Kloudle is a Digital Assets Security Automation Platform for SREs and DevOps. When integrated with your Cloud or SaaS provider, Kloudle takes periodic security snapshots and provides complete security contextual visibility that allows you to make informed decisions about your infrastructure, the assets and their various configurations.
Kloudle collects metadata about the resources and analyzes it to identify misconfigurations; using a massive research-powered knowledge base, it identifies what would go wrong if these misconfigurations were exploited and what you can do to fix them.
As part of making sure the lives of SREs and DevOps become easier, Kloudle offers the ability to create “rules” that allow a user to take automated actions against a baseline. These automated actions, which we call Security Processes, allow users to configure a series of steps that kick in when custom events occur to ensure the security of the monitored cloud and SaaS platform.
To onboard your standalone Kubernetes cluster to Kloudle, you need to have the following prerequisites ready to create the credentials required to onboard:
A Kubernetes cluster can exist as an external cluster (with a reachable public IP address) or as an internal cluster accessible through a private network. This blog post covers instructions for both types of setup.
These instructions are for an external cluster with a public IP address.
The credential required by Kloudle to onboard a standalone Kubernetes cluster is the kubeconfig of a service account with read-only access. We have published a script that generates the required kubeconfig.yml, which is then supplied to the Kloudle app.
Run kubectl cluster-info to ensure you are using the correct target cluster, then run the following command:
curl -sS https://raw.githubusercontent.com/Kloudle/kloudle-kubernetes-onboarding/master/kubernetes-readonly-admin-creator.sh | sh
Paste the output into the Kubernetes Onboarding page under “Manage” > “Kubernetes” in the Kloudle app, as shown below.
Click on Add Account to complete the onboarding.
The command executed in the previous section pulls a shell script hosted in the Kloudle/kloudle-kubernetes-onboarding GitHub repository and executes it with sh.
The script uses the locally configured Kubernetes credentials to create the following read-only resources in the target cluster and prints a kubeconfig that is used to onboard the Kubernetes cluster to Kloudle.
These instructions are for an internal cluster without a public IP address. This setup uses a bastion host (commonly called a jumpbox) to reach the Kubernetes cluster.
The credential required by Kloudle to onboard a standalone Kubernetes cluster is the kubeconfig of a service account with read-only access. We have published a script that generates the required kubeconfig.yml, which is then supplied to the Kloudle app.
Either set up a new small instance or SSH into an existing machine that will be used as the jumphost; Ubuntu 20.04 or later is preferred.
This machine needs to fulfil the following requirements:
The following commands are to be run on the bastion host:
Run kubectl cluster-info to ensure you are using the correct target cluster, then run the following command:
curl -sS https://raw.githubusercontent.com/Kloudle/kloudle-kubernetes-onboarding/master/kubernetes-jumpbox-proxy-readonly-admin-setup.sh | sh
Click on Add Account to complete the onboarding.
The command executed in the previous section pulls a shell script hosted in the Kloudle/kloudle-kubernetes-onboarding GitHub repository and executes it with sh.
The script then sets up Tinyproxy to act as an HTTP/HTTPS proxy to reach the cluster, creates the following read-only resources in the target internal cluster, and prints a kubeconfig that is used to onboard the Kubernetes cluster to Kloudle.
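Both scripts (the external-cluster one and the jumpbox one) print a kubeconfig that is meant to carry read-only access. The following check is an added example and not part of the Kloudle scripts or this post: it runs kubectl auth can-i against the generated file to confirm that write verbs are denied while list access still works. The file path and the set of probed resources are assumptions.

```shell
#!/bin/sh
# Added verification helper (not part of the Kloudle onboarding scripts).
# Assumes kubectl is installed and that "$1" points at the kubeconfig.yml
# printed by the onboarding script (the path is an assumption for this example).

# Write verbs a read-only onboarding identity must not be granted.
WRITE_VERBS="create update patch delete deletecollection"
# Resources to probe; a constructed sample, extend with what your cluster runs.
PROBE_RESOURCES="pods secrets configmaps deployments.apps clusterrolebindings.rbac.authorization.k8s.io"

# Ask the API server whether the identity in the kubeconfig may perform
# a verb on a resource across all namespaces. Prints "yes" or "no".
can_i() {
  # kubectl auth can-i exits non-zero when the answer is "no"; keep the text.
  kubectl --kubeconfig "$1" auth can-i "$2" "$3" --all-namespaces 2>/dev/null || true
}

# Returns 0 when the kubeconfig is read-only for the probed resources and can
# still list pods; returns 1 and prints each unexpected permission otherwise.
verify_readonly_kubeconfig() {
  cfg="$1"
  violations=0
  for res in $PROBE_RESOURCES; do
    for verb in $WRITE_VERBS; do
      if [ "$(can_i "$cfg" "$verb" "$res")" = "yes" ]; then
        echo "VIOLATION: '$verb' on '$res' is allowed"
        violations=$((violations + 1))
      fi
    done
  done
  # Read access must still work, otherwise the snapshots would be empty.
  if [ "$(can_i "$cfg" list pods)" != "yes" ]; then
    echo "ERROR: 'list' on 'pods' is denied; the kubeconfig cannot take snapshots"
    violations=$((violations + 1))
  fi
  [ "$violations" -eq 0 ]
}

# Usage: sh verify-readonly.sh ./kubeconfig.yml
if [ $# -gt 0 ]; then
  if verify_readonly_kubeconfig "$1"; then
    echo "OK: kubeconfig is read-only for the probed resources"
  else
    exit 1
  fi
fi
```

Run it against the kubeconfig.yml before pasting it into the Kloudle app; a non-zero exit means the generated service account is broader (or narrower) than the onboarding needs.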