Install CloudDefense suite on a Kubernetes cluster

Pre-requisites

There are three main pre-requisites for a production grade cdefense installation on-premises:
  1. A managed Postgres instance (for AWS RDS: db.r5.large)
     1. enable automated backups
  2. A kubernetes cluster (/examples/eks) with at least two nodegroups
     1. node group for jobs
        1. each node has { label: job }
     2. node group for all else
        1. (optional) each node has { label: cdefense }
  3. A cluster auto-scaler

Install kafka

  • Download the kafka helm repo (bitnami)
    helm repo add bitnami https://charts.bitnami.com/bitnami
  • (optional) create/edit values.yaml
    nodeSelector:
      label: external
  • Install kafka helm
    helm install kafka bitnami/kafka -f values.yaml

Install cdefense

  • add cdefense helm repo
    helm repo add cdefense https://clouddefenseai.github.io/charts/
  • update repos
    helm repo update
  • clone the repo
    git clone https://github.com/CloudDefenseAI/charts
  • create roles, role binding and service accounts
    kubectl apply -f charts/cdefense/rbac
  • create secrets
    kubectl apply -f charts/cdefense/secrets
  • Install cdefense helm (chart cdefense from the cdefense repo added above)
    helm install cdefense cdefense/cdefense --debug
    or, for an existing release,
    helm upgrade cdefense cdefense/cdefense --debug

Configure Social Authentication

In order to sign in with different identity providers (for example GitHub), create a client ID and secret for each provider and store them as described below.

Github

create secrets for authservice

  • create a secret for authservice (authservice-secrets.yaml) holding the client IDs and secrets of the providers you use
    apiVersion: v1
    kind: Secret
    metadata:
      name: authservice-secrets
    type: Opaque
    stringData:
      SENDGRID_KEY:
      GOOGLE_CLIENT_ID:
      GOOGLE_CLIENT_SECRET:
      GITHUB_CLIENT_ID:
      GITHUB_CLIENT_SECRET:
      GITLAB_APPLICATION_ID:
      GITLAB_APPLICATION_SECRET:
      BITBUCKET_KEY:
      BITBUCKET_SECRET:
      MICROSOFT_CLIENT_ID:
      MICROSOFT_CLIENT_SECRET:
    kubectl apply -f authservice-secrets.yaml
  • restart the authservice pod so it picks up the new secret

How to change the location of logs

  • update values.yaml
    api:
      logs:
        region: <REGION>
        bucket: <BUCKET>

In case of a private bucket

  • edit the scan-server-secrets.yaml file
    AWS_SCAN_S3_ACCESS_KEY: <AWS_SCAN_S3_ACCESS_KEY>
    AWS_SCAN_S3_SECRET_KEY: <AWS_SCAN_S3_SECRET_KEY>
    kubectl apply -f scan-server-secrets.yaml
  • or update the secret on the cluster
    • encode the values as base64 strings (use printf rather than echo, so the trailing newline is not encoded into the credential)
    AWS_SCAN_S3_ACCESS_KEY=<AWS_ACCESS_KEY>
    BASE64_AWS_SCAN_S3_ACCESS_KEY=$(printf '%s' "$AWS_SCAN_S3_ACCESS_KEY" | base64)
    AWS_SCAN_S3_SECRET_KEY=<AWS_SECRET_KEY>
    BASE64_AWS_SCAN_S3_SECRET_KEY=$(printf '%s' "$AWS_SCAN_S3_SECRET_KEY" | base64)
    • edit scan-server-secrets and replace the two values under data:
    kubectl edit secret scan-server-secrets
    AWS_SCAN_S3_ACCESS_KEY: <BASE64_AWS_SCAN_S3_ACCESS_KEY>
    AWS_SCAN_S3_SECRET_KEY: <BASE64_AWS_SCAN_S3_SECRET_KEY>
  • save and restart the api pod
    kubectl delete pod api-<some-string>
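The base64 step above is where private-bucket setups usually go wrong: `echo` appends a newline that ends up inside the stored credential, and the scan server then fails S3 authentication with nothing obvious in the manifest. The following is an added example, not part of the CloudDefense docs or charts, that renders the scan-server-secrets manifest offline with correctly encoded values and checks the encoding round-trips before anything is applied; the secret and key names are taken from the page, and the sample credentials are constructed placeholders.

```shell
#!/usr/bin/env sh
# Added example (not from the CloudDefense docs): build the scan-server-secrets
# manifest offline and verify the base64 encoding before `kubectl apply`.

# Encode a value for a Secret's `data:` field. `printf '%s'` (not `echo`) avoids
# embedding a trailing newline; `tr` removes the line wrapping GNU base64 adds.
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode what we would store and compare it with the original value, so a
# corrupted credential is caught here rather than as an S3 auth failure.
b64_roundtrip_ok() {
  [ "$(b64 "$1" | base64 -d)" = "$1" ]
}

# Render the Secret manifest. `data:` takes base64 values (unlike `stringData:`,
# which takes plaintext); the secret and key names match the page.
render_scan_server_secret() {
  access_key="$1"
  secret_key="$2"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: scan-server-secrets
type: Opaque
data:
  AWS_SCAN_S3_ACCESS_KEY: $(b64 "$access_key")
  AWS_SCAN_S3_SECRET_KEY: $(b64 "$secret_key")
EOF
}

# Constructed sample credentials (placeholders, not real keys).
SAMPLE_ACCESS="AKIAEXAMPLEPLACEHOLDER"
SAMPLE_SECRET="example-secret-placeholder/with+chars"

# Run with --demo to print the manifest; pipe it into `kubectl apply -f -`.
if [ "${1:-}" = "--demo" ]; then
  b64_roundtrip_ok "$SAMPLE_ACCESS" && b64_roundtrip_ok "$SAMPLE_SECRET" || exit 1
  render_scan_server_secret "$SAMPLE_ACCESS" "$SAMPLE_SECRET"
fi
```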