Install CloudDefense suite on a Kubernetes cluster
Pre-requisites
There are three main pre-requisites for a production grade cdefense installation on-premises
A managed Postgres instance (for AWS RDS db.r5.large)
enable automated backups
A kubernetes cluster (/examples/eks) with at least two nodegroups
node group for jobs
each node has { label: job }
node group for all else
(optional) each node has { label: cdefense }
A cluster auto-scaler
Install kafka
Download the kafka helm repo (bitnami)
helm repo add bitnami https://charts.bitnami.com/bitnami
(optional) create/edit
values.yaml
nodeSelector: label: external
Install kafka helm
helm install kafka bitnami/kafka -f values.yaml
Install cdefense
add cdefense helm repo
helm repo add cdefense https://clouddefenseai.github.io/charts/
update repos
helm repo update
clone the repo
git clone https://github.com/CloudDefenseAI/charts
create roles, role binding and service accounts
kubectl apply -f charts/cdefense/rbac
create secrets
kubectl apply -f charts/cdefense/secrets
Install cdefense helm
helm install cdefense cdefense --debug
or
helm upgrade cdefense cdefense/cdefense --debug
Configure Social Authentication
In order to sign in with different identity providers (for ex. github), create ID and secrets
Github
create a New OAuth App
Homepage URL is the base_url
Authorization callback URL is https://{base_url}/auth/realms/cdefense/broker/github/endpoint

create secrets for authservice
create a secret for authservice
apiVersion: v1 kind: Secret metadata: name: authservice-secrets type: Opaque stringData: SENDGRID_KEY: GOOGLE_CLIENT_ID: GOOGLE_CLIENT_SECRET: GITHUB_CLIENT_ID: GITHUB_CLIENT_SECRET: GITLAB_APPLICATION_ID: GITLAB_APPLICATION_SECRET: BITBUCKET_KEY: BITBUCKET_SECRET: MICROSOFT_CLIENT_ID: MICROSOFT_CLIENT_SECRET:
kubectl apply -f authservice-secrets.yaml
restart authservice pod
How to change location of logs
update value.yaml
api: logs: region: <REGION> bucket: <BUCKET>
in case of private bucket
Edit the scan-server-secrets.yaml file
AWS_SCAN_S3_ACCESS_KEY: <AWS_SCAN_S3_ACCESS_KEY> AWS_SCAN_S3_SECRET_KEY: <AWS_SCAN_S3_SECRET_KEY>
kubectl apply -f scan-server-secrets.yaml
or update secrets on cluster
encode values as base64 strings
AWS_SCAN_S3_ACCESS_KEY=<AWS_ACCESS_KEY> BASE64_AWS_SCAN_S3_ACCESS_KEY=$(echo $AWS_SCAN_S3_ACCESS_KEY | base64)
AWS_SCAN_S3_SECRET_KEY=<AWS_SECRET_KEY> BASE64_AWS_SCAN_S3_ACCESS_KEY=$(echo $AWS_SCAN_S3_SECRET_KEY | base64)
edit scan-server-secrets
kubectl edit secret scan-server-secrets
AWS_SCAN_S3_ACCESS_KEY: <BASE64_AWS_SCAN_S3_ACCESS_KEY> AWS_SCAN_S3_SECRET_KEY: <BASE64_AWS_SCAN_S3_SECRET_KEY>
save and restart api pod
kubectl delete pod api-<some-string>
Last updated