Help Center/ Host Security Service/ User Guide/ Installation and Configuration/ Installation and Configuration on Containers/ Connecting to Cluster Container Assets
Updated on 2024-08-02 GMT+08:00
View PDF

Connecting to Cluster Container Assets

HSS can protect Huawei Cloud CCE clusters, third-party cloud clusters, on-premises clusters, and independent containers. This section describes how to connect these assets to HSS.

Context

In earlier versions, HSS provides cluster agent management to connect to containers. However, the containers connected in this way cannot use some container-related functions, such as container firewall and container cluster protection.

To solve this problem, in Linux agent 3.2.12 or later and Windows agent 4.0.23 or later, HSS supports installation and configuration management on containers to replace cluster agent management. Using the new function, cluster assets can fully connect to HSS and enjoy all the container-related functions provided.

If you have connected HSS to your cluster assets through cluster agent management, you are advised to uninstall the agent from your clusters, and then connect to them again by following the instructions provided in this section. In this way, you can fully enjoy cluster security functions. For more information, see Uninstalling the Agent from a Cluster.

Notice on ANP-Agent

ANP-Agent is different from HSS Agent. When a non-CCE cluster is connected to HSS, ANP-Agent is used to enable the communication between HSS and the cluster. For details about the HSS agent, see Agent Overview.

Prerequisites

  • Before connecting CCE clusters to HSS, grant the CCEOperatePolicy permission to HSS. For details, see Granting Permissions on Associated Cloud Services.
  • Before connecting a non-CCE cluster to HSS, prepare the kubeconfig file. The procedure is as follows:

    The kubeconfig file specifies the cluster permissions assigned to HSS. The kubeconfig file configured using method 1 contains the cluster administrator permissions, whereas the file generated using method 2 contains only the permissions required by HSS. If you want to minimize HSS permissions, prepare the file using method 2.

    • Method 1: configuring the default kubeconfig file
      The default kubeconfig file is in the $HOME/.kube/config directory. Perform the following operations to create a dedicated namespace for HSS:
      1. Log in to a cluster node.
      2. Create the hss.yaml file and copy the following content to the file:
        {"metadata":{"name":"hss"},"apiVersion":"v1","kind":"Namespace"}
      3. Run the following command to create a namespace:
        kubectl apply -f hss.yaml
    • Method 2: generating a kubeconfig file dedicated to HSS
      1. Create a dedicated namespace and an account for HSS.
        1. Log in to a cluster node.
        2. Create the hss-account.yaml file and copy the following content to the file:
          {"metadata":{"name":"hss"},"apiVersion":"v1","kind":"Namespace"}{"metadata":{"name":"hss-user","namespace":"hss"},"apiVersion":"v1","kind":"ServiceAccount"}{"metadata":{"name":"hss-user-token","namespace":"hss","annotations":{"kubernetes.io/service-account.name":"hss-user"}},"apiVersion":"v1","kind":"Secret","type":"kubernetes.io/service-account-token"}
        3. Run the following command to create a namespace and an account:
          kubectl apply -f hss-account.yaml
      2. Generate the kubeconfig file.
        1. Create the gen_kubeconfig.sh file and copy the following content to the file:
          #!/bin/bash

KUBE_APISERVER=`kubectl config view  --output=jsonpath='{.clusters[].cluster.server}' | head -n1 `
CLUSTER_NAME=`kubectl config view -o jsonpath='{.clusters[0].name}'`
kubectl get secret hss-user-token -n hss -o yaml |grep ca.crt: | awk '{print $2}' |base64 -d >hss_ca_crt

kubectl config set-cluster ${CLUSTER_NAME} --server=${KUBE_APISERVER}  --certificate-authority=hss_ca_crt  --embed-certs=true --kubeconfig=hss_kubeconfig.yaml
kubectl config set-credentials hss-user --token=$(kubectl describe secret hss-user-token -n hss | awk '/token:/{print $2}') --kubeconfig=hss_kubeconfig.yaml
kubectl config set-context hss-user@kubernetes --cluster=${CLUSTER_NAME} --user=hss-user --kubeconfig=hss_kubeconfig.yaml
kubectl config use-context hss-user@kubernetes --kubeconfig=hss_kubeconfig.yaml
        2. Run the following command to generate the kubeconfig file named hss_kubeconfig.yaml:
          bash gen_kubeconfig.sh

Constraints and Limitations

  • CCE cluster constraints:
    • Editions: CCE standard and Turbo editions
    • Node resource requirements: at least 50 MiB memory and 200m CPU available
  • Constraints on third-party or on-premises clusters:
    • Node specifications: at least 2 vCPUs, 4 GiB memory, 40 GiB system disk, and 100 GiB data disk
    • Constraints on private networks to access regions: Currently, only CN North-Beijing1, CN North-Beijing4, CN East-Shanghai1, CN East-Shanghai2, CN South-Guangzhou, AP-Hong Kong, AP-Singapore, CN Southwest-Guiyang1, and AP-Jakarta allow third-party cloud clusters or on-premises clusters to access HSS through private networks.

Connecting an Independent Node to HSS

The method of connecting an independent container to HSS is the same as that of connecting a server to HSS. You simply need to install the agent on the container. For more information, see Installing the Agent on Servers.

Connecting a Cluster to HSS

To connect a cluster to HSS, install the agent on cluster nodes. The following sections describe how to connect different types of clusters to HSS.

Connecting a CCE Cluster to HSS

HSS agent can be automatically installed on CCE cluster nodes, installed on new nodes in a scale-out, or uninstalled from the nodes removed in a scale-in.

  1. Log in to the management console.
  2. In the upper left corner of the page, select a region, click , and choose Security & Compliance > HSS.
  3. In the navigation pane, choose Installation & Configuration > Container Install & Config.
  4. On the Cluster tab page, click Access Assets. The Container Asset Access and Installation dialog box is displayed.
  5. Select CCE Cluster Installation and click Configure Now.
  6. Select a cluster and click Next.
  7. Configure agent parameters. For more information, see Table 1.

    Table 1 Agent parameters

    Parameter

    Description

    Configuration Rules

    Select an agent configuration rule.

    • Default Rule: Select this if the sock address of your container runtime is a common address. By default, the agent will be installed on nodes having no taints.
    • Custom: Select this rule if the sock address of your container runtime is not a common address or needs to be modified, or if you only want to install the agent on specific nodes.
    NOTE:
    • If the sock address of your container runtime is incorrect, some HSS functions may be unavailable after the cluster is connected to HSS.
    • You are advised to select all runtime types.

    (Optional) Advanced Configuration

    This parameter can be set if Custom is selected for Configuration Rules.

    Click to expand advanced configurations. The Enabling auto upgrade agent option is selected by default.

    • Enabling auto upgrade agent

      Configure whether to enable automatic agent upgrade. If it is enabled, HSS automatically upgrades the agent to the latest version between 00:00 to 06:00 every day to provide you with better services.

    • Node Selector Configuration

      Click Reference Node Label to select the label of the nodes where the agent is to be installed. If this parameter is not specified, the agent will be installed on all nodes having no taints by default.

    • Tolerance Configuration

      If the taint tag is selected in Node Selector Configuration and the agent needs to be installed on the taint node, you can click Reference Node Taint and configure taint toleration.

  8. Click OK to start installing the HSS agent.
  9. Click the cluster name to go to the cluster node details page. Check the agent installation status of each node.

    If the agent is successfully installed on a node, it indicates the node has been connected to HSS.

Connecting a Non-CCE Cluster to HSS (via Internet)

This section is applicable to user-built clusters or third-party cloud clusters that can access the SWR image repository. After configuration, HSS agent can be automatically installed on cluster nodes, installed on new nodes in a scale-out, or uninstalled from the nodes removed in a scale-in.

  1. Log in to the management console.
  2. In the upper left corner of the page, select a region, click , and choose Security & Compliance > HSS.
  3. In the navigation pane, choose Installation & Configuration > Container Install & Config.
  4. On the Cluster tab page, click Access Assets. The Container Asset Access and Installation dialog box is displayed.
  5. Select Non-CCE cluster (Internet access) and click Configure Now.
  6. Configure cluster access information and click Generate Command. For more information, see Table 2.

    Figure 1 Configuring cluster access information
    Table 2 Access parameters

    Parameter

    Description

    Cluster Name

    Name of the cluster to be connected.

    Provider

    Service provider of the cluster. Currently, the clusters of the following service providers are supported:

    • Alibaba Cloud
    • Tencent Cloud
    • AWS
    • Azure
    • User-built
    • On-premises IDC

    KubeConfig

    Add and upload the kubeconfig file configured as required in Prerequisites.

    Context

    After the kubeconfig file is uploaded, HSS automatically parses the context.

    Validity Period

    After the kubeconfig file is uploaded, HSS automatically parses the validity period. You can also specify a time before the final validity period. After the specified validity period expires, you need to connect to the asset again.

  7. Perform the following operations to install the cluster connection component (ANP-agent) and establish a connection between HSS and the cluster:

    1. Click Download a YAML File to download the generated command file.
    2. Copy the file to the directory of any node and run the following command to install the cluster connection component (ANP-agent):
      kubectl apply -f proxy-agent.yaml
    3. Run the following command to check whether the cluster connection component (ANP-agent) is successfully installed:
      kubectl get pods -n hss | grep proxy-agent

      If the command output shown in Figure 2 is displayed, the cluster connection component (ANP-agent) is successfully installed.

      Figure 2 ANP-Agent installed
    4. Run the following command to check whether the cluster is connected to HSS:
      for a in $(kubectl get pods -n hss| grep proxy-agent | cut -d ' ' -f1); do kubectl -n

      If the command output shown in Figure 3 is displayed, the cluster is connected to HSS.

      Figure 3 Cluster connected to HSS

  8. Click Next.
  9. Configure agent parameters. For more information, see Table 3.

    Table 3 Agent parameters

    Parameter

    Description

    Configuration Rules

    Select an agent configuration rule.

    • Default Rule: Select this if the sock address of your container runtime is a common address. By default, the agent will be installed on nodes having no taints.
    • Custom: Select this rule if the sock address of your container runtime is not a common address or needs to be modified, or if you only want to install the agent on specific nodes.
    NOTE:
    • If the sock address of your container runtime is incorrect, some HSS functions may be unavailable after the cluster is connected to HSS.
    • You are advised to select all runtime types.

    (Optional) Advanced Configuration

    This parameter can be set if Custom is selected for Configuration Rules.

    Click to expand advanced configurations. The Enabling auto upgrade agent option is selected by default.

    • Enabling auto upgrade agent

      Configure whether to enable automatic agent upgrade. If it is enabled, HSS automatically upgrades the agent to the latest version between 00:00 to 06:00 every day to provide you with better services.

    • Node Selector Configuration

      Click Reference Node Label to select the label of the nodes where the agent is to be installed. If this parameter is not specified, the agent will be installed on all nodes having no taints by default.

    • Tolerance Configuration

      If the taint tag is selected in Node Selector Configuration and the agent needs to be installed on the taint node, you can click Reference Node Taint and configure taint toleration.

  10. Click OK to start installing the HSS agent.
  11. Click the cluster name to go to the cluster node details page. Check the agent installation status of each node.

    If the agent is successfully installed on a node, it indicates the node has been connected to HSS.

Connecting a Non-CCE Cluster to HSS (via Private Network)

This section is applicable to user-built Kubernetes clusters or third-party cloud clusters that are in a private network and cannot access the SWR image repository. You need to manually connect the network and configure the image repository information. After the configuration, HSS agent can be automatically installed on cluster nodes, installed on new nodes in a scale-out, or uninstalled from the nodes removed in a scale-in.

  1. Log in to the management console.
  2. In the upper left corner of the page, select a region, click , and choose Security & Compliance > HSS.
  3. In the navigation pane, choose Installation & Configuration > Container Install & Config.
  4. On the Cluster tab page, click Access Assets. The Container Asset Access and Installation dialog box is displayed.
  5. Select Non-CCE cluster (private network access) and click Configure Now.
  6. Configure image repository information and click Generate Command. For more information, see Table 4.

    Table 4 Image repository parameters

    Parameter

    Description

    Third-Party Image Repository Address

    Third-party image repository address.

    Example: hub.docker.com

    Image Repository Type

    Type of the image repository. Currently, the following types are supported:

    • Harbor
    • Quay
    • Jfrog
    • Other

    Organization Name

    Organization name of the image repository.

    Username

    Image repository username.

    Password

    Password of the image repository.

  7. Perform the following operations to upload the images of the cluster connection component (ANP-agent) and the HSS agent to your private image repository:

    1. Click cluster protection component image package, download the package to the local PC, and copy the package to a cluster node.
    2. Click Copy Image Upload Command, copy the commands, and run the commands on the cluster node.
      Figure 4 Copy image upload commands

      If the command output shown in Figure 5 is displayed, the upload succeeded.

      Figure 5 Image uploaded

  8. Click Next.
  9. Configure cluster access information and click Generate Command. For more information, see Table 5.

    Figure 6 Configuring cluster access information
    Table 5 Access parameters

    Parameter

    Description

    Cluster Name

    Name of the cluster to be connected.

    Provider

    Service provider of the cluster. Currently, the clusters of the following service providers are supported:

    • Alibaba Cloud
    • Tencent Cloud
    • AWS
    • Azure
    • User-built
    • On-premises IDC

    KubeConfig

    Add and upload the kubeconfig file configured as required in Prerequisites.

    Context

    After the kubeconfig file is uploaded, HSS automatically parses the context.

    Validity Period

    After the kubeconfig file is uploaded, HSS automatically parses the validity period. You can also specify a time before the final validity period. After the specified validity period expires, you need to connect to the asset again.

  10. Perform the following operations to install the cluster connection component (ANP-agent) and establish a connection between HSS and the cluster:

    1. Log in to a node and run the following command to create a credential for the cluster to pull private images:
      kubectl --namespace hss create secret docker-registry hss-regcred --docker-server=192.168.0.1:1111 --docker-username=admin --docker-password=123456
    2. Click Download a YAML File to download the generated command file.
    3. Copy the file to the directory of any node and run the following command to install the cluster connection component (ANP-agent):
      kubectl apply -f proxy-agent.yaml
    4. Run the following command to check whether the cluster connection component (ANP-agent) is successfully installed:
      kubectl get pods -n hss | grep proxy-agent

      If the command output shown in Figure 7 is displayed, the cluster connection component (ANP-agent) is successfully installed.

      Figure 7 ANP-Agent installed
    5. Run the following command to check whether the cluster is connected to HSS:
      for a in $(kubectl get pods -n hss| grep proxy-agent | cut -d ' ' -f1); do kubectl -n

      If the command output shown in Figure 8 is displayed, the cluster is connected to HSS.

      Figure 8 Cluster connected to HSS

  11. Click Next.
  12. Configure agent parameters. For more information, see Table 6.

    Table 6 Agent parameters

    Parameter

    Description

    Configuration Rules

    Select an agent configuration rule.

    • Default Rule: Select this if the sock address of your container runtime is a common address. By default, the agent will be installed on nodes having no taints.
    • Custom: Select this rule if the sock address of your container runtime is not a common address or needs to be modified, or if you only want to install the agent on specific nodes.
    NOTE:
    • If the sock address of your container runtime is incorrect, some HSS functions may be unavailable after the cluster is connected to HSS.
    • You are advised to select all runtime types.

    (Optional) Advanced Configuration

    This parameter can be set if Custom is selected for Configuration Rules.

    Click to expand advanced configurations. The Enabling auto upgrade agent option is selected by default.

    • Enabling auto upgrade agent

      Configure whether to enable automatic agent upgrade. If it is enabled, HSS automatically upgrades the agent to the latest version between 00:00 to 06:00 every day to provide you with better services.

    • Node Selector Configuration

      Click Reference Node Label to select the label of the nodes where the agent is to be installed. If this parameter is not specified, the agent will be installed on all nodes having no taints by default.

    • Tolerance Configuration

      If the taint tag is selected in Node Selector Configuration and the agent needs to be installed on the taint node, you can click Reference Node Taint and configure taint toleration.

  1. Click OK to start installing the HSS agent.
  2. Click the cluster name to go to the cluster node details page. Check the agent installation status of each node.

    If the agent is successfully installed on a node, it indicates the node has been connected to HSS.

Follow-up Procedure

After the cluster nodes or independent containers are connected to HSS, you need to enable protection for them. For details, see Enabling Container Protection.

Parent Topic: Installation and Configuration on Containers