Adding security examples

Author: Arnas Navašinskas

examples/aks/aks_cluster_with_security/README.MD

@@ -0,0 +1,27 @@
+# Example of AKS cluster connected to CAST AI with enabled Kvisor security agent
+Following example creates AKS cluster and its supporting resources.\
+After AKS cluster is created it is onboarded to CAST AI.\
+[Kvisor security agent](https://docs.cast.ai/docs/kvisor) is deployed to the cluster and security policies are enabled.\
+See `install_security_agent` and `kvisor_values` variables in `castai.tf` file.\
+Example configuration should be analysed in the following order:
+1. Create Virtual network - `vnet.tf`
+2. Create AKS cluster - `aks.tf`
+3. Create CAST AI related resources to connect AKS cluster to CAST AI - `castai.tf`
+
+# Usage
+1. Rename `tf.vars.example` to `tf.vars`
+2. Update `tf.vars` file with your cluster name, cluster region and CAST AI API token.
+3. Initialize Terraform. Under example root folder run:
+```
+terraform init
+```
+4. Run Terraform apply:
+```
+terraform apply -var-file=tf.vars
+```
+5. To destroy resources created by this example:
+```
+terraform destroy -var-file=tf.vars
+```
+
+Please refer to this guide if you run into any issues https://docs.cast.ai/docs/terraform-troubleshooting

examples/aks/aks_cluster_with_security/aks.tf

@@ -0,0 +1,25 @@
+# 2. Create AKS cluster.
+
+resource "azurerm_kubernetes_cluster" "this" {
+  name                = var.cluster_name
+  resource_group_name = azurerm_resource_group.this.name
+  location            = azurerm_resource_group.this.location
+  dns_prefix          = var.cluster_name
+  node_resource_group = "${var.cluster_name}-ng"
+
+  default_node_pool {
+    name = "default"
+    # Node count has to be > 2 to successfully deploy CAST AI controller.
+    node_count     = 2
+    vm_size        = "Standard_D2_v2"
+    vnet_subnet_id = azurerm_subnet.internal.id
+  }
+
+  identity {
+    type = "SystemAssigned"
+  }
+
+  tags = {
+    Environment = "Test"
+  }
+}

examples/aks/aks_cluster_with_security/castai.tf

@@ -0,0 +1,87 @@
+# 3. Connect AKS cluster to CAST AI with enabled Kvisor security agent.
+
+# Configure Data sources and providers required for CAST AI connection.
+data "azurerm_subscription" "current" {}
+
+# Configure AKS cluster connection to CAST AI using CAST AI aks-cluster module with enabled Kvisor security agent.
+module "castai-aks-cluster" {
+  source = "castai/aks/castai"
+
+  kvisor_grpc_addr = var.kvisor_grpc_addr
+
+  # Kvisor is an open-source security agent from CAST AI.
+  # install_security_agent by default installs Kvisor controller (k8s: deployment)
+  # https://docs.cast.ai/docs/kvisor
+  install_security_agent = true
+
+  # Kvisor configuration examples, enable certain features:
+  kvisor_values = [
+    yamlencode({
+      controller = {
+        extraArgs = {
+          # UI: Vulnerability management configuration = API: IMAGE_SCANNING
+          "image-scan-enabled" = true
+          # UI: Compliance configuration = API: CONFIGURATION_SCANNING
+          "kube-bench-enabled"  = true
+          "kube-linter-enabled" = true
+        }
+      }
+
+      # UI: Runtime Security = API: RUNTIME_SECURITY
+      agent = {
+        # In order to enable Runtime security set agent.enabled to true.
+        # This will install Kvisor agent (k8s: daemonset)
+        # https://docs.cast.ai/docs/sec-runtime-security
+        "enabled" = true
+
+        extraArgs = {
+          # Runtime security configuration examples:
+          # By default, most users enable the eBPF events and file hash enricher.
+          # For all flag explanations and code, see: https://github.com/castai/kvisor/blob/main/cmd/agent/daemon/daemon.go
+          "ebpf-events-enabled"        = true
+          "file-hash-enricher-enabled" = true
+          # other examples
+          "netflow-enabled"              = false
+          "netflow-export-interval"      = "30s"
+          "ebpf-program-metrics-enabled" = false
+          "prom-metrics-export-enabled"  = false
+          "prom-metrics-export-interval" = "30s"
+          "process-tree-enabled"         = false
+        }
+      }
+    })
+  ]
+
+  # Deprecated, leave this empty, to prevent setting defaults.
+  kvisor_controller_extra_args = {}
+
+  # Everything else...
+
+  wait_for_cluster_ready = false
+
+  install_workload_autoscaler = false
+  install_pod_mutator         = false
+  delete_nodes_on_disconnect  = var.delete_nodes_on_disconnect
+
+  api_url          = var.castai_api_url
+  castai_api_token = var.castai_api_token
+  grpc_url         = var.castai_grpc_url
+
+  aks_cluster_name    = var.cluster_name
+  aks_cluster_region  = var.cluster_region
+  node_resource_group = azurerm_kubernetes_cluster.this.node_resource_group
+  resource_group      = azurerm_kubernetes_cluster.this.resource_group_name
+
+  subscription_id = data.azurerm_subscription.current.subscription_id
+  tenant_id       = data.azurerm_subscription.current.tenant_id
+
+  default_node_configuration = module.castai-aks-cluster.castai_node_configurations["default"]
+
+  node_configurations = {
+    default = {
+      disk_cpu_ratio = 25
+      subnets        = [azurerm_subnet.internal.id]
+      tags           = var.tags
+    }
+  }
+}

examples/aks/aks_cluster_with_security/providers.tf

@@ -0,0 +1,23 @@
+# Following providers required by AKS and Vnet resources.
+provider "azurerm" {
+  features {}
+  subscription_id = var.subscription_id
+}
+
+provider "castai" {
+  api_token = var.castai_api_token
+  api_url   = var.castai_api_url
+}
+
+provider "azuread" {
+  tenant_id = data.azurerm_subscription.current.tenant_id
+}
+
+provider "helm" {
+  kubernetes {
+    host                   = azurerm_kubernetes_cluster.this.kube_config.0.host
+    client_certificate     = base64decode(azurerm_kubernetes_cluster.this.kube_config.0.client_certificate)
+    client_key             = base64decode(azurerm_kubernetes_cluster.this.kube_config.0.client_key)
+    cluster_ca_certificate = base64decode(azurerm_kubernetes_cluster.this.kube_config.0.cluster_ca_certificate)
+  }
+}

examples/aks/aks_cluster_with_security/tf.vars.example

@@ -0,0 +1,4 @@
+cluster_name     = "<place-holder>"
+cluster_region   = "<place-holder>"
+castai_api_token = "<place-holder>"
+subscription_id  = "<place-holder>"

examples/aks/aks_cluster_with_security/variables.tf

@@ -0,0 +1,51 @@
+# AKS  cluster variables.
+variable "cluster_name" {
+  type        = string
+  description = "Name of the AKS cluster, resources will be created for."
+}
+
+variable "cluster_region" {
+  type        = string
+  description = "Region of the AKS cluster, resources will be created for."
+}
+
+variable "castai_api_url" {
+  type        = string
+  description = "URL of alternative CAST AI API to be used during development or testing"
+  default     = "https://api.cast.ai"
+}
+
+# Variables required for connecting EKS cluster to CAST AI
+variable "castai_api_token" {
+  type        = string
+  description = "CAST AI API token created in console.cast.ai API Access keys section"
+}
+
+variable "castai_grpc_url" {
+  type        = string
+  description = "CAST AI gRPC URL used by pod pinner"
+  default     = "grpc.cast.ai:443"
+}
+
+variable "kvisor_grpc_addr" {
+  type        = string
+  description = "CAST AI Kvisor optimized GRPC API address"
+  default     = "kvisor.prod-master.cast.ai:443" // If your cluster is in the EU region, update the grpcAddr to: https://kvisor.prod-eu.cast.ai:443
+}
+
+variable "delete_nodes_on_disconnect" {
+  type        = bool
+  description = "Optional parameter, if set to true - CAST AI provisioned nodes will be deleted from cloud on cluster disconnection. For production use it is recommended to set it to false."
+  default     = true
+}
+
+variable "tags" {
+  type        = map(any)
+  description = "Optional tags for new cluster nodes. This parameter applies only to new nodes - tags for old nodes are not reconciled."
+  default     = {}
+}
+
+variable "subscription_id" {
+  type        = string
+  description = "Azure subscription ID"
+}

examples/aks/aks_cluster_with_security/versions.tf

@@ -0,0 +1,14 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source = "hashicorp/azurerm"
+    }
+    azuread = {
+      source = "hashicorp/azuread"
+    }
+    castai = {
+      source = "castai/castai"
+    }
+  }
+  required_version = ">= 0.13"
+}

examples/aks/aks_cluster_with_security/vnet.tf

@@ -0,0 +1,20 @@
+# 1. Create virtual network and resource group for the cluster.
+
+resource "azurerm_resource_group" "this" {
+  name     = var.cluster_name
+  location = var.cluster_region
+}
+
+resource "azurerm_virtual_network" "this" {
+  name                = "${var.cluster_name}-network"
+  location            = azurerm_resource_group.this.location
+  resource_group_name = azurerm_resource_group.this.name
+  address_space       = ["10.1.0.0/16"]
+}
+
+resource "azurerm_subnet" "internal" {
+  name                 = "internal"
+  virtual_network_name = azurerm_virtual_network.this.name
+  resource_group_name  = azurerm_resource_group.this.name
+  address_prefixes     = ["10.1.0.0/22"]
+}

examples/eks/eks_cluster_with_security/README.MD

@@ -0,0 +1,34 @@
+# Example of EKS cluster connected to CAST AI with enabled Kvisor security agent
+Following this example creates EKS cluster and its supporting resources using AWS community modules.\
+After EKS cluster is created it is onboarded to CAST AI.\
+[Kvisor security agent](https://docs.cast.ai/docs/kvisor) is deployed to the cluster and security policies are enabled.\
+See `install_security_agent` and `kvisor_values` variables in `castai.tf` file.\
+Example configuration should be analysed in the following order:
+1. Create VPC - `vpc.tf`
+2. Create EKS cluster - `eks.tf`
+3. Create CAST AI related resources to connect EKS cluster to CAST AI in read-only mode - `castai.tf`
+
+# Usage
+1. Rename `tf.vars.example` to `tf.vars`
+2. Update `tf.vars` file with your cluster name, cluster region and CAST AI API token
+
+| Variable | Description |
+| --- | --- |
+| cluster_name                = "" | Name of cluster |
+| cluster_region              = "" | Name of region of cluster |
+| castai_api_token            = "" | Cast api token |
+
+3. Initialize Terraform. Under example root folder run:
+```
+terraform init
+```
+4. Run Terraform apply:
+```
+terraform apply -var-file=tf.vars
+```
+5. To destroy resources created by this example:
+```
+terraform destroy -var-file=tf.vars
+```
+
+Please refer to this guide if you run into any issues https://docs.cast.ai/docs/terraform-troubleshooting