Deploy using Helm
Follow the steps below to deploy the Cisco Panoptica controller on a Kubernetes cluster using Helm charts. The procedure varies slightly if you are installing in Kubernetes or OpenShift.
Prepare to deploy
Before deploying the Panoptica controller to your Kubernetes cluster, you first need to set up your cluster in the Panoptica platform, and retrieve some parameters. This is done using API calls, either via the command line interface (CLI) or the API reference in Swagger.
Panoptica REST API
See REST API Quick Start Guide for help running APIs on the Panoptica server.
- Submit a POST request with the name and orchestrationType of the cluster to:
  https://appsecurity.cisco.com/api/kubernetesClusters
- Grab the clusterID from the response and hold onto it. You'll need it for both installation and removal.
- Use the clusterID to submit a GET request to:
  https://appsecurity.cisco.com/api/getControllerData/{clusterID}
  Retrieve the agentId and sharedKey from the response. You will need these values to deploy the controller.
Next, there are a few options you need to consider regarding how Panoptica is deployed in your Kubernetes cluster.
- Do you need connection control? And is Istio service mesh already installed in your cluster?
- Do you need token injection, for securely managing API tokens?
- Are you using OpenShift?
These choices will determine how Panoptica is installed.
Installation in Kubernetes
For OpenShift installation, see below
- If connection control is needed and Istio is not running on the cluster, install the Panoptica Istio charts, as follows:
helm upgrade -i panoptica oci://us-docker.pkg.dev/eticloud/panoptica-public-registry/panoptica-istio --create-namespace -n istio-system
- If token injection is needed, install the Panoptica Vault charts, as follows:
helm upgrade -i panoptica oci://us-docker.pkg.dev/eticloud/panoptica-public-registry/panoptica-vault --create-namespace -n securecn-vault
- Now you're ready to install the Panoptica charts, substituting the agentId and sharedKey that you retrieved above. Set all values according to the functionality you require. See Setting Values below for details.
helm upgrade -i panoptica oci://us-docker.pkg.dev/eticloud/panoptica-public-registry/panoptica --create-namespace -n portshift --set portshiftAgent.secret.sharedSecret=XXXX --set portshiftAgent.agentID=XXXX
Installation in OpenShift
- If connection control is needed and Istio is not running on the cluster, install the Panoptica Istio charts for OpenShift, as follows:
oc adm policy add-scc-to-group anyuid system:serviceaccounts:istio-system
helm upgrade -i panoptica oci://us-docker.pkg.dev/eticloud/panoptica-public-registry/panoptica-istio --create-namespace -n istio-system
- If token injection is needed, install the Panoptica Vault charts for OpenShift, as follows:
helm upgrade -i panoptica oci://us-docker.pkg.dev/eticloud/panoptica-public-registry/panoptica-vault --create-namespace -n securecn-vault
- Now you're ready to install the Panoptica charts for OpenShift, substituting the agentId and sharedKey that you retrieved above. Set all values according to the functionality you require. See Setting Values below for details.
Make sure to include the OpenShift value: --set global.isOpenShift=true
oc adm policy add-scc-to-group anyuid system:serviceaccounts:portshift
oc adm policy add-scc-to-user hostmount-anyuid system:serviceaccounts:portshift:seccomp-installer
helm upgrade -i panoptica oci://us-docker.pkg.dev/eticloud/panoptica-public-registry/panoptica --create-namespace -n portshift --set portshiftAgent.secret.sharedSecret=XXXX --set portshiftAgent.agentID=XXXX
Setting Values
To override values in a chart, save the default values to a YAML file, update the required values, then pass the file to the helm install/upgrade command using --values.
You will find here a selection of the key values required to successfully deploy Panoptica in your environment.
If Kubernetes security is needed | --set global.isContainerSecurityEnabled=true |
If API security is needed | --set global.isAPISecurityEnabled=true |
If connection enforcement is needed | --set global.isConnectionEnforcementEnabled=true |
If Istio is already installed | --set istio.global.alreadyInstalled=true |
If token injection is needed | --set global.tokenInjectionEnabled=true |
If installing on OpenShift | --set global.isOpenShift=true |
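The following is an added example, not part of the original page or Cisco's tooling. Passing the sharedKey with --set leaves it in shell history and in the process list, so this function writes it, together with the values from the table above, to an owner-only file for use with --values. The function name, the option words and the PANOPTICA_* environment variable names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Cisco's tooling. Value paths are the ones listed on this
# page; the function name, option words and PANOPTICA_* variable names are
# assumptions of this example.
#
# Usage: PANOPTICA_AGENT_ID=... PANOPTICA_SHARED_KEY=... \
#          write_panoptica_values <out-file> [option ...]
# The body runs in a subshell, so umask and variables do not leak to the caller.
write_panoptica_values() (
  [ "$#" -ge 1 ] || { echo "usage: write_panoptica_values <out-file> [option ...]" >&2; exit 1; }
  out=$1; shift
  nl='
'
  globals=''; istio=''
  if [ -z "${PANOPTICA_AGENT_ID:-}" ] || [ -z "${PANOPTICA_SHARED_KEY:-}" ]; then
    echo "set PANOPTICA_AGENT_ID and PANOPTICA_SHARED_KEY first" >&2; exit 1
  fi
  for opt in "$@"; do
    case $opt in
      container-security)     globals="${globals}  isContainerSecurityEnabled: true${nl}" ;;
      api-security)           globals="${globals}  isAPISecurityEnabled: true${nl}" ;;
      connection-enforcement) globals="${globals}  isConnectionEnforcementEnabled: true${nl}" ;;
      token-injection)        globals="${globals}  tokenInjectionEnabled: true${nl}" ;;
      openshift)              globals="${globals}  isOpenShift: true${nl}" ;;
      istio-installed)        istio="istio:${nl}  global:${nl}    alreadyInstalled: true${nl}" ;;
      *) echo "unknown option: $opt" >&2; exit 1 ;;
    esac
  done
  # YAML single-quoted scalar: the only escape needed is doubling a single quote.
  yaml_sq() { printf '%s' "$1" | sed "s/'/''/g"; }
  umask 077          # new file is created 0600 (owner read/write only)
  rm -f -- "$out"    # an existing file would keep its old, possibly wider, mode
  {
    printf 'portshiftAgent:\n'
    printf "  agentID: '%s'\n" "$(yaml_sq "$PANOPTICA_AGENT_ID")"
    printf "  secret:\n    sharedSecret: '%s'\n" "$(yaml_sq "$PANOPTICA_SHARED_KEY")"
    if [ -n "$globals" ]; then printf 'global:\n%s' "$globals"; fi
    printf '%s' "$istio"
  } > "$out"
)

# Then install with the file instead of --set:
#   helm upgrade -i panoptica oci://us-docker.pkg.dev/eticloud/panoptica-public-registry/panoptica \
#     --create-namespace -n portshift --values panoptica-values.yaml
```

Delete the values file once the release is installed, or keep it in a secrets store rather than in the repository that holds the rest of your Helm configuration.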
To retrieve the full Values file of each chart, use the following commands:
helm show values oci://us-docker.pkg.dev/eticloud/panoptica-public-registry/panoptica
helm show values oci://us-docker.pkg.dev/eticloud/panoptica-public-registry/panoptica-istio
helm show values oci://us-docker.pkg.dev/eticloud/panoptica-public-registry/panoptica-vault
To retrieve the full Readme file of each chart, use the following commands:
helm show readme oci://us-docker.pkg.dev/eticloud/panoptica-public-registry/panoptica
helm show readme oci://us-docker.pkg.dev/eticloud/panoptica-public-registry/panoptica-istio
helm show readme oci://us-docker.pkg.dev/eticloud/panoptica-public-registry/panoptica-vault
Once installed, your cluster will appear on the CLUSTER CONTROLLERS tab of the Deployments page in the Panoptica Console. Note that controllers that were deployed with Helm will be labeled as such in the Cluster Controller Name. Also, the Edit Cluster Controller option in the rightmost column is replaced with View Cluster Controller, since a cluster installed with Helm charts cannot be edited in the Panoptica console UI.
Uninstall Panoptica in Kubernetes
To uninstall an OpenShift setup, see below
To uninstall Panoptica from a Kubernetes cluster, first delete the cluster from the Panoptica platform using API calls, then uninstall the Panoptica controller from your cluster. Here you will find all the required commands. Only run those that are relevant to your setup.
- To remove your cluster from the Panoptica platform, submit a DELETE request with the clusterID to:
  https://appsecurity.cisco.com/api/kubernetesClusters/{kubernetesClusterId}
  If you do not have the clusterID, you can also remove the cluster using the Console UI.
- If you installed Istio in your cluster, run these commands to remove it:
helm uninstall panoptica -n istio-system
kubectl delete ns istio-system
- If you installed the Panoptica vault for token injection, run these commands to remove it:
helm uninstall panoptica -n securecn-vault
kubectl delete ns securecn-vault
- Then run these commands to remove the Panoptica controller:
helm uninstall panoptica -n portshift
kubectl delete ns portshift
Uninstall Panoptica in OpenShift
To uninstall Panoptica from an OpenShift cluster, first delete the cluster from the Panoptica platform using API calls, then uninstall the Panoptica controller from your cluster. Here you will find all the required commands. Only run those that are relevant to your setup.
- To remove your cluster from the Panoptica platform, submit a DELETE request with the clusterID to:
  https://appsecurity.cisco.com/api/kubernetesClusters/{kubernetesClusterId}
  If you do not have the clusterID, you can also remove the cluster using the Console UI.
- If you installed Istio in your OpenShift cluster, run these commands to remove it:
helm uninstall panoptica -n istio-system
oc adm policy remove-scc-from-group anyuid system:serviceaccounts:istio-system
- If you installed the Panoptica vault for token injection, run this command to remove it:
helm uninstall panoptica -n securecn-vault
- Then run these commands to remove the Panoptica controller from your OpenShift cluster:
helm uninstall panoptica -n portshift
oc adm policy remove-scc-from-group anyuid system:serviceaccounts:portshift
oc adm policy remove-scc-from-user hostmount-anyuid system:serviceaccounts:portshift:seccomp-installer