Aporeto provides a close integration with Kubernetes and OpenShift to make it easy to control and monitor clusters composed of Linux hosts. It includes an operator, extends the Kubernetes API with custom resource definitions (CRDs), and maps Kubernetes namespaces, network policies, and services into Aporeto.
This procedure deploys Aporeto to a cluster in approximately five minutes. It requires:
- Kubernetes or OpenShift cluster that meets the system requirements
- oc installed and configured
- apoctl installed and configured
- Logged into
The Aporeto web interface offers a quickstart that does not require apoctl. Click on the rocket symbol in the top navigation and select Secure a Kubernetes Cluster.
By default, the kubectl installed by GKE does not have the container.clusterRoleBindings.create permission, which is required. Refer to the Google documentation for more information.
One way around this is to create a cluster using the
Run gcloud container clusters describe <cluster-name> and look for the
Use kubectl config set-credentials cluster-admin --user=admin --password=<password-value> to set the password in your configuration file.
Use kubectl config set-context --current --user=cluster-admin to configure your current context to use this user account.
1. Create a namespace in Aporeto
You will need an Aporeto namespace to contain your cluster resources. Set the CLUSTER environment variable to the name you'd like to use. The command below sets it to
Create the namespace in Aporeto.
apoctl api create namespace -k name $CLUSTER
2. Deploy Aporeto
To protect the Kubernetes or OpenShift cluster targeted by your current context with Aporeto, use the following command.
apoctl protect k8s --mimic-k8s-policy \
    --set enforcerd:enableCompressedTags=1 \
    --namespace $APOCTL_NAMESPACE/$CLUSTER
apoctl will target the cluster that your current context points to. To target a different context, use the
You can learn more about the options for the k8s subcommand in the apoctl reference section.
3. Verify the deployment
To confirm your deployment, issue the following command.
watch kubectl get pods --all-namespaces
Wait until all of the pods in the aporeto-operator namespace have a status of
The above command uses watch, which is not installed by default on macOS. While we recommend installing it, you can also omit the watch portion of the command and repeatedly issue the command until the Aporeto pods achieve the necessary status.
Press CTRL+C to exit the
Issue the following apoctl command to check the enforcers.
apoctl api list enforcers --namespace $APOCTL_NAMESPACE/$CLUSTER \
    -o table \
    -c ID \
    -c name \
    -c namespace \
    -c operationalStatus
apoctl should return a list of the enforcers deployed. You should see an enforcer instance on each node. An example for a two-node cluster follows.
ID                       | name               | namespace | operationalStatus
-------------------------+--------------------+-----------+-------------------
5c8196250ec7be0001fc9257 | host-4fc5e760-0k81 | /aporeto  | Connected
5c819625cedd610001c072e3 | host-4fc5e760-v35c | /aporeto  | Connected
All enforcer instances should have an
You can also check the status of the enforcers from the Aporeto web interface.
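As an added example that is not part of the Aporeto documentation, the POSIX shell function below reads the enforcer table from the apoctl command above on stdin and fails unless every enforcer reports Connected and the number of rows matches the node count passed as its argument. It assumes apoctl keeps the pipe-separated table layout shown above; the two sample tables are constructed here for the demonstration.

```shell
#!/bin/sh
# Added example, not Aporeto's own code. Reads the output of
#   apoctl api list enforcers ... -o table -c ID -c name -c namespace -c operationalStatus
# on stdin (pipe-separated layout assumed), prints every enforcer whose
# operationalStatus is not Connected, and returns non-zero if any enforcer is
# not Connected or the row count differs from the expected node count in $1.
check_enforcers() {
    awk -v want="$1" -F'|' '
        NF < 4 { next }                              # separator or blank lines
        {
            gsub(/^[ \t]+|[ \t]+$/, "", $2)          # name
            gsub(/^[ \t]+|[ \t]+$/, "", $4)          # operationalStatus
            if ($4 == "operationalStatus") next      # header row
            total++
            if ($4 != "Connected") {
                bad++
                print "NOT CONNECTED: " $2 " (" $4 ")"
            }
        }
        END {
            if (total != want) {
                print "expected " want " enforcers, found " total
                exit 1
            }
            exit (bad > 0)
        }'
}

# Constructed sample: the two-node table from this page.
SAMPLE_OK='ID | name | namespace | operationalStatus
+--------------------------+--------------------+------------+-------------------+
5c8196250ec7be0001fc9257 | host-4fc5e760-0k81 | /aporeto | Connected
5c819625cedd610001c072e3 | host-4fc5e760-v35c | /aporeto | Connected'

# Constructed sample with one enforcer not Connected ("Disconnected" is an
# illustrative value chosen for this example, not taken from apoctl output).
SAMPLE_BAD='ID | name | namespace | operationalStatus
+--------------------------+--------------------+------------+-------------------+
5c8196250ec7be0001fc9257 | host-4fc5e760-0k81 | /aporeto | Connected
5c819625cedd610001c072e3 | host-4fc5e760-v35c | /aporeto | Disconnected'

# Against a live cluster, compare with the node count, for example:
#   apoctl api list enforcers --namespace "$APOCTL_NAMESPACE/$CLUSTER" -o table \
#       -c ID -c name -c namespace -c operationalStatus \
#       | check_enforcers "$(kubectl get nodes --no-headers | wc -l)"
```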
Great job! Aporeto now recognizes the pods in your cluster as processing units, allowing you to control and monitor their traffic. If you have pods running, open the Aporeto web interface, navigate to the namespace of your cluster, and select Platform. The pods and their traffic should appear.
Configure an identity provider: if you haven’t already, you should configure an identity provider to allow other users in your organization to access the Aporeto control plane.
Enable host protection: to allow livenessProbe health checks, you must enable host protection. After enabling host protection you can control communications to and from any process on the host, not just pods.
Define network policies: Aporeto currently allows all traffic to and from your pods. You can view this traffic in the Platform pane of the Aporeto web interface as dashed green lines. Your goal is to make each dashed line either solid green (explicitly allowed) or solid red (disallowed). Once you have completed this, you can remove the temporary allow-all policy, ensuring that any traffic not explicitly allowed is denied.