Skip to main content
Version: File Inspection Engine 1.0.0

Air-Gapped Kubernetes Deployment

If the network topology of a Kubernetes cluster prevents access to the ReversingLabs registry and APIs, several objects must be manually transferred and uploaded to the cluster. It is crucial to have Kubernetes API access available since kubectl will be used throughout this process.

Steps:

  • Download the threat data manually: Use a FIE instance with internet access to download threat data.
  • Deploy FIE in production: Deploy the production FIE application with cloud updates disabled
  • Transfer threat data: Copy the downloaded threat data to the air-gapped FIE instance.

To complete this process, you will need:

Manually download the threat data

The detailed process for downloading threat data is available here.

Deploy the FIE application

After the threat data downloads, deploy FIE using the Helm chart.

Making the container image available to Kubernetes

To make the FIE container image available to the Kubernetes cluster, you need to pull it from the ReversingLabs registry and push it to your own registry.

Follow these steps:

  1. Load the image
$ podman image load -i file-inspection-engine-v1.0.0.tar.gz
  1. Tag the image
$ podman image tag localhost/file-inspection-engine:1.0.0 your-repo.local/fie-gapped/file-inspection-engine:1.0.0
  1. Push the image to your registry
$ podman image push your-repo.local/fie-gapped/file-inspection-engine:1.0.0
note

Podman is used in this example, but the syntax should be similar if using Docker.

Installing FIE Using HELM

Prepare a custom values file to configure the deployment using the FIE Helm Chart. Consult with your Kubernetes administrator to decide how to expose the FIE service (e.g., LoadBalancer, Ingress).

In this example, we use a LoadBalancer service to expose FIE, and we override the default image repository and tag with the settings from the previous step.

Example Configuration (configuration.yaml):

# Use image from your own repository
image:
  # Replace with your repository address from previous steps
  repository: your-repo.local/fie-gapped/file-inspection-engine:1.0.0
  tag: 1.0.0

# Exposes the Service using an internal load balancer
service:
  annotations:
    networking.gke.io/load-balancer-type: "Internal"
  type: LoadBalancer

# Ephemeral storage limit for Autopilot cluster - skip for Standard clusters
resources:
  requests:
    ephemeral-storage: 10Gi

settings:
  # No RL API access
  cloudUpdates: false
  # Run FIE with the "--add-file-type enabled" parameter
  addFileType: "enabled"

Once you have prepared the values file, you can proceed to install the Helm chart. The Helm chart can be pushed to a chart repository, an OCI repository, or used directly as shown below:

Example Helm installation command

helm install fie ./fie-0.2.1.tgz --create-namespace --namespace fie-gapped \
  --set settings.cloudPassword="$RL_CLOUD_PASSWORD" \
  --values configuration.yaml --set-file licenseFileContent=RL-license.enc
NAME: fie
LAST DEPLOYED: Mon Aug 26 11:57:56 2024
NAMESPACE: fie-ag
STATUS: deployed
REVISION: 1
TEST SUITE: None

Copy the threat data

There are multiple ways to transfer the threat data to the air-gapped environment. Below is one example workflow:

  1. Download the tar package

    We will store the threat data into a .tar file. This requires the tar package to be installed in the FIE pod.

    Since this is an air-gapped environment, the tar package must be downloaded externally and then transferred to the pod:

    curl -O https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/x86_64/baseos/os/Packages/t/tar-1.30-9.el8.x86_64.rpm

    This is an example command, make sure to check that you're downloading the latest available version.

  2. Upload the tar package to FIE and install it

    cat tar-1.30-9.el8.x86_64.rpm | kubectl -n fie-gapped exec -it deploy/fie -- cp /dev/stdin /tar-1.30-9.el8.x86_64.rpm
    kubectl -n fie-gapped exec -it deploy/fie -- rpm -ihv /tar-1.30-9.el8.x86_64.rpm

  3. Store and transfer threat data

    Once tar installs, threat data can be stored into a .tar archive and moved over to the pod:

    $ cd /external/dir
    $ tar cvf - * | kubectl -n fie-gapped exec -i deploy/fie -- tar xf - -C /rl/threat-data --no-same-owner

  4. Restart the pod

    After everything is installed and copied over, restart the pod:

    kubectl -n fie-gapped rollout restart deploy/fie

Contact ReversingLabs Support for more information and guidance.

Get the application URL

To confirm that the File Inspection Engine is up and running, retrieve the application URL and perform a test file submission. You can follow the steps provided in the Kubernetes Deployment guide.