AppsCode
  • KubeDB

    Run Production-Grade Databases on Kubernetes

    Stash

    Backup and Recovery Solution for Kubernetes

    KubeVault

    Run Production-Grade Vault on Kubernetes

    Voyager

    Secure Ingress Controller for Kubernetes

    ConfigSyncer

    Kubernetes Configuration Syncer

    Guard

    Kubernetes Authentication WebHook Server

    KubeDB

    KubeDB simplifies Provisioning, Upgrading, Scaling, Volume Expansion, Monitor, Backup, Restore for various Databases in Kubernetes on any Public & Private Cloud

    • check-boxLower administrative burden
    • check-boxNative Kubernetes Support
    • check-boxPerformance
    • check-boxAvailability and durability
    • check-boxManageability
    • check-boxCost-effectiveness
    • check-boxSecurity
    Stash

    A complete Kubernetes native disaster recovery solution for backup and restore your volumes and databases in Kubernetes on any public and private clouds.

    • check-boxDeclarative API
    • check-boxBackup Kubernetes Volumes
    • check-boxBackup Database
    • check-boxMultiple Storage Support
    • check-boxDeduplication
    • check-boxData Encryption
    • check-boxVolume Snapshot
    • check-boxPolicy Based Backup
    KubeVault

    KubeVault is a Git-Ops ready, production-grade solution for deploying and configuring Hashicorp's Vault on Kubernetes.

    • check-boxVault Kubernetes Deployment
    • check-boxAuto Initialization & Unsealing
    • check-boxVault Backup & Restore
    • check-boxConsume KubeVault Secrets with CSI
    • check-boxManage DB Users Privileges
    • check-boxStorage Backend
    • check-boxAuthentication Method
    • check-boxDatabase Secret Engine
    Voyager

    Secure Ingress Controller for Kubernetes

    • check-boxHTTP & TCP
    • check-boxSSL
    • check-boxPlatform support
    • check-boxHAProxy
    • check-boxPrometheus
    • check-boxLet's Encrypt
    configsyncer

    Kubernetes Configuration Syncer

    • check-boxConfiguration Syncer
    Guard

    Kubernetes Authentication WebHook Server

    • check-boxIdentity Providers
    • check-boxCLI
    • check-boxRBAC
  • RESOURCES
  • Webinar New
CONTACT SALES
Guard
github-icon twitterx-icon
TRY NOW FREE

New to Guard? Please start here.

Kops Installation Guide

Kops is a popular installer for production grade Kubernetes clusters. Please start here to get an overview of installation steps. This document only shows distinctions during Kops setup of guard.

During Initialize PKI

For creation of guard server config you need a free cluster ip. There is an easy trick which helps to find it in most cases: Just find out your nonMasqueradeCIDR through kops edit cluster --name <cluster_name> and then add x.x.10.96 to this range e.g. if it is 100.64.0.0 use 100.64.10.96.

If this does not work for some unknown reason, you have to describe one of your kube-api-server pods in kube-system namespace and find out service-cluster-ip-range. In this range you can use any ip which is not already assigned. You can show all ips through this command:

kubectl get svc --all-namespaces|grep ClusterIP |awk \'{print $4}\'|sort

guard init server --ips=100.64.10.96

During Deploy Guard server

Before you apply your guard config with kubectl apply -f verify installer.yaml (spec/clusterIP: 100.64.10.96) is filled with rigth ip address.

During Configure Kubernetes API Server

To configure your api server to use --authentication-token-webhook-config-file you need to edit your kops cluster spec: kops edit cluster --name <cluster_name>. There you add the following specifications:

spec:
  kubeAPIServer:
    authenticationTokenWebhookConfigFile: /srv/kubernetes/webhook-guard-config
  fileAssets:
  - content: |
       (OUTPUT of: guard get webhook-config your-github-org -o github --addr=100.64.10.96:443)       
    name: guard-github-auth
    path: /srv/kubernetes/webhook-guard-config
    roles:
    - Master

After you saved your config, you have to exchange your k8s master nodes. If you have a three master HA cluster, i recommend that you exchange one server with command: kops rolling-update cluster <cluster_name> --instance-group master-eu-west-1a --yes. Now theoretically every third request could work after your master node is online again. If the node does not join your cluster or things do not work, ssh to this master node and verify kubernetes api server logs in /var/log/. If some requests are working, exchange the other master nodes. This keeps your cluster working all the time.

This document only shows difference between kops setup and here.

What's on this Page

Search
Improve This Page