Public Cloud K8s AKS, EKS, GKE, IBM…
Deploy SUSE® Security on a Public Cloud Kubernetes Service
Deploy SUSE® Security on any public cloud K8s service such as AWS EKS, Azure AKS, IBM Cloud K8s, Google Cloud, Alibaba Cloud or Oracle Cloud. SUSE® Security has passed the Amazon EKS Anywhere Conformance and Validation Framework and, as such, is a validated solution and is available as an Add-on for EKS-Anywhere on Snowball Edge devices through the AWS Console.
First, create your K8s cluster and confirm access with kubectl get nodes
.
To deploy SUSE® Security use the sample deployment instructions and examples from the Kubernetes section of the Production Deployment. Edit the sample yaml if you are pulling SUSE® Security images from a local or cloud registry such as ECR or ACR.
Some cloud providers have integrated load balancers which are easy to deploy by using Type: LoadBalancer
instead of NodePort for the SUSE® Security webui.
SUSE® Security also supports Helm-based deployment with a Helm chart at https://github.com/neuvector/neuvector-helm.
Network Access
Make sure internal and external ingress access is configured properly. For the NodePort service, the random port in the 3xxxx range must be accessible on a public IP of a worker or master node from the outside. You can access the console using the public IP address of any worker node and that port (NodePort), or the public IP of the load balancer and default port 8443. You can view the IP/port using:
kubectl get svc -n neuvector
Most K8s services automatically enable/allow all inter-pod / inter-cluster communication between nodes which also enable the SUSE® Security containers (enforcers, controllers, manager) to communicate within the cluster.
The sample Kubernetes yaml file will deploy one manager and 3 controllers. It will deploy an enforcer on every node as a daemonset. Note: It is not recommended to deploy (scale) more than one manager behind a load balancer due to potential session state issues.
Microsoft Azure AKS
When deploying a k8s cluster on Azure, the default for Kubernetes RBACs is off. Please enable RBACs to enable the cluster-admin clusterrole, otherwise you will need to create that manually later to support Helm based deployments.
Google Cloud Platform / GKE
You can use the integrated load balancers which are easy to deploy by using ‘Type: LoadBalancer’ instead of NodePort for the SUSE® Security webui. Configuring persistent storage with type RWM (read write many) may require creating a storage service such as NFS before deploying SUSE® Security.
SUSE® Security requires an SDN plug-in such as flannel, weave, or calico.
Use the environment variable NV_PLATFORM_INFO with value platform=Kubernetes:GKE to enable SUSE® Security to perform GKE specific action such as running the GKE Kubernetes CIS Benchmarks.
Handling Auto-Scaling Nodes with a Pod Disruption Budget
Public cloud providers support the ability to auto-scale nodes, which can dynamically evict pods including the SUSE® Security controllers. To prevent disruptions to the controllers, a SUSE® Security pod disruption budget can be created.
For example, create the file below nv_pdr.yaml to ensure that there are at least 2 controllers running at any time.
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
name: neuvector-controller-pdb
namespace: neuvector
spec:
minAvailable: 2
selector:
matchLabels:
app: neuvector-controller-pod
Then
kubectl create -f nv_pdr.yaml
For more details: https://kubernetes.io/docs/tasks/run-application/configure-pdb/