wip

Author: cirisked

examples/eks/eks_private_link/README.MD

@@ -0,0 +1,34 @@
+# Example of EKS cluster connected to CAST AI with enabled Kvisor security agent
+Following this example creates EKS cluster and its supporting resources using AWS community modules.\
+After EKS cluster is created it is onboarded to CAST AI.\
+[Kvisor security agent](https://docs.cast.ai/docs/kvisor) is deployed to the cluster and security policies are enabled.\
+See `install_security_agent` and `kvisor_values` variables in `castai.tf` file.\
+Example configuration should be analysed in the following order:
+1. Create VPC - `vpc.tf`
+2. Create EKS cluster - `eks.tf`
+3. Create CAST AI related resources to connect EKS cluster to CAST AI with Kvisor enabled - `castai.tf`
+
+# Usage
+1. Rename `tf.vars.example` to `tf.vars`
+2. Update `tf.vars` file with your cluster name, cluster region and CAST AI API token
+
+| Variable | Description |
+| --- | --- |
+| cluster_name                = "" | Name of cluster |
+| cluster_region              = "" | Name of region of cluster |
+| castai_api_token            = "" | Cast api token |
+
+3. Initialize Terraform. Under example root folder run:
+```
+terraform init
+```
+4. Run Terraform apply:
+```
+terraform apply -var-file=tf.vars
+```
+5. To destroy resources created by this example:
+```
+terraform destroy -var-file=tf.vars
+```
+
+Please refer to this guide if you run into any issues https://docs.cast.ai/docs/terraform-troubleshooting

examples/eks/eks_private_link/castai.tf

@@ -0,0 +1,142 @@
+# 3. Connect EKS cluster to CAST AI with enabled Kvisor security agent.
+
+# Configure Data sources and providers required for CAST AI connection.
+data "aws_caller_identity" "current" {}
+
+# Configure EKS cluster connection using CAST AI eks-cluster module.
+resource "castai_eks_clusterid" "cluster_id" {
+  account_id   = data.aws_caller_identity.current.account_id
+  region       = var.cluster_region
+  cluster_name = var.cluster_name
+}
+
+resource "castai_eks_user_arn" "castai_user_arn" {
+  cluster_id = castai_eks_clusterid.cluster_id.id
+}
+
+# Create AWS IAM policies and a user to connect to CAST AI.
+module "castai-eks-role-iam" {
+  source  = "castai/eks-role-iam/castai"
+  version = "~> 1.0"
+
+  aws_account_id     = data.aws_caller_identity.current.account_id
+  aws_cluster_region = var.cluster_region
+  aws_cluster_name   = var.cluster_name
+  aws_cluster_vpc_id = module.vpc.vpc_id
+
+  castai_user_arn = castai_eks_user_arn.castai_user_arn.arn
+
+  create_iam_resources_per_cluster = true
+}
+
+# Install CAST AI with enabled Kvisor security agent.
+module "castai-eks-cluster" {
+  source  = "castai/eks-cluster/castai"
+  version = "~> 13.0"
+
+  kvisor_grpc_addr = var.kvisor_grpc_addr
+
+  # Kvisor is an open-source security agent from CAST AI.
+  # install_security_agent by default installs Kvisor controller (k8s: deployment)
+  # https://docs.cast.ai/docs/kvisor
+  install_security_agent = true
+
+  # Kvisor configuration examples, enable certain features:
+  kvisor_values = [
+    yamlencode({
+      controller = {
+        extraArgs = {
+          # UI: Vulnerability management configuration = API: IMAGE_SCANNING
+          "image-scan-enabled" = true
+          # UI: Compliance configuration = API: CONFIGURATION_SCANNING
+          "kube-bench-enabled"  = true
+          "kube-linter-enabled" = true
+        }
+      }
+
+      # UI: Runtime Security = API: RUNTIME_SECURITY
+      agent = {
+        # In order to enable Runtime security set agent.enabled to true.
+        # This will install Kvisor agent (k8s: daemonset)
+        # https://docs.cast.ai/docs/sec-runtime-security
+        "enabled" = true
+
+        extraArgs = {
+          # Runtime security configuration examples:
+          # By default, most users enable the eBPF events and file hash enricher.
+          # For all flag explanations and code, see: https://github.com/castai/kvisor/blob/main/cmd/agent/daemon/daemon.go
+          "ebpf-events-enabled"        = true
+          "file-hash-enricher-enabled" = true
+          # other examples
+          "netflow-enabled"              = false
+          "netflow-export-interval"      = "30s"
+          "ebpf-program-metrics-enabled" = false
+          "prom-metrics-export-enabled"  = false
+          "prom-metrics-export-interval" = "30s"
+          "process-tree-enabled"         = false
+        }
+      }
+    })
+  ]
+
+  # Deprecated, leave this empty, to prevent setting defaults.
+  kvisor_controller_extra_args = {}
+
+  # Everything else...
+
+  wait_for_cluster_ready = false
+
+  install_egressd             = false
+  install_workload_autoscaler = false
+  install_pod_mutator         = false
+  delete_nodes_on_disconnect  = false
+
+  api_url          = var.castai_api_url
+  castai_api_token = var.castai_api_token
+  grpc_url         = var.castai_grpc_url
+
+  aws_account_id     = data.aws_caller_identity.current.account_id
+  aws_cluster_region = var.cluster_region
+  aws_cluster_name   = var.cluster_name
+
+  aws_assume_role_arn = module.castai-eks-role-iam.role_arn
+
+  default_node_configuration = module.castai-eks-cluster.castai_node_configurations["default"]
+  node_configurations = {
+    default = {
+      subnets = module.vpc.private_subnets
+      tags    = {}
+      security_groups = [
+        module.eks.cluster_security_group_id,
+        module.eks.node_security_group_id,
+      ]
+      instance_profile_arn = module.castai-eks-role-iam.instance_profile_arn
+    }
+  }
+
+  node_templates = {
+    default_by_castai = {
+      name             = "default-by-castai"
+      configuration_id = module.castai-eks-cluster.castai_node_configurations["default"]
+      is_default       = true
+      is_enabled       = true
+      should_taint     = false
+
+      constraints = {
+        on_demand          = true
+        spot               = false
+        use_spot_fallbacks = false
+
+        enable_spot_diversity                       = false
+        spot_diversity_price_increase_limit_percent = 20
+
+        spot_interruption_predictions_enabled = false
+        spot_interruption_predictions_type    = "aws-rebalance-recommendations"
+      }
+    }
+  }
+
+  # module "castai-eks-cluster" has to be destroyed before module "castai-eks-role-iam".
+  depends_on = [module.castai-eks-role-iam, module.eks, module.vpc]
+}
+

examples/eks/eks_private_link/eks.tf

@@ -0,0 +1,50 @@
+# 2. Create EKS cluster.
+
+module "eks" {
+  source       = "terraform-aws-modules/eks/aws"
+  version      = "19.4.2"
+  putin_khuylo = true
+
+  cluster_name                   = var.cluster_name
+  cluster_version                = var.cluster_version
+  cluster_endpoint_public_access = true
+
+  cluster_addons = {
+    coredns = {
+      most_recent = true
+    }
+    kube-proxy = {
+      most_recent = true
+    }
+    vpc-cni = {
+      most_recent = true
+    }
+  }
+
+  vpc_id     = module.vpc.vpc_id
+  subnet_ids = module.vpc.private_subnets
+
+  eks_managed_node_groups = {
+    node_group_1 = {
+      name           = "${var.cluster_name}-ng-1"
+      instance_types = ["m5.large", "m5.xlarge", "t3.large"]
+      desired_size   = 2
+      subnets        = module.vpc.private_subnets
+    }
+  }
+
+  manage_aws_auth_configmap = true
+
+  aws_auth_roles = [
+    # Add the CAST AI IAM role which required for CAST AI nodes to join the cluster.
+    {
+      rolearn  = module.castai-eks-role-iam.instance_profile_role_arn
+      username = "system:node:{{EC2PrivateDNSName}}"
+      groups = [
+        "system:bootstrappers",
+        "system:nodes",
+      ]
+    }
+  ]
+
+}

examples/eks/eks_private_link/endpoints.tf

@@ -0,0 +1,143 @@
+resource "aws_security_group" "cast_ai_vpc_service" {
+  name   = "SG used by NGINX proxy VMs"
+  vpc_id = module.vpc.vpc_id
+
+  ingress {
+    description      = "Accessing CAST AI endpoints"
+    from_port        = 443
+    to_port          = 443
+    protocol         = "tcp"
+    cidr_blocks      = ["0.0.0.0/0"]
+    ipv6_cidr_blocks = ["::/0"]
+  }
+
+  depends_on = [
+    module.vpc
+  ]
+}
+
+locals {
+  interface_endpoints = [
+    "ecr.api",
+    "ecr.dkr",
+    "logs",
+    "sts"
+  ]
+}
+
+resource "aws_vpc_endpoint" "interface_endpoints" {
+  for_each = toset(local.interface_endpoints)
+
+  vpc_id              = module.vpc.vpc_id
+  service_name        = "com.amazonaws.${var.cluster_region}.${each.key}"
+  vpc_endpoint_type   = "Interface"
+  subnet_ids          = module.vpc.private_subnets
+  private_dns_enabled = true
+  security_group_ids  = [aws_security_group.vpce_sg.id]
+}
+
+resource "aws_vpc_endpoint" "s3" {
+  vpc_id          = module.vpc.vpc_id
+  service_name    = "com.amazonaws.${var.cluster_region}.s3"
+  route_table_ids = module.vpc.private_route_table_ids
+}
+
+resource "aws_security_group" "vpce_sg" {
+  name        = "vpc-endpoints-sg"
+  description = "Allow access to VPC interface endpoints"
+  vpc_id      = module.vpc.vpc_id
+
+  ingress {
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = [module.vpc.vpc_cidr_block]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+resource "aws_vpc_endpoint" "cast_ai_rest_api" {
+  vpc_id              = module.vpc.vpc_id
+  service_name        = var.rest_api_service_name
+  vpc_endpoint_type   = "Interface"
+  subnet_ids          = module.vpc.private_subnets
+  security_group_ids  = [aws_security_group.cast_ai_vpc_service.id]
+  private_dns_enabled = true
+
+  depends_on = [
+    module.vpc
+  ]
+}
+
+resource "aws_vpc_endpoint" "cast_ai_grpc" {
+  vpc_id              = module.vpc.vpc_id
+  service_name        = var.grpc_service_name
+  vpc_endpoint_type   = "Interface"
+  subnet_ids          = module.vpc.private_subnets
+  security_group_ids  = [aws_security_group.cast_ai_vpc_service.id]
+  private_dns_enabled = true
+
+  depends_on = [
+    module.vpc
+  ]
+}
+
+resource "aws_vpc_endpoint" "cast_ai_api_grpc" {
+  vpc_id              = module.vpc.vpc_id
+  service_name        = var.api_grpc_service_name
+  vpc_endpoint_type   = "Interface"
+  subnet_ids          = module.vpc.private_subnets
+  security_group_ids  = [aws_security_group.cast_ai_vpc_service.id]
+  private_dns_enabled = true
+
+  depends_on = [
+    module.vpc
+  ]
+}
+
+resource "aws_vpc_endpoint" "cast_ai_files" {
+  vpc_id              = module.vpc.vpc_id
+  service_name        = var.files_service_name
+  vpc_endpoint_type   = "Interface"
+  subnet_ids          = module.vpc.private_subnets
+  security_group_ids  = [aws_security_group.cast_ai_vpc_service.id]
+  private_dns_enabled = true
+
+  depends_on = [
+    module.vpc
+  ]
+}
+
+resource "aws_vpc_endpoint" "cast_ai_kvisor" {
+  vpc_id              = module.vpc.vpc_id
+  service_name        = var.kvisor_service_name
+  vpc_endpoint_type   = "Interface"
+  subnet_ids          = module.vpc.private_subnets
+  security_group_ids  = [aws_security_group.cast_ai_vpc_service.id]
+  private_dns_enabled = true
+
+  depends_on = [
+    module.vpc
+  ]
+}
+
+resource "aws_vpc_endpoint" "cast_ai_telemetry" {
+  vpc_id              = module.vpc.vpc_id
+  service_name        = var.telemetry_service_name
+  vpc_endpoint_type   = "Interface"
+  subnet_ids          = module.vpc.private_subnets
+  security_group_ids  = [aws_security_group.cast_ai_vpc_service.id]
+  private_dns_enabled = true
+
+  depends_on = [
+    module.vpc
+  ]
+}
+
+