To deploy Cloud Active Defense on Kyma, you first need to either install Kyma on your local machine or use SAP BTP cloud.
To install Kyma locally follow these instructions:
- Install k3d
- Follow these steps before setting up Kyma: Steps for local Kyma
- Install Kyma by following the Kyma documentation (mandatory modules are Istio and API Gateway)
To use Kyma in SAP BTP cloud follow these instructions:
- Create an account in SAP cloud (You can skip final steps from step 9)
- Enable Kyma
- Connect to remote cluster
Install Helm to manage Kubernetes configuration files.
Before installing, you need to change some values in values.yaml. The values.yaml file is where all the variables for the install are stored and where you will have to set the missing ones.
You will have to set:
- db_user with the database user you want; a default one will be set if not changed
- db_password with a secure password; a default one will be set if not changed (not recommended)
- kyma_domain with the correct Kyma domain provided (e.g. c-28e44bf.kyma.ondemand.com)
You will only have to set deploymentmanager_db_password with a secure password; a default one will be set if not changed (not recommended). Please use the same password set for the deployment-manager chart (if already set).
Now that you have set all the values, you only have to run this to install everything at once:
helm install controlpanel .
You can also install each Helm chart separately to have more control over it, but it is not necessary. To do that, you must set all the values specified before, but in each chart's own values file.
Now that you have installed the controlpanel, you could try to protect the demo app provided
First let's install the demo app (myapp):
helm install myapp myapp
Now, to access the controlpanel, go to https://controlpanel-front.<KYMA_DOMAIN> (e.g. https://controlpanel-front.c-28e44bf.kyma.ondemand.com)
Warning
You need to fetch the customer ID to continue the demo
To do that, find the database pod name in the Kyma dashboard: go to controlpanel namespace -> Workloads -> Pods and copy the pod name (e.g. controlpanel-db-798cfb559b-tsdpr)
Then execute this command (change DB_USER according to what you set):
kubectl exec -it -n controlpanel <POD_NAME> -- psql -U<DB_USER> -W -d cad
A prompt will ask for the password; use the password you set for the database. Execute this inside the psql terminal and copy the ID:
SELECT id FROM customers;
When you are on the controlpanel, go to the System tab and add this to the URL:
?cu_id=<ID_YOU_COPIED>
Once this is done, click on the Download setup script button and execute the provided script.
After that, click on Upload kubeconfig and use the kubeconfig file that the script just output.
From there you can select the desired namespace and turn on the deployment to protect (demo-ns as namespace and myapp as deployment for the demo).
Note
Enabling the protection can take a few seconds
You might want to see if the application is protected by Cloud Active Defense now.
Because a new app is protected, you should have a new option in the select box at the top-left (demo-ns/myapp for the demo). Select it and go to Decoys and the List tab.
On the Decoys list tab you have a "default" decoy to test if everything is working properly.
Check that decoy to deploy it.
Now, to access the demo app, go to https://myapp.<KYMA_DOMAIN> (e.g. https://myapp.c-28e44bf.kyma.ondemand.com)
You should be greeted by a 'welcome' page. Inspect the network traffic (in Firefox: CTRL+SHIFT+I, visit 'Network', then click on the / request) and notice the presence of an HTTP response header saying x-cloud-active-defense=ACTIVE.
That means your application is protected.
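To run the same check from a terminal or a CI job instead of the browser, the following added example (not part of the Cloud Active Defense project) parses raw response headers and succeeds only when the final response carries x-cloud-active-defense: ACTIVE. The function names and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example: smoke test for the x-cloud-active-defense response header.

# Read raw HTTP response headers on stdin and print the value of
# x-cloud-active-defense from the LAST response in the stream.
cad_header_value() {
  awk '
    { sub(/\r$/, "") }                   # strip CR from CRLF line endings
    /^HTTP\// { value = ""; next }       # new status line (redirect hop): reset
    {
      i = index($0, ":")
      if (i == 0) next
      # header names are case-insensitive
      if (tolower(substr($0, 1, i - 1)) == "x-cloud-active-defense") {
        value = substr($0, i + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", value)
      }
    }
    END { print value }
  '
}

# Exit status 0 only if the header is present and equal to ACTIVE.
cad_is_active() {
  [ "$(cad_header_value)" = "ACTIVE" ]
}

# Live check: GET the page, follow redirects, keep headers, drop the body.
# Usage: cad_check_url "https://myapp.<KYMA_DOMAIN>"
cad_check_url() {
  curl -sS -L --max-time 10 -o /dev/null -D - "$1" | cad_is_active
}

# Constructed sample responses (not captured from a real cluster).
sample_protected() {
  printf 'HTTP/1.1 200 OK\r\ncontent-type: text/html\r\nX-Cloud-Active-Defense: ACTIVE\r\n\r\n'
}
sample_unprotected() {
  printf 'HTTP/1.1 200 OK\r\ncontent-type: text/html\r\n\r\n'
}
# Header on the redirect hop only: the page actually served is not protected.
sample_redirect() {
  printf 'HTTP/1.1 302 Found\r\nx-cloud-active-defense: ACTIVE\r\nlocation: /home\r\n\r\nHTTP/1.1 200 OK\r\ncontent-type: text/html\r\n\r\n'
}

for s in sample_protected sample_unprotected sample_redirect; do
  if "$s" | cad_is_active; then echo "$s: protected"; else echo "$s: NOT protected"; fi
done
```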
To go further, you can update that decoy or add a new one with a 'detect' section and trigger it in the demo app. By doing this you should have an alert in the Logs tab.
There are some decoy examples/ideas in the wiki to play with to see the full potential of Cloud Active Defense.