Aporeto provides a close integration with Kubernetes and OpenShift to make it easy to control and monitor your clusters. It includes an Aporeto Operator component and extends the Kubernetes API with custom resource definitions (CRDs). It maps Kubernetes namespaces, network policies, and services into Aporeto.
You can use any of the following methods to install Aporeto on Kubernetes and OpenShift.
Installing the Aporeto enforcer as a DaemonSet uses Helm and Tiller for a very fast and easy deployment. As long as you are comfortable with the elevated privileges that Tiller requires and don't run services under different user accounts, this is the way to go.
Installing the Aporeto enforcer as a systemd service takes more time, but provides increased security. It does not use Tiller to install the enforcer component. In addition, you'll be able to manage services that run under different user accounts.
Installing the Aporeto enforcer for multi-tenancy (beta) allows you to deploy multiple Aporeto Operators to watch different namespaces.
After following any of the installation guides above, you can protect your first applications and pods with Aporeto.
However, you might run into difficulties creating certain policies - especially around livenessProbe health checks - or you may generally want to protect more than just your Kubernetes pods on a host.
It is therefore highly recommended to take the protection of your installation one step further and enable host protection on all hosts as well.
Continue to Enable host protection on Kubernetes/OpenShift hosts to take your security stance one step further.