Trend Micro Cloud One Admission Controller uses the helm package manager for Kubernetes.
We recommend using Helm 3 (version 3.0.1 or later) to install the Trend Micro Cloud One Admission Controller if this is possible for you.
There is a handy guide that will help you get started. In most cases installing Helm 3 involves running a single command.
If you have already installed the Trend Micro Cloud One Admission Controller using Helm 2, you will need to migrate your install. The Helm folks have a helpful blog post that details this process.
If you have to use Helm 2, you will need helm version v2.14.1 or later.
There's a handy quickstart that will help you get started, or if you like living dangerously:
curl -L https://git.io/get_helm.sh | bash
Helm has a cluster-side component called tiller that needs to be installed as well.
Make sure that your kubectl context is set correctly to point to your cluster:
kubectl config current-context
If your kubectl context is not pointing to your cluster, use kubectl config get-contexts and kubectl config use-context to set it, or if you are using Google Cloud Platform follow the instructions in the Connect to the cluster dialog available by clicking the Connect button beside your cluster information in the console.
Configure a service account for tiller and install:
kubectl create serviceaccount \
--namespace kube-system \
tiller
kubectl create clusterrolebinding tiller-cluster-role \
--clusterrole=cluster-admin \
--serviceaccount=kube-system:tiller
helm init --service-account tiller
Use helm version to confirm that you have at least version v2.14.1 of the client and server installed.
Note: the commands above will give tiller full cluster administrator privileges. Review Securing your Helm Installation for help on what to consider when setting up Helm in your cluster.
To use the Admission Controller with your Kubernetes cluster, you need an API key to communicate with Trend Micro Cloud One Container Security.
To obtain an API key:
- Navigate to the Trend Micro Cloud One Container Security console using https://cloudone.trendmicro.com.
- Proceed to the clusters page.
- Add a cluster giving it a unique name which can identify your Kubernetes cluster for which the Admission Controller will be used. Upon registering the cluster, an API key will be provided for use in the installation process.
- Create a file called overrides.yaml that will contain your cluster-specific settings.

  cloudOne:
    ## API key to be used with Trend Micro Cloud One Container Security
    apiKey: YOUR-API-KEY-HERE

- Use helm to install Trend Micro Cloud One Admission Controller with your cluster-specific settings:

  helm install \
  --values overrides.yaml \
  trendmicro \
  https://github.com/trendmicro/cloudone-admission-controller-helm/archive/master.tar.gz
To upgrade an existing installation of Cloud One Admission Controller in the default Kubernetes namespace to the latest version:
helm upgrade \
--values overrides.yaml \
trendmicro \
https://github.com/trendmicro/cloudone-admission-controller-helm/archive/master.tar.gz
You can delete all of the resources created for the Admission Controller by running helm delete:
helm delete trendmicro
Use the helm list command to list installed releases.
helm delete is a destructive command and will delete all of the associated resources. Use with care.
If you want to install a specific version of the Admission Controller, you can use the archive link for the tagged release. For example, to install Trend Micro Cloud One Admission Controller 0.0.1, you can run:
helm install \
--values overrides.yaml \
trendmicro \
https://github.com/trendmicro/cloudone-admission-controller-helm/archive/0.0.1.tar.gz
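The install commands on this page fetch the chart from a URL and read the API key from overrides.yaml. As an added example (not part of the chart's own documentation), these shell functions check a downloaded release archive against a SHA-256 digest you recorded when you reviewed that release, and check overrides.yaml, before helm install runs; the function names, the local file name chart.tar.gz, the digest placeholder and installing from the local copy of the archive are assumptions of this example.

```bash
# Added example: pre-flight checks before `helm install` (not the chart's own code).
# Function names and file names are assumptions made for illustration.

# sha256_of FILE: print the hex SHA-256 digest of FILE.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum < "$1" | cut -d' ' -f1
  else
    shasum -a 256 < "$1" | cut -d' ' -f1
  fi
}

# verify_chart FILE EXPECTED: succeed only if FILE has the digest EXPECTED.
verify_chart() {
  local file="$1" expected="$2" actual
  [ -f "$file" ] || { echo "missing archive: $file" >&2; return 2; }
  actual=$(sha256_of "$file") || return 2
  if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
    echo "digest mismatch for $file: got $actual" >&2
    return 1
  fi
}

# check_overrides FILE: succeed only if cloudOne.apiKey is filled in and
# the file grants no permissions to group or other (it holds a secret).
check_overrides() {
  local file="$1" perms
  [ -f "$file" ] || { echo "missing overrides file: $file" >&2; return 2; }
  if ! grep -Eq '^[[:space:]]+apiKey:[[:space:]]*[^[:space:]#]' "$file"; then
    echo "$file: cloudOne.apiKey is not set" >&2; return 1
  fi
  if grep -Eq '^[[:space:]]+apiKey:.*YOUR-API-KEY-HERE' "$file"; then
    echo "$file: apiKey is still the placeholder" >&2; return 1
  fi
  # Characters 5-10 of the ls mode string are the group and other bits.
  perms=$(ls -ld -- "$file" | cut -c5-10)
  if [ "$perms" != "------" ]; then
    echo "$file: group/other can access the API key; run chmod 600" >&2
    return 1
  fi
}

# Usage (the digest is a placeholder for the value you recorded):
#   curl -fsSLo chart.tar.gz \
#     https://github.com/trendmicro/cloudone-admission-controller-helm/archive/0.0.1.tar.gz
#   verify_chart chart.tar.gz "<SHA256-YOU-RECORDED>" && check_overrides overrides.yaml &&
#     helm install --values overrides.yaml trendmicro ./chart.tar.gz
```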
To install the Admission Controller into an existing Kubernetes namespace that's different from the current namespace, use the --namespace parameter in the helm install command:
helm install \
--namespace {namespace} \
--values overrides.yaml \
trendmicro \
https://github.com/trendmicro/cloudone-admission-controller-helm/archive/master.tar.gz
Helm uses a file called values.yaml to set configuration defaults. You can find detailed documentation for each of the configuration options in this file.
As described above, you can override the defaults in this file by creating an overrides.yaml file and providing the location of this file on the command line:
helm install \
--values overrides.yaml \
trendmicro \
https://github.com/trendmicro/cloudone-admission-controller-helm/archive/master.tar.gz
If you create a file to override the values, make sure to copy the structure from the chart's values.yaml file. You only need to provide the values that you are overriding.
Most issues can be investigated using the Admission Controller logs. The Admission Controller logs can be accessed using kubectl with the following command:
kubectl logs deployment/trendmicro-admission-controller