IBM Guardium

  • 1.  apply "external-stap" window get fail

    Posted Mon January 25, 2021 09:41 AM
    Hi Expert,

    Implement Guardium external S-TAP with k8s under Guardium UI --> add "external S-TAP Control".

    Always get the error msg below after clicking the "apply" button.



    Describe my env:
      1. K8S (not AWS) & Guardium Collector (v 11.2.0) on local Linux
      2. AWS RDS for MSSQL
      3. Don't create "cli> create csr external_stap" at Guardium collector
      4. I don't type any information under the "Certificate" + "Advance" buttons
      5. Click "apply" to get the error msg
         <<
         1. Deployment failed due to kubernetes client error
         2. k8s + operation [create] for kind: deployment with name :[null] in namespace:[default] failed
         3. Why does it always show "deployment with name :[null]" even though I had typed the deployment name?
         >>

     



    ------------------------------
    jennifer lai
    ------------------------------

    Attachment(s)

    docx
    apply_external_stap_fail.docx   1.01 MB 1 version


  • 2.  RE: apply "external-stap" window get fail

    Posted Mon January 25, 2021 09:47 AM

    The GUI deployment requires port 443 open on collector --> K8S. Can you check if you can:

         telnet  <k8s master url>  443



    ------------------------------
    JENNIFER Peng
    ------------------------------



  • 3.  RE: apply "external-stap" window get fail

    Posted Wed January 27, 2021 09:05 AM

    Hi Jennifer,

    Thank you for the response ... CASE 1 (apply button get k8 client fail) for the information you need.

    So I created & ftp'd the "template" (deployment.yaml & service.yaml) to apply in the k8 env. Still get an error (CrashLoopBackOff). I provide detailed information at the end of this mail, called CASE 2 (apply -f xxx).

    We need your help to fix this kind of error.

     

    CASE 1 (apply get k8 client fail) ->

    1. My k8 env to get Master URL: https://10.107.9.241:6443

    <<
    [root@k8s-master01 STAP]#  kubectl cluster-info
    Kubernetes control plane is running at https://10.107.9.241:6443
    KubeDNS is running at https://10.107.9.241:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy
    >>

    2. My Guardium Collector to do telnet result as below:

    login as: cli

    IBM Guardium, Command Line Interface (CLI)
    LaiGuardium11.syspower.com.tw> support show port open 10.107.9.241 6443
    Ncat: Version 7.50 ( https://nmap.org/ncat )
    Ncat: Connected to 10.107.9.241:6443.
    Ncat: 0 bytes sent, 0 bytes received in 0.01 seconds.
    ok
    LaiGuardium11.syspower.com.tw> support show port open 10.107.9.241 443
    Ncat: Version 7.50 ( https://nmap.org/ncat )
    Ncat: Connection refused.
    ok
    >>

    CASE 2 (apply -f xxx) -> I create & ftp "template" (deployment_aws.yaml & service_aws.yaml) to apply in k8 env. Still get error

    1. [root@k8s-master01 STAP]# kubectl get pod

    NAME                         READY   STATUS             RESTARTS   AGE
    command-demo                 0/1     Completed          0          7d3h
    my-depaws-7c7bb49478-8mvgt   0/1     CrashLoopBackOff   21         54m
    my-depaws-7c7bb49478-rjh96   1/1     Running            20         54m
    nginx-6799fc88d8-mc2x8       1/1     Running            0          6d17h

    2. kubectl describe pod my-depaws-7c7bb49478-8mvgt  >> pod_live_0126.log (attached)

    <<
    Events:
      Type     Reason     Age                   From               Message
      ----     ------     ----                  ----               -------
      Normal   Scheduled  11m                   default-scheduler  Successfully assigned default/my-depaws-7c7bb49478-8mvgt to k8s-node01.poc.k8s.lab
      Normal   Pulled     11m                   kubelet            Successfully pulled image "store/ibmcorp/guardium_external_s-tap:v11.2.0" in 7.915060729s
      Warning  Unhealthy  11m                   kubelet            Liveness probe failed: System fails liveness check at 21-01-26_071147: No established connections and listen port 1433 is not open

      Normal   Pulled     10m                   kubelet            Successfully pulled image "store/ibmcorp/guardium_external_s-tap:v11.2.0" in 8.154943097s
      Warning  Unhealthy  10m (x3 over 11m)     kubelet            Readiness probe errored: rpc error: code = Unknown desc = container is not created or running
      Warning  Unhealthy  10m                   kubelet            Liveness probe failed: System fails liveness check at 21-01-26_071307: No established connections and listen port 1433 is not open
      Warning  Unhealthy  9m52s                 kubelet            Liveness probe failed: System fails liveness check at 21-01-26_071317: No established connections and listen port 1433 is not open
      Warning  BackOff    84s (x28 over 8m30s)  kubelet            Back-off restarting failed container
    >>

     

     




    Attachment(s)

    yaml
    service_aws.yaml   272 B 1 version
    yaml
    deployment_aws.yaml   1 KB 1 version
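
The events in the post above record successful image pulls alongside repeated liveness-probe failures on port 1433. One way to separate image-pull failures from probe failures when triaging a CrashLoopBackOff pod, as an added example that is not part of the original thread (`triage_events` and `sample_events` are hypothetical helper names; the sample lines are copied from the post with columns condensed):

```shell
#!/usr/bin/env bash
# Added example: classify why a pod keeps restarting from `kubectl describe pod` Events.
# triage_events and sample_events are hypothetical helper names.

triage_events() {   # reads Events text on stdin, prints a one-line summary
  awk '
    # An aggregated event such as "10m (x3 over 11m)" stands for 3 occurrences.
    function occ(line) {
      if (match(line, /\(x[0-9]+ over/)) { return substr(line, RSTART + 2, RLENGTH - 7) + 0 }
      return 1
    }
    /Successfully pulled image/                          { pulled += occ($0) }
    /ErrImagePull|ImagePullBackOff|Failed to pull image/ { pull_failed += occ($0) }
    /Readiness probe (failed|errored)/                   { readiness += occ($0) }
    /Back-off restarting failed container/               { backoff += occ($0) }
    /Liveness probe failed/ {
      liveness += occ($0)
      # The liveness message in the post names the port that has no listener.
      if (match($0, /listen port [0-9]+ is not open/)) {
        split(substr($0, RSTART, RLENGTH), f, " "); port = f[3]
      }
    }
    END {
      if (pull_failed > 0 && pulled == 0) verdict = "image-pull"
      else if (liveness > 0)              verdict = "liveness-probe"
      else if (backoff > 0)               verdict = "container-exit"
      else                                verdict = "none"
      printf "verdict=%s pulled=%d pull_failed=%d liveness=%d readiness=%d backoff=%d port=%s\n",
             verdict, pulled, pull_failed, liveness, readiness, backoff, (port == "" ? "-" : port)
    }'
}

sample_events() {   # event lines copied from the post above, columns condensed
  cat <<'EOF'
Normal   Pulled     11m                   kubelet  Successfully pulled image "store/ibmcorp/guardium_external_s-tap:v11.2.0" in 7.915060729s
Warning  Unhealthy  11m                   kubelet  Liveness probe failed: System fails liveness check at 21-01-26_071147: No established connections and listen port 1433 is not open
Normal   Pulled     10m                   kubelet  Successfully pulled image "store/ibmcorp/guardium_external_s-tap:v11.2.0" in 8.154943097s
Warning  Unhealthy  10m (x3 over 11m)     kubelet  Readiness probe errored: rpc error: code = Unknown desc = container is not created or running
Warning  Unhealthy  10m                   kubelet  Liveness probe failed: System fails liveness check at 21-01-26_071307: No established connections and listen port 1433 is not open
Warning  Unhealthy  9m52s                 kubelet  Liveness probe failed: System fails liveness check at 21-01-26_071317: No established connections and listen port 1433 is not open
Warning  BackOff    84s (x28 over 8m30s)  kubelet  Back-off restarting failed container
EOF
}

sample_events | triage_events
```

Against a live cluster the same function can be fed with `kubectl describe pod <pod-name> | triage_events`.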


  • 4.  RE: apply "external-stap" window get fail

    Posted Fri January 29, 2021 06:07 PM
    CASE 1 (apply get k8 client fail)

    --->LaiGuardium11.syspower.com.tw> support show port open 10.107.9.241 443
    Ncat: Version 7.50 ( https://nmap.org/ncat )
    Ncat: Connection refused.

    which means you may need to open port 443 on the Guardium appliance.

    CASE 2 (apply -f xxx) -> I create & ftp "template" (deployment_aws.yaml & service_aws.yaml) to apply in k8 env. Still get error

    Your k8 env also may have a firewall blocking access to Docker Hub, or the container in Docker Hub cannot be used directly.
    You can try to:
      1. Find another free repository that you can use (such as registry.redhat.io). Download the container and upload it to the new repository (docker pull / docker push). Note: every cloud provider also provides a registry server for containers.
      2. Set up a local repository.



    ------------------------------
    JENNIFER Peng
    ------------------------------



  • 5.  RE: apply "external-stap" window get fail

    Posted Mon March 08, 2021 08:49 AM
    If the network (VPC) does not allow a public IP for the load balancer, use an internal load balancer instead. The YAML for the internal load balancer is attached.

    ------------------------------
    JENNIFER Peng
    ------------------------------

    Attachment(s)

    yaml
    service.yaml   381 B 1 version


  • 6.  RE: apply "external-stap" window get fail

    Posted Tue August 30, 2022 08:56 AM
    Hello,

    I have the same problem as you, did you find a solution?

    regards,
    Entus Suhendar

    ------------------------------
    entus suhendar
    ------------------------------