CloudDefense.AI
  • Connect Repositories
    • Scan a Github/Gitlab
    • Scan an Azure DevOps repository
    • Scan a Bitbucket repository
  • Scans
    • Written code Scan (SAST)
    • Open Source Libraries Scan (SCA)
    • Secrets Scan
    • DAST Scans
    • API Scan from CloudDefense UI
  • CI/CD
    • GitHub Enterprise Actions
    • Methods for CI/CD integration with CLI
    • CI/CD Policies
    • Jenkins integration with cdefence
  • Integration
    • IaC on GCR Scan
    • IaC on Amazon ECR Scan
    • IaC on Docker Hub Scan
    • Integration with ServiceNow
    • Integration with Jira
    • SSO Okta App Integration
    • Set up CloudDefense Single Sign-On (SSO)
    • SIEM
      • Azure Sentinel
      • IBM Qradar
      • Micro Focus ArcSight Logger
  • Features
    • Sharing Integration
    • How to Enable Multi-Factor Authentication
    • AUTO PR
    • Remediation using SAST Recommendations
    • Global Allowed List and Local allowed list - Documentation
    • File Exclude
  • CloudDefense CLI
    • Cloud Defense CLI
  • On-Prem Installation
    • Install CloudDefense Helm on a Kubernetes Cluster
    • Install CloudDefense suite on a Kubernetes cluster
  • Others
    • Team Management
    • User Management
    • App Management
    • LogIn/Signup process
Powered by GitBook
On this page
  • Pre-requisites
  • Install kafka
  • Install cdefense
  • Configure Social Authentication
  • How to change location of logs
  1. On-Prem Installation

Install CloudDefense suite on a Kubernetes cluster

PreviousInstall CloudDefense Helm on a Kubernetes ClusterNextTeam Management

Last updated 2 years ago

Pre-requisites

There are three main pre-requisites for a production grade cdefense installation on-premises

  1. A managed Postgres instance (for AWS RDS db.r5.large)

    1. enable automated backups

  2. A kubernetes cluster (/examples/eks) with at least two nodegroups

    1. node group for jobs

      1. each node has { label: job }

    2. node group for all else

      1. (optional) each node has { label: cdefense }

  3. A cluster auto-scaler

Install kafka

  • Download the kafka helm repo (bitnami)

    helm repo add bitnami https://charts.bitnami.com/bitnami

  • (optional) create/edit values.yaml

    nodeSelector:
  label: external

  • Install kafka helm

    helm install kafka bitnami/kafka -f values.yaml

Install cdefense

  • add cdefense helm repo

    helm repo add cdefense https://clouddefenseai.github.io/charts/

  • update repos

    helm repo update

  • clone the repo

    git clone https://github.com/CloudDefenseAI/charts

  • create roles, role binding and service accounts

    kubectl apply -f charts/cdefense/rbac

  • create secrets

    kubectl apply -f charts/cdefense/secrets

  • Install cdefense helm

    helm install cdefense cdefense --debug

    or

    helm upgrade cdefense cdefense/cdefense --debug

Configure Social Authentication

In order to sign in with different identity providers (for ex. github), create ID and secrets

Github

  • go to github developer settings

  • create a New OAuth App

  • Homepage URL is the base_url

  • Authorization callback URL is https://{base_url}/auth/realms/cdefense/broker/github/endpoint

create secrets for authservice

  • create a secret for authservice

    apiVersion: v1
kind: Secret
metadata:
  name: authservice-secrets
  type: Opaque
stringData:
  SENDGRID_KEY: 
  GOOGLE_CLIENT_ID: 
  GOOGLE_CLIENT_SECRET: 
  GITHUB_CLIENT_ID: 
  GITHUB_CLIENT_SECRET: 
  GITLAB_APPLICATION_ID: 
  GITLAB_APPLICATION_SECRET: 
  BITBUCKET_KEY: 
  BITBUCKET_SECRET: 
  MICROSOFT_CLIENT_ID: 
  MICROSOFT_CLIENT_SECRET: 
    kubectl apply -f authservice-secrets.yaml

  • restart authservice pod

How to change location of logs

  • update value.yaml

    api:
  logs: 
    region: <REGION>
    bucket: <BUCKET>

in case of private bucket

  • Edit the scan-server-secrets.yaml file

      AWS_SCAN_S3_ACCESS_KEY: <AWS_SCAN_S3_ACCESS_KEY>
  AWS_SCAN_S3_SECRET_KEY: <AWS_SCAN_S3_SECRET_KEY>
    kubectl apply -f scan-server-secrets.yaml

  • or update secrets on cluster

    • encode values as base64 strings

    AWS_SCAN_S3_ACCESS_KEY=<AWS_ACCESS_KEY>
BASE64_AWS_SCAN_S3_ACCESS_KEY=$(echo $AWS_SCAN_S3_ACCESS_KEY | base64)
    AWS_SCAN_S3_SECRET_KEY=<AWS_SECRET_KEY>
BASE64_AWS_SCAN_S3_ACCESS_KEY=$(echo $AWS_SCAN_S3_SECRET_KEY | base64)

    • edit scan-server-secrets

    kubectl edit secret scan-server-secrets
      AWS_SCAN_S3_ACCESS_KEY: <BASE64_AWS_SCAN_S3_ACCESS_KEY>
  AWS_SCAN_S3_SECRET_KEY: <BASE64_AWS_SCAN_S3_SECRET_KEY>

  • save and restart api pod

    kubectl delete pod api-<some-string>