
Overview

This article describes the process for onboarding a Kubernetes cluster into Data Theorem.

Requirements

  • Admin access to the Kubernetes cluster.

  • Whitelisting Data Theorem’s IP addresses so that Data Theorem’s analyzer can connect to the Kubernetes API.

Step 1: Generate the service account

To complete the onboarding process, you will need to execute a script on your machine that generates a new service account.

This service account will have read-only permissions and will allow Data Theorem to connect to the Kubernetes cluster API to analyze its configuration.

The script requires:

  • cluster-admin access to the Kubernetes cluster.

  • kubectl.

  • Python 3.7+.

The script is written in Python. It works with Python 3.7+ on macOS and Linux.

Download the onboarding script

TODO: provide static link to script

datatheorem_onboarding_script.py

The script will:

  • Create a service account for Data Theorem.

  • Add a security audit role (with read-only access).

  • Link the security audit role to the service account.

  • Generate a kube config file which contains a token which never expires for the previously generated service account.

Note

The script calls kubectl, which must be configured for the cluster you want to onboard.

Onboarding Kubernetes cluster on Amazon (EKS)

First you need to retrieve the role ARN of the Kubernetes cluster:

  1. Go to the AWS Console

  2. Go to EKS

  3. On the left-hand side, click on Clusters, under Amazon EKS

  4. In the list of clusters, search for the cluster name you want to onboard and click on it

  5. Then click on the Configuration tab

  6. Finally copy the Cluster IAM Role ARN


Then run the script as follows:

python3 datatheorem-k8s-onboarding.py -p aws -o datatheorem_k8s_service_account.yaml --rolearn <ROLE_ARN>

Onboarding Kubernetes cluster on Azure (AKS)

To onboard the cluster, it must have the RBAC setting enabled. You can verify this by going to the Azure Console and:

  1. Kubernetes Services

  2. Search for the name of the cluster you want to onboard and click on it

  3. Under Settings, click on Cluster configuration

  4. Role-based access control (RBAC) must be Enabled

Then run the script as follows:

python3 datatheorem-k8s-onboarding.py -p azure -o datatheorem_k8s_service_account.yaml

Onboarding Kubernetes cluster on GCP (GKE)

The gcloud user that runs the script must have the Kubernetes Engine Admin role or higher.

Run the script as follows:

python3 datatheorem-k8s-onboarding.py -p gcp -o datatheorem_k8s_service_account.yaml

Onboarding on-premise and other Kubernetes clusters

Run the script as follows:

python3 datatheorem-k8s-onboarding.py -p onprem -o datatheorem_k8s_service_account.yaml

Send the generated credentials to Data Theorem

The script generates a configuration which is located at the path you provided when you executed the script. The filename is kube-config-to-onboard.yaml.

Copy the content of the file into the Data Theorem onboarding step. This will allow us to connect to your Kubernetes cluster with read-only access and scan your cluster.

The content should look similar to this one:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tC[...]
    server: https://ABCD.yl4.eu-west-3.eks.amazonaws.com
  name: arn:aws:eks:eu-west-3:123:cluster/test-to-delete
contexts:
- context:
    cluster: arn:aws:eks:eu-west-3:123:cluster/test-to-delete
    namespace: kube-system
    user: datatheorem-kube-system-arn:aws:eks:eu-west-3:123:cluster/test-to-delete
  name: datatheorem-kube-system-arn:aws:eks:eu-west-3:123:cluster/test-to-delete
current-context: datatheorem-kube-system-arn:aws:eks:eu-west-3:123:cluster/test-to-delete
kind: Config
preferences: {}
users:
- name: datatheorem-kube-system-arn:aws:eks:eu-west-3:123:cluster/test-to-delete
  user:
    token: eyJhbGciOiJSUzI1NiIsImtpZCI6IkQ1LTZ[...]
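To make the four steps the script performs concrete (service account, read-only role, binding, non-expiring token) and the kubeconfig layout shown above, here is an added illustration. It is not Data Theorem’s script; the object names, the use of kube-system, and the breadth of the read-only role are assumptions.

```python
"""Hypothetical helper that builds the objects a Kubernetes onboarding script of this
kind creates, and assembles the kubeconfig carrying the resulting token.
Not Data Theorem's script; names and scope are assumptions."""
import base64
import json

NAMESPACE = "kube-system"                  # assumed, matches the sample above
SA_NAME = "datatheorem"                    # assumed service account name
ROLE_NAME = "datatheorem-security-audit"   # assumed role name

def rbac_manifests():
    """ServiceAccount, read-only ClusterRole, ClusterRoleBinding and a long-lived token Secret.
    On Kubernetes 1.24+ service account tokens are no longer auto-created, so the Secret
    is what produces the non-expiring token; deleting that Secret is how it is revoked."""
    meta = lambda name, ns=None: {"name": name, **({"namespace": ns} if ns else {})}
    return [
        {"apiVersion": "v1", "kind": "ServiceAccount", "metadata": meta(SA_NAME, NAMESPACE)},
        {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
         "metadata": meta(ROLE_NAME),
         # read-only verbs only; note that `get` on secrets still reveals their contents,
         # so narrow apiGroups/resources to what the analyzer actually needs
         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list", "watch"]}]},
        {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
         "metadata": meta(ROLE_NAME),
         "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": ROLE_NAME},
         "subjects": [{"kind": "ServiceAccount", "name": SA_NAME, "namespace": NAMESPACE}]},
        {"apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/service-account-token",
         "metadata": {**meta(f"{SA_NAME}-token", NAMESPACE),
                      "annotations": {"kubernetes.io/service-account.name": SA_NAME}}},
    ]

def build_kubeconfig(cluster, server, ca_pem, token):
    """Mirror the sample layout: one cluster, one context and one user, all named
    datatheorem-<namespace>-<cluster>, with the service account token as credential."""
    ctx = f"datatheorem-{NAMESPACE}-{cluster}"
    return {
        "apiVersion": "v1", "kind": "Config", "preferences": {},
        "clusters": [{"name": cluster, "cluster": {
            "server": server,
            "certificate-authority-data": base64.b64encode(ca_pem.encode()).decode()}}],
        "contexts": [{"name": ctx, "context": {"cluster": cluster, "namespace": NAMESPACE, "user": ctx}}],
        "current-context": ctx,
        "users": [{"name": ctx, "user": {"token": token}}],
    }

if __name__ == "__main__":
    # constructed sample values, not real cluster data
    cfg = build_kubeconfig("arn:aws:eks:eu-west-3:123:cluster/example",
                           "https://example.eks.amazonaws.com",
                           "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n",
                           "eyJ...placeholder")
    print(json.dumps(cfg, indent=2))  # JSON is valid YAML, so kubectl reads it as-is
```

The manifests would be applied with `kubectl apply -f`, and the token read back from the Secret's `data.token` field before being placed in the kubeconfig.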

Step 2: Whitelisting Data Theorem’s IP Addresses

Data Theorem’s analyzer will use the following IP addresses to connect to the Kubernetes API:

  • 34.123.118.75/32

  • 35.188.170.247/32

  • 34.123.250.193/32

You can refer to these guides for clusters managed by cloud providers:

Step 3: Send the generated credentials to Data Theorem

To complete the onboarding process, upload the service account file to the Data Theorem portal in the ASM setup section: https://www.securetheorem.com/cloud/asm-setup.

Start the flow using “Add source” and then “Kubernetes cluster”.