mysql-85749b8b46                            Trivy     59m   0          0      5        19
deepflow               statefulset-deepflow-clickhouse                                 Trivy     59m   0          0      5        18
deepflow               statefulset-deepflow-server                                     Trivy     59m   0          0      5        14
kubernetes-dashboard   replicaset-dashboard-metrics-scraper-8c47d4b5d                  Trivy     57m   0          0      1        8
kubernetes-dashboard   replicaset-kubernetes-dashboard-5676d8b865                      Trivy     58m   0          0      1        8
loki-logs              daemonset-loki-logs-promtail                                    Trivy     59m   0          0      2        8
loki-logs              statefulset-loki-logs                                           Trivy     59m   0          0      1        9
monitoring             daemonset-node-exporter                                         Trivy     59m   0          3      2        4
monitoring             networkpolicy-alertmanager-main                                 Trivy     59m   0          0      0        0
monitoring             networkpolicy-blackbox-exporter                                 Trivy     59m   0          0      0        0
monitoring             networkpolicy-kube-state-metrics                                Trivy     59m   0          0      0        0
monitoring             networkpolicy-node-exporter                                     Trivy     59m   0          0      0        0
monitoring             networkpolicy-prometheus-adapter                                Trivy     59m   0          0      0        0
monitoring             networkpolicy-prometheus-k8s                                    Trivy     59m   0          0      0        0
monitoring             networkpolicy-prometheus-operator                               Trivy     59m   0          0      0        0
monitoring             replicaset-blackbox-exporter-559db48fd                          Trivy     59m   0          0      0        3
monitoring             replicaset-grafana-5d6b5955c9                                   Trivy     59m   0          0      0        3
monitoring             replicaset-kube-state-metrics-576b75c6f7                        Trivy     59m   0          0      1        2
monitoring             replicaset-prometheus-adapter-5f68766c85                        Trivy     59m   0          0      1        3
monitoring             replicaset-prometheus-operator-79c5847fd8                       Trivy     58m   0          0      0        3
monitoring             statefulset-alertmanager-main                                   Trivy     59m   0          0      0        5
monitoring             statefulset-prometheus-k8s                                      Trivy     59m   0          0      0        10
rook-ceph              daemonset-csi-cephfsplugin                                      Trivy     59m   0          5      8        26
rook-ceph              daemonset-csi-rbdplugin                                         Trivy     59m   0          6      8        26
rook-ceph              job-rook-ceph-osd-prepare-172.16.88.157                         Trivy     59m   0          1      5        19
rook-ceph              job-rook-ceph-osd-prepare-172.16.88.158                         Trivy     59m   0          1      5        19
rook-ceph              job-rook-ceph-osd-prepare-172.16.88.159                         Trivy     59m   0          1      5        19
rook-ceph              job-rook-ceph-osd-prepare-172.16.88.163                         Trivy     59m   0          1      5        19
rook-ceph              job-rook-ceph-osd-prepare-172.16.88.164                         Trivy     59m   0          1      5        19
rook-ceph              job-rook-ceph-osd-prepare-172.16.88.165                         Trivy     59m   0          1      5        19
rook-ceph              replicaset-csi-cephfsplugin-provisioner-7b867fbd5f              Trivy     59m   0          0      13       50
rook-ceph              replicaset-csi-rbdplugin-provisioner-59fc59c8ff                 Trivy     59m   0          0      13       50
rook-ceph              replicaset-rook-ceph-crashcollector-172.16.88.157-78f96fd8d5    Trivy     59m   0          0      7        26
rook-ceph              replicaset-rook-ceph-crashcollector-172.16.88.159-5557c9bf97    Trivy     58m   0          0      7        26
rook-ceph              replicaset-rook-ceph-crashcollector-172.16.88.163-6d5c77d66     Trivy     57m   0          0      7        26
rook-ceph              replicaset-rook-ceph-crashcollector-172.16.88.164-b5685db67     Trivy     58m   0          0      7        26
rook-ceph              replicaset-rook-ceph-crashcollector-172.16.88.165-64d758974d    Trivy     59m   0          0      7        26
rook-ceph              replicaset-rook-ceph-mgr-a-799d564c7f                           Trivy     57m   0          0      5        18
rook-ceph              replicaset-rook-ceph-mon-b-7448c6ff79                           Trivy     58m   0          0      7        26
rook-ceph              replicaset-rook-ceph-mon-c-659cb46b87                           Trivy     58m   0          0      7        26
rook-ceph              replicaset-rook-ceph-mon-d-7bd477c95b                           Trivy     57m   0          0      7        26
rook-ceph              replicaset-rook-ceph-operator-7f4cc48c84                        Trivy     58m   0          0      1        10
rook-ceph              replicaset-rook-ceph-osd-0-8699855f87                           Trivy     57m   0          3      7        27
rook-ceph              replicaset-rook-ceph-osd-1-7df7bdb9dc                           Trivy     59m   0          3      7        27
rook-ceph              replicaset-rook-ceph-osd-2-56897b8df                            Trivy     58m   0          3      7        27
rook-ceph              replicaset-rook-ceph-osd-3-85f7b4c965                           Trivy     59m   0          3      7        27
rook-ceph              replicaset-rook-ceph-osd-4-66d6ff6bc8                           Trivy     58m   0          3      7        27
rook-ceph              replicaset-rook-ceph-osd-5-684f4bdcbd                           Trivy     58m   0          3      7        27
rook-ceph              replicaset-rook-ceph-osd-6-db4b5699                             Trivy     58m   0          3      7        27
rook-ceph              replicaset-rook-ceph-osd-7-d6ccbb9c4                            Trivy     58m   0          3      7        27
rook-ceph              replicaset-rook-ceph-osd-8-5dddc545c6                           Trivy     58m   0          3      7        27
rook-ceph              replicaset-rook-ceph-tools-74f48bf875                           Trivy     59m   0          0      1        10
rook-ceph              statefulset-prometheus-rook-prometheus                          Trivy     59m   0          0      4        10
velero-system          replicaset-velero-858b9459f9                                    Trivy     57m   0          0      4        14
root@easzlab-deploy:~#
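The wide tables above are easy to eyeball once but awkward to act on across dozens of namespaces. The following script is an added example written for this page, not code from HummerRisk or trivy-operator: it filters the rows that carry CRITICAL or HIGH findings, sums one severity column, and implements a simple gate that fails when any workload has a CRITICAL finding. It assumes the column order printed by the two `kubectl get ... -o wide` commands above (CRITICAL is column 7 in VulnerabilityReports and column 5 in ConfigAuditReports, with HIGH immediately after). The embedded tables are constructed for the example; their rows mirror the layout and a few counts of the real output, and the `demo` namespace row with CRITICAL findings is invented to exercise the failing case.

```shell
#!/bin/sh
# Added example for this page; not code from HummerRisk or trivy-operator.
# Triage the wide tables printed by trivy-operator's report CRDs:
#   kubectl get vulnerabilityreports -A -o wide   -> CRITICAL is column 7
#   kubectl get configauditreports  -A -o wide    -> CRITICAL is column 5
# In both tables the severity columns run CRITICAL HIGH MEDIUM LOW in that
# order, so one awk pass, parameterised on the CRITICAL column, serves both.
# The tables below are constructed for this example: the rows mirror the
# layout and some counts of the output above; the "demo" row is invented.

SAMPLE_CONFIGAUDIT='NAMESPACE   NAME                                 SCANNER  AGE  CRITICAL  HIGH  MEDIUM  LOW
deepflow    daemonset-deepflow-agent             Trivy    59m  0         4     4       10
monitoring  daemonset-node-exporter              Trivy    59m  0         3     2       4
rook-ceph   daemonset-csi-rbdplugin              Trivy    59m  0         6     8       26
argocd      replicaset-argocd-server-6774f85d64  Trivy    59m  0         0     0       8'

SAMPLE_VULN='NAMESPACE  NAME                                                   REPOSITORY                 TAG            SCANNER  AGE  CRITICAL  HIGH  MEDIUM  LOW  UNKNOWN
argocd     replicaset-argocd-redis-ha-haproxy-5899778bcc-haproxy  library/haproxy            2.0.29-alpine  Trivy    42m  0         0     0       0    0
deepflow   daemonset-deepflow-agent-deepflow-agent                deepflowce/deepflow-agent  v6.1.2         Trivy    51m  0         0     0       0    0'

# Invented row: a workload with CRITICAL findings, to show the gate failing.
SAMPLE_VULN_CRITICAL='NAMESPACE  NAME                       REPOSITORY          TAG  SCANNER  AGE  CRITICAL  HIGH  MEDIUM  LOW  UNKNOWN
demo       deployment-legacy-api-app  example/legacy-api  1.0  Trivy    5m   2         7     3       1    0'

# triage TABLE CRIT_COL
# Print "NAMESPACE NAME CRITICAL HIGH" for every row with a CRITICAL or HIGH
# finding, worst first. NR > 1 skips the header row; $(c + 1) is the HIGH column.
triage() {
    printf '%s\n' "$1" | awk -v c="$2" '
        NR > 1 && ($c + $(c + 1)) > 0 { printf "%s %s %d %d\n", $1, $2, $c, $(c + 1) }' |
        sort -k3,3nr -k4,4nr
}

# sum_severity TABLE COL
# Total findings in one severity column across all rows of the table.
sum_severity() {
    printf '%s\n' "$1" | awk -v c="$2" 'NR > 1 { s += $c } END { print s + 0 }'
}

# gate_no_critical TABLE CRIT_COL
# Succeed (exit 0) only when no row has a CRITICAL finding; usable as a CI or
# release-gate step once the operator has produced reports for the namespace.
gate_no_critical() {
    n=$(printf '%s\n' "$1" | awk -v c="$2" 'NR > 1 && $c > 0 { n++ } END { print n + 0 }')
    [ "$n" -eq 0 ]
}

# Stand-alone demo on the constructed tables. Against a live cluster, pass
# "$(kubectl get configauditreports -A -o wide)" with column 5, or
# "$(kubectl get vulnerabilityreports -A -o wide)" with column 7, instead.
echo "config audit rows with CRITICAL/HIGH findings:"
triage "$SAMPLE_CONFIGAUDIT" 5
echo "total HIGH config findings: $(sum_severity "$SAMPLE_CONFIGAUDIT" 6)"
gate_no_critical "$SAMPLE_VULN" 7 && echo "gate: pass" || echo "gate: fail"
gate_no_critical "$SAMPLE_VULN_CRITICAL" 7 && echo "gate: pass" || echo "gate: fail"
```

Two caveats when reading the numbers this way: the operator was installed with trivy.ignoreUnfixed=true, so a row of zeros in the VulnerabilityReports means "no CVE with a fix available", not "no CVE"; and a gate on the table counts only covers workloads the operator has already scanned, so check that a report exists for every workload before treating a pass as meaningful.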
Adding k8s cluster detection