This article describes what is needed to deploy the Defender in a Kubernetes environment. Before starting, you must have completed the steps in the prerequisite articles.
Step 1: Prepare your Cluster
Create a namespace for your defender deployment
You should have created this namespace in the Cequence Defender Prerequisites article. If you followed that article, you can skip this step.
Create a namespace to deploy the Cequence Defender
kubectl create namespace <defender-namespace>
Set the new namespace as the default namespace for your current kubectl context, so that the commands below run against <defender-namespace> without an explicit -n flag.
kubectl config set-context --current --namespace=<defender-namespace>
Platform Secrets
If you pull images from the Cequence repositories, you need GitLab credentials with the proper authorization, stored in an image pull secret created with one of the following options. The Defender should be installed in the same namespace as your UAP Platform; image pull secrets are namespaced, so the secret must exist in the namespace the Defender pods run in. If you used the Cequence registries to install your UAP Platform, that secret already exists and you can skip this step.
kubectl create secret docker-registry regcred --docker-server=registry.gitlab.com --docker-username=<your-username> --docker-password=<your-password> -n <platform-namespace>
Or from an existing Docker configuration file. You must already have your docker-config.json file for this to work.
kubectl create secret generic regcred --from-file=.dockerconfigjson=./docker-config.json --type=kubernetes.io/dockerconfigjson -n <platform-namespace>
If you do not have credentials, contact your Cequence account manager for further direction. Alternatively, Cequence can provide the images for your company's own repository.
Step 2: Install Cequence Defender
Helm Overrides File
Use the attached values file as the starting point for your own values file. Once it is edited, launch the Helm chart with the following syntax.
Before launching the chart, please read the information below.
helm upgrade --install defender cequence/defender --version 4.4.0 -n <defender-namespace> --values yourvaluesfile.yaml
Helm Overrides File Edits
Use the attached values file as a starting point for your Defender configuration.
Line 8: If you are not using external DNS for Kubernetes, you can disregard this line.
Line 38: Leave the upstream routing type as "cqai".
Lines 40-43: 6.x platforms use routing, so these lines are not needed.
Line 48: Change the edge endpoint domain to your own. If you use a SaaS UAP Platform, get this value from your Cequence account contact.
Line 50: Change the auth token URL to match your domain. If you use a SaaS UAP Platform, get this value from your Cequence account contact.
Lines 51-52: Update the token settings with the client name and client secret from the steps above.
Lines 56-59: If you use Cequence SaaS and want to deploy your own Defenders, edit line 57, the policy engine "host", to point to your Policy Engine ingress URL. For a hybrid deployment, this must be an HTTPS URL.
Step 3: Defender Health
You can verify your Defender deployment in several ways. This article covers the following checks:
- Successful Helm deployment: ensure your Helm release was installed successfully.
- Kubernetes pod health: ensure your pods are healthy and running.
- Defender communication with the UAP Platform: ensure your Defender can reach the UAP Platform.
Deployment Verification
Your Helm release should show a STATUS of "deployed". Run helm list in the Defender namespace (or add -n <defender-namespace> if your current context points elsewhere).
helm list | grep <deployment-name>
unified1-defender unified1 1 2023-07-13 12:21:45.353761811 -0700 PDT deployed defender-4.4.0 4.4.0
Pod Health Verification
Your Defender pods should show a STATUS of Running with every container ready (READY reads 2/2). A non-zero RESTARTS count, such as the 4 (9d ago) on the configuration pod in the sample output below, is worth a look at the previous container's logs with kubectl logs --previous even when the pod is currently Running.
kubectl get pods | grep <pod-name>
defender-configuration-59456649d6-prtrg 2/2 Running 4 (9d ago) 47d
unified1-defender-84988444dc-2qvrv 2/2 Running 0 47d
unified1-defender-84988444dc-tc66g 2/2 Running 0 47d
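The two checks above, the Helm release status and the pod readiness, can be scripted so a deployment pipeline fails early. The following is an added example, not code from the Cequence article: shell functions that read the tabular output of helm list and kubectl get pods and return a non-zero status when the release is not deployed, when a pod is not Running with all containers ready, or when no pod matches at all (typically a wrong namespace). It also flags pods that are Running but have restarted, which the article's own listing shows but does not discuss. The release name unified1-defender, the pod-name prefix, and the sample listings are assumptions taken from the article's sample output.

```shell
#!/usr/bin/env bash
# Added example, not from the Cequence article: scriptable versions of the
# Step 3 checks. The checks read the tabular output of `helm list` and
# `kubectl get pods` on stdin, so they work both against a live cluster and
# against the constructed sample output at the bottom of this file.
set -u

# Release name and pod-name prefix are assumptions taken from the article's
# sample output; override them to match your own deployment.
RELEASE="${RELEASE:-unified1-defender}"
POD_PREFIX="${POD_PREFIX:-unified1-defender}"

# Exit 0 if the named release has STATUS "deployed" in `helm list` output.
# Columns: NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION. UPDATED
# contains spaces, so STATUS is addressed from the end of the line (this
# assumes the app-version column is populated, as it is for the defender chart).
helm_release_deployed() {
  local release="$1"
  awk -v r="$release" '$1 == r && $(NF-2) == "deployed" { found = 1 }
                       END { exit found ? 0 : 1 }'
}

# Exit 0 if every pod whose name starts with the prefix is Running with all
# containers ready (READY reads N/N). Exit 1 if any such pod is not, or if no
# pod matches at all (usually a wrong namespace or release name).
# Columns: NAME READY STATUS RESTARTS AGE. RESTARTS may read "4 (9d ago)", so
# only $4 (the count) is used and nothing after it is addressed by position.
pods_healthy() {
  local prefix="$1"
  awk -v p="$prefix" '
    index($1, p) == 1 {
      n++
      split($2, rc, "/")
      if ($3 != "Running" || rc[1] != rc[2]) {
        bad++
        printf "NOT READY: %s READY=%s STATUS=%s\n", $1, $2, $3
      } else if ($4 + 0 > 0) {
        # A Running pod that has restarted still deserves a look at its
        # previous container logs (kubectl logs --previous).
        printf "WARNING: %s is Running but has restarted %d time(s)\n", $1, $4
      }
    }
    END {
      if (n == 0) { printf "no pods with prefix %s in this namespace\n", p; exit 1 }
      exit bad ? 1 : 0
    }'
}

# Run both checks against the live cluster in the current kubectl context and
# namespace; pass -n <defender-namespace> to both tools if the context differs.
defender_health() {
  local release="$1" prefix="$2" rc=0
  helm list | helm_release_deployed "$release" \
    || { echo "helm release $release is not in 'deployed' state"; rc=1; }
  kubectl get pods | pods_healthy "$prefix" || rc=1
  return "$rc"
}

# Constructed sample output mirroring the article's listings (not captured
# from a live cluster), used for the offline demonstration below.
SAMPLE_HELM='NAME NAMESPACE REVISION UPDATED STATUS CHART APP VERSION
unified1-defender unified1 1 2023-07-13 12:21:45.353761811 -0700 PDT deployed defender-4.4.0 4.4.0'
SAMPLE_PODS='NAME READY STATUS RESTARTS AGE
defender-configuration-59456649d6-prtrg 2/2 Running 4 (9d ago) 47d
unified1-defender-84988444dc-2qvrv 2/2 Running 0 47d
unified1-defender-84988444dc-tc66g 2/2 Running 0 47d'
SAMPLE_PODS_BAD='NAME READY STATUS RESTARTS AGE
unified1-defender-84988444dc-2qvrv 1/2 CrashLoopBackOff 7 (2m ago) 10m'

# Offline demonstration; on a real cluster call: defender_health "$RELEASE" "$POD_PREFIX"
printf '%s\n' "$SAMPLE_HELM" | helm_release_deployed "$RELEASE" && echo "release $RELEASE: deployed"
printf '%s\n' "$SAMPLE_PODS" | pods_healthy "$POD_PREFIX" && echo "pods $POD_PREFIX*: healthy"
printf '%s\n' "$SAMPLE_PODS_BAD" | pods_healthy "$POD_PREFIX" || echo "unhealthy sample rejected as expected"
```

Parsing the human-readable tables keeps the example self-contained, but for anything long-lived prefer the structured output the tools offer (helm list -o json, kubectl get pods -o jsonpath or -o json) so column changes between tool versions cannot silently break the check.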
UAP Verification
From within the UAP Platform, you can verify that the Defender is communicating with the platform. In the left-hand pane, navigate to Diagnostics > System Components. At the bottom of the page, under Defender Instances, you will see the status of your Defender deployment, including the date of its first communication and its last update.