# Install CloudDefense suite on a Kubernetes cluster
There are three main prerequisites for a production-grade cdefense installation on-premises:

1. A managed Postgres instance (on AWS, an RDS `db.r5.large`)
   1. enable automated backups
2. A Kubernetes cluster (see `/examples/eks`) with at least two node groups
   1. a node group for jobs
      1. each node has `{ label: job }`
   2. a node group for everything else
      1. (optional) each node has `{ label: cdefense }`
3. A cluster auto-scaler
- Add the Bitnami helm repo for Kafka:

  ```bash
  helm repo add bitnami https://charts.bitnami.com/bitnami
  ```
- (optional) create/edit `values.yaml` so the Kafka pods are scheduled on the intended nodes:

  ```yaml
  nodeSelector:
    label: external
  ```
- Install the Kafka chart:

  ```bash
  helm install kafka bitnami/kafka -f values.yaml
  ```
- Add the cdefense helm repo:

  ```bash
  helm repo add cdefense https://clouddefenseai.github.io/charts/
  ```
- Update the repos:

  ```bash
  helm repo update
  ```
- Clone the charts repo:

  ```bash
  git clone https://github.com/CloudDefenseAI/charts
  ```
- Create the roles, role bindings and service accounts:

  ```bash
  kubectl apply -f charts/cdefense/rbac
  ```
- Create the secrets:

  ```bash
  kubectl apply -f charts/cdefense/secrets
  ```
- Install the cdefense chart from the repo added above (or upgrade an existing release):

  ```bash
  helm install cdefense cdefense/cdefense --debug
  ```

  or

  ```bash
  helm upgrade cdefense cdefense/cdefense --debug
  ```
In order to sign in with different identity providers (for example GitHub), create a client ID and secret for each provider:

- create a New OAuth App with the provider
- the Homepage URL is the `base_url`
- create a secret for authservice in `authservice-secrets.yaml` (fill in only the providers you use; the values shown are placeholders):

  ```yaml
  apiVersion: v1
  kind: Secret
  metadata:
    name: authservice-secrets
  type: Opaque
  stringData:
    SENDGRID_KEY: <SENDGRID_KEY>
    GOOGLE_CLIENT_ID: <GOOGLE_CLIENT_ID>
    GOOGLE_CLIENT_SECRET: <GOOGLE_CLIENT_SECRET>
    GITHUB_CLIENT_ID: <GITHUB_CLIENT_ID>
    GITHUB_CLIENT_SECRET: <GITHUB_CLIENT_SECRET>
    GITLAB_APPLICATION_ID: <GITLAB_APPLICATION_ID>
    GITLAB_APPLICATION_SECRET: <GITLAB_APPLICATION_SECRET>
    BITBUCKET_KEY: <BITBUCKET_KEY>
    BITBUCKET_SECRET: <BITBUCKET_SECRET>
    MICROSOFT_CLIENT_ID: <MICROSOFT_CLIENT_ID>
    MICROSOFT_CLIENT_SECRET: <MICROSOFT_CLIENT_SECRET>
  ```

  ```bash
  kubectl apply -f authservice-secrets.yaml
  ```
- restart the authservice pod so it picks up the new secret
- update `values.yaml` with the S3 location for scan logs:

  ```yaml
  api:
    logs:
      region: <REGION>
      bucket: <BUCKET>
  ```
- Edit the `scan-server-secrets.yaml` file and apply it:

  ```yaml
  AWS_SCAN_S3_ACCESS_KEY: <AWS_SCAN_S3_ACCESS_KEY>
  AWS_SCAN_S3_SECRET_KEY: <AWS_SCAN_S3_SECRET_KEY>
  ```

  ```bash
  kubectl apply -f scan-server-secrets.yaml
  ```
- or update the secret that is already on the cluster:
  - encode the values as base64 strings (use `printf '%s'` rather than `echo`, which would append a newline that then becomes part of the stored credential):

    ```bash
    AWS_SCAN_S3_ACCESS_KEY=<AWS_ACCESS_KEY>
    BASE64_AWS_SCAN_S3_ACCESS_KEY=$(printf '%s' "$AWS_SCAN_S3_ACCESS_KEY" | base64)
    AWS_SCAN_S3_SECRET_KEY=<AWS_SECRET_KEY>
    BASE64_AWS_SCAN_S3_SECRET_KEY=$(printf '%s' "$AWS_SCAN_S3_SECRET_KEY" | base64)
    ```
  - edit `scan-server-secrets` and paste the encoded values:

    ```bash
    kubectl edit secret scan-server-secrets
    ```

    ```yaml
    AWS_SCAN_S3_ACCESS_KEY: <BASE64_AWS_SCAN_S3_ACCESS_KEY>
    AWS_SCAN_S3_SECRET_KEY: <BASE64_AWS_SCAN_S3_SECRET_KEY>
    ```
  - save and restart the api pod:

    ```bash
    kubectl delete pod api-<some-string>
    ```
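The secret-update steps above, as an added example that is not part of the CloudDefense charts: a POSIX shell script that base64-encodes the two scan-server keys the way the Secret API expects (no trailing newline, no line wrapping) and emits a complete manifest for `kubectl apply -f -`, as an alternative to pasting values into `kubectl edit`. The key values, the `naive_b64_value` helper and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the CloudDefense charts. Builds the
# scan-server-secrets manifest with base64 values encoded the way the
# Secret API expects. Key values used below are constructed placeholders.

# Encode one value for a Secret's `data:` field. `printf '%s'` writes the
# bytes without a trailing newline; `tr -d '\n'` removes the line wrapping
# that some base64 implementations add for long inputs.
b64_value() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# The pitfall from the steps above: `echo` appends '\n', so the newline is
# encoded into the stored credential and no longer equals the issued key.
naive_b64_value() {
    echo "$1" | base64 | tr -d '\n'
}

# Decode a base64 string and report how many bytes it held, so the two
# encoders can be compared (11 vs 12 bytes for an 11-character key).
decoded_byte_count() {
    printf '%s' "$1" | base64 -d | wc -c | tr -d ' '
}

# Emit a complete Secret manifest suitable for `kubectl apply -f -`.
# $1 = access key, $2 = secret key.
scan_server_secret_manifest() {
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: scan-server-secrets\ntype: Opaque\ndata:\n'
    printf '  AWS_SCAN_S3_ACCESS_KEY: %s\n' "$(b64_value "$1")"
    printf '  AWS_SCAN_S3_SECRET_KEY: %s\n' "$(b64_value "$2")"
}

# Usage with constructed dummy credentials:
#   scan_server_secret_manifest AKIAEXAMPLE wJalrEXAMPLEsecret | kubectl apply -f -
```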