Kubernetes / GKE Deployment
Introduction
A typical File Inspection Engine (FIE) installation is performed on Kubernetes using Helm. Throughout this document, we'll be using Google Kubernetes Engine (GKE) as an example.
For managed Kubernetes solutions, you may also need to use vendor-specific tools to interact with the cluster. In our example, this will be gcloud
. To install gcloud
, follow these steps.
Deploying FIE Helm Chart to GKE
Here is an overview of deploying the FIE Helm chart to a GKE cluster:
Prerequisites
- A GKE cluster is available.
kubectl
is configured to work with your cluster.- Helm is installed.
Example: Configuring kubectl
for a Specific Cluster
-
List Available GKE Clusters:
gcloud container clusters list
Example Output:
NAME LOCATION MASTER_VERSION MASTER_IP MACHINE_TYPE NODE_VERSION NUM_NODES STATUS
gke-autopilot-ado-dev us-east4 1.28.8-gke.1095000 35.199.55.139 e2-small 1.28.8-gke.1095000 2 RUNNING -
Get Cluster Credentials:
Run the following command to fetch cluster endpoint and authentication data:
gcloud container clusters get-credentials gke-autopilot-ado-dev --region us-east4
Output:
Fetching cluster endpoint and auth data.
kubeconfig entry generated for gke-autopilot-ado-dev.
The FIE Helm chart requires valid TitaniumCloud credentials, which will be provided by ReversingLabs.
Install FIE Using Helm
The examples provided use a placeholder account (u/example/fie
). Be sure to replace this with your actual credentials wherever applicable.
Customize the Installation with a Values File
Below is an example of a custom values file:
$ cat values-deploy-example-gcp.yaml
# Use default storage class
storage:
className: standard-rwo
# Expose the Service using an internal load balancer
service:
annotations:
networking.gke.io/load-balancer-type: "Internal"
type: LoadBalancer
settings:
# Cloud account username, used only for default registry auth
cloudUsername: "u/example/fie"
# Run FIE with "--add-file-type enabled" parameter
addFileType: "enabled"
You can modify values such as ingress or storage class according to your needs. This example exposes the application internally using a load balancer service. The default values file is included here.
Set the password and install the Helm Chart
-
Store the password in a variable:
read -rs TITANIUM_CLOUD_PASSWORD
-
Log in to the ReversingLabs container registry:
echo $TITANIUM_CLOUD_PASSWORD | helm registry login -u "u/example/fie" --password-stdin registry.reversinglabs.com
-
Install the Helm chart:
$ helm install fie oci://registry.reversinglabs.com/charts/fie \
--create-namespace --namespace fie \
--set settings.cloudPassword="${TITANIUM_CLOUD_PASSWORD}" \
--values values-deploy-example-gcp.yaml \
--set-file licenseFileContent=rl-license.encExpected Output:
Pulled: registry.reversinglabs.com/charts/fie:0.2.1
Digest: sha256:61ed7f0761912cc5052ceac1d71654f3c1f89f543df0ab6ae3d199070ab02084
NAME: fie
LAST DEPLOYED: Tue May 28 11:20:34 2024
NAMESPACE: fie
STATUS: deployed
REVISION: 1
TEST SUITE: None
Get the application URL
After deployment, obtain the application URL and port by running one of the following commands:
-
LoadBalancer IP:
Note: It may take a few minutes for the LoadBalancer IP to be available. You can watch the status by running
kubectl get --namespace fie-ag svc -w fie
.export SERVICE_IP=$(kubectl get svc --namespace fie fie \
--template "{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}")
echo http://$SERVICE_IP:8000 -
Verify the deployment
kubectl -n fie get svc/fie
Expected output
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
fie LoadBalancer 34.118.234.76 10.128.0.24 8000:32132/TCP 32m
Once you have the service IP and port, you can send a test query to the version endpoint:
$ curl -v http://10.128.0.24:8000/version
Expected output
* processing: http://10.128.0.24:8000/version
* Trying 10.128.0.24:8000...
* Connected to 10.128.0.24 (10.128.0.24) port 8000
> GET /version HTTP/1.1
> Host: 10.128.0.24:8000
> User-Agent: curl/8.2.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Type: application/json; charset=utf-8
< Date: Tue, 21 May 2024 12:35:24 GMT
< Content-Length: 47
<
{"application":"1.0.2","threat_data":""}
Alternatively, submit a file for analysis. This only works after the threat data is fully downloaded:
curl -sS -XPOST --upload-file eicar.com http://10.128.0.24:8000/scan | jq '.'
Expected output
{
"classification": "malicious",
"message": ""
}
Monitoring the Threat Data Download
After deployment, the FIE application will begin downloading threat data. This process can take between 30 and 90 minutes, depending on your network speed. You can monitor the download process by running:
kubectl -n fie logs -f deploy/fie
Look for the following message, which indicates that the download process completed successfully:
{"level":"info","component":"threatdata.UpdateManager","time":"2024-09-18T22:32:58.346353125Z","message":"Cloud update run finished"}
Appendix: FIE Helm Chart
Download the Helm Chart
To download the Helm Chart, run the following commands:
$ helm registry login -u "$RL_CLOUD_USERNAME" -p "$RL_CLOUD_PASSWORD" registry.reversinglabs.com
$ helm pull oci://registry.reversinglabs.com/charts/fie
Helm Chart default values
This chart uses default values for 2GB file processing.
# Default values for fie.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
image:
repository: registry.reversinglabs.com/fie/file-inspection-engine
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
tag: ""
imagePullSecrets: {} # value not used for RL registry
licenseFileContent: "" # FIE license received from ReversingLabs
nameOverride: ""
fullnameOverride: ""
podAnnotations: {}
podSecurityContext: {}
securityContext: {}
storage:
existingPvcName: "" # set name to use existing pvc
size: 32Gi # min. 22Gi atm.
className: gp2
rlTmpInRam: true
tmpfsSize: 20Gi
service:
annotations: {}
# To set an internal load balancer, refer to your cloud service provider documentation.
type: ClusterIP
port: 8000
ingress:
enabled: false
className: "alb"
annotations: {}
# There are different features supported by various Ingress controllers. Please refer to
# documentation on your platform specific Ingress controller to configure it in your environment.
hosts:
- host: fie.local.lan
paths:
- path: /
pathType: Prefix
tls: []
# - secretName: fie-tls
# hosts:
# - fie.local.lan
resources:
requests:
cpu: 8
memory: 32Gi
ephemeral-storage: 100Gi
nodeSelector: {}
tolerations: []
affinity: {}
settings:
# Cloud account password, used only for default registry auth
cloudPassword: ""
# Automatic updates of cloud threat data
cloudUpdates: true
# Desired frequency of cloud threat data updates, between 1 minute and 24 hours. Use m for minutes
# and h for hours, e.g. 45m or 6h.
cloudUpdateInterval: "5m0s"
# Cloud account username, used only for default registry auth
cloudUsername: ""
# The address and port on which the HTTP server will listen.
httpAddress: ":8000"
# The value needs to be between 1 and 5120 MiB. Uploads larger than this will be rejected.
maxUploadFileSize: 2048
# Whether suspicious samples should be classified as malicious
paranoidMode: false
# The host and port of a proxy for outgoing HTTP connections. It can optionally include one of the
# following three schemes: http, https, socks5. Example: socks5://host:port
proxyAddress: ""
# Includes detailed information about malicious samples in the HTTP response
withThreatDetails: false
# This option is available only for alpha6 and above. Possbile values: enabled / disabled / force
addFileType: "disabled"