
Best Practices from Oracle Development's A‑Team

Install Aqua Security on Oracle Cloud Infrastructure Container Engine for Kubernetes

Derek Kam
Consulting Solutions Architect

Introduction

Oracle Cloud Infrastructure Container Engine for Kubernetes (a.k.a. OKE) is a fully managed, scalable and highly available service that helps developers build, deploy and manage cloud-native applications. Just like any technology, it involves tradeoffs, and it is easy to overlook risks that have serious security consequences if they are not properly mitigated and managed.

The process of securing containers is similar to the continuous integration and quality control process in your development phase, and in many cases it extends into the maintenance and operation phase of the system. The main security concerns in any container platform are:

  1. Security of your application

  2. Image and registry security

  3. Network traffic security

  4. Host platform security

  5. Application layers security

  6. Build CI/CD system security

       ...and more


In the blog post Extending Aqua Security to Oracle Container Engine for Kubernetes (https://blogs.oracle.com/cloudnative/extending-aqua-security-to-oracle-container-engine-for-kubernetes-oke-v2), the OKE product manager gave a brief introduction to running Aqua Security on OKE and to the benefits of Aqua Security. In this blog, I will demonstrate the steps for installing Aqua on OKE using Helm.

Prerequisites

  • An instance of OKE cluster

  • An Aqua account with a license and access to the Aqua Security Registry (registry.aquasec.com). The installation instructions below pull the Aqua CSP images directly from the Aqua Security Registry; it is recommended that you instead pull the Aqua CSP images from the Aqua Security Registry, re-tag them and push them to your own registry, so that you can keep track of the version you used, enforce change control and ensure that the same version is used across your environments.
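One way to carry out the re-tag recommendation above, as an added example that is not part of the original post or of Aqua's or Oracle's own tooling: it mirrors the Aqua CSP images into an OCIR repository, refuses unpinned (`latest` or untagged) references, and prints the pushed digest so chart values can be pinned to that exact image. The OCIR path, the component image names and the use of `docker` are assumptions; `4.2` is the tenantmanager tag used in the manifest later in this post.

```sh
#!/bin/sh
# Added example (not from the original post, Aqua or Oracle): mirror Aqua CSP
# images from registry.aquasec.com into your own OCIR repository so the Helm
# installs reference a version you control. Needs docker and a prior
# `docker login` to both registries when run for real.
set -eu

SRC_REGISTRY="registry.aquasec.com"
# Assumed placeholders: your OCIR region key and tenancy namespace.
DST_REGISTRY="${DST_REGISTRY:-<region-key>.ocir.io/<tenancy-namespace>/aqua}"
AQUA_VERSION="${AQUA_VERSION:-4.2}"   # tenantmanager tag used in the manifest

# check_pinned REF: succeed only if REF names a version explicitly (a tag
# other than "latest", or a digest); "latest" defeats version tracking.
check_pinned() {
  case "$1" in
    *@sha256:*) return 0 ;;
    *:latest)   return 1 ;;
    */*:*)      return 0 ;;
    *)          return 1 ;;
  esac
}

# target_image SRC_REF DST_PREFIX: print the destination reference, keeping
# the repository name and tag so the version stays traceable.
target_image() {
  printf '%s/%s\n' "$2" "${1#*/}"
}

# mirror_image SRC_REF DST_REF: pull, re-tag, push, then print the pushed
# repo@sha256 digest so chart values can be pinned to that exact image.
mirror_image() {
  docker pull "$1"
  docker tag "$1" "$2"
  docker push "$2"
  docker inspect --format '{{index .RepoDigests 0}}' "$2"
}

main() {
  # Component image names are assumptions; confirm them in your Aqua registry.
  for component in server gateway scanner enforcer tenantmanager; do
    src="$SRC_REGISTRY/$component:$AQUA_VERSION"
    check_pinned "$src" || { echo "refusing unpinned image: $src" >&2; exit 1; }
    mirror_image "$src" "$(target_image "$src" "$DST_REGISTRY")"
  done
}

# Run only when executed as this script, not when sourced for testing.
case "${0##*/}" in mirror-aqua-images.sh) main ;; esac
```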

Below are brief descriptions of the Aqua components used in this installation.

  • Aqua Server is the central control component of Aqua CSP.

  • Aqua Database is the database used by the Aqua Server and the Aqua Gateway(s).

  • Aqua Gateway(s) handle communication between the Aqua Server and the Aqua Enforcer(s).

  • Aqua CyberCenter is a cyber-intelligence knowledge base, maintained and operated by Aqua Security.

  • Aqua Scanner(s) scan images for vulnerabilities and send the results to the Aqua Server.

  • Aqua Enforcer(s) provide runtime security monitoring of your running containers in order to enforce the Container Runtime Policies that you have configured in the Aqua UI. The Aqua Enforcer(s) also ensure that only registered and scanned images will run on the hosts where the Aqua Enforcer is deployed.

Installation Steps

  • Create a namespace

    kubectl create namespace aqua
  • Clone the Aqua GitHub repository with the charts

    git clone https://github.com/aquasecurity/aqua-helm.git
    cd aqua-helm/
  • Install the Aqua server console

    helm upgrade --install --namespace aqua csp ./server --set imageCredentials.username='<Your Aqua Repo Username>',imageCredentials.password='<Your Aqua Repo Password>',imageCredentials.email='<Your Aqua Repo Email>',imageCredentials.registry='registry.aquasec.com'
  • Install the Enforcer

    helm upgrade --install --namespace aqua csp-enforcer ./enforcer --set imageCredentials.username='<Your Aqua Repo Username>',imageCredentials.password='<Your Aqua Repo Password>',imageCredentials.email='<Your Aqua Repo Email>',enforcerToken='<Your Aqua Enforcer Token>',imageCredentials.registry='registry.aquasec.com'
  • Install the Scanner

    helm upgrade --install --namespace aqua scanner ./scanner --set imageCredentials.username='<Your Aqua Repo Username>',imageCredentials.password='<Your Aqua Repo Password>',imageCredentials.email='<Your Aqua Repo Email>',imageCredentials.registry='registry.aquasec.com'
  • Create a role binding (this binds the csp-sa service account in the aqua namespace to the cluster-admin ClusterRole, i.e. it grants full cluster-wide access)

    kubectl create clusterrolebinding default-admin --clusterrole cluster-admin --serviceaccount=aqua:csp-sa
  • To access the Aqua console, list the pods in the aqua namespace

    kubectl get pods -n aqua   # find the csp-console-xxxxxx pod and its port number, and use them in the next step
  • Open your browser and navigate to the IP address of the Aqua Server host. By default, port 8080 is used: http://<OKE-HOST-IP>:8080

  • You can configure Aqua CSP to scan the images in your image repository. To do that, create a new registry configuration in the Aqua Console (see the screenshot below for DockerHub). For OCIR, select Docker Registry as the registry type, then enter your OCIR URL, username and password.

  • If you have multiple OKE instances in different regions and have deployed the Aqua security platform on each of them, you can install Aqua Tenant Manager to create security policies and distribute them to all your OKE instances in other regions. This allows you to enforce security policies across your organization.

    Instructions:

  • In an OKE instance, create a namespace:

     kubectl create namespace aqua-security
  • Create the YAML file shown below, named "aqua-tenant-manager.yaml"

    # The csp-sa service account, the csp-database-password secret and the
    # csp-database-svc service referenced below are created by the csp Helm
    # release, so apply this manifest in the namespace where that release lives.
    apiVersion: v1
    kind: Service
    metadata:
      name: aqua-tenantmanager
      labels:
        app: aqua-tenantmanager
    spec:
      ports:
        - port: 8081
      selector:
        app: aqua-tenantmanager
      type: LoadBalancer
    ---
    # apps/v1 replaces extensions/v1beta1, which was removed in Kubernetes 1.16;
    # apps/v1 also requires an explicit pod selector.
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: aqua-tenantmanager
    spec:
      selector:
        matchLabels:
          app: aqua-tenantmanager
      template:
        metadata:
          labels:
            app: aqua-tenantmanager
          name: aqua-tenantmanager
        spec:
          serviceAccountName: csp-sa
          containers:
          - name: aqua-tenantmanager
            image: "registry.aquasec.com/tenantmanager:4.2"
            imagePullPolicy: "IfNotPresent"
            env:
              # Tenant Manager shares the Aqua CSP PostgreSQL database; the
              # password comes from the secret created by the csp release.
              - name: AQUA_TM_DBNAME
                value: "tenantmanager"
              - name: AQUA_TM_DBUSER
                value: "postgres"
              - name: AQUA_TM_DBPASSWORD
                valueFrom:
                  secretKeyRef:
                    name: csp-database-password
                    key: db-password
              - name: AQUA_TM_DBHOST
                value: csp-database-svc
              - name: AQUA_TM_DBPORT
                value: "5432"
              - name: AQUA_TM_AUDIT_DBNAME
                value: "tm_audit"
              - name: AQUA_TM_AUDIT_DBUSER
                value: "postgres"
              - name: AQUA_TM_AUDIT_DBPASSWORD
                valueFrom:
                  secretKeyRef:
                    name: csp-database-password
                    key: db-password
              - name: AQUA_TM_AUDIT_DBHOST
                value: csp-database-svc
              - name: AQUA_TM_AUDIT_DBPORT
                value: "5432"
              - name: SCALOCK_LOG_LEVEL
                value: "DEBUG"
            ports:
            - containerPort: 8081
  • Deploy the tenant manager:

    kubectl create -f aqua-tenant-manager.yaml
  • Open your browser and navigate to the OKE external/Load Balancer IP address of the Tenant Manager. Note that port 8081 is used; this is different from Aqua CSP, which uses port 8080 by default: http://<OKE_EXTERNAL_DNS_NAME_OR_IP>:8081
