
Antrea IDPS deployment YAML

---
# Source: antrea-idps/templates/agent/serviceaccount.yaml
# Identity the antrea-idps-agent DaemonSet Pods run as (`serviceAccountName`
# in that DaemonSet); bound to the antrea-idps-agent ClusterRole by the
# ClusterRoleBinding of the same name in this file.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: antrea-idps-agent
  namespace: kube-system
  labels:
    app: antrea-idps
---
# Source: antrea-idps/templates/controller/serviceaccount.yaml
# Identity the antrea-idps-controller Deployment runs as; bound to the
# antrea-idps-controller ClusterRole by the ClusterRoleBinding of the same
# name in this file.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: antrea-idps-controller
  namespace: kube-system
  labels:
    app: antrea-idps
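---
# Source: antrea-idps/templates/controller/secret.yaml
# License material for the antrea-idps-controller. The controller Deployment in
# this file mounts this Secret read-only at /var/run/antrea/idps/licenses, so
# the `nsx-license` key shows up there as a file of the same name.
apiVersion: v1
kind: Secret
metadata:
  name: antrea-idps-licenses
  namespace: kube-system
  labels:
    app: antrea-idps
type: Opaque
data:
  # `data` values must be base64-encoded; the API server rejects the rendered
  # placeholder as illegal base64, so it has to be replaced before this document
  # is applied. Prefer populating the Secret at deploy time (or from a secret
  # store) over pasting the encoded license into this rendered file, which
  # would put the license under version control.
  nsx-license: "<add your base64 encoded NSX license here>"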
---
# Source: antrea-idps/templates/configmap.yaml
# Configuration shared by the agent DaemonSet and the controller Deployment in
# this file; each key is projected as one file through a `subPath` mount. The
# `checksum/config` Pod annotations on those workloads are fixed strings
# computed at render time, so hand-editing this rendered ConfigMap does not
# trigger the automatic rollout those annotations are meant to provide.
apiVersion: v1
kind: ConfigMap
metadata:
  name: antrea-idps-config
  namespace: kube-system
  labels:
    app: antrea-idps
data:
  # Mounted read-only at /etc/antrea/idps/idps-agent.conf in the agent container
  # (its `--config` flag). Empty here, so the agent presumably falls back to
  # built-in defaults — confirm.
  idps-agent.conf: ""
  # Mounted read-only at /etc/antrea/idps/idps-controller.conf in the controller
  # container. Everything inside the block scalar, comments included, is file
  # content handed to the controller.
  idps-controller.conf: |
    # The port for the antrea-idps-controller APIServer to serve on.
    # Note that if it's set to another value, the `containerPort` of the `api` port of the
    # `antrea-idps-controller` container must be set to the same value.
    apiPort: 20349

    # The configuration for signature provider NTICS.
    signatureProviderNTICS:
      # The base URL of NTICS APIs.
      apiBaseURL: https://api.prod.nsxti.vmware.com

      # The interval to sync the signature data.
      syncInterval: 600
  # Home-network address ranges for Suricata: mounted into the suricata
  # container at /etc/suricata/idps-suricata.ntics.home-network.yaml and
  # referenced as `home_network_conf` in that container's TILLER_YAML. Lists the
  # three RFC 1918 ranges plus 100.200.0.0/16.
  idps-suricata.home-network.yaml: |
    %YAML 1.1
    ---

    HOME_NETWORK: "[10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.200.0.0/16]"
---
# Source: antrea-idps/templates/crds/idpspolicy.yaml
# Cluster-scoped IDPSPolicy. `spec.appliedTo` is the only required field and
# carries optional pod/namespace label selectors shaped like a Kubernetes
# LabelSelector. The antrea-idps-controller ClusterRole in this file grants
# full CRUD on these objects.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: idpspolicies.crd.antrea.tanzu.vmware.com
spec:
  group: crd.antrea.tanzu.vmware.com
  versions:
    - name: v1alpha1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          required:
            - spec
          properties:
            spec:
              type: object
              required:
                - appliedTo
              properties:
                # NOTE(review): neither selector is required, so `appliedTo: {}`
                # passes validation; how the controller treats an empty selector
                # (match everything vs. nothing) is not visible here — confirm.
                appliedTo:
                  type: object
                  properties:
                    podSelector:
                      type: object
                      properties:
                        matchExpressions:
                          type: array
                          items:
                            type: object
                            properties:
                              key:
                                type: string
                              # The schema does not require `values` to be empty for
                              # Exists/DoesNotExist; that is left to the consumer.
                              operator:
                                enum:
                                  - In
                                  - NotIn
                                  - Exists
                                  - DoesNotExist
                                type: string
                              values:
                                type: array
                                items:
                                  type: string
                                  # Label-value syntax (alphanumerics, with -_. inside);
                                  # no length bound is enforced here.
                                  pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                        # Free-form map; keys and values are not validated by the schema.
                        matchLabels:
                          x-kubernetes-preserve-unknown-fields: true
                    namespaceSelector:
                      type: object
                      properties:
                        matchExpressions:
                          type: array
                          items:
                            type: object
                            properties:
                              key:
                                type: string
                              operator:
                                enum:
                                  - In
                                  - NotIn
                                  - Exists
                                  - DoesNotExist
                                type: string
                              values:
                                type: array
                                items:
                                  type: string
                                  pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
                        matchLabels:
                          x-kubernetes-preserve-unknown-fields: true
  scope: Cluster
  names:
    plural: idpspolicies
    singular: idpspolicy
    kind: IDPSPolicy
---
# Source: antrea-idps/templates/crds/idpssignatureproviderinfo.yaml
# Cluster-scoped record of the signature bundle currently available. Per the
# RBAC in this file the controller creates/updates these objects and the agent
# only reads them (get/watch/list).
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: idpssignatureproviderinfos.crd.antrea.tanzu.vmware.com
spec:
  group: crd.antrea.tanzu.vmware.com
  versions:
    - name: v1alpha1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          required:
            - signatureBundle
          properties:
            signatureBundle:
              type: object
              required:
                - version
                - sha256CheckSum
              properties:
                version:
                  type: integer
                sha256CheckSum:
                  type: string
                  # NOTE(review): this is the label-value regex reused from the
                  # IDPSPolicy selectors, not a digest format. It accepts the empty
                  # string (the whole group is optional), dots, underscores and
                  # hyphens, and has no length bound, so a missing or malformed
                  # checksum still validates. If the controller stores the hex
                  # SHA-256 of the bundle here, `^[a-fA-F0-9]{64}$` would actually
                  # pin it — confirm the encoding (hex vs. base64) before tightening.
                  pattern: "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$"
  scope: Cluster
  names:
    plural: idpssignatureproviderinfos
    singular: idpssignatureproviderinfo
    kind: IDPSSignatureProviderInfo
    shortNames:
      - ispi
---
# Source: antrea-idps/templates/crds/nsxregistration.yaml
# Cluster-scoped NSXRegistration. The controller ClusterRole in this file only
# reads these (get/watch/list); whatever creates them is outside this file.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: nsxregistrations.crd.antrea.tanzu.vmware.com
spec:
  group: crd.antrea.tanzu.vmware.com
  versions:
    - name: v1alpha1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          required:
            - timestamp
          properties:
            # Unconstrained string: no `format: date-time` and no pattern, so the
            # API server accepts any text here.
            timestamp:
              type: string
  scope: Cluster
  names:
    plural: nsxregistrations
    singular: nsxregistration
    kind: NSXRegistration
    shortNames:
      - nsxreg
---
# Source: antrea-idps/templates/agent/clusterrole.yaml
# Read-only permissions for the antrea-idps-agent DaemonSet: one ConfigMap,
# the signature-provider CRs, and a single non-resource URL.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: antrea-idps-agent
  labels:
    app: antrea-idps
rules:
  # The antrea-idps-ca ConfigMap is maintained by the controller (see its
  # ClusterRole). With `resourceNames` set, `list`/`watch` are only authorized
  # for requests that select that name via a metadata.name field selector.
  - apiGroups:
      - ""
    resourceNames:
      - antrea-idps-ca
    resources:
      - configmaps
    verbs:
      - get
      - watch
      - list
  - apiGroups:
      - crd.antrea.tanzu.vmware.com
    resources:
      - idpssignatureproviderinfos
    verbs:
      - get
      - watch
      - list
  # Presumably served by the controller's own API server, which authorizes the
  # call through SubjectAccessReview (see the controller ClusterRole) — confirm.
  - nonResourceURLs:
      - /signatures/ntics
    verbs:
      - get
---
# Source: antrea-idps/templates/controller/clusterrole.yaml
# Permissions for the antrea-idps-controller Deployment. The final two rules
# (tokenreviews / subjectaccessreviews) are the delegated authn/authz pattern
# of an extension API server, which fits the `/signatures/ntics` nonResourceURL
# the agent ClusterRole is granted.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: antrea-idps-controller
  labels:
    app: antrea-idps
rules:
  # Read the client-CA / request-header settings the API server publishes for
  # delegated authentication.
  - apiGroups:
      - ""
    resourceNames:
      - extension-apiserver-authentication
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
  # Maintain the antrea-idps-ca ConfigMap that the agent reads.
  - apiGroups:
      - ""
    resourceNames:
      - antrea-idps-ca
    resources:
      - configmaps
    verbs:
      - get
      - update
      - watch
  # NOTE(review): `create` cannot be narrowed by resourceNames, so this rule
  # permits creating ConfigMaps of any name in every namespace. If it exists
  # only to bootstrap antrea-idps-ca, a Role + RoleBinding in that ConfigMap's
  # namespace would bound it.
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - create
  # Full control of Antrea TrafficControl objects — presumably how traffic is
  # steered to the antrea-tap0 interface the agent's init container creates;
  # confirm.
  - apiGroups:
      - crd.antrea.io
    resources:
      - trafficcontrols
    verbs:
      - create
      - delete
      - update
      - patch
      - get
      - watch
      - list
  # Full control of IDPSPolicy objects (CRD defined in this file).
  - apiGroups:
      - crd.antrea.tanzu.vmware.com
    resources:
      - idpspolicies
    verbs:
      - create
      - delete
      - update
      - patch
      - get
      - watch
      - list
  # Creates/updates IDPSSignatureProviderInfo objects; no delete.
  - apiGroups:
      - crd.antrea.tanzu.vmware.com
    resources:
      - idpssignatureproviderinfos
    verbs:
      - create
      - update
      - get
      - watch
      - list
  # Read-only on NSXRegistration objects.
  - apiGroups:
      - crd.antrea.tanzu.vmware.com
    resources:
      - nsxregistrations
    verbs:
      - get
      - watch
      - list
  # Delegated authentication: validate bearer tokens presented to the
  # controller's API.
  - apiGroups:
      - authentication.k8s.io
    resources:
      - tokenreviews
    verbs:
      - create
  # Delegated authorization: ask the API server whether a caller may perform a
  # request (e.g. the agent's `get` on `/signatures/ntics`).
  - apiGroups:
      - authorization.k8s.io
    resources:
      - subjectaccessreviews
    verbs:
      - create
---
# Source: antrea-idps/templates/agent/clusterrolebinding.yaml
# Binds the read-only antrea-idps-agent ClusterRole to the agent's
# ServiceAccount in kube-system (the identity the DaemonSet runs as).
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: antrea-idps-agent
  labels:
    app: antrea-idps
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: antrea-idps-agent
subjects:
  - kind: ServiceAccount
    name: antrea-idps-agent
    namespace: kube-system
---
# Source: antrea-idps/templates/controller/clusterrolebinding.yaml
# Binds the antrea-idps-controller ClusterRole (cluster-wide, including the
# unscoped ConfigMap `create`) to the controller's ServiceAccount in kube-system.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: antrea-idps-controller
  labels:
    app: antrea-idps
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: antrea-idps-controller
subjects:
  - kind: ServiceAccount
    name: antrea-idps-controller
    namespace: kube-system
---
# Source: antrea-idps/templates/controller/service.yaml
# Service in front of the antrea-idps-controller Deployment: port 443 forwards
# to the container port named `api` (20349 in the Deployment). No `type` is
# set, so this is a ClusterIP Service. Because the controller Pod uses host
# networking, the same port is also bound directly on its node.
apiVersion: v1
kind: Service
metadata:
  name: antrea-idps
  namespace: kube-system
  labels:
    app: antrea-idps
spec:
  ports:
    - port: 443
      protocol: TCP
      targetPort: api
  selector:
    app: antrea-idps
    component: antrea-idps-controller
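---
# Source: antrea-idps/templates/agent/daemonset.yaml
# One antrea-idps-agent Pod per Linux node. Each Pod runs the agent next to a
# Suricata sensor; the init container prepares Suricata's config directory and
# the antrea-tap0/suricata-tap0 veth pair that Suricata captures on.
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: antrea-idps-agent
  namespace: kube-system
  labels:
    app: antrea-idps
    component: antrea-idps-agent
spec:
  selector:
    matchLabels:
      app: antrea-idps
      component: antrea-idps-agent
  updateStrategy:
    type: RollingUpdate
  template:
    metadata:
      annotations:
        # Starting with v1.21, Kubernetes supports default container annotation.
        # Using "kubectl logs/exec/attach/cp" doesn't have to specify "-c antrea-idps-agent" when troubleshooting.
        kubectl.kubernetes.io/default-container: antrea-idps-agent
        # Automatically restart Pods with a RollingUpdate if the ConfigMap changes
        # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
        checksum/config: ea40f09f69923141428fa493aeb7292c5323495bff0459745a03a0e8d77a647b
      labels:
        app: antrea-idps
        component: antrea-idps-agent
    spec:
      # Host networking lets the init container create the veth pair in the
      # node's network namespace and Suricata capture on it; it also means the
      # Pod is not isolated by NetworkPolicy.
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      priorityClassName: system-node-critical
      nodeSelector:
        kubernetes.io/os: linux
      # Tolerate every NoSchedule/NoExecute taint so the agent lands on all nodes.
      tolerations:
        - key: CriticalAddonsOnly
          operator: Exists
        - effect: NoSchedule
          operator: Exists
        - effect: NoExecute
          operator: Exists
      # All containers in the Pod share one PID namespace and can see each
      # other's processes.
      shareProcessNamespace: true
      serviceAccountName: antrea-idps-agent
      initContainers:
        - name: init
          image: "projects.registry.vmware.com/antreainterworking/suricata:v1.7.1_vmware.1"
          imagePullPolicy: IfNotPresent
          command: ["/bin/bash"]
          args:
            - -c
            # Folded scalar: the lines are joined with single spaces into one
            # `bash -c` string. The `&&` chain stops at the first failure; the
            # `||` makes veth creation idempotent across Pod restarts.
            - >-
              mkdir -p /etc/suricata/rules &&
              touch /etc/suricata/reference.config &&
              touch /etc/suricata/threshold.config &&
              touch /etc/suricata/idps-suricata.ntics.classification.config &&
              touch /etc/suricata/idps-suricata.ntics.addrs.yaml &&
              touch /etc/suricata/idps-suricata.ntics.ports.yaml &&
              chown -R 1000:1000 /log /etc/suricata &&
              ip link show antrea-tap0 > /dev/null 2>&1 || ip link add dev antrea-tap0 type veth peer name suricata-tap0 &&
              ip link set antrea-tap0 up &&
              ip link set suricata-tap0 up
          securityContext:
            # NET_ADMIN is needed for the `ip link` calls above. No runAsUser is
            # set and the script chowns to 1000:1000, so this presumably runs as
            # root — confirm against the image. It exits before the main
            # containers start.
            capabilities:
              add:
                - NET_ADMIN
          volumeMounts:
            - name: host-var-log-antrea
              mountPath: /log
              subPath: suricata
            - name: empty-dir-signatures
              mountPath: /etc/suricata
      containers:
        - name: antrea-idps-agent
          image: "projects.registry.vmware.com/antreainterworking/idps-debian:v1.7.1_vmware.1"
          imagePullPolicy: IfNotPresent
          command: ["antrea-idps-agent"]
          args:
            - "--config=/etc/antrea/idps/idps-agent.conf"
            - "--logtostderr=false"
            - "--log_dir=/var/log/antrea/idps"
            - "--alsologtostderr"
            - "--log_file_max_size=100"
            - "--log_file_max_num=4"
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          resources:
            requests:
              cpu: 200m
          # NOTE(review): no securityContext here, so the agent runs with the
          # image's default user and the default capability set; confirm whether
          # runAsNonRoot / allowPrivilegeEscalation: false can be applied to it.
          volumeMounts:
            - name: antrea-idps-config
              mountPath: /etc/antrea/idps/idps-agent.conf
              subPath: idps-agent.conf
              readOnly: true
            - name: host-var-log-antrea
              mountPath: /var/log/antrea/idps
              subPath: idps
            # Shared with the init and suricata containers; writable, presumably
            # so the agent can place signature/config files Suricata reads — confirm.
            - name: empty-dir-signatures
              mountPath: /etc/suricata
        - name: suricata
          image: "projects.registry.vmware.com/antreainterworking/suricata:v1.7.1_vmware.1"
          imagePullPolicy: IfNotPresent
          resources:
            requests:
              cpu: 200m
          command: ["/entrypoint.sh"]
          env:
            # Match the chown in the init container; the entrypoint presumably
            # drops to this uid/gid — confirm against the image.
            - name: SERVICE_UID
              value: "1000"
            - name: SERVICE_GID
              value: "1000"
            - name: CAPTURE_MODE
              value: af-packet
            # Suricata configuration overlay consumed by the image's entrypoint.
            # The yes/no booleans are Suricata's own YAML 1.1 convention; leave
            # them as they are.
            - name: TILLER_YAML
              value: |
                ---
                global:
                  engine:
                    runmode: workers
                    classification_file: '/etc/suricata/idps-suricata.ntics.classification.config'
                  sniff_ifaces: ["suricata-tap0"]
                  af_packet:
                    threads:
                  common:
                    af_packet_enabled: true
                  vars:
                    custom_addrs_conf: '/etc/suricata/idps-suricata.ntics.addrs.yaml'
                    custom_ports_conf: '/etc/suricata/idps-suricata.ntics.ports.yaml'
                    home_network_conf: '/etc/suricata/idps-suricata.ntics.home-network.yaml'
                  rules:
                    files:
                      - 'ntics.rules'
                  outputs:
                    eve_log:
                      alert:
                        filetype: 'regular'
                        filename: '/log/eve.alert.%Y-%m-%d.json'
                        rotate-interval: day
                      file_store:
                        enabled: no
                  logging:
                    console:
                      enabled: yes
                    file:
                      enabled: no
                      filename: '/log/suricata.log'
          securityContext:
            # NET_RAW/NET_ADMIN are needed to capture on the host-side veth;
            # IPC_LOCK and SYS_NICE are presumably for pinning capture buffers and
            # thread priorities — confirm. Nothing is dropped, so the container
            # keeps the runtime's default capability set on top of these.
            capabilities:
              add:
                - IPC_LOCK
                - NET_ADMIN
                - NET_RAW
                - SYS_NICE
          volumeMounts:
            - name: host-var-log-antrea
              mountPath: /log
              subPath: suricata
            - name: empty-dir-signatures
              mountPath: /etc/suricata
            # Projected from the antrea-idps-config ConfigMap; path matches
            # `home_network_conf` in TILLER_YAML above.
            - name: antrea-idps-config
              subPath: idps-suricata.home-network.yaml
              mountPath: /etc/suricata/idps-suricata.ntics.home-network.yaml
              readOnly: true
      volumes:
        - name: antrea-idps-config
          configMap:
            name: antrea-idps-config
        # Writable host directory; the agent's and Suricata's logs land under
        # it (subPaths idps/ and suricata/).
        - name: host-var-log-antrea
          hostPath:
            path: /var/log/antrea
            type: DirectoryOrCreate
        # Per-Pod scratch space for Suricata's config and rules; lost on restart.
        - name: empty-dir-signatures
          emptyDir: {}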
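---
# Source: antrea-idps/templates/controller/deployment.yaml
# Single-replica antrea-idps-controller. It serves an HTTPS API on port 20349
# (named `api`, fronted by the antrea-idps Service on 443) and reads the NSX
# license from the antrea-idps-licenses Secret.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: antrea-idps-controller
  namespace: kube-system
  labels:
    app: antrea-idps
    component: antrea-idps-controller
spec:
  strategy:
    # Ensure the existing Pod is stopped before the new one is created.
    type: Recreate
  selector:
    matchLabels:
      app: antrea-idps
      component: antrea-idps-controller
  replicas: 1
  template:
    metadata:
      annotations:
        # Automatically restart Pod if the ConfigMap changes
        # See https://helm.sh/docs/howto/charts_tips_and_tricks/#automatically-roll-deployments
        checksum/config: ea40f09f69923141428fa493aeb7292c5323495bff0459745a03a0e8d77a647b
      labels:
        app: antrea-idps
        component: antrea-idps-controller
    spec:
      nodeSelector:
        kubernetes.io/os: linux
      # With host networking the API port below is bound directly on the node's
      # interfaces, reachable without the Service and outside NetworkPolicy; the
      # access controls that apply are the API's own TLS and the delegated
      # authn/authz the controller ClusterRole provides for (tokenreviews /
      # subjectaccessreviews).
      hostNetwork: true
      priorityClassName: system-cluster-critical
      # Allow scheduling onto control-plane nodes under both the legacy `master`
      # and the current `control-plane` taint keys.
      tolerations:
        - key: CriticalAddonsOnly
          operator: Exists
        - effect: NoSchedule
          key: node-role.kubernetes.io/master
        - effect: NoSchedule
          key: node-role.kubernetes.io/control-plane
      serviceAccountName: antrea-idps-controller
      containers:
        - name: antrea-idps-controller
          image: "projects.registry.vmware.com/antreainterworking/idps-debian:v1.7.1_vmware.1"
          imagePullPolicy: IfNotPresent
          resources:
            requests:
              cpu: 200m
          command: ["antrea-idps-controller"]
          args:
            - "--config=/etc/antrea/idps/idps-controller.conf"
            - "--logtostderr=false"
            - "--log_dir=/var/log/antrea/idps"
            - "--alsologtostderr"
            - "--log_file_max_size=100"
            - "--log_file_max_num=4"
          ports:
            # Must stay equal to `apiPort` in idps-controller.conf (see the ConfigMap).
            - containerPort: 20349
              name: api
              protocol: TCP
          # Both probes hit the container's own HTTPS endpoint on localhost; the
          # kubelet does not verify the certificate for HTTPS probes.
          readinessProbe:
            httpGet:
              host: localhost
              path: /readyz
              port: api
              scheme: HTTPS
            initialDelaySeconds: 5
            timeoutSeconds: 5
            periodSeconds: 10
            failureThreshold: 5
          livenessProbe:
            httpGet:
              host: localhost
              path: /livez
              port: api
              scheme: HTTPS
            timeoutSeconds: 5
            periodSeconds: 10
            failureThreshold: 5
          volumeMounts:
            - name: antrea-idps-config
              mountPath: /etc/antrea/idps/idps-controller.conf
              subPath: idps-controller.conf
              readOnly: true
            - name: host-var-log-antrea
              mountPath: /var/log/antrea/idps
              subPath: idps
            # Each Secret key appears as a file here (e.g. .../licenses/nsx-license).
            - name: antrea-idps-licenses
              mountPath: /var/run/antrea/idps/licenses
              readOnly: true
      volumes:
        - name: antrea-idps-config
          configMap:
            name: antrea-idps-config
        - name: antrea-idps-licenses
          secret:
            secretName: antrea-idps-licenses
            # 0400 (octal): readable only by the file owner. Written in decimal
            # because a YAML 1.2 parser reads an unquoted `0400` as decimal four
            # hundred (= 0620), which would make the license files group-writable.
            # No fsGroup is set, so the owner is root; this matters if the
            # container is ever switched to a non-root user.
            defaultMode: 256
        - name: host-var-log-antrea
          hostPath:
            path: /var/log/antrea
            type: DirectoryOrCreate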