Deploying External S-TAP from the Guardium UI

Edit online

If your site uses Kubernetes, you can deploy an External S-TAPĀ® directly from GuardiumĀ®.

About this task

To deploy with Kubernetes from the Guardium UI, use either Amazon Elastic Container Service for Kubernetes (Amazon EKS) or Microsoft Azure Kubernetes Service (AKS).

Before you can deploy an External S-TAP from Kubernetes, complete the following tasks
  1. Create a Kubernetes admin user.
  2. Retrieve the Kubernetes cluster access token.
  3. Retrieve the master URL.
  4. Create the registry key for your cluster.
  5. For IBM Cloud deployments only, create a repository with a registry key.
  6. Make sure that any SSL-enabled collectors have valid SSL certificates.
Save the cluster access token, the Master URL, and the registry key. You need to enter them into the Kubernetes or Docker tabs of the Deploy External S-TAP window. For more information, see Deploy External S-TAP window.
Note: Google Cloud deployments only: If you plan to deploy the External S-TAP from the Guardium GUI, make sure that the IAM user has the following permissions: container.clusterRoleBindings.create and container.clusterRoles.bin.

These permissions allow the IAM user to add the cluster user and create tokens for GUI deployment.

Without these permissions, the IAM user can still deploy with Kubernetes by using the templates. For more information about generating and using the templates, see Deploy External S-TAP window.

Procedure

  1. Create a Kubernetes namespace and set the current Kubernetes context to use the specified namespace.
    kubectl create namespace <your-namespace>
kubectl config set-context --current --namespace=<your-namespace>
  2. Create a Kubernetes admin user from kubectl (the Kubernetes command-line interface).
    1. Create a yaml file that contains the following information. For this example, the yaml file is named admin-service-account.yaml where admin-name is the name of your administrative user.
      apiVersion: v1
kind: ServiceAccount
metadata:
  name: <admin-name>
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: <admin-name>
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: <admin-name>
  namespace: kube-system
    2. Run the following command from kubectl to create the admin user:
      $kubectl apply -f admin-service-account.yaml
    3. Create a yaml file that generates a secret with token. For this example, the yaml file is named service-account-token.yaml.
      Draft comment: vanaja.guruprasad@ibm.com
      In step 1a above, is it your-account is the name of service account OR your-secret-name is the name of service account? Please confirm.
      apiVersion: v1
kind: Secret
metadata:
name: <your-secret-name>
namespace: <your-namespace>
annotations:
kubernetes.io/service-account.name: <admin-name>
type: kubernetes.io/service-account-token
  3. Retrieve the Kubernetes cluster access token (also called the secret).
    kubectl -n <your-namespace> describe secret $(kubectl -n <your-namespace> get secret | grep <your-secret-name> | awk '{print $1}')

    Enter the returned token in the Token field of the Kubernetes tab.

  4. Retrieve the controller URL (also called the Kubernetes master).
    Run kubectl cluster-info to find the name of the master URL as shown in the following example: 
    $kubectl cluster-info
Kubernetes master is running at https://azureaks01-dns-e1234567e.hcp.centralus.azmk8s.io:443
. . .

    Enter the returned Kubernetes master in the Master URL field of the Kubernetes tab.

  5. Create the registry key, which is called as the secret in Kubernetes.

    Run the following command to create the registry key, where the <regcred> is the secret for your registry:

    kubectl create secret docker-registry <regcred> \
 --docker-server=$DOCKER_REGISTRY_SERVER \
 --docker-username=$DOCKER_USER \
 --docker-password=$DOCKER_PASSWORD \
 --docker-email=$DOCKER_EMAIL

    Enter the returned secret in the Registry key field of the Docker tab.

  6. IBM Cloud deployments only: To deploy an External S-TAP to IBM Cloud, create a repository with a registry key to pull the Docker image. You can either use the IBM Cloud Container Registry or a Docker private registry, as follows:
    1. Log in to Docker and download the Guardium External S-TAP Docker container.
    2. Use docker images to find the image ID as shown in the following example:
      >docker images
REPOSITORY                               TAG       IMAGE ID    
store/ibmcorp/guardium_external_s-tap   <tag>      <imageid>
    3. Tag the image by using the command shown in the following example:
      >docker tag <imageid>  <reponame>/<mytag>
    4. Log in to your repository and then use the tag to push the image to that repository.
  7. Make sure that each SSL-enabled collector on which you deploy an External S-TAP has a valid SSL certificate, as described in SSL certificates for External S-TAP.

What to do next

After you complete these tasks, you can deploy a new External S-TAP directly from Guardium. Kubernetes automatically manages the Docker container and balancing the load.

For more information, see The External S-TAP user interface and the Deploy External S-TAP window