# KOP Airgap - Requirements
Organizations need to make the following core sets of resources available for a successful deployment and ongoing operation of the air-gap controller:
- Infrastructure
- DNS Records
- x.509 Certificate (optional)
- Email Addresses
- Logo (optional)
- External LB setup (optional)
## Infrastructure

### Environments

| Environment | Requirements |
|---|---|
| Bare Metal/VM | Click Here |
| AWS EC2 | Click Here |
| Amazon EKS | Coming Soon |
| Azure AKS | Click Here |
| Google GKE | N/A |
### Production Deployment

The Highly Available (HA) option is the only recommended option for production deployments.

This table captures the minimum infrastructure requirements to provision and operate both the Kubernetes and the Controller application tech stack.

| Requirement | Description |
|---|---|
| Operating System | CentOS 7, RHEL 8.2 |
| Number of Instances | FOUR (4) |
| CPU/Memory | MINIMUM 16 CPUs, 64 GB Memory |
| Root Disk | 100 GB |
| Data Disk | 500 GB formatted, attached as data volume |
| Open Inbound Ports | 443/tcp |
| Inter Node Networking | All nodes should be able to communicate via any tcp/udp port |

Note: Data storage requirements can vary based on the scale of deployments that need to be supported and the required data retention periods.
### Non Production Deployment

This option is not recommended for production deployments. It may be used for a quick test drive to get a view of what the installation process looks like.

This table captures the minimum infrastructure requirements to provision and operate both the Kubernetes and the Controller application tech stack.

| Requirement | Description |
|---|---|
| Operating System | CentOS 7, RHEL 8.2 |
| Number of Instances | ONE |
| CPU/Memory | MINIMUM 16 CPUs, 64 GB Memory |
| Root Disk | Min 100 GB |
| Data Disk | Min 500 GB formatted, attached as data volume |
| Open Inbound Ports | 443/tcp |
## DNS Requirements

The installation of the controller requires "wildcard records". The DNS records for the wildcard FQDN should point to the controller's node IP address.

Example: "*.controller.example.com"

Underneath the covers, the controller exposes a number of unique and distinct endpoints backed by specific services. This microservices architecture allows the controller to scale specific components up and down as required in the deployment.

Note: Contact the support team if you would like us to host the DNS domain for you.
## x509 Certificates

All the endpoints exposed by the controller require the use of TLS for secure communications. A Certificate Authority (CA) signed wildcard certificate for the target DNS (e.g. *.controller.example.com) is necessary for production deployments.

If a wildcard certificate is not available, the controller can generate "self-signed" certificates instead: set the "generate-self-signed-certs" key to "True" in the config.yaml file during installation.

Note: The self-signed certificate option is not recommended if the controller needs to be deployed and operated on a public network.
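A pre-flight script that checks a node against the infrastructure, DNS and certificate requirements above, as an added example (not part of the product or its installer). The thresholds mirror the Production Deployment table; the wildcard domain, node IP and certificate path passed to `preflight` are placeholders for your own values.

```shell
#!/usr/bin/env bash
# Pre-flight check against the requirements on this page. Thresholds mirror
# the Production Deployment table; the domain, node IP and certificate path
# passed to preflight are placeholders for your own values.
set -u

MIN_CPUS=16
MIN_MEM_KB=$((64 * 1024 * 1024))   # 64 GB; /proc/meminfo reports kB
MIN_ROOT_GB=100

cpu_ok()  { [ "$1" -ge "$MIN_CPUS" ]; }
mem_ok()  { [ "$1" -ge "$MIN_MEM_KB" ]; }
disk_ok() { [ "$1" -ge "$2" ]; }    # $1 = size in GB, $2 = required minimum

# True when a wildcard such as "*.controller.example.com" covers FQDN $2.
# A wildcard matches exactly one DNS label, so "a.b.controller.example.com"
# and the bare "controller.example.com" are not covered.
wildcard_covers() {
  local pat=$1 fqdn=$2 suffix head
  case $pat in '*.'*) ;; *) return 1 ;; esac
  suffix=${pat#\*}                  # ".controller.example.com"
  head=${fqdn%"$suffix"}            # the part of the FQDN before the suffix
  [ "$head" != "$fqdn" ] && [ -n "$head" ] && [ "${head%.*}" = "$head" ]
}

# The wildcard record must resolve to the controller node IP. getent is used
# rather than dig so the check works on a minimal air-gapped host.
wildcard_points_to() {              # $1 = probe FQDN, $2 = expected IPv4
  getent ahostsv4 "$1" | awk '{print $1}' | sort -u | grep -qx "$2"
}

preflight() {                       # $1 = wildcard, $2 = node IP, $3 = cert PEM
  local rc=0 probe="console${1#\*}" mem root
  mem=$(awk '/^MemTotal/ {print $2}' /proc/meminfo)
  root=$(df -BG --output=size / | tail -1 | tr -dc 0-9)
  cpu_ok "$(nproc)"         || { echo "FAIL: need >= $MIN_CPUS CPUs"; rc=1; }
  mem_ok "$mem"             || { echo "FAIL: need >= 64 GB memory"; rc=1; }
  disk_ok "$root" "$MIN_ROOT_GB" || { echo "FAIL: root disk < $MIN_ROOT_GB GB"; rc=1; }
  wildcard_points_to "$probe" "$2" || { echo "FAIL: $probe does not resolve to $2"; rc=1; }
  # The certificate presented on every endpoint must carry the wildcard as a SAN.
  openssl x509 -in "$3" -noout -text 2>/dev/null | grep -q "DNS:$1" \
    || { echo "FAIL: $3 has no subjectAltName entry for $1"; rc=1; }
  return "$rc"
}
```

Run it on each controller node as `preflight '*.controller.example.com' <node-ip> /path/to/wildcard.pem`; a non-zero exit lists every unmet requirement rather than stopping at the first.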
## Email Addresses

The installation also requires the following email addresses:
- An email address for the controller administration user
- An email address for receiving support emails from the controller
- An email address for receiving alerts and notifications (optional)
## Company Logo (Optional)

A company logo (size 150 x 100 pixels, ~200KB) in PNG format can be provided for a white-labeled experience on the controller's web console.
## External LB Setup (Optional)

An AWS Classic LB with NLB can be used to offload the SSL certificates for the UI domains and to redirect traffic to the hosts. This can be enabled in config.yaml by setting the "override-config.global.external_lb" key to "True".

Below are the additional requirements for installation:
- CA signed wildcard certificate for DNS *.
- Port 443/TCP inbound to the Load Balancer from the user machine
- Ports 30326, 30426, 30526 & 30726 TCP inbound to the controller instance