Installing the Intel® SecL Kubernetes Extensions and Integration Hub
Installing the Intel® SecL Kubernetes Extensions and Integration Hub
Intel® SecL uses Custom Resource Definitions to add the ability to base orchestration decisions on Intel® SecL security attributes to Kubernetes. These CRDs allow Kubernetes administrators to configure pods to require specific security attributes so that the Kubernetes Control Plane Node will schedule those pods only on Worker Nodes that match the specified attributes.
Two CRDs are required for integration with Intel® SecL – an extension
for the Control Plane nodes, and a scheduler extension. The extensions are deployed as a Kubernetes
deployment in the isecl
namespace.
Deploy Intel® SecL Custom Controller
#Install skopeo to load container image for controller and scheduler from archive
dnf install -y skopeo
-
Copy
isecl-k8s-extensions-*.tar.gz
to Kubernetes Control plane machine and extract the contents#Copy scp /<build_path>/binaries/isecl-k8s-extensions-*.tar.gz <user>@<k8s_controller_machine>:/<path>/ #Extract tar -xvzf /<path>/isecl-k8s-extensions-*.tar.gz cd /<path>/isecl-k8s-extensions/
-
Create
hostattributes.crd.isecl.intel.com
CRD#1.17<=k8s_version<=1.22 kubectl apply -f yamls/crd-1.17.yaml
-
Check whether the CRD is created
kubectl get crds
- Load the
isecl-controller
container image
cd /<path>/isecl-k8s-extensions/
skopeo copy oci-archive:<isecl-k8s-controller-*.tar> docker://<docker_private_registry_server>:5000/<imageName>:<tagName>
-
Udate image name as above in controller yaml "/opt/isecl-k8s-extensions/yamls/isecl-controller.yaml"
containers: - name: isecl-controller image: <docker_private_registry_server>:5000/<imageName>:<tagName>
-
Deploy
isecl-controller
kubectl apply -f yamls/isecl-controller.yaml
- Check whether the isecl-controller is up and running
kubectl get deploy -n isecl
- Create clusterRoleBinding for ihub to get access to cluster nodes
kubectl create clusterrolebinding isecl-clusterrole --clusterrole=system:node --user=system:serviceaccount:isecl:isecl
- Fetch token required for ihub installation
kubectl get secrets -n isecl
#The below token will be used for ihub installation to update 'KUBERNETES_TOKEN' in ihub.env when configured with Kubernetes Tenant
kubectl describe secret default-token-<name> -n isecl
- Additional Optional Configurable fields for isecl-controller configuration in
isecl-controller.yaml
Field | Required | Type | Default | Description |
---|---|---|---|---|
LOG_LEVEL | Optional |
string |
INFO | Determines the log level |
LOG_MAX_LENGTH | Optional |
int |
1500 | Determines the maximum length of characters in a line in log file |
TAG_PREFIX | Optional |
string |
isecl | A custom prefix which can be applied to isecl attributes that are pushed from IH. For example, if the tag-prefix is isecl. and trusted attribute in CRD becomes isecl.trusted. |
TAINT_UNTRUSTED_NODES | Optional |
string |
false | If set to true. NoExec taint applied to the nodes for which trust status is set to false, Applicable only for HVS based attestation |
Installing the Intel® SecL Integration Hub
Note
The Integration Hub is only required to integrate Intel® SecL with third-party scheduler services, such as OpenStack Nova or Kubernetes. The Hub is not required for usage models that do not require Intel® SecL security attributes to be pushed to an integration endpoint.
Required For
The Hub is REQUIRED for the following use cases.
- Workload Confidentiality (both VMs and Containers)
The Hub is OPTIONAL for the following use cases (used only if orchestration or other integration support is needed):
- Platform Integrity with Data Sovereignty and Signed Flavors
- Application Integrity
Deployment Architecture Considerations for the Hub
A separate Hub instance is REQUIRED for each Cloud environment (also referred to as a Hub "tenant"). For example, if a single datacenter will have an OpenStack cluster and also two separate Kubernetes clusters, a total of three Hub instances must be installed, though additional instances of other Intel SecL services are not required (in the same example, only a single Verification Service is required). Each Hub will manage a single orchestrator environment. Each Hub instance should be installed on a separate VM or physical server
Prerequisites
The Intel® Security Libraries Integration Hub can be run as a VM or as a bare-metal server. The Hub may be installed on the same server (physical or VM) as the Verification Service.
- The Verification Service must be installed and available
- The Authentication and Authorization Service must be installed and available
- The Certificate Management Service must be installed and available
- (REQUIRED for Kubernetes integration only) The Intel SecL Custom Resource Definitions must be installed and available (see the Integration section for details)
Package Dependencies
The Intel® SecL Integration Hub requires a number of packages and their dependencies:
If these are not already installed, the Integration Hub installer attempts to install these packages automatically using the package manager. Automatic installation requires access to package repositories (the RHEL subscription repositories, the EPEL repository, or a suitable mirror), which may require an Internet connection. If the packages are to be installed from the package repository, be sure to update your repository package lists before installation.
Supported Operating Systems
The Intel Security Libraries Integration Hub supports Red Hat Enterprise Linux 8.4
Recommended Hardware
-
1 vCPUs
-
RAM: 2 GB
-
1 GB free space to install the Verification Service services. Additional free space is needed for the Integration Hub database and logs (database and log space requirements are dependent on the number of managed servers).
-
One network interface with network access to the Verification Service.
-
One network interface with network access to any integration endpoints (for example, OpenStack Nova).
Installing the Integration Hub
To install the Integration Hub, follow these steps:
- Copy the API Server certificate of the Kubernetes Controller to machine where Integration Hub will be installed to
/root/
directory
Note
In most Kubernetes distributions the Kubernetes certificate and key is normally present under /etc/kubernetes/pki
. However this might differ in case of some specific Kubernetes distributions.
In ihub.env KUBERNETES_TOKEN
token can be retrieved from Kubernetes using the following command:
kubectl get secrets -n isecl -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='default')].data.token}"|base64 --decode
KUBERNETES_CERT_FILE=/<any_path>/apiserver.crt
in this path can be specified any ex: /root
which can taken care by IHUB during installation and copied to '/etc/ihub' directory.
- Create the
ihub.env
installation answer file. See the sample file below.
# Authentication URL and service account credentials
AAS_API_URL=https://isecl-aas:8444/aas/v1
IHUB_SERVICE_USERNAME=<Username for the Hub service user>
IHUB_SERVICE_PASSWORD=<Password for the Hub service user>
# CMS URL and CMS webserivce TLS hash for server verification
CMS_BASE_URL=https://isecl-cms:8445/cms/v1
CMS_TLS_CERT_SHA384=<TLS hash>
# TLS Configuration
TLS_SAN_LIST=127.0.0.1,192.168.1.1,hub.server.com #comma-separated list of IP addresses and hostnames for the Hub to be used in the Subject Alternative Names list in the TLS Certificate
# Verification Service URL
HVS_BASE_URL=https://isecl-hvs:8443/hvs/v2
ATTESTATION_TYPE=HVS
#Integration tenant type. Currently supported values are "KUBENETES" or "OPENSTACK"
TENANT=<KUBERNETES or OPENSTACK>
# OpenStack Integration Credentials - required for OpenStack integration only
OPENSTACK_AUTH_URL=<OpenStack Keystone URL; typically http://openstack-ip:5000/>
OPENSTACK_PLACEMENT_URL=<OpenStack Nova API URL; typically http://openstack-ip:8778/>
OPENSTACK_USERNAME=<OpenStack username>
OPENSTACK_PASSWORD=<OpenStack password>
# Kubernetes Integration Credentials - required for Kubernetes integration only
KUBERNETES_URL=https://kubernetes:6443/
KUBERNETES_CRD=custom-isecl
KUBERNETES_CERT_FILE=/root/apiserver.crt
KUBERNETES_TOKEN=eyJhbGciOiJSUzI1NiIsImtpZCI6Ik......
# Installation admin bearer token for CSR approval request to CMS - mandatory
BEARER_TOKEN=eyJhbGciOiJSUzM4NCIsImtpZCI6ImE…
Deploy Intel® SecL Custom Controller
along with other relevant tenant configuration options in ihub.env
- Copy the Integration Hub installation binary to the
/root
directory & execute the installer binary.
./ihub-v4.1.1.bin
- Copy the
/etc/ihub/ihub_public_key.pem
to Kubernetes Controller machine to/<path>/secrets/
directory
#On K8s-Controller machine
mkdir -p /<path>/secrets
#On IHUB machine, copy
scp /etc/ihub/ihub_public_key.pem <user>@<k8s_controller_machine>:/<path>/secrets/hvs_ihub_public_key.pem
After installation, the Hub must be configured to integrate with a Cloud orchestration platform (for example, OpenStack or Kubernetes). See the Integration section for details.
Deploy Intel® SecL Extended Scheduler
- Install
cfssl
andcfssljson
on Kubernetes Control Plane
#Install wget
dnf install wget -y
#Download cfssl to /usr/local/bin/
wget -O /usr/local/bin/cfssl http://pkg.cfssl.org/R1.2/cfssl_linux-amd64
chmod +x /usr/local/bin/cfssl
#Download cfssljson to /usr/local/bin
wget -O /usr/local/bin/cfssljson http://pkg.cfssl.org/R1.2/cfssljson_linux-amd64
chmod +x /usr/local/bin/cfssljson
- Create TLS key-pair for
isecl-scheduler
service which is signed by Kubernetesapiserver.crt
cd /<path>/isecl-k8s-extensions/
chmod +x create_k8s_extsched_cert.sh
#Set K8s_CONTROLLER_IP,HOSTNAME
export CONTROLLER_IP=<k8s_machine_ip>
export HOSTNAME=<k8s_machine_hostname>
#Create TLS key-pair
./create_k8s_extsched_cert.sh -n "K8S Extended Scheduler" -s "$CONTROLLER_IP","$HOSTNAME" -c <k8s_ca_authority_cert> -k <k8s_ca_authority_key>
Note
In most Kubernetes distributions the Kubernetes certificate and key is normally present under /etc/kubernetes/pki
. However this might differ in case of some specific Kubernetes distributions.
- Copy the TLS key-pair generated to
/<path>/secrets/
directory
cp /<path>/isecl-k8s-extensions/server.key /<path>/secrets/
cp /<path>/isecl-k8s-extensions/server.crt /<path>/secrets/
- Load the
isecl-scheduler
container image
cd /<path>/isecl-k8s-extensions/
skopeo copy oci-archive:<isecl-k8s-scheduler-*.tar> docker://<docker_private_registry_server>:5000/<imageName>:<tagName>
-
Update image name as above in scheduler yaml "/opt/isecl-k8s-extensions/yamls/isecl-scheduler.yaml"
containers: - name: isecl-scheduler image: <docker_private_registry_server>:5000/<imageName>:<tagName>
-
Create scheduler-secret for isecl-scheduler
cd /<path>/
kubectl create secret generic scheduler-certs --namespace isecl --from-file=secrets
- The
isecl-scheduler.yaml
file includes support for both SGX and Workload Security put together. For only working with Workload Security scenarios , the following line needs to be made empty in the yaml file. The scheduler and controller yaml files are located under/<path>/isecl-k8s-extensions/yamls
- name: SGX_IHUB_PUBLIC_KEY_PATH
value: ""
- Deploy
isecl-scheduler
cd /<path>/isecl-k8s-extensions/
kubectl apply -f yamls/isecl-scheduler.yaml
- Check whether the
isecl-scheduler
is up and running
kubectl get deploy -n isecl
- Additional optional fields for isecl-scheduler configuration in
isecl-scheduler.yaml
Field | Required | Type | Default | Description |
---|---|---|---|---|
LOG_LEVEL | Optional |
string |
INFO | Determines the log level |
LOG_MAX_LENGTH | Optional |
int |
1500 | Determines the maximum length of characters in a line in log file |
TAG_PREFIX | Optional |
string |
isecl. | A custom prefix which can be applied to isecl attributes that are pushed from IH. For example, if the tag-prefix is *isecl.* and *trusted* attribute in CRD becomes *isecl.trusted*. |
PORT | Optional |
int |
8888 | ISecl scheduler service port |
HVS_IHUB_PUBLIC_KEY_PATH | Required |
string |
Required for IHub with HVS Attestation | |
SGX_IHUB_PUBLIC_KEY_PATH | Required |
string |
Required for IHub with SGX Attestation | |
TLS_CERT_PATH | Required |
string |
Path of tls certificate signed by kubernetes CA | |
TLS_KEY_PATH | Required |
string |
Path of tls key |
Configuring kube-scheduler to establish communication with isecl-scheduler
Note
The below is a sample when using kubeadm
as the Kubernetes distribution, the scheduler configuration files would be different for any other Kubernetes distributions being used.
-
Add a mount path to the
/etc/kubernetes/manifests/kube-scheduler.yaml
file for the Intel SecL scheduler extension:- mountPath: /<path>/isecl-k8s-extensions/ name: extendedsched readOnly: true
-
Add a volume path to the
/etc/kubernetes/manifests/kube-scheduler.yaml
file for the Intel SecL scheduler extension:- hostPath: path: /<path>/isecl-k8s-extensions/ type: "" name: extendedsched
-
Add
policy-config-file
path in the/etc/kubernetes/manifests/kube-scheduler.yaml
file undercommand
section:
- command:
- kube-scheduler
- --policy-config-file=/<path>/isecl-k8s-extensions/scheduler-policy.json
- --bind-address=127.0.0.1
- --kubeconfig=/etc/kubernetes/scheduler.conf
- --leader-elect=true
- Restart kubelet
systemctl restart kubelet
Logs will be appended to older logs in
/var/log/isecl-k8s-extensions
-
Whenever the CRD's are deleted and restarted for updates, the CRD's using the yaml files present under
/opt/isecl-k8s-extensions/yamls/
. Kubernetes Version 1.17-1.22 usescrd-1.17.yaml
kubectl delete crd hostattributes.crd.isecl.intel.com kubectl apply -f /opt/isecl-k8s-extensions/yamls/crd-<version>.yaml
-
(Optional) Verify that the Intel ® SecL K8s extensions have been started:
To verify the Intel SecL CRDs have been deployed:
kubectl get -o json hostattributes.crd.isecl.intel.com