A powerful, easily deployable network traffic analysis tool suite for network security monitoring
This document outlines the process of setting up a cluster on Amazon Elastic Kubernetes Service (EKS) using Amazon Web Services in preparation for Deploying Malcolm with Kubernetes.
This is a work-in-progress document that is still a bit rough around the edges. Users will need to replace things such as `cluster-name` and `us-east-1` with the values that are applicable to their cluster. Any feedback is welcome in the relevant issue on GitHub.
This document assumes good working knowledge of Amazon Web Services (AWS) and Amazon Elastic Kubernetes Service (EKS). Good documentation resources can be found in the AWS documentation, the EKS documentation and the EKS Workshop.
Tag the cluster's subnets so the load balancer controllers can discover them:

- `kubernetes.io/role/internal-elb`: `1`
- `kubernetes.io/role/elb`: `1`
Generate a kubeconfig file for the cluster (`malcolmeks.yaml` is used in this example):

```bash
aws eks update-kubeconfig --region us-east-1 --name cluster-name --kubeconfig malcolmeks.yaml
```
`c4.4xlarge`, `t2.2xlarge`, and `t3a.2xlarge` seem to be good instance types for Malcolm; or, for arm64 instances, `m6gd.2xlarge`, `m6g.2xlarge`, `m7g.2xlarge`, and `t4g.2xlarge`; but users' needs may vary (see recommended system requirements for Malcolm).

Deploy `metrics-server`:

```bash
kubectl --kubeconfig=malcolmeks.yaml apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
```
Associate an IAM OIDC provider with the cluster:

```bash
eksctl utils associate-iam-oidc-provider --region=us-east-1 --cluster=cluster-name --approve
```
`kubernetes/99-ingress-aws-alb.yml.example` is an example ingress manifest for Malcolm using the ALB controller for HTTP(S) requests and the NLB controller for TCP connections to Logstash and Filebeat.

Alternatively, set `type: LoadBalancer` for the `nginx-proxy` service in `98-nginx-proxy.yml`, the `filebeat` service in `12-filebeat.yml` and the `logstash` service in `13-logstash.yml`.
Set up access points, and note the access point IDs to put in the YAML in the next step:

| name | mountpoint | access point ID |
|---|---|---|
| config | /malcolm/config | fsap-… |
| opensearch | /malcolm/opensearch | fsap-… |
| opensearch-backup | /malcolm/opensearch-backup | fsap-… |
| pcap | /malcolm/pcap | fsap-… |
| runtime-logs | /malcolm/runtime-logs | fsap-… |
| suricata-logs | /malcolm/suricata-logs | fsap-… |
| zeek-logs | /malcolm/zeek-logs | fsap-… |
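The following is an added example, not code from the Malcolm project or its documentation. It collects the access point IDs for the table above from the JSON that `aws efs describe-access-points --file-system-id <fs-id> --output json` returns, and refuses to produce a mapping if any of Malcolm's seven mountpoints has no available access point on that file system; the sample output and IDs are constructed.

```python
"""Map Malcolm's EFS access point names to IDs from `aws efs describe-access-points` output."""
import json

# The mountpoints Malcolm's 01-volumes.yml expects, keyed by the access point name (from the table above).
EXPECTED_MOUNTPOINTS = {
    "config": "/malcolm/config",
    "opensearch": "/malcolm/opensearch",
    "opensearch-backup": "/malcolm/opensearch-backup",
    "pcap": "/malcolm/pcap",
    "runtime-logs": "/malcolm/runtime-logs",
    "suricata-logs": "/malcolm/suricata-logs",
    "zeek-logs": "/malcolm/zeek-logs",
}


def access_point_ids(describe_output: str, file_system_id: str) -> dict:
    """Return {name: access point ID} for every expected mountpoint.

    Only access points that belong to file_system_id and are in the "available"
    lifecycle state count; anything still creating or being deleted is ignored.
    Raises ValueError naming every mountpoint without a usable access point, so a
    half-configured EFS setup is caught before 01-volumes.yml is written.
    """
    by_path = {}
    for ap in json.loads(describe_output).get("AccessPoints", []):
        if ap.get("FileSystemId") != file_system_id or ap.get("LifeCycleState") != "available":
            continue
        by_path[ap["RootDirectory"]["Path"]] = ap["AccessPointId"]
    missing = [name for name, path in EXPECTED_MOUNTPOINTS.items() if path not in by_path]
    if missing:
        raise ValueError(f"no available access point for: {', '.join(missing)}")
    return {name: by_path[path] for name, path in EXPECTED_MOUNTPOINTS.items()}


# Constructed sample of describe-access-points output; the fs-/fsap- IDs are placeholders.
SAMPLE_FS_ID = "fs-0123456789abcdef0"
SAMPLE_OUTPUT = json.dumps({"AccessPoints": [
    {"AccessPointId": f"fsap-{i:016x}", "FileSystemId": SAMPLE_FS_ID,
     "LifeCycleState": "available", "RootDirectory": {"Path": path}}
    for i, path in enumerate(EXPECTED_MOUNTPOINTS.values(), start=1)
]})

if __name__ == "__main__":
    # Prints the name / mountpoint / access point ID table for the sample data.
    for name, ap_id in access_point_ids(SAMPLE_OUTPUT, SAMPLE_FS_ID).items():
        print(f"{name:<18} {EXPECTED_MOUNTPOINTS[name]:<28} {ap_id}")
```

Replace `SAMPLE_OUTPUT` with the real CLI output and `SAMPLE_FS_ID` with the file system's ID to get the values for the next step.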
`kubernetes/01-volumes-aws-efs.yml.example` is an example manifest to use as a starting point. Copy `01-volumes-aws-efs.yml.example` to `01-volumes.yml` and replace `fs-FILESYSTEMID` with the ID of the EFS file system and each `fsap-…` value with the corresponding access point ID from the previous step.

Amazon Web Services, AWS, the Powered by AWS logo, and Amazon Elastic Kubernetes Service (EKS) are trademarks of Amazon.com, Inc. or its affiliates. The information about providers and services contained in this document is for instructional purposes and does not constitute endorsement or recommendation.