Install CloudDefense suite on a Kubernetes cluster

Pre-requisites

There are three main pre-requisites for a production grade cdefense installation on-premises

1. A managed Postgres instance (for AWS RDS db.r5.large)

   1. enable automated backups

2. A kubernetes cluster (/examples/eks) with at least two nodegroups

   1. node group for jobs

      1. each node has { label: job }

   2. node group for all else

      1. (optional) each node has { label: cdefense }

3. A cluster auto-scaler

Install kafka

• Download the kafka helm repo (bitnami)

  Copy

  helm repo add bitnami https://charts.bitnami.com/bitnami

• (optional) create/edit values.yaml

  Copy

  nodeSelector:
    label: external

• Install kafka helm

  Copy

  helm install kafka bitnami/kafka -f values.yaml

Install cdefense

• add cdefense helm repo

  Copy

  helm repo add cdefense https://clouddefenseai.github.io/charts/  

• update repos

  Copy

  helm repo update

• clone the repo

  Copy

  git clone https://github.com/CloudDefenseAI/charts

• create roles, role binding and service accounts

  Copy

  kubectl apply -f charts/cdefense/rbac

• create secrets

  Copy

  kubectl apply -f charts/cdefense/secrets

• Install cdefense helm

  Copy

  helm install cdefense cdefense --debug

  or

  Copy

  helm upgrade cdefense cdefense/cdefense --debug

Configure Social Authentication

In order to sign in with different identity providers (for ex. github), create ID and secrets

Github

• go to github developer settings

• create a New OAuth App

• Homepage URL is the base_url

• Authorization callback URL is https://{base_url}/auth/realms/cdefense/broker/github/endpoint

create secrets for authservice

• create a secret for authservice

  Copy

  apiVersion: v1
  kind: Secret
  metadata:
    name: authservice-secrets
    type: Opaque
  stringData:
    SENDGRID_KEY: 
    GOOGLE_CLIENT_ID: 
    GOOGLE_CLIENT_SECRET: 
    GITHUB_CLIENT_ID: 
    GITHUB_CLIENT_SECRET: 
    GITLAB_APPLICATION_ID: 
    GITLAB_APPLICATION_SECRET: 
    BITBUCKET_KEY: 
    BITBUCKET_SECRET: 
    MICROSOFT_CLIENT_ID: 
    MICROSOFT_CLIENT_SECRET: 

  Copy

  kubectl apply -f authservice-secrets.yaml

• restart authservice pod

How to change location of logs

• update value.yaml

  Copy

  api:
    logs: 
      region: <REGION>
      bucket: <BUCKET>

in case of private bucket

• Edit the scan-server-secrets.yaml file

  Copy

    AWS_SCAN_S3_ACCESS_KEY: <AWS_SCAN_S3_ACCESS_KEY>
    AWS_SCAN_S3_SECRET_KEY: <AWS_SCAN_S3_SECRET_KEY>

  Copy

  kubectl apply -f scan-server-secrets.yaml

• or update secrets on cluster

  • encode values as base64 strings

  Copy

  AWS_SCAN_S3_ACCESS_KEY=<AWS_ACCESS_KEY>
  BASE64_AWS_SCAN_S3_ACCESS_KEY=$(echo $AWS_SCAN_S3_ACCESS_KEY | base64)

  Copy

  AWS_SCAN_S3_SECRET_KEY=<AWS_SECRET_KEY>
  BASE64_AWS_SCAN_S3_ACCESS_KEY=$(echo $AWS_SCAN_S3_SECRET_KEY | base64)

  • edit scan-server-secrets

  Copy

  kubectl edit secret scan-server-secrets

  Copy

    AWS_SCAN_S3_ACCESS_KEY: <BASE64_AWS_SCAN_S3_ACCESS_KEY>
    AWS_SCAN_S3_SECRET_KEY: <BASE64_AWS_SCAN_S3_SECRET_KEY>

• save and restart api pod

  Copy

  kubectl delete pod api-<some-string>