1 - Deploying REST Container for Dynamic Method

Deploy the REST Container using RPP.

This section describes how to deploy the REST Container integrated with RPP. Deploy in the following order:

  1. Log Forwarder
  2. RPP
  3. REST Container

1.1 - Deploying Log Forwarder

Describes how to deploy the Log Forwarder.

The Log Forwarder is deployed as a DaemonSet. The following steps describe how to deploy Log Forwarder.

  1. On the Linux instance, run the following command to create the namespace required for Helm deployment.

    kubectl create namespace <Namespace name>
    

    For example:

    kubectl create namespace iap-rest
    
  2. On the Linux instance, navigate to the location where you have extracted the Helm charts to deploy the Log Forwarder.

    For more information about the extracted Helm charts, refer to the section Extracting the Installation Package.

    The logforwarder > values.yaml file contains the default configuration values for deploying the Log Forwarder container on the Kubernetes cluster. The following content shows an extract of the values.yaml file.

     ...
    
      # - Protegrity PSU(Protegrity Storage Unit)/ESA configuration.
      # Logforwarder will send audit records to below specified hosts/ip.
      # User can specify multiple PSU/ESA distribute the audit records and avoid downtime.
      opensearch:
       # -- specify a given name to uniquely identify PSU/ESA in the deployment.
       - name:
          # -- hostname/ip address of PSU/ESA
          host:
          # -- port address of ESA/PSU
          port: 9200
       # - name: node-2
       #   host: test-insight
       #   port: 9200
    
      # -- Kubernetes service configuration, represents a TCP endpoint to receive audit records
      # from the protectors.
      service:
        # -- Configure service type: ClusterIP for Logforwarder endpoint.
        type: ClusterIP
        # -- port to accept incoming audit records from the protector
        port: 15780
    
     ...
    
  3. Modify the default values in the values.yaml file as required. The fields are described below.

     opensearch/name
        Specify the unique name for the ESA.
     opensearch/host
        Specify the host name or IP address of the ESA.
     opensearch/port
        Specify the port number of the ESA. The default value is 9200.
     service/type
        Specify the service type for the Log Forwarder. The default value is ClusterIP.
     service/port
        Specify the service port of the Log Forwarder, which receives the audit logs from the protectors. The default value is 15780.

  4. Run the following command to deploy the Log Forwarder on the Kubernetes cluster.
helm install <Release_Name> --namespace <Namespace where you want to deploy the Log Forwarder container> <Location of the directory that contains the Helm charts>

For example:

helm install log1 --namespace iap-rest <Custom_path>/commonlogforwarder/

<Custom_path> is the directory where you have extracted the installation package.

  5. Run the following command to check the status of the pods.
kubectl get pods -n <Namespace>

For example:

kubectl get pods -n iap-rest
NAME                                         READY   STATUS    RESTARTS        AGE
log1-logforwarder-f6gvj                      1/1     Running   0               11h
log1-logforwarder-ls4hn                      1/1     Running   0               11h
log1-logforwarder-phk4t                      1/1     Running   0               11h
log1-logforwarder-z2mz7                      1/1     Running   0               11h

As the Log Forwarder is deployed as a DaemonSet, one instance of Log Forwarder is deployed on each node. In this example, one Log Forwarder pod is deployed per node.
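The pod-status check above can be scripted so that a deployment is only accepted when every pod is Running with all containers ready and the DaemonSet has produced exactly one Log Forwarder pod per node. The script below is an added example, not part of the Protegrity documentation; the listings it parses are constructed samples in the same layout as the kubectl output shown above, and the pod name suffixes in the second listing are made up.

```shell
#!/bin/sh
# Added example, not part of the Protegrity documentation: a post-deployment
# check over the output of "kubectl get pods -n <Namespace>". It verifies
# that every pod is Running with all of its containers ready and, because the
# Log Forwarder is a DaemonSet, that the number of <release>-logforwarder-*
# pods equals the number of nodes.

# pods_healthy <listing-file>
# Returns 0 when every pod row is Running and READY reads n/n; otherwise
# prints the offending rows and returns 1.
pods_healthy() {
  awk 'NR == 1 || NF == 0 { next }             # skip header and blank lines
       {
         split($2, r, "/")                     # READY column, e.g. 1/1
         if ($3 != "Running" || r[1] != r[2]) {
           printf "not ready: %s READY=%s STATUS=%s\n", $1, $2, $3
           bad++
         }
       }
       END { if (bad) exit 1 }' "$1"
}

# logforwarder_pod_count <listing-file> <release>
# Counts pods whose name starts with "<release>-logforwarder-".
logforwarder_pod_count() {
  awk -v prefix="$2-logforwarder-" \
      'NR > 1 && index($1, prefix) == 1 { n++ } END { print n + 0 }' "$1"
}

# check_logforwarder <listing-file> <release> <node-count>
# In a live cluster, node-count comes from: kubectl get nodes --no-headers | wc -l
check_logforwarder() {
  pods_healthy "$1" || return 1
  n=$(logforwarder_pod_count "$1" "$2")
  if [ "$n" -ne "$3" ]; then
    echo "expected $3 logforwarder pods (one per node), found $n" >&2
    return 1
  fi
  echo "$n logforwarder pods Running, one per node"
}

# Constructed sample listing (same layout as "kubectl get pods -n iap-rest").
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
NAME                                         READY   STATUS    RESTARTS        AGE
log1-logforwarder-f6gvj                      1/1     Running   0               11h
log1-logforwarder-ls4hn                      1/1     Running   0               11h
log1-logforwarder-phk4t                      1/1     Running   0               11h
log1-logforwarder-z2mz7                      1/1     Running   0               11h
EOF

# Second constructed listing: a fifth node whose pod is still starting.
SAMPLE_BAD=$(mktemp)
cat > "$SAMPLE_BAD" <<'EOF'
NAME                                         READY   STATUS              RESTARTS   AGE
log1-logforwarder-f6gvj                      1/1     Running             0          11h
log1-logforwarder-ls4hn                      1/1     Running             0          11h
log1-logforwarder-phk4t                      1/1     Running             0          11h
log1-logforwarder-z2mz7                      1/1     Running             0          11h
log1-logforwarder-k8x2q                      0/1     ContainerCreating   0          5s
EOF
trap 'rm -f "$SAMPLE" "$SAMPLE_BAD"' EXIT

check_logforwarder "$SAMPLE" log1 4                               # healthy
check_logforwarder "$SAMPLE_BAD" log1 5 || echo "deployment not complete"
```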

For information about configuring the Log Forwarder, refer to the section Configuration Parameters for Forwarding Audits and Logs.

1.2 - Deploying Resilient Package Proxy (RPP)

Describes how to deploy the Resilient Package Proxy (RPP).

The following steps describe how to deploy RPP.

Note: Ensure that you have deployed the Log Forwarder before deploying the RPP. For more information about deploying the Log Forwarder, refer to the section Deploying the Log Forwarder.

  1. Run the following command on the Jump box to generate the common certificate from the ESA certificates.
CertificatesSetup_Linux_x64_<Version>.sh -u <User> -p <Password> -h <Hostname or IP address of ESA> --port <Port number of ESA> -d <Directory>

For example:

CertificatesSetup_Linux_x64_<Version>.sh -u admin -p admin12345 -h 10.10.10.10 --port 8443 -d rpproxy

For more information about generating the ESA certificates, refer to the section Creating Certificates.

The following files are created:

  • CA.pem
  • cert.key
  • cert.pem
  • secret.txt

2. Run the following command to create a Kubernetes secret using the common certificate generated in step 1.

kubectl -n <Namespace> create secret generic common-cert --from-file=CA.pem=./CA.pem  --from-file=cert.key=./cert.key --from-file=cert.pem=./cert.pem --from-file=secret.txt=./secret.txt

Specify this secret as the value of the commonCertSecrets parameter in the values.yaml file. In this case, this secret is used in the following ways:

  • RPP uses the certificate as an upstream server certificate to download the policy packages from the ESA.
  • The protector uses the certificate as a client certificate to download the policy packages from the RPP.

If you do not specify any value for the commonCertSecrets parameter, then you need to specify separate values for the rpp/upstream/certificateSecret and service/certificateSecret parameters.

3. Run the following command on the Jump box to generate the upstream certificate between the ESA and the RPP.

CertificatesSetup_Linux_x64_<Version>.sh -u <User> -p <Password> -h <Hostname or IP address of ESA> --port <Port number of ESA> -d <Directory>

For example:

CertificatesSetup_Linux_x64_<Version>.sh -u admin -p admin12345 -h 10.10.10.10 --port 8443 -d rpproxy

For more information about generating the ESA certificates, refer to the section Creating Certificates.

The following files are created:

  • CA.pem
  • cert.key
  • cert.pem
  • secret.txt

Note: This certificate is created only if you are not using the common certificate.

4. Run the following command to create a Kubernetes secret using the upstream certificate generated in step 3.

kubectl -n <Namespace> create secret generic upstream-cert --from-file=CA.pem=./CA.pem  --from-file=cert.key=./cert.key --from-file=cert.pem=./cert.pem --from-file=secret.txt=./secret.txt

Note: This secret is created only if you are not using the common certificate.

Specify this secret as the value of the rpp/upstream/certificateSecret parameter in the values.yaml file.

5. Run the following command to generate the service TLS certificate.

CreateCertificate_Linux_x64_<Version>.sh server --name <Directory> --dns <Release_Name>.<namespace>.svc

For example:

CreateCertificate_Linux_x64_<Version>.sh server --name rpproxy --dns rpp.iap-rest.svc

For more information about generating the server certificates, refer to the section Creating Certificates.

The following certificate files are created in the rpproxy folder:

  • cert.pem
  • cert.key
  • CA.pem
  • secret.txt

This certificate is used as the server certificate that the protector uses to authenticate the RPP when downloading policy packages.

Ensure that the namespace and release name that you specify in this command are the same names that you specify in step 7 while deploying the RPP Helm chart.

Note: This certificate is created only if you are not using the common certificate.

6. Run the following command to generate the secret for the service TLS certificate.

kubectl -n <Namespace> create secret generic service-certs --from-file=CA.pem=<path-to-CA.pem> --from-file=cert.key=<path-to-cert.key> --from-file=cert.pem=<path-to-cert.pem> --from-file=secret.txt=<path-to-secret.txt>

For more information about generating the server certificates, refer to the section Creating Certificates.

Note: This secret is created only if you are not using the common certificate.

Specify this secret as the value of the service/certificateSecret parameter in the values.yaml file.

7. On the Linux instance, navigate to the location where you have extracted the Helm charts to deploy the RPP.

For more information about the extracted Helm charts, refer to the section Initializing the Linux instance.

The rp-proxy > values.yaml file contains the default configuration values for deploying the RPP container on the Kubernetes cluster.

...

podSecurityContext:
  fsGroup: 1000

...

#-- k8s secret for storing common certificates
# eg. kubectl command: 
#     kubectl -n $RPP_NAMESPACE create secret generic common-certs \
#     --from-file=CA.pem=<path-to-CA.pem> --from-file=cert.key=<path-to-cert.key> \
#     --from-file=cert.pem=<path-to-cert.pem> --from-file=secret.txt=<path-to-secret.txt>
commonCertSecrets:

rpp:
  #-- upstream configuration
  # host: Upstream host to connect
  # port: Upstream port to connect
  upstream:
    host:
    port: 25400
    #-- certificateSecret : k8s secret for storing upstream tls certificates 
    # NOTE : Only to be set when not using common certificate secret
    # eg. kubectl command: 
    #     kubectl -n $RPP_NAMESPACE create secret generic upstream-certs \
    #     --from-file=CA.pem=<path-to-CA.pem> --from-file=cert.key=<path-to-cert.key> \
    #     --from-file=cert.pem=<path-to-cert.pem> --from-file=secret.txt=<path-to-secret.txt>
    certificateSecret:

  #-- logging configuration
  # logLevel: Specifies the logging level for rpproxy
  # INFO (default)
  # ERROR
  # WARN
  # DEBUG
  # TRACE
  # logHost: Host to forward the logs (Default : 127.0.0.1)
  # logPort: Port to forward the logs (Default : 15780)
  logging:
    logLevel: "INFO"
    logHost: "127.0.0.1"
    logPort: 15780

  #-- service configuration
  # certificateSecret : k8s secret for storing service tls certificates
  # NOTE : Only to be set when not using common certificate secret
  # eg. kubectl command: 
  #     kubectl -n $RPP_NAMESPACE create secret generic service-certs \
  #     --from-file=CA.pem=<path-to-CA.pem> --from-file=cert.key=<path-to-cert.key> \
  #     --from-file=cert.pem=<path-to-cert.pem> --from-file=secret.txt=<path-to-secret.txt>
  # cacheTTL: 
  # TTL sets the duration (in seconds) of which a cached item is considered fresh.
  # When a cached item's TTL expires, the item will be revalidated.
  service:
    certificateSecret:
    cacheTTL: 60

...

  8. Modify the default values in the values.yaml file as required. The fields are described below.

     podSecurityContext
        Specify the privilege and access control settings for the pod. The default values are set as follows:
          • fsGroup - 1000
     commonCertSecrets
        Specify the Kubernetes secret, which you have created in step 2, for storing the common certificates.
        If you specify the value of this parameter, then do not specify the values for the rpp/upstream/certificateSecret and service/certificateSecret parameters. The same common certificate will be used by RPP to download the policy packages from the ESA and by the protector to download the policy packages from the RPP.
     rpp/upstream/host
        Specify the host name or IP address of the upstream server that is providing the policy packages. The upstream server can be another RPP or the ESA.
     rpp/upstream/port
        Specify the port number of the upstream server that is providing the policy packages. The default value is 25400.
     rpp/upstream/certificateSecret
        Specify the Kubernetes secret, which you have created in step 4, that contains the certificate used to authenticate the ESA.
        Note: This certificate is set only if you are not using the commonCertSecrets parameter.
     logging/logLevel
        Specify the application log level during runtime. You can set one of the following values:
          • INFO
          • ERROR
          • WARN
          • DEBUG
          • TRACE
        The default value is INFO.
     logging/logHost
        Specify the service hostname of the Log Forwarder, where the logs are forwarded. The default value is <Helm_Installation_Name>-<Helm_Chart_Name>.<Namespace>.svc. For example, iaplog-logforwarder.iaprest.svc.
     logging/logPort
        Specify the service port of the Log Forwarder, where the logs are forwarded. The default value is 15780.
     service/certificateSecret
        Specify the Kubernetes secret, which you have created in step 6, that enables the protector to authenticate the RPP.
        Note: This certificate is set only if you are not using the commonCertSecrets parameter.
     service/cacheTTL
        Specify the duration, in seconds, after which the cache is refreshed. When the cache TTL expires, the cache has to be revalidated or updated. This interval controls the refresh time of the policy. The default value is 60.

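The rule on commonCertSecrets versus the two certificateSecret parameters (either the common secret alone, or both rpp/upstream/certificateSecret and service/certificateSecret, never a mix) is easy to get wrong when editing values.yaml by hand, and a mis-set value only shows up as a failed policy download after helm install. The script below is an added example, not part of the Protegrity documentation or chart; it reads the chart's flat, two-space-indented values.yaml layout with a minimal awk reader (not a general YAML parser), and the secret names and upstream host in its constructed sample files are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Protegrity documentation or charts.
# Pre-install check for rp-proxy/values.yaml: either commonCertSecrets is set
# and both certificateSecret fields are empty, or commonCertSecrets is empty
# and both rpp.upstream.certificateSecret and rpp.service.certificateSecret
# are set.

# yaml_value <file> <key> [<parent>]
# Minimal reader for the chart's values.yaml layout: top-level keys at column
# 0, section keys such as upstream:/logging:/service: at column 2, their
# children at column 4. Comments and surrounding quotes are stripped.
yaml_value() {
  awk -v key="$2" -v parent="$3" '
    { sub(/[[:space:]]*#.*$/, ""); sub(/[[:space:]]+$/, "") }   # drop comments
    $0 == "" { next }
    {
      match($0, /^ */); indent = RLENGTH
      line = substr($0, indent + 1)
      split(line, kv, ":"); k = kv[1]
      v = substr(line, length(k) + 2); sub(/^ +/, "", v); gsub(/"/, "", v)
      if (indent == 0) cur_parent = ""        # back at top level
      if (indent == 2) cur_parent = k         # e.g. upstream, logging, service
      if (k == key && ((parent == "" && indent == 0) ||
                       (parent != "" && indent == 4 && cur_parent == parent))) {
        print v; exit
      }
    }' "$1"
}

# validate_rpp_cert_config <values.yaml>
# Returns 0 when the certificate-secret settings are consistent, 1 otherwise.
validate_rpp_cert_config() {
  f="$1"
  common=$(yaml_value "$f" commonCertSecrets)
  upstream=$(yaml_value "$f" certificateSecret upstream)
  service=$(yaml_value "$f" certificateSecret service)
  if [ -n "$common" ]; then
    if [ -n "$upstream" ] || [ -n "$service" ]; then
      echo "commonCertSecrets is set: leave rpp.upstream.certificateSecret and rpp.service.certificateSecret empty" >&2
      return 1
    fi
    echo "using common certificate secret '$common'"
    return 0
  fi
  if [ -z "$upstream" ] || [ -z "$service" ]; then
    echo "commonCertSecrets is empty: both rpp.upstream.certificateSecret and rpp.service.certificateSecret are required" >&2
    return 1
  fi
  echo "using upstream secret '$upstream' and service secret '$service'"
}

# write_sample_values <file> <commonCertSecrets> <upstream secret> <service secret>
# Writes a constructed values.yaml in the same shape as the chart extract.
write_sample_values() {
  cat > "$1" <<EOF
podSecurityContext:
  fsGroup: 1000

#-- k8s secret for storing common certificates
commonCertSecrets: $2

rpp:
  #-- upstream configuration
  upstream:
    host: esa.example.internal
    port: 25400
    certificateSecret: $3

  logging:
    logLevel: "INFO"
    logHost: "127.0.0.1"
    logPort: 15780

  service:
    certificateSecret: $4
    cacheTTL: 60
EOF
}

# Constructed samples: one valid file of each kind and two misconfigurations.
tmp=$(mktemp -d)
write_sample_values "$tmp/common.yaml"   common-cert "" ""
write_sample_values "$tmp/separate.yaml" "" upstream-cert service-certs
write_sample_values "$tmp/mixed.yaml"    common-cert upstream-cert ""
write_sample_values "$tmp/missing.yaml"  "" upstream-cert ""
for name in common separate mixed missing; do
  if validate_rpp_cert_config "$tmp/$name.yaml"; then
    echo "$name.yaml: ready for helm install"
  else
    echo "$name.yaml: fix values.yaml before helm install"
  fi
done
rm -rf "$tmp"
```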
  9. Run the following command to deploy the RPP on the Kubernetes cluster.
helm install <Release_Name> --namespace <Namespace where you want to deploy the RPP container> <Location of the directory that contains the Helm charts>

For example:

helm install rpp --namespace iap-rest rpproxy/

Ensure that you specify the same release name and namespace that you have used while creating the service TLS certificate in step 5.

  10. Run the following command to check the status of the pods.
kubectl get pods -n <Namespace>

For example:

kubectl get pods -n iap-rest
NAME                                         READY   STATUS    RESTARTS        AGE
rpp-rpproxy-5fd7d859b6-p9544                 1/1     Running   0               11h

1.3 - Deploying the REST Container with Dynamic Method

Describes how to deploy the REST Container using the Dynamic deployment method.

The following steps describe how to deploy the REST Container.

  1. Run the following command to generate the client certificate for connecting to the RPP.
CreateCertificate_Linux_x64_<Version>.sh client --name <Directory> --dns <Release_Name>.<namespace>.svc

For example:

CreateCertificate_Linux_x64_<Version>.sh client --name rpproxy-client --dns rpp.iap-rest.svc

For more information about generating the client certificates, refer to the section Creating Certificates.

The following client certificate files are created in the rpproxy-client folder:

  • cert.pem
  • cert.key
  • CA.pem
  • secret.txt

This certificate is used by the protector as a client certificate when authenticating to the RPP to download policy packages.

Ensure that the namespace and release name that you specify in this command are the same names that you specify in step 7 while deploying the RPP Helm chart.

2. Run the following command to generate the secret for the RPP client certificate created in step 1.

kubectl -n <RPP_Namespace> create secret generic rpp-client-certs --from-file=CA.pem=<path-to-CA.pem> --from-file=cert.key=<path-to-cert.key> --from-file=cert.pem=<path-to-cert.pem> --from-file=secret.txt=<path-to-secret.txt>

For more information about generating the client certificates, refer to the section Creating Certificates.

Specify this secret as the value of the protector/policy/certificates parameter in the values.yaml file.

3. Run the following command to generate the TLS certificate for the server that hosts the REST Container endpoint.

CreateCertificate_Linux_x64_<Version>.sh server --name <Directory> --dns <DNS_Name> --noenc

For example:

CreateCertificate_Linux_x64_<Version>.sh server --name rest-server --dns test-sampleapp-10-v1.example.com --noenc

The following server certificate files are created in the rest-server folder:

  • cert.pem
  • cert.key
  • CA.pem

For more information about generating the certificates, refer to step 6 in section Creating Certificates.

4. Run the following command to generate a secret using the server certificate for the REST Container endpoint.

kubectl -n <Namespace> create secret generic pty-rest-server-secret --from-file=CA.pem=<path-to-CA.pem> --from-file=cert.key=<path-to-cert.key> --from-file=cert.pem=<path-to-cert.pem>

For more information about generating the server certificates, refer to the section Creating Certificates.

Specify this secret as the value of the service/certificates parameter in the values.yaml file.

  5. Run the following command to generate the client certificate for accessing the REST Container endpoint.
CreateCertificate_Linux_x64_<Version>.sh client --name <Directory> --dns <Namespace_name> --noenc

For example:

CreateCertificate_Linux_x64_<Version>.sh client --name rest-client --dns test-sampleapp-10-v1.example.com --noenc

The following client certificate files are created in the rest-client folder:

  • cert.pem
  • cert.key
  • CA.pem

These certificates are used in the curl command for invoking the REST APIs.

For more information about generating the certificates, refer to step 6 in section Creating Certificates.

  6. On the Linux instance, navigate to the location where you have extracted the Helm charts to deploy the REST Container.

    The dynamic > values.yaml file contains the default configuration values for deploying the REST Container on the Kubernetes cluster. The following content shows an extract of the values.yaml file.

# -- create image pull secrets and specify the name here.
# remove the [] after 'imagePullSecrets:' once you specify the secrets
imagePullSecrets: []
# - name: regcred

nameOverride: ""
fullnameOverride: ""

# REST protector image configuration
iaprestImage:
  # -- rest protector image registry address
  repository:
  # -- rest protector image tag name
  tag:
  # -- The pullPolicy for a container and the tag of the image affect 
  # when the kubelet attempts to pull (download) the specified image.
  pullPolicy: IfNotPresent

# Docker Hub Image (Root User): docker.io/nginx:stable 
# To use nginx image that runs with non-root permissions
# Ref. https://hub.docker.com/r/nginxinc/nginx-unprivileged
nginxImage:
  # -- nginx image registry address
  repository:
  # -- nginx image tag name
  tag: 
  # -- The pullPolicy for a container and the tag of the image affect 
  # when the kubelet attempts to pull (download) the specified image.
  pullPolicy: IfNotPresent

# specify CPU and memory requirement of REST protector container
iaprestResources:
  limits:
    cpu: 1000m 
    memory: 3000Mi
  requests:
    cpu: 500m
    memory: 800Mi

# specify CPU and memory requirement of nginx proxy container
nginxResources:
  limits:
    cpu: 500m
    memory: 512Mi
  requests:
    cpu: 200m
    memory: 200Mi

...
   
## -- pod service account to be used
## leave the field empty if not applicable
serviceAccount:
  # The name of the service account to use.
  name:

# Specify any additional annotation to be associated with pod
podAnnotations:
  checksum/nginx-config: '{{ include (print $.Template.BasePath "/nginx-configmap.yaml") . | sha256sum }}'
  checksum/rest-config: '{{ include (print $.Template.BasePath "/rest-configmap.yaml") . | sha256sum }}'

## set the Pod's security context object
## leave the field empty if not applicable
podSecurityContext:
  fsGroup: 1000

## set the iapRest Container's security context object
## leave the field empty if not applicable
iaprestContainerSecurityContext:
  capabilities:
    drop:
    - ALL
  allowPrivilegeEscalation: false
  privileged : false
  runAsNonRoot : true
  readOnlyRootFilesystem: true
  seccompProfile:
    type: RuntimeDefault

## set the nginx Container's security context object
## leave the field empty if not applicable
nginxContainerSecurityContext:
  capabilities:
    drop:
    - ALL
  allowPrivilegeEscalation: false
  privileged : false
  runAsNonRoot : true
  readOnlyRootFilesystem: true
  seccompProfile:
    type: RuntimeDefault

# protector configuration
protector:
  # Policy information for the protector initialization
  policy:
    # Cadence determines how often the protector connects with ESA / proxy to 
    # fetch the policy updates in background. Default is 60 seconds. 
    # So by default, every 60 seconds protector tries to fetch the policy updates.
    # If the cadence is set to "0", then the protector will get the policy only 
    # once, which is not recommended.
    #
    # Default 60.
    cadence: 60

    # -- Host/IP to the service providing Resilient Packages either rpproxy 
    # service or ESA.
    host:

    # -- certificates used to communicate with service providing Resilient packages.
    # specify certificate secret name.
    # -- TLS certificate rp-proxy service.
    # kubectl -n $NAMESPACE create secret generic pty-rpp-tls \
    #   --from-file=cert.pem=./certs/cert.pem \
    #   --from-file=cert.key=./certs/cert.key \
    #   --from-file=CA.pem=./ca/CA.pem \
    #   --from-file=secret.txt=./certs/secret.txt
    certificates: 
  
  # Logforwarder configuration
  logs:
    # -- In case that connection to fluent-bit is lost, set how audits/logs are handled
    # 
    # drop  : Protector throws logs away if connection to the fluentbit is lost.
    # error : (default) Protector returns error without protecting/unprotecting 
    #         data if connection to the fluentbit is lost.
    mode: error

    # -- Host/IP to fluent-bit where audits/logs will be forwarded from the protector
    #
    # Default localhost
    host:

# nginx configuration
nginx:
  # configure audit records generate by nginx service.
  # The generated records are sent to stdout.
  # Error logs are enabled by default.
  logs:
    # -- configure http client request access logs, by default the records
    # are sent to stdout
    request_logs: false
    # -- configure kubelet health check probe access logs, by default the records
    # are sent to stdout.
    probe_logs: false

# -- specify the initial no. of rest Pod replicas
replicaCount: 1

# HPA configuration
autoScaling:
  # -- lower limit on the number of replicas to which the autoscaler
  # can scale down to.
  minReplicas: 1
  # -- upper limit on the number of replicas to which 
  # the autoscaler can scale up. It cannot be less that minReplicas.
  maxReplicas: 10
  # -- CPU utilization threshold which triggers the autoscaler
  targetCPU: 70

# Kubernetes service configuration, represents a HTTP service to host
# REST protector endpoint.
service:
  # -- Configure service type: LoadBalancer or ClusterIP for rest protector
  # endpoint
  type: ClusterIP
  port: 443

  # -- secret name containing server TLS certificates to host 
  # rest protector endpoint.
  # kubectl -n $NAMESPACE create secret generic pty-rest-tls \
  #   --from-file=cert.pem=./certs/cert.pem \
  #   --from-file=cert.key=./certs/cert.key \
  #   --from-file=CA.pem=./ca/CA.pem
  certificates:

  # -- Specify k8s service related annotations
  # annotation can configure internal load balancer
  # AWS internal load balancer
  #service.beta.kubernetes.io/aws-load-balancer-internal: "true"
  # AZURE internal load balancer
  #service.beta.kubernetes.io/azure-load-balancer-internal: "true"
  # GCP internal load balancer
  #networking.gke.io/load-balancer-type: "Internal" 
  annotations:
    #service.beta.kubernetes.io/aws-load-balancer-internal: "true"
    #service.beta.kubernetes.io/azure-load-balancer-internal: "true"
    #networking.gke.io/load-balancer-type: "Internal"

  7. Modify the default values in the values.yaml file as required. The fields are described below.

     iaprestImage
        Specify the repository and tag details for the REST Container image.
     nginxImage
        Specify the repository and tag details for the NGINX image. For example:
          • nginxImage.repository="nginxinc/nginx-unprivileged"
          • nginxImage.tag="1.25.2"
     iaprestResources
        Specify the CPU and memory requirements for the REST Container.
     nginxResources
        Specify the CPU and memory requirements for the NGINX container.
     serviceAccount/name
        Specify the name of the pod service account. Leave the field empty if it is not applicable.
     podSecurityContext
        Specify the privilege and access control settings for the pod. The default values are set as follows:
          • fsGroup - 1000
     iaprestContainerSecurityContext, nginxContainerSecurityContext
        Specify the privilege and access control settings for the REST Container and the NGINX container respectively.
     protector/policy/cadence
        Specify the time interval in seconds after which the protector connects with the RPProxy to retrieve the policy package. By default, the value is set to 60. Ensure that the value is not set to 0; otherwise, the protector retrieves the policy only once.
     protector/policy/host
        Specify the host name or IP address of the RPProxy.
     protector/policy/certificates
        Specify the name of the secret for the certificate, which you have created in step 2, that is used to authenticate the RPProxy for downloading the policy package.
     protector/logs/mode
        Specify one of the following options in case the connection to the Log Forwarder is lost:
          • drop - The protector deletes the logs.
          • error - The protector returns an error without protecting or unprotecting the data.
        By default, the value is set to error.
     protector/logs/host
        Specify the service hostname of the Log Forwarder, where the logs are forwarded. The default value is <Helm_Installation_Name>-<Helm_Chart_Name>.<Namespace>.svc. For example, iaplog-logforwarder.iaprest.svc.
     nginx/logs/request_logs
        Specify whether to enable or disable the HTTP client request access logs. By default, the value is set to false.
     nginx/logs/probe_logs
        Specify whether to enable or disable the Kubelet health check probe access logs. By default, the value is set to false.
     replicaCount
        Specify the initial number of REST pod replicas.
     autoScaling
        Specify the configuration required for Horizontal Pod Autoscaling.
     service/type
        Specify the service type for the REST Container. By default, this value is set to ClusterIP. Change this value to LoadBalancer to send HTTPS requests to the REST Container pod from outside the cluster.
     service/port
        Specify the service port number for the REST Container. By default, the value is set to 443.
     service/certificates
        Specify the name of the secret, which you have created in step 4, that contains the server TLS certificates used to host the REST protector endpoint.
     service/annotations
        Specify the annotations for the respective cloud platform if you want to use the internal load balancer instead of the NGINX ingress. By default, this value is left blank.

  8. Run the following command to deploy the REST Container on the Kubernetes cluster.
helm install <Release_Name> --namespace <Namespace where you want to deploy the REST container> <Location of the directory that contains the Helm charts>

For example:

helm install iap-rest-dynamic --namespace iap-rest dynamic/

  9. Run the following command to check the status of the pods.
kubectl get pods -n <Namespace>

For example:

kubectl get pods -n iap-rest
NAME                                         READY   STATUS    RESTARTS        AGE
iap-rest-iap-rest-dynamic-7b97d5dff7-grqph   2/2     Running   0               11h
log1-logforwarder-f6gvj                      1/1     Running   0               11h
log1-logforwarder-ls4hn                      1/1     Running   0               11h
log1-logforwarder-phk4t                      1/1     Running   0               11h
log1-logforwarder-z2mz7                      1/1     Running   0               11h
rpp-rpproxy-5fd7d859b6-p9544                 1/1     Running   0               11h

1.4 - Uninstalling the Protector in Dynamic Method

Describes the steps to uninstall the REST Container deployed with the Dynamic method.

To uninstall the Protector:

  1. Run the following command to uninstall the Log Forwarder from the Kubernetes cluster.
helm uninstall <Release_Name> --namespace <Namespace where the Log Forwarder is deployed>

For example:

helm uninstall log1 --namespace iap-rest

  2. Run the following command to uninstall the RPP from the Kubernetes cluster.
helm uninstall <Release_Name> --namespace <Namespace where RPP is deployed>

For example:

helm uninstall rpp --namespace iap-rest

  3. Run the following command to uninstall the REST Container from the Kubernetes cluster.
helm uninstall <Release_Name> --namespace <Namespace where the REST Container is deployed>

For example:

helm uninstall iap-rest-dynamic --namespace iap-rest

  4. Run the following command to delete the Kubernetes secrets.
kubectl delete secret <Secret_Name> --namespace <Namespace where the REST Container is deployed>

For example:

kubectl delete secret common-cert --namespace iap-rest

Repeat this step to delete all the secrets that you have created while deploying the RPP and the REST Container:

  • common-cert
  • upstream-cert
  • service-certs
  • rpp-client-certs
  • pty-rest-server-secret
  • regcred

  5. Run the following command to delete the Kubernetes namespace. The namespace is deleted with kubectl, not Helm; Helm only manages releases.
kubectl delete namespace <Namespace where the REST Container is deployed>

For example:

kubectl delete namespace iap-rest

2 - Deploying REST Product in Static Mode

Deploy the REST Container in static mode.

This section describes how to deploy the REST Container in static mode.

2.1 - Retrieving the Policy Package from the ESA

Use the RPS API to retrieve the policy package from the ESA.

This section describes how to invoke the RPS APIs to retrieve the policy package using the ESA.

Note: Ensure that the Export Resilient Package permission is granted to the role that is assigned to the user exporting the package from the ESA.

Warning: Do not modify the package that has been exported using the RPS Service API.

To retrieve the policy package from the ESA:

  1. Download the policy package from the ESA and encrypt the policy package using a KMS, then run the following command.

    If you are using 10.1 ESA, then refer to the section Using the Encrypted Resilient Package REST APIs for more information about the RPS API.

    If you are using 10.2 ESA, then refer to the section Using the Encrypted Resilient Package REST APIs for more information about the RPS API.

    If you are using Protegrity Provisioned Cluster, then navigate to Protegrity Product Documentation. Then, navigate to Edition > AI Team Edition > Infrastructure > Protegrity REST APIs > Using the Encrypted Resilient Package REST APIs for more information about the RPS API.

    The policy package is downloaded to your machine.

  2. Copy the policy package file to an AWS S3 bucket or AWS EFS, as required.

2.2 - Deploying Log Forwarder

Describes how to deploy the Log Forwarder.

The Log Forwarder is deployed as a DaemonSet. The following steps describe how to deploy Log Forwarder.

  1. On the Linux instance, run the following command to create the namespace required for Helm deployment.

    kubectl create namespace <Namespace name>
    

    For example:

    kubectl create namespace iap-rest
    
  2. On the Linux instance, navigate to the location where you have extracted the Helm charts to deploy the Log Forwarder.

    For more information about the extracted Helm charts, refer to the section Extracting the Installation Package.

    The logforwarder > values.yaml file contains the default configuration values for deploying the Log Forwarder container on the Kubernetes cluster. The following content shows an extract of the values.yaml file.

     ...
    
      # - Protegrity PSU(Protegrity Storage Unit)/ESA configuration.
      # Logforwarder will send audit records to below specified hosts/ip.
      # User can specify multiple PSU/ESA distribute the audit records and avoid downtime.
      opensearch:
       # -- specify a given name to uniquely identify PSU/ESA in the deployment.
       - name:
          # -- hostname/ip address of PSU/ESA
          host:
          # -- port address of ESA/PSU
          port: 9200
       # - name: node-2
       #   host: test-insight
       #   port: 9200
    
      # -- Kubernetes service configuration, represents a TCP endpoint to receive audit records
      # from the protectors.
      service:
        # -- Configure service type: ClusterIP for Logforwarder endpoint.
        type: ClusterIP
        # -- port to accept incoming audit records from the protector
        port: 15780
    
     ...
    
  3. Modify the default values in the values.yaml file as required. The fields are described below.

     opensearch/name
        Specify the unique name for the ESA.
     opensearch/host
        Specify the host name or IP address of the ESA.
     opensearch/port
        Specify the port number of the ESA. The default value is 9200.
     service/type
        Specify the service type for the Log Forwarder. The default value is ClusterIP.
     service/port
        Specify the service port of the Log Forwarder, which receives the audit logs from the protectors. The default value is 15780.
  4. Run the following command to deploy the Log Forwarder on the Kubernetes cluster.
helm install <Release_Name> --namespace <Namespace where you want to deploy the RPP container> <Location of the directory that contains the Helm charts>

For example:

helm install log1 --namespace iap-rest <Custom_path>/commonlogforwarder/

<Custom_path> is the directory where you have extracted the installation package.

  5. Run the following command to check the status of the pods.
kubectl get pods -n <Namespace>

For example:

kubectl get pods -n iap-rest
NAME                                         READY   STATUS    RESTARTS        AGE
log1-logforwarder-f6gvj                      1/1     Running   0               11h
log1-logforwarder-ls4hn                      1/1     Running   0               11h
log1-logforwarder-phk4t                      1/1     Running   0               11h
log1-logforwarder-z2mz7                      1/1     Running   0               11h

As the Log Forwarder is deployed as a DaemonSet, one instance of Log Forwarder is deployed on each node. In this example, one Log Forwarder pod is deployed per node.

For information about configuring the Log Forwarder, refer to the section Configuration Parameters for Forwarding Audits and Logs.

2.3 - Deploying KMSProxy Container

Describes how to deploy the KMSProxy container.

The following steps describe how to deploy the KMSProxy container.

  1. Run the following command to generate the TLS server certificate for the KMS-Proxy service.
CreateCertificate_Linux_x64_<Version>.sh server --name <Directory> --dns <Release_Name>.<namespace>.svc

For example:

CreateCertificate_Linux_x64_<Version>.sh server --name kms-proxy-server --dns kms-proxy.<namespace>.svc

For more information about generating the server certificates, refer to the section Creating Certificates.

The following server certificates files are created in the kms-proxy-server folder:

  • cert.pem
  • cert.key
  • CA.pem
  • secret.txt

These certificates are used by the protector as a server certificate to authenticate the KMS-Proxy service.

Ensure that the namespace and release name that you specify in this command are the same names that you specify in step 5 while deploying the KMS-Proxy Helm chart.

For more information about the data encryption key used in the AWS KMS, refer to the section Creating a Data Encryption Key (DEK).

2. Run the following command to generate the secret for the KMS-Proxy server certificate.

kubectl -n <KMS-Proxy_Namespace> create secret generic service-certs --from-file=CA.pem=<path-to-CA.pem> --from-file=cert.key=<path-to-cert.key> --from-file=cert.pem=<path-to-cert.pem> --from-file=secret.txt=<path-to-secret.txt>

For more information about generating the certificates, refer to the section Creating Certificates.

Specify this secret as the value of the service/certificates parameter in the values.yaml file.

  3. On the Linux instance, navigate to the location where you have extracted the Helm charts to deploy the KMSProxy container.
    For more information about the extracted Helm charts, refer to the section Extracting the Installation Package.

    The kms-proxy > values.yaml file contains the default configuration values for deploying the KMSProxy container on the Kubernetes cluster. The following content shows an extract of the values.yaml file.

    ...

    # -- service account must be linked to a cloud role to access appropriate KMS keyid.
    # the cloud role must have decrypt permission on keyid
    serviceAccount:
      # The name of the service account to use.
      name:

    # Specify any additional annotation to be associated with pod
    podAnnotations:
      checksum/kmsproxy-config: '{{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}'

    ## set the Pod's security context object
    podSecurityContext:
      fsGroup: 2000

    ## set the Container's security context object
    securityContext:
      capabilities:
        drop:
        - ALL
      readOnlyRootFilesystem: true
      runAsNonRoot: true
      runAsUser: 1000

    #-- cloud kms related configuration
    kms:
      # -- Specify Cloud KMS vendor
      # expected values are: AWS, GCP, AZURE
      vendor: ""

      #--- specify identifier for RSA key hosted by the cloud KMS.
      # In case of AWS identifier is the key ARN (Amazon resource identifier)
      # In GCP, identifier is key resourceid
      # and for Azure identifier is keyid
      keyid: ""

    # kms-proxy service configuration
    application:
      # -- The cache will keep the content (decrypted KEK) for the specified TTL (time to live)
      # duration in seconds. Once the TTL expires the value from the cache is cleared.
      # Based on the amount of time required to update/install the protector deployment, update
      # the ttl. Default is 1200 seconds (20 minutes)
      ttl: 1200

      # -- By default, log level for the application is set to INFO.
      # available logging levels are INFO, DEBUG, TRACE
      # to enable http access log set the logLevel to TRACE
      logLevel: INFO

    # Kubernetes service configuration, represents a HTTP service to host
    # kms proxy endpoint.
    service:
      # -- Configure service type: ClusterIP for kms-proxy endpoint
      type: ClusterIP
      port: 443
      # -- TLS certificate of kms-proxy service.
      # kubectl -n $NAMESPACE create secret generic pty-kms-proxy-tls \
      #   --from-file=cert.pem=./certs/cert.pem \
      #   --from-file=cert.key=./certs/cert.key \
      #   --from-file=CA.pem=./ca/CA.pem \
      #   --from-file=secret.txt=./certs/secret.txt
      certificates:

    ...
  4. Modify the default values in the values.yaml file as required.

| Field | Description |
| --- | --- |
| serviceAccount/name | Specify the name of the service account that is linked to a role having access to the Key ID of the respective cloud. Ensure that the role has decrypt permissions on the Key ID. |
| podSecurityContext | Specify the privilege and access control settings for the pod. The default value is fsGroup - 2000. |
| kms/vendor | Specify the cloud vendor. For example, AWS, Azure, or GCP. |
| kms/keyid | Specify the key Amazon Resource Name (ARN) for AWS. |
| application/ttl | Specify the time to live in seconds for which the KMSProxy cache retains the decrypted KEK. The default value is 1200, which equals 20 minutes. |
| application/logLevel | Specify the log level for the application. The applicable values are INFO, TRACE, and DEBUG. The default value is INFO. Set this value to TRACE to enable the HTTP access log. |
| service/type | Specify the HTTP service type to host the KMSProxy endpoint. The default value is ClusterIP. |
| service/port | Specify the port number for the KMSProxy endpoint. The default value is 443. |
| service/certificates | Specify the name of the secret for the TLS certificate of the KMS Proxy service that you have created in step 2. |

5. Run the following command to deploy the KMSProxy container on the Kubernetes cluster.

helm install <Release_Name> --namespace <Namespace to deploy KMSProxy container> <Location of the directory containing Helm charts>

For example:

helm install kmsproxy --namespace iap-rest kms-proxy/
  6. Run the following command to check the status of the pods.
kubectl get pods -n <Namespace>

For example:

kubectl get pods -n iap-rest
NAME                                         READY   STATUS    RESTARTS        AGE
kms-10-v1-kms-proxy-7b97d5dff7-grqph         2/2     Running   0               11h
log1-logforwarder-f6gvj                      1/1     Running   0               11h
log1-logforwarder-ls4hn                      1/1     Running   0               11h
log1-logforwarder-phk4t                      1/1     Running   0               11h
log1-logforwarder-z2mz7                      1/1     Running   0               11h

2.4 - Deploying REST Container Using Static Method

Describes how to deploy the REST container using the Static deployment method.

The following steps describe how to deploy the REST Container.

  1. Run the following command to generate the client certificate to authenticate with the KMS-Proxy service.
CreateCertificate_Linux_x64_<Version>.sh client --name <Directory> --dns <Release_Name>.<namespace>.svc

For example:

CreateCertificate_Linux_x64_<Version>.sh client --name kms-client --dns kms-proxy.<namespace>.svc

For more information about generating the client certificates, refer to the section Creating Certificates.

The following client certificates files are created in the kms-client folder:

  • cert.pem
  • cert.key
  • CA.pem
  • secret.txt

This certificate is used by the protector as a client certificate to authenticate the protector with the KMS-Proxy service.

Ensure that the namespace and release name that you specify in this command are the same names that you specify in step 5 while deploying the KMS-Proxy Helm chart.

2. Run the following command to generate the secret for the KMS-Proxy client certificate created in step 1.

kubectl -n <KMS-Proxy_Namespace> create secret generic service-certs --from-file=CA.pem=<path-to-CA.pem> --from-file=cert.key=<path-to-cert.key> --from-file=cert.pem=<path-to-cert.pem> --from-file=secret.txt=<path-to-secret.txt>

For more information about generating the client certificates, refer to the section Creating Certificates.

Specify this secret as the value of the kms/certificates parameter in the values.yaml file.

  3. Run the following command to generate the TLS certificate for the server that hosts the REST Container endpoint.
CreateCertificate_Linux_x64_<Version>.sh server --name <Directory> --dns <DNS_Name> --noenc

For example:

CreateCertificate_Linux_x64_<Version>.sh server --name rest-server --dns test-sampleapp-10-v1.example.com --noenc

The following server certificates files are created in the rest-server folder:

  • cert.pem
  • cert.key
  • CA.pem

For more information about generating the certificates, refer to the section Creating Certificates.

4. Run the following command to generate a secret using the server certificate for the REST Container endpoint.

kubectl -n <Namespace> create secret generic pty-rest-server-secret --from-file=CA.pem=<path-to-CA.pem> --from-file=cert.key=<path-to-cert.key> --from-file=cert.pem=<path-to-cert.pem>

For more information about generating the server certificates, refer to the section Creating Certificates.

Specify this secret as the value of the service/certificates parameter in the values.yaml file.

  5. Run the following command to generate the client secret for accessing the REST Container endpoint.
CreateCertificate_Linux_x64_<Version>.sh client --name <Directory> --dns <Namespace_name> --noenc

For example:

CreateCertificate_Linux_x64_<Version>.sh client --name rest-client --dns test-sampleapp-10-v1.example.com --noenc

The following client certificates files are created in the rest-client folder:

  • cert.pem
  • cert.key
  • CA.pem

These certificates are used in the curl command for invoking the REST APIs.

For more information about generating the certificates, refer to the section Creating Certificates.

  6. On the Linux instance, navigate to the location where you have extracted the Helm charts to deploy the REST Container.

    The devops > values.yaml file contains the default configuration values for deploying the REST Container on the Kubernetes cluster. The following content shows the values.yaml file.


## -- create image pull secrets and specify the name here.
## remove the [] after 'imagePullSecrets:' once you specify the secrets
imagePullSecrets: []
# - name: regcred

nameOverride: ""
fullnameOverride: ""

# REST protector image configuration
iaprestImage:
  # -- rest protector image registry address
  repository:
  # -- rest protector image tag name
  tag:
  # -- The pullPolicy for a container and the tag of the image affect 
  # when the kubelet attempts to pull (download) the specified image.
  pullPolicy: IfNotPresent

# policy loader sidecar image configuration
policyLoaderImage: 
  # -- policy loader sidecar container image registry address
  repository:
  # -- policy loader sidecar container image tag name
  tag:
  # -- The pullPolicy for a container and the tag of the image affect 
  # when the kubelet attempts to pull (download) the specified image.
  pullPolicy: IfNotPresent

# Docker Hub Image (Root User): docker.io/nginx:stable 
# To use nginx image that runs with non-root permissions
# Ref. https://hub.docker.com/r/nginxinc/nginx-unprivileged
nginxImage:
  # -- nginx image registry address
  repository:
  # -- nginx image tag name
  tag:
  # -- The pullPolicy for a container and the tag of the image affect 
  # when the kubelet attempts to pull (download) the specified image.
  pullPolicy: IfNotPresent

# specify CPU and memory requirement of REST protector container
iaprestResources:
  limits:
    cpu: 1000m 
    memory: 3000Mi
  requests:
    cpu: 500m
    memory: 800Mi

# specify CPU and memory requirement of policy loader container
policyLoaderResources:
  limits:
    cpu: 200m
    memory: 512Mi
  requests:
    cpu: 100m
    memory: 200Mi

# specify CPU and memory requirement of nginx proxy container
nginxResources:
  limits:
    cpu: 500m
    memory: 512Mi
  requests:
    cpu: 200m
    memory: 200Mi

...
   
# -- pod service account to be used.
# A k8s service account can be linked to cloud identity to allow pod to access
# cloud services like Object storage solutions.
serviceAccount: 
  # The name of the service account to use.
  name:

# Specify any additional annotation to be associated with pod
podAnnotations:
  checksum/nginx-config: '{{ include (print $.Template.BasePath "/nginx-configmap.yaml") . | sha256sum }}'
  checksum/rest-config: '{{ include (print $.Template.BasePath "/rest-configmap.yaml") . | sha256sum }}'

# set the Pod's security context object.
podSecurityContext:
  runAsUser: 1000
  runAsGroup: 1000
  fsGroup: 1000

# set the iapRest Container's security context object
iaprestContainerSecurityContext:
  capabilities:
    drop:
    - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  allowPrivilegeEscalation: false
  privileged : false
  seccompProfile:
    type: RuntimeDefault

# -- set the policy loader sidecar Container's security context object
# leave the field empty if not applicable
policyLoaderContainerSecurityContext:
  capabilities:
    drop:
    - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  allowPrivilegeEscalation: false
  privileged : false
  seccompProfile:
    type: RuntimeDefault

# -- set the nginx Container's security context object.
# leave the field empty if not applicable
nginxContainerSecurityContext:
  capabilities:
    drop:
    - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  allowPrivilegeEscalation: false
  privileged : false
  seccompProfile:
    type: RuntimeDefault

# protector configuration
protector:
  # Policy information for the protector initialization
  # Note: Policy update is control by policy puller sidecar, Below configuration
  # are for protector to refresh policy once it is updated by policy puller sidecar.
  policy:
    # -- Cadence determines how often the protector connects local filesystem 
    # to fetch the policy updates in background. Default is 60 seconds. 
    # So by default, every 60 seconds protector tries to fetch the policy updates.
    # If the cadence is set to "0", then the protector will get the policy only 
    # once, which is not recommended.
    cadence: 60

  # KMS proxy service configuration
  kms:
    # -- kms proxy service hostname.
    # kms proxy service helps protector to decrypt resilient policy package.
    host:

    # -- certificates to authenticate with kms proxy service.
    # Specify certificate secret name.
    # kubectl -n $NAMESPACE create secret generic pty-kms-proxy-tls \
    #   --from-file=cert.pem=./certs/cert.pem \
    #   --from-file=cert.key=./certs/cert.key \
    #   --from-file=CA.pem=./ca/CA.pem \
    #   --from-file=secret.txt=./certs/secret.txt
    certificates:

  # Logforwarder configuration
  logs:
    # -- specify log levels.
    # In case that connection to fluent-bit is lost, set how audits/logs are handled
    # 
    # drop  : Protector throws logs away if connection to the fluentbit is lost
    # error : (default) Protector returns error without protecting/unprotecting 
    #         data if connection to the fluentbit is lost
    mode: error

    # -- Host/IP of Logforwarder service where audits/logs are forwarded by the 
    # REST protector
    host:

# nginx configuration
nginx:
  # control audit records generate by nginx proxy.
  # the generated records are sent to stdout.
  # error logs are enabled by default.
  logs:
    # -- configure http client request access logs, by default the records
    # are sent to stdout
    request_logs: false
    # -- configure kubelet health check probe access logs, by default the records
    # are sent to stdout.
    probe_logs: false

# policy puller sidecar configuration
policyPuller:
  policy:
    # -- Control how often the sidecar application will read the configuration 
    # file for policy update information.
    # Interval is reset when previous pull operation is completed.
    # IMPORTANT: do not set interval to 0. 
    interval: 30

    # -- If using VolumeMount as storage destination for policy package
    # specify the persistent volume claim name to be used to mount the volume.
    pvcName:

    # -- Path to KMS encrypted Resilient policy package. Specify an URL encoded
    # path to package file. Here are few examples,
    # If stored in S3 then, s3://[s3 bucket name]/[to]/<[policy]>/<[package]>
    # If stored in Azure Blob storage then, https://[storage account].blob.core.windows.net/[to]/<[policy]>/<[package]> 
    # If stored in GCS then, gs://[bucket name]/[to]/<[policy]>/<[package]>
    # If stored in local filesystem (VolumeMount) then, [to]/<[policy]>/<[package]>
    # Important: updating it will not trigger pod restart.
    path:
  
  logs:
    # -- control policy puller log level
    # logs are forwarded to stdout
    # Supported Values
    # INFO - default
    # DEBUG
    level: INFO


# -- specify the initial no. of rest Pod replicas
replicaCount: 1

# HPA configuration
autoScaling:
  # -- lower limit on the number of replicas to which the autoscaler
  # can scale down to.
  minReplicas: 1
  # -- upper limit on the number of replicas to which 
  # the autoscaler can scale up. It cannot be less that minReplicas.
  maxReplicas: 10
  # -- CPU utilization threshold which triggers the autoscaler
  targetCPU: 70

# specify service type for rest container.
service:
  # -- Configure service type: LoadBalancer or ClusterIP for rest protector
  # endpoint
  type: ClusterIP
  port: 443

  # -- secret name containing server TLS certificates to host 
  # rest protector endpoint.
  # kubectl -n $NAMESPACE create secret generic pty-rest-tls \
  #   --from-file=cert.pem=./certs/cert.pem \
  #   --from-file=cert.key=./certs/cert.key \
  #   --from-file=CA.pem=./ca/CA.pem
  certificates:

  # -- Specify k8s service related annotations
  # annotation can configure internal load balancer
  # AWS internal load balancer
  #service.beta.kubernetes.io/aws-load-balancer-internal: "true"
  # AZURE internal load balancer
  #service.beta.kubernetes.io/azure-load-balancer-internal: "true"
  # GCP internal load balancer
  #networking.gke.io/load-balancer-type: "Internal" 
  annotations:
    #service.beta.kubernetes.io/aws-load-balancer-internal: "true"
    #service.beta.kubernetes.io/azure-load-balancer-internal: "true"
    #networking.gke.io/load-balancer-type: "Internal"
  7. Modify the default values in the values.yaml file as required.

| Field | Description |
| --- | --- |
| iaprestImage | Specify the repository and tag details for the REST Container image. |
| policyLoaderImage | Specify the repository and tag details for the Policy Loader image. |
| nginxImage | Specify the repository and tag details for the NGINX image. |
| iaprestResources | Specify the CPU and memory requirements for the REST Container. |
| policyLoaderResources | Specify the CPU and memory requirements for the Policy Loader container. |
| nginxResources | Specify the CPU and memory requirements for the NGINX container. |
| serviceAccount/name | Specify the name of the service account that enables you to access the Object storage solutions of the Cloud service. |
| podSecurityContext | Specify the privilege and access control settings for the pod. The default values are runAsUser - 1000, runAsGroup - 1000, and fsGroup - 1000. |
| iaprestContainerSecurityContext, policyLoaderContainerSecurityContext, nginxContainerSecurityContext | Specify the privilege and access control settings for the REST Container, the Policy Loader container, and the NGINX container respectively. |
| protector/policy/cadence | Specify the time interval in seconds after which the protector retrieves the policy that has been updated by the Policy Loader container. By default, the value is set to 60. Ensure that the value is not set to 0; otherwise, the protector retrieves the policy only once. |
| protector/kms/host | Specify the host name of the KMS Proxy service that is used to decrypt the policy package. |
| protector/kms/certificates | Specify the name of the secret for the certificate that is used to authenticate with the KMS Proxy service, which you have created in step 2. |
| protector/logs/mode | Specify the behaviour of the protector if the connection to the Log Forwarder is lost: drop - the protector discards the logs; error - the protector returns an error without protecting or unprotecting the data. By default, the value is set to error. |
| protector/logs/host | Specify the service hostname of the Log Forwarder, where the logs are forwarded. The default value is <Helm_Installation_Name>-<Helm_Chart_Name>.<Namespace>.svc. For example, iaplog-logforwarder.iaprest.svc. |
| nginx/logs/request_logs | Specify whether to enable or disable the HTTP client request access logs. By default, the value is set to false. |
| nginx/logs/probe_logs | Specify whether to enable or disable the Kubelet health check probe access logs. By default, the value is set to false. |
| policyPuller/policy/interval | Specify the time interval in seconds after which the Policy Loader sidecar container retrieves the policy package from the specified path. By default, the value is set to 30. Ensure that the interval is not set to 0; otherwise, the Policy Loader container does not retrieve the updated policy package. |
| policyPuller/policy/path | Specify the path where the encrypted policy package has been uploaded. For example, if the package is stored in an AWS S3 bucket, specify the path as s3://[s3 bucket name]/[to]/<[policy]>/<[package]>. If the package is stored in a local filesystem VolumeMount, specify the path as [to]/<[policy]>/<[package]>. |
| policyPuller/logs/level | Specify the log level of the Policy Loader container. By default, the value is set to INFO. |
| replicaCount | Specify the initial number of REST pod replicas. |
| autoScaling | Specify the configuration required for Horizontal Pod Autoscaling. |
| service/type | Specify the service type for the REST Container. By default, this value is set to ClusterIP. Change this value to LoadBalancer to send HTTPS requests to the REST Container pod from outside the cluster. |
| service/port | Specify the service port number for the REST Container. By default, the value is set to 443. |
| service/certificates | Specify the name of the secret that contains the server TLS certificates used to host the REST protector endpoint, which you have created in step 4. |
| service/annotations | Specify the annotations for the respective Cloud platform if you want to use the internal load balancer instead of the NGINX ingress. By default, this value is left blank. |
  8. Run the following command to deploy the REST Container on the Kubernetes cluster.
helm install <Release_Name> --namespace <Namespace where you want to deploy the REST container> <Location of the directory that contains the Helm charts>

For example:

helm install iap-rest-devops --namespace iap-rest devops/
  9. Run the following command to check the status of the pods.
kubectl get pods -n <Namespace>

For example:

kubectl get pods -n iap-rest
NAME                                         READY   STATUS    RESTARTS        AGE
kms-10-v1-kms-proxy-7b97d5dff7-grqph         2/2     Running   0               11h
log1-logforwarder-f6gvj                      1/1     Running   0               11h
log1-logforwarder-ls4hn                      1/1     Running   0               11h
log1-logforwarder-phk4t                      1/1     Running   0               11h
log1-logforwarder-z2mz7                      1/1     Running   0               11h
iap-rest-iap-rest-devops-5fd7d859b6-p9544    1/1     Running   0               11h

Alternatively, if you do not want to modify the values.yaml file, you can use set arguments to update the values during runtime.
For more information about deploying containers using set arguments, refer to the section Appendix - Deploying the Helm Charts by Using the Set Argument.

The test user can run the REST version API to verify the version of the REST protector.
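The pod status checks in the sections above, and the note that the Log Forwarder DaemonSet must place one pod on every node, can be scripted. The following is an added example, not part of the product documentation or the Helm charts: it parses `kubectl get pods -o wide` output (which adds the NODE column) and the node list, and flags pods that are not fully ready as well as nodes without a running Log Forwarder. The release-name prefixes and the sample listings are constructed to match the examples on this page.

```shell
#!/bin/sh
# Added example (not Protegrity's code): post-deployment checks over
# `kubectl get pods -n <Namespace> -o wide` and `kubectl get nodes` output.

# Constructed sample of `kubectl get pods -n iap-rest -o wide` output.
SAMPLE_PODS='NAME                                        READY   STATUS             RESTARTS   AGE   IP          NODE     NOMINATED NODE   READINESS GATES
kms-10-v1-kms-proxy-7b97d5dff7-grqph        2/2     Running            0          11h   10.0.1.10   node-a   <none>           <none>
log1-logforwarder-f6gvj                     1/1     Running            0          11h   10.0.1.11   node-a   <none>           <none>
log1-logforwarder-ls4hn                     1/1     Running            0          11h   10.0.2.11   node-b   <none>           <none>
log1-logforwarder-phk4t                     0/1     CrashLoopBackOff   5          11h   10.0.3.11   node-c   <none>           <none>
iap-rest-iap-rest-devops-5fd7d859b6-p9544   3/3     Running            0          11h   10.0.2.12   node-b   <none>           <none>'

# Constructed sample of `kubectl get nodes --no-headers -o custom-columns=NAME:.metadata.name`.
SAMPLE_NODES='node-a
node-b
node-c'

# not_ready: read a pod listing on stdin and print every pod whose READY count is
# below its container count or whose STATUS is not Running.
not_ready() {
  awk 'NR > 1 {
    split($2, ready, "/")
    if (ready[1] != ready[2] || $3 != "Running") print $1
  }'
}

# missing_daemonset_nodes PREFIX PODS NODES: print each node (sorted, one per line)
# that has no Running pod whose name starts with PREFIX. For a DaemonSet such as
# the Log Forwarder, every node is expected to have one.
missing_daemonset_nodes() {
  printf '%s\n' "$2" | awk -v prefix="$1" -v nodes="$3" '
    BEGIN {
      n = split(nodes, list, "\n")
      for (i = 1; i <= n; i++) if (list[i] != "") covered[list[i]] = 0
    }
    NR > 1 && index($1, prefix) == 1 && $3 == "Running" { covered[$7] = 1 }
    END { for (node in covered) if (!covered[node]) print node }' | sort
}

# check_deployment PODS NODES: succeed only when every pod is Running and fully
# ready and the Log Forwarder DaemonSet covers every node; otherwise report and fail.
check_deployment() {
  status=0
  bad=$(printf '%s\n' "$1" | not_ready)
  if [ -n "$bad" ]; then
    printf 'pods not ready:\n%s\n' "$bad"
    status=1
  fi
  uncovered=$(missing_daemonset_nodes log1-logforwarder "$1" "$2")
  if [ -n "$uncovered" ]; then
    printf 'nodes without a running Log Forwarder:\n%s\n' "$uncovered"
    status=1
  fi
  return $status
}

# Live use against the cluster:
#   check_deployment "$(kubectl get pods -n iap-rest -o wide)" \
#     "$(kubectl get nodes --no-headers -o custom-columns=NAME:.metadata.name)"
```

On the constructed sample the check reports log1-logforwarder-phk4t as not ready and node-c as uncovered, which is the situation to investigate (for example, a Log Forwarder pod that cannot reach its configured ESA) before the protector is allowed to send audits.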

2.5 - Updating the Policy Package

Describes how to update the policy or the policy path.

The following steps describe how to update the policy or the policy path.

  1. Modify the policy or the location where the policy has been uploaded.

  2. Run the helm upgrade command to update the policy package or the policy package path.

For example, the line --set policyPuller.policy.path="s3://restcontainer/static-iap-rest-rel-a/try/Sample_App_Policy.tgz" in the following code block indicates that the path where the policy package is stored has changed.

    helm -n devops-10-v2 upgrade test-sampleapp-10-v1 iap-rest-devops/ \
      --set imagePullSecrets[0].name="regcred" \
      --set iaprestImage.repository="<Account_ID>.dkr.ecr.<region_name>.amazonaws.com/container" \
      --set iaprestImage.tag="REST_RHUBI-9-64_x86-64_K8S_10.0.0.16.6a3a67.tgz" \
      --set policyLoaderImage.repository="<Account_ID>.dkr.ecr.<region_name>.amazonaws.com/container" \
      --set policyLoaderImage.tag="POLICY-LOADER_RHUBI-9-64_x86-64_K8S_1.0.0.11.bc1967.tgz" \
      --set nginxImage.repository="nginxinc/nginx-unprivileged" \
      --set nginxImage.tag="1.25.2" \
      --set serviceAccount.name="s3-v1-sa" \
      --set protector.kms.host="test-kms-10-v1-kms-proxy.devops-10-v2.svc" \
      --set protector.kms.certificates="pty-certs-cli-secret" \
      --set protector.logs.mode="error" \
      --set protector.logs.host="test-devops-logforwarder10-v1.devops-10-v2.svc" \
      --set nginx.logs.request_logs="false" \
      --set nginx.logs.probe_logs="false" \
      --set policyPuller.policy.interval="30" \
      --set policyPuller.logs.level="DEBUG" \
      --set protector.policy.cadence="60" \
      --set policyPuller.policy.path="s3://restcontainer/static-iap-rest-rel-a/try/Sample_App_Policy.tgz" \
      --set service.certificates="pty-rest-devops-secret"

For more information about using set arguments to deploy the Protector, refer to the section Appendix - Deploying the Helm Charts by Using the Set Argument.

  3. Run the following command to check the status of the pods.
kubectl get pods -n <Namespace>

For example:

kubectl get pods -n iap-rest
NAME                                                   READY   STATUS    RESTARTS        AGE
test-devops-logforwarder10-v1-2m49b                     1/1     Running   0          163m
test-devops-logforwarder10-v1-wwjzh                     1/1     Running   0          165m
test-kms-10-v1-kms-proxy-687657cff9-dlzdz               1/1     Running   0          161m
test-sampleapp-10-v1-iap-rest-devops-54668997cf-kw628   3/3     Running   0          5m11s
  4. Run the following command to check the logs.
kubectl logs <Pod_name> -n <Namespace> -f

For example:

kubectl logs test-sampleapp-10-v1-iap-rest-devops-54668997cf-kw628 -n iap-rest -f

The following logs appear on the console output. The line [INFO ] 2025/10/29 11:47:19.335550 runner.go:226: New Policy source path s3://restcontainers/new-10-49-7-212/new/policy-sample-app-10-49-7-212-v1.json indicates that the policy package path has been updated.

Defaulted container "policy-loader" out of: policy-loader, iap-rest-devops, nginx
[INFO ] 2025/10/29 11:45:16.090634 runner.go:104: starting policy loader with version: 1.0.0+13.e0beab
Starting Health Server.
[INFO ] 2025/10/29 11:45:16.090811 runner.go:187: fetching policy from storage media, AWS_S3
[INFO ] 2025/10/29 11:45:16.313683 runner.go:196: Loading policy from source path s3://restcontainers/new-10-49-7-212/policy-v1-10-49-7-212.json
[INFO ] 2025/10/29 11:45:48.914901 runner.go:220: fetching policy from storage media, AWS_S3
[INFO ] 2025/10/29 11:45:48.914935 runner.go:242: Policy source path is same. Checking based on timestamp.
[INFO ] 2025/10/29 11:45:49.057011 runner.go:250: Policy source is not modified since last fetch. Skipping policy load operation.
[INFO ] 2025/10/29 11:46:19.057887 runner.go:220: fetching policy from storage media, AWS_S3
[INFO ] 2025/10/29 11:46:19.057916 runner.go:242: Policy source path is same. Checking based on timestamp.
[INFO ] 2025/10/29 11:46:19.201224 runner.go:250: Policy source is not modified since last fetch. Skipping policy load operation.
[INFO ] 2025/10/29 11:46:49.201456 runner.go:220: fetching policy from storage media, AWS_S3
[INFO ] 2025/10/29 11:46:49.201485 runner.go:242: Policy source path is same. Checking based on timestamp.
[INFO ] 2025/10/29 11:46:49.335206 runner.go:250: Policy source is not modified since last fetch. Skipping policy load operation.
[INFO ] 2025/10/29 11:47:19.335501 runner.go:220: fetching policy from storage media, AWS_S3
[INFO ] 2025/10/29 11:47:19.335536 runner.go:224: Policy source path is modified. Triggering policy load operation.
[INFO ] 2025/10/29 11:47:19.335545 runner.go:225: Old Policy source path s3://restcontainers/new-10-49-7-212/policy-v1-10-49-7-212.json.
[INFO ] 2025/10/29 11:47:19.335550 runner.go:226: New Policy source path s3://restcontainers/new-10-49-7-212/new/policy-sample-app-10-49-7-212-v1.json
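Reading the loader output by eye is error-prone after several upgrades, and a policy path that silently failed to change means the protector keeps enforcing the old policy. The following is an added example, not part of the product documentation: it reads the policy-loader sidecar log (as produced by `kubectl logs <Pod_name> -n <Namespace> -c policy-loader`) and reports the package path actually in effect, so that the value passed to `--set policyPuller.policy.path` can be verified. The sample log is constructed from the lines shown on this page.

```shell
#!/bin/sh
# Added example (not Protegrity's code): confirm from the policy-loader sidecar
# log which policy package path is in effect after a helm upgrade.

# Constructed sample of `kubectl logs <Pod_name> -n <Namespace> -c policy-loader`
# output, modelled on the log lines shown on this page.
SAMPLE_LOG='[INFO ] 2025/10/29 11:45:16.090634 runner.go:104: starting policy loader with version: 1.0.0+13.e0beab
Starting Health Server.
[INFO ] 2025/10/29 11:45:16.090811 runner.go:187: fetching policy from storage media, AWS_S3
[INFO ] 2025/10/29 11:45:16.313683 runner.go:196: Loading policy from source path s3://restcontainers/new-10-49-7-212/policy-v1-10-49-7-212.json
[INFO ] 2025/10/29 11:45:48.914935 runner.go:242: Policy source path is same. Checking based on timestamp.
[INFO ] 2025/10/29 11:45:49.057011 runner.go:250: Policy source is not modified since last fetch. Skipping policy load operation.
[INFO ] 2025/10/29 11:47:19.335536 runner.go:224: Policy source path is modified. Triggering policy load operation.
[INFO ] 2025/10/29 11:47:19.335545 runner.go:225: Old Policy source path s3://restcontainers/new-10-49-7-212/policy-v1-10-49-7-212.json.
[INFO ] 2025/10/29 11:47:19.335550 runner.go:226: New Policy source path s3://restcontainers/new-10-49-7-212/new/policy-sample-app-10-49-7-212-v1.json'

# effective_policy_path: read loader logs on stdin and print the path of the
# package most recently loaded (the initial load, or the latest path change).
# The "Old Policy source path ..." line is deliberately not matched.
effective_policy_path() {
  awk '
    /Loading policy from source path / { path = $NF }
    /New Policy source path /         { path = $NF }
    END { print path }'
}

# policy_reload_count: number of times the loader triggered a load because the
# configured path changed (one per successful `helm upgrade` of the path).
policy_reload_count() {
  awk '/Policy source path is modified/ { n++ } END { print n + 0 }'
}

# policy_path_matches EXPECTED: read loader logs on stdin; succeed only when the
# effective path equals EXPECTED (the value passed to --set policyPuller.policy.path).
policy_path_matches() {
  actual=$(effective_policy_path)
  if [ "$actual" = "$1" ]; then
    echo "policy package path in effect: $actual"
    return 0
  fi
  echo "expected $1 but the loader reports '$actual'" >&2
  return 1
}

# Live use, after the helm upgrade shown on this page:
#   kubectl logs <Pod_name> -n <Namespace> -c policy-loader | \
#     policy_path_matches "s3://restcontainer/static-iap-rest-rel-a/try/Sample_App_Policy.tgz"
```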

2.6 - Uninstalling the Protector in Static Method

Describes the steps to uninstall the REST Container deployed using the Static method.

To uninstall the Protector:

  1. Run the following command to uninstall the Log Forwarder from the Kubernetes cluster.
helm uninstall <Release_Name> --namespace <Namespace where the Log Forwarder is deployed>

For example:

helm uninstall log1 --namespace iap-rest
  2. Run the following command to uninstall the KMSProxy container from the Kubernetes cluster.
helm uninstall <Release_Name> --namespace <Namespace where KMSProxy container is deployed>

For example:

helm uninstall kmsproxy --namespace iap-rest
  3. Run the following command to uninstall the REST Container from the Kubernetes cluster.
helm uninstall <Release_Name> --namespace <Namespace where the REST Container is deployed>

For example:

helm uninstall iap-rest-devops --namespace iap-rest
  4. Run the following command to delete the Kubernetes secrets.
kubectl delete secret <Secret_Name> --namespace <Namespace where the REST Container is deployed>

For example:

kubectl delete secret service-certs --namespace iap-rest

Repeat this step to delete all the secrets that you have created while deploying the KMSProxy container and the REST Container:

  • service-certs
  • regcred
  5. Run the following command to delete the Kubernetes namespace. Namespaces are Kubernetes objects, not Helm releases, so this is a kubectl command.
kubectl delete namespace <Namespace where the REST Container is deployed>

For example:

kubectl delete namespace iap-rest