Creating a Guardium Data Security Center instance by using a custom resource (CR)

Guardium Data Security Center simplifies your organization's data security architecture and enables access to long-term data security and compliance data. It provides security teams with risk-based views and alerts, along with advanced analytics based on proprietary machine learning technology to uncover hidden threats. Guardium Data Security Center gives security professionals the ability to quickly create data security and audit reports, monitor activity in on-premises and DBaaS sources, and act from a central location.

Before you begin

Before you proceed with the installation, complete the following steps:

  1. Verify that your environment meets the System requirements and prerequisites and Hardware cluster requirements.
  2. Prepare for installation.
  3. Log in to the OpenShift® command-line interface.

Procedure

  1. Create a YAML file that uses the indentation from the following example.
    • If you are installing the GDSC suite, use the following CR:
      
      apiVersion: gi.ds.isc.ibm.com/v1
      kind: GuardiumDataSecurityCenter
      metadata:
        # name: This must be 10 or less characters
        name: staging
        # Provide the name of the namespace in which you want to install the CR.
        namespace: staging
      spec:
        version: 3.6.0
        license:
          accept: true
          # GDSC Suite license
          licenseType: "L-QABB-9QRLFB"
        guardiumGlobal:
          backupsupport:
            enabled: true
            name: <GI_Backup_PVC>
            storageClassName: managed-nfs-storage
            size: 500Gi
          dev: "false"
          licenseAccept: true
          # Guardium Insights template size can be defined as below using the size parameter
          size: values-small
          instance:
            ingress:
              # hostName: Change this, ex: staging.apps.gi-devops-ocp46-41.cp.fyre.ibm.com
              hostName: <host_name>
              # domainName: Change this
              domainName: <domain_name>
            ics:
              namespace: ibm-common-services
              registry: common-service
          # storageClassName: Change this to a ReadWriteMany StorageClass
          storageClassName: "ocs-storagecluster-cephfs"
          # storageClassNameRWO: Must be a ReadWriteOnce StorageClass
          storageClassNameRWO: "ocs-storagecluster-ceph-rbd"
        capabilities:
          - name: quantum-safe
            enabled: true
            configurations: {}
          - name: platform
            enabled: true
            configurations:
              connections:
                insightsEnv:
                  FEATURE_STAP_STREAMING: "false"
              dependency-db2:
                image:
                  insightsPullSecret: "ibm-entitlement-key"
                db2:
                  size: 2
                  resources:
                    requests:
                      cpu: "6"
                      memory: "48Gi"
                    limits:
                      cpu: "6"
                      memory: "48Gi"
                  storage:
                  - name: meta
                    spec:
                      storageClassName: "ocs-storagecluster-cephfs"
                      accessModes:
                      - ReadWriteMany
                      resources:
                        requests:
                          storage: "1000Gi"
                    type: create
                  - name: data
                    spec:
                      storageClassName: "ocs-storagecluster-ceph-rbd"
                      accessModes:
                      - ReadWriteOnce
                      resources:
                        requests:
                          storage: "4000Gi"
                    type: template
                mln:
                  distribution: 0:0
                  total: 2
              dependency-kafka:
                kafka:
                  storage:
                    type: persistent-claim
                    size: 250Gi
                    class: "ocs-storagecluster-ceph-rbd"
                zookeeper:
                  storage:
                    type: persistent-claim
                    size: 20Gi
                    class: "ocs-storagecluster-ceph-rbd"
              mini-snif:
                persistentVolumesClaims:
                  mini-snif-shared:
                    storageClassName: "ocs-storagecluster-cephfs"
              universal-connector-manager:
                persistentVolumesClaims:
                  universal-connector-manager-shared:
                    storageClassName: "ocs-storagecluster-cephfs"
              settings-datasources:
                persistentVolumesClaims:
                  settings-datasources:
                    storageClassName: "ocs-storagecluster-cephfs"
              ticketing:
                persistentVolumesClaims:
                  ticketing-keystore:
                    storageClassName: "ocs-storagecluster-cephfs"
              dependency-s3:
                storageClassName: ocs-storagecluster-ceph-rbd
              dependency-security:
                networkPolicy:
                  egresses:
                    egress-required-allow:
                      egress:
                      - to:
                        - ipBlock:
                            cidr: 0.0.0.0/0
                      - ports:
                        - port: 5353
                          protocol: UDP
                        - port: 5353
                          protocol: TCP
                        - port: 53
                          protocol: UDP
                        - port: 53
                          protocol: TCP
                        - port: 443
                          protocol: UDP
                        - port: 443
                          protocol: TCP
    • If you purchased the quantum-safe functionality, use the following CR:
      
      apiVersion: gi.ds.isc.ibm.com/v1
      kind: GuardiumDataSecurityCenter
      metadata:
        # name: This must be 10 or less characters
        name: staging
        # Provide the name of the namespace in which you want to install the CR.
        namespace: staging
      spec:
        version: 3.6.0
        license:
          accept: true
          # GDSC Suite license
          licenseType: "L-QABB-9QRLFB"
        guardiumGlobal:
          backupsupport:
            enabled: true
            name: <GI_Backup_PVC>
            storageClassName: managed-nfs-storage
            size: 500Gi
          dev: "false"
          licenseAccept: true
          # Guardium Insights template size can be defined as below using the size parameter
          size: values-small
          image:
            insightsPullSecret: ibm-entitlement-key
            repository: cp.icr.io/cp/ibm-guardium-data-security-center
          instance:
            ingress:
              # hostName: Change this, ex: staging.apps.gi-devops-ocp46-41.cp.fyre.ibm.com
              hostName: <host_name>
              # domainName: Change this
              domainName: <domain_name>
            ics:
              namespace: ibm-common-services
              registry: common-service
          # storageClassName: Change this to a ReadWriteMany StorageClass
          storageClassName: "ocs-storagecluster-cephfs"
          # storageClassNameRWO: Must be a ReadWriteOnce StorageClass
          storageClassNameRWO: "ocs-storagecluster-ceph-rbd"
        capabilities:
          - name: quantum-safe
            enabled: true
            configurations: {}
          - name: platform
            enabled: false
            configurations:
              connections:
                insightsEnv:
                  FEATURE_STAP_STREAMING: "false"
              dependency-db2:
                image:
                  insightsPullSecret: "ibm-entitlement-key"
                db2:
                  size: 2
                  resources:
                    requests:
                      cpu: "6"
                      memory: "48Gi"
                    limits:
                      cpu: "6"
                      memory: "48Gi"
                  storage:
                  - name: meta
                    spec:
                      storageClassName: "ocs-storagecluster-cephfs"
                      accessModes:
                      - ReadWriteMany
                      resources:
                        requests:
                          storage: "1000Gi"
                    type: create
                  - name: data
                    spec:
                      storageClassName: "ocs-storagecluster-ceph-rbd"
                      accessModes:
                      - ReadWriteOnce
                      resources:
                        requests:
                          storage: "4000Gi"
                    type: template
                mln:
                  distribution: 0:0
                  total: 2
              dependency-kafka:
                kafka:
                  storage:
                    type: persistent-claim
                    size: 250Gi
                    class: "ocs-storagecluster-ceph-rbd"
                zookeeper:
                  storage:
                    type: persistent-claim
                    size: 20Gi
                    class: "ocs-storagecluster-ceph-rbd"
              mini-snif:
                persistentVolumesClaims:
                  mini-snif-shared:
                    storageClassName: "ocs-storagecluster-cephfs"
              universal-connector-manager:
                persistentVolumesClaims:
                  universal-connector-manager-shared:
                    storageClassName: "ocs-storagecluster-cephfs"
              settings-datasources:
                persistentVolumesClaims:
                  settings-datasources:
                    storageClassName: "ocs-storagecluster-cephfs"
              ticketing:
                persistentVolumesClaims:
                  ticketing-keystore:
                    storageClassName: "ocs-storagecluster-cephfs"
              dependency-s3:
                storageClassName: ocs-storagecluster-ceph-rbd
              dependency-security:
                networkPolicy:
                  egresses:
                    egress-required-allow:
                      egress:
                      - to:
                        - ipBlock:
                            cidr: 0.0.0.0/0
                      - ports:
                        - port: 5353
                          protocol: UDP
                        - port: 5353
                          protocol: TCP
                        - port: 53
                          protocol: UDP
                        - port: 53
                          protocol: TCP
                        - port: 443
                          protocol: UDP
                        - port: 443
                          protocol: TCP
    Note: Use the same namespace as your Guardium Data Security Center project. This example uses staging as the namespace.
  2. Create the instance from the YAML file by using the following command.
    oc apply -f <guardium-data-security-center-custom-resource-example.yaml>
  3. Check the status of the instance creation:
    oc get guardiumdatasecuritycenter 
    Before completion, the output is similar to:
    NAME    TYPE      STATUS   REASON                       MESSAGE                                 DESIRED_VERSION   INSTALLED_VERSION
    sysqa   Running   True     Running                      Running reconciliation                  3.6.0
    sysqa   Running   True     Reconciling                  Starting to Reconcile                   3.6.0
    sysqa   Running   True     Reconciling                  Starting to Reconcile                   3.6.0
    sysqa   Running   True     GuardiumDataSecurityCenter   Guardium Platform install in progress   3.6.0
    sysqa   Running   True     Running                      Running reconciliation                  3.6.0
    sysqa   Running   True     Reconciling                  Starting to Reconcile                   3.6.0
    sysqa   Running   True     Reconciling                  Starting to Reconcile                   3.6.0
    sysqa   Running   True     GuardiumDataSecurityCenter   Guardium Platform install in progress   3.6.0
    After completion, the output is similar to:
    NAME      TYPE    STATUS   REASON      MESSAGE                    DESIRED_VERSION   INSTALLED_VERSION
    staging   Ready   True     Completed   Completed Reconciliation   3.6.0            3.6.0
    Tip: The displayed versions in the output vary based on the Guardium Data Security Center version that you want to install and the current version on your system.
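The following pre-flight script is an added example and is not IBM tooling or part of this documentation. It checks a CR file against the constraints this page states before oc apply (a metadata.name of 10 characters or fewer, a metadata.namespace equal to the project the instance is created in, no unreplaced <placeholder> values, no typographic quotes, and license acceptance in both spec.license.accept and guardiumGlobal.licenseAccept), and it includes a polling helper that reads the TYPE and REASON columns shown in the oc get output above. The function names, the trimmed sample CRs written by write_sample_cr, and the 30-second poll interval are assumptions of the example.

```shell
#!/bin/sh
# Added pre-flight check for a GuardiumDataSecurityCenter CR file.
# Illustrative script, not IBM tooling: it assumes the CR layout shown on this
# page (metadata.name, metadata.namespace, spec.license.accept,
# guardiumGlobal.licenseAccept) and needs only POSIX sh, awk and grep.

# Print the value of the first "key:" line that follows the "metadata:" line.
meta_field() {  # $1 = CR file, $2 = key including the colon, e.g. "name:"
  awk -v k="$2" '$1=="metadata:"{m=1;next} m&&$1==k{print $2;exit}' "$1"
}

# Check a CR file before "oc apply". Prints each failure; returns 0 only if all pass.
gdsc_cr_check() {  # $1 = CR file, $2 = namespace the instance is created in
  f="$1"; want_ns="$2"; rc=0

  # 1. metadata.name must be 10 characters or fewer (the constraint in the CR comment).
  name=$(meta_field "$f" "name:")
  if [ -z "$name" ]; then echo "FAIL: metadata.name missing"; rc=1
  elif [ ${#name} -gt 10 ]; then echo "FAIL: metadata.name '$name' exceeds 10 characters"; rc=1; fi

  # 2. metadata.namespace must be the project the instance is installed into.
  ns=$(meta_field "$f" "namespace:")
  [ "$ns" = "$want_ns" ] || { echo "FAIL: metadata.namespace '$ns' is not '$want_ns'"; rc=1; }

  # 3. Every <placeholder> such as <host_name> or <GI_Backup_PVC> must be replaced.
  if grep -nE '<[A-Za-z_]+>' "$f"; then echo "FAIL: unreplaced placeholders listed above"; rc=1; fi

  # 4. Typographic quotes are literal characters to YAML: “false” is not the string false.
  if grep -nE '“|”' "$f"; then echo "FAIL: typographic quotes listed above"; rc=1; fi

  # 5. The license must be accepted in both places the CR carries it.
  grep -qE '^[[:space:]]*accept: true$' "$f" || { echo "FAIL: spec.license.accept is not true"; rc=1; }
  grep -qE '^[[:space:]]*licenseAccept: true$' "$f" || { echo "FAIL: guardiumGlobal.licenseAccept is not true"; rc=1; }

  return $rc
}

# Poll "oc get guardiumdatasecuritycenter" until TYPE/REASON read Ready/Completed
# (the columns in the post-completion output above). Needs oc and cluster access,
# so the offline demo below does not call it.
gdsc_wait_ready() {  # $1 = instance name, $2 = namespace, $3 = timeout in seconds (default 3600)
  waited=0; timeout="${3:-3600}"
  while [ "$waited" -lt "$timeout" ]; do
    st=$(oc get guardiumdatasecuritycenter "$1" -n "$2" --no-headers 2>/dev/null | awk '{print $2 "/" $4}')
    [ "$st" = "Ready/Completed" ] && return 0
    sleep 30; waited=$((waited + 30))
  done
  return 1
}

# Constructed sample CRs, trimmed to the fields the checks read, for an offline demo.
write_sample_cr() {  # $1 = output path, $2 = "good" or "bad"
  if [ "$2" = "good" ]; then
    cat > "$1" <<'EOF'
apiVersion: gi.ds.isc.ibm.com/v1
kind: GuardiumDataSecurityCenter
metadata:
  # name: This must be 10 or less characters
  name: staging
  namespace: staging
spec:
  version: 3.6.0
  license:
    accept: true
  guardiumGlobal:
    dev: "false"
    licenseAccept: true
    instance:
      ingress:
        hostName: staging.apps.example.invalid
EOF
  else
    cat > "$1" <<'EOF'
apiVersion: gi.ds.isc.ibm.com/v1
kind: GuardiumDataSecurityCenter
metadata:
  name: staging-environment
  namespace: default
spec:
  license:
    accept: true
  guardiumGlobal:
    dev: “false”
    licenseAccept: true
    backupsupport:
      name: <GI_Backup_PVC>
EOF
  fi
}

# Demo: the good CR passes; the bad one is rejected with four reported failures.
demo_dir=$(mktemp -d)
write_sample_cr "$demo_dir/good.yaml" good
write_sample_cr "$demo_dir/bad.yaml" bad
gdsc_cr_check "$demo_dir/good.yaml" staging && echo "good.yaml: OK"
gdsc_cr_check "$demo_dir/bad.yaml" staging || echo "bad.yaml: rejected"
rm -rf "$demo_dir"
```

Run it as `gdsc_cr_check my-cr.yaml staging` against the file you intend to apply; only after it returns 0 run the oc apply command from step 2, then `gdsc_wait_ready staging staging` to block until the instance reports Ready and Completed. The checks are deliberately line-oriented so that they need no YAML library on the bastion host; they catch the mistakes the CR comments warn about, not every possible schema error, so a failed reconciliation still has to be read from the oc get output.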

Results

Limitations:
  • Only one instance of Guardium Data Security Center can be installed on a cluster.
  • This product can run only on the amd64 architecture on hardware with AVX enabled.
  • This product's operator supports an OwnNamespace type only for the installation mode.