Kubernetes Installation
Neo4j version was upgraded to v5.x (from v4.4).
Please follow these steps before upgrading the management console version.
You can install the Management Console on a single Docker host or in a dedicated Kubernetes cluster.
Prerequisites
-
Install and configure kubectl and helm cli to access the kubernetes cluster where ThreatMapper console is installed
-
Configure Persistent Volume:
Cloud Managed
If the Kubernetes cluster is hosted in a cloud provider, it is recommended to use cloud managed storage
kubectl get storageclass
Cloud Provider Storage Class AWS gp3 (https://docs.aws.amazon.com/eks/latest/userguide/ebs-csi.html) GCP standard Self-Managed
If using on-prem kubernetes cluster install and configure a self hostage storage provider like openebs, longhorn, etc.
-
Install the metrics server (optional)
If the metrics server is not already installed (
kubectl get deployment metrics-server -n kube-system
), install as follows:kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
Install the ThreatMapper Management Console
The following instructions explain how to install the ThreatMapper console on a Kubernetes Cluster, and configure external access to the Console.
-
Add Deepfence helm charts repo
helm repo add deepfence https://deepfence-helm-charts.s3.amazonaws.com/threatmapper
helm repo update -
Install the ThreatMapper Console
# helm show values deepfence/deepfence-console --version 2.3.1 | less
helm install deepfence-console deepfence/deepfence-console \
--set global.imageTag=2.3.1 \
--set global.storageClass=gp3 \
--namespace deepfence-console \
--create-namespace \
--version 2.3.1... and wait for the pods to start up:
kubectl get pods --namespace deepfence-console -o wide -w
-
To access ThreatMapper connsole install
deepfence-router
helm chart, this creates aLoadbalancer
type service, the consle can be accessed over the loadbalancer created.To create a ingress service refer section Deploy Router Helm Chart With Ingress Enabled
# helm show values deepfence/deepfence-router --version 2.3.1
helm install deepfence-router deepfence/deepfence-router \
--namespace deepfence-console \
--create-namespace \
--version 2.3.1... and wait for the cloud platform to deploy an external load-balancer:
kubectl get svc -w deepfence-console-router --namespace deepfence-console
Now proceed to the Initial Configuration.
Customise the Helm deployment
Console Helm Chart
-
Save the helm chart values to file
helm show values deepfence/deepfence-console --version 2.3.1 > deepfence_console_values.yaml
infoAll the supported helm chart values are documentd in the
deepfence_console_values.yaml
file generated when above command is run -
Update the
deepfence_console_values.yaml
file as required to change the database password, resource requests, pod/service annotations etc,.Check instructions on Managed Database section for using external database with console
-
Use the updated values file to deploy the ThreatMapper Console
helm install -f deepfence_console_values.yaml deepfence-console deepfence/deepfence-console \
--namespace deepfence-console \
--create-namespace \
--version 2.3.1
Router Helm Chart
-
Save the helm chart values to file
helm show values deepfence/deepfence-router --version 2.3.1 > deepfence_router_values.yaml
infoAll the supported helm chart values are documentd in the
deepfence_router_values.yaml
file generated when above command is run -
Update the
deepfence_router_values.yaml
file as required to enable seperate serivce for agents access or to enable ingress -
Use the updated values file to deploy the ThreatMapper Console Router
helm install -f deepfence_router_values.yaml deepfence-router deepfence/deepfence-router \
--namespace deepfence-console \
--create-namespace \
--version 2.3.1
Deploy Router Helm Chart With Ingress Enabled
-
Install the supported ingress controller service on the cluster
-
Save the helm chart values to file
helm show values deepfence/deepfence-router --version 2.3.1 > deepfence_router_values.yaml
infoAll the supported helm chart values are documentd in the
deepfence_router_values.yaml
file generated when above command is run -
Update the
deepfence_router_values.yaml
file to enable ingress setservice.type=Ingress
and updated the ingress section according to the ingress cotroller installed on the cluster, below example assumes nginx ingress controllerservice:
name: deepfence-console-router
type: Ingress # LoadBalancer/NodePort/Ingress/ClusterIP
# ingress configuration for console
ingress:
## name of the ingress class for ingress provider installed on the cluster, cannot be empty
## Example: nginx
class: nginx
## host example: threat.example.com
host: "threatmapper.example.com"
## annotations to customize ingress
annotations:
## nginx ingress annotations
nginx.ingress.kubernetes.io/backend-protocol: HTTPS
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-body-size: 200m -
Use the updated values file to deploy the ThreatMapper Console Router
helm install -f deepfence_router_values.yaml deepfence-router deepfence/deepfence-router \
--namespace deepfence-console \
--create-namespace \
--version 2.3.1
Delete the ThreatMapper Management Console
To delete the ThreatMapper Management Console
helm delete deepfence-router -n deepfence-console
helm delete deepfence-console -n deepfence-console