This tutorial details how to onboard Openshift cluster to CloudGuard native.
- Register for a CloudGuard native account. https://secure.dome9.com/v2/register/invite
- Generate CloudGuard API key and secret here https://secure.dome9.com/v2/settings/credentials
git clone https://github.com/jaydenaung/cloudguard-OpenShift
- ake sure that uid1000.json and cp-cloudguard-openshift.yaml are in the same directory as onboard-1.sh.
- Edit variables and run onboard-1.sh to onboard the cluster.
chmod +x onboard-1.sh
./onboard-1.sh
Alternatively, you can follow the instructions below and execute command lines manually.
oc create namespace
PLEASE REPLACE <your_namespace> with your namespace name that you created after the --namespace flag!
oc create secret generic dome9-creds --from-literal=username=<cloudguard_API_key> --from-literal=secret=<cloudguard_secret_key> --namespace <your_namespace>
please copy your cluster id from the the kubectl equivalent command that is automatically generated in the onboarding page
oc create configmap cp-resource-management-configmap --from-literal=cluster.id=,your_cluster_id> --namespace <your_namespace>
oc create serviceaccount cp-resource-management --namespace <your_namespace>
The cloudguard agent uses the user ID 1000 whereas the Openshift security context constraint or scc assign a randown UID from internal number ranges which will cause the replicaset to fail to deploy the agent. We need to create a Security Context Constraint or scc for CloudGuard in OpenShift and allow the UID 1000:
To allow cloudguard to use UID 1000, please create a file uid1000.json that you can download with git clone containing:
NOTE:with OpenShift 4.x and above the apiVersion has changed to security.openshift.io/v1. Please do update that if you are running v4.x and above
{
"apiVersion": "v1",
"kind": "SecurityContextConstraints",
"metadata": {
"name": "uid1000"
},
"requiredDropCapabilities": [
"KILL",
"MKNOD",
"SYS_CHROOT",
"SETUID",
"SETGID"
],
"runAsUser": {
"type": "MustRunAs",
"uid": "1000"
},
"seLinuxContext": {
"type": "MustRunAs"
},
"supplementalGroups": {
"type": "RunAsAny"
},
"fsGroup": {
"type": "MustRunAs"
},
"volumes": [
"configMap",
"downwardAPI",
"emptyDir",
"persistentVolumeClaim",
"projected",
"secret"
]
}
oc create -f uid1000.json --as system:admin
securitycontextconstraints "uid1000" created
oc adm policy add-scc-to-user uid1000 -z cp-resource-management --as system:admin
oc create clusterrole cp-resource-management --verb=get,list --resource=pods,nodes,services,nodes/proxy,networkpolicies.networking.k8s.io,ingresses.extensions,podsecuritypolicies,roles,rolebindings,clusterroles,clusterrolebindings,serviceaccounts,namespaces
oc create clusterrolebinding cp-resource-management --clusterrole=cp-resource-management --serviceaccount=prod:cp-resource-management
oc create -f cp-cloudguard-openshift.yaml --namespace=<your_namespace>
then next and wait for agent to be synced