Air-Gapped Kubernetes Deployment
If the network topology of a Kubernetes cluster prevents access to the ReversingLabs registry and APIs, several objects must be manually transferred and uploaded to the cluster. It is crucial to have Kubernetes API access available since kubectl
will be used throughout this process.
Steps:
- Download the threat data manually: Use a FIE instance with internet access to download threat data.
- Deploy FIE in production: Deploy the production FIE application with cloud updates disabled
- Transfer threat data: Copy the downloaded threat data to the air-gapped FIE instance.
To complete this process, you will need:
- The FIE Helm Chart
- The FIE container image pulled from the ReversingLabs registry, which must be made available to the Kubernetes cluster via a client-provided registry.
- A valid license (provided by ReversingLabs).
Manually download the threat data
The detailed process for downloading threat data is available here.
Deploy the FIE application
After the threat data downloads, deploy FIE using the Helm chart.
Making the container image available to Kubernetes
To make the FIE container image available to the Kubernetes cluster, you need to pull it from the ReversingLabs registry and push it to your own registry.
Follow these steps:
- Load the image
$ podman image load -i file-inspection-engine-1.0.2.tar.gz
- Tag the image
$ podman image tag localhost/file-inspection-engine:1.0.2 your-repo.local/fie-gapped/file-inspection-engine:1.0.2
- Push the image to your registry
$ podman image push your-repo.local/fie-gapped/file-inspection-engine:1.0.2
Podman is used in this example, but the syntax should be similar if using Docker.
Installing FIE Using HELM
Prepare a custom values file to configure the deployment using the FIE Helm Chart. Consult with your Kubernetes administrator to decide how to expose the FIE service (e.g., LoadBalancer, Ingress).
In this example, we use a LoadBalancer service to expose FIE, and we override the default image repository and tag with the settings from the previous step.
Example Configuration (configuration.yaml):
# Use image from your own repository
image:
# Replace with your repository address from previous steps
repository: your-repo.local/fie-gapped/file-inspection-engine:1.0.2
tag: 1.0.2
# Exposes the Service using an internal load balancer
service:
annotations:
networking.gke.io/load-balancer-type: "Internal"
type: LoadBalancer
# Ephemeral storage limit for Autopilot cluster - skip for Standard clusters
resources:
requests:
ephemeral-storage: 10Gi
settings:
# No RL API access
cloudUpdates: false
# Run FIE with the "--add-file-type enabled" parameter
addFileType: "enabled"
Once you have prepared the values file, you can proceed to install the Helm chart. The Helm chart can be pushed to a chart repository, an OCI repository, or used directly as shown below:
Example Helm installation command
helm install fie ./fie-0.2.1.tgz --create-namespace --namespace fie-gapped \
--set settings.cloudPassword="$RL_CLOUD_PASSWORD" \
--values configuration.yaml --set-file licenseFileContent=RL-license.enc
NAME: fie
LAST DEPLOYED: Mon Aug 26 11:57:56 2024
NAMESPACE: fie-ag
STATUS: deployed
REVISION: 1
TEST SUITE: None
Copy the threat data
There are multiple ways to transfer the threat data to the air-gapped environment. Below is one example workflow:
-
Download the tar package
We will store the threat data into a .tar file. This requires the
tar
package to be installed in the FIE pod.Since this is an air-gapped environment, the
tar
package must be downloaded externally and then transferred to the pod:curl -O https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi8/8/x86_64/baseos/os/Packages/t/tar-1.30-9.el8.x86_64.rpm
This is an example command, make sure to check that you're downloading the latest available version.
-
Upload the tar package to FIE and install it
cat tar-1.30-9.el8.x86_64.rpm | kubectl -n fie-gapped exec -it deploy/fie -- cp /dev/stdin /tar-1.30-9.el8.x86_64.rpm
kubectl -n fie-gapped exec -it deploy/fie -- rpm -ihv /tar-1.30-9.el8.x86_64.rpm
-
Store and transfer threat data
Once
tar
installs, threat data can be stored into a .tar archive and moved over to the pod:$ cd /external/dir
$ tar cvf - * | kubectl -n fie-gapped exec -i deploy/fie -- tar xf - -C /rl/threat-data --no-same-owner -
Restart the pod
After everything is installed and copied over, restart the pod:
kubectl -n fie-gapped rollout restart deploy/fie
Contact ReversingLabs Support for more information and guidance.
Get the application URL
To confirm that the File Inspection Engine is up and running, retrieve the application URL and perform a test file submission. You can follow the steps provided in the Kubernetes Deployment guide.