Install Deepfactor K8s webhook on EKS Fargate

Table of Contents

Introduction #

This document is a guide for installing the Deepfactor admission webhook in your AWS EKS cluster running on AWS Fargate via helm charts.

A Fargate EKS cluster can be created either by using CLI, UI, or eksctl command line tool as follows.

eksctl create cluster --name my-cluster --region AWS_REGION --fargate

 

Create Fargate Profile For Deepfactor webhook #

Please create a Fargat Profile for the namespace in which the Deepfactor webhook will be deployed.

You may create the Fargate profile using the command below.

eksctl create fargateprofile \
      --cluster my-cluster \
      --name my-fargate-profile-name \
      --namespace df-webhook \
      --region CLUSTER_NAME \
      --labels key=value

 

Install Deepfactor Mutating Webhook #

The Deepfactor webhook requires a certificate to communicate with the kube api server.

Add Deepfactor Helm Repository #

Add Deepfactor Helm Repository using the commands below. If you do not have helm installed, please click here.

helm repo add deepfactor https://static.deepfactor.io/helm-charts
  helm repo update

 

Customize webhook-override.yaml #

Store the default webhook config in a file named webhook-override.yaml

helm show values deepfactor/webhook \
  | grep -A999 -e 'webhookconfig:' | tee webhook-override.yaml

 

Update the override.yaml with the dfRunToken value under the webhookconfig section with the run token fetched from the Deepfactor portal UI

For more details about the various webhook configuration parameters please refer to the following article.

Configure Deepfactor Mutating Webhook

 

Manually generate a certificate for the webhook #

Deepfactor Mutating Webhook supports only self-signed certificates when deployed in the AWS Fargate EKS cluster. You can use the following set of commands to accomplish this.

rm -rf webhook-certs
  export HELM_RELEASE_NAME=df-webhook-stable
  export HELM_RELEASE_NAMESPACE=df-webhook
  bash -c "$(curl -L https://static.deepfactor.io/scripts/public/df-webhook/cert-gen/certgen.sh)"

 

On successful completion, you will find the following three files under the certs directory.

  • ca.crt
  • tls.crte
  • tls.keye

Pass the generated certificates in the helm install command as shown below. Now the webhook will be installed and will use the manually generated certificates.

helm upgrade --install $HELM_RELEASE_NAME -n $HELM_RELEASE_NAMESPACE deepfactor/webhook \
      --set-file=webhook.ca.crt=webhook-certs/ca.crt \
      --set-file=webhook.tls.crt=webhook-certs/tls.crt \
      --set-file=webhook.tls.key=webhook-certs/tls.key \
      --create-namespace -f webhook-override.yaml \
      --set webhook.resources.requests.cpu=125m \
      --set webhook.resources.requests.memory=250Mi \
      --set webhook.resources.limits.cpu=250m \
      --set webhook.resources.limits.memory=500Mi \
      --set clusterName=CLUSTER_NAME_OF_YOUR_CHOICE \

 

Update Deepfactor Webhook #

helm upgrade --install df-webhook-stable -n df-webhook deepfactor/webhook -f webhook-override.yaml

 

Uninstall Deepfactor Webhook #

helm uninstall df-webhook-stable -n df-webhook
Was this article helpful?

Powered by BetterDocs

Deepfactor Icon

Deepfactor is a developer security platform that enables engineering teams to quickly discover and resolve security vulnerabilities, supply chain risks, and compliance violations early in development and testing.

Product Pricing Resources Company Documentation Login Demo

SUBSCRIBE TO OUR NEWSLETTER!

© 2023 Deepfactor, Inc. All Rights Reserved.

Privacy Policy | Terms of Service | Open Source Disclosure