Deploying External S-TAP from the Guardium UI

If your site uses Kubernetes, you can deploy an External S-TAP directly from Guardium®.

About this task

Before you can deploy an External S-TAP to Kubernetes from the Guardium UI, you need to:
  1. Create a Kubernetes admin user (a service account bound to the cluster-admin role).
  2. Retrieve the access token for that service account.
  3. Retrieve the Kubernetes control plane URL.
  4. Create the registry key (an image pull secret) for your cluster.
  5. Ensure that any SSL-enabled collectors have valid SSL certificates.
Save the access token, the control plane URL, and the name of the registry key. You enter them into the Kubernetes and Docker tabs of the Deploy External S-TAP window. For more information, see Deploy External S-TAP window.
Note: For Google Cloud deployments only: If you plan to deploy the External S-TAP from the Guardium GUI, make sure that the IAM user has the following permissions: container.clusterRoleBindings.create and container.clusterRoles.bind.

These permissions allow the IAM user to add the cluster user and create tokens for GUI deployment.

Without these permissions, the IAM user can still deploy with Kubernetes by using the templates. For more information about generating and using the templates, see Deploy External S-TAP window.

Procedure

  1. Create a Kubernetes admin user with kubectl (the Kubernetes command-line interface):
    1. Create a YAML file that contains the following definitions. In this example, the file is named admin-service-account.yaml, and <admin-name> is the name of your administrative service account:
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        name: <admin-name>
        namespace: kube-system
      ---
      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRoleBinding
      metadata:
        name: <admin-name>
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: cluster-admin
      subjects:
      - kind: ServiceAccount
        name: <admin-name>
        namespace: kube-system
    2. Run the following command to create the service account and its role binding:
      $ kubectl apply -f admin-service-account.yaml

      The ClusterRoleBinding grants the service account the built-in cluster-admin role, which is unrestricted access to every resource in the cluster. The token you retrieve in the next step therefore carries full cluster control: store it only in Guardium, do not paste it into shell history or tickets, and delete the binding when it is no longer needed.
  2. Retrieve the access token of the service account. On Kubernetes versions before 1.24, a Secret of type kubernetes.io/service-account-token named <admin-name>-token-<hash> is created automatically in the kube-system namespace; read the token from it:
     kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep <admin-name> | awk '{print $1}')

    Copy only the value of the token: line from the output, not the whole describe block.

    On Kubernetes 1.24 and later, token Secrets are no longer created automatically for service accounts. Either request a token explicitly (it expires after the requested duration):
     kubectl -n kube-system create token <admin-name> --duration=24h

    or create a Secret of type kubernetes.io/service-account-token annotated with kubernetes.io/service-account.name: <admin-name>, then read it with the describe command above.

    Enter the token in the Token field of the Kubernetes tab.

  3. Retrieve the Kubernetes control plane URL.
    Run kubectl cluster-info to find the control plane URL. For example:
    $ kubectl cluster-info
    Kubernetes control plane is running at https://azureaks01-dns-e1234567e.hcp.centralus.azmk8s.io:443
    . . .

    The same value is the server entry of the current context in your kubeconfig (kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}'). Enter the URL, including the scheme and port, in the Kubernetes control plane URL field of the Kubernetes tab.

  4. Create the registry key. In Kubernetes this is an image pull secret: a Secret of type kubernetes.io/dockerconfigjson that holds the credentials the cluster uses to pull the External S-TAP image from your container registry.

    Run the following command to create it, where <regcred> is the name you choose for the secret and the environment variables hold your registry address and credentials:

    kubectl create secret docker-registry <regcred> \
     --docker-server=$DOCKER_REGISTRY_SERVER \
     --docker-username=$DOCKER_USER \
     --docker-password=$DOCKER_PASSWORD \
     --docker-email=$DOCKER_EMAIL

    The secret must exist in the namespace into which the External S-TAP pods are deployed, because pull secrets are referenced per namespace. Enter the name of the secret (<regcred>), not its contents, in the Registry key field of the Docker tab.

  5. Make sure that each SSL-enabled collector on which you deploy an External S-TAP has a valid SSL certificate, as described in SSL certificates for External S-TAP.
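
The four preparation steps above, collected into one script. This is an added example and not part of the IBM documentation or of Guardium; the helper and variable names (render_admin_manifest, token_from_describe, control_plane_url, the *_live functions, SAMPLE_*) are the example's own, and the sample describe and cluster-info output is constructed, not captured from a real cluster. The text-processing helpers run offline; only the *_live functions call kubectl, and they handle both the pre-1.24 auto-created token Secret and the 1.24+ kubectl create token path.

```shell
#!/usr/bin/env sh
# Added example (not IBM Guardium code): prepare the values the Deploy External
# S-TAP window asks for. Offline helpers first, kubectl-dependent functions last.

# Render the ServiceAccount + ClusterRoleBinding manifest for one admin name.
# cluster-admin is unrestricted: whoever holds this account's token owns the cluster.
render_admin_manifest() {
  admin="$1"
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${admin}
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${admin}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: ${admin}
  namespace: kube-system
EOF
}

# Extract only the bearer token from `kubectl describe secret` output on stdin,
# so the whole describe block is never pasted into the Guardium UI by mistake.
token_from_describe() {
  awk '$1 == "token:" { print $2; exit }'
}

# Extract the control plane URL (scheme, host and port) from `kubectl cluster-info`
# output on stdin; other lines (CoreDNS, metrics-server, ...) are ignored.
control_plane_url() {
  sed -n 's|^Kubernetes control plane is running at \(https://[^[:space:]]*\).*|\1|p' | head -n 1
}

# Constructed sample output (hypothetical cluster, placeholder token) used to
# exercise the helpers without a cluster.
SAMPLE_DESCRIBE='Name:         gdp-admin-token-x7k2p
Namespace:    kube-system
Type:  kubernetes.io/service-account-token

Data
====
ca.crt:     1099 bytes
namespace:  11 bytes
token:      eyJhbGciOiJSUzI1NiIsImtpZCI6IlNBTVBMRSJ9.e30.c2FtcGxl'

SAMPLE_CLUSTER_INFO='Kubernetes control plane is running at https://azureaks01-dns-e1234567e.hcp.centralus.azmk8s.io:443
CoreDNS is running at https://azureaks01-dns-e1234567e.hcp.centralus.azmk8s.io:443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy'

# Live: create the admin account and print its token (needs kubectl + kubeconfig).
# Kubernetes >= 1.24 no longer auto-creates token Secrets, so request a
# short-lived token there; older clusters still get the <admin>-token-<hash> Secret.
admin_token_live() {
  admin="$1"
  render_admin_manifest "$admin" | kubectl -n kube-system apply -f -
  if kubectl create token --help >/dev/null 2>&1; then
    kubectl -n kube-system create token "$admin" --duration=24h
  else
    secret=$(kubectl -n kube-system get secret -o name | grep "^secret/${admin}-token-" | head -n 1)
    kubectl -n kube-system describe "$secret" | token_from_describe
  fi
}

# Live: control plane URL straight from the current kubeconfig context.
control_plane_url_live() {
  kubectl config view --minify -o jsonpath='{.clusters[0].cluster.server}'
}

# Live: image pull secret in the target namespace. Credentials come from the
# environment (DOCKER_REGISTRY_SERVER, DOCKER_USER, DOCKER_PASSWORD, DOCKER_EMAIL)
# so they are not typed on the command line. Guardium needs the *name* ($1).
registry_secret_live() {
  kubectl -n "$2" create secret docker-registry "$1" \
    --docker-server="$DOCKER_REGISTRY_SERVER" \
    --docker-username="$DOCKER_USER" \
    --docker-password="$DOCKER_PASSWORD" \
    --docker-email="$DOCKER_EMAIL"
}

# Offline demonstration on the constructed samples.
render_admin_manifest gdp-admin
printf 'Token: %s\n' "$(printf '%s\n' "$SAMPLE_DESCRIBE" | token_from_describe)"
printf 'Control plane URL: %s\n' "$(printf '%s\n' "$SAMPLE_CLUSTER_INFO" | control_plane_url)"
```

Against a real cluster you would call admin_token_live gdp-admin, control_plane_url_live and registry_secret_live regcred <namespace> in turn and enter the three results in the Token, Kubernetes control plane URL and Registry key fields. The token printed by the 1.24+ path expires after the requested duration, so a deployment started after that point needs a fresh token.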

What to do next

After you complete these tasks, you can deploy a new External S-TAP directly from Guardium. Kubernetes manages the lifecycle of the External S-TAP containers and balances the load across them.

For more information, see The External S-TAP user interface and Deploy External S-TAP window.