Prerequisites for deploying Deepfactor portal in Kubernetes Cluster

Software Requirements

Installing the Deepfactor portal requires a Kubernetes (k8s) 1.19 or later cluster. 

If you do not have a K8s cluster, you can deploy Deepfactor using the OVA or AMI service providers documentation to bring up a K8s cluster:

You will also need Helm3 and kubectl installed on your local machine from which you intend to install Deepfactor Portal:

You will also need kube-config for your K8s cluster installed on your local machine.

 

Hardware Requirements

The table below can be used to estimate the K8s CPU and memory requirements, based on the expected number of applications being observed. As K8s clusters comprise a number of nodes, each with their own complement of CPU and memory resources, the table below reflects the total requirement, spread across all nodes where the Deepfactor portal is deployed. 

 

Portal Size Number of active containers (applications) Number of inactive containers (applications) CPU Requirement Memory Requirement
XS 150 150 10 CPU 11GB
S 320 320 12 CPU 11GB

 

Note: For less then 150 applications you may chose to install Deepfactor portal using OVA or AMI.

Legend:

  • Number of active containers: The number of actively running containers that are sending telemetry to the Deepfactor portal
  • Number of inactive containers: The number of containers that have run in the past, and have their telemetry being stored/analyzed in the Deepfactor portal
  • CPU Requirement: Number of CPUs recommended by Deepfactor for this configuration. This amount refers to the total number of CPUs recommended across all K8s nodes where the Deepfactor portal is deployed, not a single node. For example, a recommendation of 11 CPUs can be satisfied with three nodes with 4 CPUs each, or 2 nodes with 8 CPUs each. All nodes used for the Deepfactor portal should have a minimum of 4 CPUs.
  • Memory Requirement: Total amount of memory recommended across all nodes where the Deepfactor portal is deployed. All nodes used for the Deepfactor portal should have a minimum of 4GB available.

The table above reflects the steady-state requirements for the Deepfactor portal and does not include any additional resources required for DAST scans. For DAST scans, add 2 CPUs and 8GB ram for each concurrent scan being run.

 

For portal configurations requiring more than 640 active containers, contact Deepfactor.

 

 

SSL/Certificate Requirements

An SSL certificate is used to encrypt the telemetry traffic being sent to the Deepfactor portal. By default, a self-signed certificate is used, but a customer-provided certificate can also be used. If you wish to use a customer-provided certificate, you should generate that certificate before portal deployment (using whatever process is in place to generate such certificates). This certificate should be issued for the FQDN you want to assign to the Deepfactor portal. For example, deepfactor.mycompany.com.

 

If you want to use a self-signed certificate, we provide helper scripts. You can use the following commands to generate a self-signed certificate for the domain name of your choice.

wget https://static.deepfactor.io/helm-charts/cert-gen/generate-cert.sh 
wget https://static.deepfactor.io/helm-charts/cert-gen/openssl-portal.cnf
wget https://static.deepfactor.io/helm-charts/cert-gen/openssl-portalca.cnf

Run the script generate-cert.sh by providing the hostname you want to assign to your Deepfactor Portal:

chmod +x generate-cert.sh 
sudo ./generate-cert.sh <deepfactor_portal_hostname>

Generate Kubernetes secrets using the following command:

wget https://static.deepfactor.io/helm-charts/prerequisite/df-certs.yaml.tpl 
wget https://static.deepfactor.io/helm-charts/prerequisite/prerequisite.sh

Run prerequisite.sh to create the deepfactor namespace and k8s secrets required by Deepfactor portal.

chmod +x prerequisite.sh
  ./prerequisite.sh portalkeypath="./portal.key" \
  portalcrtpath="./portal.crt" \
  portalcakeypath="./portalca.key" \
  portalcacrtpath="./portalca.crt" \
  pempath="./01.pem"

portalkeypath, portalcrtpath, portalcakeypath, poatalcacrtpath and pempath are the paths for the respective cert files. If you used generate-cert.sh, these files will be present in the same directory where the script was run.

 

Network connections used by the Deepfactor portal

 

Inbound connections:

  • TCP/443 - Telemetry data from observed applications
  • TCP/13443 - DAST scan results

Outbound internet connections made by the Deepfactor portal:

Deepfactor connections:

https://resolute.deepfactor.io
https://portalintegrations.deepfactor.io
https://static.deepfactor.io

 

Package dependency database updates:


https://search.maven.org
https://repo.maven.apache.org
https://nvd.nist.gov
https://registry.npmjs.org

Note: If the connections above are blocked after product installation, the Deepfactor portal will still function but will not receive updates to the package dependency database.

 

CVE database updates:

https://cve.mitre.org
https://nvc.nist.gov
https://secdb.alpinelinux.org
https://repo.us-west-2.amazonaws.com
https://alas.aws.amazon.com
https://cdn.amazonlinux.com
https://security-tracker.debian.org
https://linux.oracle.com
https://www.redhat.com
https://git.launchpad.net
https://people.ubuntu.com

Note: If the connections above are blocked after product installation, the Deepfactor portal will still function but will not receive updates to the CVE vulnerability database.

 

Deepfactor License Management

To use the Deepfactor Portal, you will need an active Deepfactor On-Premise license. 

Please find the details of the Deepfactor licensing cost below:
https://www.deepfactor.io/pricing

Please reach out to us by clicking the contact us button to obtain a license.

Notes

  • Endpoints sending Deepfactor telemetry data must be able to route to the inbound connections and cannot use a proxy.
  • A self-signed certificate is generated during the initialization of the Deepfactor portal and will require a resolvable FQDN name to the IP address of the Deepfactor portal.
  • Link to supported applications & operating systems.
Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.