Ofir_Shikolski
Employee Alumnus

Achieving Secure Remote Access in Kubernetes with Harmony Connect: A Use Case

Dear Colleagues,

I am writing to share a noteworthy use case that exemplifies the seamless integration of secure remote access within Kubernetes environments. This accomplishment was achieved within the context of a dedicated educational laboratory setup. The success of this endeavor was realized through the adept utilization of Harmony Connect, an innovative solution that streamlines secure connectivity and efficient communication among diverse services within Kubernetes frameworks.

The Challenge:

Within the educational laboratory environment, a key challenge emerged: the need to ensure both transparent and secure remote access for users who sought interaction with applications hosted on a Kubernetes infrastructure. The primary goal was to establish a solution that could provide unhindered and safeguarded entry to applications, all while maintaining the highest standards of security.

The Solution:

To overcome this challenge, I harnessed the power of the Harmony Connect platform by deploying it directly within the Kubernetes environment. This strategic deployment served as the foundation for the creation of two distinct access solutions: client-based and clientless.

Client-Based Solution: The client-based approach facilitated direct communication with an AI system that was locally hosted within the Kubernetes environment. This seamless interaction between developers and the AI API infrastructure enabled enhanced collaboration and engagement.

Clientless Solution: Conversely, the clientless solution was meticulously tailored to grant secure access to three crucial applications: Jira, Jenkins, and an AI frontend web server. This design ensured that remote users could effortlessly engage with these applications without necessitating specialized client software.

Implementation Specifics:

The realization of this solution demanded a methodical execution of the following steps:

Deployment of Harmony Connect:

The deployment of Harmony Connect was inaugurated within the designated namespace. This step was pivotal in ensuring flawless communication between the platform's pods and the essential services.

Clientless Integration:

A dedicated site was established within the Harmony Connect interface, exclusively allocated for Tel Aviv. Consequently, critical deployment parameters, encompassing the Docker image, ODO_ENV configuration, and Secret, were extracted and meticulously managed.

For instance, the Docker image found its origin in adanite/odo_connector:eu_v3. Simultaneously, the ODO_ENV parameter was meticulously configured to align with the European region (eu).

curl --silent https://assets.checkpoint.security/connector-scripts/ConnectorOSValidator.sh | bash -s && \
docker run -d \
  -e ODO_ENV=eu \
  --cap-add=NET_ADMIN \
  --sysctl net.ipv4.ip_forward=1 \
  --device /dev/net/tun \
  --restart=always \
  --log-opt max-size=1g \
  -e Secret=eyJhbGciOiJFUzM4NCJ9.jgAAAAVjb25uZWN0b3JfaWQAEAAAAAAAAAAAAAAAAAAAAAAAAAAABXNpdGVfaWQAEAAAAAAFayGcnURGMorx2bGEpN9vEGludGVybmFsX3NpdGVfaWQA9hMAAAV0ZW5hbnRfaWQAEAAAAAB2epzjTiFCppAPfh9gJo8uAnNpdGVfbmFtZQADAAAAYWEAAA.9uLqbmmtcLUr-pZDpbtoTvZO4jc_aEjy8zPhmoumzqNZMI8slxImf6CX455hQiyQAzUa5Q3IsmsN7lgt4hCZkzCS1TMh95E2GWDNWUGki5OpZE_-NEsGyW1qm7x5X3NY \
  adanite/odo_connector:eu_v3

Significantly, within the laboratory context, Kubernetes Secrets were judiciously employed for sensitive data management. However, in a production environment, the recommendation is to opt for more robust alternatives such as open-source secret managers or cloud provider secrets managers.

Kubernetes Deployment:

The culminating stage involved the orchestrated deployment of the solution's components through meticulously crafted Kubernetes manifests. This comprehensive process encompassed the definition of namespaces, secrets, and a StatefulSet configuration tailored for Harmony Connect.

The resultant deployment harmoniously synchronized the components, yielding an impeccably orchestrated infrastructure. This framework ensured the seamless operation of secure remote access to applications hosted within the Kubernetes environment.

kubectl apply -f - <<EOF
---
apiVersion: v1
kind: Namespace
metadata:
  name: ns-applications
---
apiVersion: v1
kind: Secret
metadata:
  name: "connectorsecret"
  namespace: ns-applications
type: Opaque
data:
  connectorsecret: ZXlKaGJHY2lPaUpGVXpNNE5DSjkuamdBQUFBVmpiMjV1WldOMGIzSmZhV1FBRUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUJYTnBkR1ZmYVdRQUVBQUFBQUFGYXlHY25VUkdNb3J4MmJHRXBOOXZFR2x1ZEdWeWJtRnNYM05wZEdWZmFXUUE5aE1BQUFWMFpXNWhiblJmYVdRQUVBQUFBQUIyZXB6alRpRkNwcEFQZmg5Z0pvOHVBbk5wZEdWZmJtRnRaUUFEQUFBQVlXRUFBQS45dUxxYm1tdGNMVXItcFpEcGJ0b1R2Wk80amNfYUVqeTh6UGhtb3VtenFOWk1JOHNseEltZjZDWDQ1NWhRaXlRQXpVYTVRM0lzbXNON2xndDRoQ1prekNTMVRNaDk1RTJHV0ROV1VHa2k1T3BaRV8tTkVzR3lXMXFtN3g1WDNOWSA=
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: harmonyconnect-connector
  namespace: ns-applications
  labels:
    app: harmonyconnect
    app_group: applications
spec:
  selector:
    matchLabels:
      app: harmonyconnect-connector
  replicas: 5
  template:
    metadata:
      labels:
        app: harmonyconnect-connector
    spec:
      # Uncomment and fill in if required; left empty these keys would be
      # submitted as null values.
      # nodeSelector: {}
      # affinity: {}
      # tolerations: []
      # Note: the docker run command above also sets net.ipv4.ip_forward=1.
      # In Kubernetes that is an unsafe sysctl: it can only be set through
      # securityContext.sysctls once the kubelet allowlists it.
      containers:
      - name: harmonyconnect-connector
        image: "adanite/odo_connector:eu_v3"
        imagePullPolicy: Always
        resources: {}
        securityContext:
          capabilities:
            drop:
              - ALL  # Kubernetes expects the upper-case spelling
            add: ["NET_ADMIN"]
          privileged: false
        volumeMounts:
          - mountPath: /dev/net/tun
            name: devnet
        env:
        - name: Secret
          valueFrom:
            secretKeyRef:
              name: connectorsecret
              key: connectorsecret
        - name: ODO_ENV
          value: eu
      restartPolicy: Always
      volumes:
      - name: devnet
        hostPath:
          path: /dev/net/tun
          type: CharDevice  # fail the pod early if the node lacks the TUN device
  volumeClaimTemplates: []  # Add PVC templates if required
EOF
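Two things in the manifest above are easy to get subtly wrong: the base64 value placed in the Secret (a plain `echo` appends a newline that then becomes part of the token the connector reads) and the container's least-privilege settings. The following check is an added example, not part of the original post or of Check Point's tooling; the token, manifest fragment and expected "ES384" algorithm are constructed assumptions for illustration.

```python
import base64
import json

# Constructed sample inputs (not the post's real token or manifest): a Secret .data
# value encoded with plain `echo`, which appends a newline, plus a container spec.
SAMPLE_TOKEN = "eyJhbGciOiJFUzM4NCJ9.eyJzaXRlX25hbWUiOiJsYWIifQ.c2lnbmF0dXJl"
SAMPLE_SECRET_DATA = base64.b64encode((SAMPLE_TOKEN + "\n").encode()).decode()
CLEAN_SECRET_DATA = base64.b64encode(SAMPLE_TOKEN.encode()).decode()
SAMPLE_CONTAINER = {
    "securityContext": {"privileged": False,
                        "capabilities": {"drop": ["all"], "add": ["NET_ADMIN"]}},
    "env": [{"name": "Secret", "value": SAMPLE_TOKEN},
            {"name": "ODO_ENV", "value": "eu"}],
}

def check_secret_value(b64_value: str, expected_alg: str = "ES384") -> list[str]:
    """Decode a Secret .data entry and report anything that would break the connector."""
    problems = []
    raw = base64.b64decode(b64_value).decode("utf-8", errors="replace")
    if raw != raw.strip():
        problems.append("token has surrounding whitespace; encode with `printf %s` or `echo -n`")
    parts = raw.strip().split(".")
    if len(parts) != 3:
        return problems + [f"expected 3 JWT segments, got {len(parts)}"]
    # JWT segments are unpadded base64url; restore padding before decoding the header
    header_b64 = parts[0] + "=" * (-len(parts[0]) % 4)
    try:
        alg = json.loads(base64.urlsafe_b64decode(header_b64)).get("alg")
    except (ValueError, AttributeError):
        return problems + ["JWT header is not a base64url-encoded JSON object"]
    if alg != expected_alg:
        problems.append(f"header alg is {alg!r}, expected {expected_alg!r}")
    return problems

def check_container(container: dict) -> list[str]:
    """Confirm the connector keeps the least-privilege settings of the manifest."""
    problems = []
    sc = container.get("securityContext", {})
    caps = sc.get("capabilities", {})
    if sc.get("privileged"):
        problems.append("container is privileged")
    if [c.upper() for c in caps.get("drop", [])] != ["ALL"]:
        problems.append("capabilities.drop must be exactly ['ALL']")
    if {c.upper() for c in caps.get("add", [])} - {"NET_ADMIN"}:
        problems.append("capabilities.add grants more than NET_ADMIN")
    for env in container.get("env", []):
        if env.get("name") == "Secret" and "valueFrom" not in env:
            problems.append("Secret is a literal env value; reference it via secretKeyRef")
    return problems
```

Run it against the `data` value of your own Secret and the container entry of the StatefulSet before applying the manifest; an empty list from both functions means nothing obvious is wrong.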

In Conclusion:

In conclusion, this illustrative use case stands as a testament to the prowess of Harmony Connect in facilitating secure and transparent remote access to Kubernetes-hosted applications. By strategically deploying the platform and intricately configuring its components, a robust and secure solution was crafted to meet the rigorous demands of educational settings.

The innate compatibility of client-based and clientless access methods underscores the versatility of Harmony Connect, rendering it an appealing choice for organizations seeking to enhance remote accessibility to their Kubernetes applications.
