Creating a Guardium Data Security Center instance by using a custom resource (CR)
Guardium Data Security Center simplifies your organization's data security architecture and enables access to long-term data security and compliance data. It provides security teams with risk-based views and alerts, along with advanced analytics based on proprietary machine learning technology to uncover hidden threats. Guardium Data Security Center gives security professionals the ability to quickly create data security and audit reports, monitor activity in on-premises and DBaaS sources, and act from a central location.
Before you begin
Before you proceed with the installation, complete the following steps:
- Verify that your environment meets the System requirements and prerequisites and Hardware cluster requirements.
- Prepare for installation.
- Log in to the OpenShift® command-line interface.
Procedure
- Create a YAML file that uses the indentation from the following example.
- If you are installing the GDSC suite, use the following CR:
apiVersion: gi.ds.isc.ibm.com/v1
kind: GuardiumDataSecurityCenter
metadata:
  # name: This must be 10 or less characters
  name: staging
  # Provide the name of the namespace in which you want to install the CR.
  namespace: staging
spec:
  version: 3.6.0
  license:
    accept: true
    # GDSC Suite license
    licenseType: "L-QABB-9QRLFB"
  guardiumGlobal:
    backupsupport:
      enabled: true
      name: <GI_Backup_PVC>
      storageClassName: managed-nfs-storage
      size: 500Gi
    dev: "false"
    licenseAccept: true
    # Guardium Insights template size can be defined as below using the size parameter
    size: values-small
    instance:
      ingress:
        # hostName: Change this, ex: staging.apps.gi-devops-ocp46-41.cp.fyre.ibm.com
        hostName: <host_name>
        # domainName: Change this
        domainName: <domain_name>
      ics:
        namespace: ibm-common-services
        registry: common-service
    # storageClassName: Change this to a ReadWriteMany StorageClass
    storageClassName: "ocs-storagecluster-cephfs"
    # storageClassNameRWO: Must be a ReadWriteOnce StorageClass
    storageClassNameRWO: "ocs-storagecluster-ceph-rbd"
  capabilities:
    - name: quantum-safe
      enabled: true
      configurations: {}
    - name: platform
      enabled: true
      configurations: {}
  connections:
    insightsEnv:
      FEATURE_STAP_STREAMING: "false"
  dependency-db2:
    image:
      insightsPullSecret: "ibm-entitlement-key"
    db2:
      size: 2
      resources:
        requests:
          cpu: "6"
          memory: "48Gi"
        limits:
          cpu: "6"
          memory: "48Gi"
      storage:
        - name: meta
          spec:
            storageClassName: "ocs-storagecluster-cephfs"
            accessModes:
              - ReadWriteMany
            resources:
              requests:
                storage: "1000Gi"
          type: create
        - name: data
          spec:
            storageClassName: "ocs-storagecluster-ceph-rbd"
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: "4000Gi"
          type: template
      mln:
        distribution: 0:0
        total: 2
  dependency-kafka:
    kafka:
      storage:
        type: persistent-claim
        size: 250Gi
        class: "ocs-storagecluster-ceph-rbd"
    zookeeper:
      storage:
        type: persistent-claim
        size: 20Gi
        class: "ocs-storagecluster-ceph-rbd"
  mini-snif:
    persistentVolumesClaims:
      mini-snif-shared:
        storageClassName: "ocs-storagecluster-cephfs"
  universal-connector-manager:
    persistentVolumesClaims:
      universal-connector-manager-shared:
        storageClassName: "ocs-storagecluster-cephfs"
  settings-datasources:
    persistentVolumesClaims:
      settings-datasources:
        storageClassName: "ocs-storagecluster-cephfs"
  ticketing:
    persistentVolumesClaims:
      ticketing-keystore:
        storageClassName: "ocs-storagecluster-cephfs"
  dependency-s3:
    storageClassName: ocs-storagecluster-ceph-rbd
  dependency-security:
    networkPolicy:
      egresses:
        egress-required-allow:
          egress:
            - to:
                - ipBlock:
                    cidr: 0.0.0.0/0
            - ports:
                - port: 5353
                  protocol: UDP
                - port: 5353
                  protocol: TCP
                - port: 53
                  protocol: UDP
                - port: 53
                  protocol: TCP
                - port: 443
                  protocol: UDP
                - port: 443
                  protocol: TCP
- If you purchased the quantum-safe functionality, use the following CR:
apiVersion: gi.ds.isc.ibm.com/v1
kind: GuardiumDataSecurityCenter
metadata:
  # name: This must be 10 or less characters
  name: staging
  # Provide the name of the namespace in which you want to install the CR.
  namespace: staging
spec:
  version: 3.6.0
  license:
    accept: true
    # GDSC Suite license
    licenseType: "L-QABB-9QRLFB"
  guardiumGlobal:
    backupsupport:
      enabled: true
      name: <GI_Backup_PVC>
      storageClassName: managed-nfs-storage
      size: 500Gi
    dev: "false"
    licenseAccept: true
    # Guardium Insights template size can be defined as below using the size parameter
    size: values-small
    image:
      insightsPullSecret: ibm-entitlement-key
      repository: cp.icr.io/cp/ibm-guardium-data-security-center
    instance:
      ingress:
        # hostName: Change this, ex: staging.apps.gi-devops-ocp46-41.cp.fyre.ibm.com
        hostName: <host_name>
        # domainName: Change this
        domainName: <domain_name>
      ics:
        namespace: ibm-common-services
        registry: common-service
    # storageClassName: Change this to a ReadWriteMany StorageClass
    storageClassName: "ocs-storagecluster-cephfs"
    # storageClassNameRWO: Must be a ReadWriteOnce StorageClass
    storageClassNameRWO: "ocs-storagecluster-ceph-rbd"
  capabilities:
    - name: quantum-safe
      enabled: true
      configurations: {}
    - name: platform
      enabled: false
      configurations: {}
  connections:
    insightsEnv:
      FEATURE_STAP_STREAMING: "false"
  dependency-db2:
    image:
      insightsPullSecret: "ibm-entitlement-key"
    db2:
      size: 2
      resources:
        requests:
          cpu: "6"
          memory: "48Gi"
        limits:
          cpu: "6"
          memory: "48Gi"
      storage:
        - name: meta
          spec:
            storageClassName: "ocs-storagecluster-cephfs"
            accessModes:
              - ReadWriteMany
            resources:
              requests:
                storage: "1000Gi"
          type: create
        - name: data
          spec:
            storageClassName: "ocs-storagecluster-ceph-rbd"
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: "4000Gi"
          type: template
      mln:
        distribution: 0:0
        total: 2
  dependency-kafka:
    kafka:
      storage:
        type: persistent-claim
        size: 250Gi
        class: "ocs-storagecluster-ceph-rbd"
    zookeeper:
      storage:
        type: persistent-claim
        size: 20Gi
        class: "ocs-storagecluster-ceph-rbd"
  mini-snif:
    persistentVolumesClaims:
      mini-snif-shared:
        storageClassName: "ocs-storagecluster-cephfs"
  universal-connector-manager:
    persistentVolumesClaims:
      universal-connector-manager-shared:
        storageClassName: "ocs-storagecluster-cephfs"
  settings-datasources:
    persistentVolumesClaims:
      settings-datasources:
        storageClassName: "ocs-storagecluster-cephfs"
  ticketing:
    persistentVolumesClaims:
      ticketing-keystore:
        storageClassName: "ocs-storagecluster-cephfs"
  dependency-s3:
    storageClassName: ocs-storagecluster-ceph-rbd
  dependency-security:
    networkPolicy:
      egresses:
        egress-required-allow:
          egress:
            - to:
                - ipBlock:
                    cidr: 0.0.0.0/0
            - ports:
                - port: 5353
                  protocol: UDP
                - port: 5353
                  protocol: TCP
                - port: 53
                  protocol: UDP
                - port: 53
                  protocol: TCP
                - port: 443
                  protocol: UDP
                - port: 443
                  protocol: TCP
Note: Use the same namespace as your Guardium Data Security Center project. This example uses staging as the namespace.
- Create the instance from the example file by using the following command:
oc apply -f <guardium-data-security-center-custom-resource-example.yaml>
- Check the status of the instance creation:
oc get guardiumdatasecuritycenter
Before completion, the output is similar to:
NAME    TYPE      STATUS   REASON                       MESSAGE                                 DESIRED_VERSION   INSTALLED_VERSION
sysqa   Running   True     Running                      Running reconciliation                  3.6.0
sysqa   Running   True     Reconciling                  Starting to Reconcile                   3.6.0
sysqa   Running   True     Reconciling                  Starting to Reconcile                   3.6.0
sysqa   Running   True     GuardiumDataSecurityCenter   Guardium Platform install in progress   3.6.0
sysqa   Running   True     Running                      Running reconciliation                  3.6.0
sysqa   Running   True     Reconciling                  Starting to Reconcile                   3.6.0
sysqa   Running   True     Reconciling                  Starting to Reconcile                   3.6.0
sysqa   Running   True     GuardiumDataSecurityCenter   Guardium Platform install in progress   3.6.0
After completion, the output is similar to:
NAME      TYPE    STATUS   REASON      MESSAGE                    DESIRED_VERSION   INSTALLED_VERSION
staging   Ready   True     Completed   Completed Reconciliation   3.6.0             3.6.0
Tip: The displayed versions in the output vary based on the Guardium Data Security Center version that you want to install and the current version on your system.
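A pre-flight check for the CR file before `oc apply`, added here as an example and not part of IBM's tooling. It enforces only the constraints this procedure states (name of 10 characters or fewer, placeholders such as <host_name> replaced, license accepted, no curly quotes that break YAML parsing); `check_gdsc_cr` and `write_sample_cr` are hypothetical names, and the sample CR they write is constructed for the demonstration.

```shell
# Pre-flight checks for a GuardiumDataSecurityCenter CR file (constructed
# example, not IBM tooling). Returns 0 when every check passes.
check_gdsc_cr() {
  cr="$1"; rc=0
  # metadata.name must be 10 characters or fewer (read only inside the
  # top-level metadata block, so spec-level "name:" keys are ignored)
  name=$(awk '/^metadata:/{m=1; next} /^[^ ]/{m=0}
              m && /^  name:/{print $2; exit}' "$cr")
  if [ -z "$name" ] || [ "${#name}" -gt 10 ]; then
    echo "FAIL: metadata.name '$name' is missing or longer than 10 characters"; rc=1
  fi
  # Angle-bracket placeholders (<host_name>, <domain_name>, <GI_Backup_PVC>)
  # must be replaced with real values before the CR is applied
  if grep -nE ':[[:space:]]*<[^>]+>[[:space:]]*$' "$cr"; then
    echo "FAIL: the placeholder values listed above were not replaced"; rc=1
  fi
  # spec.license.accept must be true (looked up only inside the license block)
  awk '/^  license:/{l=1; next} /^  [^ ]/{l=0}
       l && /^    accept:[[:space:]]*true[[:space:]]*$/{ok=1} END{exit !ok}' "$cr" \
    || { echo "FAIL: spec.license.accept is not true"; rc=1; }
  # Curly quotes (typical copy-paste residue) are not YAML string delimiters
  if grep -nE '“|”' "$cr"; then
    echo "FAIL: curly quotes found on the lines above; use straight quotes"; rc=1
  fi
  return $rc
}

# Writes a constructed, minimal CR (only the keys the checks read) to $1:
# $2 = metadata.name, $3 = license.accept value, $4 = ingress hostName
write_sample_cr() {
  cat > "$1" <<EOF
apiVersion: gi.ds.isc.ibm.com/v1
kind: GuardiumDataSecurityCenter
metadata:
  name: $2
  namespace: staging
spec:
  version: 3.6.0
  license:
    accept: $3
    licenseType: "L-QABB-9QRLFB"
  guardiumGlobal:
    instance:
      ingress:
        hostName: $4
        domainName: example.com
EOF
}
# Usage on a real file: check_gdsc_cr my-gdsc-cr.yaml && oc apply -f my-gdsc-cr.yaml
```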
Results
- Only one instance of Guardium Data Security Center can be installed on a cluster.
- This product can run only on amd64 architecture type with AVX enabled hardware.
- This product's operator supports only the OwnNamespace installation mode.