Skip to content
/ smartcheck-on-openshift Public
forked from mawinkler/c1-cs-smartcheck-on-openshift

Instructions on how to deploy Trend Micro Smart Check on OpenShift

License

GPL-3.0 license
0 stars 7 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

SecurityForCloudBuilders/smartcheck-on-openshift

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

Deploying Trend Micro Smart Check on OpenShift

Scanning your images in Smart Check on OpenShift.

Getting the Smart Check AC https://www.trendmicro.com/product_trials/download/index/us/168

Getting Started

  1. Create Overrides. Change the service type to LoadBalancer if you have a Load Balancer

    cat <<EOF > overrides.yml
activationCode: 'HULA'
auth:
  secretSeed: 'just_anything-really_anything'
  userName: 'admin'
  password: 'trendmicro'
persistence:
  enabled: true
service:
  type: NodePort
db:
  host: postgresql
  port: 5432
  user: dssc
  password: dssc
  tls:
    mode: disable
EOF

  2. Create a project for Smart Check. For simplicity, we're going to deploy the database into the same project later on.

    oc new-project smartcheck

  3. Create new Security Context Constraints for Smart Check. The defined one is a copy from the default restricted with a changed priority and runAsUser value. Assign the scc to the default service user within the project.

    cat <<EOF | oc apply -f -
kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1
metadata:
  name: smartcheck
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities: null
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: MustRunAs
groups:
- system:authenticated
priority: 10
readOnlyRootFilesystem: false
requiredDropCapabilities:
- KILL
- MKNOD
- SETUID
- SETGID
runAsUser:
  type: MustRunAs
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users: []
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
EOF

oc adm policy add-scc-to-user smartcheck -z default

  4. Next, setup a PostgreSQL

    oc process -n openshift postgresql-persistent -o yaml \
  -p POSTGRESQL_USER=dssc \
  -p POSTGRESQL_PASSWORD=dssc \
  -p POSTGRESQL_DATABASE=dssc \
  | oc create -f -

  5. The created user within the postgresql does not have the required permissions create database and create role which we need to grant to the user dssc. Connect to the database with

    oc rsh $(oc get pods -o json | jq -r '.items[].metadata | select(.name | startswith("postgres")) | .name' | grep -v deploy)

    Within the new shell...

    psql
    alter role dssc with createdb createrole;

  6. Install Smart Check

    helm install -n smartcheck --values overrides.yml smartcheck https://github.com/deep-security/smartcheck-helm/archive/master.tar.gz

Result

If everything worked correctly you should have a running Smart Check deployment on your cluster.

In case you're using CodeReady Containers do the following to enable access to Smart Check:

oc create route passthrough --service proxy --hostname smartcheck.testing

Finally, add smartcheck.testing to the line with some other .testing names. Example:

192.168.64.2 smartcheck.testing api.crc.testing console-openshift-console.apps-crc.testing default-route-openshift-image-registry.apps-crc.testing oauth-openshift.apps-crc.testing

Access Smart Check with your broswer with https://smartcheck.testing.

About

Instructions on how to deploy Trend Micro Smart Check on OpenShift

Resources

Readme

License

GPL-3.0 license
Activity
Custom properties

Stars

0 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published