Onboarding Kubernetes Clusters

You can onboard a Kubernetes cluster to CloudGuard. When the process completes, the cluster, its nodes, pods, and other resources appear on the CloudGuard Assets page. You can then run compliance assessments on them and use the data for additional security functionality, such as Runtime Protection and Image Assurance.

The cluster can be on an on-premises host or in a cloud environment, including managed Kubernetes environments such as AKS on Azure, EKS on AWS, and GKE on GCP Cloud.

As part of the onboarding process, CloudGuard agents are deployed on the cluster. The CloudGuard agents send encrypted information back to the CloudGuard server over the internet.

For information on Kubernetes versions and container requirements, see Kubernetes Containers.

Onboarding a Cluster Manually

Follow the steps below to manually onboard a Kubernetes cluster to CloudGuard:

Onboarding a Cluster with Automation

Follow these steps to automate the onboarding process from the command line:

  1. Create or update these environment variables: $API_KEY, $API_SECRET, $CLUSTER_NAME, where the API Key and Secret are generated on the CloudGuard portal (see V2 API).

  2. Run this command to create a Kubernetes account on CloudGuard and capture the response:

    CREATION_RESPONSE=$(curl -s -X POST https://api.us1.cgn.portal.checkpoint.com/v2/kubernetes/account --header 'Content-Type: application/json' --header 'Accept: application/json' -d "{\"name\" : \"$CLUSTER_NAME\"}" --user $API_KEY:$API_SECRET)

  3. Extract the Cluster ID from the response:

    CLUSTER_ID=$(echo $CREATION_RESPONSE | jq -r '.id')

  4. Enable the required features:

    curl -X POST https://api.us1.cgn.portal.checkpoint.com/v2/kubernetes/account/$CLUSTER_ID/imageAssurance/enable \
      --user $API_KEY:$API_SECRET
    curl -X POST https://api.us1.cgn.portal.checkpoint.com/v2/kubernetes/account/$CLUSTER_ID/admissionControl/enable \
      --user $API_KEY:$API_SECRET
    curl -X POST https://api.us1.cgn.portal.checkpoint.com/v2/kubernetes/account/$CLUSTER_ID/runtimeProtection/enable \
      --user $API_KEY:$API_SECRET

  5. Run these commands on each cluster:

    helm install asset-mgmt cloudguard --repo https://raw.githubusercontent.com/CheckPointSW/charts/master/repository/ \
    --set-string credentials.user=$API_KEY \
    --set-string credentials.secret=$API_SECRET \
    --set-string clusterID=$CLUSTER_ID \
    --set addons.imageScan.enabled={true|false} \
    --set addons.admissionControl.enabled={true|false} \
    --set addons.runtimeProtection.enabled={true|false} --namespace $NAMESPACE

Note - The *.enabled flags can be set to false or omitted if you do not want to enable the corresponding features.

For Non-Helm automation, run this command in step 5:

kubectl run cloudguard-install --rm --image alpine/helm --tty \
--stdin --quiet --restart=Never --command \
-- helm template asset-mgmt cloudguard \
--repo https://raw.githubusercontent.com/CheckPointSW/charts/master/repository/ \
--set credentials.user=$API_KEY \
--set credentials.secret=$API_SECRET \
--set clusterID=$CLUSTER_ID \
--set addons.imageScan.enabled={true|false} \
--set addons.admissionControl.enabled={true|false} \
--set addons.runtimeProtection.enabled={true|false} \
--namespace $NAMESPACE \
--set containerRuntime=containerd > cloudguard-install.yaml
kubectl apply -f cloudguard-install.yaml

  • If your cluster uses a Docker or CRI-O runtime environment, change the containerRuntime flag to:

    --set containerRuntime=docker or --set containerRuntime=cri-o.

  • If your cluster platform is OpenShift 4+ or Tanzu, before output redirection, add:

    --set platform=openshift or --set platform=tanzu.
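The following script runs steps 1 to 5 end to end with the input checks and failure handling an onboarding pipeline needs. It is added here as an example and is not part of the CloudGuard documentation; it assumes the API host and chart repository shown above, parses the creation response with sed instead of jq, and uses three variables of its own (ENABLE_IMAGE_SCAN, ENABLE_ADMISSION, ENABLE_RUNTIME) in place of the {true|false} placeholders.

```shell
# Added example (not Check Point's tooling): steps 1-5 above with input
# checks and failure handling. Assumes the same API host and chart repo as
# the steps; ENABLE_IMAGE_SCAN/ENABLE_ADMISSION/ENABLE_RUNTIME are "true"
# or "false" from the caller (anything else counts as false).
set -eu
API_BASE="https://api.us1.cgn.portal.checkpoint.com/v2/kubernetes/account"
CHART_REPO="https://raw.githubusercontent.com/CheckPointSW/charts/master/repository/"
# Step 1: refuse to start while any onboarding input is missing.
require_env() {
  for v in API_KEY API_SECRET CLUSTER_NAME NAMESPACE; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || { echo "missing \$$v" >&2; return 1; }
  done
}
# Step 3 without jq: take "id" from the flat creation response and refuse
# an empty one, so a failed creation never yields agents with no cluster id.
cluster_id_from_response() {
  id=$(printf '%s' "$1" | sed -n 's/.*"id" *: *"\([^"]*\)".*/\1/p')
  [ -n "$id" ] || { echo "no cluster id in response: $1" >&2; return 1; }
  printf '%s' "$id"
}
# Chart flag for one add-on; only the literal "true" enables it.
addon_flag() {  # addon_flag <addonName> <true|false>
  case "$2" in true) on=true ;; *) on=false ;; esac
  printf -- '--set addons.%s.enabled=%s' "$1" "$on"
}
onboard() {
  require_env
  # Step 2: create the account; -f turns an HTTP error into a failed step.
  resp=$(curl -sSf -X POST "$API_BASE" --user "$API_KEY:$API_SECRET" \
    -H 'Content-Type: application/json' -H 'Accept: application/json' \
    -d "{\"name\": \"$CLUSTER_NAME\"}")
  CLUSTER_ID=$(cluster_id_from_response "$resp")
  # Step 4: enable server-side exactly the add-ons that step 5 installs.
  for pair in imageAssurance:"${ENABLE_IMAGE_SCAN:-false}" \
      admissionControl:"${ENABLE_ADMISSION:-false}" \
      runtimeProtection:"${ENABLE_RUNTIME:-false}"; do
    if [ "${pair#*:}" = true ]; then
      curl -sSf -X POST "$API_BASE/$CLUSTER_ID/${pair%%:*}/enable" --user "$API_KEY:$API_SECRET"
    fi
  done
  # Step 5: Helm install with add-on flags derived from the same values.
  helm install asset-mgmt cloudguard --repo "$CHART_REPO" --namespace "$NAMESPACE" \
    --set-string credentials.user="$API_KEY" --set-string credentials.secret="$API_SECRET" \
    --set-string clusterID="$CLUSTER_ID" \
    $(addon_flag imageScan "${ENABLE_IMAGE_SCAN:-false}") \
    $(addon_flag admissionControl "${ENABLE_ADMISSION:-false}") \
    $(addon_flag runtimeProtection "${ENABLE_RUNTIME:-false}")
}
if [ "${1:-}" = run ]; then onboard; fi
```

Invoke it as `sh onboard.sh run` with the variables exported; without the `run` argument it only defines the functions.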


Upgrade the Agent

Agreed assumptions:

  • The environment variables $API_KEY, $API_SECRET, $CLUSTER_NAME, $NAMESPACE have the same values as during onboarding

  • Image Assurance and Admission Control are enabled

For agents installed with Helm 3, use the command below to upgrade all agents to the latest version:

helm upgrade asset-mgmt cloudguard --repo \
https://raw.githubusercontent.com/CheckPointSW/charts/master/repository/ \
--set-string credentials.user=$API_KEY \
--set-string credentials.secret=$API_SECRET \
--set-string clusterID=$CLUSTER_ID \
--set addons.imageScan.enabled={true|false} \
--set addons.admissionControl.enabled={true|false} \
--set addons.runtimeProtection.enabled={true|false} \
--namespace $NAMESPACE

Uninstall the Agent

During the process of onboarding, CloudGuard generates the cloudguard-install.yaml file that you use to uninstall the agents.

With Helm:

helm uninstall asset-mgmt --namespace $NAMESPACE

With kubectl:

kubectl delete -f cloudguard-install.yaml --namespace $NAMESPACE

Note - To install agents again after you have uninstalled them, follow Step 3 - Deploy the agent on the cluster and not the upgrade procedure.

Troubleshooting: Cluster behind a Gateway

If the traffic passes from the cluster to the Internet through a Security Gateway with HTTPS inspection, you have to configure a customer CA (Certificate Authority) certificate for the agents.

  1. Put the customer Base64 PEM-encoded CA certificate in a configmap in the relevant namespace.

    For example:

    kubectl -n <namespace> create configmap ca-store --from-file=custom_ca.cer=<PATH_TO_CA_CERTIFICATE_FILE>

  2. Mount the file into the containers at the locations shown below:

    Container   Pod                                     Location
    inventory   inventory                               custom/custom_ca.cer
    engine      imagescan-engine                        /etc/ssl/cert.pem
    fluentbit   imagescan-engine and imagescan-daemon   /etc/ssl/certs/ca-certificates.crt
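One way to carry out step 2 for the rows with an absolute location, added here as an example and not taken from the CloudGuard documentation: it generates a strategic-merge patch that mounts the ca-store configmap key as a single file and applies it with kubectl. It assumes imagescan-engine is a Deployment and imagescan-daemon a DaemonSet with those names, and that $NAMESPACE is the agents' namespace; the inventory row is left out because its location is printed above as a relative path.

```shell
# Added example, not from the CloudGuard docs: builds and applies the mount
# that step 2 describes, one call per table row with an absolute location.
# Assumptions: imagescan-engine is a Deployment and imagescan-daemon a
# DaemonSet of the same names; the configmap is ca-store with key
# custom_ca.cer, as created in step 1; $NAMESPACE is the agents' namespace.
set -eu

# Strategic-merge patch mounting one configmap key as a single file.
# subPath keeps the rest of the target directory (e.g. /etc/ssl) intact
# instead of hiding it behind the whole configmap; the trade-off is that a
# subPath mount does not pick up later configmap edits until the pod restarts.
ca_mount_patch() {  # ca_mount_patch <container> <absolute mountPath>
  case "$2" in /*) ;; *) echo "mountPath must be absolute: $2" >&2; return 1 ;; esac
  printf '{"spec":{"template":{"spec":{"volumes":[{"name":"ca-store",'
  printf '"configMap":{"name":"ca-store"}}],"containers":[{"name":"%s",' "$1"
  printf '"volumeMounts":[{"name":"ca-store","mountPath":"%s",' "$2"
  printf '"subPath":"custom_ca.cer"}]}]}}}}'
}

# Patch one workload; the changed pod template triggers a rollout, so the
# new pods start with the customer CA already in place.
mount_ca() {  # mount_ca <kind/name> <container> <mountPath>
  kubectl -n "$NAMESPACE" patch "$1" --type strategic -p "$(ca_mount_patch "$2" "$3")"
}

if [ "${1:-}" = run ]; then
  mount_ca deployment/imagescan-engine engine    /etc/ssl/cert.pem
  mount_ca deployment/imagescan-engine fluentbit /etc/ssl/certs/ca-certificates.crt
  mount_ca daemonset/imagescan-daemon  fluentbit /etc/ssl/certs/ca-certificates.crt
fi
```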