Deploying Trend Micro Smart Check on OpenShift

• Deploying Trend Micro Smart Check on OpenShift
  • Getting Started
  • Create a Project
  • Permissions and SecurityContextConstraints
  • Create a Database
  • Deploy Smart Check
  • Result
  • Support
  • Contribute

Get started running Smart Check on OpenShift.

Tested on CodeReadyContainers 4.10.

Getting Started

Create a Project

Create a project for Smart Check. For simplicity, we're going to deploy the database into the same project later on.

oc new-project smartcheck

Permissions and SecurityContextConstraints

Create new Security Context Constraints for Smart Check and PostgreSQL. The defined one is a copy from the default restricted with a changed priority and runAsUser value. Assign the scc to the default service user within the project.

cat <<EOF | oc apply -f -
kind: SecurityContextConstraints
apiVersion: security.openshift.io/v1
metadata:
  name: smartcheck
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities: null
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: RunAsAny
groups:
- system:authenticated
priority: 10
readOnlyRootFilesystem: false
requiredDropCapabilities:
- KILL
- MKNOD
- SETUID
- SETGID
runAsUser:
  type: RunAsAny
seLinuxContext:
  type: RunAsAny
supplementalGroups:
  type: RunAsAny
users: []
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret
EOF

oc adm policy add-scc-to-user smartcheck -z default

A template for a PostgreSQL Database is available under the postgresql name in the Registry used by CRC. We will use it to deploy our database shortly, but if using it as it is, you will run into an issue with mkdir: can't create directory '/var/lib/postgresql/data/pgdata': Permission denied. To solve this, we give the postgresql some more privileges ;-)

oc adm policy add-scc-to-user privileged -z postgres

In production environments one would typically use something like AWS RDS or similar.

Create a Database

Next, setup a PostgreSQL. Therefore, you can create a new PostgreSQL application as follows:

oc process -n openshift postgresql-persistent -o yaml \
  -p POSTGRESQL_USER=dssc \
  -p POSTGRESQL_PASSWORD=dssc \
  -p POSTGRESQL_DATABASE=dssc \
  > postgresql.yaml

modify the postgresql.yaml

- apiVersion: apps.openshift.io/v1
  kind: DeploymentConfig
  ...
  spec:
    replicas: 1
    selector:
      name: postgresql
    strategy:
      type: Recreate
    template:
      metadata:
        labels:
          name: postgresql
      spec:
        containers:
        ...
          securityContext:
            capabilities: {}
            privileged: false
          # add service account
          serviceAccount: postgres
          serviceAccountName: postgres
          terminationMessagePath: /dev/termination-log
        ...

Create the database with

oc create -f postgresql.yaml

The created user within the postgresql does not have the required permissions create database and create role which we need to grant to the user dssc. Connect to the database with

oc rsh $(oc get pods -o json | jq -r '.items[].metadata | select(.name | startswith("postgres")) | .name' | grep -v deploy)

Within the new shell...

psql
\du

                                   List of roles
 Role name |                         Attributes                         | Member of 
-----------+------------------------------------------------------------+-----------
 dssc      |                                                            | {}
 postgres  | Superuser, Create role, Create DB, Replication, Bypass RLS | {}

alter role dssc with createdb createrole;

\du
                                   List of roles
 Role name |                         Attributes                         | Member of 
-----------+------------------------------------------------------------+-----------
 dssc      | Create role, Create DB                                     | {}
 postgres  | Superuser, Create role, Create DB, Replication, Bypass RLS | {}

Alternatively, you could drop the DB and the role and recreated it:

drop database dssc;
drop role dssc;
create role "dssc" with password 'dssc' login createdb createrole;
create database "dssc" with owner "dssc";

You can test the connectivity by running

kubectl run -it --image=ubuntu ushell --restart=Never --rm -- /bin/bash

root@kshell:/ apt update ; apt install -y postgresql-client
root@kshell:/ psql -h postgresql dssc dssc

Password is dssc.

Password for user dssc:
psql (12.9 (Ubuntu 12.9-0ubuntu0.20.04.1), server 10.17)
Type "help" for help.

dssc=> \l
                                List of databases
  Name    |  Owner   | Encoding |  Collate   |   Ctype    |   Access privileges
-----------+----------+----------+------------+------------+-----------------------
dssc      | dssc     | UTF8     | en_US.utf8 | en_US.utf8 |
postgres  | postgres | UTF8     | en_US.utf8 | en_US.utf8 |
template0 | postgres | UTF8     | en_US.utf8 | en_US.utf8 | =c/postgres          +
          |          |          |            |            | postgres=CTc/postgres
template1 | postgres | UTF8     | en_US.utf8 | en_US.utf8 | =c/postgres          +
          |          |          |            |            | postgres=CTc/postgres
(4 rows)

Deploy Smart Check

Create Overrides. Change the service type to LoadBalancer if you have a Load Balancer

cat <<EOF > overrides-smartcheck.yml
auth:
  secretSeed: 'just_anything-really_anything'
  userName: 'admin'
  password: 'trendmicro'
persistence:
  enabled: true
service:
  type: NodePort
db:
  host: postgresql
  port: 5432
  user: dssc
  password: dssc
  tls:
    mode: disable
EOF

Install Smart Check

helm install -n smartcheck --values overrides-smartcheck.yml smartcheck https://github.com/deep-security/smartcheck-helm/archive/master.tar.gz

Note: As of Openshift 4.10 there is an issue with NetworkPolicies and Egress. To fix that after the helm install run the following:

Links:

• Bugzilla
• Errata
• Release Notes
• Assigning Egress IPs

#!/bin/bash
cat <<EOF > networkpolicy-patch.yaml
spec:
  egress:
    - {}
EOF

POLS=$(oc get networkpolicy -o json|jq -r '.items[].metadata.name')
for pol in $POLS; do kubectl patch networkpolicy $pol --patch-file networkpolicy-patch.yaml ;done;

Result

If everything worked correctly you should have a running Smart Check deployment on your cluster.

In case you're using CodeReady Containers do the following to enable access to Smart Check:

oc create route passthrough --service proxy --hostname smartcheck.testing

Finally, add smartcheck.testing to the line with some other .testing names. Example:

192.168.64.2 smartcheck.testing api.crc.testing console-openshift-console.apps-crc.testing default-route-openshift-image-registry.apps-crc.testing oauth-openshift.apps-crc.testing

Access Smart Check with your browser with https://smartcheck.testing.

Support

This is an Open Source community project. Project contributors may be able to help, depending on their time and availability. Please be specific about what you're trying to do, your system, and steps to reproduce the problem.

For bug reports or feature requests, please open an issue. You are welcome to contribute.

Official support from Trend Micro is not available. Individual contributors may be Trend Micro employees, but are not official support.

Contribute

I do accept contributions from the community. To submit changes:

1. Fork this repository.
2. Create a new feature branch.
3. Make your changes.
4. Submit a pull request with an explanation of your changes or additions.

I will review and work with you to release the code.