Kubernetes (K8s) Out-of-the-box Data Collection Integration

To learn more about Out-of-the-box Integrations and their benefits, please refer to this article.

In this article, you will find out how to configure your Kubernetes cluster to record and collect DNS data from your cluster network and have it sent to Lumu to be analyzed, improving the monitoring & response capabilities of your organization.

Requirements

  • A Kubernetes cluster, versions 1.16 to 1.25
  • CoreDNS running in your cluster
  • Cluster API access through kubectl
  • Enough privileges to create namespaces, services, service accounts, cluster roles and cluster role bindings.
  • Enough privileges to modify network policies and system configurations
  • Permission to pull container images from the public Docker Hub repository

Add integration

1. Log in to your Lumu account through the Lumu Portal and navigate to the Integrations screen. Locate the Kubernetes integration in the Available Apps area and click add.

2. Familiarize yourself with the integration details available in the app description and click the activate button to create the integration.

3. Once the integration is created, you will be able to see your company UUID and your integration UUID.



Kubernetes Deployment

It is strongly recommended that the professional carrying out the following integration procedures be proficient and knowledgeable in the use of Kubernetes, as these steps require a level of expertise.

The deployment of the integration is divided into several Kubernetes object components defined in several manifests in .yaml format. These files can be downloaded from the following repository. Keep in mind that some values included in these files must be replaced with your company's own data. Please remember that you can always contact us for support should you encounter any difficulties during the customization process.

In the following steps, use a command terminal to run the indicated commands and an editor of your choice to modify the files' content as needed, replacing the example values with your own. The following objects will be created as a result:

  • A Lumu namespace
  • A service account and a cluster role
  • A sender deployment and service, lumu-sender-service
  • A receiver deployment and service, lumu-receiver-service

1. Select and/or create the folder where the manifests will be downloaded from the repository.

$ mkdir ~/lumu-k8s-ootb
$ cd ~/lumu-k8s-ootb

2. Clone the Repository

$ git clone https://bitbucket.org/lumuio/kubernetes-feeds.git

Edit the file kubernetes-feeds/manifests/05-lumu-sender-configmap.yaml and enter the values provided by the Lumu Portal after creating the integration, namely your company UUID and integration UUID.

apiVersion: v1
kind: ConfigMap
metadata:
  name: lumu-sender-configmap
  namespace: lumu
data:
  INPUT_PORT: "7412"
  LUMU_COMPANY_ID: <Company UUID>
  LUMU_INTEGRATION_ID: <Integration UUID>

  ... < Omitted lines > ...

3. Apply the manifests to the cluster by running the following command.

$ cd kubernetes-feeds/manifests
$ kubectl apply -f ./

  • This command will display the following output in the terminal.

namespace/lumu created

serviceaccount/lumu-service-account created

clusterrole.rbac.authorization.k8s.io/lumu-cluster-role created

clusterrolebinding.rbac.authorization.k8s.io/lumu-cluster-role-binding created

configmap/lumu-sender-configmap created

deployment.apps/lumu-sender-deployment created

service/lumu-sender-service created

configmap/lumu-receiver-configmap created

deployment.apps/lumu-receiver-deployment created

service/lumu-receiver-service created

  • This will download the images from the public Docker Hub repository. The process should take a few seconds to complete, though this may vary depending on the speed of the cluster's internet connection. You can check the status of the deployment with the following command:

$ kubectl -n lumu rollout status deployments

  • The output obtained should be similar to the one shown below:

Waiting for deployment "lumu-receiver-deployment" rollout to finish: 0 of 1 updated replicas are available...

deployment "lumu-receiver-deployment" successfully rolled out

deployment "lumu-sender-deployment" successfully rolled out

4. In the lumu-sender-service logs, you should see something similar to this:

[INFO ] 2022-12-19 20:34:16.462 [[upload]-pipeline-manager] javapipeline - Starting pipeline {:pipeline_id=>"upload", "pipeline.workers"=>16, "pipeline.batch.size"=>50, "pipeline.batch.delay"=>2000, "pipeline.max_inflight"=>800, "pipeline.sources"=>["/usr/share/logstash/pipeline/upload.cfg"], :thread=>"#<Thread:0x61d71ef5 run>"}

[INFO ] 2022-12-19 20:34:18.155 [[upload]-pipeline-manager] javapipeline - Pipeline Java execution initialization time {"seconds"=>1.69}

[INFO ] 2022-12-19 20:34:18.230 [[upload]-pipeline-manager] tcp - Automatically switching from json to json_lines codec {:plugin=>"tcp"}

[INFO ] 2022-12-19 20:34:18.440 [[upload]-pipeline-manager] javapipeline - Pipeline started {"pipeline.id"=>"upload"}

[INFO ] 2022-12-19 20:34:18.451 [[upload]<tcp] tcp - Starting tcp input listener {:address=>"0.0.0.0:7412", :ssl_enable=>false}

[INFO ] 2022-12-19 20:34:18.593 [Agent thread] agent - Pipelines running {:count=>1, :running_pipelines=>[:upload], :non_running_pipelines=>[]}

  • In the lumu-receiver-service logs you should see something similar to the following:

2023-01-16T20:41:54,870 INFO [output.py:9] Connection with lumu-sender-service established

5. After your deployment has started correctly, you must configure CoreDNS to forward DNS data to the receiver. 

  • First, you must know the IP address of lumu-receiver-service:

kubectl -n lumu get services

NAME                    TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)    AGE
lumu-receiver-service   ClusterIP   10.100.108.8    <none>        6000/TCP   25s
lumu-sender-service     ClusterIP   10.97.214.136   <none>        7412/TCP   25s

  • You should set the IP address of lumu-receiver-service in its service definition manifest so that it remains stable, since CoreDNS will be configured to forward to that address.

6. Knowing the IP address of lumu-receiver-service, run the following command:

kubectl -n kube-system edit cm coredns

7. Add the dnstap configuration line shown below, using the IP address of lumu-receiver-service:

apiVersion: v1
data:
  Corefile: |
    .:53 {
        dnstap tcp://10.100.108.8:6000 full
        errors
        health {
           lameduck 5s
        }
        ready

        ... < Omitted lines > ...

Please be careful: your cluster may become unstable if this configuration fails.

8. After editing the configuration, you’ll need to restart the CoreDNS service using the following command:

kubectl -n kube-system rollout restart deployment coredns

  • After the restart you should see the following in the lumu-receiver-service logs:

2023-01-16T20:44:07,561 INFO [input.py:18] Data is being received!
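The CoreDNS change in steps 5 to 8 is the one place where a mistake can take down cluster DNS, and an interactive "kubectl edit" leaves no record of what was changed. The following script is an added example, not code from the Lumu repository or from this article: it inserts the dnstap line into a Corefile as a plain text transformation that can be reviewed and diffed before it is applied, refuses an address that is not a valid IPv4 cluster IP, does nothing on a second run, and offers a check that the live Corefile really carries the forwarding line after the restart. The receiver address 10.100.108.8 and port 6000 are the values shown above; the sample Corefile embedded in the script is constructed for the demonstration and the kubectl commands in the comments are the intended use, not executed by the script itself.

```shell
#!/bin/sh
# Added example (not part of the Lumu manifests): prepare the CoreDNS
# dnstap change as a reviewable text edit. Receiver address 10.100.108.8
# and port 6000 are the values from the article; the Corefile below is
# a constructed sample.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= NF; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }
        { exit 0 }'
}

# Read a Corefile on stdin and write it to stdout with
#     dnstap tcp://<ip>:<port> full
# inserted directly after the ".:53 {" line, as in the article's snippet.
# Idempotent: if any dnstap directive is already present the input is
# passed through unchanged, so a second run never duplicates the line.
add_dnstap() {
    ip="$1"; port="${2:-6000}"
    is_ipv4 "$ip" || { echo "add_dnstap: '$ip' is not an IPv4 address" >&2; return 1; }
    awk -v ep="tcp://$ip:$port" '
        $1 == "dnstap" { seen = 1 }        # an existing directive disables the insert
        { lines[NR] = $0 }                 # buffer the file; decide once at the end
        END {
            for (n = 1; n <= NR; n++) {
                print lines[n]
                if (!seen && lines[n] ~ /^[ \t]*\.:53[ \t]*[{]/) {
                    match(lines[n], /^[ \t]*/)   # reuse the server block indent
                    print substr(lines[n], 1, RLENGTH) "    dnstap " ep " full"
                }
            }
        }'
}

# Return 0 if the Corefile on stdin forwards to tcp://<ip>:<port> via dnstap.
# Run it against the live ConfigMap after the rollout restart.
has_dnstap() {
    ipre=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for the regex
    grep -q "^[[:space:]]*dnstap[[:space:]][[:space:]]*tcp://$ipre:${2:-6000}[[:space:]][[:space:]]*full"
}

# Constructed sample resembling a default kube-system Corefile (no dnstap yet).
SAMPLE_COREFILE='.:53 {
    errors
    health {
       lameduck 5s
    }
    ready
    kubernetes cluster.local in-addr.arpa ip6.arpa {
       pods insecure
       fallthrough in-addr.arpa ip6.arpa
    }
    forward . /etc/resolv.conf
    cache 30
}'

# Intended use against a live cluster (needs kubectl; not run by this script).
# Keep the backup so the previous Corefile can be restored if DNS misbehaves.
#   kubectl -n kube-system get configmap coredns -o yaml > coredns-backup.yaml
#   kubectl -n kube-system get configmap coredns -o jsonpath='{.data.Corefile}' \
#       | add_dnstap 10.100.108.8 6000 > Corefile.new
#   diff <(kubectl -n kube-system get configmap coredns -o jsonpath='{.data.Corefile}') Corefile.new
#   kubectl -n kube-system create configmap coredns --from-file=Corefile=Corefile.new \
#       --dry-run=client -o yaml | kubectl apply -f -
#   kubectl -n kube-system rollout restart deployment coredns
#   kubectl -n kube-system get configmap coredns -o jsonpath='{.data.Corefile}' \
#       | has_dnstap 10.100.108.8 6000 && echo "dnstap forwarding is configured"

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_COREFILE" | add_dnstap 10.100.108.8 6000
```

The script only rewrites the Corefile text; applying it, restarting CoreDNS and keeping the backup are the operator's steps, which is why they appear as comments. Because the function leaves a Corefile that already has a dnstap directive untouched, it is safe to rerun as part of a reconciliation job, and has_dnstap gives a yes/no check that does not depend on the receiver log line "Data is being received!" appearing.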

Kubernetes Integration Upgrade Procedure

(Before performing any changes, please be sure that you have the necessary tools and permissions to make changes on the cluster)

If the integration was deployed before May 30, 2023, perform the following steps:

1. If you deployed our integration without changing any parameters in the deployment specification, you can apply the changes directly from our public repository.

kubectl apply -f https://bitbucket.org/lumuio/kubernetes-feeds/raw/b51e7cc141665a9b4d1ebc4106586481c5af36a1/manifests/09-lumu-receiver-deployment.yaml

If not, download the new manifest definition file, make the changes you need, and then apply it.

2. You can see the result of the operation with the following command:

kubectl -n lumu rollout status deployment lumu-receiver-deployment

3. Once this new manifest is applied, updates to the latest available stable version will be done with the new update method described below.

If the integration was created after May 30, 2023, follow these steps:

1. Restart the current deployment:

kubectl -n lumu rollout restart deployment lumu-receiver-deployment

2. You can see the result of the operation with the following command:

kubectl -n lumu rollout status deployment lumu-receiver-deployment
