Deploy Smart Check to EKS with a Network Load Balancer or an Application Load Balancer

When deploying Smart Check in an EKS environment, the current default load balancer is the Classic Load Balancer (CLB).

The EC2-Classic Load Balancer will reach its end of service as of August 15, 2022. As a result, AWS recommends either migrating Classic Load Balancers from the EC2-Classic network to a VPC, or using the Network Load Balancer (NLB) or Application Load Balancer (ALB).

The following information includes steps on how to configure Smart Check to use either the NLB or the ALB. Since EKS is provisioned in a VPC, the following steps are optional but recommended for many existing Smart Check users.

These instructions assume a basic knowledge of deploying Smart Check. For more information, see Install Deep Security Smart Check.

Deploy Smart Check using the NLB

  1. Install and deploy the AWS Load Balancer controller in your cluster. Follow the instructions provided by AWS and carefully note the prerequisites.

  2. Set the proper annotations in the overrides.yaml file:

    service:
      type: LoadBalancer
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
        service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"
        service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
  3. Run the following commands to:

    • upgrade the Smart Check deployment:

      helm upgrade \
        --values overrides.yaml \
        deepsecurity-smartcheck \
        https://github.com/deep-security/smartcheck-helm/archive/master.tar.gz

    • deploy if this is the first deployment:

      helm install \
        --values overrides.yaml \
        deepsecurity-smartcheck \
        https://github.com/deep-security/smartcheck-helm/archive/master.tar.gz

  4. (Optional) In the Amazon Web Console, the new Network Load Balancer should be visible, either in the Provisioning or Active state. If it is not visible, please review the overrides.yaml file and ensure that the changes to service.annotations have been saved and applied.

  5. Run the following command to determine Smart Check's service endpoint:

    # AWS load balancers publish a DNS hostname in the Service status, not an IP address
    export SERVICE_HOST=$(kubectl get svc proxy -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
    echo https://$SERVICE_HOST:443

  6. Navigate to the service endpoint. If the page does not load, please wait a few minutes in case the Load Balancer is still provisioning.
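Step 4 asks you to re-check overrides.yaml when the NLB never appears. As an added pre-flight check (not part of the original instructions or of the Smart Check Helm chart), the following POSIX shell function confirms that overrides.yaml contains the Service type and the three NLB annotations from step 2 before helm is run, so a missing or mistyped annotation fails loudly up front. The file name overrides.yaml is the one used above.

```shell
# Added example, not from the Smart Check documentation: pre-flight check of the
# overrides.yaml used in the NLB steps. Each required line is searched for
# literally (grep -F), so spelling and quoting must match the chart values exactly.

# check_required_lines FILE LINE... : report every LINE that is absent from FILE.
# Returns 0 when all lines are present, 1 otherwise.
check_required_lines() {
  file=$1; shift
  missing=0
  for want in "$@"; do
    if ! grep -Fq -- "$want" "$file"; then
      echo "missing in $file: $want" >&2
      missing=1
    fi
  done
  return $missing
}

# check_nlb_overrides FILE : the Service type and NLB annotations from step 2.
# "internet-facing" publishes the Smart Check endpoint on the public internet;
# confirm that this is the intended exposure before deploying.
check_nlb_overrides() {
  check_required_lines "$1" \
    'type: LoadBalancer' \
    'service.beta.kubernetes.io/aws-load-balancer-type: "nlb"' \
    'service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"' \
    'service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"'
}

# Usage, run before helm upgrade / helm install (not executed here):
#   check_nlb_overrides overrides.yaml && helm upgrade --values overrides.yaml ...
```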

Deploy Smart Check using the ALB

  1. Install and deploy the AWS Load Balancer controller in your cluster. Please follow the instructions provided by AWS.

  2. Set the proper annotations in the overrides.yaml file:

    service:
      type: NodePort

  3. Run the following commands to:

    • upgrade the Smart Check deployment:

      helm upgrade \
        --values overrides.yaml \
        deepsecurity-smartcheck \
        https://github.com/deep-security/smartcheck-helm/archive/master.tar.gz

    • deploy if this is the first deployment:

      helm install \
        --values overrides.yaml \
        deepsecurity-smartcheck \
        https://github.com/deep-security/smartcheck-helm/archive/master.tar.gz

  4. Create an ingress manifest file for Smart Check and name it sc_ingress.yaml.
    You must already have a certificate deployed in AWS; its ARN is supplied in the following manifest:

    Sample sc_ingress.yaml manifest file

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      namespace: "default"
      name: "deepsecurity-smartcheck-ingress"
      annotations:
        alb.ingress.kubernetes.io/scheme: internet-facing
        alb.ingress.kubernetes.io/target-type: ip
        alb.ingress.kubernetes.io/backend-protocol: HTTPS
        alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
        alb.ingress.kubernetes.io/certificate-arn: <certificate-arn-here>
      labels:
        app: deepsecurity-smartcheck-ingress
    spec:
      ingressClassName: alb
      rules:
        - http:
            paths:
              - path: /
                pathType: Prefix
                backend:
                  service:
                    name: proxy
                    port:
                      number: 443

    Note that the AWS Load Balancer Controller does not support the resource field of the Ingress backend; use the service field as shown.

  5. Deploy the ingress manifest file using the following command:

    kubectl apply -f sc_ingress.yaml

  6. Use the following command to confirm that the controller has created an ALB and to obtain the endpoint (the ADDRESS column) where Smart Check will be available:

    kubectl get ingress

    Sample output

    NAMESPACE   NAME                              CLASS   HOSTS   ADDRESS                                                                   PORTS   AGE
    default     deepsecurity-smartcheck-ingress   alb     *       k8s-default-deepsecu-593ed39b4a-2027600391.us-west-2.elb.amazonaws.com   80      16m

  7. (Optional) If you encounter any issues, see How do I troubleshoot service load balancers for Amazon EKS? and Troubleshooting.

    Issues are most often caused by an incorrectly configured AWS Load Balancer controller. It can also help to check the errors the controller has logged by running:

    kubectl logs -n kube-system deployment.apps/aws-load-balancer-controller

  8. (Optional) If the web page does not load, run dig <endpoint> and try navigating to the IP addresses it returns to see whether the page is reachable there instead. For example:

    k8s-default-deepsecu-593ed39b4a-1368766740.us-west-2.elb.amazonaws.com. 1 IN A 52.25.79.241
    k8s-default-deepsecu-593ed39b4a-1368766740.us-west-2.elb.amazonaws.com. 1 IN A 34.210.15.98
    k8s-default-deepsecu-593ed39b4a-1368766740.us-west-2.elb.amazonaws.com. 1 IN A 44.239.37.197
  9. Navigate to the service endpoint. If the page does not load, please wait a few minutes in case the Load Balancer is still provisioning.

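The endpoint lookups in NLB step 5 and ALB step 6, the "wait a few minutes" advice in both procedures, and the "stuck in <pending>" case under Troubleshooting can all be handled by one polling loop. The following is an added example, not part of the original instructions: it waits until the controller has published a load balancer hostname for the proxy Service (NLB) or the deepsecurity-smartcheck-ingress Ingress (ALB), then prints the HTTPS URL. It assumes kubectl is on the PATH and already pointed at the EKS cluster; the KUBECTL variable exists only so the command can be substituted when testing without a cluster.

```shell
# Added example, not from the Smart Check documentation: poll until EKS has
# published a load balancer hostname for the Smart Check proxy Service (NLB
# path) or for the Ingress (ALB path), then print the HTTPS endpoint.
# Assumes kubectl is configured for the EKS cluster. KUBECTL is overridable
# so the functions can be exercised without a cluster.
KUBECTL=${KUBECTL:-kubectl}

# Read `kubectl get <svc|ingress> ... -o json` on stdin and print the first
# .status.loadBalancer.ingress[].hostname. AWS load balancers publish a DNS
# name there rather than an IP address; nothing is printed while still pending.
lb_hostname_from_json() {
  sed -n 's/.*"hostname":[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# wait_for_endpoint KIND NAME [NAMESPACE] [TIMEOUT_SECONDS]
# KIND is "svc" (NLB) or "ingress" (ALB). Polls every 10 s until a hostname
# appears or the timeout elapses; prints https://<hostname>:443 on success.
wait_for_endpoint() {
  kind=$1; name=$2; ns=${3:-default}; timeout=${4:-600}
  elapsed=0
  while :; do
    host=$("$KUBECTL" get "$kind" "$name" -n "$ns" -o json 2>/dev/null | lb_hostname_from_json)
    if [ -n "$host" ]; then
      echo "https://$host:443"
      return 0
    fi
    if [ "$elapsed" -ge "$timeout" ]; then
      break
    fi
    sleep 10
    elapsed=$((elapsed + 10))
  done
  echo "$kind/$name in namespace $ns has no load balancer hostname after ${timeout}s;" \
       "check the aws-load-balancer-controller logs" >&2
  return 1
}

# Usage (not executed here):
#   wait_for_endpoint svc proxy default 600                                 # NLB
#   wait_for_endpoint ingress deepsecurity-smartcheck-ingress default 600   # ALB
```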

Troubleshooting

Service IP is stuck in <pending>

Run through the steps to deploy the AWS Load Balancer controller and ensure that each step has been completed. Additionally, please ensure that the annotations have been set as per the overrides.yaml.

See How do I troubleshoot service load balancers for Amazon EKS? for more information.

Ingress controller does not resolve to an address or aws-load-balancer controller logs reveal an 'unauthorized' error

Ensure that the necessary policies, roles, and service accounts that are outlined in Installing the AWS Load Balancer Controller add-on are followed.

The following command can also be used to help with debugging:

kubectl logs -n kube-system deployment.apps/aws-load-balancer-controller

Additional resources

Migrate from EC2-Classic to a VPC

EC2-Classic Networking is Retiring – Here’s How to Prepare