Onboard a Kubernetes Cluster

You can onboard a Kubernetes cluster to CloudGuard Native. When this is done, you see clusters, nodes, and pods in the CloudGuard Native Cloud Inventory page, and are able to run compliance assessments on them.

The cluster can be on an on-premises host, or on in a cloud environment, including managed Kubernetes environments such as AKS on Azure, EKS on AWS, and GKE on GCP Cloud.

As part of the onboarding process, a CloudGuard Native agent is deployed on the cluster, which reports information back to CloudGuard Native. This information shows details of the inventory (resources) of the cluster, which is used, for example, to run compliance assessments on the cluster. The CloudGuard Native agent communicates with CloudGuard Native over the internet.

Supported Kubernetes versions

  • Kubernetes v1.12 and higher

  • Helm v3.0 and higher

Required Permissions

The CloudGuard Native agent requires Kubernetes list and get permissions for these resources:

  • pods

  • nodes

  • nodes/proxy

  • services

  • ingresses

  • networkpolicies

  • podsecuritypolicies

  • roles

  • rolebindings

  • clusterroles

  • clusterrolebindings

  • globalnetworkpolicies

  • serviceaccounts.

Connectivity Requirements

The CloudGuard Native pod must have connectivity to both CloudGuard Native (https://api-cpx.dome9.com) and the Quay image registry (https://quay.io/checkpoint).

If the CloudGuard Native pod image is uploaded to a private repository, connectivity to Quay is not necessary. In this case, the Helm chart parameter image.repository should be changed to indicate this (the location of the image). See https://github.com/CheckPointSW/charts/tree/master/checkpoint/cp-resource-management for more information about setting this parameter.

Onboard a Cluster

Follow the steps below to onboard a Kubernetes cluster to CloudGuard Native.

  1. In the CloudGuard Native portal, select the Asset menu, navigate to Environments page, click Add New and then select Kubernetes Cluster.

  2. Enter a name for the cluster, as it later appears in CloudGuard Native.

  3. Follow the onscreen instructions to complete these steps

    • Select an API Key, or generate a new key (see here for details on creating an API Key)

    • Enter a name for the Kubernetes namespace in which the agent will be deployed (or leave the default name, checkpoint)

  4. Click NEXT to proceed to the next step.

  1. Select the Organizational Unit with which the onboarded cluster will be associated. If no Org Unit is selected, the root (top-level) unit will be used.

  2. Click NEXT.

  1. Follow the onscreen steps, to deploy the agent, using Helm or Kubectl.

  2. Click NEXT.

After the agent is deployed, CloudGuard Native will access the cluster, through the agent, to obtain information about the assets, and synchronize with it. This will take a few minutes (according to the number of assets in the cluster).

If the process does not complete, click CANCEL or BACK.

After CloudGuard Native synchronized with the new cluster, a summary of the assets found in the cluster is shown, which indicates that the onboardind process is complete.

Onboarding Automation

Follow these steps to automate the onboarding process from the command line.

  1. Create or update these environmental variables: $API_KEY, $ API_SECRET, $CLUSTER_NAME, where the API  Key and Secret are generated on the CloudGuard Native UI (see Create a CloudGuard Native API Key).

  2. Run the following command to create a Kubernetes 'account' on CloudGuard Native:

    curl -s -X POST https://api.dome9.com/v2/KubernetesAccount --header 'Content-Type: application/json' --header 'Accept: application/json' -d "{\"name\" : \"$CLUSTER_NAME\"}" --user $API_KEY:$API_SECRET)

  3. Extract the Cluster Id from the response:

    CLUSTER_ID=$(echo $CREATION_RESPONSE | jq -r '.id')

  4. Run the following command on the each cluster:

    helm repo add checkpoint https://raw.githubusercontent.com/CheckPointSW/charts/master/repository/

    helm install asset-mgmt checkpoint/cp-resource-management --set-string credentials.user=$API_KEY --set-string credentials.secret=$API_SECRET --set-string clusterID=$CLUSTER_ID --namespace $NAMESPACE

Example

#!/bin/bash
# Create environmental variables for the API Key, API Secret, and Cluster name.
export API_KEY=372e5df3-db03-432d-bf46-cb4261efb317
export API_SECRET=on3cs1ambgv4tnbs6kiwb1ws
export CLUSTER_NAME=auto-cluster
export NAMESPACE=checkpoint
 
# Onboard the cluster
export CREATION_RESPONSE=$(curl -s -X POST https://api.dome9.com/v2/KubernetesAccount --header 'Content-Type: application/json' --header 'Accept: application/json' \-d "{\"name\" : \"$CLUSTER_NAME\"}" --user $API_KEY:$API_SECRET)
export CLUSTER_ID=$(echo $CREATION_RESPONSE | jq -r '.id')
 
# if the designated namespace already exists, comment out the following line
kubectl create namespace $NAMESPACE
 
# Deploy the Asset Management agent on the cluster using Helm
export NAMESPACE=checkpoint
helm repo add checkpoint https://raw.githubusercontent.com/CheckPointSW/charts/master/repository/
helm install asset-mgmt checkpoint/cp-resource-management --set-string credentials.user=$API_KEY --set-string credentials.secret=$API_SECRET --set-string clusterID=$CLUSTER_ID --namespace $NAMESPACE
# Check the status of the cluster
curl -s https://api.dome9.com/v2/KubernetesAccount/$CLUSTER_ID/AccountSummary --user $API_KEY:$API_SECRET

Upgrade the agent

Follow the steps below to upgrade the agent from an earlier version to v1.1.0

For an agent installed using Helm 3:

helm repo update

helm upgrade asset-mgmt checkpoint/cp-resource-management -n checkpoint

For an agent installed without Helm:

kubectl replace -f https://secure.dome9.com/v2/assets/files/upgrade_cp-resource-ver-1.1.0.yaml --namespace checkpoint

Note:

The same method (Helm or kubectl) must be used to upgrade the agent as was used to install it originally (the methods cannot be switched). In order to switch methods, the agent must be uninstalled (see instructions following).

If unsure how the agent was originally installed, use this command:

kubectl get deployment --namespace checkpoint -l app.kubernetes.io/managed-by=Helm --show-labels

If you use Helm, a deployment is listed like this:

NAME                                READY   UP-TO-DATE   AVAILABLE   AGE   LABELS
asset-mgmt-cp-resource-management   1/1     1            1           16m   app.kubernetes.io/instance=asset-mgmt,app.kubernetes.io/managed-by=Helm,app.kubernetes.io/name=cp-resource-management,helm.sh/chart=cp-resource-management-1

Uninstall the Agent

Using Helm:

helm uninstall asset-mgmt -n checkpoint

Not using Helm:

Kubectl delete namespace checkpoint
Kubectl delete clusterrole cp-resource-management
Kubectl delete clusterrolebinding cp-resource-management

Note:

After uninstalling the agent, follow the steps (above) to fully install it, not the upgrade procedure.