Overview

This article describes the process for onboarding a Kubernetes cluster into Data Theorem.

Requirements

• Admin access to the Kubernetes cluster.

• Whitelisting Data Theorem IP’s to allow Data Theorem’s analyzer to connect to the Kubernetes API.

Step 1: Generate the service account

In order to complete the onboarding process, you will need to execute a script on your machine in order to generate a new service account.

This service account will have read-only permissions and will allow Data Theorem to connect to the Kubernetes cluster API to analyze its configuration.

The script requires:

• cluster-admin access to the Kubernetes cluster.

• kubectl.

• Python 3.7+.

The script will:

• Create a service account for Data Theorem.

• Add a security audit role (with read-only access).

• Link the security audit role to the service account.

• Generate a kube config file for the previously generated service account.

Onboarding Kubernetes cluster on Amazon (EKS)

First you need to retrieve the role ARN of the Kubernetes cluster:

1. Go to the AWS Console

2. Go to EKS

3. On the left hand side, click on Clusters, under Amazon EKS

4. In the list of clusters, search for the cluster name you want to onboard and click on it

5. Then click on the Configuration tab

6. Finally copy the Cluster IAM Role ARN

Then run the script as follows:

python3 datatheorem-k8s-onboarding.py -p aws -o datatheorem_k8s_service_account.yaml --rolearn <ROLE_ARN>

Onboarding Kubernetes cluster on Azure (AKS)

In order to onboard the cluster, it must have the RBAC setting enabled. You can make sure of that by going to the Azure Console and:

1. Kubernetes Services

2. Search for the name of the cluster you want to onboard and click on it

3. Under Settings, click on Cluster configuration

4. Role-based access control (RBAC) must be Enabled

python3 datatheorem-k8s-onboarding.py -p azure -o datatheorem_k8s_service_account.yaml

Onboarding Kubernetes cluster on GCP (GKE)

The gcloud user that runs the script must have the Kubernetes Engine Admin role or higher.

python3 datatheorem-k8s-onboarding.py -p gcp -o datatheorem_k8s_service_account.yaml

Onboarding on-premise and others Kubernetes cluster

python3 datatheorem-k8s-onboarding.py -p onprem -o datatheorem_k8s_service_account.yaml

Step 2: Whitelisting Data Theorem’s IP Addresses

Data Theorem analyzer will use the following IP addresses to connect to the Kubernetes API:

• 34.123.118.75/32

• 35.188.170.247/32

• 34.123.250.193/32

You can refer to these guides for clusters managed by cloud providers:

• https://docs.aws.amazon.com/eks/latest/userguide/cluster-endpoint.html

• https://cloud.google.com/kubernetes-engine/docs/how-to/authorized-networks#add

• https://docs.microsoft.com/en-us/azure/aks/api-server-authorized-ip-ranges#update-a-clusters-api-server-authorized-ip-ranges

Step 3: Send the generated credentials to Data Theorem

To complete the onboarding process, upload the service account file to the Data Theorem portal in the ASM setup section: https://www.securetheorem.com/cloud/asm-setup.

Start the flow using “Add source” and then “Kubernetes cluster”.