Install MicroPerimeter™ Security components

Install MicroPerimeter

Install EFK

The first component we will install is EFK (Elasticsearch + Fluentd + Kibana). It’s required to store all audit/access events and provide data for visualizations on MicroPerimeter™ Dashboard.

To install EFK, use the following helm command:

helm upgrade \
  --install efk \
  -f helm/registry/docker-microperimeter.artifactory.cloudentity.com/registry.yaml \
  --set global.registry=docker-microperimeter.artifactory.cloudentity.com \
  --namespace=kube-system \
  --wait helm/efk

The output should report a successful deployment:

Release "efk" does not exist. Installing it now.
NAME:   efk
LAST DEPLOYED: Wed May 15 15:32:58 2019
NAMESPACE: kube-system
STATUS: DEPLOYED

RESOURCES:
==> v1/ClusterRole
NAME                   AGE
efk-fluentd            3m14s
elasticsearch-logging  3m14s

==> v1/ClusterRoleBinding
NAME                   AGE
efk-fluentd            3m14s
elasticsearch-logging  3m14s

==> v1/ConfigMap
NAME                       DATA  AGE
efk-curator                2     3m14s
efk-fluentd-config-v0.1.5  6     3m14s

==> v1/DaemonSet
NAME         DESIRED  CURRENT  READY  UP-TO-DATE  AVAILABLE  NODE SELECTOR  AGE
efk-fluentd  1        1        1      1           1          <none>         3m14s

==> v1/Deployment
NAME        READY  UP-TO-DATE  AVAILABLE  AGE
efk-kibana  1/1    1           1          3m14s

==> v1/Job
NAME                   COMPLETIONS  DURATION  AGE
elasticsearch-logging  0/1          3m14s     3m14s

==> v1/Pod(related)
NAME                          READY  STATUS   RESTARTS  AGE
efk-curator-74cff5fc8c-nzc6n  1/1    Running  0         3m14s
efk-fluentd-6xbft             1/1    Running  0         3m14s
efk-kibana-5bdcc8fd8b-tt94x   1/1    Running  0         3m14s
elasticsearch-logging-0       1/1    Running  0         3m14s

==> v1/Secret
NAME         TYPE                     DATA  AGE
efk          kubernetes.io/dockercfg  1     3m14s
efk-curator  kubernetes.io/dockercfg  1     3m14s
efk-fluentd  kubernetes.io/dockercfg  1     3m14s
efk-kibana   kubernetes.io/dockercfg  1     3m14s

==> v1/Service
NAME                   TYPE       CLUSTER-IP      EXTERNAL-IP  PORT(S)   AGE
efk-curator            ClusterIP  10.107.105.161  <none>       80/TCP    3m14s
efk-kibana             ClusterIP  10.102.166.202  <none>       5601/TCP  3m14s
elasticsearch-logging  ClusterIP  10.106.162.230  <none>       9200/TCP  3m14s

==> v1/ServiceAccount
NAME                   SECRETS  AGE
efk-fluentd            1        3m14s
elasticsearch-logging  1        3m14s

==> v1/StatefulSet
NAME                   READY  AGE
elasticsearch-logging  1/1    3m14s

==> v1beta1/Deployment
NAME         READY  UP-TO-DATE  AVAILABLE  AGE
efk-curator  1/1    1           1          3m14s

Install MicroPerimeter™ System components

Having the EFK up and running we can move to the installation of MicroPerimeter™ System components.

To install it please execute the following command:

helm upgrade \
  --install microperimeter-system \
  -f helm/registry/docker-microperimeter.artifactory.cloudentity.com/registry.yaml \
  -f values.yaml \
  --set global.tag=2.6.0 \
  --set global.registry=docker-microperimeter.artifactory.cloudentity.com \
  --namespace=microperimeter-system \
  --wait helm/microperimeter-system

The output of the above command provides details of what was installed and initialized.

Release "microperimeter-system" does not exist. Installing it now.
NAME:   microperimeter-system
LAST DEPLOYED: Wed May 15 15:51:20 2019
NAMESPACE: microperimeter-system
STATUS: DEPLOYED

RESOURCES:
==> v1/ClusterRole
NAME                     AGE
microperimeter-operator  107s

==> v1/ClusterRoleBinding
NAME                     AGE
microperimeter-operator  107s

==> v1/ConfigMap
NAME                     DATA  AGE
consul                   1     107s
jaeger                   1     107s
microperimeter-operator  1     107s
vault                    3     107s

==> v1/Job
NAME    COMPLETIONS  DURATION  AGE
consul  1/1          64s       106s

==> v1/PersistentVolumeClaim
NAME    STATUS  VOLUME                                    CAPACITY  ACCESS MODES  STORAGECLASS    AGE
consul  Bound   pvc-f515abee-7763-11e9-a233-0800274d97b8  256Mi     RWO           standard        107s

==> v1/Pod(related)
NAME                                      READY  STATUS     RESTARTS  AGE
consul-5f7cf46ff4-x25s6                   1/1    Running    0         106s
consul-dtqth                              0/5    Completed  0         106s
jaeger-86f7cd86f4-vhnm9                   1/1    Running    0         106s
microperimeter-operator-6b44d894c5-8474x  1/1    Running    0         106s
vault-6885d8d749-jhwhm                    2/2    Running    0         106s

==> v1/Role
NAME   AGE
vault  107s

==> v1/RoleBinding
NAME   AGE
vault  107s

==> v1/Secret
NAME                     TYPE                     DATA  AGE
consul                   Opaque                   4     107s
consul-registry          kubernetes.io/dockercfg  1     107s
jaeger-registry          kubernetes.io/dockercfg  1     107s
MicroPerimeter           kubernetes.io/dockercfg  1     107s
microperimeter-operator  Opaque                   3     107s
vault-registry           kubernetes.io/dockercfg  1     107s
vault-tokens             Opaque                   2     107s

==> v1/Service
NAME                                    TYPE       CLUSTER-IP      EXTERNAL-IP  PORT(S)                              AGE
consul                                  ClusterIP  10.109.222.114  <none>       8500/TCP,8443/TCP                    107s
jaeger-agent                            ClusterIP  None            <none>       5775/UDP,5778/TCP,6831/UDP,6832/UDP  107s
jaeger-query                            ClusterIP  10.108.215.224  <none>       8200/TCP                             107s
jaeger-zipkin                           ClusterIP  None            <none>       9411/TCP                             106s
microperimeter-operator                 ClusterIP  10.102.7.12     <none>       443/TCP                              106s
microperimeter-system-jaeger-collector  ClusterIP  10.109.81.121   <none>       14267/TCP,14268/TCP,9411/TCP         107s
vault                                   ClusterIP  10.102.40.84    <none>       8200/TCP                             106s

==> v1/ServiceAccount
NAME                     SECRETS  AGE
microperimeter-operator  1        107s
vault                    1        107s

==> v1beta1/ClusterRoleBinding
NAME                                    AGE
microperimeter-operator-auth-delegator  107s

==> v1beta1/Deployment
NAME                     READY  UP-TO-DATE  AVAILABLE  AGE
consul                   1/1    1           1          106s
jaeger                   1/1    1           1          106s
microperimeter-operator  1/1    1           1          106s
vault                    1/1    1           1          106s

==> v1beta1/MutatingWebhookConfiguration
NAME                     AGE
microperimeter-operator  106s

As you can see above, this helm installation command deployed the following components:

  • consul - Used for storing and distributing configuration rules and access policies
  • jaeger - Used for OpenTracing support
  • MicroPerimeter™ Operator - Used to orchestrate the sidecars' initialization
  • vault - Used as a Certificate Authority and for Key Management.

Additionally, all necessary services, configuration maps, and initialization jobs were deployed and configured.
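Before importing policies it is worth confirming that every pod and job in the helm output is actually ready, since helm's --wait does not wait for Jobs to complete (the EFK release above is already STATUS: DEPLOYED while its elasticsearch-logging job still shows 0/1 completions). The script below is an added example, not part of the MicroPerimeter™ tooling; it reads the release output in the format shown above and its sample input is constructed, not captured from a cluster.

```shell
#!/bin/sh
# Added example (not MicroPerimeter's own tooling): read "helm upgrade --install
# ... --wait" output and flag pods that are not fully ready and jobs that have
# not completed. helm --wait does not wait for Jobs, which is why the EFK
# release above reports STATUS: DEPLOYED while elasticsearch-logging shows 0/1.
# Usage: helm upgrade ... | tee install.log; check_helm_resources < install.log
check_helm_resources() {
  awk '
    /^==> v1\/Pod\(related\)/ { section = "pod"; next }
    /^==> v1\/Job/            { section = "job"; next }
    /^==>/                    { section = ""; next }
    section == "" || /^NAME/ || NF < 4 { next }
    {
      split($2, n, "/")   # READY (pods) or COMPLETIONS (jobs), e.g. 0/1
      if (section == "pod" && $3 != "Completed" && ($3 != "Running" || n[1] != n[2])) {
        printf "pod not ready: %s %s %s\n", $1, $2, $3; bad = 1
      }
      if (section == "job" && n[1] != n[2]) {
        printf "job not complete: %s %s\n", $1, $2; bad = 1
      }
    }
    END { exit bad + 0 }
  '
}

# Constructed sample shaped like the EFK output: the job is still at 0/1 and
# one pod is stuck (not captured from a real cluster).
sample_unhealthy() {
  cat <<'EOF'
==> v1/Job
NAME                   COMPLETIONS  DURATION  AGE
elasticsearch-logging  0/1          3m14s     3m14s

==> v1/Pod(related)
NAME                         READY  STATUS            RESTARTS  AGE
efk-fluentd-6xbft            1/1    Running           0         3m14s
efk-kibana-5bdcc8fd8b-tt94x  0/1    CrashLoopBackOff  5         3m14s
EOF
}

# Stand-alone run: reports the job and the pod before you import policies.
sample_unhealthy | check_helm_resources || echo "release not ready"
```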

Import Policies

We use our MicroPerimeter™ Sidecar based protection to enforce security on our MicroPerimeter™ Dashboard and APIs. So before we move to the installation of these components we need to import the access policies and API rule definitions for MicroPerimeter™ Services and Dashboard. To do so we use the mpctl tool, which imports all security definitions using a declarative approach.

./bin/mpctl.sh import -d policies/system/kubernetes.yaml -d policies/scopes.yaml -p policies/system/secured.yaml

The output of this command should be similar to:

mpctl-darwin-amd64 info: "OK services/microperimeter-dashboard.microperimeter-services.cluster.local/endpoints"
mpctl-darwin-amd64 info: "OK edge/policies/microperimeter-edge.microperimeter-services.cluster.local"
mpctl-darwin-amd64 info: "OK services/microperimeter-edge.microperimeter-services.cluster.local/endpoints"
mpctl-darwin-amd64 info: "OK services/microperimeter-dashboard.microperimeter-services.cluster.local/rules"
mpctl-darwin-amd64 info: "OK edge/policies/microperimeter-dashboard.microperimeter-services.cluster.local"
mpctl-darwin-amd64 info: "OK services/microperimeter-edge.microperimeter-services.cluster.local/rules"
mpctl-darwin-amd64 info: "OK edge/rules/microperimeter-edge.microperimeter-services.cluster.local"
mpctl-darwin-amd64 info: "OK edge/rules/microperimeter-dashboard.microperimeter-services.cluster.local"
mpctl-darwin-amd64 info: "OK services/microperimeter-edge.microperimeter-services.cluster.local/policies"
mpctl-darwin-amd64 info: "OK services/microperimeter-dashboard.microperimeter-services.cluster.local/policies"

NOTE: The mpctl command uses the kubectl proxy capability to communicate with the MicroPerimeter™ System components.

Install MicroPerimeter™ Services

Having all system components deployed and configured we can deploy the remaining MicroPerimeter™ Services like:

  • MicroPerimeter™ Edge - edge controller/ingress gateway
  • MicroPerimeter™ Dashboard - API security visualization Dashboard

Additionally, it installs a mock IdP and a simple traffic generator, in case you want a self-contained testing setup for demo purposes.

helm upgrade \
  --install microperimeter-services \
  -f helm/registry/docker-microperimeter.artifactory.cloudentity.com/registry.yaml \
  -f values.yaml \
  --set global.tag=2.6.0 \
  --set global.registry=docker-microperimeter.artifactory.cloudentity.com \
  --namespace=microperimeter-services \
  --wait helm/microperimeter-services

The output of this command will be the following:

Release "microperimeter-services" does not exist. Installing it now.
NAME:   microperimeter-services
LAST DEPLOYED: Wed May 15 16:34:13 2019
NAMESPACE: microperimeter-services
STATUS: DEPLOYED

RESOURCES:
==> v1/ClusterRole
NAME                      AGE
microperimeter-dashboard  103s

==> v1/ClusterRoleBinding
NAME                      AGE
microperimeter-dashboard  103s

==> v1/ConfigMap
NAME                 DATA  AGE
microperimeter-edge  6     103s

==> v1/Pod(related)
NAME                                       READY  STATUS   RESTARTS  AGE
microperimeter-dashboard-77fb56494b-m6s6l  2/2    Running  0         102s
microperimeter-edge-699d455695-rk7g9       2/2    Running  0         102s
microperimeter-idp-mock-64f688f699-b55cd   1/1    Running  0         102s
microperimeter-loadgen-6697c8c4f7-9wbtz    1/1    Running  0         103s

==> v1/Secret
NAME                      TYPE                     DATA  AGE
MicroPerimeter            kubernetes.io/dockercfg  1     103s
microperimeter-dashboard  Opaque                   1     103s

==> v1/Service
NAME                      TYPE       CLUSTER-IP      EXTERNAL-IP  PORT(S)   AGE
microperimeter-dashboard  ClusterIP  10.106.92.65    <none>       8080/TCP  103s
microperimeter-edge       ClusterIP  10.107.169.72   <none>       8080/TCP  103s
microperimeter-idp-mock   ClusterIP  10.109.164.251  <none>       80/TCP    103s
microperimeter-loadgen    ClusterIP  10.110.229.6    <none>       80/TCP    103s

==> v1/ServiceAccount
NAME                      SECRETS  AGE
microperimeter-dashboard  1        103s
microperimeter-edge       1        103s

==> v1beta1/Deployment
NAME                      READY  UP-TO-DATE  AVAILABLE  AGE
microperimeter-dashboard  1/1    1           1          103s
microperimeter-edge       1/1    1           1          103s
microperimeter-idp-mock   1/1    1           1          103s
microperimeter-loadgen    1/1    1           1          103s