Troubleshooting Kubernetes Onboarding
Deploying the Agent
- Make sure the agent pods are deployed. To list the pods, run:
kubectl -n <namespace> get pods
If a pod exists but is not ready, get the pod's details:
kubectl describe -n <namespace> pod <pod_name>
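Optionally, recent events in the namespace often reveal scheduling or image pull problems. This extra check is not part of the procedure above, but can help:
kubectl -n <namespace> get events --sort-by=.lastTimestamp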
- Review the Kubernetes logs for errors. To get the logs, run:
kubectl -n <namespace> logs <pod_name> [-c container_name]
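If a container restarts repeatedly, the logs of its previous instance may contain the relevant error. For example:
kubectl -n <namespace> logs <pod_name> -c <container_name> --previous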
- Make sure the pods have connectivity to CloudGuard.
The pod must have HTTPS (port 443) connectivity to https://api-cpx.dome9.com.
Check these entities for possible configuration issues that prevent the agent's connectivity:
- Proxy
- Network Policy
- Security Groups
- Firewall rules
You can install a different pod that has curl (for example, an Alpine pod) in the same namespace with the same labels, exec into it, and do a connectivity check to the above URL with curl:
apk update ; apk add curl ; curl -k https://api-cpx.dome9.com/namespaces -X POST
If there is connectivity with the CloudGuard backend, the response is {"message":"Unauthorized"}.
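As an alternative sketch (the pod name cg-connectivity-test is only an example), you can start a temporary Alpine pod in the namespace and run the same check interactively (run the second command inside the pod's shell):
kubectl -n <namespace> run cg-connectivity-test --rm -it --image=alpine -- sh
apk update ; apk add curl ; curl -k https://api-cpx.dome9.com/namespaces -X POST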
- Make sure the nodes can connect to the Image Registry.
The node needs HTTPS (port 443) connectivity to the Quay registry. If you see an image pull error, make a connectivity check to:
https://quay.io/checkpoint/
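For example, from a node (or a pod scheduled on that node) you can test reachability with curl; this is an informal check, not an official procedure:
curl -sSI https://quay.io/checkpoint/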
Cluster Behind a Gateway
If the traffic passes from the cluster to the Internet through a Security Gateway with HTTPS inspection, you have to configure a customer CA (Certificate Authority) certificate for the agents.
- Put the customer Base64 PEM-encoded CA certificate in a configmap in the applicable namespace.
For example, if the CA certificate is in the file ca.cer:
kubectl -n <namespace> create configmap ca-store --from-file=ca.cer=<PATH_TO_CA_CERTIFICATE_FILE>
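To confirm that the configmap was created with the expected key, you can run, for example:
kubectl -n <namespace> describe configmap ca-store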
- Install the file on the containers at /etc/ssl/cert.pem.
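As an optional check, assuming the agent containers allow exec, you can verify that the certificate is present at that path:
kubectl -n <namespace> exec <pod_name> -- cat /etc/ssl/cert.pem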
Blocked or Unreported Clusters
You must onboard each cluster with its own Environment ID. If the same Environment ID is used for several clusters in parallel, the clusters are blocked and do not report. An example of this is seen in the agent's logs:
cloudAccount marked as blocked
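To search the agent logs for this message, one option is:
kubectl -n <namespace> logs <pod_name> | grep -i "marked as blocked"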
An equivalent error shows on the Environment page of the CloudGuard portal.
To correct the issue:
- Offboard the CloudGuard agents that share the same ID from the unnecessary cluster with this command:
helm uninstall asset-mgmt --namespace <namespace>
- After you offboard the unnecessary clusters, use the API request to correct multiple onboardings and make sure the issue is resolved.
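Before you continue with the API request, you can confirm that the agents were removed from the unnecessary cluster, for example:
helm list --namespace <namespace>
kubectl -n <namespace> get pods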
Important - The API request requires special CloudGuard privileges. The credentials (username and password) in this request must belong to a CloudGuard Service Account with the Manage Resources permission. This is opposed to the username and password used when you configured the agents, which only allow data to be reported to the backend. To configure the privileges, follow the steps below.
To configure CloudGuard privileges for Manage Resources:
- In the CloudGuard menu, navigate to Settings > Service Accounts and select Add Account.
- In Selected Roles, select a role with the Manage Resources permissions or create a new role with these permissions.
For more information about roles and service accounts, see Users & Roles.
Installation of Agents Fails in Clusters with OPA Gatekeeper
When OPA (Open Policy Agent) Gatekeeper is configured in a cluster with custom block policies, the installation of the CloudGuard agents can fail, for example, because of the required permissions. For a successful installation, you must exclude the CloudGuard agents from OPA Gatekeeper enforcement.
To do this, add an exclusion for the CloudGuard agents' namespace to the Gatekeeper configuration, as described in the Gatekeeper documentation.
- Create the Gatekeeper config with the statement below:
apiVersion: config.gatekeeper.sh/v1alpha1
kind: Config
metadata:
  name: config
  namespace: GATEKEEPER-NAMESPACE
spec:
  match:
    - excludedNamespaces: ["CLOUDGUARD-NAMESPACE"]
      processes: ["*"]
- If the Gatekeeper config already exists, update it to include the statement below:
    - excludedNamespaces: ["CLOUDGUARD-NAMESPACE"]
      processes: ["*"]
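For example, assuming you save the statement above to a file named gatekeeper-config.yaml (the file name is arbitrary), you can create or update the config with:
kubectl apply -f gatekeeper-config.yaml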
How to Enable Debugging
- Edit the deployment and set the debug level:
kubectl -n <namespace> set env deployment <deployment> LOG_LEVEL=debug
- Check the logs to make sure that debug-level messages appear.
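To confirm that the variable was applied to the deployment, one option is:
kubectl -n <namespace> set env deployment <deployment> --list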
How to Collect CloudGuard Container Release Information
To collect this information for more troubleshooting, download the cloudguard-container-info-collect-v2.sh shell script from the Download Center. Before you run the script, make it executable with this command:
chmod +x cloudguard-container-info-collect-v2.sh
Script prerequisites:
- The user must have kubectl and helm installed on the server that runs this script, and the kubeconfig context set to the related cluster.
- The user must have the correct permissions to run the helm and kubectl commands for the applicable cluster.
- These common Linux commands must be available: rm, tar, and mkdir.
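A quick, informal way to confirm these prerequisites from the shell:
kubectl version --client
helm version
kubectl config current-context
command -v rm tar mkdir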
Default assumptions:
- Helm release name: asset-mgmt
- Namespace: checkpoint
- The script collects CloudGuard CRDs (Custom Resource Definitions).
Syntax:
./cloudguard-container-info-collect-v2.sh [-h | -c | -d | -m | -n | -o | -r]
Parameters:
Parameter | Description
---|---
-h | Shows the built-in help.
-c | Specifies if the script has to collect CloudGuard CRDs. By default, the CRDs are collected.
-d | Runs the script in debug mode.
-m | Specifies if the script has to collect metrics for the CloudGuard agent containers. Default: disabled.
-n | Specifies the namespace.
-o | Specifies the custom name for the output TAR archive.
-r | Specifies the Helm release name.
In the command below, the script collects debug information for the CloudGuard solution deployed in a custom namespace (cp) with a custom release name (cp-asset). The script does not collect CloudGuard CRDs (Custom Resource Definitions) and saves the debug archive with the provided name (cp-debug.tar.gz):
./cloudguard-container-info-collect-v2.sh --release cp-asset --namespace cp --crd no --o cp-debug.tar.gz
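To inspect the collected data afterwards, you can extract the archive, for example:
tar -xzf cp-debug.tar.gz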
More Links