Install the Kubernetes packages from: https://kubernetes.io/docs/tasks/tools/install-kubectl/
kubectl, kubeadm
Install aws-iam-authenticator from https://docs.aws.amazon.com/eks/latest/userguide/install-aws-iam-authenticator.html
Install aws cli from https://aws.amazon.com/cli/
Test the AWS connection:
* Make sure the ~/.aws/credentials file is in place first (layout below).
# aws sts get-caller-identity
~/.aws/credentials:
aws_access_key_id=<USER_API_KEY>
aws_secret_access_key=<USER_API_SECRET>
region=us-east-1
output=json
**** build EKS cluster ****
tenable-demo2.yaml (apply it with `eksctl create cluster -f tenable-demo2.yaml`):
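# tenable-demo2.yaml — eksctl ClusterConfig for the demo EKS cluster
# (one managed node group, two AZs in us-east-1).
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: tenable-demo2
  region: us-east-1

availabilityZones: ["us-east-1a", "us-east-1b"]

nodeGroups:
  - name: ng-1
    instanceType: t3.medium
    minSize: 1
    maxSize: 3
    desiredCapacity: 2
    # eksctl resolves an EKS-optimised AMI for the region/version.
    ami: auto
    ssh:
      # import inline public key (placeholder — paste the key material here)
      publicKey: "PUBLIC_KEY_HASH"
      # allow: true opens SSH ingress to the node group; with no source
      # restriction it is reachable from any address. Restrict the source
      # (eksctl's ssh.sourceSecurityGroupIds) or leave SSH off unless node
      # shell access is really needed.
      allow: true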
Create the Kubernetes namespace (kube-namespace.yaml):
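# kube-namespace.yaml — namespace that holds the CS Scanner Secrets, Service
# and Deployment; every kubectl command below uses --namespace=tiocsscanner.
apiVersion: v1
kind: Namespace
metadata:
  name: tiocsscanner
  labels:
    name: tiocsscanner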
**** set secrets ****
#kubectl create secret generic tio --from-literal=username=<ACCESS_KEY> --from-literal=password=<SECRET_KEY> --namespace=tiocsscanner
#kubectl create secret generic <NAME> --from-literal=username=<USERNAME> --from-literal=password=<PASSWORD> --namespace=tiocsscanner
Docker-registry Secret for pulling the CS Scanner image from the Tenable.io (TIO) JFrog registry:
#kubectl create secret docker-registry <JFROG_ARTIFACTORY_NAME> --docker-server=https://tenableio-docker-consec-local.jfrog.io --docker-username=<TIO_USERNAME> --docker-password=<TIO_PASSWORD> --docker-email=<EMAIL> --namespace=tiocsscanner
#kubectl create secret docker-registry <jfrog-tio> --docker-server=https://tenableio-docker-consec-local.jfrog.io --docker-username=<TIO_USERNAME> --docker-password=<TIO_PASSWORD> --docker-email=<EMAIL> --namespace=tiocsscanner
#kubectl create secret docker-registry <private-registry-user> --docker-server=https://xxxx.jfrog.io --docker-username=<JFROG_USER> --docker-password=<JFROG_PWD> --docker-email=<email that was used on account> --namespace=tiocsscanner
**** build deployment YAML ****
Don't forget to set `imagePullSecrets` in the pod spec so the JFrog image pull can authenticate:
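# Service: ClusterIP front for the scanner pod on TCP 5000 (targetPort is
# not set, so it defaults to port). Reachable only inside the cluster.
apiVersion: v1
kind: Service
metadata:
  name: tiocsscanner
  namespace: tiocsscanner
  labels:
    app: tiocsscanner
spec:
  selector:
    app: tiocsscanner
  type: ClusterIP
  ports:
    - name: http
      protocol: TCP
      port: 5000
---
# Deployment: one CS Scanner replica running `import-registry`, reading its
# credentials from the Secrets created above (tio, private-registry-user)
# and pulling its image with the jfrog-tio registry Secret.
# apps/v1 replaces extensions/v1beta1, which was removed in Kubernetes 1.16;
# apps/v1 is served by the v1.13 cluster shown below as well.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: tiocsscanner
  name: tiocsscanner
  namespace: tiocsscanner
spec:
  minReadySeconds: 10
  replicas: 1
  selector:
    matchLabels:
      app: tiocsscanner
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: tiocsscanner
    spec:
      # docker-registry Secret for the Tenable JFrog registry (see "set secrets")
      imagePullSecrets:
        - name: jfrog-tio
      containers:
        - name: tiocsscanner
          # :latest is a mutable tag — pin a specific tag or an @sha256 digest
          # so the scanner that runs is the image that was reviewed.
          image: "tenableio-docker-consec-local.jfrog.io/cs-scanner:latest"
          resources:
            limits:
              cpu: "3"
              # no memory limit is set: the pod may grow past its 2Gi request
              # until the node evicts it — add one if that matters
            requests:
              cpu: "1.5"
              memory: "2Gi"
          args:
            - import-registry
          env:
            # Tenable.io API keys, from the `tio` Secret. secretKeyRef keeps
            # the values out of this manifest; they are still visible to
            # anyone who can read the pod's environment.
            - name: TENABLE_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: tio
                  key: username
            - name: TENABLE_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: tio
                  key: password
            # Credentials for the private registry being imported, from the
            # `private-registry-user` Secret.
            - name: REGISTRY_USERNAME
              valueFrom:
                secretKeyRef:
                  name: private-registry-user
                  key: username
            - name: REGISTRY_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: private-registry-user
                  key: password
            # Registry to import from; REGISTRY_URI is a placeholder to replace.
            - name: IMPORT_REPO_NAME
              value: "docker"
            - name: REGISTRY_URI
              value: "XXXXX.jfrog.io"
            # Quoted so the value stays a string rather than an int.
            - name: IMPORT_INTERVAL_MINUTES
              value: "15"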
You might want to set up a Python virtual environment:
scl enable rh-python36 bash
Example:
python -m venv tenableEKS_venv
source tenableEKS_venv/bin/activate
sudo yum groupinstall "Development Tools"
mkdir ~/tenableEKS
cd ~/tenableEKS
source tenableEKS/tenableEKS_venv/bin/activate
kubectl get nodes --all-namespaces
NAME STATUS ROLES AGE VERSION
ip-192-168-44-109.ec2.internal Ready 11h v1.13.8-eks-cd3eb0
ip-192-168-46-54.ec2.internal Ready 11h v1.13.8-eks-cd3eb0
ip-192-168-6-98.ec2.internal Ready 11h v1.13.8-eks-cd3eb0
kubectl get pods --all-namespaces
kubectl describe pod <podname> --namespace=tiocsscanner
kubectl logs -f <podname> --namespace=tiocsscanner