DSPM DRA - K3s Installation

This is Step 1 of the DSPM DRA Setup

Requirements

We use Kubernetes, an open-source container orchestration system, to manage our applications. At the moment the only Kubernetes distribution supported is K3s (see the official K3s documentation) by Suse Linux, for both on-premise and cloud deployments.

The minimum requirement for the Kubernetes cluster is a single node (1 virtual machine) with the following specs:

 

DSPM

CPU: 20 cores. The CPU must support the instructions SSE4.1, SSE4.2, AVX, AVX2, FMA. Only x86_64 architecture is supported. Minimum CPU speed is 2.2 GHz.

Memory: 80GB

Storage: 700GB. Min available inodes for ext4: 39M

Storage details

  • only SSD storage is supported

  • SWAP must be disabled

  • / root requires at least 20GB

  • /var requires at least 20GB

  • /var/lib/rancher requires at least 700GB

  1. if neither /var nor /var/lib/rancher is specifically assigned to a partition you must assign the full 700GB to root

  2. if /var is specifically assigned to a partition but /var/lib/rancher is not, then you must assign the 700GB to /var

  3. if /var/lib/rancher is specifically assigned to a partition but /var is not, then you must assign the 700GB to /var/lib/rancher
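The hardware and storage rules above can be checked on the target host before the installer is run. The script below is an added example, not the vendor's k3s.sh precheck; its function names are hypothetical, and it assumes a Linux host with /proc mounted, reading 700GB as GiB and 39M as 39,000,000.

```shell
#!/bin/sh
# Added example: pre-flight check (hypothetical names, not the vendor's precheck).
REQUIRED_FLAGS="sse4_1 sse4_2 avx avx2 fma"  # /proc/cpuinfo names of SSE4.1, SSE4.2, AVX, AVX2, FMA

# Print the required CPU flags missing from a /proc/cpuinfo "flags" line ($1).
missing_cpu_flags() {
    missing=""
    for f in $REQUIRED_FLAGS; do
        case " $1 " in
            *" $f "*) ;;
            *) missing="$missing $f" ;;
        esac
    done
    echo "${missing# }"
}

# Succeed when swap is active. $1 is a file in /proc/swaps format (header + devices).
swap_enabled() {
    awk 'NR > 1 { n++ } END { exit (n ? 0 : 1) }' "$1"
}

# Print the mount point that must hold the 700GB, given the host's mount points
# as arguments (storage rules 1-3 above).
rancher_backing_mount() {
    best="/"
    for m in "$@"; do
        case "$m" in
            /var/lib/rancher) best="$m"; break ;;
            /var) best="$m" ;;
        esac
    done
    echo "$best"
}

# Run the checks against the live host; returns non-zero on CPU or swap failure.
# Size and inode thresholds read 700GB as GiB and 39M as 39,000,000 (assumptions).
preflight() {
    rc=0
    miss=$(missing_cpu_flags "$(grep -m1 '^flags' /proc/cpuinfo)")
    [ -z "$miss" ] || { echo "FAIL cpu: missing $miss"; rc=1; }
    if swap_enabled /proc/swaps; then echo "FAIL swap is enabled"; rc=1; fi
    target=$(rancher_backing_mount $(awk '{ print $2 }' /proc/mounts))
    size_gb=$(df -Pk "$target" | awk 'NR == 2 { print int($2 / 1048576) }')
    [ "$size_gb" -ge 700 ] || echo "CHECK $target: ${size_gb}GB, need 700GB"
    ifree=$(df -Pi "$target" | awk 'NR == 2 { print $4 }')
    [ "$ifree" -ge 39000000 ] || echo "CHECK $target: $ifree free inodes (ext4 minimum 39M)"
    return $rc
}

if [ "${1:-}" = "--run" ]; then preflight; exit $?; fi
```

Save it to a file and run it with the argument --run on the target host to execute the live checks.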

Operating System

Ubuntu 20.04 LTS Server is recommended. Other supported operating systems include:

  • Ubuntu 22.04, 24.04

  • RHEL 9.2 and 9.4

  • CentOS 7.9

  • Suse Linux 15.3

Only Server edition versions are supported, with no Desktop Environment installed. No other Linux distributions are supported.

Root access to the server is necessary during the deployment process and may also be required for support tickets and troubleshooting. Please ensure that the service user account accessing the server and deploying the K3s installer has sudo privileges to access and run the installer as root.

Firewall

  • Port 443/TCP must be open to allow clients to access the dashboard and API

  • To download application artifacts (Docker images and binaries), updates, and configuration files, the cluster requires a public internet connection with a minimum download speed of 40 Mbps and an upload speed of 8 Mbps. For a faster initial setup, a download speed of 100 Mbps or more is recommended.

K3s version support

1.24, 1.26

Other requirements

  • Domain Name Service (DNS) with public name resolution enabled

  • Network Time Protocol (NTP) service configured

  • Internet access to a network-based repository for software update packages

  • Fixed private IPv4 address

  • Unique static hostname

For hardened systems, see: Deploying Product in CIS hardened OS or K3s

When deploying using RHEL / CentOS / Suse:

When deploying using Ubuntu:

  • disable ufw, systemd-resolved, apparmor

Network settings

Your network should be configured so that the following public URLs are accessible over port 443 (HTTPS) and their HTTPS traffic is bypassed (NOT intercepted):

  • https://assets.master.k3s.getvisibility.com (Custom K3s installation files)

  • https://images.master.k3s.getvisibility.com (Private Docker registry)

  • https://charts.master.k3s.getvisibility.com (Private Helm registry)

  • https://prod-eu-west-1-starport-layer-bucket.s3.eu-west-1.amazonaws.com (Docker registry AWS CDN)

  • https://rpm.rancher.io (Rancher RPM repo for configuring SELinux packages on RHEL or CentOS)

  • https://api.master.k3s.getvisibility.com (Private API server)

  • https://rancher.master.k3s.getvisibility.com (Rancher management server)

  • https://rancher.$RESELLER_NAME.k3s.getvisibility.com (Rancher management server, where $RESELLER_NAME is Getvisibility for direct customers)

For Forcepoint these are:

  • https://rancher.forcepointus.k3s.getvisibility.com/

  • https://rancher.forcepointapac.k3s.getvisibility.com/

  • https://rancher.forcepointemea.k3s.getvisibility.com/

Installation

Argument: Description

  • SKIP_PRECHECK=true: to skip all built-in checks

  • SKIP_SYSTEM_CHECKS=true: to skip hardware checks

  • SKIP_NETWORK_CHECKS=true: to skip connectivity checks

  • ONLY_PRECHECK=true: will run precheck only and stop after that

This is a sample output after running the k3s.sh installer; note that no issues are reported.

Run the kubectl registration command:

The command below is just an example; it will not work during deployment!

kubectl apply -f https://....k3s.getvisibility.com/v3/import/dxslsxcf84....yaml

Monitor the progress of the installation:

watch -c "kubectl get deployments -A"

  • The K3s deployment is complete when elements of all the deployments (coredns, local-path-provisioner, metrics-server, traefik and cattle-cluster-agent) show at least "1" as "AVAILABLE"

  • In case of errors you can inspect the logs of a pod using kubectl logs, e.g. kubectl logs cattle-cluster-agent-d96d648d8-wjvl9 -n cattle-system
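The completion rule above can also be evaluated by a script instead of by watching the table. This is an added example, not part of the installer; the function names are hypothetical and it assumes the default kubectl get deployments -A column order (NAMESPACE NAME READY UP-TO-DATE AVAILABLE AGE).

```shell
#!/bin/sh
# Added example (hypothetical helper names, not part of the k3s.sh installer).
# Deployments the page lists as required for a complete K3s deployment.
EXPECTED="coredns local-path-provisioner metrics-server traefik cattle-cluster-agent"

# Read `kubectl get deployments -A` output on stdin and print the expected
# deployments that are either absent or report AVAILABLE < 1.
pending_deployments() {
    awk -v expected="$EXPECTED" '
        NR > 1 { avail[$2] = $5 }            # skip header; key by NAME
        END {
            n = split(expected, names, " ")
            for (i = 1; i <= n; i++)
                if (!(names[i] in avail) || avail[names[i]] + 0 < 1)
                    out = out (out == "" ? "" : " ") names[i]
            print out
        }'
}

# Poll until all expected deployments are available or the timeout
# ($1, in seconds, default 900) expires. Returns non-zero on timeout.
wait_for_k3s() {
    deadline=$(( $(date +%s) + ${1:-900} ))
    while [ "$(date +%s)" -lt "$deadline" ]; do
        pending=$(kubectl get deployments -A | pending_deployments)
        if [ -z "$pending" ]; then return 0; fi
        echo "waiting for: $pending"
        sleep 10
    done
    return 1
}

if [ "${1:-}" = "--wait" ]; then wait_for_k3s; exit $?; fi
```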

 

Now, go to Step 2, which is available via this link – DSPM DRA - Rancher Configuration

 


Classified as Getvisibility - Partner/Customer Confidential