HSS can protect Huawei Cloud CCE clusters, third-party cloud clusters, on-premises clusters, and independent containers. This section describes how to connect these assets to HSS.
Context
In earlier versions, HSS provides cluster agent management to connect to containers. However, the containers connected in this way cannot use some container-related functions, such as container firewall and container cluster protection.
To solve this problem, in Linux agent 3.2.12 or later and Windows agent 4.0.23 or later, HSS supports installation and configuration management on containers to replace cluster agent management. Using the new function, cluster assets can fully connect to HSS and enjoy all the container-related functions provided.
If you have connected HSS to your cluster assets through cluster agent management, you are advised to uninstall the agent from your clusters, and then connect to them again by following the instructions provided in this section. In this way, you can fully enjoy cluster security functions. For more information, see Uninstalling the Agent from a Cluster.
Notice on ANP-Agent
ANP-Agent is different from HSS Agent. When a non-CCE cluster is connected to HSS, ANP-Agent is used to enable the communication between HSS and the cluster. For details about the HSS agent, see Agent Overview.
Prerequisites
- Before connecting CCE clusters to HSS, grant the CCEOperatePolicy permission to HSS. For details, see Granting Permissions on Associated Cloud Services.
- Before connecting a non-CCE cluster to HSS, prepare the kubeconfig file. The procedure is as follows:
The kubeconfig file specifies the cluster permissions assigned to HSS. The kubeconfig file configured using method 1 contains the cluster administrator permissions, whereas the file generated using method 2 contains only the permissions required by HSS. If you want to minimize HSS permissions, prepare the file using method 2.
- Method 1: configuring the default kubeconfig file
The default kubeconfig file is in the
$HOME/.kube/config directory. Perform the following operations to create a dedicated namespace for HSS:
- Log in to a cluster node.
- Create the hss.yaml file and copy the following content to the file:
{"metadata":{"name":"hss"},"apiVersion":"v1","kind":"Namespace"}
- Run the following command to create a namespace:
kubectl apply -f hss.yaml
- Method 2: generating a kubeconfig file dedicated to HSS
- Create a dedicated namespace and an account for HSS.
- Log in to a cluster node.
- Create the hss-account.yaml file and copy the following content to the file:
{"metadata":{"name":"hss"},"apiVersion":"v1","kind":"Namespace"}{"metadata":{"name":"hss-user","namespace":"hss"},"apiVersion":"v1","kind":"ServiceAccount"}{"metadata":{"name":"hss-user-token","namespace":"hss","annotations":{"kubernetes.io/service-account.name":"hss-user"}},"apiVersion":"v1","kind":"Secret","type":"kubernetes.io/service-account-token"}
- Run the following command to create a namespace and an account:
kubectl apply -f hss-account.yaml
- Generate the kubeconfig file.
- Create the gen_kubeconfig.sh file and copy the following content to the file:
#!/bin/bash
KUBE_APISERVER=`kubectl config view --output=jsonpath='{.clusters[].cluster.server}' | head -n1 `
CLUSTER_NAME=`kubectl config view -o jsonpath='{.clusters[0].name}'`
kubectl get secret hss-user-token -n hss -o yaml |grep ca.crt: | awk '{print $2}' |base64 -d >hss_ca_crt
kubectl config set-cluster ${CLUSTER_NAME} --server=${KUBE_APISERVER} --certificate-authority=hss_ca_crt --embed-certs=true --kubeconfig=hss_kubeconfig.yaml
kubectl config set-credentials hss-user --token=$(kubectl describe secret hss-user-token -n hss | awk '/token:/{print $2}') --kubeconfig=hss_kubeconfig.yaml
kubectl config set-context hss-user@kubernetes --cluster=${CLUSTER_NAME} --user=hss-user --kubeconfig=hss_kubeconfig.yaml
kubectl config use-context hss-user@kubernetes --kubeconfig=hss_kubeconfig.yaml
- Run the following command to generate the kubeconfig file named hss_kubeconfig.yaml:
bash gen_kubeconfig.sh
Constraints and Limitations
- CCE cluster constraints:
- Editions: CCE standard and Turbo editions
- Node resource requirements: at least 50 MiB memory and 200m CPU available
- Constraints on third-party or on-premises clusters:
- Node specifications: at least 2 vCPUs, 4 GiB memory, 40 GiB system disk, and 100 GiB data disk
- Constraints on private networks to access regions: Currently, only CN North-Beijing1, CN North-Beijing4, CN East-Shanghai1, CN East-Shanghai2, CN South-Guangzhou, AP-Hong Kong, AP-Singapore, CN Southwest-Guiyang1, and AP-Jakarta allow third-party cloud clusters or on-premises clusters to access HSS through private networks.
Connecting an Independent Node to HSS
The method of connecting an independent container to HSS is the same as that of connecting a server to HSS. You simply need to install the agent on the container. For more information, see Installing the Agent on Servers.
Connecting a Cluster to HSS
To connect a cluster to HSS, install the agent on cluster nodes. The following sections describe how to connect different types of clusters to HSS.
Connecting a CCE Cluster to HSS
HSS agent can be automatically installed on CCE cluster nodes, installed on new nodes in a scale-out, or uninstalled from the nodes removed in a scale-in.
- Log in to the management console.
- In the upper left corner of the page, select a region, click , and choose Security & Compliance > HSS.
- In the navigation pane, choose .
- On the Cluster tab page, click Access Assets. The Container Asset Access and Installation dialog box is displayed.
- Select CCE Cluster Installation and click Configure Now.
- Select a cluster and click Next.
- Configure agent parameters. For more information, see Table 1.
Table 1 Agent parameters
Parameter |
Description |
Configuration Rules |
Select an agent configuration rule.
- Default Rule: Select this if the sock address of your container runtime is a common address. By default, the agent will be installed on nodes having no taints.
- Custom: Select this rule if the sock address of your container runtime is not a common address or needs to be modified, or if you only want to install the agent on specific nodes.
NOTE:
- If the sock address of your container runtime is incorrect, some HSS functions may be unavailable after the cluster is connected to HSS.
- You are advised to select all runtime types.
|
(Optional) Advanced Configuration |
This parameter can be set if Custom is selected for Configuration Rules.
Click to expand all advanced configuration items.
- Enabling auto upgrade agent
Configure whether to enable automatic agent upgrade. If it is enabled, HSS automatically upgrades the agent to the latest version between 00:00 to 06:00 every day to provide you with better services.
- Node Selector Configuration
Click Reference Node Label to select the label of the nodes where the agent is to be installed. If this parameter is not specified, the agent will be installed on all nodes having no taints by default.
- Tolerance Configuration
If the taint tag is selected in Node Selector Configuration and the agent needs to be installed on the taint node, you can click Reference Node Taint and configure taint toleration.
|
- Click OK to start installing the HSS agent.
- In the cluster list, check the cluster status. If the cluster status is Running, the cluster is successfully connected to HSS.
Connecting a Non-CCE Cluster to HSS (via Internet)
This section is applicable to user-built clusters or third-party cloud clusters that can access the SWR image repository. After configuration, HSS agent can be automatically installed on cluster nodes, installed on new nodes in a scale-out, or uninstalled from the nodes removed in a scale-in.
- Log in to the management console.
- In the upper left corner of the page, select a region, click , and choose Security & Compliance > HSS.
- In the navigation pane, choose .
- On the Cluster tab page, click Access Assets. The Container Asset Access and Installation dialog box is displayed.
- Select Non-CCE cluster (Internet access) and click Configure Now.
- Configure cluster access information and click Generate Command. For more information, see Table 2.
Figure 1 Configuring cluster access information
Table 2 Access parameters
Parameter |
Description |
Cluster Name |
Name of the cluster to be connected. |
Provider |
Service provider of the cluster. Currently, the clusters of the following service providers are supported:
- Alibaba Cloud
- Tencent Cloud
- AWS
- Azure
- User-built
- On-premises IDC
|
KubeConfig |
Add and upload the kubeconfig file configured as required in Prerequisites. |
Context |
After the kubeconfig file is uploaded, HSS automatically parses the context. |
Validity Period |
After the kubeconfig file is uploaded, HSS automatically parses the validity period. You can also specify a time before the final validity period. After the specified validity period expires, you need to connect to the asset again. |
- Perform the following operations to install the cluster connection component (ANP-agent) and establish a connection between HSS and the cluster:
- Click Download a YAML File to download the generated command file.
Figure 2 Downloading the YAML file
- Copy the file to the directory of any node and run the following command to install the cluster connection component (ANP-agent):
kubectl apply -f proxy-agent.yaml
- Run the following command to check whether the cluster connection component (ANP-agent) is successfully installed:
kubectl get pods -n hss | grep proxy-agent
If the command output shown in Figure 3 is displayed, the cluster connection component (ANP-agent) is successfully installed.
Figure 3 ANP-Agent installed
- Run the following command to check whether the cluster is connected to HSS:
for a in $(kubectl get pods -n hss| grep proxy-agent | cut -d ' ' -f1); do kubectl -n hss logs $a | grep 'Start serving';done
If the command output shown in Figure 4 is displayed, the cluster is connected to HSS.
Figure 4 Cluster connected to HSS
- Click Next.
- Configure agent parameters. For more information, see Table 3.
Table 3 Agent parameters
Parameter |
Description |
Configuration Rules |
Select an agent configuration rule.
- Default Rule: Select this if the sock address of your container runtime is a common address. By default, the agent will be installed on nodes having no taints.
- Custom: Select this rule if the sock address of your container runtime is not a common address or needs to be modified, or if you only want to install the agent on specific nodes.
NOTE:
- If the sock address of your container runtime is incorrect, some HSS functions may be unavailable after the cluster is connected to HSS.
- You are advised to select all runtime types.
|
(Optional) Advanced Configuration |
This parameter can be set if Custom is selected for Configuration Rules.
Click to expand all advanced configuration items.
- Enabling auto upgrade agent
Configure whether to enable automatic agent upgrade. If it is enabled, HSS automatically upgrades the agent to the latest version between 00:00 to 06:00 every day to provide you with better services.
- Node Selector Configuration
Click Reference Node Label to select the label of the nodes where the agent is to be installed. If this parameter is not specified, the agent will be installed on all nodes having no taints by default.
- Tolerance Configuration
If the taint tag is selected in Node Selector Configuration and the agent needs to be installed on the taint node, you can click Reference Node Taint and configure taint toleration.
|
- Click OK to start installing the HSS agent.
- In the cluster list, check the cluster status. If the cluster status is Running, the cluster is successfully connected to HSS.
Connecting a Non-CCE Cluster to HSS (via Private Network)
This section is applicable to user-built Kubernetes clusters or third-party cloud clusters that are in a private network and cannot access the SWR image repository. You need to manually connect the network and configure the image repository information. After the configuration, HSS agent can be automatically installed on cluster nodes, installed on new nodes in a scale-out, or uninstalled from the nodes removed in a scale-in.
- Log in to the management console.
- In the upper left corner of the page, select a region, click , and choose Security & Compliance > HSS.
- In the navigation pane, choose .
- On the Cluster tab page, click Access Assets. The Container Asset Access and Installation dialog box is displayed.
- Select Non-CCE cluster (private network access) and click Configure Now.
- Configure image repository information and click Generate Command. For more information, see Table 4.
Table 4 Image repository parameters
Parameter |
Description |
Third-Party Image Repository Address |
Third-party image repository address.
Example: hub.docker.com |
Image Repository Type |
Type of the image repository. Currently, the following types are supported:
|
Organization Name |
Organization name of the image repository. |
Username |
Image repository username. |
Password |
Password of the image repository. |
- Perform the following operations to upload the images of the cluster connection component (ANP-agent) and the HSS agent to your private image repository:
- Click cluster protection component image package, download the package to the local PC, and copy the package to a cluster node.
- Click Copy Image Upload Command, copy the commands, and run the commands on the cluster node.
Figure 5 Copy image upload commands
If the command output shown in Figure 6 is displayed, the upload succeeded.
Figure 6 Image uploaded
- Click Next.
- Configure cluster access information and click Generate Command. For more information, see Table 5.
Figure 7 Configuring cluster access information
Table 5 Access parameters
Parameter |
Description |
Cluster Name |
Name of the cluster to be connected. |
Provider |
Service provider of the cluster. Currently, the clusters of the following service providers are supported:
- Alibaba Cloud
- Tencent Cloud
- AWS
- Azure
- User-built
- On-premises IDC
|
KubeConfig |
Add and upload the kubeconfig file configured as required in Prerequisites. |
Context |
After the kubeconfig file is uploaded, HSS automatically parses the context. |
Validity Period |
After the kubeconfig file is uploaded, HSS automatically parses the validity period. You can also specify a time before the final validity period. After the specified validity period expires, you need to connect to the asset again. |
- Perform the following operations to install the cluster connection component (ANP-agent) and establish a connection between HSS and the cluster:
- Click Copy Command.
Figure 8 Copying a command
- Log in to a node and run the copied command to create a credential for the cluster to pull private images:
- Click Download a YAML File to download the generated command file.
Figure 9 Downloading the YAML file
- Copy the file to the directory of any node and run the following command to install the cluster connection component (ANP-agent):
kubectl apply -f proxy-agent.yaml
- Run the following command to check whether the cluster connection component (ANP-agent) is successfully installed:
kubectl get pods -n hss | grep proxy-agent
If the command output shown in Figure 10 is displayed, the cluster connection component (ANP-agent) is successfully installed.
Figure 10 ANP-Agent installed
- Run the following command to check whether the cluster is connected to HSS:
for a in $(kubectl get pods -n hss| grep proxy-agent | cut -d ' ' -f1); do kubectl -n hss logs $a | grep 'Start serving';done
If the command output shown in Figure 11 is displayed, the cluster is connected to HSS.
Figure 11 Cluster connected to HSS
- Click Next.
- Configure agent parameters. For more information, see Table 6.
Table 6 Agent parameters
Parameter |
Description |
Configuration Rules |
Select an agent configuration rule.
- Default Rule: Select this if the sock address of your container runtime is a common address. By default, the agent will be installed on nodes having no taints.
- Custom: Select this rule if the sock address of your container runtime is not a common address or needs to be modified, or if you only want to install the agent on specific nodes.
NOTE:
- If the sock address of your container runtime is incorrect, some HSS functions may be unavailable after the cluster is connected to HSS.
- You are advised to select all runtime types.
|
(Optional) Advanced Configuration |
This parameter can be set if Custom is selected for Configuration Rules.
Click to expand all advanced configuration items.
- Enabling auto upgrade agent
Configure whether to enable automatic agent upgrade. If it is enabled, HSS automatically upgrades the agent to the latest version between 00:00 to 06:00 every day to provide you with better services.
- Node Selector Configuration
Click Reference Node Label to select the label of the nodes where the agent is to be installed. If this parameter is not specified, the agent will be installed on all nodes having no taints by default.
- Tolerance Configuration
If the taint tag is selected in Node Selector Configuration and the agent needs to be installed on the taint node, you can click Reference Node Taint and configure taint toleration.
|
- Click OK to start installing the HSS agent.
- In the cluster list, check the cluster status. If the cluster status is Running, the cluster is successfully connected to HSS.
Follow-up Procedure
After the cluster nodes or independent containers are connected to HSS, you need to enable protection for them. For details, see Enabling Container Protection.