kubearmor / kubearmor-client

KubeArmor cli tool aka kArmor :robot:
Apache License 2.0

feat(gRPC): add mtls support #408

Closed rksharma95 closed 5 months ago

rksharma95 commented 6 months ago

This PR adds mTLS support to secure gRPC connections between karmor <-> KubeArmor and karmor <-> KubeArmor-Relay.

The following configurations have been added:

| config | values | default | description |
| --- | --- | --- | --- |
| --insecure | true/false | true | connect to secure/insecure server |
| --tlsCertPath | "valid directory path" | /var/lib/kubearmor/tls | path to the directory where ca.crt, client.crt and client.key files are present |
| --tlsCertProvider | self/external | self | self: client certificates will be generated dynamically, external: use client and ca certificates provided using files |

Use cases:

  1. KubeArmor is being deployed in a k8s cluster with TLS enabled; connect to the kubearmor relay to get the telemetry using the default self-signed CA deployed along with KubeArmor. (KubeArmor should be installed with TLS configurations that allow karmor to connect)
     karmor logs --insecure=false
  2. Connect to KubeArmor using certificates (client.crt, client.key, ca.crt) stored locally.
     karmor logs --insecure=false --tlsCertPath=<path-to-certs> --tlsCertProvider=external
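The following Go program is an added illustration of the client side of the mTLS setup described in the PR; it is not code from the PR or from the kubearmor-client repository. It assumes only the file layout the `--tlsCertPath` table names (ca.crt, client.crt, client.key) and models the two `--tlsCertProvider` modes: `writeSelfSignedCerts` plays the role of the "self" provider by minting a throwaway CA and client certificate (constructed fixture material, not KubeArmor's own generation logic), and `clientTLSConfig` plays the role of the "external" provider by loading those files into a `tls.Config`. `verifyClientChain` then runs the same chain check a server enforcing mTLS would apply to the presented client certificate. The function and certificate names are hypothetical; only the Go standard library is used.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// clientTLSConfig models the "external" provider: load ca.crt, client.crt and client.key from
// certDir (the --tlsCertPath layout) into a tls.Config that presents the client certificate
// and trusts only servers issued by ca.crt. Missing or unusable files are an error, never a
// silent fallback to plaintext.
func clientTLSConfig(certDir string) (*tls.Config, error) {
	caPEM, err := os.ReadFile(filepath.Join(certDir, "ca.crt"))
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, fmt.Errorf("%s: no usable CA certificate", filepath.Join(certDir, "ca.crt"))
	}
	cert, err := tls.LoadX509KeyPair(filepath.Join(certDir, "client.crt"), filepath.Join(certDir, "client.key"))
	if err != nil {
		return nil, err
	}
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		RootCAs:      pool,
		MinVersion:   tls.VersionTLS12,
	}, nil
}

// verifyClientChain applies the check an mTLS server performs on the presented client
// certificate: it must chain to the trusted CA and permit ClientAuth.
func verifyClientChain(cfg *tls.Config) error {
	leaf, err := x509.ParseCertificate(cfg.Certificates[0].Certificate[0])
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{
		Roots:     cfg.RootCAs,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// writeSelfSignedCerts stands in for the "self" provider: a throwaway CA and a client
// certificate it signed, written in the layout above. Constructed fixture material only.
func writeSelfSignedCerts(dir string) {
	caPub, caKey, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	clientPub, clientKey, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	ca := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-ca"}, NotBefore: nb, NotAfter: na,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, caPub, caKey)
	check(err)
	caCert, err := x509.ParseCertificate(caDER) // parsed parent carries the CA's subject key id
	check(err)
	client := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "karmor-client"}, NotBefore: nb, NotAfter: na,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	clientDER, err := x509.CreateCertificate(rand.Reader, client, caCert, clientPub, caKey)
	check(err)
	keyDER, err := x509.MarshalPKCS8PrivateKey(clientKey)
	check(err)
	for name, blk := range map[string]*pem.Block{
		"ca.crt":     {Type: "CERTIFICATE", Bytes: caDER},
		"client.crt": {Type: "CERTIFICATE", Bytes: clientDER},
		"client.key": {Type: "PRIVATE KEY", Bytes: keyDER},
	} {
		check(os.WriteFile(filepath.Join(dir, name), pem.EncodeToMemory(blk), 0o600))
	}
}

func main() {
	dir, err := os.MkdirTemp("", "karmor-mtls-example")
	check(err)
	defer os.RemoveAll(dir)
	writeSelfSignedCerts(dir)
	cfg, err := clientTLSConfig(dir)
	check(err)
	fmt.Println("client certificate chains to ca.crt:", verifyClientChain(cfg) == nil)
}
```

In a gRPC client the resulting `tls.Config` is wrapped with `credentials.NewTLS(cfg)` and passed to the dial via `grpc.WithTransportCredentials`; that wiring is omitted here to keep the example free of module dependencies. Two points worth keeping in mind when reading the PR's flag table against this code: the `--insecure` default is `true`, so TLS is opt-in and `--insecure=false` has to be passed explicitly, and the loader above refuses to proceed when ca.crt is missing or empty rather than degrading to an unauthenticated connection, which is the behaviour a relay exposing telemetry should expect from its clients.
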
daemon1024 commented 5 months ago

Let's rebase and handle conflicts