To protect the KUMA network infrastructure using Kaspersky Endpoint Security for Linux, first install KUMA in a Kubernetes cluster and then deploy Kaspersky Endpoint Security for Linux.
When you install a fault-tolerant configuration of KUMA, the following requirements must be met:
The hosts that are planned to be used as Kubernetes cluster nodes do not use IP addresses from the following Kubernetes blocks:
serviceCIDR: 10.96.0.0/12
podCIDR: 10.244.0.0/16
Traffic to the addresses in these blocks must also be excluded from proxying.
The nginx load balancer is installed and configured (see the section on configuring nginx). For example, you can use the following command for installation:
sudo yum install nginx
If you want nginx to be configured automatically during the KUMA installation, install nginx and provide access to it via SSH in the same way as for the Kubernetes cluster hosts.
The installer creates the /etc/nginx/kuma_nginx_lb.conf configuration file. An example of the file contents is shown below. The upstream sections are generated dynamically and contain the IP addresses of the Kubernetes cluster controllers (in the example, 10.0.0.2-4 in the kubeAPI_backend, konnectivity_backend, and controllerJoinAPI_backend upstream sections) and the IP addresses of the worker nodes (in the example, 10.0.1.2-3) for which the inventory file sets the extra_args variable to "kaspersky.com/kuma-ingress=true".
The "include /etc/nginx/kuma_nginx_lb.conf;" line is added to the end of the /etc/nginx/nginx.conf file to apply the generated configuration file.
Configuration file example:
# Ansible managed
#
# LB KUMA cluster
#
stream {
    server {
        listen 6443;
        proxy_pass kubeAPI_backend;
    }
    server {
        listen 8132;
        proxy_pass konnectivity_backend;
    }
    server {
        listen 9443;
        proxy_pass controllerJoinAPI_backend;
    }
    server {
        listen 7209;
        proxy_pass kuma-core-hierarchy_backend;
        proxy_timeout 86400s;
    }
    server {
        listen 7210;
        proxy_pass kuma-core-services_backend;
        proxy_timeout 86400s;
    }
    server {
        listen 7220;
        proxy_pass kuma-core-ui_backend;
        proxy_timeout 86400s;
    }
    server {
        listen 7222;
        proxy_pass kuma-core-cybertrace_backend;
        proxy_timeout 86400s;
    }
    server {
        listen 7223;
        proxy_pass kuma-core-rest_backend;
        proxy_timeout 86400s;
    }
    upstream kubeAPI_backend {
        server 10.0.0.2:6443;
        server 10.0.0.3:6443;
        server 10.0.0.4:6443;
    }
    upstream konnectivity_backend {
        server 10.0.0.2:8132;
        server 10.0.0.3:8132;
        server 10.0.0.4:8132;
    }
    upstream controllerJoinAPI_backend {
        server 10.0.0.2:9443;
        server 10.0.0.3:9443;
        server 10.0.0.4:9443;
    }
    upstream kuma-core-hierarchy_backend {
        server 10.0.1.2:7209;
        server 10.0.1.3:7209;
    }
    upstream kuma-core-services_backend {
        server 10.0.1.2:7210;
        server 10.0.1.3:7210;
    }
    upstream kuma-core-ui_backend {
        server 10.0.1.2:7220;
        server 10.0.1.3:7220;
    }
    upstream kuma-core-cybertrace_backend {
        server 10.0.1.2:7222;
        server 10.0.1.3:7222;
    }
    upstream kuma-core-rest_backend {
        server 10.0.1.2:7223;
        server 10.0.1.3:7223;
    }
}
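The following shell script is an added example and is not part of KUMA or its installer. It parses a load-balancer file in the shape shown above and checks that each documented listener port proxies to an upstream whose members are exactly the expected controller IPs (ports 6443, 8132, 9443) or ingress worker IPs (ports 7209, 7210, 7220, 7222, 7223), and that nginx.conf contains the include line. The function names, the argument layout, and the write_sample_conf helper (which builds a constructed file with generic up_PORT upstream names for an offline dry run) are this example's own; the checker keys on listen ports rather than upstream names, so it also works with the kubeAPI_backend-style names in the generated file.

```shell
#!/bin/sh
# Added example, not KUMA installer code: verify that a kuma_nginx_lb.conf-style
# file routes every documented port to the expected hosts and that nginx.conf
# includes it. Function names, the up_PORT names used by write_sample_conf and
# the argument layout are this example's own.

CONTROLLER_PORTS="6443 8132 9443"          # served by Kubernetes controllers
WORKER_PORTS="7209 7210 7220 7222 7223"    # served by kuma-ingress worker nodes
LB_CONF=/etc/nginx/kuma_nginx_lb.conf      # file the installer generates

# upstream_for PORT CONF: print the upstream name the "listen PORT" server block proxies to.
upstream_for() {
    awk -v port="$1" '
        /^[[:space:]]*server[[:space:]]*[{]/ { inserver=1; lp=""; pp=""; next }
        inserver && $1=="listen"     { lp=$2; sub(";", "", lp) }
        inserver && $1=="proxy_pass" { pp=$2; sub(";", "", pp) }
        inserver && /[}]/            { if (lp==port) print pp; inserver=0 }
    ' "$2"
}

# upstream_hosts NAME CONF: sorted "IP:PORT" members of upstream NAME.
upstream_hosts() {
    awk -v name="$1" '
        $1=="upstream" && $2==name { inup=1; next }
        inup && $1=="server"       { h=$2; sub(";", "", h); print h }
        inup && /[}]/              { inup=0 }
    ' "$2" | sort
}

# expected_hosts PORT "IP IP ...": sorted members a correct upstream must have.
expected_hosts() {
    for ip in $2; do printf '%s:%s\n' "$ip" "$1"; done | sort
}

# port_routed_ok PORT "IPS" CONF: 0 if PORT's upstream holds exactly IPS on PORT.
port_routed_ok() {
    up=$(upstream_for "$1" "$3")
    [ -n "$up" ] || return 1
    [ "$(upstream_hosts "$up" "$3")" = "$(expected_hosts "$1" "$2")" ]
}

# lb_conf_ok CONF "CONTROLLER IPS" "WORKER IPS": every documented port is checked.
lb_conf_ok() {
    for p in $CONTROLLER_PORTS; do port_routed_ok "$p" "$2" "$1" || return 1; done
    for p in $WORKER_PORTS;     do port_routed_ok "$p" "$3" "$1" || return 1; done
}

# nginx_includes_lb NGINX_CONF: 0 if nginx.conf pulls in the generated file.
nginx_includes_lb() {
    grep -q "include[[:space:]]*$LB_CONF;" "$1"
}

# write_sample_conf FILE "CTL IPS" "WRK IPS": constructed file in the documented
# shape (generic upstream names) for an offline dry run.
write_sample_conf() {
    {
        echo "stream {"
        for p in $CONTROLLER_PORTS $WORKER_PORTS; do
            printf 'server {\nlisten %s;\nproxy_pass up_%s;\nproxy_timeout 86400s;\n}\n' "$p" "$p"
        done
        for p in $CONTROLLER_PORTS; do
            echo "upstream up_$p {"; for ip in $2; do echo "server $ip:$p;"; done; echo "}"
        done
        for p in $WORKER_PORTS; do
            echo "upstream up_$p {"; for ip in $3; do echo "server $ip:$p;"; done; echo "}"
        done
        echo "}"
    } > "$1"
}

# Live use: sh lb_check.sh /etc/nginx/kuma_nginx_lb.conf "10.0.0.2 10.0.0.3 10.0.0.4" "10.0.1.2 10.0.1.3"
if [ $# -eq 3 ]; then
    lb_conf_ok "$1" "$2" "$3" && echo "routing OK" || echo "routing MISMATCH in $1"
    nginx_includes_lb /etc/nginx/nginx.conf || echo "nginx.conf does not include $LB_CONF"
fi
```

Run it on the balancer with the path of the generated file and the controller and worker IP lists from your inventory; a mismatch means a controller or ingress worker is missing from, or wrongly present in, one of the upstream sections.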
An access key from the device on which KUMA is installed is added to the load balancer server.
SELinux is NOT enabled in the operating system of the balancer server.
The tar, systemctl, and setfacl packages are installed on the hosts.
During KUMA installation, the hosts are automatically checked to meet the following hardware requirements. If these conditions are not met, the installation is terminated.
For demonstration purposes, you can disable the check of these conditions during installation by specifying the low_resources: true variable in the inventory file.
Number of CPU cores (threads) – 12 or more.
RAM – 22,528 MB or more.
Available disk space in the /opt/ partition – 1,000 GB or more.
For initial installation, the /var/lib/ partition must have at least 32 GB of available space. If the cluster is already installed on this node, the required available space is reduced by the size of the /var/lib/k0s directory.
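As an added example that is not part of the KUMA installer, the following POSIX shell script turns the requirements above into checks: it confirms that a node address lies outside the two Kubernetes blocks, that a no_proxy list excludes both blocks, that the host meets the documented CPU, RAM, /opt and /var/lib minimums, that tar, systemctl and setfacl are on PATH, and that SELinux reports Disabled. The function names, the --live flag, the reading of no_proxy as the proxy-exclusion mechanism, and the use of hostname -I, nproc, /proc/meminfo and GNU df for the live run are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not KUMA installer code: pre-flight checks for the
# fault-tolerant KUMA requirements. The CIDR blocks and thresholds are the
# documented ones; function names, the --live flag and the live-probe
# commands (hostname -I, nproc, /proc/meminfo, GNU df) are assumptions.

K8S_SERVICE_CIDR=10.96.0.0/12    # serviceCIDR, as documented
K8S_POD_CIDR=10.244.0.0/16       # podCIDR, as documented
MIN_CPU=12; MIN_RAM_MB=22528; MIN_OPT_GB=1000; MIN_VARLIB_GB=32

# ip_to_int A.B.C.D: dotted quad -> 32-bit integer using shell arithmetic only.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# in_cidr IP NET/BITS: exit 0 if IP lies inside the block.
in_cidr() {
    ip=$(ip_to_int "$1"); net=$(ip_to_int "${2%/*}"); bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# node_address_ok IP: a cluster node must not use an address from either Kubernetes block.
node_address_ok() {
    ! in_cidr "$1" "$K8S_SERVICE_CIDR" && ! in_cidr "$1" "$K8S_POD_CIDR"
}

# no_proxy_covers "LIST": exit 0 if a comma-separated no_proxy value lists both blocks
# (assumed here to be how traffic to those addresses is excluded from proxying).
no_proxy_covers() {
    case ",$1," in
        *",$K8S_SERVICE_CIDR,"*) case ",$1," in *",$K8S_POD_CIDR,"*) return 0;; esac;;
    esac
    return 1
}

# resources_ok CPU RAM_MB OPT_FREE_GB VARLIB_FREE_GB: the documented minimums
# (the installer skips them only with low_resources: true in the inventory).
resources_ok() {
    [ "$1" -ge "$MIN_CPU" ] && [ "$2" -ge "$MIN_RAM_MB" ] &&
    [ "$3" -ge "$MIN_OPT_GB" ] && [ "$4" -ge "$MIN_VARLIB_GB" ]
}

# missing_tools NAME...: print, one per line, the names not found on PATH.
missing_tools() {
    for t in "$@"; do command -v "$t" >/dev/null 2>&1 || printf '%s\n' "$t"; done
}

# selinux_state_ok STATE: SELinux must not be enabled on the balancer; only "Disabled" satisfies it.
selinux_state_ok() { [ "$1" = Disabled ]; }

# Live run on the current host (Linux, GNU coreutils assumed): sh kuma_precheck.sh --live
if [ "${1:-}" = "--live" ]; then
    for a in $(hostname -I 2>/dev/null); do
        node_address_ok "$a" || echo "FAIL: $a overlaps a Kubernetes block"
    done
    no_proxy_covers "${no_proxy:-${NO_PROXY:-}}" || echo "WARN: no_proxy does not list both Kubernetes blocks"
    cpu=$(nproc); ram=$(awk '/^MemTotal:/ {print int($2/1024)}' /proc/meminfo)
    opt=$(df -BG --output=avail /opt 2>/dev/null | tail -n1 | tr -dc '0-9')
    var=$(df -BG --output=avail /var/lib 2>/dev/null | tail -n1 | tr -dc '0-9')
    resources_ok "$cpu" "$ram" "${opt:-0}" "${var:-0}" ||
        echo "FAIL: cpu=$cpu ram_mb=$ram opt_gb=${opt:-0} varlib_gb=${var:-0}"
    m=$(missing_tools tar systemctl setfacl | tr '\n' ' '); [ -z "$m" ] || echo "FAIL: missing $m"
    st=$(getenforce 2>/dev/null || echo Disabled); selinux_state_ok "$st" || echo "FAIL: SELinux is $st"
fi
```

Without --live the file only defines the functions, so the thresholds and the CIDR arithmetic can be exercised against constructed values; with --live it probes the current host and prints one FAIL or WARN line per unmet requirement, which is the same set of conditions the installer refuses to proceed on unless low_resources: true is set.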
Additional requirements for the application installation in the Astra Linux Special Edition operating system
Installing a fault-tolerant configuration of KUMA is supported for the Astra Linux Special Edition RUSB.10015-01 operating system (2022-1011SE17MD, update 1.7.2.UU.1). Kernel version 5.15.0.33 or higher is required.
The following packages are installed on the machines intended for deploying a Kubernetes cluster:
open-iscsi
wireguard
wireguard-tools
The packages can be installed using the following command: