Install CloudDefense suite on a Kubernetes cluster

Pre-requisites

There are three main pre-requisites for a production grade cdefense installation on-premises

  1. A managed Postgres instance (for AWS RDS db.r5.large)

    1. enable automated backups

  2. A kubernetes cluster (/examples/eks) with at least two nodegroups

    1. node group for jobs

      1. each node has { label: job }

    2. node group for all else

      1. (optional) each node has { label: cdefense }

  3. A cluster auto-scaler

Install kafka

  • Download the kafka helm repo (bitnami)

    helm repo add bitnami https://charts.bitnami.com/bitnami

  • (optional) create/edit values.yaml

    nodeSelector:
  label: external

  • Install kafka helm

    helm install kafka bitnami/kafka -f values.yaml

Install cdefense

  • add cdefense helm repo

    helm repo add cdefense https://clouddefenseai.github.io/charts/

  • update repos

    helm repo update

  • clone the repo

    git clone https://github.com/CloudDefenseAI/charts

  • create roles, role binding and service accounts

    kubectl apply -f charts/cdefense/rbac

  • create secrets

    kubectl apply -f charts/cdefense/secrets

  • Install cdefense helm

    helm install cdefense cdefense --debug

    or

    helm upgrade cdefense cdefense/cdefense --debug

Configure Social Authentication

In order to sign in with different identity providers (for ex. github), create ID and secrets

Github

create secrets for authservice

  • create a secret for authservice

    apiVersion: v1
kind: Secret
metadata:
  name: authservice-secrets
  type: Opaque
stringData:
  SENDGRID_KEY: 
  GOOGLE_CLIENT_ID: 
  GOOGLE_CLIENT_SECRET: 
  GITHUB_CLIENT_ID: 
  GITHUB_CLIENT_SECRET: 
  GITLAB_APPLICATION_ID: 
  GITLAB_APPLICATION_SECRET: 
  BITBUCKET_KEY: 
  BITBUCKET_SECRET: 
  MICROSOFT_CLIENT_ID: 
  MICROSOFT_CLIENT_SECRET: 
    kubectl apply -f authservice-secrets.yaml

  • restart authservice pod

How to change location of logs

  • update value.yaml

    api:
  logs: 
    region: <REGION>
    bucket: <BUCKET>

in case of private bucket

  • Edit the scan-server-secrets.yaml file

      AWS_SCAN_S3_ACCESS_KEY: <AWS_SCAN_S3_ACCESS_KEY>
  AWS_SCAN_S3_SECRET_KEY: <AWS_SCAN_S3_SECRET_KEY>
    kubectl apply -f scan-server-secrets.yaml

  • or update secrets on cluster

    • encode values as base64 strings

    AWS_SCAN_S3_ACCESS_KEY=<AWS_ACCESS_KEY>
BASE64_AWS_SCAN_S3_ACCESS_KEY=$(echo $AWS_SCAN_S3_ACCESS_KEY | base64)
    AWS_SCAN_S3_SECRET_KEY=<AWS_SECRET_KEY>
BASE64_AWS_SCAN_S3_ACCESS_KEY=$(echo $AWS_SCAN_S3_SECRET_KEY | base64)

    • edit scan-server-secrets

    kubectl edit secret scan-server-secrets
      AWS_SCAN_S3_ACCESS_KEY: <BASE64_AWS_SCAN_S3_ACCESS_KEY>
  AWS_SCAN_S3_SECRET_KEY: <BASE64_AWS_SCAN_S3_SECRET_KEY>

  • save and restart api pod

    kubectl delete pod api-<some-string>

PreviousInstall CloudDefense Helm on a Kubernetes ClusterNextTeam Management

Last updated