Additional requirements for deploying KUMA Core in Kubernetes

To protect the KUMA network infrastructure using Kaspersky Endpoint Security for Linux, first install KUMA in a Kubernetes cluster and then deploy Kaspersky Endpoint Security for Linux.

When you install a high availability configuration of KUMA, the following requirements must be met:

• General application installation requirements.
• The hosts that are planned to be used for Kubernetes cluster nodes do not use IP addresses from the following Kubernetes blocks:
  • serviceCIDR: 10.96.0.0/12
  • podCIDR: 10.244.0.0/16

  The traffic to the proxy servers is also excluded for the addresses of these blocks.

• The nginx load balancer is installed and configured (more details about configuring nginx). For example, you can use the following command for installation:

  sudo yum install nginx

  If you want nginx to be configured automatically during the KUMA installation, install nginx and provide access to it via SSH in the same way as for the Kubernetes cluster hosts.

  Example of an automatically created nginx configuration

  The installer creates the /etc/nginx/kuma_nginx_lb.conf configuration file. An example of the file contents is shown below. The upstream sections are generated dynamically and contain the IP addresses of the Kubernetes cluster controllers (in the example, 10.0.0.2-4 in the upstream kubeAPI_backend, upstream konnectivity_backend, controllerJoinAPI_backend sections) and the IP addresses of the worker nodes (in the example 10.0.1.2-3), for which the inventory file contains the "kaspersky.com/kuma-ingress=true" value for the extra_args variable.

  The "include /etc/nginx/kuma_nginx_lb.conf;" line is added to the end of the /etc/nginx/nginx.conf file to apply the generated configuration file.

  Configuration file example:

  # Ansible managed # # LB KUMA cluster #   stream {     server {         listen          6443;         proxy_pass      kubeAPI_backend;     }     server {         listen          8132;         proxy_pass      konnectivity_backend;     }     server {         listen          9443;         proxy_pass      controllerJoinAPI_backend;     }     server {         listen          7209;         proxy_pass      kuma-core-hierarchy_backend;         proxy_timeout   86400s;     }     server {         listen          7210;         proxy_pass      kuma-core-services_backend;         proxy_timeout   86400s;     }     server {         listen          7220;         proxy_pass      kuma-core-ui_backend;         proxy_timeout   86400s;     }     server {         listen          7222;         proxy_pass      kuma-core-cybertrace_backend;         proxy_timeout   86400s;     }     server {         listen          7223;         proxy_pass      kuma-core-rest_backend;         proxy_timeout   86400s;     }     upstream kubeAPI_backend {         server 10.0.0.2:6443;         server 10.0.0.3:6443;         server 10.0.0.4:6443;     }     upstream konnectivity_backend {         server 10.0.0.2:8132;         server 10.0.0.3:8132;         server 10.0.0.4:8132;     }     upstream controllerJoinAPI_backend {         server 10.0.0.2:9443;         server 10.0.0.3:9443;         server 10.0.0.4:9443;     }     upstream kuma-core-hierarchy_backend {         server 10.0.1.2:7209;         server 10.0.1.3:7209;     }     upstream kuma-core-services_backend {         server 10.0.1.2:7210;         server 10.0.1.3:7210;     }     upstream kuma-core-ui_backend {         server 10.0.1.2:7220;         server 10.0.1.3:7220;     }     upstream kuma-core-cybertrace_backend {         server 10.0.1.2:7222;         server 10.0.1.3:7222;     }     upstream kuma-core-rest_backend {         server 10.0.1.2:7223;         server 10.0.1.3:7223;     } }

• An access key from the device on which KUMA is installed is added to the load balancer server.
• The SELinux module is NOT enabled on the balancer server in the operating system.
• The tar, systemctl, setfacl packages are installed on the hosts.

During KUMA installation, the hosts are automatically checked to meet the following hardware requirements. If these conditions are not met, the installation is terminated.

For demonstration purposes, you can disable the check of these conditions during installation by specifying the low_resources: true variable in the inventory file.

• Number of CPU cores (threads) – 12 or more.
• RAM – 22,528 MB or more.
• Available disk space in the /opt/ section – 1,000 GB or more.
• For initial installation, the /var/lib/ section must have at least 32 GB of available space. If the cluster is already installed on this node, the size of the required available space is reduced by the size of the /var/lib/k0s directory.

Additional requirements for the application installation in the Astra Linux Special Edition operating system

• Installing a high availability configuration of KUMA is supported for the Astra Linux Special Edition RUSB.10015-01 operating system (2022-1011SE17MD, update 1.7.2.UU.1). Core version 5.15.0.33 or higher is required.
• The following packages are installed on the machines intended for deploying a Kubernetes cluster:
  • open-iscsi
  • wireguard
  • wireguard-tools

  The packages can be installed using the following command:

  sudo apt install open-iscsi wireguard wireguard-tools

Additional requirements for the application installation in the Oracle Linux operating system

The following packages are installed on the machines intended for deploying a Kubernetes cluster:

• iscsi-initiator-utils
• wireguard-tools

Before installing packages, you must add the EPEL repository as a source:

• sudo yum install oracle-epel-release-el8 for Oracle Linux 8.
• sudo yum install oracle-epel-release-el9 for Oracle Linux 9.

The packages can be installed using the following command:

sudo yum install iscsi-initiator-utils wireguard-tools