Deploy on Kubernetes with Kustomize

In this tutorial you will be guided through the steps needed to set up the Eclipse Steady backend services in a Kubernetes cluster using Kustomize version 2.0.3.

Kustomize and Kubectl

kubectl, starting with version 1.14, already comes with Kustomize 2.0.3 bundled. At the time of writing, Kustomize 3.1.0 is not supported by kubectl, so it is not supported by Eclipse Steady either.

Pre-requisites

  • git
  • kubectl
  • a Kubernetes cluster

Setup

Clone the vulnerability-assessment-tool repository locally and change into its Kustomize directory:

git clone https://github.com/eclipse/steady.git
cd steady/kubernetes/kustomize

Make a copy of the files in kubernetes/kustomize/secrets and edit them to match your needs.

cp secrets/.env.sample secrets/.env
cp secrets/bugs-frontend-credentials.sample secrets/bugs-frontend-credentials
# edit the above files

Run

You are now ready to deploy Eclipse Steady inside your Kubernetes cluster:

kubectl apply -k .

The above command creates a Namespace called vulnerability-assessment-tool and installs all the components in it. To check that everything is starting successfully, watch the pods with the command kubectl -n vulnerability-assessment-tool get pods -w. The deployment requests two PersistentVolumeClaims and a Service of type LoadBalancer, which can take some time to be created depending on the provider you are running on.
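A readiness check for the rollout described above, added here as an example and not part of the Eclipse Steady repository. The helpers parse the default table output of kubectl get pods, pvc and svc (read from stdin, so they can also be run against captured text); the pod and service names in the sample output are constructed.

```shell
# Added example, not part of the Eclipse Steady repository. The helpers read
# the default table output of `kubectl get pods|pvc|svc` on stdin, so they can
# also be run against captured text. Pod and service names below are constructed.

# Every pod (header skipped) must be Running with READY equal to n/n.
pods_ready() {
  awk 'NR == 1 { next }
       { split($2, r, "/"); if ($3 != "Running" || r[1] != r[2]) bad++ }
       END { exit (bad > 0) }'
}

# Every PersistentVolumeClaim requested by the deployment must be Bound.
pvcs_bound() {
  awk 'NR == 1 { next } $2 != "Bound" { bad++ } END { exit (bad > 0) }'
}

# The type:LoadBalancer Service must have received an EXTERNAL-IP from the provider.
lb_has_address() {
  awk 'NR == 1 { next } $2 == "LoadBalancer" && $4 == "<pending>" { bad++ } END { exit (bad > 0) }'
}

# Poll the live namespace until all three conditions hold (needs cluster access).
wait_for_steady() {
  ns=vulnerability-assessment-tool
  until kubectl -n "$ns" get pods | pods_ready \
     && kubectl -n "$ns" get pvc | pvcs_bound \
     && kubectl -n "$ns" get svc | lb_has_address; do
    echo "waiting for $ns to settle..."; sleep 10
  done
}

# Constructed sample output in kubectl's table format, for offline checks.
PODS_STARTING='NAME                    READY   STATUS              RESTARTS   AGE
db-0                    1/1     Running             0          2m
backend-7c9d8b5-x2kqz   0/1     ContainerCreating   0          2m'
PODS_READY='NAME                    READY   STATUS    RESTARTS   AGE
db-0                    1/1     Running   0          5m
backend-7c9d8b5-x2kqz   1/1     Running   0          5m'
SVC_PENDING='NAME           TYPE           CLUSTER-IP    EXTERNAL-IP   PORT(S)        AGE
cloud-ingress  LoadBalancer   10.0.12.34    <pending>     80:30080/TCP   2m'
SVC_READY='NAME           TYPE           CLUSTER-IP    EXTERNAL-IP   PORT(S)        AGE
cloud-ingress  LoadBalancer   10.0.12.34    203.0.113.10  80:30080/TCP   5m'
```

Call wait_for_steady after kubectl apply -k . to block until the pods, both claims and the external address are all in place.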

Reaching Eclipse Steady from the Internet

Eclipse Steady uses a Service of type LoadBalancer to allow Internet traffic to reach the cluster. This Service requests an external LoadBalancer from your provider and connects to it. That LoadBalancer is exposed on the Internet, so be careful. A Service of type LoadBalancer should work with most providers, such as GKE and Azure. If it does not, you can follow this ingress-nginx guide.

Debugging Eclipse Steady from the local network

You can avoid exposing the Service to the Internet by disabling the Service defined in the services/cloud.yml file. To disable that file, comment out the corresponding line in the root-level kustomization.yaml file. You can then connect to the main Service by port-forwarding with the command kubectl -n vulnerability-assessment-tool port-forward svc/haproxy-ingress 7000:8080 and then opening your browser at localhost:8080/apps.

Populate/maintain the vulnerability database

For the tool to detect vulnerabilities, you first need to import and analyze them so that they are available in the tool's vulnerability database. A large part of the CVEs and bugs are open-sourced in vulnerability-assessment-kb.

Follow the instructions mentioned here to import and build all the vulnerability knowledge.


Get going:

  1. Import all the CVEs and bugs in your local database
  2. Set up your workspace (if you don't have one)
  3. Become familiar with the various analysis goals (first-time users)
  4. Analyze your Java or Python application (on a regular basis)
  5. Assess findings using the apps Web frontend (following every analysis)

Further links: