Version: File Inspection Engine 1.1.0

Kubernetes / GKE Deployment

Introduction

A typical File Inspection Engine (FIE) installation is performed on Kubernetes using Helm. Throughout this document, we'll be using Google Kubernetes Engine (GKE) as an example.

For managed Kubernetes solutions, you may also need to use vendor-specific tools to interact with the cluster. In our example, this will be gcloud. To install gcloud, follow these steps.

Deploying FIE Helm Chart to GKE

Here is an overview of deploying the FIE Helm chart to a GKE cluster:

Prerequisites

A GKE cluster is available.
kubectl is configured to work with your cluster.
Helm is installed.

Example: Configuring `kubectl` for a Specific Cluster

List Available GKE Clusters:

gcloud container clusters list

Example Output:

NAME                   LOCATION  MASTER_VERSION      MASTER_IP      MACHINE_TYPE  NODE_VERSION        NUM_NODES  STATUS
gke-autopilot-ado-dev  us-east4  1.28.8-gke.1095000  35.199.55.139  e2-small      1.28.8-gke.1095000  2          RUNNING

Get Cluster Credentials:

Run the following command to fetch cluster endpoint and authentication data:

gcloud container clusters get-credentials gke-autopilot-ado-dev --region us-east4

Output:

Fetching cluster endpoint and auth data.
kubeconfig entry generated for gke-autopilot-ado-dev.

The FIE Helm chart requires valid TitaniumCloud credentials, which will be provided by ReversingLabs.

Install FIE Using Helm

The examples provided use a placeholder account (u/example/fie). Be sure to replace this with your actual credentials wherever applicable.

Customize the Installation with a Values File

Below is an example of a custom values file:

$ cat values-deploy-example-gcp.yaml
# Use default storage class
storage:
  className: standard-rwo

# Expose the Service using an internal load balancer
service:
  annotations:
    networking.gke.io/load-balancer-type: "Internal"
  type: LoadBalancer

settings:
  # Cloud account username, used only for default registry auth
  cloudUsername: "u/example/fie"
  # Run FIE with "--add-file-type enabled" parameter
  addFileType: "enabled"

You can modify values such as ingress or storage class according to your needs. This example exposes the application internally using a load balancer service.

Set the password and install the Helm Chart

Store the password in a variable:
```
read -rs TITANIUM_CLOUD_PASSWORD
```

echo $TITANIUM_CLOUD_PASSWORD | helm registry login -u "u/example/fie" --password-stdin registry.reversinglabs.com

Install the Helm chart:

$ helm install fie oci://registry.reversinglabs.com/charts/fie \
  --create-namespace --namespace fie \
  --set settings.cloudPassword="${TITANIUM_CLOUD_PASSWORD}" \
  --values values-deploy-example-gcp.yaml \
  --set-file licenseFileContent=rl-license.enc

Expected Output:

Pulled: registry.reversinglabs.com/charts/fie:0.2.1
Digest: sha256:61ed7f0761912cc5052ceac1d71654f3c1f89f543df0ab6ae3d199070ab02084
NAME: fie
LAST DEPLOYED: Tue May 28 11:20:34 2024
NAMESPACE: fie
STATUS: deployed
REVISION: 1
TEST SUITE: None

Get the application URL

After deployment, obtain the application URL and port by running one of the following commands:

LoadBalancer IP:

Note: It may take a few minutes for the LoadBalancer IP to be available. You can watch the status by running kubectl get --namespace fie-ag svc -w fie.

export SERVICE_IP=$(kubectl get svc --namespace fie fie \
  --template "{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}")
echo http://$SERVICE_IP:8000

Verify the deployment

kubectl -n fie get svc/fie

Expected output

NAME   TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)          AGE
fie    LoadBalancer   34.118.234.76   10.128.0.24   8000:32132/TCP   32m

Once you have the service IP and port, you can send a test query to the /status endpoint.

$ curl -v http://10.128.0.24:8000/status

Alternatively, submit a file for analysis. This only works after the threat data is fully downloaded:

curl -sS -XPOST --upload-file eicar.com http://10.128.0.24:8000/scan | jq '.'

Expected output

{
"classification": "malicious",
"message": ""
}

Monitoring the Threat Data Download

After deployment, the FIE application will begin downloading threat data. This process can take between 30 and 90 minutes, depending on your network speed. You can monitor the download process by running:

kubectl -n fie logs -f deploy/fie

Look for the following message, which indicates that the download process completed successfully:

{"level":"info","component":"threatdata.UpdateManager","time":"2024-09-18T22:32:58.346353125Z","message":"Cloud update run finished"}

Appendix: FIE Helm Chart

Download the Helm Chart

To download the Helm Chart, run the following commands:

$ helm registry login -u "$RL_CLOUD_USERNAME" -p "$RL_CLOUD_PASSWORD" registry.reversinglabs.com

$ helm pull oci://registry.reversinglabs.com/charts/fie

Introduction​

Deploying FIE Helm Chart to GKE​

Prerequisites​

Example: Configuring kubectl for a Specific Cluster​

Install FIE Using Helm​

Customize the Installation with a Values File​

Set the password and install the Helm Chart​

Get the application URL​

Monitoring the Threat Data Download​

Appendix: FIE Helm Chart​

Download the Helm Chart​