KubeArmor Operator with Open Horizon cluster agent
- Install the Open Horizon all-in-one cluster agent
- Install and deploy the cluster anax agent on your Kubernetes cluster
NOTE: The cluster agent and the all-in-one agent should be on different hosts. They can also be on the same host; configure your IP accordingly.
- If you have not already done so, complete the steps in this section: Preconditions for Using the Operator Example Edge Service
NOTE: From step 2 onward, run the following commands on a separate machine that is connected to the Horizon exchange server. If everything is done on one single machine, use a different alias for the hzn CLI of the agent pod (here we use hznpod), so that hzn runs the host hzn CLI; hzn was previously aliased in the precondition step.
- Create a new working directory for a new horizon project:
hzn dev service new -V 1.0.0 -s kubearmor-operator -c cluster
- Make the operator file:
- KubeArmor Operator helm template:
helm repo add kubearmor https://kubearmor.github.io/charts
helm repo update kubearmor
helm template kubearmor/kubearmor-operator -n openhorizon-agent >> kubearmor-operator.yaml
Compress this YAML file using the tar -cvzf command. The following steps assume the name of the archive is operator.tar.gz
- KubeArmor Operator config:
kubectl apply -f https://raw.githubusercontent.com/kubearmor/KubeArmor/main/deployments/helm/KubeArmorOperator/crds/operator.kubearmor.com_kubearmorconfigs.yaml
- Edit the horizon/service.definition.json file to point to the operator's YAML archive created in the previous step. Assuming it is in the my-operator/ directory, set the following:
"operatorYamlArchive": "../operator.tar.gz"
- Publish your operator service:
hzn exchange service publish -f horizon/service.definition.json
- Create a deployment.policy.json file to deploy your operator service to an edge cluster:
cat << 'EOF' > horizon/deployment.policy.json
{
  "label": "$SERVICE_NAME Deployment Policy",
  "description": "A super-simple sample Horizon Deployment Policy",
  "service": {
    "name": "$SERVICE_NAME",
    "org": "$HZN_ORG_ID",
    "arch": "*",
    "serviceVersions": [
      {
        "version": "$SERVICE_VERSION",
        "priority": {}
      }
    ]
  },
  "properties": [
  ],
  "constraints": [
    "example == kubearmor-operator"
  ],
  "userInput": [
  ]
}
EOF
Notice we have given this deployment policy the following constraint: "example == kubearmor-operator"
- Publish your deployment policy:
hzn exchange deployment addpolicy -f horizon/deployment.policy.json kubearmor-operator
Now go back to the cluster host (or, if on the same host, alias hzn back as in the Precondition step).
- Back on your cluster host, create a node.policy.json file:
cat << 'EOF' > node.policy.json
{
  "properties": [
    { "name": "example", "value": "kubearmor-operator" }
  ]
}
EOF
- Register your edge cluster with your new node policy:
hznpod register -u $HZN_EXCHANGE_USER_AUTH
cat node.policy.json | hznpod policy update -f-
hznpod policy list
- Check to see the agreement has been created (this can take approximately 15 seconds):
hznpod agreement list
- Check if the operator is up in the cluster:
kubectl get pods -n openhorizon-agent
The KubeArmor Operator has now been successfully deployed. Next, apply this sample config, which makes the operator deploy all the components of KubeArmor:
wget https://raw.githubusercontent.com/kubearmor/KubeArmor/main/pkg/KubeArmorOperator/config/samples/sample-config.yml
# Change the namespace to openhorizon-agent
This sample config can be modified to match the configuration you want.
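A check worth running on the rendered kubearmor-operator.yaml from the helm template step before it is archived and published to the exchange. This is an added example, not KubeArmor or Open Horizon project code; the function names, the list of cluster-scoped kinds and the sample manifest are constructed for illustration.

```shell
#!/bin/sh
# Usage: audit_manifest [NAMESPACE] < kubearmor-operator.yaml
# Prints one finding per resource: cluster-scoped kinds (their reach goes beyond
# the namespace) and resources whose metadata.namespace is not NAMESPACE.
# "unset" matters: helm template -n only sets the release namespace, so a
# resource without metadata.namespace lands in the applying client's default.
# Assumptions: two-space indented YAML; the kind list is hand-picked, extend it.
audit_manifest() {
  awk -v ns="${1:-openhorizon-agent}" '
    function val(s) { gsub(/"/, "", s); return s }
    function report() {
      if (kind ~ /^(ClusterRole|ClusterRoleBinding|CustomResourceDefinition|Namespace)$/)
        print "CLUSTER-SCOPED " kind "/" name
      else if (kind != "" && docns != ns)
        print "WRONG-NAMESPACE " kind "/" name " (" (docns == "" ? "unset" : docns) ")"
      kind = name = docns = ""; inmeta = 0
    }
    /^---/       { report(); next }          # document separator
    /^metadata:/ { inmeta = 1; next }        # top-level metadata only
    /^kind:/     { kind = val($2) }
    /^[^ #]/     { inmeta = 0 }              # any other top-level key ends metadata
    inmeta && /^  name:/      { name = val($2) }
    inmeta && /^  namespace:/ { docns = val($2) }
    END { report() }
  '
}

# Constructed sample, not real chart output.
sample_manifest() {
  cat <<'EOF'
---
# Source: constructed/sample.yaml
kind: ServiceAccount
metadata:
  name: sample-operator
  namespace: openhorizon-agent
---
kind: ClusterRole
metadata:
  name: sample-operator-role
---
kind: Deployment
metadata:
  name: sample-operator
  namespace: kubearmor
EOF
}

sample_manifest | audit_manifest
```

An empty result means every resource is namespaced to openhorizon-agent; each CLUSTER-SCOPED line is a resource to read before publishing the archive.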