Installing the Agent in a Third-Party Public Network Cluster_Host Security Service

Scenario

Install the agent on a third-party cluster that can access the public network. After the configuration is complete, HSS automatically installs the agent on existing cluster nodes, installs the agent on new nodes when the cluster is scaled out, and uninstalls the agent from removed nodes when the cluster is scaled in.

Constraints and Limitations

Supported cluster orchestration platforms: Kubernetes 1.19 or later
Supported node OS: Linux
Node specifications: at least 2 vCPUs, 4 GiB memory, 40 GiB system disk, and 100 GiB data disk
The agent is incompatible with clusters using Galera 3.34 and MySQL 5.6.51.

Step 1: Create a VPC

Log in to the console and go to the page for Creating a VPC.

On the Create VPC page, set parameters for the VPC and subnets as prompted.

You are advised to set some parameters by referring to Table 1 and retain the default values for other parameters. For details about how to create a VPC, see Creating a VPC.

**Table 1** Parameters for creating a VPC
Parameter	Description	Example Value
Region	Select a region near you to ensure the lowest latency possible.	CN-Hong Kong
Name	VPC name. The name: Must contain 1 to 64 characters. Can contain letters, numbers, underscores (_), hyphens (-), and periods (.).	HSS-outside-anp-VPC
Enterprise Project	Enterprise project to which the VPC belongs. An enterprise project facilitates project-level management and grouping of cloud resources and users. The name of the default project is default. For details about creating and managing enterprise projects, see the Enterprise Management User Guide.	default
Subnet Name	Subnet name. The name: Must contain 1 to 64 characters. Can contain letters, numbers, underscores (_), hyphens (-), and periods (.).	HSS-outside-subnet

Click Create Now. You can view the VPC after it is created.

Step 2: Create a Security Group

In the navigation pane on the left, choose Access Control > Security Groups.
Click Create Security Group in the upper right corner.

Configure security group parameters as prompted.

You are advised to configure some parameters by referring to Table 2 and configure other parameters based on site requirements. For details about how to create a security group, see Creating a Security Group.

**Table 2** Parameters for creating a security group
Parameter	Description	Example Value
Region	Select a region near you to ensure the lowest latency possible.	CN-Hong Kong
Name	Specify the name of the security group. The name: Must contain 1 to 64 characters. Can contain letters, numbers, underscores (_), hyphens (-), and periods (.).	HSS-outside-anp-secGroups
Enterprise Project	When creating a security group, you can add the security group to an enterprise project that has been enabled. An enterprise project facilitates project-level management and grouping of cloud resources and users. The default project is default. For details about creating and managing enterprise projects, see the Enterprise Management User Guide.	default
Preset Rule	Inbound and outbound rules are preset in security group rules. You can select a rule as needed to quickly create a security group.	All ports open

Click Create Now. You can view the security group after it is created.

Step 3: Create an ECS

Click in the upper left corner and Compute > Elastic Cloud Server.
In the upper right corner, click Buy ECS.

Configure ECS parameters as prompted.

You are advised to configure some parameters by referring to Table 3 and configure other parameters based on site requirements.

**Table 3** Parameters for purchasing an ECS
Parameter	Description	Example Value
Billing Mode	ECS billing mode. Yearly/Monthly: Prepaid mode. Yearly/monthly ECSs are billed by the purchased duration specified in the order. Pay-per-use: Postpaid billing mode. You pay as you go and just pay for what you use. Pay-per-use ECSs are billed by the second and settled by the hour. Spot price: Spot pricing is a postpaid billing mode. You pay as you go and just pay for what you use. In Spot pricing billing mode, your purchased ECS is billed at a lower price than that of a pay-per-use ECS with the same specifications. In Spot pricing billing mode, you can select Spot or Spot block for the Spot Type. Spot ECSs and Spot block ECSs are billed by the second and settled by the hour.	Pay-per-use
Region	Select a region near you to ensure the lowest latency possible.	CN-Hong Kong
CPU Architecture	Select a CPU architecture. The value can be x86.	x86
Instance	Select vCPUs and memory, or enter a keyword to search for ECS specifications. You can search for ECS flavors when you select By Type. Select ECS specifications by instance family and generation from the list.	General computing, 2 vCPUs, 4 GiB
Image	An image is an ECS template that contains an OS. It may also contain proprietary software and application software. You can use images to create ECSs.	Public image, EulerOS 2 5 64bit (40 GiB)
System Disk	Stores the OS of an ECS, and is automatically created and initialized upon ECS creation.	Ultra-high I/O
Network	VPC allows you to create logically isolated, configurable, and manageable virtual networks for VPCs. You can configure security groups, Virtual Private Network (VPNs), CIDR blocks, and bandwidths in your VPC. ECSs in different VPCs cannot communicate with each other by default.	HSS-outside-anp-VPC (VPC created in Step 1: Create a VPC)
Security Group	Select an available security group from the drop-down list. You can select multiple security groups for an ECS (no more than five security groups are recommended). The access rules of all the selected security groups apply to the ECS.	HSS-outside-anp-secGroups (Security group created in Step 2: Create a Security Group)
EIP	An EIP is a static public IP address bound to a cloud server in a VPC. Using the EIP, the cloud server provides services externally.	Buy now, static BGP
ECS Name	This parameter will be set to the initial server name (hostname) in the ECS OS. The name can contain only letters, digits, underscores (_), hyphens (-), and periods (.).	HSS-outside-anp-ECS
Enterprise Project	When purchasing an ECS, you can add it to an enabled enterprise project. An enterprise project facilitates project-level management and grouping of cloud resources and users. The name of the default project is default. For details about creating and managing enterprise projects, see the Enterprise Management User Guide.	default
Login Mode	Method for logging in to an ECS.	Password

Click Create. In the displayed dialog box, click Agree and Create. After the payment is complete, the ECS will be automatically created and started by default.

Step 4: Set Up Nginx

Log in to the server created in Step 3: Create an ECS.
Go to the temp directory.

cd /temp
Run the following command to create the install_nginx.sh file:

vi install_nginx.sh

Press i to enter the editing mode and copy the following content to the install_nginx.sh file:

#!/bin/bash

yum -y install pcre-devel zlib-devel popt-devel openssl-devel openssl
wget http://www.nginx.org/download/nginx-1.21.0.tar.gz
tar zxf nginx-1.21.0.tar.gz -C /usr/src/
cd /usr/src/nginx-1.21.0/
useradd -M -s /sbin/nologin nginx
./configure \
--prefix=/usr/local/nginx \
--user=nginx \
--group=nginx \
--with-file-aio \
--with-http_stub_status_module \
--with-http_gzip_static_module \
--with-http_flv_module \
--with-http_ssl_module \
--with-stream \
--with-pcre && make && make install
ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/
nginx

Enter ECS, run the following command, and press Enter to exit.

:wq!
Run the following command to install Nginx:

bash /tmp/install_nginx.sh

Run the following command to modify the Nginx configuration file:

cat <<END >> /usr/local/nginx/conf/nginx.conf
stream {
  upstream backend_hss_anp {
    server {{ANP_proxy_address}}:8091 weight=5 max_fails=3 fail_timeout=30s;
  }
  server {
    listen 8091 so_keepalive=on;
    proxy_connect_timeout 10s;
    proxy_timeout 300s;
    proxy_pass backend_hss_anp ;
  }
}
END

Replace {{ANP_proxy_address}} with the actual address and then run the command. For details, see Table 4.

**Table 4** ANP proxy address
Region	ANP proxy address
Guiyang1, Bangkok, Shanghai2, Guangzhou, Beijing4, Beijing2, and Shanghai1	hss-proxy.RegionCode.myhuaweicloud.com
Other	hss-anp.RegionCode.myhuaweicloud.com
For details about region codes, see Regions and Endpoints.

Run the following command to make the Nginx configuration take effect:

nginx -s reload
Run the following command to check whether port 8091 is listened on properly:

netstat -anp | grep 8091

If information similar to Figure 1 is displayed, the listening is normal.

Figure 1 Listening on port 8091 is normal.

Step 5: Buy and Configure a ELB

Log in to the console and go to the page for Buying ELB page.

Set ELB parameters as prompted.

You are advised to configure some parameters by referring to Table 5 and configure other parameters based on site requirements. For details about how to buy a load balancer, see Creating a Dedicated Load Balancer.

**Table 5** Parameters for buying an ELB
Parameter	Description	Example Value
Type	Specifies the type of the shared load balancer. The type cannot be changed after the load balancer is created. Dedicated load balancers work well for heavy-traffic and high-concurrency workloads, such as large websites, cloud native applications, IoV, and multi-AZ disaster recovery applications.	Dedicated
Billing Mode	Billing mode of a dedicated load balancer. Yearly/Monthly: prepaid billing mode. You pay in advance for a subscription term, and in exchange, you get a discounted rate. Pay-per-use: postpaid billing mode. You pay as you go and just pay for what you use. The load balancer usage is calculated by the second but billed every hour.	Pay-per-use
Region	Select a region near you to ensure the lowest latency possible.	CN-Hong Kong
Name	Specifies the load balancer name. The name can contain: 1 to 64 characters. Letters, digits, underscores (_), hyphens (-), and periods (.).	HSS-outside-anp-ELB
Enterprise Project	When creating a load balancer, you can add it to an enabled enterprise project. An enterprise project facilitates project-level management and grouping of cloud resources and users. The name of the default project is default. For details about creating and managing enterprise projects, see the Enterprise Management User Guide.	default
Specification	Select Elastic or Fixed if pay-per-use is chosen as the billing mode. Specifications: Elastic specifications work well for fluctuating traffic, and you will be charged for how many LCUs you use. Fixed specifications are suitable for stable traffic, and you will be charged for the specifications you select.	Fixed Network load balancing Small
Network Configuration	Network Type: You can select one or more network types. Private IPv4 network: The load balancer routes IPv4 requests from the clients to backend servers in a VPC. If you want the load balancer to route requests from the Internet, bind an EIP to the load balancer. IPv6 network: An IPv6 address will be assigned to the load balancer to route requests from IPv6 clients. VPC: VPC where the dedicated load balancer works. You cannot change the VPC after the load balancer is created. Plan the VPC as required. Select an existing VPC, or click View VPCs to create a desired one. Frontend Subnet: Subnet where the dedicated load balancer is located. The system allocates an IP address from this subnet to the load balancer for external services. After a load balancer is created, you can unbind the IP address from it and assign an IP address from a new frontend subnet to the load balancer. Backend Subnet: The load balancer uses IP addresses in the backend subnet to establish connections with backend servers.	Private IPv4 network HSS-outside-anp-VPC (VPC created in Step 1: Create a VPC) HSS-outside-subnet (VPC subnet created in Step 1: Create a VPC) Subnet of the load balancer
Elastic IPs	Specifies the public IP address that will be bound to the load balancer for receiving and forwarding requests over the Internet.	Buy Now Dynamic BGP Bandwidth

After setting the parameters, click Next.
On the ELB page, view the created ELB and record the public IPv4 address.
In the row of a load balancer, click Add now in the Listener (Frontend Protocol/Port) column.

Set the listener parameters as prompted.

You are advised to configure some parameters by referring to Table 6 and configure other parameters based on site requirements. For details, see Adding a TCP Listener.

**Table 6** Parameters for adding a listener
Parameter		Description	Example Value
Configure Listener	Name	Listener name.	HSS-outside-anp-Listener
	Protocol	Protocol used by the client and listener to distribute traffic.	TCP
	Frontend Port	Port used by the client and listener to distribute traffic.	8091
	Access Control	Supports access control based on the whitelist and blacklist.	All IP addresses
Configure Routing Policy	Backend Server Group	A group of backend servers with the same features. New Use existing	New
	Name	Specifies the name of the backend server group.	HSS-outside-anp-server-group
	Backend Protocol	Specifies the protocol that backend servers in the backend server group use to receive requests from the listeners. The protocol varies depending on the forwarding mode:	TCP
	Load Balancing Algorithm	Algorithm used by the load balancer. Weighted round robin: Requests are routed to different servers based on their weights. Backend servers with higher weights receive proportionately more requests, whereas equal-weighted servers receive the same number of requests. Weighted least connections: In addition to the number of connections, each server is assigned a weight based on its capacity. Requests are routed to the server with the lowest connections-to-weight ratio. Source IP hash: Allows requests from different clients to be routed based on source IP addresses and ensures that requests from the same client are forwarded to the same server.	Weighted Round Robin
Add Backend Server	Backend Servers	When you use ELB to route requests, ensure that at least one backend server is running properly and can receive requests routed by the load balancer. Click Add Backend Servers.	HSS-outside-anp-ECS Set the service port to 8091. (Server created in Step 3: Create an ECS)

On the page for confirming the configuration, check parameter settings.
Click Submit complete the configuration.

Step 6: Modify a Security Group

Click in the upper left corner of the management console and choose Network > Virtual Private Cloud.
In the navigation tree on the left, choose Security Groups.
Locate the security group created in Step 2: Create a Security Group and click Manage Rules.
Delete the IPv6 full passing rule, as shown in Figure 2.

Figure 2 Deleting the IPv6 full passing rule
Modify the IPv4 full bypass rule, as shown in Figure 3.
1. Change the value of Protocol & Port from Protocols > All to Protocols / TCP (Custom ports) and set the port number to 8091.
2. Click OK.
Figure 3 Modifying the IPv4 full passing rule

Step 7: Prepare the kubeconfig File

The kubeconfig file specifies the cluster permissions assigned to HSS. The kubeconfig file configured using method 1 contains the cluster administrator permissions, whereas the file generated using method 2 contains only the permissions required by HSS. If you want to minimize HSS permissions, prepare the file using method 2.

Method 1: configuring the default kubeconfig file
The default kubeconfig file is in the $HOME/.kube/config directory. Perform the following operations to create a dedicated namespace for HSS:]
1. Log in to a cluster node.
2. Create the hss.yaml file and copy the following content to the file:
```
{"metadata":{"name":"hss"},"apiVersion":"v1","kind":"Namespace"}
```
3. Run the following command to create a namespace:
```
kubectl apply -f hss.yaml
```

Method 2: generating a kubeconfig file dedicated to HSS

Create a dedicated namespace and an account for HSS.

Log in to a cluster node.

Create the hss-account.yaml file and copy the following content to the file:

{"metadata":{"name":"hss"},"apiVersion":"v1","kind":"Namespace"}{"metadata":{"name":"hss-user","namespace":"hss"},"apiVersion":"v1","kind":"ServiceAccount"}{"metadata":{"name":"hss-user-token","namespace":"hss","annotations":{"kubernetes.io/service-account.name":"hss-user"}},"apiVersion":"v1","kind":"Secret","type":"kubernetes.io/service-account-token"}

Run the following command to create a namespace and an account:
```
kubectl apply -f hss-account.yaml
```

Generate the kubeconfig file.

Create the gen_kubeconfig.sh file and copy the following content to the file:

#!/bin/bash

KUBE_APISERVER=`kubectl config view  --output=jsonpath='{.clusters[].cluster.server}' | head -n1 `
CLUSTER_NAME=`kubectl config view -o jsonpath='{.clusters[0].name}'`
kubectl get secret hss-user-token -n hss -o yaml |grep ca.crt: | awk '{print $2}' |base64 -d >hss_ca_crt

kubectl config set-cluster ${CLUSTER_NAME} --server=${KUBE_APISERVER}  --certificate-authority=hss_ca_crt  --embed-certs=true --kubeconfig=hss_kubeconfig.yaml
kubectl config set-credentials hss-user --token=$(kubectl describe secret hss-user-token -n hss | awk '/token:/{print $2}') --kubeconfig=hss_kubeconfig.yaml
kubectl config set-context hss-user@kubernetes --cluster=${CLUSTER_NAME} --user=hss-user --kubeconfig=hss_kubeconfig.yaml
kubectl config use-context hss-user@kubernetes --kubeconfig=hss_kubeconfig.yaml

Run the following command to generate the kubeconfig file named hss_kubeconfig.yaml:
```
bash gen_kubeconfig.sh
```

Step 8: Install the Agent for a Third-Party Public Network Cluster

The image repositories used by a cluster are classified into public and private image repositories.

Public network image repository: An image repository that can be accessed as long as it can connect to the Internet. It is usually provided by a third party and paid by enterprises.
Private image repository: an image repository deployed and maintained by an enterprise. Only authorized users can access the image repository.

Install the agent for the cluster based on the image repository type.

Public Network Image Repository

Log in to the management console.
In the upper left corner of the page, select a region, click , and choose Security & Compliance > HSS.
In the navigation pane, choose Installation & Configuration > Container Install & Config.
On the Cluster tab page, click Install Container Agent. The Container Asset Access and Installation slide-out panel is displayed.
Select Non-CCE cluster (Internet access) and click Configure Now.

Configure cluster access information and click Generate Command. For more information, see Table 7.

Figure 4 Configuring cluster access information

**Table 7** Access parameters
Parameter	Description
Cluster Name	Name of the cluster to be connected.
Provider	Service provider of the cluster. Currently, the clusters of the following service providers are supported: Alibaba Cloud Tencent Cloud AWS Azure User-built On-premises IDC
KubeConfig	Add and upload the kubeconfig file configured as required in Step 7: Prepare the kubeconfig File.
Context	After the kubeconfig file is uploaded, HSS automatically parses the context.
Validity Period	After the kubeconfig file is uploaded, HSS automatically parses the validity period. You can also specify a time before the final validity period. After the specified validity period expires, you need to connect to the asset again.

Perform the following operations to install the cluster connection component (ANP-agent) and establish a connection between HSS and the cluster:
1. In the Container Asset Access and Installation dialog box, click Download a YAML File.
  Figure 5 Downloading the YAML file
2. Copy the file to the directory of any node and run the following command to replace the proxy address:
```
sed -i 's#proxy-server-host=.*","--proxy-server-port#proxy-server-host={{Forwarding address}}","--proxy-server-port#' proxy-agent.yaml
```
  Change {{Forwarding address}} to the public IPv4 address recorded in 4 and then run the command again.
3. Run the following command to install the cluster connection component (ANP-Agent):
```
kubectl apply -f proxy-agent.yaml
```
4. Run the following command to check whether the cluster connection component (ANP-agent) is successfully installed:
```
kubectl get pods -n hss | grep proxy-agent
```
  If the command output shown in Figure 6 is displayed, the cluster connection component (ANP-agent) is successfully installed.
  
  Figure 6 ANP-Agent installed
5. Run the following command to check whether the cluster is connected to HSS:
```
for a in $(kubectl get pods -n hss| grep proxy-agent | cut -d ' ' -f1); do kubectl -n hss logs $a | grep 'Start serving';done
```
  If the command output shown in Figure 7 is displayed, the cluster is connected to HSS.
  
  Figure 7 Cluster connected to HSS
Click Next.

Configure agent parameters. For more information, see Table 8.

**Table 8** Agent parameters
Parameter	Description
Configuration Rules	Select an agent configuration rule. Default Rule: Select this if the sock address of your container runtime is a common address. By default, the agent will be installed on nodes having no taints. Custom: Select this rule if the sock address of your container runtime is not a common address or needs to be modified, or if you only want to install the agent on specific nodes. NOTE: If the sock address of your container runtime is incorrect, some HSS functions may be unavailable after the cluster is connected to HSS. You are advised to select all runtime types.
(Optional) Advanced Configuration	This parameter can be set if Custom is selected for Configuration Rules. Click to expand all advanced configuration items. Enabling auto upgrade agent Configure whether to enable automatic agent upgrade. If it is enabled, HSS automatically upgrades the agent to the latest version between 00:00 to 06:00 every day to provide you with better services. Node Selector Configuration Click Reference Node Label to select the label of the nodes where the agent is to be installed. If this parameter is not specified, the agent will be installed on all nodes having no taints by default. Tolerance Configuration If the taint tag is selected in Node Selector Configuration and the agent needs to be installed on the taint node, you can click Reference Node Taint and configure taint toleration.

Click OK to start installing the HSS agent.
In the cluster list, check the cluster status. If the cluster status is Running, the cluster is successfully connected to HSS.

Private Image Repository

Log in to the management console.
In the upper left corner of the page, select a region, click , and choose Security & Compliance > HSS.
In the navigation pane, choose Installation & Configuration > Container Install & Config.
On the Cluster tab page, click Access Assets. The Container Asset Access and Installation dialog box is displayed.
Select Non-CCE cluster (private network access) and click Configure Now.

Configure image repository information and click Generate Command. For more information, see Table 9.

**Table 9** Image repository parameters
Parameter	Description
Third-Party Image Repository Address	Third-party image repository address. Example: hub.docker.com
Image Repository Type	Type of the image repository. Currently, the following types are supported: Harbor Quay Jfrog Other
Organization Name	Organization name of the image repository.
Username	Image repository username.
Password	Password of the image repository.

Perform the following operations to upload the images of the cluster connection component (ANP-agent) and the HSS agent to your private image repository:
1. In the Access and Install Container Assets dialog box, click cluster protection component image package.rar to download the package to the local PC and copy the package to any cluster node.
2. In the Container Asset Access and Installation dialog box, click Copy Image Upload Command to copy the command and run it on the cluster node.
  Figure 8 Copying image upload commands
  
  If the command output shown in Figure 9 is displayed, the upload succeeded.
  
  Figure 9 Image uploaded
In the Container Asset Access and Installation dialog box, click Next.

Configure cluster access information and click Generate Command. For more information, see Table 10.

Figure 10 Configuring cluster access information

**Table 10** Access parameters
Parameter	Description
Cluster Name	Name of the cluster to be connected.
Provider	Service provider of the cluster. Currently, the clusters of the following service providers are supported: Alibaba Cloud Tencent Cloud AWS Azure User-built On-premises IDC
KubeConfig	Add and upload the kubeconfig file configured as required in Step 7: Prepare the kubeconfig File.
Context	After the kubeconfig file is uploaded, HSS automatically parses the context.
Validity Period	After the kubeconfig file is uploaded, HSS automatically parses the validity period. You can also specify a time before the final validity period. After the specified validity period expires, you need to connect to the asset again.

Perform the following operations to install the cluster connection component (ANP-agent) and establish a connection between HSS and the cluster:
1. In the Container Asset Access and Installation dialog box, click Copy Command.
  Figure 11 Copying a command
2. Log in to a node and run the copied command to create a credential for the cluster to pull private images:
3. In the Container Asset Access and Installation dialog box, click Download a YAML File.
  Figure 12 Downloading the YAML file
4. Copy the file to the directory of any node and run the following command to replace the proxy address:
```
sed -i 's#proxy-server-host=.*","--proxy-server-port#proxy-server-host={{Forwarding address}}","--proxy-server-port#' proxy-agent.yaml
```
  Change {{Forwarding address}} to the public IPv4 address recorded in 4 and then run the command again.
5. Run the following command to install the cluster connection component (ANP-Agent):
```
kubectl apply -f proxy-agent.yaml
```
6. Run the following command to check whether the cluster connection component (ANP-agent) is successfully installed:
```
kubectl get pods -n hss | grep proxy-agent
```
  If the command output shown in Figure 13 is displayed, the cluster connection component (ANP-agent) is successfully installed.
  
  Figure 13 ANP-Agent installed
7. Run the following command to check whether the cluster is connected to HSS:
```
for a in $(kubectl get pods -n hss| grep proxy-agent | cut -d ' ' -f1); do kubectl -n hss logs $a | grep 'Start serving';done
```
  If the command output shown in Figure 14 is displayed, the cluster is connected to HSS.
  
  Figure 14 Cluster connected to HSS
Click Next.

Installing the Agent in a Third-Party Public Network Cluster