Deep Security Smart Check uses the helm package manager for Kubernetes.
You will need helm version v2.8.0 or later. There's a handy quickstart that will help you get started, or if you like living dangerously:
curl https://raw.githubusercontent.com/kubernetes/helm/master/scripts/get | bashHelm has a cluster-side component called tiller that needs to be installed as well.
Make sure that your kubectl context is set correctly to point to your cluster:
kubectl config current-contextIf your kubectl context is not pointing to your cluster, use kubectl config get-contexts and kubectl config use-context to set it, or if you are using Google Cloud Platform follow the instructions in the Connect to the cluster dialog available by clicking the Connect button beside your cluster information in the console.
Install the tiller cluster-side component:
helm initYou will also need to configure a service account for tiller:
kubectl create serviceaccount \
--namespace kube-system \
tiller
kubectl create clusterrolebinding tiller-cluster-role \
--clusterrole=cluster-admin \
--serviceaccount=kube-system:tiller
kubectl patch deploy \
--namespace kube-system \
tiller-deploy \
--patch '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'Use helm version to confirm that you have at least version v2.8.0 of the client and server installed.
Note: the commands above will give tiller full cluster administrator privileges. Review Securing your Helm Installation for help on what to consider when setting up Helm in your cluster.
We recommend that you register for a 30-day trial license code. Deep Security Smart Check will operate without an activation code; however, malware pattern updates will not be available and you will see a warning message in the administration console.
The Helm chart for Deep Security Smart Check is hosted in a public repository on Github.
To install the latest version of Deep Security Smart Check into the default Kubernetes namespace:
helm install \
--set auth.masterPassword={password} \
--set activationCode={activation code} \
--name deepsecurity-smartcheck \
https://github.com/deep-security/smartcheck-helm/archive/master.tar.gzExperienced helm users will note that we are using deepsecurity-smartcheck as the helm release name in these examples. There is no requirement to use this release name.
Note: If you do not have an activation code then omit the --set activationCode={activation code} line.
The install process will display instructions for obtaining the initial username and password and for connecting to Deep Security Smart Check.
You can delete all of the resources created for Deep Security Smart Check by running helm delete:
helm delete --purge deepsecurity-smartcheckUse the helm list command to list installed releases.
This is a destructive command and will delete all of the Deep Security Smart Check resources, including database contents, without further confirmation.
Our docs page provides links to the Deep Security Smart Check Deployment Guide and full API documentation.
If you want to install a specific version of Deep Security Smart Check, you can use the archive link for the tagged release rather than for master. For example, to install Deep Security Smart Check 1.0.1, you can run:
helm install \
--set auth.masterPassword={password} \
--set activationCode={activation code} \
--name deepsecurity-smartcheck \
https://github.com/deep-security/smartcheck-helm/archive/1.0.1.tar.gzTo install Deep Security Smart Check into an existing Kubernetes namespace that's different from the current kube config namespace, use the --namespace parameter in the helm install command:
helm install \
--namespace {namespace} \
--set auth.masterPassword={password} \
--name deepsecurity-smartcheck \
https://github.com/deep-security/smartcheck-helm/archive/master.tar.gzHelm uses a file called values.yaml to set configuration defaults.
You can override the defaults in this file by specifying a comma-separated list of key-value pairs on the command line:
helm install \
--set key1=value1,key2=value2,... \
--name deepsecurity-smartcheck \
https://github.com/deep-security/smartcheck-helm/archive/master.tar.gzor by creating a YAML file with the specific values you want to override and providing the location of this file on the command line:
helm install \
--values overrides.yaml \
--name deepsecurity-smartcheck \
https://github.com/deep-security/smartcheck-helm/archive/master.tar.gzIf you create a file to override the values, make sure to copy the structure from the chart's values.yaml file. You only need to provide the values that you are overriding.
Refer to the values.yaml file for a full list of available values to override; some common keys are listed here:
| Key | Default value | Description |
|---|---|---|
auth.masterPassword |
None | The master password to use when generating passwords within the system, ensuring that each installation of Deep Security Smart Check has different passwords. |
auth.userName |
administrator |
The name of the default administrator user that the system will create on startup. |
activationCode |
None | The activation code to use. The activation code is required if you wish to receive updated malware patterns. |
auth.userName |
administrator |
The name of the default administrator user that the system will create on startup. |
auth.password |
{a random 16-character alphanumeric string} |
The default password assigned to the default administrator. helm will provide instructions for retrieving the initial password as part of the installation process. |
certificate.commonName |
example.com |
The server name to use in the default self-signed certificate created for the service. |
service.type |
LoadBalancer |
The Kubernetes service type to create. This must be one of LoadBalancer, ClusterIP, or NodePort. |
persistence.enabled |
true |
Whether a persistent volume should be created for the Deep Security Smart Check databases. If no persistent volume claim is created, all database content will be lost when the database container restarts. |
networkPolicy.enabled |
false |
EXPERIMENTAL: Whether Kubernetes NetworkPolicy resources should be created for the deployed pods. |
proxy.httpProxy |
If set, will be used as the proxy for HTTP traffic from Deep Security Smart Check. The value may be either a complete URL or a host[:port], in which case the http scheme is assumed. |
|
proxy.httpsProxy |
If set, will be used as the proxy for HTTPS traffic from Deep Security Smart Check. If httpsProxy is not set, httpProxy is also checked and will be used if set. The value may be either a complete URL or a host[:port], in which case the http scheme is assumed. |
|
proxy.noProxy |
If set, is a list of hosts or host:port combinations which should not be accessed through the proxy. |
|
proxy.username |
If set, is the user name to use to authenticate requests sent through the proxy. | |
proxy.password |
If set, is the password to use to authenticate requests sent through the proxy. |
Follow the instructions below to replace the certificate that the service is using.
-
Create a new self-signed certificate (or bring your own):
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \ -keyout mycert.key \ -out mycert.crt
-
Delete and re-add the Kubernetes secret that stores the certificate:
kubectl delete secret \ --namespace default \ deepsecurity-smartcheck-tls-certificate kubectl create secret generic \ --namespace default \ deepsecurity-smartcheck-tls-certificate \ --from-file=privateKey=mycert.key \ --from-file=certificate=mycert.crt
IMPORTANT: Make sure that
mycert.keyandmycert.crtin this command match the file names for the key and certificate created in step 1. Do not change theprivateKey=orcertificate=parts of the command, or the service will fail to read the secret. -
Delete the pods. They will be restarted by the Kubernetes deployment:
kubectl delete pods \ --namespace default \ -l "service=proxy,release=deepsecurity-smartcheck"
The Helm team have some helpful guidelines for securing your Helm installation as well as an abbreviated list of best practices for reference.
Deep Security Smart Check stores its data in a postgres database.
The following example command will perform a full database dump, compressing the output and writing it to the file db.gz in the current directory. You can then archive the db.gz file according to your needs.
kubectl exec $(kubectl get pods -l service=db -o jsonpath='{.items[0].metadata.name}') -- \
sh -c 'pg_dumpall -U $POSTGRES_USER | gzip -' \
> db.gzNote: If you are running Deep Security Smart Check in a namespace other than the default namespace and your kubectl context is not set to use that namespace, you will need to add the --namespace NAMESPACE parameter to both kubectl commands in this example.
Important: While Deep Security Smart Check encrypts credentials stored in the database, the database backup file contains other information that you may consider sensitive, such as registry locations, names, and scan results. Ensure that you store your backups safely with appropriate access controls to prevent misuse or accidental disclosure.
The following example command will perform a database restore from the compressed database dump created in the previous procedure.
kubectl exec -i \
$(kubectl get pods -l service=db -o jsonpath='{.items[0].metadata.name}') -- \
sh -c 'gunzip -f -c - | psql -U $POSTGRES_USER' \
< db.gzNote: If you are running Deep Security Smart Check in a namespace other than the default namespace and your kubectl context is not set to use that namespace, you will need to add the --namespace NAMESPACE parameter to both kubectl commands in this example.
If you are using minikube and an insecure registry, you will need to tell minikube that the registry is insecure. To do this, you will need to first delete and then restart your minikube VM:
minikube delete
minikube start --insecure-registry {registry address}Failed to pull image ... Please enable or contact project owners to enable the Google Container Registry API
If you have copied the Deep Security Smart Check images from their default location to the Google Container Registry and pods are failing to start with an error message that looks like the following:
Failed to pull image "us.gcr.io/deepsecurity/auth:latest": rpc error: code = 2 desc = Error response from daemon: {"message":"Get https://gcr.io/v2/deepsecurity/auth/manifests/latest: denied: Please enable or contact project owners to enable the Google Container Registry API in Cloud Console at https://console.cloud.google.com/apis/api/containerregistry.googleapis.com/overview?project=deepsecurity before performing this operation."}
with the deepsecurity project name, then check to make sure that you have the right project name override in your overrides.yaml file. For example, if your project is amazing-minbari and your registry endpoint is gcr.io, you should have the following in your overrides.yaml:
images:
defaults:
registry: gcr.io
project: amazing-minbariIf you have confirmed that the project name is set correctly and you are seeing it in the error message, follow the instructions and the link in the error to enable the Google Container Registry API, then delete and re-install the release:
helm delete --purge deepsecurity-smartcheck
helm install \
--values overrides.yaml \
--name deepsecurity-smartcheck \
https://github.com/deep-security/smartcheck-helm/archive/master.tar.gzFailed to pull image ... pull access denied ... repository does not exist or may require 'docker login'
If the images are stored in a private registry, you will need to use ImagePullSecrets to allow your Kubernetes cluster to pull the images from the registry.
Run the following command to create a Docker secret, replacing the upper-case values with your values:
kubectl create secret docker-registry myregistrykey \
--docker-server=DOCKER_REGISTRY_SERVER \
--docker-username=DOCKER_USER \
--docker-password=DOCKER_PASSWORD \
--docker-email=DOCKER_EMAILIMPORTANT: Make sure you enter your credentials correctly! If you get the values wrong, Docker Hub will lock out your account when it sees repeated failed attempts to download the images.
Then, provide the secret key (myregistrykey in the example) to the install process, either on the command line:
helm delete --purge deepsecurity-smartcheck
helm install \
--set images.defaults.imagePullSecret=myregistrykey \
--values overrides.yaml \
--name deepsecurity-smartcheck \
https://github.com/deep-security/smartcheck-helm/archive/master.tar.gzor by editing your overrides.yaml file to set the images.defaults.imagePullSecret attribute and re-installing:
helm delete --purge deepsecurity-smartcheck
helm install \
--values overrides.yaml \
--name deepsecurity-smartcheck \
https://github.com/deep-security/smartcheck-helm/archive/master.tar.gzWhat role does my Google Cloud Platform service account need in order for Deep Security Smart Check to work with Google Container Registry?
The service account must have at least the StorageObjectViewer role.
If you are using minikube and see errors like:
request canceled while waiting for connection
There is an open issue that may be causing the issue. The workaround suggested by the minikube team is to try:
minikube ssh
sudo ip link set docker0 promisc on