Install Deep Security Smart Check on AWS Fargate with EKS

Why does installing Smart Check on AWS Fargate with Elastic Kubernetes System (EKS) require a different procedure than the standard Install Deep Security Smart Check?

  • You must use an external database on AWS Fargate with EKS. AWS Fargate supports persistent volumes only through AWS Elastic File System (EFS), which is not recommended.

  • AWS Fargate supports load balancers only through the AWS Load Balancer Controller.

Here is the procedure to install Smart Check on AWS Fargate with EKS.

  1. Ensure you are using Helm 3.
    (This procedure will not work with Helm 2.)
    helm version

  2. Ensure you have a recent version of eksctl installed. Installation instructions are here.

  3. Use eksctl to create the cluster:
    eksctl create cluster --region=<us-east-1> --name=<clustername-eks> --fargate

  4. Allow up to 20 minutes for the cluster to be created.

  5. Verify that kubectl is connected to your cluster with this command:
    kubectl get nodes
    You should see some Fargate nodes returned.

  6. Deploy the AWS Load Balancer Controller as detailed here.

  7. Verify that the controller is installed with this command:
    kubectl get deployment -n kube-system aws-load-balancer-controller

  8. Create a database for Smart Check to use.

    Ensure the database has the appropriate network access to the cluster. We recommend using the same virtual private cloud and modifying the security group to allow port 5432 from the security group itself.

  9. Create the config map for allowing TLS connection to an external database.
    kubectl create configmap dssc-db-trust --from-file=ca=rds-ca-2019-root.pem
    To download rds-ca-2019-root.pem, click here.

  10. Create an overrides.yaml file that sets the vulnerability scan resources to 1 vCPU and 3GB memory, above the usual minimum. For more explanation, see here.

    auth:
      secretSeed: "<some random characters>"
    service:
      type: LoadBalancer
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-type: "nlb-ip"
    db:
      user: "postgres"
      password: "<db password>"
      host: "<db hostname>"
      port: "5432"
      tls:
        ca:
          valueFrom:
            configMapKeyRef:
              name: "dssc-db-trust"
              key: "ca"
    resources:
      vulnerabilityScan:
        requests:
          cpu: 1000m
          memory: 3Gi
        limits:
          cpu: 1000m
          memory: 3Gi
    
  11. Verify the resources provisioned with this command:
    kubectl describe pod vulnerabilityScan

  12. Install Smart Check with this command:
    helm upgrade -i --values overrides.yaml deepsecurity-smartcheck https://github.com/deep-security/smartcheck-helm/archive/master.tar.gz

  13. Ensure that Smart Check pods become ready with this command:
    kubectl get pods

  14. Get the Network Load Balancer address using the instructions from the output of helm upgrade.

  15. Get the application URL by running these commands:
    export SERVICE_IP=$(kubectl get svc proxy -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')
    echo https://$SERVICE_IP:443/

  16. Log in to Smart Check.
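
The overrides.yaml from step 10 holds the database password and secretSeed in plain text, and relies on the config map from step 9 and the nlb-ip annotation. The pre-flight check below can be run before step 12. It is an added example, not part of Smart Check or its Helm chart; the function name preflight_overrides and the owner-only file mode it expects are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the Smart Check chart): pre-flight check for the
# overrides.yaml of step 10. Prints one line per finding on stderr and
# returns the number of findings (0 = nothing to fix).
preflight_overrides() {
    f=$1
    findings=0
    note() { echo "overrides: $*" >&2; findings=$((findings + 1)); }

    [ -r "$f" ] || { note "cannot read $f"; return 1; }

    # 1. Template placeholders such as "<db password>" still in place.
    if grep -nE ':[[:space:]]*"?<[^>]*>"?[[:space:]]*$' "$f" >&2; then
        note "the placeholder values listed above were not replaced"
    fi

    # 2. The file carries the DB password and secretSeed, so it should be
    #    readable by its owner only (assumption of this example).
    if [ -n "$(find "$f" \( -perm -040 -o -perm -004 \) -print)" ]; then
        note "file is readable by group or others; run: chmod 600 $f"
    fi

    # 3. db.tls.ca must reference a config map (created in step 9).
    ref=$(awk '
        /^[^ #]/ { top = $1; inref = 0 }          # new top-level key
        top == "db:" && $1 == "configMapKeyRef:" { inref = 1; next }
        inref && $1 == "name:" { gsub(/"/, "", $2); print $2; exit }
    ' "$f")
    [ -n "$ref" ] || note "db.tls.ca has no configMapKeyRef; no CA is set for the database TLS connection"

    # 4. The service must request an NLB in IP mode, as in step 10.
    grep -Eq 'service\.beta\.kubernetes\.io/aws-load-balancer-type:[[:space:]]*"?nlb-ip"?' "$f" \
        || note "service annotation aws-load-balancer-type: nlb-ip is missing"

    return "$findings"
}

# Stand-alone use: sh preflight.sh overrides.yaml
if [ -n "${1:-}" ]; then
    preflight_overrides "$1"
fi
```

A non-zero exit status is the number of findings, so the script can gate the helm upgrade command in a deployment wrapper.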

How to uninstall Smart Check

Clean up the resources you used (unless you are looking to preserve your environment):

  1. Delete the Deep Security Smart Check deployment to clean up the load balancer with this command:
    helm uninstall deepsecurity-smartcheck

  2. Delete the database.

  3. Delete the cluster with this command:
    eksctl delete cluster --name <clustername-eks> --region <us-east-1>