This guide explains how to use the provisioning tools provided by OPSWAT to create an AWS GKE and generate all the Kubernetes components needed to run MetaDefender Core and MetaDefender Storage Security.
In case of having the K8S cluster already created, please check the Deployment Using Helm page
This page is purely for provisioning the EKS cluster and install the products at the same time with the tools that OPSWAT has prepared.
Deploy using Terraform
- Locally clone the metadefender-k8s repository and go to terraform folder
git clone git@github.com:OPSWAT/metadefender-k8s.gitcd terraform/gcloud/- Modify terraform.tfvars file
- PERSISTENT_DEPLOYMENT=true -> To create K8S cluster with EC2 Worker Nodes
- DEPLOY_FARGATE_NODES=false -> To true if wanted to create a Fargate profile
- DEPLOY_RDS_POSTGRES_DB=true -> To create RDS instance for PostgreSQL server
- POSTGRES_USERNAME -> if DEPLOY_RDS_POSTGRES_DB=true, set up admin database username
- POSTGRES_PASSWORD -> if DEPLOY_RDS_POSTGRES_DB=true, set up admin database password
- MQ_USERNAME -> if DEPLOY_RABBITMQ=true
- MQ_PASSWORD -> if DEPLOY_RABBITMQ=true
# project_id = "<ADD_YOUR_PROJECT_ID>"# region = "europe-central2"# cluster_location = "europe-central2"gcloud_json_key_path = "/path/to/json"# node_count = "1"# machine_type = "e2-standard-8"deploy_cloud_sql = trueAUTOPILOT_GKE = false# private_ip_cloud_sql = true# cloud_sql_user = postgres# cloud_sql_password = <ADD_YOUR_POSTGRES_PASS>- Run terraform init and apply. Check the resource to be created, after that enter "y"
terraform initterraform applyMetaDefenderK8S script details
Script path: %provisioning_script_path%
Programming Language: Bash
Installation Pre-requisites for provisioning:
AWS Credentials
- Set in your local environment credentials the IAM user credentials under AWS_ACCESS_KEY_ID& AWS_SECRET_ACCESS_KEY
MetaDefender Core License Key (Required with --mdcore parameter)
- Set it in your local environment credentials under MDCORE_LICENSE_KEY
As security measure do not use the root user for any deployment or operation. Follow the principle of least privilege for all access granted. Keep in mind the resources listed in this page for your option selected: EKS Cluster Architecture
How to run the script
./metadefenderk8s.sh provision -l AWS --mdcore --mdssScript Parameters
| Parameter | Flags | Options | Default | Description | Required/Optional |
|---|---|---|---|---|---|
| Action |
| Action to indicate the script if we want to provision (Create resources + install Core) or install (Install Core) | Required | ||
| Location | -l or --location |
| Where is going to be the K8S cluster | Required | |
| MetaDefender Flag Installation | Combination of
| - | Install MetaDefender Core in the cluster provisioned | Required | |
| Image Version | --image |
| latest | MetaDefender Core image version to install | Optional |
| Region | --region | AWS Regions | eu-central-1 | AWS region where all the resources will be provisioned | Optional |
| Cluster Name | --name | Not uppercase allowed | md-k8s | Name of the cluster that will be used for naming all the resources | Optional |
| Number of Replicas | --replicas | [0-9]* | 1 | Number of replicas for MetaDefender Core service | Optional |
| Namespace | --namespace | [A-Za-z]{1,10} | Namespace where MetaDefender products will be installed in the K8S Cluster | Optional Max Characters: 10 |
Limitations using parameters
- When using Fargate
- the pods should be installed in the default namespace.
- if using AWS Load Balancer controllers need a worker node to be installed in.
##
