Anonymizing Using Amazon Elastic Kubernetes Service (EKS) on

Verifying the Prerequisites

Mon, 01 Jan 0001 00:00:00 +0000

Ensure that the following prerequisites are met:

Base machine - This might be a Linux machine instance that is used to communicate with the Kubernetes cluster. This instance can be on-premise or on AWS. Ensure that Helm is installed on this Linux instance. You must also install Docker on this Linux instance to communicate with the Container Registry, where you want to upload the Docker images.

For more information about the minimum hardware requirements, refer to the section Prerequisites for Deploying the Protegrity Anonymization API.

Preparing the Base Machine

Mon, 01 Jan 0001 00:00:00 +0000

The steps provided here installs the software required for running the various EKS commands for setting up and working with the Protegrity Anonymization API cluster.

Log in to your system as an administrator.
Open a command prompt with administrator.
Install the following tools to get started with creating the EKS cluster.
1. Install AWS CLI 2, which provides a set of command line tools for the AWS Cloud Platform.
  
  For more information about installing the AWS CLI 2, refer to Installing or updating to the latest version of the AWS CLI.

Creating the EKS Cluster

Mon, 01 Jan 0001 00:00:00 +0000

Complete the steps provided here to create the EKS cluster by running commands on the machine for the Protegrity Anonymization API.

Note: The steps listed in this procedure for creating the EKS cluster are for reference use. If you have an existing EKS cluster or want to create an EKS cluster based on your own requirements, then you can directly navigate to the section Accessing the EKS Cluster to connect your EKS cluster and the Linux instance.

Accessing the EKS Cluster

Mon, 01 Jan 0001 00:00:00 +0000

Connect to the cloud service using the steps in this section.

Run the following command to connect your Linux instance to the Kubernetes cluster.

aws eks update-kubeconfig --name <Name of Kubernetes cluster> --region <Region in which the cluster is created>

Run the following command to verify that the nodes are deployed.
```
kubectl get nodes
```
Note: You can also verify that the nodes are deployed in AWS from the EKS Kubernetes Cluster dashboard.

Uploading the Image to AWS Container Registry (ECR)

Mon, 01 Jan 0001 00:00:00 +0000

Use the information in this section to upload the Protegrity Anonymization API image to the AWS container registry (ECR) for running the Protegrity Anonymization API in EKS.

Ensure that you have set up your Container Registry.

Note: The steps listed in this section for uploading the container images to the Amazon Elastic Container Repository (ECR) are for reference use. You can choose to use a different Container Registry for uploading the container images.

Setting up NGINX Ingress Controller

Mon, 01 Jan 0001 00:00:00 +0000

Complete the steps provided here for installing the NGINX Ingress Controller on the base machine.

Login to the base machine and open a command prompt.
Create a namespace where the NGINX Ingress Controller needs to be deployed using the following command.
```
kubectl create namespace <Namespace name>
```
For example,
```
kubectl create namespace nginx
```
Add the repository from where the Helm charts for installing the NGINX Ingress Controller must be fetched using the following command.

Using Custom Certificates in Ingress

Mon, 01 Jan 0001 00:00:00 +0000

Protegrity Anonymization API uses certificates for secure communication with the client. You can use the certificates provided by Protegrity or use your own certificates. Complete the configurations provided in this section to use your custom certificates with the Ingress Controller.

Ensure that the certificates and keys are in the .pem format.

Note: Skip the steps provided in this section if you want to use the default Protegrity certificates for the Protegrity Anonymization API.

Updating the Configuration Files

Mon, 01 Jan 0001 00:00:00 +0000

Use the template files provided to specify the EKS settings for the Protegrity Anonymization API.

Extract and update the files in the ANON-API_HELM_1.4.0.x.tgz package.

The ANON-API_HELM_1.4.0.x.tgz package contains the values.yaml file that must be modified as per your requirements. It also contains the templates directory with yaml files.

Note: Ensure that the necessary permissions for updating the files are assigned to the .yaml files.
Navigate to the <path_to_helm>/templates directory and delete the anon-db-storage-aws.yaml file.

Deploying the Protegrity Anonymization API to the EKS Cluster

Mon, 01 Jan 0001 00:00:00 +0000

Complete the following steps to deploy the Protegrity Anonymization API on the EKS cluster.

Navigate to the <path_to_helm>/templates directory and delete the anon-dbpvc-azure.yaml and the anon-storagepvc-azure.yaml files.
Create the Protegrity Anonymization API namespace using the following command.
```
kubectl create namespace <name>
```
Note: Update and use the from the values.yaml file that is present in the Helm chart that you used in the previous section.
Run the following command to deploy the pods.

Viewing Protegrity Anonymization API Using REST

Mon, 01 Jan 0001 00:00:00 +0000

Use the URLs provided here for viewing the Protegrity Anonymization API service and pod details after you have successfully deployed the Protegrity Anonymization API.

You need to map the IP address of Ingress in the hosts file with the host name set in the Ingress configuration.

For more information about updating the hosts file, refer to step 2 of the section Enabling Custom Certificates From SDK.

Optionally, update the hostname of the Elastic Load Balancer (ELB) that is created by the NGINX Ingress Controller using the section Creating a DNS Entry for the ELB Hostname in Route53.

Creating Kubernetes Service Accounts and Kubeconfigs for Anonymization Cluster

Mon, 01 Jan 0001 00:00:00 +0000

A service account in the anonymization cluster namespace has access to the anonymization namespace. It might also have access to the whole cluster. These permissions for the service account allow the user to create, read, update, and delete objects in the anonymization Kubernetes cluster or the namespace. Additionally, the kubeconfig is required to access the service account using a token.

In this section, you create a Kubernetes service account and the role-based access control (RBAC) configuration manually using kubectl.