Antrea IDPS deployment YAML
---
# Source: antrea-idps/templates/agent/serviceaccount.yaml
# Identity of the per-node antrea-idps-agent DaemonSet. Its (read-only) API
# permissions come from the antrea-idps-agent ClusterRole/ClusterRoleBinding.
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: antrea-idps
  name: antrea-idps-agent
  namespace: kube-system
---
# Source: antrea-idps/templates/controller/serviceaccount.yaml
# Identity of the antrea-idps-controller Deployment. Bound to the
# antrea-idps-controller ClusterRole, which is considerably broader than the
# agent's (CRD writes, TrafficControl CRUD, TokenReview/SubjectAccessReview).
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: antrea-idps
  name: antrea-idps-controller
  namespace: kube-system
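---
# Source: antrea-idps/templates/controller/secret.yaml
# Holds the NSX license consumed by antrea-idps-controller (mounted read-only at
# /var/run/antrea/idps/licenses in the controller Deployment).
#
# Do not commit a real license into this manifest. Populate the value at deploy
# time, e.g.
#   kubectl -n kube-system create secret generic antrea-idps-licenses \
#     --from-file=nsx-license=<path-to-license>
# or let an external secrets operator own this Secret.
apiVersion: v1
kind: Secret
metadata:
  name: antrea-idps-licenses
  namespace: kube-system
  labels:
    app: antrea-idps
type: Opaque
data:
  # Values under `data` MUST be base64-encoded; an undecodable value (such as
  # this placeholder, whose closing `>` was also missing) makes `kubectl apply`
  # fail. Use `stringData:` instead if you want to supply the raw value.
  nsx-license: "<add your base64 encoded NSX license here>"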
---
# Source: antrea-idps/templates/configmap.yaml
# Shared configuration for the agent, the controller and the embedded Suricata
# engine. Both workloads carry a checksum/config annotation computed at Helm
# render time, so re-rendering the chart after a change rolls their Pods
# (editing the live ConfigMap alone does not).
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app: antrea-idps
  name: antrea-idps-config
  namespace: kube-system
data:
  # No agent-side overrides; the agent runs with its built-in defaults.
  idps-agent.conf: ""
  # Controller settings. NOTE(review): the unit of syncInterval is not stated
  # here (presumably seconds) — check the controller's documentation. The
  # signature feed is fetched over HTTPS from a fixed VMware endpoint, so the
  # nodes running the controller need egress to it.
  idps-controller.conf: |
    # The port for the antrea-idps-controller APIServer to serve on.
    # Note that if it's set to another value, the `containerPort` of the `api` port of the
    # `antrea-idps-controller` container must be set to the same value.
    apiPort: 20349
    # The configuration for signature provider NTICS.
    signatureProviderNTICS:
      # The base URL of NTICS APIs.
      apiBaseURL: https://api.prod.nsxti.vmware.com
      # The interval to sync the signature data.
      syncInterval: 600
  # Suricata HOME_NET: traffic to/from these ranges is treated as "internal" by
  # the rules, so it should cover the cluster's Pod and Service CIDRs (and node
  # CIDR if host traffic is mirrored). NOTE(review): 100.200.0.0/16 is public
  # address space — it is neither RFC 1918 nor inside the 100.64.0.0/10 shared
  # range — so confirm it is intentional for this deployment.
  idps-suricata.home-network.yaml: |
    %YAML 1.1
    ---
    HOME_NETWORK: "[10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.200.0.0/16]"
---
# Source: antrea-idps/templates/crds/idpspolicy.yaml
# IDPSPolicy (cluster-scoped, v1alpha1). `spec.appliedTo` picks Pods with a
# podSelector and/or namespaceSelector; both follow the Kubernetes label
# selector shape and validate label values against the label-value grammar.
# The controller that reconciles it also has full rights on Antrea
# TrafficControl objects (see its ClusterRole), which is presumably how the
# selected traffic is steered to the IDPS engine — not verifiable from here.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: idpspolicies.crd.antrea.tanzu.vmware.com
spec:
  group: crd.antrea.tanzu.vmware.com
  scope: Cluster
  names:
    kind: IDPSPolicy
    plural: idpspolicies
    singular: idpspolicy
  versions:
    - name: v1alpha1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          required:
            - spec
          properties:
            spec:
              type: object
              required:
                - appliedTo
              properties:
                # NOTE(review): neither selector is required inside appliedTo, so
                # an empty `appliedTo: {}` passes admission; whether the controller
                # reads that as "select nothing" or "select everything" is not
                # visible in this manifest.
                appliedTo:
                  type: object
                  properties:
                    podSelector:
                      type: object
                      properties:
                        matchExpressions:
                          type: array
                          items:
                            type: object
                            properties:
                              key:
                                type: string
                              operator:
                                type: string
                                enum:
                                  - In
                                  - NotIn
                                  - Exists
                                  - DoesNotExist
                              values:
                                type: array
                                items:
                                  type: string
                                  pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                        # Free-form key/value map; unknown fields are kept on purpose.
                        matchLabels:
                          x-kubernetes-preserve-unknown-fields: true
                    namespaceSelector:
                      type: object
                      properties:
                        matchExpressions:
                          type: array
                          items:
                            type: object
                            properties:
                              key:
                                type: string
                              operator:
                                type: string
                                enum:
                                  - In
                                  - NotIn
                                  - Exists
                                  - DoesNotExist
                              values:
                                type: array
                                items:
                                  type: string
                                  pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                        matchLabels:
                          x-kubernetes-preserve-unknown-fields: true
---
# Source: antrea-idps/templates/crds/idpssignatureproviderinfo.yaml
# IDPSSignatureProviderInfo (cluster-scoped, short name `ispi`) advertises the
# current signature bundle: an integer version plus the SHA-256 of the bundle.
# The controller creates/updates it and the agents only read it (see the two
# ClusterRoles), so the checksum is the agents' integrity anchor for rule updates.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: idpssignatureproviderinfos.crd.antrea.tanzu.vmware.com
spec:
  group: crd.antrea.tanzu.vmware.com
  scope: Cluster
  names:
    kind: IDPSSignatureProviderInfo
    plural: idpssignatureproviderinfos
    singular: idpssignatureproviderinfo
    shortNames:
      - ispi
  versions:
    - name: v1alpha1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          required:
            - signatureBundle
          properties:
            signatureBundle:
              type: object
              required:
                - version
                - sha256CheckSum
              properties:
                version:
                  type: integer
                # NOTE(review): this is the generic label-value pattern, not a
                # digest pattern — it accepts e.g. "abc" or "latest". If the
                # controller always writes hex, `^[A-Fa-f0-9]{64}$` would reject a
                # malformed digest at admission; confirm the producer's encoding
                # before tightening.
                sha256CheckSum:
                  type: string
                  pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
---
# Source: antrea-idps/templates/crds/nsxregistration.yaml
# NSXRegistration (cluster-scoped, short name `nsxreg`) carries a single
# `timestamp` string. The controller only has get/watch/list on it, so the
# object is created by something outside this manifest. NOTE(review): the field
# is free-form; `format: date-time` would enforce RFC 3339 if the producer
# already emits that — confirm before tightening.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: nsxregistrations.crd.antrea.tanzu.vmware.com
spec:
  group: crd.antrea.tanzu.vmware.com
  scope: Cluster
  names:
    kind: NSXRegistration
    plural: nsxregistrations
    singular: nsxregistration
    shortNames:
      - nsxreg
  versions:
    - name: v1alpha1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          required:
            - timestamp
          properties:
            timestamp:
              type: string
---
# Source: antrea-idps/templates/agent/clusterrole.yaml
# Read-only permissions for the per-node agent: one named ConfigMap
# (antrea-idps-ca, presumably the CA bundle used to trust the controller), the
# signature provider info, and the controller's /signatures/ntics endpoint.
# The kube-apiserver does not serve that path itself; the controller performs
# delegated authorization via SubjectAccessReview (see its ClusterRole), which
# is why the grant has to exist as a nonResourceURL rule.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: antrea-idps-agent
  labels:
    app: antrea-idps
rules:
  # resourceNames pins this rule to antrea-idps-ca. With resourceNames set,
  # `list`/`watch` are only allowed together with a metadata.name field
  # selector, so the agent cannot enumerate other ConfigMaps.
  - apiGroups: [""]
    resources: [configmaps]
    resourceNames: [antrea-idps-ca]
    verbs:
      - get
      - watch
      - list
  - apiGroups: [crd.antrea.tanzu.vmware.com]
    resources: [idpssignatureproviderinfos]
    verbs:
      - get
      - watch
      - list
  - nonResourceURLs: [/signatures/ntics]
    verbs:
      - get
---
# Source: antrea-idps/templates/controller/clusterrole.yaml
# Permissions of the controller. Roughly three groups:
#   - delegated authn/authz for its own API server (extension-apiserver-
#     authentication read, TokenReview and SubjectAccessReview create);
#   - the CA ConfigMap it publishes for the agents (create + update of
#     antrea-idps-ca);
#   - full CRUD on Antrea TrafficControl and IDPSPolicy, write access to
#     IDPSSignatureProviderInfo, read access to NSXRegistration.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: antrea-idps-controller
  labels:
    app: antrea-idps
rules:
  # Requester/client CA material for delegated authentication lives in this
  # well-known kube-system ConfigMap.
  - apiGroups: [""]
    resources: [configmaps]
    resourceNames: [extension-apiserver-authentication]
    verbs:
      - get
      - list
      - watch
  - apiGroups: [""]
    resources: [configmaps]
    resourceNames: [antrea-idps-ca]
    verbs:
      - get
      - update
      - watch
  # `create` cannot be restricted by resourceNames, and as a ClusterRole rule
  # this allows creating ConfigMaps in every namespace. NOTE(review): if the
  # controller only creates antrea-idps-ca in its own namespace, a
  # Role/RoleBinding in kube-system would be the least-privilege form.
  - apiGroups: [""]
    resources: [configmaps]
    verbs:
      - create
  # Antrea TrafficControl objects are how traffic is redirected/mirrored to the
  # IDPS tap; a compromised controller could therefore re-steer cluster traffic.
  - apiGroups: [crd.antrea.io]
    resources: [trafficcontrols]
    verbs:
      - create
      - delete
      - update
      - patch
      - get
      - watch
      - list
  - apiGroups: [crd.antrea.tanzu.vmware.com]
    resources: [idpspolicies]
    verbs:
      - create
      - delete
      - update
      - patch
      - get
      - watch
      - list
  # No delete: provider info is created once and then updated in place.
  - apiGroups: [crd.antrea.tanzu.vmware.com]
    resources: [idpssignatureproviderinfos]
    verbs:
      - create
      - update
      - get
      - watch
      - list
  - apiGroups: [crd.antrea.tanzu.vmware.com]
    resources: [nsxregistrations]
    verbs:
      - get
      - watch
      - list
  # Delegated authentication of incoming API requests (bearer tokens).
  - apiGroups: [authentication.k8s.io]
    resources: [tokenreviews]
    verbs:
      - create
  # Delegated authorization of incoming API requests against RBAC.
  - apiGroups: [authorization.k8s.io]
    resources: [subjectaccessreviews]
    verbs:
      - create
---
# Source: antrea-idps/templates/agent/clusterrolebinding.yaml
# Grants the antrea-idps-agent ClusterRole to the agent ServiceAccount.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    app: antrea-idps
  name: antrea-idps-agent
subjects:
  - kind: ServiceAccount
    name: antrea-idps-agent
    namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: antrea-idps-agent
---
# Source: antrea-idps/templates/controller/clusterrolebinding.yaml
# Grants the antrea-idps-controller ClusterRole to the controller ServiceAccount.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  labels:
    app: antrea-idps
  name: antrea-idps-controller
subjects:
  - kind: ServiceAccount
    name: antrea-idps-controller
    namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: antrea-idps-controller
---
# Source: antrea-idps/templates/controller/service.yaml
# Cluster-internal entry point to the controller API: 443 forwards to the
# container's `api` port (20349). Presumably this is how agents fetch signature
# bundles (cf. the /signatures/ntics grant). Because the controller Pod runs
# with hostNetwork, the same port is also bound directly on the node — firewall
# it at the node level if nodes are reachable from untrusted networks.
apiVersion: v1
kind: Service
metadata:
  labels:
    app: antrea-idps
  name: antrea-idps
  namespace: kube-system
spec:
  selector:
    app: antrea-idps
    component: antrea-idps-controller
  ports:
    - protocol: TCP
      port: 443
      targetPort: api
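---
# Source: antrea-idps/templates/agent/daemonset.yaml
# Per-node IDPS agent. Each Pod runs antrea-idps-agent next to a Suricata
# engine that sniffs the suricata-tap0 end of a veth pair created by the init
# container in the host network namespace.
#
# Security posture to be aware of (all visible in this spec):
#   - hostNetwork + shareProcessNamespace: containers share the node's network
#     stack and can see/signal each other's processes.
#   - Capabilities NET_ADMIN/NET_RAW (plus IPC_LOCK/SYS_NICE for Suricata) are
#     added; no container sets allowPrivilegeEscalation/readOnlyRootFilesystem
#     or drops capabilities, and the init container needs root for chown/ip.
#   - /var/log/antrea on the host is mounted read-write by every container.
#   - Images are pinned by tag, not digest; tags are mutable, so pin by digest
#     (image@sha256:...) for a supply-chain-hardened deployment.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: antrea-idps-agent
  namespace: kube-system
  labels:
    app: antrea-idps
    component: antrea-idps-agent
spec:
  selector:
    matchLabels:
      app: antrea-idps
      component: antrea-idps-agent
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      annotations:
        # Starting with v1.21, Kubernetes supports default container annotation.
        # Using "kubectl logs/exec/attach/cp" doesn't have to specify "-c antrea-idps-agent" when troubleshooting.
        kubectl.kubernetes.io/default-container: antrea-idps-agent
        # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
        # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
        checksum/config: ea40f09f69923141428fa493aeb7292c5323495bff0459745a03a0e8d77a647b
      labels:
        app: antrea-idps
        component: antrea-idps-agent
    spec:
      serviceAccountName: antrea-idps-agent
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      shareProcessNamespace: true
      priorityClassName: system-node-critical
      nodeSelector:
        kubernetes.io/os: linux
      # Runs on every Linux node, including tainted/control-plane ones.
      tolerations:
        - key: CriticalAddonsOnly
          operator: Exists
        - effect: NoSchedule
          operator: Exists
        - effect: NoExecute
          operator: Exists
      initContainers:
        # Prepares the shared /etc/suricata tree and the veth pair, then hands
        # ownership of the log and config trees to UID/GID 1000 (the identity
        # Suricata is started as, per SERVICE_UID/SERVICE_GID below).
        - name: init
          image: "projects.registry.vmware.com/antreainterworking/suricata:v1.7.1_vmware.1"
          imagePullPolicy: IfNotPresent
          command: ["/bin/bash"]
          args:
            - -c
            # Fix: the original chained everything as `... && chown || ip link add && ...`.
            # `||` and `&&` have equal precedence in bash, so a failed mkdir/touch/chown
            # fell through to `ip link add` and was silently masked whenever the veth
            # did not exist yet. Run under `set -e` with the existence check isolated.
            - |
              set -euo pipefail
              mkdir -p /etc/suricata/rules
              touch /etc/suricata/reference.config
              touch /etc/suricata/threshold.config
              touch /etc/suricata/idps-suricata.ntics.classification.config
              touch /etc/suricata/idps-suricata.ntics.addrs.yaml
              touch /etc/suricata/idps-suricata.ntics.ports.yaml
              chown -R 1000:1000 /log /etc/suricata
              # Idempotent: the veth lives in the host network namespace and
              # survives Pod restarts.
              if ! ip link show antrea-tap0 > /dev/null 2>&1; then
                ip link add dev antrea-tap0 type veth peer name suricata-tap0
              fi
              ip link set antrea-tap0 up
              ip link set suricata-tap0 up
          # NET_ADMIN is required for `ip link add/set` on the host network stack.
          securityContext:
            capabilities:
              add:
                - NET_ADMIN
          volumeMounts:
            - name: host-var-log-antrea
              mountPath: /log
              subPath: suricata
            - name: empty-dir-signatures
              mountPath: /etc/suricata
      containers:
        # Control-plane side of the node agent: talks to the controller/API
        # server and writes rule material into the shared /etc/suricata emptyDir.
        - name: antrea-idps-agent
          image: "projects.registry.vmware.com/antreainterworking/idps-debian:v1.7.1_vmware.1"
          imagePullPolicy: IfNotPresent
          command: ["antrea-idps-agent"]
          args:
            - "--config=/etc/antrea/idps/idps-agent.conf"
            - "--logtostderr=false"
            - "--log_dir=/var/log/antrea/idps"
            - "--alsologtostderr"
            - "--log_file_max_size=100"
            - "--log_file_max_num=4"
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          resources:
            requests:
              cpu: 200m
          # NOTE(review): no securityContext — the container runs as the image's
          # default user with default capabilities. Confirm the image is non-root
          # before adding runAsNonRoot; /etc/suricata is chowned to 1000:1000.
          volumeMounts:
            - name: antrea-idps-config
              mountPath: /etc/antrea/idps/idps-agent.conf
              subPath: idps-agent.conf
              readOnly: true
            - name: host-var-log-antrea
              mountPath: /var/log/antrea/idps
              subPath: idps
            - name: empty-dir-signatures
              mountPath: /etc/suricata
        # Detection engine. Captures on suricata-tap0 via AF_PACKET and writes
        # EVE alert JSON under /var/log/antrea/suricata on the host.
        - name: suricata
          image: "projects.registry.vmware.com/antreainterworking/suricata:v1.7.1_vmware.1"
          imagePullPolicy: IfNotPresent
          command: ["/entrypoint.sh"]
          resources:
            requests:
              cpu: 200m
          env:
            # Identity the entrypoint presumably switches to; matches the chown
            # in the init container.
            - name: SERVICE_UID
              value: "1000"
            - name: SERVICE_GID
              value: "1000"
            - name: CAPTURE_MODE
              value: af-packet
            # Suricata config template. NOTE(review): the nesting below is
            # reconstructed from an indentation-stripped source — verify it
            # against the chart before relying on it. Rule file is ntics.rules,
            # alerts rotate daily, file extraction is off, console logging only.
            - name: TILLER_YAML
              value: |
                ---
                global:
                  engine:
                    runmode: workers
                    classification_file: '/etc/suricata/idps-suricata.ntics.classification.config'
                    sniff_ifaces: ["suricata-tap0"]
                    af_packet:
                      threads:
                  common:
                    af_packet_enabled: true
                  vars:
                    custom_addrs_conf: '/etc/suricata/idps-suricata.ntics.addrs.yaml'
                    custom_ports_conf: '/etc/suricata/idps-suricata.ntics.ports.yaml'
                    home_network_conf: '/etc/suricata/idps-suricata.ntics.home-network.yaml'
                  rules:
                    files:
                      - 'ntics.rules'
                  outputs:
                    eve_log:
                      alert:
                        filetype: 'regular'
                        filename: '/log/eve.alert.%Y-%m-%d.json'
                        rotate-interval: day
                    file_store:
                      enabled: no
                  logging:
                    console:
                      enabled: yes
                    file:
                      enabled: no
                      filename: '/log/suricata.log'
          # NET_RAW/NET_ADMIN for AF_PACKET capture on the host interface,
          # IPC_LOCK for locking capture buffers, SYS_NICE for thread priorities.
          securityContext:
            capabilities:
              add:
                - IPC_LOCK
                - NET_ADMIN
                - NET_RAW
                - SYS_NICE
          volumeMounts:
            - name: host-var-log-antrea
              mountPath: /log
              subPath: suricata
            - name: empty-dir-signatures
              mountPath: /etc/suricata
            - name: antrea-idps-config
              subPath: idps-suricata.home-network.yaml
              mountPath: /etc/suricata/idps-suricata.ntics.home-network.yaml
              readOnly: true
      volumes:
        - name: antrea-idps-config
          configMap:
            name: antrea-idps-config
        # Host-writable log directory; created on the node if absent.
        - name: host-var-log-antrea
          hostPath:
            path: /var/log/antrea
            type: DirectoryOrCreate
        # Rule/config material shared between the agent and Suricata; node-local
        # and discarded with the Pod.
        - name: empty-dir-signatures
          emptyDir: {}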
---
# Source: antrea-idps/templates/controller/deployment.yaml
# Single-replica controller. It runs on the host network, so its API port
# (20349, named `api`) is bound on the node's interfaces as well as reachable
# through the antrea-idps Service on 443; restrict it with node firewall rules
# where nodes face untrusted networks. Incoming requests are presumably
# authenticated/authorized via TokenReview/SubjectAccessReview (see the
# controller ClusterRole).
#
# NOTE(review): no Pod- or container-level securityContext is set, and the
# image is pinned by mutable tag rather than digest — same caveats as the agent.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: antrea-idps
    component: antrea-idps-controller
  name: antrea-idps-controller
  namespace: kube-system
spec:
  replicas: 1
  strategy:
    # Ensure the existing Pod is stopped before the new one is created.
    type: Recreate
  selector:
    matchLabels:
      app: antrea-idps
      component: antrea-idps-controller
  template:
    metadata:
      annotations:
        # Automatically restart Pod if the ConfigMap changes
        # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
        checksum/config: ea40f09f69923141428fa493aeb7292c5323495bff0459745a03a0e8d77a647b
      labels:
        app: antrea-idps
        component: antrea-idps-controller
    spec:
      serviceAccountName: antrea-idps-controller
      hostNetwork: true
      priorityClassName: system-cluster-critical
      nodeSelector:
        kubernetes.io/os: linux
      # Both the legacy `master` and the current `control-plane` taints are
      # tolerated so the controller can land on control-plane nodes.
      tolerations:
        - key: CriticalAddonsOnly
          operator: Exists
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
        - key: node-role.kubernetes.io/control-plane
          effect: NoSchedule
      containers:
        - name: antrea-idps-controller
          image: "projects.registry.vmware.com/antreainterworking/idps-debian:v1.7.1_vmware.1"
          imagePullPolicy: IfNotPresent
          command: ["antrea-idps-controller"]
          args:
            - "--config=/etc/antrea/idps/idps-controller.conf"
            - "--logtostderr=false"
            - "--log_dir=/var/log/antrea/idps"
            - "--alsologtostderr"
            - "--log_file_max_size=100"
            - "--log_file_max_num=4"
          resources:
            requests:
              cpu: 200m
          # Must match `apiPort` in idps-controller.conf.
          ports:
            - name: api
              containerPort: 20349
              protocol: TCP
          # Probes go to localhost because the Pod shares the node's network
          # namespace; they use HTTPS, so the controller serves TLS on `api`.
          readinessProbe:
            httpGet:
              host: localhost
              path: /readyz
              port: api
              scheme: HTTPS
            initialDelaySeconds: 5
            timeoutSeconds: 5
            periodSeconds: 10
            failureThreshold: 5
          livenessProbe:
            httpGet:
              host: localhost
              path: /livez
              port: api
              scheme: HTTPS
            timeoutSeconds: 5
            periodSeconds: 10
            failureThreshold: 5
          volumeMounts:
            - name: antrea-idps-config
              mountPath: /etc/antrea/idps/idps-controller.conf
              subPath: idps-controller.conf
              readOnly: true
            - name: host-var-log-antrea
              mountPath: /var/log/antrea/idps
              subPath: idps
            - name: antrea-idps-licenses
              mountPath: /var/run/antrea/idps/licenses
              readOnly: true
      volumes:
        - name: antrea-idps-config
          configMap:
            name: antrea-idps-config
        - name: antrea-idps-licenses
          secret:
            secretName: antrea-idps-licenses
            # Octal (kubectl parses YAML 1.1): owner-read only. Secret files are
            # root-owned unless fsGroup/runAsUser is set, so this presumes the
            # controller runs as root — NOTE(review): re-check if runAsNonRoot
            # is ever added.
            defaultMode: 0400
        - name: host-var-log-antrea
          hostPath:
            path: /var/log/antrea
            type: DirectoryOrCreate