How does it work?
The SDP Kubernetes Injector allows headless Clients to be injected on-demand into pods as sidecars.
Headless Clients run without a UI in the background. They enable unattended systems such as servers or container instances to connect to the Appgate SDP system. Standalone headless Clients are available for Windows, macOS and Linux; Appgate also embeds them in the Windows SSO Client, always-on Clients, the Kubernetes Injector and the Connector.
Once a profile and credentials have been applied to the headless Client, on boot-up the Client will immediately try to sign in to the Controller(s) (and continue to retry if it fails). For this reason it is STRONGLY ADVISED to always have a valid Policy for headless Clients, otherwise the retries will effectively become a DoS attack on the Controllers and consume large amounts of disk space with log warning messages.
Once signed in, the headless Client receives its own Entitlements (based on its Policy) for any permitted resources protected by Appgate SDP and will automatically (try to) establish secure connections with the Gateways. If the headless Client has been installed on a remote server, the Entitlements might include down rules so that users of the Appgate SDP system can access it.
The injected Client works in much the same way as other Appgate SDP headless Clients, capturing specific traffic within each pod and routing it to the appropriate Site(s). It is designed for EGRESS traffic from specific Kubernetes workloads; for INGRESS traffic to specific Kubernetes workloads, you should use the URL access feature (HTTP up action type).
Background information
The injector
An SDP Kubernetes injector installation is done at the Kubernetes cluster level. You can connect multiple Kubernetes clusters to a single Collective; make sure the clusterID you set for each one is unique, to avoid any potential collision of resources created by the Injector. Each cluster can have multiple namespaces, each namespace can have multiple workloads, and each workload comprises one or more pods.
For any given injector installation:
you will have to create a unique clusterID.
there will be just one Profile link created for the Cluster
each workload will have a unique user/password assigned in the service IdP
each injected Client (sidecar) will have a unique deviceID
The injector handles everything to do with the injected headless Clients. There is no need to set up any credentials, Client profiles etc; all this is done automatically in the background via API calls to the Controller. Because of this, the injector needs to be able to reach port 8443 on the Controller, for instance to add a new user identity as a headless Client is injected into each pod.
meta-client
In many cases the Controller's admin port is not exposed to the internet (or access to it is allow-listed), in line with system security best practice. For the situation where the injector cannot reach the Controller directly, there is an embedded meta-Client that runs within the injector itself. Once enabled and configured, traffic from the injector is captured and tunneled to the admin API port 8443 on the Controller via a suitably located Gateway. This is quite separate from the sidecar Clients and requires manual configuration.
The Client
How to install
The SDP Kubernetes injector is installed per cluster using Helm charts; Clients are then injected into the selected workloads. Browse the latest versions in the Appgate GitHub Container Registry.
This admin guide only covers the aspects that relate to Appgate SDP itself. For details of the entire set-up process please refer to the README published on GitHub.
How to configure
To use the SDP Kubernetes injector you need to have configured a number of things in the Appgate SDP system:
API User with required privileges
An injector API user should be created (username, password, IdP) and assigned an admin Policy that includes the admin role with the Service User Management privileges (use the preset in the Admin UI).
IP pools
An IP pool needs to be created - one IP address will be assigned from the IP pool for every pod in each Kubernetes workload.
Service IdP
The IP Pool(s) need to be assigned to the service Identity Provider.
NOTE
Ten inactive service users are created at the initialization of the Identity Service. These get converted into active users as Clients are started, at which point another inactive user is created, so there are always 10 available.
Service User License
A service user License should be obtained and applied. One license is consumed per Kubernetes workload (e.g. Deployment). Effectively, like the normal Client, one user can have any number of devices.
Policy and Entitlements for the injected Client
Create an access Policy for each specific Kubernetes Workload referencing suitable Entitlements.
Namespace annotations and labels are injected with each Client instance and then appear as claims that can be used for making Policy assignment decisions. Even though this information originates with the device (and device claims are normally considered untrusted), in this specific case it is presented as user claims and can be treated as trusted. The following can be used in the Policy assignment criteria:
Identity Provider is service
user.labels.namespace (namespace === "whatever")
user.labels.name (name === "whatever")
NOTE
JavaScript syntax is required, as the format of the labels returned is not defined.
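The following is an added example, not part of this guide or of the injector, showing how the criteria listed above behave when evaluated as JavaScript over the claims an injected Client presents. The shape of the claims object, the Policy list and the namespace/workload names are constructed for illustration and are not Appgate SDP's internal representation; what the example shows is why the Identity Provider check belongs in every such Policy and why evaluation must fail closed when a label tree is missing or the expression is malformed.

```javascript
// Added example: evaluating Policy assignment criteria for injected sidecar Clients.
// The claims layout below is an assumption made for this example.

// Constructed claims as an injected Client in namespace "payments", workload "api" might present.
const sampleClaims = {
  identityProvider: "service",
  user: { labels: { namespace: "payments", name: "api" } },
};

// Constructed claims for a user from a different Identity Provider that happens to
// carry the same labels; used to show what a Policy without the IdP check would do.
const sampleOtherIdpClaims = {
  identityProvider: "local",
  user: { labels: { namespace: "payments", name: "api" } },
};

// Constructed Policies. Each "criteria" is a JavaScript expression over the claim roots
// `identityProvider` and `user`, mirroring the criteria this guide lists.
const samplePolicies = [
  {
    name: "k8s-payments-api",
    criteria: 'identityProvider === "service" && user.labels.namespace === "payments" && user.labels.name === "api"',
  },
  {
    name: "k8s-payments-any",
    criteria: 'identityProvider === "service" && user.labels.namespace === "payments"',
  },
  {
    name: "k8s-staging",
    criteria: 'identityProvider === "service" && user.labels.namespace === "staging"',
  },
  {
    // Deliberately omits the Identity Provider check: it will match any user with these labels.
    name: "broken-missing-idp-check",
    criteria: 'user.labels.namespace === "payments"',
  },
];

// Compile one criteria expression with the claim roots as parameters (not globals) and
// return its truth value. Any exception, whether a syntax error in the expression or a
// TypeError because `user.labels` is absent, fails closed: the Policy is not assigned.
function evaluateCriteria(criteria, claims) {
  try {
    const fn = new Function(
      "identityProvider",
      "user",
      `"use strict"; return Boolean(${criteria});`
    );
    return fn(claims.identityProvider, claims.user || {});
  } catch (e) {
    return false;
  }
}

// Return the names of all Policies whose criteria hold for the given claims.
function matchingPolicies(claims, policies) {
  return policies
    .filter((p) => evaluateCriteria(p.criteria, claims))
    .map((p) => p.name);
}

// Flag Policies whose criteria never mention the Identity Provider, so they can be
// reviewed before an unrelated IdP's users can satisfy them.
function policiesWithoutIdpCheck(policies) {
  return policies
    .filter((p) => !/identityProvider/.test(p.criteria))
    .map((p) => p.name);
}

console.log(matchingPolicies(sampleClaims, samplePolicies));
console.log(matchingPolicies(sampleOtherIdpClaims, samplePolicies));
console.log(policiesWithoutIdpCheck(samplePolicies));
```

Running it shows the injected Client matching the two payments Policies and the broken one, while the other-IdP user matches only the broken Policy; a claims object with no `labels` tree matches nothing.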
Meta-Client (optional)
The standard credentials for a Client to connect (username, password, profile link) are required, which might be the same as above.
Policy and Entitlements for the meta-Client (optional)
Create an access Policy for the meta-Client with Entitlements that allow access to port 8443 on the Controller (and to the DNS server).
Using the Client
The Client will be used for as long as the pod exists. When the pod is destroyed, the Client is also destroyed.
Updating the Client
The injector uses a fixed version of the Client (the latest version at the time the injector was released). If you want to use a newer or older version, specify the version you require by adding or editing a line in the workload's deployment YAML file:
k8s.appgate.com/sdp-injector.client-version: 6.0.3
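As an added example (not taken from this guide or from the injector project), here is a Deployment fragment carrying that annotation. Placing it under the pod template's annotations, the workload name, namespace and image are all assumptions of this example; the annotation key and value are the ones given above. The value is quoted so that YAML cannot reinterpret it. The fragment shows only the version pin; whatever the injector uses to select a workload for injection is outside what this page covers.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: payments-api          # assumed workload name
  namespace: payments         # assumed namespace
spec:
  replicas: 2
  selector:
    matchLabels:
      app: payments-api
  template:
    metadata:
      labels:
        app: payments-api
      annotations:
        # Pin the injected headless Client to a specific release.
        # Placement under the pod template annotations is an assumption of this example.
        k8s.appgate.com/sdp-injector.client-version: "6.0.3"
    spec:
      containers:
        - name: api
          image: registry.example.com/payments-api:1.0   # placeholder image
```

Because the annotation lives on the pod template, changing it triggers a rollout, and the new pods are injected with the requested Client version while existing pods keep the version they started with.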
Log files
Logs for the meta-Client and the injected headless client can be viewed by downloading from the active session page in the admin UI.