Versions Compared

Version Old Version 14 New Version Current
Changes made by

Space Sync for Confluence

Space Sync for Confluence

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Note

Make sure you have /usr/local/bin configured in your PATH: export PATH=$PATH:/usr/local/bin).
All the commands must be executed as root user.

Info

The commands have been tested on Ubuntu Server 20.04 LTS, SUSE Linux Enterprise Server 15 SP4 and RHEL 9.2 and 9.4.

Note

For RHEL, K3s needs the following package to be installed: k3s-selinux (repo rancher-k3s-common-stable) and its dependencies container-selinux (repo rhel-8-appstream-rhui-rpms) and policycoreutils-python-utils (repo rhel-8-baseos-rhui-rpms). On systems without access to online repositories, the corresponding *.rpm package for each of the above dependencies should be copied to the server first and installed locally.Also, firewalld nm-cloud-setup.service and nm-cloud-setup.timer must be disabled and the server restarted before the installation.
Click here for more information.

Other SUSE, CentOS, RedHat prerequisites: Prerequisites for k3s on RHEL/CentOS/Oracle Linux

Ubuntu prerequisites: Prerequisites for k3s on Ubuntu Linux

The steps below you guide you through the air-gap installation of K3s, a lightweight Kubernetes distribution created by Rancher Labs:

  1. Extract the downloaded file:

Code Block
tar -xf gv-platform-$VERSION.tar

...

  # (replace$VERSION according to downloaded file)

  1. Prepare K3s for air-gap installation:

Code Block
breakoutModewide
languagebash

...

sudo su -
mkdir -p /var/lib/rancher/k3s/agent/images/

...

gunzip -c assets/k3s-airgap-images-amd64.tar.gz > /var/lib/rancher/k3s/agent/images/airgap-images.tar

...

cp assets/k3s /usr/local/bin && chmod +x /usr/local/bin/k3s

...


tar -xzf assets/helm-v3.8.2-linux-amd64.tar.gz

...

cp linux-amd64/helm /usr/local/bin

  1. Before installation, it’s recommended to run automatic checks (as root; PRODUCT_NAME is either “synergy” (endpoint agent) or “dspm“ (dspm without endpoint agent) or “ultimate“ (dspm + endpoint agent). If unsure use “ultimate“):

    Code Block

...

  1. cat scripts/k3s.sh | PRODUCT_NAME=ultimate ONLY_PRECHECK=true bash -

    Install K3s:

Code Block
languagebash

...

cat scripts/k3s.sh | INSTALL_K3S_SKIP_DOWNLOAD=true K3S_KUBECONFIG_MODE="644" \ 
SKIP_NETWORK_CHECKS=true sh -s - server --node-name=local-01
Info

Few more arguments that can be used to customize the execution of the k3s script:
SKIP_PRECHECK=true to skip the execution of the precheck script while installing k3s service

SKIP_SYSTEM_CHECKS=true to skip the system hardware checking during precheck

SKIP_NETWORK_CHECKS=true to skip the system network connectivity checking during precheck

Example:

cat scripts/k3s.sh | INSTALL_K3S_SKIP_DOWNLOAD=true SKIP_PRECHECK=true K3S_KUBECONFIG_MODE="644" sh -s - server --node-name=local-01

...

  1. Import Docker images locally:

Code Block
breakoutModewide
languagebash

...

mkdir /tmp/import

...

for f in images/*.gz; do IMG=$(basename "${f}" .gz); gunzip -c "${f}" > /tmp/import/"${IMG}"; done

...


for f in /tmp/import/*.tar; do ctr -n=k8s.io images import "${f}"; done

Install Helm charts

The following steps guide you through the installation of the dependencies required by DSPM and Synergy (Endpoint Agent).

Info

Replace $VERSION with the version that is present in the bundle that has been downloaded.
To check all the charts that have been download downloaded run ls charts.

Replace IPADDRESS/DNS/FQDN with IP Adress or FQDN or DNS name for Keycloak in formats like below
https://192.168.10.1 or https://gv.domain.local or https://gv.getvisibility.com
In case you want to enable kibana on airgap cluster add below setting to the Helm command
--set eck-operator.kibanaEnabled=true

  1. Install Getvisibility Essentials and set the daily UTC backup hour (0-23) for performing backups.

    Code Block
    # helm upgrade --install gv-essentials charts/gv-essentials-$VERSION.tgz --wait \
--timeout=10m0s --kubeconfig /etc/rancher/k3s/k3s.yaml \
--set backup.hour=1 \
--set eck-operator.enabled=true \
--set updateclusterid.enabled=false \
--set keycloak.url=https://(IPADDRESS/|DNS/|FQDN)

  2. Install Monitoring CRD:

    Code Block
    # helm upgrade --install rancher-monitoring-crd charts/rancher-monitoring-crd-$VERSION.tgz \
--wait \
--kubeconfig /etc/rancher/k3s/k3s.yaml \
--namespace=cattle-monitoring-system \
--create-namespace

  3. Install Monitoring:

    Code Block
    # helm upgrade --install rancher-monitoring charts/rancher-monitoring-$VERSION.tgz \
--wait \
--kubeconfig /etc/rancher/k3s/k3s.yaml \
--namespace=cattle-monitoring-system \
--set k3sServer.enabled=true \
--set k3sControllerManager.enabled=true \
--set k3sScheduler.enabled=true \
--set k3sProxy.enabled=true \
--set prometheus.retention=5 \
Info

To expose Grafana via an ingress on the path /grafana (allowing access through https://IPADDRESS_or_DNSNAME/grafana), add the following flag to the monitoring installation command:

...

  • $VERSION with the version that is present in the bundle that has been downloaded

  • $RESELLER with the reseller code (either getvisibility or forcepoint)

  • $PRODUCT with the product being installed (synergy, dspm, enterprise or ultimate)

Code Block
# helm upgrade --install gv-platform charts/gv-platform-$VERSION.tgz --wait \
--timeout=10m0s --kubeconfig /etc/rancher/k3s/k3s.yaml \
--set-string clusterLabels.environment=prod \
--set-string clusterLabels.cluster_reseller=$RESELLER \
--set-string clusterLabels.cluster_name=mycluster \
--set-string clusterLabels.product=$PRODUCT
Info

In case if you expirience experience 404 error for accessing to Keycloak or UI and use 1.26 (default) version of K3s ensure that treafik traefik patch is applied

Code Block
# kubectl patch clusterrole traefik-kube-system -n kube-system --type='json' -p='[{"op": "add", "path": "/rules/-1/apiGroups/-", "value": "traefik.io"}]'
#
kubectl apply -f assets/traefik-patch.yaml
# kubectl rollout restart deployment traefik -n kube-system

...

  1. Install Getvisibility Essentials and set the daily UTC backup hour (0-23) for performing backups.

    Code Block
    $ helm upgrade --install gv-essentials charts/gv-essentials-$VERSION.tgz --wait \
--timeout=10m0s --kubeconfig /etc/rancher/k3s/k3s.yaml \
--set global.high_available=true \
--set eck-operator.enabled=true  \
--set minio.replicas=4 \
--set minio.mode=distributed \
--set consul.server.replicas=3 \
--set updateclusterid.enabled=false \
--set backup.hour=1
--set eck-operator.enabled=true

  2. Install Monitoring CRD:

    Code Block
    $ helm upgrade --install rancher-monitoring-crd charts/rancher-monitoring-crd-$VERSION.tgz --wait \
--kubeconfig /etc/rancher/k3s/k3s.yaml \
--namespace=cattle-monitoring-system \
--create-namespace

  3. Install Monitoring:

    Code Block
    $ helm upgrade --install rancher-monitoring charts/rancher-monitoring-$VERSION.tgz --wait \
--kubeconfig /etc/rancher/k3s/k3s.yaml \
--set global.high_available=true \
--namespace=cattle-monitoring-system \
--set loki-stack.loki.replicas=2 \
--set prometheus.prometheusSpec.replicas=2
--set prometheus.retention=5
Info

To expose Grafana via an ingress on the path /grafana (allowing access through https://IPADDRESS_or_DNSNAME/grafana), add the following flag to the monitoring installation command:

...