Deploying Deepfence Console on Kubernetes Cluster: The One Skill That Will Skyrocket Your Career

Setup Storage

The OpenEBS storage is required only when running PostgreSQL and Elasticsearch locally. For those using cloud-based PersistentVolume or cloud-hosted databases, setting up OpenEBS is unnecessary.

OpenEBS Local PV Provisioner

First, create a namespace for OpenEBS:

kubectl create ns openebs

Then, install OpenEBS using the Helm chart repository:

helm install openebs --namespace openebs --repo "https://openebs.github.io/charts" openebs --set analytics.enabled=false

Wait for the pods to initialize:

kubectl get pods -o wide --namespace openebs -w

Setup Metrics Server (if not already present)

Verify the installation of the metrics server:

kubectl get deployment metrics-server -n kube-system

If it's missing, execute the following command:

kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml

Install the Deepfence Console Helm Chart

Quick Start

Add the Deepfence repo:

helm repo add deepfence https://deepfence-helm-charts.s3.amazonaws.com/threatmapper

Install the Deepfence console:

helm install deepfence-console deepfence/deepfence-console --namespace default

Detailed Setup

Again, add the Deepfence repository:

helm repo add deepfence https://deepfence-helm-charts.s3.amazonaws.com/threatmapper

Create a values file:

helm show values deepfence/deepfence-console > deepfence_console_values.yaml

(Optional) Modify this values file to set a Docker Hub username and password if using a personal registry.

Registry Settings:

registry:
  name: "https://index.docker.io/v1/"
  imagePrefix: ""
  username: ""
  password: ""

Specify the image tag:

image:
  tag: 1.5.0

(Optional) Configure a custom SSL certificate.

Custom certificates can be added either by referencing an existing secret or by passing the certificate and key directly in the Helm chart values. If not specified, a self-signed certificate from Deepfence will be used.

To supply the certificate and key in the values file, use this format:

tls:
  cert: |-
    -----BEGIN CERTIFICATE-----
    MIIFCTCCAvGgAwIBAgIUNshy8GFTjfUR7inZ1JCcN+tDuh4wDQYJKoZIhvcNAQEL
    .....
    JY7f+DC42mQvWWXbll+I60CEtZyExtfBEbSihOR2NoG3WMhXEGAXO5C/jEnSDHKt
    BMepE4d9+TQFcPQ/OKSlP8FB2nPKZJdM+JlXDFWqeKvbdYS4QErRLd33qUmq
    -----END CERTIFICATE-----
  key: |-
    -----BEGIN PRIVATE KEY-----
    MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQDECeUraonCz/89
    .....
    uK1Rv6SE6KrBFb8JYEpjyjiAlVUGDANqbMtB2dvJ/GD6vTch/kLyZ95x7+V0qXGV
    bHEvWp7ugCTFhurM+lla0d+ElDO2
    -----END PRIVATE KEY-----

If a TLS certificate is already available as a secret in the same namespace as the console, specify the secret name in the Helm chart values:

tls:
  secretName: console-tls-certs

(Optional) Select the storage class.

Deepfence defaults to using the Local Volume Provisioner, but it can be switched to any cloud-managed Persistent Volumes, with ‘default’ as a common selection in many clouds.

Volume configuration:

volume:
  storageClass: openebs-hostpath

(Optional) Configure the database.

Deepfence deploys Elasticsearch, PostgreSQL, and Redis in-cluster by default in HA mode. These can be configured to use cloud-managed databases like RDS for PostgreSQL or AWS Elasticsearch service. Adjust hostnames and ports as necessary.

Database settings:

db:
  #  Modify these values for externally managed databases
  postgresUserDb:
    host: deepfence-postgres
    port: "5432"
    user: "cve"
    password: "cve"
    dbname: "users"
    sslmode: "disable"
  elasticsearch:
    scheme: "http"
    host: deepfence-es
    port: "9200"
    user: ""
    password: ""
  redis:
    host: deepfence-redis
    port: "6379"

Set the container runtime socket path. By default, Docker is disabled while containerd is enabled.

Mount container runtime socket path:

mountContainerRuntimeSocket:
  dockerSock: false
  # Modify the socket path if necessary
  dockerSockPath: "/var/run/docker.sock"
  containerdSock: true
  # Modify the socket path if necessary
  containerdSockPath: "/run/containerd/containerd.sock"
  crioSock: false
  # Modify the socket path if necessary
  crioSockPath: "/var/run/crio/crio.sock"
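
Before running the install command, the edited values file can be checked for the settings above that matter most once databases are external or secrets are written inline. The shell function below is an added example, not part of the original post or the Deepfence chart; the finding names and the sample hosts (pg.example.internal, es.example.internal) are constructed, and it assumes the two-space indentation used in the snippets on this page.

```shell
# Added example: review deepfence_console_values.yaml before `helm install`.
# Assumes two-space indentation as shown above; finding names are made up here.
audit_values() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
    {
      indent = match($0, /[^ ]/) - 1             # count of leading spaces
      key = $1; sub(/:$/, "", key)
      val = $2; gsub(/"/, "", val)
      if (indent == 0) { top = key; mid = "" }
      if (indent == 2 && NF == 1) mid = key      # nested mapping, e.g. postgresUserDb
      if (indent == 2) v[top "." key] = val
      if (indent == 4) v[top "." mid "." key] = val
    }
    END {
      pg = "db.postgresUserDb."; es = "db.elasticsearch."
      pg_ext = (v[pg "host"] != "" && v[pg "host"] != "deepfence-postgres")
      es_ext = (v[es "host"] != "" && v[es "host"] != "deepfence-es")
      if (v[pg "password"] == "cve")              print "postgres-default-password"
      if (pg_ext && v[pg "sslmode"] == "disable") print "external-postgres-without-tls"
      if (es_ext && v[es "scheme"] == "http")     print "external-elasticsearch-over-http"
      if (v["tls.key"] != "")                     print "tls-private-key-in-values-file"
      if (v["registry.password"] != "")           print "registry-password-in-values-file"
    }
  ' "$1"
}

# Constructed sample: external databases, defaults left in place, inline TLS key.
sample_values() {
  cat <<'EOF'
registry:
  password: ""
tls:
  key: |-
    -----BEGIN PRIVATE KEY-----
    PLACEHOLDER-NOT-A-REAL-KEY
    -----END PRIVATE KEY-----
db:
  postgresUserDb:
    host: pg.example.internal
    password: "cve"
    sslmode: "disable"
  elasticsearch:
    scheme: "http"
    host: es.example.internal
EOF
}

tmp=$(mktemp) && sample_values > "$tmp" && audit_values "$tmp"; rm -f "$tmp"
```

On the unmodified values shown above, only postgres-default-password is reported, because the in-cluster hosts deepfence-postgres and deepfence-es are not treated as external.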

Install the Deepfence Console Helm Chart using the values file:

helm install -f deepfence_console_values.yaml deepfence-console deepfence/deepfence-console --namespace default

Wait for the pods to become active:

kubectl get pods -o wide -w

Retrieve the Deepfence management console IP:

kubectl get --namespace default svc deepfence-router -w

Conclusion

And there you have it, friends! We’ve talked about why deploying Deepfence Console on Kubernetes is such a valuable skill to have in your tech arsenal. It’s not just about adding another line to your resume — it’s about positioning yourself at the forefront of cloud security and container orchestration.

Remember, every expert was once a beginner. Don’t be afraid to dive in and start learning. You might face some challenges along the way, but that’s all part of the journey. And who knows? This could be the skill that opens up exciting new opportunities in your career.