Oracle Cloud Infrastructure Container Engine for Kubernetes (a.k.a. OKE) is a fully managed, scalable and highly available service that helps developers build, deploy and manage cloud-native applications. Like any technology, it comes with trade-offs, and it is easy to overlook security issues that have serious consequences if they are not properly mitigated and managed.
The process of securing containers is similar to the continuous integration and quality control process in your development phase, and in many cases it extends into the maintenance and operation phase of the system. The main security concerns in any container platform are:
Security of your application
Image and registry security
Network traffic security
Host platform security
Application layers security
Build CI/CD system security
In the blog post Extending Aqua Security to Oracle Container Engine for Kubernetes (https://blogs.oracle.com/cloudnative/extending-aqua-security-to-oracle-container-engine-for-kubernetes-oke-v2), the OKE product manager gave a brief introduction to running Aqua Security on OKE and the benefits Aqua Security provides. In this blog, I will demonstrate the steps for installing Aqua on OKE using Helm. The following prerequisites are assumed:
An instance of OKE cluster
An Aqua account with a license and access to the Aqua Security Registry (registry.aquasec.com). The installation instructions below pull the Aqua CSP images directly from the Aqua Security Registry. It is recommended that you instead pull the Aqua CSP images from the Aqua Security Registry, re-tag them and push them to your own registry, so that you can keep track of the version you use, enforce change control and ensure the same version is used throughout your environment.
Below are brief descriptions of the Aqua components used in this installation.
Aqua Server is the central control component of Aqua CSP
Aqua Database is the database used by the Aqua Server and the Aqua Gateway(s)
Aqua Gateway(s) handle communication between the Aqua Server and the Aqua Enforcer(s)
Aqua CyberCenter is a cyber-intelligence knowledge base, maintained and operated by Aqua Security.
Aqua Scanner(s) scan images for vulnerabilities and send the results to the Aqua Server.
Aqua Enforcer(s) provide runtime security monitoring of your running containers in order to enforce the Container Runtime Policies that you have configured in the Aqua UI. The Aqua Enforcer(s) also ensure that only registered and scanned images run on the hosts where an Aqua Enforcer is deployed.
Create a namespace
kubectl create namespace aqua
Clone the Aqua Github repository with the charts
git clone https://github.com/aquasecurity/aqua-helm.git
cd aqua-helm/
Install the Aqua server console
helm upgrade --install --namespace aqua csp ./server \
  --set imageCredentials.username='<Your Aqua Repo Username>',imageCredentials.password='<Your Aqua Repo Password>',imageCredentials.email='<Your Aqua Repo Email>',imageCredentials.registry='registry.aquasec.com'
Install the Enforcer
helm upgrade --install --namespace aqua csp-enforcer ./enforcer \
  --set imageCredentials.username='<Your Aqua Repo Username>',imageCredentials.password='<Your Aqua Repo Password>',imageCredentials.email='<Your Aqua Repo Email>',enforcerToken='<Your Aqua Enforcer Token>',imageCredentials.registry='registry.aquasec.com'
Install the Scanner
helm upgrade --install --namespace aqua scanner ./scanner \
  --set imageCredentials.username='<Your Aqua Repo Username>',imageCredentials.password='<Your Aqua Repo Password>',imageCredentials.email='<Your Aqua Repo Email>',imageCredentials.registry='registry.aquasec.com'
Create a role binding
kubectl create clusterrolebinding default-admin --clusterrole cluster-admin --serviceaccount=aqua:csp-sa
To access the Aqua console
kubectl get pods -n aqua
This lists all the pods in the aqua namespace. Find the csp-console-xxxxxx pod and its port number, and use it in the next step.
Open your browser and navigate to the IP address of the Aqua Server host. By default, port 8080 is used: http://<OKE-HOST-IP>:8080
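The installation steps above, collected into one script as an added example (not code from the original post or from the aqua-helm project). It reads the registry credentials and enforcer token from environment variables instead of placing them on the command line, so the password does not end up in shell history, refuses to run while a "<Your Aqua ...>" placeholder is still set, and assumes helm and kubectl target the OKE cluster and the current directory is the cloned aqua-helm/ checkout.

```shell
#!/usr/bin/env sh
# Added example, not from the original post: installs the Aqua CSP charts with
# registry credentials taken from AQUA_USER, AQUA_PASSWORD, AQUA_EMAIL and
# AQUA_ENFORCER_TOKEN. Assumes the cwd is the cloned aqua-helm/ checkout.

AQUA_REGISTRY="${AQUA_REGISTRY:-registry.aquasec.com}"
AQUA_NAMESPACE="${AQUA_NAMESPACE:-aqua}"

# Returns 0 when the named variable is set and is not one of the
# "<Your Aqua ...>" placeholders from the instructions above.
check_var() {
    eval "val=\${$1:-}"
    case "$val" in
        "" | "<"*">") return 1 ;;
    esac
    return 0
}

# Build the --set value shared by the server, enforcer and scanner charts.
# Note: helm --set splits on commas, so a password containing ',' must be
# written as '\,' in AQUA_PASSWORD.
image_creds_set() {
    printf 'imageCredentials.username=%s,imageCredentials.password=%s,imageCredentials.email=%s,imageCredentials.registry=%s' \
        "$AQUA_USER" "$AQUA_PASSWORD" "$AQUA_EMAIL" "$AQUA_REGISTRY"
}

install_aqua() {
    for v in AQUA_USER AQUA_PASSWORD AQUA_EMAIL AQUA_ENFORCER_TOKEN; do
        check_var "$v" || { echo "error: $v is unset or still a placeholder" >&2; return 1; }
    done
    kubectl get namespace "$AQUA_NAMESPACE" >/dev/null 2>&1 \
        || kubectl create namespace "$AQUA_NAMESPACE"
    helm upgrade --install --namespace "$AQUA_NAMESPACE" csp ./server \
        --set "$(image_creds_set)"
    helm upgrade --install --namespace "$AQUA_NAMESPACE" csp-enforcer ./enforcer \
        --set "$(image_creds_set),enforcerToken=$AQUA_ENFORCER_TOKEN"
    helm upgrade --install --namespace "$AQUA_NAMESPACE" scanner ./scanner \
        --set "$(image_creds_set)"
    # Same binding as the post; cluster-admin is broad, scope it down where your policy allows.
    kubectl create clusterrolebinding default-admin --clusterrole cluster-admin \
        --serviceaccount="$AQUA_NAMESPACE:csp-sa" --dry-run=client -o yaml | kubectl apply -f -
    kubectl get pods -n "$AQUA_NAMESPACE"
}

# Only install when explicitly asked, so the file can be sourced for its functions.
if [ "${AQUA_RUN_INSTALL:-0}" = "1" ]; then
    install_aqua
fi
```

Run it with `AQUA_RUN_INSTALL=1 sh install-aqua.sh` after exporting the four variables; the role binding is applied idempotently so the script can be re-run.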
You can configure Aqua CSP to scan the images in your image repository. To do that, create a new registry configuration in the Aqua Console (see the screenshot below for Docker Hub). For OCIR, select Docker Registry as the registry type, then enter your OCIR URL, username and password.
If you have multiple OKE instances in different regions and you have deployed the Aqua security platform on those instances, you can install Aqua Tenant Manager to create security policies and distribute them to all your OKE instances in other regions. This will allow you to enforce security policies across your organization.
In an OKE instance, create a namespace:
kubectl create namespace aqua-security
Create a YAML file named "aqua-tenant-manager.yaml" with the content shown below:
# Service exposing the Tenant Manager console on port 8081 through an OKE load balancer.
apiVersion: v1
kind: Service
metadata:
  name: aqua-tenantmanager
  labels:
    app: aqua-tenantmanager
spec:
  ports:
    - port: 8081
  selector:
    app: aqua-tenantmanager
  type: LoadBalancer
---
# Deployment API updated from extensions/v1beta1 (removed in Kubernetes 1.16) to apps/v1,
# which requires spec.selector to match the pod template labels.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: aqua-tenantmanager
spec:
  selector:
    matchLabels:
      app: aqua-tenantmanager
  template:
    metadata:
      labels:
        app: aqua-tenantmanager
      name: aqua-tenantmanager
    spec:
      # csp-sa, csp-database-svc and csp-database-password are the names created by the
      # csp Helm release; they are namespace-scoped and must exist in the namespace this
      # manifest is applied to.
      serviceAccountName: csp-sa
      containers:
        - name: aqua-tenantmanager
          image: "registry.aquasec.com/tenantmanager:4.2"
          imagePullPolicy: "IfNotPresent"
          env:
            # Tenant Manager database, shared with the Aqua CSP PostgreSQL instance.
            - name: AQUA_TM_DBNAME
              value: "tenantmanager"
            - name: AQUA_TM_DBUSER
              value: "postgres"
            - name: AQUA_TM_DBPASSWORD
              valueFrom:
                secretKeyRef:
                  name: csp-database-password
                  key: db-password
            - name: AQUA_TM_DBHOST
              value: csp-database-svc
            - name: AQUA_TM_DBPORT
              value: "5432"
            # Separate audit database on the same PostgreSQL instance.
            - name: AQUA_TM_AUDIT_DBNAME
              value: "tm_audit"
            - name: AQUA_TM_AUDIT_DBUSER
              value: "postgres"
            - name: AQUA_TM_AUDIT_DBPASSWORD
              valueFrom:
                secretKeyRef:
                  name: csp-database-password
                  key: db-password
            - name: AQUA_TM_AUDIT_DBHOST
              value: csp-database-svc
            - name: AQUA_TM_AUDIT_DBPORT
              value: "5432"
            - name: SCALOCK_LOG_LEVEL
              value: "DEBUG"
          ports:
            - containerPort: 8081
Deploy the tenant manager:
kubectl create -f aqua-tenant-manager.yaml
Open your browser and navigate to the OKE external/Load Balancer IP address of the Tenant Manager. Note that port 8081 is used; this is different from Aqua CSP, which uses port 8080 by default: http://<OKE_EXTERNAL_DNS_NAME_OR_IP>:8081