Update kube-enforcer helm chart docs #121 (Merged)

niso120b merged 1 commit into aquasecurity:master from VineethReddy02:vineeth-update-ke-helm-docs on Aug 19, 2020.
@@ -26,29 +26,39 @@ These are Helm charts for installation and maintenance of Aqua Container Securit | |
|
||
You need to enable TLS authentication from the API Server to the Kube-Enforcer. Perform these steps: | ||
|
||
1. Run these commands to create TLS certificates which is signed by the local CA certificate. We will pass these certificates with helm command to enbale TLS authentication between kube-enforcer & API-Server to receive events from validatingwebhookconfiguration for image assurance functionality. | ||
|
||
```shell | ||
openssl genrsa -out ca.key 2048 | ||
openssl req -x509 -new -nodes -key ca.key -days 100000 -out ca.crt -subj "/CN=admission_ca" | ||
|
||
cat >server.conf <<EOF | ||
[req] | ||
req_extensions = v3_req | ||
distinguished_name = req_distinguished_name | ||
[req_distinguished_name] | ||
[ v3_req ] | ||
basicConstraints = CA:FALSE | ||
keyUsage = nonRepudiation, digitalSignature, keyEncipherment | ||
extendedKeyUsage = clientAuth, serverAuth | ||
EOF | ||
|
||
openssl genrsa -out server.key 2048 | ||
openssl req -new -key server.key -out server.csr -subj "/CN=aqua-kube-enforcer.aqua.svc" -config server.conf | ||
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 100000 -extensions v3_req -extfile server.conf | ||
Create TLS certificates which is signed by the local CA certificate. We will pass these certificates with helm command to enbale TLS authentication between kube-enforcer & API-Server to receive events from validatingwebhookconfiguration for image assurance functionality. | ||
|
||
You can generate these certificates by executing the script: | ||
|
||
``` | ||
./gen-certs.sh | ||
``` | ||
|
||
You can also use your own certificates without generating new ones for TLS authentication all we need is root CA certificate, certificate signed by CA and certificate key. | ||
|
||
Optionally you can configure the certificates generated from the above script in ```values.yaml``` file | ||
|
||
You need to encode the certificates into based64 for ```ca.crt```, ```server.crt``` and ```server.key``` using the below cmd | ||
|
||
``` | ||
cat <file-name> | base64 | tr -d '\n' | ||
``` | ||
|
||
Provide the above obtained certificates in the below fields of ```values.yaml``` file. | ||
|
||
``` | ||
certsSecret: | ||
name: aqua-kube-enforcer-certs | ||
serverCertificate: "<server.crt>" | ||
serverKey: "<server.key>" | ||
|
||
validatingWebhook: | ||
name: kube-enforcer-admission-hook-config | ||
caBundle: "<ca.crt>" | ||
``` | ||
|
||
or you can provide these certificates while installing the kube-enforcer by providing them in flags. | ||
|
||
You also also use your own certificates without generating new ones for TLS authentication all we need is root CA certificate, certificate signed by CA and certificate key. | ||
|
||
## Installing the Chart | ||
|
||
|
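Review bot: the new text repeats itself and carries a few wording slips worth fixing before merge. "You can also use your own certificates without generating new ones..." appears twice (once before the values.yaml section and again, as "You also also use your own certificates", just before "Installing the Chart"); keep one. "Create TLS certificates which is signed by the local CA" should read "which are signed", "enbale" should be "enable", and "based64" should be "base64". The `./gen-certs.sh` fence has no language tag while the other fences in this file use ```shell / ```bash, and the inline ```values.yaml```, ```ca.crt```, ```server.crt``` and ```server.key``` use triple backticks where single backticks are the inline form. Since the script writes `ca.key` and `server.key` into the working directory, a sentence telling users to keep `ca.key` out of the chart values and out of version control would also fit here; only `ca.crt` belongs in `validatingWebhook.caBundle`.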
@@ -61,7 +71,7 @@ git clone https://github.com/aquasecurity/kube-enforcer-helm.git | |
***Optional*** Update the Helm charts values.yaml file with your environment's custom values, registry secret, aqua console credentials & TLS certificates. This eliminates the need to pass the parameters to the helm command. Then run one of the commands below to install the relevant services. | ||
|
||
```bash | ||
helm install <release_name> kube-enforcer --set imageCredentials.username=<registry-username>,imageCredentials.password=<registry-password>,certsSecret.serverCertificate="$(cat server.crt)",certsSecret.serverKey="$(cat server.key)",validatingWebhook.caBundle="$(cat ca.crt)" | ||
helm upgrade --install <RELEASE_NAME> --namespace aqua kube-enforcer --set imageCredentials.username=<registry-username>,imageCredentials.password=<registry-password>,certsSecret.serverCertificate="$(cat server.crt)",certsSecret.serverKey="$(cat server.key)",validatingWebhook.caBundle="$(cat ca.crt)" | ||
``` | ||
|
||
Optional flags: | ||
|
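Review bot: the `--set certsSecret.serverKey="$(cat server.key)"` form puts the private key on the command line, where it lands in shell history and is visible in the process list; Helm's `--set-file certsSecret.serverKey=server.key` (and likewise for `certsSecret.serverCertificate` and `validatingWebhook.caBundle`) reads the files without exposing them. Two consistency points as well: the values.yaml instructions above tell the user to base64-encode `ca.crt`, `server.crt` and `server.key`, but this command passes the raw PEM via `cat`, so either the template encodes the value itself or one of the two instructions is wrong; and the new `--namespace aqua` is required rather than incidental, because the certificate CN produced by the script is `aqua-kube-enforcer.aqua.svc`, so installing into any other namespace will fail TLS verification from the API server. Both deserve an explicit sentence.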
@@ -71,21 +81,25 @@ Optional flags: | |
--aquaSecret.kubeEnforcerToken default to "" you can find the KubeEnforcer token from aqua csp under enforcers tab in default/custom KubeEnforcer group or you can manually approve KubeEnforcer authentication from aqua CSP under default/custom KubeEnforcer group in enforcers tab. | ||
``` | ||
|
||
## ClusterRole | ||
|
||
KubeEnforcer needs a dedicated clusterrole with **get, list, watch** permissions on **pods, secrets, nodes, namespaces, deployments, replicasets, replicationcontrollers, statefulsets, daemonsets, jobs, cronjobs, clusterroles, clusterrolebindings, componentstatuses** to perform discovery on the cluster. | ||
|
||
## Configurable Variables | ||
|
||
### KubeEnforcer | ||
|
||
| Parameter | Description | Default | | ||
| --------------------------------- | ------------------------------------ | ---------------------------------------------------------------------------- | | ||
| `imageCredentials.create` | Set if to create new pull image secret | `true` | | ||
| `imageCredentials.name` | Your Docker pull image secret name | `aqua-image-pull-secret` | | ||
| `imageCredentials.name` | Your Docker pull image secret name | `aqua-registry-secret` | | ||
Inline review comment: duplicates #110
||
| `imageCredentials.username` | Your Docker registry (DockerHub, etc.) username | `N/A` | | ||
| `imageCredentials.password` | Your Docker registry (DockerHub, etc.) password | `N/A` | ||
| `aquaSecret.kubeEnforcerToken` | Aqua KubeEnforcer token | `N/A` | ||
| `certsSecret.serverCertificate` | Certificate for TLS authentication with Kubernetes api-server | `N/A` | ||
| `certsSecret.serverKey` | Certificate key for TLS authentication with Kubernetes api-server | `N/A` | ||
| `validatingWebhook.caBundle` | Root Certificate for TLS authentication with Kubernetes api-server | `N/A` | | ||
| `envs.gatewayAddress` | Gateway host Address | `aqua-gateway:8443` | | ||
| `envs.gatewayAddress` | Gateway host Address | `aqua-gateway-svc:8443` | | ||
|
||
|
||
## Issues and feedback | ||
|
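Review bot: the new ClusterRole section lists the permissions but not who creates the role, so it reads as a prerequisite the user must satisfy by hand; state whether the chart creates it (and name the resource) or whether the user must. Read access to `secrets` across the whole cluster is the most sensitive grant in that list, so a short per-resource justification, or at least one for `secrets`, would help anyone reviewing the RBAC. In the table, the `imageCredentials.password`, `aquaSecret.kubeEnforcerToken`, `certsSecret.serverCertificate` and `certsSecret.serverKey` rows appear to lack the closing `|` that the other rows have; GitHub renders them anyway, but aligning them keeps the table consistent. The `envs.gatewayAddress` default change to `aqua-gateway-svc:8443` matches the values.yaml change in this PR.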
@@ -0,0 +1,19 @@ | ||
#!/bin/bash | ||
|
||
openssl genrsa -out ca.key 2048 | ||
openssl req -x509 -new -nodes -key ca.key -days 100000 -out ca.crt -subj "/CN=admission_ca" | ||
|
||
cat >server.conf <<EOF | ||
[req] | ||
req_extensions = v3_req | ||
distinguished_name = req_distinguished_name | ||
[req_distinguished_name] | ||
[ v3_req ] | ||
basicConstraints = CA:FALSE | ||
keyUsage = nonRepudiation, digitalSignature, keyEncipherment | ||
extendedKeyUsage = clientAuth, serverAuth | ||
EOF | ||
|
||
openssl genrsa -out server.key 2048 | ||
openssl req -new -key server.key -out server.csr -subj "/CN=aqua-kube-enforcer.aqua.svc" -config server.conf | ||
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 100000 -extensions v3_req -extfile server.conf |
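Review bot: the script has no `set -euo pipefail`, so if `openssl req` or `openssl x509` fails the remaining commands still run and the user ends up with a missing or stale `server.crt` and no non-zero exit to notice it; add it after the shebang. Three points on the certificates themselves: `-days 100000` makes both the CA and the server certificate valid for roughly 274 years, which rules out rotation, so pick something like 365 days and document re-running the script; the `[ v3_req ]` section has no `subjectAltName`, and Go-based clients including a kube-apiserver built with Go 1.15 or later no longer fall back to the CN, so add `subjectAltName = DNS:aqua-kube-enforcer.aqua.svc` there; and `ca.key` and `server.key` are written with the default umask, so start the script with `umask 077` (or `chmod 600` the keys), since `ca.key` can sign further certificates the API server would trust. Finally, the CN hardcodes the `aqua` namespace; either note that in the README's install step or accept the namespace as an argument.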
@@ -2,7 +2,7 @@ | |
imageCredentials: | ||
# If aqua-registry already exists in the cluster. Make create to false. So it won't attempt to create a new registry secret. | ||
create: true | ||
name: csp-registry-secret # example | ||
name: aqua-registry-secret # example | ||
Inline review comment: duplicates #110
||
repositoryUriPrefix: "registry.aquasec.com" # for dockerhub - "docker.io" | ||
registry: "registry.aquasec.com" #REQUIRED only if create is true, for dockerhub - "index.docker.io/v1/" | ||
username: "" | ||
|
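Review bot: the comment on `create` still says "If aqua-registry already exists in the cluster", while the secret is now named `aqua-registry-secret`; update the comment to the new name so users checking for an existing secret look for the right one, and tidy the sentence (for example: "If a secret named `aqua-registry-secret` already exists in the cluster, set `create` to false so the chart does not attempt to create one"). The default change matches the README table row updated in this PR.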
@@ -35,7 +35,7 @@ aquaSecret: | |
kubeEnforcerToken: "" | ||
|
||
envs: | ||
gatewayAddress: csp-gateway-svc:8443 | ||
gatewayAddress: aqua-gateway-svc:8443 | ||
|
||
|
||
serviceAccount: | ||
|
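Review bot: `gatewayAddress: aqua-gateway-svc:8443` is consistent with the README table in this PR, but confirm the gateway chart actually names its Service `aqua-gateway-svc`, since users who keep the default otherwise get a connection failure at startup; a comment above the key saying the value must be `<service>.<namespace>:<port>` when Kube-Enforcer runs in a different namespace from the gateway would prevent a second class of the same failure.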
This Chart already contains a `ClusterRole`, I would find this very confusing; this makes it sound like I need to add a `ClusterRole` myself. I've also made a bunch of PRs to fix some very confusing and buggy inconsistencies and this adds a new inconsistency: the Server Chart also has a `ClusterRole`, but nothing is mentioned there... It also doesn't say why it needs each of those permissions. ToC also wasn't updated...