Overview
This article describes the process for onboarding a Kubernetes cluster into Data Theorem.
Requirements
Admin access to the Kubernetes cluster
Whitelisting Data Theorem's IP addresses so that the analyzer can reach the Kubernetes API.
Step 1: Generate the service account
In order to complete the onboarding process, you will need to execute a script on your machine. This script requires:
cluster-admin access to the Kubernetes cluster
Python 3.7+
Instructions
Download the onboarding script
TODO: provide static link to script
This service account will have read-only permissions and will allow Data Theorem to connect to the Kubernetes cluster API to analyze its configuration.
The script is written in Python. It works with Python 3.7+ on macOS and Linux.
The script will:
Create a service account for Data Theorem
Add a security audit role (with read-only access)
Link the security audit role to the service account
Generate a kube config file containing a token that never expires for the previously generated service account
Note: The script calls
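To make the four steps above concrete, here is an added illustration (not Data Theorem's onboarding script, whose contents are not on this page) that builds the RBAC objects a read-only audit account needs and checks that the role grants nothing beyond get/list/watch. The object names, the resource list, and the decision to leave Secrets out of the audit role are assumptions made for this example; the token Secret is included because, since Kubernetes 1.24, a service account no longer receives a non-expiring token automatically.

```python
# Added example, not the onboarding script: build the service account, the
# read-only audit ClusterRole, the binding and a long-lived token Secret, and
# verify the role is really read-only. Names below are assumptions.
import json

READ_ONLY_VERBS = {"get", "list", "watch"}

# Resources the audit role may read (assumption for this example). Secrets are
# deliberately excluded: a configuration audit does not need them, and a
# leaked read-only token should not expose them.
AUDIT_RESOURCES = [
    ("", ["pods", "services", "namespaces", "nodes", "configmaps",
          "serviceaccounts", "persistentvolumes", "persistentvolumeclaims"]),
    ("apps", ["deployments", "daemonsets", "statefulsets", "replicasets"]),
    ("rbac.authorization.k8s.io",
     ["roles", "rolebindings", "clusterroles", "clusterrolebindings"]),
    ("networking.k8s.io", ["networkpolicies", "ingresses"]),
    ("policy", ["poddisruptionbudgets"]),
]


def build_rbac_manifests(sa_name="datatheorem", namespace="kube-system",
                         role_name="datatheorem-security-audit"):
    """Return the objects the onboarding steps create, as plain dicts."""
    service_account = {
        "apiVersion": "v1", "kind": "ServiceAccount",
        "metadata": {"name": sa_name, "namespace": namespace},
    }
    cluster_role = {
        "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
        "metadata": {"name": role_name},
        "rules": [
            {"apiGroups": [group], "resources": resources,
             "verbs": sorted(READ_ONLY_VERBS)}
            for group, resources in AUDIT_RESOURCES
        ],
    }
    binding = {
        "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
        "metadata": {"name": f"{role_name}-binding"},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                    "kind": "ClusterRole", "name": role_name},
        "subjects": [{"kind": "ServiceAccount", "name": sa_name,
                      "namespace": namespace}],
    }
    # Since Kubernetes 1.24 a service account no longer gets an automatic
    # non-expiring token Secret; a Secret of this type, annotated with the
    # account name, makes the control plane mint one.
    token_secret = {
        "apiVersion": "v1", "kind": "Secret",
        "metadata": {"name": f"{sa_name}-token", "namespace": namespace,
                     "annotations": {"kubernetes.io/service-account.name": sa_name}},
        "type": "kubernetes.io/service-account-token",
    }
    return [service_account, cluster_role, binding, token_secret]


def non_read_only_rules(cluster_role):
    """Return the rules of a ClusterRole that grant anything beyond get/list/watch."""
    bad = []
    for rule in cluster_role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        if "*" in verbs or not verbs <= READ_ONLY_VERBS:
            bad.append(rule)
    return bad


def is_read_only(cluster_role):
    return not non_read_only_rules(cluster_role)


def to_multi_doc_yaml(objs):
    """JSON is valid YAML, so kubectl apply -f accepts this output without PyYAML."""
    return "\n---\n".join(json.dumps(o, indent=2) for o in objs) + "\n"


if __name__ == "__main__":
    manifests = build_rbac_manifests()
    assert is_read_only(manifests[1])
    print(to_multi_doc_yaml(manifests))
```

Running the module prints a multi-document manifest that can be applied with kubectl; the same `non_read_only_rules` check is useful after onboarding, run against the ClusterRole actually present in the cluster, to confirm nobody has widened it since.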
Onboarding Kubernetes cluster on Amazon (EKS)
First we need to retrieve the role ARN of the Kubernetes cluster:
...
    python3 datatheorem-k8s-onboarding.py -p aws -o <CONFIG_OUTPUT_PATH> --rolearn <ROLE_ARN>
Onboarding Kubernetes cluster on Azure (AKS)
In order to onboard the cluster, it must have the RBAC setting enabled. You can make sure of that by going to the Azure Console and:
...
    python3 datatheorem-k8s-onboarding.py -p azure -o <CONFIG_OUTPUT_PATH>
Onboarding Kubernetes cluster on GCP (GKE)
The gcloud user that runs the script must have the Kubernetes Engine Admin role or higher.
    python3 datatheorem-k8s-onboarding.py -p gcp -o <CONFIG_OUTPUT_PATH>
Onboarding on-premise Kubernetes cluster
    python3 datatheorem-k8s-onboarding.py -p onprem -o <CONFIG_OUTPUT_PATH>
Send the generated credentials to Data Theorem
The script generates a configuration which is located at the path you provided when you executed the script. The filename is kube-config-to-onboard.yaml.
Copy the content of the file into the Data Theorem onboarding step. This will allow us to connect to your Kubernetes cluster with read-only access and scan your cluster.
The content should look similar to this one:
    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tC[...]
        server: https://ABCD.yl4.eu-west-3.eks.amazonaws.com
      name: arn:aws:eks:eu-west-3:123:cluster/test-to-delete
    contexts:
    - context:
        cluster: arn:aws:eks:eu-west-3:123:cluster/test-to-delete
        namespace: kube-system
        user: datatheorem-kube-system-arn:aws:eks:eu-west-3:123:cluster/test-to-delete
      name: datatheorem-kube-system-arn:aws:eks:eu-west-3:123:cluster/test-to-delete
    current-context: datatheorem-kube-system-arn:aws:eks:eu-west-3:123:cluster/test-to-delete
    kind: Config
    preferences: {}
    users:
    - name: datatheorem-kube-system-arn:aws:eks:eu-west-3:123:cluster/test-to-delete
      user:
        token: eyJhbGciOiJSUzI1NiIsImtpZCI6IkQ1LTZ[...]
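The file above is a standard kubeconfig with one cluster, one token user and one context. The added example below (illustration only, not the onboarding script) assembles a kubeconfig in that layout from a service-account token and runs the sanity checks worth doing before the file is uploaded: the current context must resolve to a defined cluster and user, the API server must be an https endpoint with CA data so the client can verify it, and the credential must be a bare token rather than a client certificate or exec plugin. The cluster name, server, CA data and token in the demo are constructed placeholders modelled on the sample above.

```python
# Added example, not the onboarding script: build a kubeconfig for a
# service-account token and check it before uploading. Demo values are
# constructed placeholders.
import json
import os


def build_kubeconfig(cluster_name, server, ca_data, token,
                     namespace="kube-system", user_prefix="datatheorem"):
    """Build the kubeconfig dict: one cluster, one token user, one context."""
    user_name = f"{user_prefix}-{namespace}-{cluster_name}"
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "preferences": {},
        "clusters": [{"name": cluster_name,
                      "cluster": {"certificate-authority-data": ca_data,
                                  "server": server}}],
        "users": [{"name": user_name, "user": {"token": token}}],
        "contexts": [{"name": user_name,
                      "context": {"cluster": cluster_name, "user": user_name,
                                  "namespace": namespace}}],
        "current-context": user_name,
    }


def _by_name(cfg, key):
    return {item.get("name"): item for item in cfg.get(key, [])}


def check_kubeconfig(cfg):
    """Return a list of problems; an empty list means the file is consistent."""
    problems = []
    clusters, users, contexts = (_by_name(cfg, k) for k in ("clusters", "users", "contexts"))

    if cfg.get("kind") != "Config":
        problems.append("kind must be Config")
    ctx_name = cfg.get("current-context")
    ctx = contexts.get(ctx_name)
    if ctx is None:
        problems.append(f"current-context {ctx_name!r} is not defined in contexts")
        return problems
    ctx_body = ctx.get("context", {})

    cluster = clusters.get(ctx_body.get("cluster"))
    if cluster is None:
        problems.append("context references an unknown cluster")
    else:
        cluster_body = cluster.get("cluster", {})
        if not cluster_body.get("server", "").startswith("https://"):
            problems.append("API server URL must use https")
        if not cluster_body.get("certificate-authority-data"):
            problems.append("certificate-authority-data missing: the client cannot verify the API server")

    user = users.get(ctx_body.get("user"))
    if user is None:
        problems.append("context references an unknown user")
    else:
        user_body = user.get("user", {})
        if not user_body.get("token"):
            problems.append("user has no token: a service-account token is expected")
        elif user_body.get("client-key-data") or user_body.get("exec"):
            problems.append("user carries client certificates or an exec plugin; expected a bare token")
    return problems


def write_kubeconfig(cfg, path):
    """Write the file readable by its owner only: it holds a non-expiring credential."""
    with open(path, "w") as fh:
        fh.write(json.dumps(cfg, indent=2))   # JSON is valid YAML; kubectl reads it
    os.chmod(path, 0o600)


if __name__ == "__main__":
    demo = build_kubeconfig(
        cluster_name="arn:aws:eks:eu-west-3:123:cluster/test-to-delete",
        server="https://ABCD.yl4.eu-west-3.eks.amazonaws.com",
        ca_data="LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tC...",   # constructed placeholder
        token="eyJhbGciOiJSUzI1NiIsImtpZCI6IkQ1LTZ...",       # constructed placeholder
    )
    print(check_kubeconfig(demo))   # [] when the file is consistent
    write_kubeconfig(demo, "kube-config-to-onboard.yaml")
```

Because the token never expires, the generated file is as sensitive as a long-lived password: keep it owner-readable only, as `write_kubeconfig` does, delete local copies once the upload is done, and delete the token Secret in the cluster if the integration is ever decommissioned.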
Step 2: Whitelisting Data Theorem’s IP Addresses
The Data Theorem analyzer will use the following IP addresses to connect to the Kubernetes API:
34.123.118.75/32
35.188.170.247/32
34.123.250.193/32
You can refer to these guides for clusters managed by cloud providers:
https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html
https://cloud.google.com/kubernetes-engine/docs/how-to/authorized-networks#add
Step 3: Send the generated credentials to Data Theorem
To complete the onboarding process, upload the service account file to the Data Theorem portal in the ASM setup section: https://www.securetheorem.com/cloud/asm-setup. Start the flow using “Add source” and then “Kubernetes cluster”.