Deep Security Smart Check uses the helm package manager for Kubernetes.
To install Deep Security Smart Check you must have a running Amazon EKS cluster.
Follow the instructions here to create an Amazon EKS cluster.
Then create a storage class as described here. You will specify the storage class name when you install Deep Security Smart Check.
You will need helm version v2.8.0 or later. There's a handy quickstart that will help you get started, or if you like living dangerously:

```sh
curl https://raw.githubusercontent.com/kubernetes/helm/master/scripts/get | bash
```
Helm has a cluster-side component called tiller that needs to be installed as well.
Make sure that your kubectl context is set correctly to point to your cluster:

```sh
kubectl config current-context
```
If your kubectl context is not pointing to your cluster, use kubectl config get-contexts and kubectl config use-context to set it.
Install the tiller cluster-side component:

```sh
helm init
```
You will also need to configure a service account for tiller:

```sh
kubectl create serviceaccount \
  --namespace kube-system \
  tiller
kubectl create clusterrolebinding tiller-cluster-role \
  --clusterrole=cluster-admin \
  --serviceaccount=kube-system:tiller
kubectl patch deploy \
  --namespace kube-system \
  tiller-deploy \
  --patch '{"spec":{"template":{"spec":{"serviceAccount":"tiller"}}}}'
```
Use helm version to confirm that you have at least version v2.8.0 of both the client and the server installed.
Note: the commands above give tiller full cluster administrator privileges. Review Securing your Helm Installation for help on what to consider when setting up Helm in your cluster.
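Added example (not part of the chart or its README): a preflight check that parses the Helm 2 `helm version` output, confirms both the client and the server (tiller) report at least v2.8.0, and confirms the current kubectl context is the cluster you intend to install into. The expected context name is an input you supply; the `helm version` line format is the one printed by Helm 2 clients.

```shell
#!/bin/sh
# Added example: verify Helm 2 client/server versions and the kubectl context
# before running `helm init` or `helm install`.

MIN_HELM="2.8.0"   # minimum required by the chart, per the README

# semver_ge A B -> exit 0 if A >= B, comparing major.minor.patch numerically.
# A leading "v" and any pre-release suffix on the patch are ignored.
semver_ge() {
  a=${1#v}; b=${2#v}
  a1=${a%%.*}; ar=${a#*.}; a2=${ar%%.*}; a3=${ar#*.}; a3=${a3%%[!0-9]*}
  b1=${b%%.*}; br=${b#*.}; b2=${br%%.*}; b3=${br#*.}; b3=${b3%%[!0-9]*}
  : "${a3:=0}" "${b3:=0}"
  [ "$a1" -gt "$b1" ] && return 0; [ "$a1" -lt "$b1" ] && return 1
  [ "$a2" -gt "$b2" ] && return 0; [ "$a2" -lt "$b2" ] && return 1
  [ "$a3" -ge "$b3" ]
}

# helm_version_ok "<output of helm version>" -> 0 only if BOTH the Client and
# the Server line are present and at least MIN_HELM. A missing Server line
# means tiller is not reachable yet, which is treated as a failure.
helm_version_ok() {
  client=$(printf '%s\n' "$1" | sed -n 's/^Client:.*SemVer:"\([^"]*\)".*/\1/p')
  server=$(printf '%s\n' "$1" | sed -n 's/^Server:.*SemVer:"\([^"]*\)".*/\1/p')
  [ -n "$client" ] && [ -n "$server" ] || return 1
  semver_ge "$client" "$MIN_HELM" && semver_ge "$server" "$MIN_HELM"
}

# context_ok EXPECTED ACTUAL -> 0 if the current context is the expected one
context_ok() { [ "$2" = "$1" ]; }

# preflight EXPECTED_CONTEXT -> runs the real tools; 0 when safe to proceed
preflight() {
  context_ok "$1" "$(kubectl config current-context)" \
    || { echo "kubectl context is not $1; use kubectl config use-context" >&2; return 1; }
  helm_version_ok "$(helm version)" \
    || { echo "helm client/server older than v$MIN_HELM or tiller not ready" >&2; return 1; }
}
```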
We recommend that you register for a 30-day trial license code. Deep Security Smart Check will operate without an activation code; however, malware pattern updates will not be available and you will see a warning message in the administration console.
The Helm chart for Deep Security Smart Check is hosted in a public repository on Github.
To install Deep Security Smart Check into the default Kubernetes namespace:

```sh
helm install \
  --set auth.masterPassword={password} \
  --set activationCode={activation code} \
  --set persistence.storageClassName={storage class name} \
  --name deepsecurity-smartcheck \
  https://github.com/deep-security/smartcheck-helm/archive/1.0.8-aws-container-marketplace.tar.gz
```
Experienced helm users will note that we are using deepsecurity-smartcheck as the helm release name in these examples. There is no requirement to use this release name.
Note: If you do not have an activation code, omit the --set activationCode={activation code} line.
The install process will display instructions for obtaining the initial username and password and for connecting to Deep Security Smart Check.
You can delete all of the resources created for Deep Security Smart Check by running helm delete:

```sh
helm delete --purge deepsecurity-smartcheck
```
Use the helm list command to list installed releases.
This is a destructive command and will delete all of the Deep Security Smart Check resources, including database contents, without further confirmation.
Our docs page provides links to the Deep Security Smart Check Deployment Guide and full API documentation.
To install Deep Security Smart Check into an existing Kubernetes namespace that's different from the current kube config namespace, use the --namespace parameter in the helm install command:

```sh
helm install \
  --namespace {namespace} \
  --set auth.masterPassword={password} \
  --set persistence.storageClassName={storage class name} \
  --name deepsecurity-smartcheck \
  https://github.com/deep-security/smartcheck-helm/archive/1.0.8-aws-container-marketplace.tar.gz
```
Helm uses a file called values.yaml to set configuration defaults.
You can override the defaults in this file by specifying a comma-separated list of key-value pairs on the command line:

```sh
helm install \
  --set key1=value1,key2=value2,... \
  --name deepsecurity-smartcheck \
  https://github.com/deep-security/smartcheck-helm/archive/1.0.8-aws-container-marketplace.tar.gz
```
or by creating a YAML file with the specific values you want to override and providing the location of this file on the command line:

```sh
helm install \
  --values overrides.yaml \
  --name deepsecurity-smartcheck \
  https://github.com/deep-security/smartcheck-helm/archive/1.0.8-aws-container-marketplace.tar.gz
```
If you create a file to override the values, make sure to copy the structure from the chart's values.yaml file. You only need to provide the values that you are overriding.

Refer to the values.yaml file for a full list of available values to override; some common keys are listed here:
| Key | Default value | Description |
|---|---|---|
| auth.masterPassword | None | The master password to use when generating passwords within the system, ensuring that each installation of Deep Security Smart Check has different passwords. |
| auth.userName | administrator | The name of the default administrator user that the system will create on startup. |
| activationCode | None | The activation code to use. The activation code is required if you wish to receive updated malware patterns. |
| auth.password | {a random 16-character alphanumeric string} | The default password assigned to the default administrator. helm will provide instructions for retrieving the initial password as part of the installation process. |
| certificate.commonName | example.com | The server name to use in the default self-signed certificate created for the service. |
| service.type | LoadBalancer | The Kubernetes service type to create. This must be one of LoadBalancer, ClusterIP, or NodePort. |
| persistence.enabled | true | Whether a persistent volume should be created for the Deep Security Smart Check databases. If no persistent volume claim is created, all database content will be lost when the database container restarts. |
| persistence.storageClassName | None | If set, will be used as the storage class for the persistent volume claim that is created for the Deep Security Smart Check databases. |
| networkPolicy.enabled | false | EXPERIMENTAL: Whether Kubernetes NetworkPolicy resources should be created for the deployed pods. |
| proxy.httpProxy | | If set, will be used as the proxy for HTTP traffic from Deep Security Smart Check. The value may be either a complete URL or a host[:port], in which case the http scheme is assumed. |
| proxy.httpsProxy | | If set, will be used as the proxy for HTTPS traffic from Deep Security Smart Check. If httpsProxy is not set, httpProxy is also checked and will be used if set. The value may be either a complete URL or a host[:port], in which case the http scheme is assumed. |
| proxy.noProxy | | If set, is a list of hosts or host:port combinations which should not be accessed through the proxy. |
| proxy.username | | If set, is the user name to use to authenticate requests sent through the proxy. |
| proxy.password | | If set, is the password to use to authenticate requests sent through the proxy. |
| scan.malwareCache.enabled | true | If set, the cache mechanism will be used to improve scanning performance. |
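Added example (not part of the chart or its README): generating an overrides.yaml for `helm install --values overrides.yaml` so that auth.masterPassword is never passed with --set, where it would be recorded in shell history and visible in the process list while helm runs. The keys follow the structure of the table above (auth, activationCode, persistence, service); the password length and the storage class name used in the example are assumptions.

```shell
#!/bin/sh
# Added example: build an owner-readable overrides.yaml containing a freshly
# generated master password, then install with --values instead of --set.

# gen_secret NBYTES -> 2*NBYTES hex characters read from /dev/urandom
gen_secret() {
  od -An -tx1 -N "$1" /dev/urandom | tr -d ' \n'
}

# write_overrides FILE STORAGE_CLASS [ACTIVATION_CODE]
# Writes FILE with mode 0600 (umask 077 in a subshell) so other local users
# cannot read the master password. activationCode is emitted only when given,
# matching the README's advice to omit it when you have none.
write_overrides() {
  file=$1; sc=$2; code=${3:-}
  master=$(gen_secret 16)            # 128 bits of entropy (assumed length)
  (
    umask 077
    {
      echo "auth:"
      echo "  masterPassword: \"$master\""
      if [ -n "$code" ]; then echo "activationCode: \"$code\""; fi
      echo "persistence:"
      echo "  enabled: true"
      echo "  storageClassName: \"$sc\""
      echo "service:"
      echo "  type: LoadBalancer"
    } > "$file"
  )
}

# overrides_ok FILE -> 0 if FILE is readable only by its owner and carries a
# 32-hex-character master password; use it as a guard before helm install.
overrides_ok() {
  [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ] || return 1
  grep -q '^  masterPassword: "[0-9a-f]\{32\}"$' "$1"
}

# Typical use (the chart URL is the one from the README):
#   write_overrides overrides.yaml gp2 && overrides_ok overrides.yaml && \
#   helm install --values overrides.yaml --name deepsecurity-smartcheck \
#     https://github.com/deep-security/smartcheck-helm/archive/1.0.8-aws-container-marketplace.tar.gz
```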
See the wiki page Replacing the service certificate.
The Helm team have some helpful guidelines for securing your Helm installation as well as an abbreviated list of best practices for reference.
Deep Security Smart Check stores its data in a postgres database.
The following example command will perform a full database dump, compressing the output and writing it to the file db.gz in the current directory. You can then archive the db.gz file according to your needs.

```sh
kubectl exec $(kubectl get pods -l service=db -o jsonpath='{.items[0].metadata.name}') -- \
  sh -c 'pg_dumpall -U $POSTGRES_USER | gzip -' \
  > db.gz
```
Note: If you are running Deep Security Smart Check in a namespace other than the default namespace and your kubectl context is not set to use that namespace, you will need to add the --namespace NAMESPACE parameter to both kubectl commands in this example.
Important: While Deep Security Smart Check encrypts credentials stored in the database, the database backup file contains other information that you may consider sensitive, such as registry locations, names, and scan results. Ensure that you store your backups safely with appropriate access controls to prevent misuse or accidental disclosure.
The following example command will perform a database restore from the compressed database dump created in the previous procedure.

```sh
kubectl exec -i \
  $(kubectl get pods -l service=db -o jsonpath='{.items[0].metadata.name}') -- \
  sh -c 'gunzip -f -c - | psql -U $POSTGRES_USER' \
  < db.gz
```
Note: If you are running Deep Security Smart Check in a namespace other than the default namespace and your kubectl context is not set to use that namespace, you will need to add the --namespace NAMESPACE parameter to both kubectl commands in this example.
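Added example (not part of the chart or its README) covering both the backup and the restore procedures above: the same pg_dumpall and psql commands wrapped in functions that take the namespace explicitly (so the current kubectl context does not matter), write the dump with owner-only permissions, and verify the gzip stream before a restore is attempted. The KUBECTL variable is an assumption added so the functions can be exercised without a cluster.

```shell
#!/bin/sh
# Added example: namespace-aware backup and restore of the Smart Check
# postgres database with integrity and permission checks.
KUBECTL=${KUBECTL:-kubectl}   # assumption: lets a stand-in replace kubectl in tests

# db_pod NAMESPACE -> name of the first pod labelled service=db
db_pod() {
  $KUBECTL --namespace "$1" get pods -l service=db -o jsonpath='{.items[0].metadata.name}'
}

# backup_db NAMESPACE OUTFILE -> full dump, compressed, mode 0600, gzip-verified
backup_db() {
  ns=$1; out=$2
  pod=$(db_pod "$ns") || return 1
  [ -n "$pod" ] || { echo "no pod with label service=db in namespace $ns" >&2; return 1; }
  (
    umask 077   # the dump holds registry names and scan results; keep it owner-only
    $KUBECTL --namespace "$ns" exec "$pod" -- \
      sh -c 'pg_dumpall -U $POSTGRES_USER | gzip -' > "$out"
  ) || return 1
  gzip -t "$out" || { echo "$out is not a valid gzip stream" >&2; return 1; }
  [ "$(gzip -dc "$out" | wc -c)" -gt 0 ]   # an empty dump is a failure, not a backup
}

# restore_db NAMESPACE INFILE -> feed a verified dump to psql in the db pod
restore_db() {
  ns=$1; in=$2
  gzip -t "$in" || { echo "refusing to restore: $in is corrupt or truncated" >&2; return 1; }
  pod=$(db_pod "$ns") || return 1
  [ -n "$pod" ] || return 1
  $KUBECTL --namespace "$ns" exec -i "$pod" -- \
    sh -c 'gunzip -f -c - | psql -U $POSTGRES_USER' < "$in"
}
```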
If you see errors like:

```
pod has unbound PersistentVolumeClaims
```

you likely have not defined a storage class. Since Amazon EKS does not create a default storage class, you will have to create one as described here, then specify the storage class name when installing Deep Security Smart Check:

```sh
helm install \
  --set persistence.storageClassName={storage class name} \
  --values overrides.yaml \
  --name deepsecurity-smartcheck \
  https://github.com/deep-security/smartcheck-helm/archive/1.0.8-aws-container-marketplace.tar.gz
```