The quick-start deployment can be used to deploy Aqua Self-Hosted Enterprise on your Kubernetes cluster quickly and easily. It is suited for proofs-of-concept (POCs) and environments intended for instruction, development, and test but not for production environments.
For production usage, enterprise-grade deployments, advanced use cases, and deployment on other Kubernetes platforms, deploy Aqua Enterprise with the required Aqua components (such as the Server, Enforcers, Scanner, and so on) on your orchestration platform. For more information, refer to the product documentation, Deploy Aqua Enterprise.
The quick-start deployment supports the following Kubernetes platforms:
- Kubernetes
- AKS (Microsoft Azure Kubernetes Service)
- EKS (Amazon Elastic Kubernetes Service)
- GKE (Google Kubernetes Engine)
The deployment commands shown in this file use the kubectl CLI; on OpenShift they can easily be replaced with the equivalent oc CLI commands.
Before you use the quick-start deployment method documented in this repository, Aqua strongly recommends that you refer to the product documentation, Quick-Start Guide for Kubernetes. You will need the following:
- Your Aqua credentials: username and password
- Your Aqua Enterprise License Token
- Access to the target Kubernetes cluster
Through the quick-start deployment method, the Aqua Enforcer is deployed to provide runtime security for your Kubernetes workloads. In addition to the Aqua Enforcer, the KubeEnforcer can also be deployed. If your Kubernetes cluster has shared storage, Aqua can be deployed to use it. If you use Minikube or your cluster does not have shared storage, Aqua can be deployed using a host path for persistent storage.
The following table lists the manifest YAML files that can be used to deploy Aqua through the quick-start method:
File | Purpose |
---|---|
aqua-csp-quick-DaemonSet-hostPath.yaml | Deploy Aqua Enterprise with the Aqua Enforcer only, and use the host-path for storage |
aqua-csp-quick-DaemonSet-storage.yaml | Deploy Aqua Enterprise with the Aqua Enforcer only, and use default-storage |
aqua-csp-quick-default-storage.yaml | Deploy Aqua Enterprise with the Aqua Enforcer and KubeEnforcer, and use default-storage |
aqua-csp-quick-hostpath.yaml | Deploy Aqua Enterprise with the Aqua Enforcer and KubeEnforcer, and use the host-path for storage |
You can skip any step that you have already performed.
Step 1. Create a namespace named aqua (if not already done).
```shell
kubectl create namespace aqua
```
Step 2. Create a docker-registry secret (if not already done).
```shell
kubectl create secret docker-registry aqua-registry \
--docker-server=registry.aquasec.com \
--docker-username=<your-name> \
--docker-password=<your-pword> \
-n aqua
```
Deploy Aqua Enterprise using the YAML file from the current directory that matches your use case. For example:
```shell
kubectl apply -f https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/quick_start/kubernetes_and_openshift/manifests/aqua-csp-quick-DaemonSet-hostPath.yaml
```
For more information on selecting the YAML file that you need, refer to the Configuration of Enforcers and storage section.
Step 1. Get the external IP of the console.
```shell
kubectl get svc -n aqua
```
Step 2. If Aqua Enterprise is deployed on Minikube, get the external IP of the console as follows.
```shell
minikube tunnel
kubectl get svc -n aqua
```
Step 3. Access the aqua-web service from your browser using the URL:
```
http://<aqua-web service>:<aqua-web port>
```
If you did not define a default load balancer for your Kubernetes cluster, the public (external) IP of the aqua-web service will remain "pending" after deploying through the quick-start method. In this case, you can access Aqua Enterprise using a client-side kubectl tunnel.
If no load balancer is defined, to access Aqua Enterprise:
Step 1. Use kubectl to find the aqua-web pod.
```shell
kubectl get pods -n aqua
```
Step 2. Use the kubectl port-forward command in a separate window to open the tunnel. port-forward takes a pod (or service) name and a local:remote port pair, not an IP address.
```shell
kubectl port-forward -n aqua <aqua-web-pod-name> <LOCAL_TUNNEL_PORT>:<AQUA_WEB_PORT>
```
Step 3. Access Aqua Enterprise from your browser using the URL:
```
http://localhost:<LOCAL_TUNNEL_PORT>
```
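The whole procedure above (namespace, registry secret, manifest apply, then locating the console or falling back to a tunnel) as one added script. This is an example written for this page, not code from the Aqua deployments repository; it assumes kubectl is already pointed at the target cluster, and the variable names AQUA_NS, MANIFEST_URL, AQUA_REGISTRY_USER and AQUA_REGISTRY_PASSWORD are this example's own.

```shell
#!/bin/sh
# Added example (not from the Aqua deployments repository): automates the quick-start
# steps above and picks the load-balancer URL or a port-forward fallback. Assumes kubectl
# is already pointed at the target cluster.
set -eu
AQUA_NS="${AQUA_NS:-aqua}"
# Manifest URL from the deploy step above; substitute another file from the table as needed.
MANIFEST_URL="${MANIFEST_URL:-https://raw.githubusercontent.com/aquasecurity/deployments/2022.4/quick_start/kubernetes_and_openshift/manifests/aqua-csp-quick-DaemonSet-hostPath.yaml}"

# Given one `kubectl get svc aqua-web -n aqua --no-headers` line (NAME TYPE CLUSTER-IP
# EXTERNAL-IP PORT(S) AGE), print the console URL; print "pending" and return 1 while
# no load-balancer address has been assigned.
console_url_from_svc_line() {
  set -- $1                       # intentional word-splitting into columns
  external_ip="${4:-}"; ports="${5:-}"
  case "$external_ip" in ''|'<pending>'|'<none>') echo pending; return 1 ;; esac
  port="${ports%%[:/]*}"          # first service port, e.g. 8080 from 8080:31234/TCP,443:31235/TCP
  echo "http://${external_ip}:${port}"
}

# Steps 1-2 plus the manifest apply, skipping anything that already exists.
deploy_quick_start() {
  # Credentials come from the environment rather than being typed into shell history.
  : "${AQUA_REGISTRY_USER:?set AQUA_REGISTRY_USER}" "${AQUA_REGISTRY_PASSWORD:?set AQUA_REGISTRY_PASSWORD}"
  kubectl get namespace "$AQUA_NS" >/dev/null 2>&1 || kubectl create namespace "$AQUA_NS"
  kubectl get secret aqua-registry -n "$AQUA_NS" >/dev/null 2>&1 ||
    kubectl create secret docker-registry aqua-registry --docker-server=registry.aquasec.com \
      --docker-username="$AQUA_REGISTRY_USER" --docker-password="$AQUA_REGISTRY_PASSWORD" -n "$AQUA_NS"
  kubectl apply -f "$MANIFEST_URL"
}

# Poll for the external IP; if it stays "pending" (no load balancer defined), print the
# port-forward command from the tunnel steps above instead of failing silently.
wait_for_console() {
  tries=0
  while [ "$tries" -lt 30 ]; do
    line=$(kubectl get svc aqua-web -n "$AQUA_NS" --no-headers 2>/dev/null || true)
    if url=$(console_url_from_svc_line "$line"); then echo "$url"; return 0; fi
    tries=$((tries + 1)); sleep 10
  done
  echo "aqua-web external IP still pending; open a tunnel with:" >&2
  echo "  kubectl port-forward -n $AQUA_NS svc/aqua-web <LOCAL_TUNNEL_PORT>:<AQUA_WEB_PORT>" >&2
  return 1
}

# Runs only when invoked as: sh aqua-quick-start.sh deploy
if [ "${1:-}" = deploy ]; then deploy_quick_start && wait_for_console; fi
```

The polling stops after five minutes so a missing load balancer surfaces as an explicit message rather than an indefinite wait.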