Skip to main content
Version: File Inspection Engine 1.0.1

Kubernetes / GKE Deployment

Introduction

A typical File Inspection Engine (FIE) installation is performed on Kubernetes using Helm. Throughout this document, we'll be using Google Kubernetes Engine (GKE) as an example.

For managed Kubernetes solutions, you may also need to use vendor-specific tools to interact with the cluster. In our example, this will be gcloud. To install gcloud, follow these steps.


Deploying FIE Helm Chart to GKE

Here is an overview of deploying the FIE Helm chart to a GKE cluster:

Prerequisites

  • A GKE cluster is available.
  • kubectl is configured to work with your cluster.
  • Helm is installed.

Example: Configuring kubectl for a Specific Cluster

  1. List Available GKE Clusters:

    gcloud container clusters list

    Example Output:

    NAME                   LOCATION  MASTER_VERSION      MASTER_IP      MACHINE_TYPE  NODE_VERSION        NUM_NODES  STATUS
    gke-autopilot-ado-dev us-east4 1.28.8-gke.1095000 35.199.55.139 e2-small 1.28.8-gke.1095000 2 RUNNING
  2. Get Cluster Credentials:

    Run the following command to fetch cluster endpoint and authentication data:

    gcloud container clusters get-credentials gke-autopilot-ado-dev --region us-east4

    Output:

    Fetching cluster endpoint and auth data.
    kubeconfig entry generated for gke-autopilot-ado-dev.

The FIE Helm chart requires valid TitaniumCloud credentials, which will be provided by ReversingLabs.

Install FIE Using Helm

The examples provided use a placeholder account (u/example/fie). Be sure to replace this with your actual credentials wherever applicable.

Customize the Installation with a Values File

Below is an example of a custom values file:

$ cat values-deploy-example-gcp.yaml
# Use default storage class
storage:
className: standard-rwo

# Expose the Service using an internal load balancer
service:
annotations:
networking.gke.io/load-balancer-type: "Internal"
type: LoadBalancer

settings:
# Cloud account username, used only for default registry auth
cloudUsername: "u/example/fie"
# Run FIE with "--add-file-type enabled" parameter
addFileType: "enabled"

You can modify values such as ingress or storage class according to your needs. This example exposes the application internally using a load balancer service. The default values file is included here.

Set the password and install the Helm Chart

  1. Store the password in a variable:

    read -rs TITANIUM_CLOUD_PASSWORD
  2. Log in to the ReversingLabs container registry:

    echo $TITANIUM_CLOUD_PASSWORD | helm registry login -u "u/example/fie" --password-stdin registry.reversinglabs.com
  3. Install the Helm chart:

    $ helm install fie oci://registry.reversinglabs.com/charts/fie \
    --create-namespace --namespace fie \
    --set settings.cloudPassword="${TITANIUM_CLOUD_PASSWORD}" \
    --values values-deploy-example-gcp.yaml \
    --set-file licenseFileContent=rl-license.enc

    Expected Output:

    Pulled: registry.reversinglabs.com/charts/fie:0.2.1
    Digest: sha256:61ed7f0761912cc5052ceac1d71654f3c1f89f543df0ab6ae3d199070ab02084
    NAME: fie
    LAST DEPLOYED: Tue May 28 11:20:34 2024
    NAMESPACE: fie
    STATUS: deployed
    REVISION: 1
    TEST SUITE: None

Get the application URL

After deployment, obtain the application URL and port by running one of the following commands:

  1. LoadBalancer IP:

    Note: It may take a few minutes for the LoadBalancer IP to be available. You can watch the status by running kubectl get --namespace fie-ag svc -w fie.

    export SERVICE_IP=$(kubectl get svc --namespace fie fie \
    --template "{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}")
    echo http://$SERVICE_IP:8000
  2. Verify the deployment

    kubectl -n fie get svc/fie

    Expected output

    NAME   TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE
    fie LoadBalancer 34.118.234.76 10.128.0.24 8000:32132/TCP 32m

Once you have the service IP and port, you can send a test query to the version endpoint:

$ curl -v http://10.128.0.24:8000/version

Expected output

* processing: http://10.128.0.24:8000/version
* Trying 10.128.0.24:8000...
* Connected to 10.128.0.24 (10.128.0.24) port 8000
> GET /version HTTP/1.1
> Host: 10.128.0.24:8000
> User-Agent: curl/8.2.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: application/json; charset=utf-8
< Date: Tue, 21 May 2024 12:35:24 GMT
< Content-Length: 47
<
{"application":"1.0.0-alpha6","threat_data":""}

Alternatively, submit a file for analysis. This only works after the threat data is fully downloaded:

curl -sS -XPOST --upload-file eicar.com http://10.128.0.24:8000/scan | jq '.'

Expected output

{
"classification": "malicious",
"message": ""
}

Monitoring the Threat Data Download

After deployment, the FIE application will begin downloading threat data. This process can take between 30 and 90 minutes, depending on your network speed. You can monitor the download process by running:

kubectl -n fie logs -f deploy/fie

Look for the following message, which indicates that the download process completed successfully:

{"level":"info","component":"threatdata.UpdateManager","time":"2024-09-18T22:32:58.346353125Z","message":"Cloud update run finished"}

Appendix: FIE Helm Chart

Download the Helm Chart

To download the Helm Chart, run the following commands:

$ helm registry login -u "$RL_CLOUD_USERNAME" -p "$RL_CLOUD_PASSWORD" registry.reversinglabs.com

$ helm pull oci://registry.reversinglabs.com/charts/fie

Helm Chart default values

This chart uses default values for 2GB file processing.

# Default values for fie.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

image:
repository: registry.reversinglabs.com/fie/file-inspection-engine
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
tag: ""

imagePullSecrets: {} # value not used for RL registry

licenseFileContent: "" # FIE license received from ReversingLabs

nameOverride: ""
fullnameOverride: ""

podAnnotations: {}

podSecurityContext: {}

securityContext: {}

storage:
existingPvcName: "" # set name to use existing pvc
size: 32Gi # min. 22Gi atm.
className: gp2
rlTmpInRam: true
tmpfsSize: 20Gi

service:
annotations: {}
# To set an internal load balancer, refer to your cloud service provider documentation.
type: ClusterIP
port: 8000

ingress:
enabled: false
className: "alb"
annotations: {}
# There are different features supported by various Ingress controllers. Please refer to
# documentation on your platform specific Ingress controller to configure it in your environment.
hosts:
- host: fie.local.lan
paths:
- path: /
pathType: Prefix
tls: []
# - secretName: fie-tls
# hosts:
# - fie.local.lan

resources:
requests:
cpu: 8
memory: 32Gi
ephemeral-storage: 100Gi


nodeSelector: {}

tolerations: []

affinity: {}

settings:
# Cloud account password, used only for default registry auth
cloudPassword: ""
# Automatic updates of cloud threat data
cloudUpdates: true
# Desired frequency of cloud threat data updates, between 1 minute and 24 hours. Use m for minutes
# and h for hours, e.g. 45m or 6h.
cloudUpdateInterval: "5m0s"
# Cloud account username, used only for default registry auth
cloudUsername: ""
# The address and port on which the HTTP server will listen.
httpAddress: ":8000"
# The value needs to be between 1 and 5120 MiB. Uploads larger than this will be rejected.
maxUploadFileSize: 2048
# Whether suspicious samples should be classified as malicious
paranoidMode: false
# The host and port of a proxy for outgoing HTTP connections. It can optionally include one of the
# following three schemes: http, https, socks5. Example: socks5://host:port
proxyAddress: ""
# Includes detailed information about malicious samples in the HTTP response
withThreatDetails: false
# This option is available only for alpha6 and above. Possbile values: enabled / disabled / force
addFileType: "disabled"