
GuardRails - Google Kubernetes Engine (GKE) - Installation Requirements

This page lists the recommended hardware and software requirements for installing GuardRails on Google Kubernetes Engine (GKE).

Pre-requisites

Knowledge requirements

  • Kubernetes and its components including Ingress Controller, Storage Class
  • Google Kubernetes Engine (GKE)
  • CLI tools: gcloud, kubectl
  • Cloud SQL for PostgreSQL

Google Cloud CLI and kubectl Configuration

To complete this installation, you need the Google Cloud CLI and kubectl to manage your cluster. First, install the Google Cloud CLI. Follow the instructions here to install the CLI.

Second, you will also need to install kubectl using the following command.

gcloud components install kubectl

Then you can use the following command to log in to your Google Cloud account.

gcloud auth login

Afterwards you will need to run the following command to be able to point kubectl at your specific cluster in GKE.

gcloud container clusters get-credentials <cluster name> --zone <cluster zone> --project <project name>

Example:

gcloud container clusters get-credentials cluster-1 --zone us-central1-c --project flask-oauthtutorial

After this, kubectl should have access to your cluster and you can run kubectl kots install guardrails-enterprise to install GuardRails onto your cluster.

GKE Requirements

  • GKE Versions Supported: 1.19, 1.20, 1.21, 1.22, 1.23, 1.24
  • Storage Class:
    • Standard-rwo
  • Firewall: Allow inbound access from the internet on ports 80 and 443
  • Scan Performance Improvements:
    • We recommend using two separate node pools: one for the worker and one for other deployments. To improve scan performance, the worker node pool should use local SSD/NVMe disk storage (see this link). Applying node pool autoscaling is recommended.
  • Node Pool Specification:
    • For the worker node pool, set at least 8 CPU cores and at least 16 GB of memory. We recommend at least the N1 machine series for the worker machine type.
    • The other node pool should use at least n1-standard-2 (2 vCPU, 7.5 GB memory), and the number of nodes in the node pool should be > 3.

  • Ingress controllers:

    • If you are using a custom ingress controller (nginx), you do not need to configure health checks.

    • From the GuardRails Admin Console, you will need to enable the “Set ingress path to /*” option for use with GCP.

    • If you are using the GKE Ingress Controller, make sure the load balancer's health checks are correct. If they are not, the load balancer's health checks will fail and it cannot forward requests to our services. For example:

      GuardRails Component    API Endpoint
      API                     /healthcheck
      Dashboard               /
      Minio                   /
      Probot                  /healthcheck
      SCAOracleAgent          /api/ping
  • Databases:
    • If you want to use Cloud SQL (PostgreSQL), PostgreSQL 11 and 12 are supported.
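
Preflight checks for the requirements above, added here as an example and not part of GuardRails' own tooling: they test a server version against the supported GKE releases, look for the storage class in `kubectl get storageclass -o name` output, and compare health-check paths with the component table. Function names and sample inputs are assumptions; Kubernetes object names are lowercase, so the class is passed as standard-rwo.

```shell
#!/bin/sh
# Added example (not GuardRails code): preflight checks for the requirements above.
# Function names are hypothetical; all sample inputs are constructed.
SUPPORTED_MINORS="1.19 1.20 1.21 1.22 1.23 1.24"   # "GKE Versions Supported"

# Reduce a server gitVersion such as v1.22.17-gke.3100 to its minor release, "1.22".
gke_minor() {
  printf '%s\n' "$1" | sed -n 's/^v\{0,1\}\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Succeed only if the cluster's minor release is on the supported list.
gke_version_supported() {
  case " $SUPPORTED_MINORS " in
    *" $(gke_minor "$1") "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Reads `kubectl get storageclass -o name` output on stdin; $1 is the class name.
has_storage_class() {
  grep -Fqx "storageclass.storage.k8s.io/$1"
}

# Health-check path per component, from the table on this page.
expected_health_path() {
  case "$1" in
    API|Probot)      echo "/healthcheck" ;;
    Dashboard|Minio) echo "/" ;;
    SCAOracleAgent)  echo "/api/ping" ;;
    *) return 1 ;;
  esac
}

# Reads "component path" pairs on stdin (paths copied from the load balancer's
# health checks), prints each mismatch, and fails if there is any.
audit_health_checks() {
  rc=0
  while read -r comp path; do
    want=$(expected_health_path "$comp") || { echo "unknown component: $comp"; rc=1; continue; }
    [ "$path" = "$want" ] || { echo "$comp: health check uses $path, expected $want"; rc=1; }
  done
  return "$rc"
}

# Constructed samples; on a live cluster feed the kubectl output named above.
gke_version_supported "v1.22.17-gke.3100" && echo "version supported"
gke_version_supported "v1.27.3-gke.100" || echo "version not supported"
printf 'API /healthcheck\nProbot /\n' | audit_health_checks || true
```

On a cluster, `kubectl get storageclass -o name | has_storage_class standard-rwo` performs the storage class check against live output.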