PingIntelligence Kubernetes PoC - PingIntelligence for APIs - 5.0

Page created: 12 May 2021 | Page updated: 1 Nov 2021 | 1 min read

This document describes the steps for installing PingIntelligence for APIs in a Kubernetes cluster.

PingIntelligence ships an example yml file with its Docker toolkit package. You can use this example yml file to deploy PingIntelligence for APIs in a Kubernetes cluster.

The example yml file creates the following resources in the Kubernetes cluster:

  • 4 statefulsets with one container each for MongoDB, ABS AI engine, ASE, and PingIntelligence Dashboard.
  • 3 external services (LoadBalancer type), one each for ABS AI engine, ASE, and PingIntelligence Dashboard.
  • 3 internal services (ClusterIP type), one each for MongoDB, ABS AI engine, and ASE.

PingIntelligence supports RHEL 7.9 and Ubuntu 18.04 LTS.

Note: This deployment of PingIntelligence on a Kubernetes cluster node is suitable for PoC environments only. It is not suitable for production environments or for security testing environments.

The Kubernetes cluster can be configured on Azure Kubernetes Service (AKS) or on Amazon Elastic Kubernetes Service (EKS).

Deploying PingIntelligence PoC using Amazon EKS

Page created: 12 May 2021 | Page updated: 1 Nov 2021 | 1 min read

This section discusses installing the PingIntelligence PoC on a Kubernetes cluster node using Amazon EKS.

Deploying PingIntelligence PoC using AKS

Page created: 18 Jun 2021 | Page updated: 1 Nov 2021 | 1 min read

This section discusses installing the PingIntelligence PoC on a Kubernetes cluster node using Azure Kubernetes Service (AKS).

Deploying PingIntelligence in Kubernetes cluster

Page created: 12 May 2021 | Page updated: 1 Nov 2021 | 2 min read

Complete the following steps to deploy PingIntelligence in a Kubernetes cluster:

  1. Download the PingIntelligence Docker toolkit from the download site.
  2. Untar the Docker toolkit by entering the following command.
    tar -zxf <PingIntelligence Docker toolkit>
  3. Build the PingIntelligence Docker images by completing the steps in the Build the PingIntelligence Docker images topic.
  4. Navigate to the pingidentity/docker-toolkit/examples/kubernetes directory to edit the pi4api-k8s-cloud.yml file.
  5. Edit the MODE environment variable in the pi4api-k8s-cloud.yml file to configure the ASE deployment mode. The value can be inline or sideband. The following snippet of the file shows the environment variable.
    
    apiVersion: apps/v1
    kind: StatefulSet
    metadata:
      name: ase
      labels:
        app: ase
    spec:
      serviceName: ase-internal-service
      replicas: 1
      selector:
        matchLabels:
          app: ase
      template:
        metadata:
          labels:
            app: ase
        spec:
          terminationGracePeriodSeconds: 60
          securityContext:
            runAsUser: 10001
            fsGroup: 0
          containers:
            - name: ase
              image: pingidentity/ase:5.0
              imagePullPolicy: Always
              ports:
                - containerPort: 8080
                  name: management
              command:
                - "/bin/bash"
                - "-c"
                - "/opt/pingidentity/ase/entrypoint.sh"
              env:
                - name: TZ
                  value: "Etc/UTC"
                - name: MODE
                  value: "inline"
                - name: ENABLE_CLUSTER
                  value: "true"
                - name: ENABLE_ABS
                  value: "true"
                - name: ABS_ENDPOINT
                  value: "abs-internal-service:8080"
                - name: ABS_ACCESS_KEY
                  value: "abs_ak"
                - name: ABS_SECRET_KEY
                  value: "abs_sk"
                - name: ENABLE_SIDEBAND_KEEPALIVE
                  value: "false"
                - name: ENABLE_ASE_HEALTH
                  value: "false"
    
    
  6. Add the PingIntelligence license in the ConfigMaps section of the pi4api-k8s-cloud.yml file.
    PingIntelligence.lic: |
        ID=
        Organization=
        Product=
        Version=
        IssueDate=
        EnforcementType=
        ExpirationDate=
        MaxTransactionsPerMonth=
        Tier=
        SignCode=
        Signature=
    
  7. Create a namespace.
    $ sudo su
    # kubectl create namespace pingidentity
    
  8. Apply the edited pi4api-k8s-cloud.yml file to deploy the resources on the Kubernetes cluster.
    # kubectl apply -f pi4api-k8s-cloud.yml -n pingidentity
    
    daemonset.apps/startup-script created
    statefulset.apps/mongo created
    statefulset.apps/abs created
    statefulset.apps/ase created
    statefulset.apps/dashboard created
    service/abs-external-service created
    service/ase-external-service created
    service/dashboard-external-service created
    service/mongo-internal-service created
    service/abs-internal-service created
    service/ase-internal-service created
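
A pre-apply check for the edits made in steps 5 and 6, as an added example that is not part of the PingIntelligence toolkit. It flags a MODE value other than inline or sideband, ABS keys left at the literal values printed in the snippet above, and license fields left empty. The helper names `env_value`, `check_manifest` and `sample_manifest` are hypothetical, the sample manifest is constructed, and lines are matched with awk instead of a YAML parser.

```shell
#!/bin/sh
# Added example (not from the PingIntelligence toolkit): pre-apply check for an
# edited pi4api-k8s-cloud.yml. Assumes env entries are written as "- name: X"
# followed by "value: Y", as in the snippet; awk matching, not a YAML parser.

# env_value FILE NAME: print the value of the first env entry called NAME.
env_value() {
  awk -v want="$2" '
    $1 == "-" && $2 == "name:" { hit = ($3 == want); next }
    hit && $1 == "value:"      { gsub(/"/, "", $2); print $2; exit }
  ' "$1"
}

# check_manifest FILE: print one finding per line; return 1 if there are any.
check_manifest() {
  f=$1; rc=0
  mode=$(env_value "$f" MODE)
  case $mode in
    inline|sideband) ;;
    *) echo "MODE is '$mode', expected inline or sideband"; rc=1 ;;
  esac
  for key in ABS_ACCESS_KEY ABS_SECRET_KEY; do
    case $(env_value "$f" "$key") in
      abs_ak|abs_sk) echo "$key still has the value printed in the docs"; rc=1 ;;
    esac
  done
  # Count license lines such as "ID=" with nothing after the equals sign.
  empty=$(awk 'NF == 1 && $1 ~ /^[A-Za-z]+=$/ { n++ } END { print n + 0 }' "$f")
  if [ "$empty" -gt 0 ]; then echo "$empty license field(s) are empty"; rc=1; fi
  return $rc
}

# sample_manifest MODE ACCESS_KEY SECRET_KEY LICENSE_ID: constructed fragment.
sample_manifest() {
  cat <<EOF
          env:
            - name: MODE
              value: "$1"
            - name: ABS_ACCESS_KEY
              value: "$2"
            - name: ABS_SECRET_KEY
              value: "$3"
  PingIntelligence.lic: |
      ID=$4
      Organization=ExampleOrg
EOF
}

tmp=$(mktemp)
sample_manifest inlin abs_ak abs_sk "" > "$tmp"
check_manifest "$tmp" || echo "resolve the findings before kubectl apply"
rm -f "$tmp"
```

Run `check_manifest` against the edited file before step 8; a non-zero return means at least one finding was printed.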
    
Verify that the deployment is successful by entering the following command.

    # kubectl get pod -n pingidentity
    NAME                   READY   STATUS    RESTARTS   AGE
    abs-0                  1/1     Running   0          139m
    ase-0                  1/1     Running   0          25m
    mongo-0                1/1     Running   1          139m
    startup-script-5d5d6   1/1     Running   0          119m
    dashboard-0            1/1     Running   1          139m

Fetch the IP addresses of ASE, ABS, and Dashboard by entering the following command.

    # kubectl get svc -n pingidentity
    NAME                         TYPE           CLUSTER-IP    EXTERNAL-IP      PORT(S)                      AGE
    abs-external-service         LoadBalancer   10.0.64.46    52.151.201.34    8080:31202/TCP               18h
    abs-internal-service         ClusterIP      None          <none>           8080/TCP                     18h
    ase-external-service         LoadBalancer   10.0.27.211   52.151.203.229   80:30677/TCP,443:30396/TCP   18h
    ase-internal-service         ClusterIP      None          <none>           8020/TCP,8010/TCP            18h
    dashboard-external-service   LoadBalancer   10.0.121.85   52.151.204.1     443:31328/TCP                18h
    mongo-internal-service       ClusterIP      None          <none>           27017/TCP                    18h

If you are deploying in sideband mode, use the NodePort IP address of ASE in the API gateway integration.