The following article describes what is needed to deploy Defender in a Kubernetes environment.
Step 1: Prepare your Cluster
Create a namespace for your defender deployment
Creating a namespace is optional. You can deploy into an existing namespace when one exists.
kubectl create namespace defender
kubectl config set-context --current --namespace=defender
Platform Secrets
If you use the Cequence repositories, you must have GitLab credentials with the proper authorization. Create a secret with the following command.
kubectl create secret docker-registry regcred --docker-server=registry.gitlab.com --docker-username=<your-username> --docker-password=<your-password> -n defender
To use an existing Docker configuration file instead, create the secret with the following command. Note that this command requires an existing, valid docker-config.json file. Consult the Docker documentation for details on how to create a suitable Docker configuration file.
kubectl create secret generic regcred --from-file=.dockerconfigjson=./docker-config.json --type=kubernetes.io/dockerconfigjson -n defender
If you do not have credentials, please contact your Cequence account manager for further direction. Alternatively, Cequence can provide you with the images for your company's own repository.
Creating a client ID and client secret
Several Cequence components must authenticate to the Cequence UAP platform in order to transmit and receive data. Create authentication credentials in the Cequence UAP platform to enable this authentication.
- Log in to the UAP management portal UI.
  The URL for the management portal is typically of the form https://ui.<your-tenant-name>.<domain>. Replace <your-tenant-name> with the name of your Cequence tenant organization. Replace <domain> with your domain name.
- Select General Settings > User Management.
  The User Management pane appears.
- Click the Clients tab.
- Click Add New Client.
  The new client dialog box appears.
- Type the client name in the Client Name field.
  This name is the client ID. Note the client ID for later use.
- Enable the Traffic Management toggle.
- (Optional) To change the token lifespan from the default of 1800 seconds, type a whole number of seconds in Token Lifespan.
- Click Save.
  A dialog box with the client secret appears.
- Click the blue Copy icon to copy the secret to the clipboard, then click Close.
  The client is now set up and the client list appears. Note the client name for future use.
- Note the value of the client secret for later use. For security reasons, this value is not shown again in the UI.
Step 2: Install Cequence Defender
Installation using Helm
Save a copy of the sample override file below as defender-values.yaml. Edit this file to add the values of the client ID and client secret created earlier in this article.
defenderContainer:
  image:
    repository: registry.gitlab.com/cequence/releases/defender
    tag: 5.3.2
    pullPolicy: IfNotPresent
  resources:
    requests:
      cpu: 200m
      memory: 512Mi
    limits:
      cpu: 2
      memory: 2Gi
imagePullSecrets:
  - name: regcred
ingress:
  enabled: true
  hostname: defender.yourdomain.com # Change this URL to one of your choice for defender
  servicePort: 443
  ingressClassName: xxxxx # Your ingress class name
config:
  extraVars:
    - DISABLE_SSL_VERIFY=true
  policyEngine:
    host: "policy-engine.cqai.yourdomain.com" # Replace the URL based on your UAP installation
    port: 443
    scheme: "https"
  upstream:
    config:
      type: "static"
      static:
        http:
          server: "www.cequence.ai" # Change this URL to your origin server
        https:
          server: "www.cequence.ai" # Change this URL to your origin server
  apiEdge:
    pipelines:
      - enabled: true
        sentinel: true
        endpointHost: "edge.cqai.yourdomain.com" # Replace the URL based on your UAP installation
        auth:
          clientId: "defender-client-1"
          clientSecret: "xxxxxxx" # Replace with the secret created in the previous step
          tokenUrl: "https://auth.cqai.yourdomain.com/auth/realms/cequence/protocol/openid-connect/token" # Replace the URL based on your CQAI installation
Run the following commands to install Cequence Defender.
helm repo add cequence https://cequence.gitlab.io/helm-charts
helm repo update
helm upgrade --install defender cequence/defender --version 5.3.2 -n defender --values defender-values.yaml
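Before running the Helm install, it is worth confirming that the override file no longer carries the sample placeholders and that the Docker configuration behind the regcred secret actually targets the Cequence registry. The following pre-flight script is an added example and is not part of the Cequence article or chart; it assumes the override file keeps the key names of the sample above (hostname, ingressClassName, clientSecret, extraVars) and that the registry secret was built from a docker-config.json as in Step 1. The sample files it creates are constructed here purely to exercise the checks offline.

```shell
#!/bin/sh
# Added example (not from the Cequence article or chart): pre-flight checks to run
# before `helm upgrade --install`. Assumes the override file keeps the key names of
# the sample defender-values.yaml and that regcred was built from docker-config.json.

# check_values FILE: print every placeholder from the sample that is still unedited.
# Returns 0 when the file is ready, 1 when placeholders remain, 2 if it is unreadable.
check_values() {
    file="$1"
    rc=0
    [ -r "$file" ] || { echo "cannot read $file"; return 2; }
    # Patterns match the placeholder values exactly as they appear in the sample file.
    for pat in \
        'clientSecret: *"x+"' \
        'ingressClassName: *x+[[:space:]]*(#.*)?$' \
        'yourdomain\.com'
    do
        if grep -Eq "$pat" "$file"; then
            echo "unedited placeholder: $(grep -E "$pat" "$file" | head -n 1 | sed 's/^ *//')"
            rc=1
        fi
    done
    # DISABLE_SSL_VERIFY=true turns off TLS certificate verification towards the UAP
    # platform; report it so that keeping it is a deliberate choice, not an oversight.
    if grep -q 'DISABLE_SSL_VERIFY=true' "$file"; then
        echo "note: DISABLE_SSL_VERIFY=true disables TLS certificate verification"
    fi
    return $rc
}

# check_docker_config FILE: confirm the config used for the regcred secret has an
# "auths" entry for registry.gitlab.com (the server the Step 1 command logs in to).
check_docker_config() {
    [ -r "$1" ] || return 2
    grep -q '"auths"' "$1" && grep -q 'registry\.gitlab\.com' "$1"
}

# Constructed sample inputs, used only to exercise the checks offline.
sample_unedited_values() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
ingress:
  enabled: true
  hostname: defender.yourdomain.com # Change this URL to one of your choice for defender
  ingressClassName: xxxxx # Your ingress class name
config:
  extraVars:
    - DISABLE_SSL_VERIFY=true
  apiEdge:
    pipelines:
      - auth:
          clientSecret: "xxxxxxx" # Replace with the secret created in the previous step
EOF
    echo "$f"
}

sample_edited_values() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
ingress:
  enabled: true
  hostname: defender.example.internal
  ingressClassName: nginx
config:
  apiEdge:
    pipelines:
      - auth:
          clientSecret: "constructed-example-secret"
EOF
    echo "$f"
}

sample_docker_config() {
    f=$(mktemp)
    # Constructed, non-functional auth blob: the check only looks at the structure.
    printf '{"auths":{"registry.gitlab.com":{"auth":"Y29uc3RydWN0ZWQ="}}}\n' > "$f"
    echo "$f"
}

# Real-world usage, gating the install on a clean override file:
#   check_docker_config ./docker-config.json && check_values defender-values.yaml \
#     && helm upgrade --install defender cequence/defender --version 5.3.2 -n defender --values defender-values.yaml
```

The checks are grep-based rather than a YAML parse, so they catch the literal sample placeholders and nothing more; treat a clean result as a necessary condition, not proof that every value is correct for your environment.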
Verify Defender on CQAI Portal
Check the System Diagnostics section on the Cequence UAP platform dashboard. Confirm that the Defender instance is listed.
Configuration instructions for using Cequence Defender with mTLS are available in a separate article.