kube-enforcer

Aqua Security KubeEnforcer Helm Charts

This page provides instructions for using HELM charts to configure and deploy the Aqua KubeEnforcer.

Contents

• Aqua Security KubeEnforcer Helm Charts
  • Contents
  • Prerequisites
    • Container registry credentials
    • Clone the GitHub repository with the charts
    • Configure TLS authentication between the KubeEnforcer and the API Server
  • Deploy the HELM chart
    • Deploy Aqua Kube-Enforcer from Github repository
    • Deploy Aqua Kube-Enforcer from Helm private repository
  • Configuration for discovery
  • Configuration for performing kube-bench scans
  • Configurable parameters
  • Issues and feedback

Prerequisites

Container registry credentials

Link

Clone the GitHub repository with the charts

git clone https://github.com/aquasecurity/aqua-helm.git
cd aqua-helm/

Configure TLS authentication between the KubeEnforcer and the API Server

You need to enable TLS authentication from the API Server to the KubeEnforcer. Perform these steps:

Create TLS certificates which are signed by the local CA certificate. We will pass these certificates with a HELM command to enable TLS authentication between the KubeEnforcer and the API Server to receive events from the validatingwebhookconfiguration for Image Sssurance functionality.

You can generate these certificates by executing the script:

./kube-enforcer/gen-certs.sh

You can also use your own certificates without generating new ones for TLS authentication. All we need is a root CA certificate, a certificate signed by a CA, and a certificate key.

You can optionally configure the certificates generated from the script above in the values.yaml file.

You need to encode the certificates into base64 for ca.crt, server.crt and server.key using this command:

cat <file-name> | base64 | tr -d '\n'

Provide the certificates previously obtained in the fields of the values.yaml file, as indicated here:

certsSecret:
  name: aqua-kube-enforcer-certs
  serverCertificate: "<server.crt>"
  serverKey: "<server.key>"

webhooks:
  caBundle: "<ca.crt>"

Optionally, you can provide these certificates in base64 encoded format as flags: a. certsSecret.serverCertificate="<base64_encoded_server.crt>" b. certsSecret.serverKey="<base64_encoded_server.key>" c. webhooks.caBundle="<base64_encoded_ca.crt>"

Deploy the HELM chart

Deploy Aqua Kube-Enforcer from Github repository

1. Clone the GitHub repository with the charts:

   $ git clone -b 6.2 https://github.com/aquasecurity/kube-enforcer-helm.git

2. (Optional) Update the Helm charts values.yaml file with your environment's custom values, registry secret, Aqua Server (console) credentials, and TLS certificates. This eliminates the need to pass the parameters to the HELM command. Then run one of the following commands to deploy the relevant services.

3. Choose either 3a or 3b:

   3a. To deploy the KubeEnforcer on the same cluster as the Aqua Server (console), run this command on that cluster:

   $ helm upgrade --install --namespace aqua kube-enforcer ./kube-enforcer

   3b. Multi-cluster: To deploy the KubeEnforcer in a different cluster:

   First, create a namespace on that cluster named aqua:

   $ kubectl create namespace aqua

   Next, run the following command:

   $ helm upgrade --install --namespace aqua kube-enforcer ./kube-enforcer --set envs.gatewayAddress="<Aqua_Remote_Gateway_IP/URL>",imageCredentials.username=<registry-username>,imageCredentials.password=<registry-password>

Deploy Aqua Kube-Enforcer from Helm private repository

1. Add Aqua Helm Repository

   $ helm repo add aqua-helm https://helm.aquasec.com

2. (Optional) Update the Helm charts values.yaml file with your environment's custom values, registry secret, Aqua Server (console) credentials, and TLS certificates. This eliminates the need to pass the parameters to the HELM command. Then run one of the following commands to deploy the relevant services.

3. Check for available chart versions either from Changelog or by running the below command

$ helm search repo aqua-helm/kube-enforcer --versions

4. Choose either 4a or 4b:

   4a. To deploy the KubeEnforcer on the same cluster as the Aqua Server (console), run this command on that cluster:

   $ helm upgrade --install --namespace aqua kube-enforcer aqua-helm/kube-enforcer

   4b. Multi-cluster: To deploy the KubeEnforcer in a different cluster:

   First, create a namespace on that cluster named aqua:

   $ kubectl create namespace aqua

   Next, copy the values.yaml content from Values.yaml and make the respective changes then run the following command:

   $ helm upgrade --install --namespace aqua kube-enforcer aqua-helm/kube-enforcer --values values.yaml --version <>

Optional flags:

Flag	Description
--namespace	defaults to aqua
--aquaSecret.kubeEnforcerToken	defaults to ""; you can find the KubeEnforcer token from Aqua Enterprise under the Enforcers screen in the default/custom KubeEnforcer group, or you can manually approve KubeEnforcer authentication from Aqua Enterprise under the default/custom KubeEnforcer group in the Enforcers screen.

Configuration for discovery

To perform discovery on the cluster, the KubeEnforcer needs a dedicated ClusterRole with get, list, and watch permissions on pods, secrets, nodes, namespaces, deployments, ReplicaSets, ReplicationEontrollers, StatefulSets, DaemonSets, jobs, CronJobs, ClusterRoles, ClusterRoleBindings, and ComponentStatuses`.

Configuration for performing kube-bench scans

To perform kube-bench scans in the cluster, the KubeEnforcer needs:

• A dedicated role in the aqua namespace with get, list, and watch permissions on pods/log
• create and delete permissions on jobs

Configurable parameters

Parameter	Description	Default	Mandatory
imageCredentials.create	Set to create new pull image secret	true	YES - New cluster
imageCredentials.name	Your Docker pull image secret name	aqua-registry-secret	YES - New cluster
imageCredentials.username	Your Docker registry (DockerHub, etc.) username	N/A	YES - New cluster
imageCredentials.password	Your Docker registry (DockerHub, etc.) password	N/A	YES - New cluster
clusterName	Cluster name registered with Aqua in Infrastructure tab	N/A	NO
aquaSecret.create	Set to create the Aqua KubeEnforcer token secret	true	YES
aquaSecret.kubeEnforcerToken	Aqua KubeEnforcer token	N/A	YES
certsSecret.create	Set to create new secret for KE certs	true	YES
certsSecret.name	Secret name for KE certs	aqua-kube-enforcer-certs	YES
certsSecret.serverCertificate	Certificate for TLS authentication with the Kubernetes api-server	N/A	YES
certsSecret.serverKey	Certificate key for TLS authentication with the Kubernetes api-server	N/A	YES
webhooks.caBundle	Root certificate for TLS authentication with the Kubernetes api-server	N/A	YES
envs.gatewayAddress	Gateway host address	aqua-gateway-svc:8443	YES
kubeEnforcerAdvance.enable	Advance Kube Enforcer Deployment	false	NO
kubeEnforcerAdvance.nodeID	Envoy Node ID of the advance KE deployment	envoy	YES - if kubeEnforcerAdvance.enable
nodeSelector	Kubernetes node selector	{}	NO

Issues and feedback

If you encounter any problems or would like to give us feedback on this deployment, we encourage you to raise issues here on GitHub.