
Install MicroK8s

The SC4S deployment model with MicroK8s uses specific features of this distribution of k8s. While this may be reproducible with other distributions, such an undertaking requires more advanced awareness of, and responsibility for, the cluster on the administrator's part.

  • MetalLB ensures the source IP of the syslog sender is preserved
  • Bring any operating system (Windows/CentOS/RHEL/Ubuntu/Debian)

This configuration requires at least 2 IP addresses: one for the host and one for the internal load balancer (MetalLB). We suggest allocating 3 IP addresses for hosts (enough for the three-node HA layout described below) and 5-10 addresses for later use.

FAQ

Question: How is this deployment model supported? Answer: Similar to other deployment methods, Splunk supports the container itself and the procedural guidance for implementation but does not directly support or otherwise provide resolutions for issues within the runtime environment.

Question: Why is this “load balancer” ok but others are not? Answer: While we are using a load balancer with one instance per host, the traffic is restricted to the entry node and one instance of sc4s will run per node. This limits the function of MetalLB to the same function as a Cluster Manager.

Question: Is this a recommended deployment model? Answer: Yes, the single-server microk8s model is a recommended option. The use of clustering does have additional tradeoffs and should be carefully considered on a deployment-specific basis.

# Install MicroK8s itself, then a normal (non-microk8s) kubectl, which the operator scripts expect on the PATH
sudo snap install microk8s --classic
sudo snap install kubectl --classic
# Basic setup of k8s: let this user drive microk8s without sudo
sudo usermod -a -G microk8s $USER
sudo chown -f -R $USER ~/.kube

# Re-login so the new group membership takes effect
su - $USER
microk8s status --wait-ready
# Note: when enabling metallb you will be prompted for one or more IPs to be used as entry points
# into the cluster. If you plan to enable clustering, this IP must not be assigned to any host
# (it floats between nodes). If you do not plan to cluster, it may be the same IP as the host.
# Note 2: a single IP in CIDR notation is x.x.x.x/32; use CIDR or range (a.b.c.d-a.b.c.e) syntax
microk8s enable dns metallb rbac storage openebs helm3
microk8s status --wait-ready
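The metallb prompt accepts whatever you type, and a pool that overlaps a node's own address only shows up as a problem once a second node joins. The following shell script is an added example, not part of the SC4S or MicroK8s projects; it encodes the two rules from the comments above (pool is CIDR, x.x.x.x/32 for a single address, or an a-b range; when clustering is planned the pool must not contain a host IP) so you can check your answer before enabling the addon. All addresses in it are constructed.

```shell
#!/usr/bin/env bash
# Check a MetalLB address pool before `microk8s enable metallb`.
# Added example, not SC4S or MicroK8s project code. Rules encoded:
#  - pool is CIDR (x.x.x.x/32 for one address) or a range a.b.c.d-a.b.c.e
#  - in "cluster" mode the pool must not contain the host's own IP (it floats)
#  - in "single" mode the pool may equal the host IP

# Return 0 if $1 is a well-formed IPv4 dotted quad (four octets, each 0-255).
valid_ipv4() {
  printf '%s\n' "$1" | awk -F. '
    NF != 4 { bad = 1; exit }
    { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) { bad = 1; exit } }
    END { exit bad }'
}

# Print the dotted quad $1 as an unsigned 32-bit integer.
ip2int() {
  printf '%s\n' "$1" | awk -F. '{ printf "%.0f\n", $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 }'
}

# Return 0 if host $2 lies inside pool $1 (already validated), 1 otherwise.
pool_contains() {
  local pool=$1 host=$2 h lo hi net len
  h=$(ip2int "$host")
  case $pool in
    */*)
      net=$(ip2int "${pool%/*}"); len=${pool#*/}
      # same network iff the high (len) bits agree; divide instead of shifting (POSIX awk)
      awk -v n="$net" -v h="$h" -v s=$((32 - len)) 'BEGIN { exit !(int(n / 2^s) == int(h / 2^s)) }'
      ;;
    *-*)
      lo=$(ip2int "${pool%-*}"); hi=$(ip2int "${pool#*-}")
      [ "$h" -ge "$lo" ] && [ "$h" -le "$hi" ]
      ;;
  esac
}

# validate_metallb_pool POOL HOST_IP MODE   (MODE: single | cluster); 0 = acceptable
validate_metallb_pool() {
  local pool=$1 host=$2 mode=$3 a b len
  valid_ipv4 "$host" || { echo "host IP '$host' is not a valid IPv4 address"; return 1; }
  case $pool in
    */*)
      a=${pool%/*}; len=${pool#*/}
      valid_ipv4 "$a" || { echo "pool '$pool': bad network address"; return 1; }
      case $len in ''|*[!0-9]*) echo "pool '$pool': prefix length must be numeric"; return 1 ;; esac
      [ "$len" -le 32 ] || { echo "pool '$pool': prefix length > 32"; return 1; }
      ;;
    *-*)
      a=${pool%-*}; b=${pool#*-}
      valid_ipv4 "$a" && valid_ipv4 "$b" || { echo "pool '$pool': bad range endpoint"; return 1; }
      [ "$(ip2int "$a")" -le "$(ip2int "$b")" ] || { echo "pool '$pool': range start is above range end"; return 1; }
      ;;
    *)
      echo "pool '$pool': use CIDR (x.x.x.x/32 for one address) or range (a-b) syntax"; return 1
      ;;
  esac
  if [ "$mode" = cluster ] && pool_contains "$pool" "$host"; then
    echo "pool '$pool' contains host IP $host; clustered MetalLB IPs must float, not belong to a node"
    return 1
  fi
  echo "pool '$pool' OK for $mode mode (host $host)"
}

# Constructed demo inputs (not from any real deployment):
for args in "10.202.32.50/32 10.202.32.11 single" \
            "10.202.32.11/32 10.202.32.11 cluster" \
            "10.202.32.50-10.202.32.59 10.202.32.11 cluster"; do
  set -- $args
  if validate_metallb_pool "$1" "$2" "$3"; then echo "  -> accept"; else echo "  -> reject"; fi
done
```

Run it with the pool you intend to type at the prompt and each node's address; the second demo line is the case the comments warn about (the pool is a node's own IP while clustering is planned) and is rejected.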

Add SC4S Helm repo

microk8s helm3 repo add splunk-connect-for-syslog https://splunk.github.io/splunk-connect-for-syslog
microk8s helm3 repo update

Create a config file

#values.yaml
splunk:
    hec_url: "https://10.202.32.101:8088/services/collector/event"
    hec_token: "00000000-0000-0000-0000-000000000000"
    hec_verify_tls: "yes"

Install SC4S

microk8s helm3 install sc4s splunk-connect-for-syslog/splunk-connect-for-syslog -f values.yaml
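values.yaml carries the HEC token in cleartext and decides whether the HEC certificate is verified, so it is worth a quick lint before `helm3 install`. The following shell script is an added example, not SC4S project code; it reads the three splunk.* keys used on this page with sed (no YAML parser is needed on the node) and flags a plaintext hec_url, hec_verify_tls other than "yes", and the all-zero placeholder token. The endpoint and token in its demo are constructed placeholders.

```shell
#!/usr/bin/env bash
# Pre-flight lint for the SC4S Helm values.yaml (added example, not project code).
# Line-oriented: handles the flat "key: value" lines shown on this page only.

# Print the scalar for key $2 in file $1 (first match), minus trailing comment and quotes.
yaml_value() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n1 \
    | sed -e 's/[[:space:]]*#.*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# lint_values FILE: print FAIL/WARN lines; return 0 only when there is no FAIL.
lint_values() {
  local f=$1 fails=0 url token verify
  [ -r "$f" ] || { echo "FAIL cannot read $f"; return 1; }
  url=$(yaml_value "$f" hec_url)
  token=$(yaml_value "$f" hec_token)
  verify=$(yaml_value "$f" hec_verify_tls)

  case $url in
    https://*/services/collector*) ;;
    https://*) echo "WARN hec_url is https but not a /services/collector path: $url" ;;
    http://*)  echo "FAIL hec_url would send the token over plaintext http: $url"; fails=$((fails + 1)) ;;
    *)         echo "FAIL hec_url missing or malformed: '$url'"; fails=$((fails + 1)) ;;
  esac

  # Only "yes" keeps certificate verification on; anything else lets an impostor HEC collect the token.
  if [ "$verify" != "yes" ]; then
    echo "FAIL hec_verify_tls is '${verify:-<unset>}'; set it to \"yes\""; fails=$((fails + 1))
  fi

  if [ -z "$token" ] || [ "$token" = "00000000-0000-0000-0000-000000000000" ]; then
    echo "FAIL hec_token is empty or still the documentation placeholder"; fails=$((fails + 1))
  elif ! printf '%s\n' "$token" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'; then
    echo "WARN hec_token is not UUID-shaped; check it was pasted completely"
  fi

  # The token sits in cleartext in this file: keep it readable by its owner only.
  if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
    echo "WARN $f is group- or world-readable (chmod 600 it)"
  fi

  [ "$fails" -eq 0 ]
}

# Constructed demo input (placeholder endpoint and token, not a real deployment):
demo=$(mktemp -d)
cat > "$demo/values.yaml" <<'EOF'
splunk:
    hec_url: "https://10.202.32.101:8088/services/collector/event"
    hec_token: "00000000-0000-0000-0000-000000000000"
    hec_verify_tls: "no"
EOF
chmod 600 "$demo/values.yaml"
lint_values "$demo/values.yaml" || echo "=> fix the FAIL lines before running helm3 install"
rm -r "$demo"
```

Point `lint_values` at your real values.yaml; a WARN is advisory, a FAIL means the chart would either leak the token or skip TLS verification as configured.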

Upgrade SC4S

microk8s helm3 upgrade sc4s splunk-connect-for-syslog/splunk-connect-for-syslog -f values.yaml

Setup for HA with multiple nodes

See https://microk8s.io/docs/high-availability

Note: Three identically-sized nodes are required for HA

#values.yaml
replicaCount: 6 #2x node count
splunk:
    hec_url: "https://10.202.32.101:8088/services/collector/event"
    hec_token: "00000000-0000-0000-0000-000000000000"
    hec_verify_tls: "yes"

Upgrade SC4S (the helm3 upgrade command above) to apply the new config.

Advanced Configuration

Using a Helm-based deployment precludes direct configuration of environment variables and context files, but most configuration can be set via values.yaml.

sc4s: 
  # Certificate as a k8s Secret with tls.key and tls.crt fields
  # Ideally produced and managed by cert-manager.io
  existingCert: example-com-tls
  #
  vendor_product:
    - name: checkpoint
      ports:
        tcp: [9000] #Same as SC4S_LISTEN_CHECKPOINT_TCP_PORT=9000
        udp: [9000]
      options:
        listen:
          old_host_rules: "yes" #Same as SC4S_LISTEN_CHECKPOINT_OLD_HOST_RULES=yes

    - name: infoblox
      ports:
        tcp: [9001, 9002]
        tls: [9003]
    - name: fortinet
      ports:
        ietf_udp:
          - 9100
          - 9101
  context_files:
    splunk_metadata.csv: |-
      cisco_meraki,index,foo
    host.csv: |-
      192.168.1.1,foo
      192.168.1.2,moon

Resource Management

Generally two instances will be provisioned per node. Adjust requests and limits so that each instance can use about 40% of each node's CPU and memory, presuming no other workload is present.

resources:
  # Placeholder values; size each instance to ~40% of the node as described above
  limits:
    cpu: 100m
    memory: 128Mi
  requests:
    cpu: 100m
    memory: 128Mi