Kubernetes Challenge

Development / Security

Amazon Web Services EC2

Ubuntu OS /T5.Large 25GiB gp2

App Development Server

Step 1: Launching an AWS EC2 Instance
- Log in to the AWS Management Console and navigate to the EC2 dashboard.
- Click on the "Launch Instance" button and select an Ubuntu Server Amazon Machine Image (AMI).
- Create new key pair for ssh login
- Select t5.Large as the instance type with at least 25GiB of gp2 EBS.
- For cost saving select spot instance pricing (if desired).
- Configure a security group to allow inbound traffic on port 22 for SSH, port 8081 for Netflix, port 9000 for SonarQube, and port 8080 for Jenkins.

Step 2: Connecting to the EC2 Instance
- Once the instance is running, connect to it using SSH. You can use a tool like PuTTY (for Windows) or the terminal (for macOS/Linux) to establish a secure connection.

Step 3: Clone Repository
- The Github repo I used for this project was provided by "N4si" on Github "https://github.com/N4si/DevSecOps-Project"
- while connected via SSH run "git clone https://github.com/N4si/DevSecOps-Project.git"

Step 4: Configure Docker
- Run the following commands in SSH terminal to update Ubuntu, install, and configure Docker
- sudo apt-get update
- sudo apt-get install docker.io -y
- sudo usermod -aG docker $USER # Replace with your system's username, e.g., 'ubuntu'
- newgrp docker
- sudo chmod 777 /var/run/docker.sock

Step 5: TMDB API Key
- Go to https://www.themoviedb.org and create an account
- navigate to https://www.themoviedb.org/settings/api
- Follow the Create App prompt
- Once app is created, under the "Settings" menu on the left select "API"
- Take note of the API Key listed

Step 6: Build Docker Image
- Run the following commands in SSH terminal to build Docker image using TMDB API Key argument
- docker build --build-arg TMDB_V3_API_KEY=YOUR_API_KEY_HERE -t netflix .
- docker run -d -p 8081:80 netflix:latest #Run image as container
- docker ps # This will list running containers, netflix should be visible

Step 7: Install SonarQube and Trivy for Security
- Run the following commands in SSH terminal to install Trivy and SonarQube
- docker run -d --name sonar -p 9000:9000 sonarqube:lts-community
- wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
- echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
- sudo apt-get update
- sudo apt-get install trivy
- trivy image IMAGE_ID # Replace with your image ID to scan

Step 8: Install Jenkins for Automation
- Run the following commands in SSH terminal to install javaJDK and Jenkins
- sudo apt update
- sudo apt install fontconfig openjdk-17-jre
- java -version openjdk version "17.0.8" 2023-07-18 OpenJDK Runtime Environment (build 17.0.8+7-Debian-1deb12u1) OpenJDK 64-Bit Server VM (build 17.0.8+7-Debian-1deb12u1, mixed mode, sharing)
- sudo wget -O /usr/share/keyrings/jenkins-keyring.asc \ https://pkg.jenkins.io/debian-stable/jenkins.io-2023.key
- echo deb [signed-by=/usr/share/keyrings/jenkins-keyring.asc] \ https://pkg.jenkins.io/debian-stable binary/ | sudo tee \ /etc/apt/sources.list.d/jenkins.list > /dev/null
- sudo apt-get update
- sudo apt-get install jenkins
- sudo systemctl start jenkins
- sudo systemctl enable jenkins
- sudo su
- sudo usermod -aG docker jenkins
- sudo systemctl restart jenkins
- Access Jenkins via your browser using your EC2 publicIP:8080 to confirm success

Step 9: Install Jenkins Plugins
- Via the browser go to Jenkins>Plugins>Available Plugins
- Install the below plugins
- Eclipse Temurin Installer (Install without restart)
- SonarQube Scanner (Install without restart)
- NodeJs Plugin (Install Without restart)
- Next configure Java and NodeJS in Tool Configuration
- Goto Manage Jenkins>Tools>Add JDK>Install automatically>from adoptium.net name="jdk17" version 17.0.8.1+1> Click apply and save
- Goto Manage Jenkins>Tools>Add NodeJS>Install automatically>from nodejs.org version(16.2.0) name="node17"> Click apply and save
- It is important to keep the names given above due to a config file call.
- Navigate to SonarQube using EC2 publicIP:9000
- Goto Administration>Security>Tokens
- Generate token named "jenkins"
- Goto Jenkins Dashboard → Manage Jenkins → Credentials → Add Secret Text
- Paste jenkins token and save
- Goto Jenkins Dashboard → Manage Jenkins → Tools → Add SonarQube Scanner Installation
- Name it sonar-scanner and use version 5.0.1.3006 then click apply and save

Step 10: Install OWASP Dependency Checker
- Goto Jenkins>Dashbaord>Manage Jenkins>Plugins>Available Plugins
- Install OWASP Dependency checker without restart
- Goto Jenkins>Dashbaord>Manage Jenkins>Tools>Dependency-Check installations
- Add Dependency-Check
- Name it "DP-Check", automatically install, using version 8.4.0 from github.com click apply and save
- Goto Jenkins>Dashbaord>Manage Jenkins>Plugins>Available Plugins
- Install the following Docker plugins
- Docker, Docker Commons, Docker Pipeline, Docker API, docker-build-step
- Goto Dashboard>Manage Jenkins>Credentials to add DockerHub authentication
- Click System>Global Credentials>Add Credentials (on the left)
- Add username and password from Dockerhub login (create Dockerhub account if you don't have one)

Step 11: Build Ci/CD Pipeline
- Goto your netflix project in Jenkins and click configure
- Paste the following script in the Pipeline section. Make sure to add your TMDB API Key and replace my Dockerhub username with your own.
- pipeline{ agent any tools{ jdk 'jdk17' nodejs 'node16' } environment { SCANNER_HOME=tool 'sonar-scanner' } stages { stage('clean workspace'){ steps{ cleanWs() } } stage('Checkout from Git'){ steps{ git branch: 'main', url: 'https://github.com/N4si/DevSecOps-Project.git' } } stage("Sonarqube Analysis "){ steps{ withSonarQubeEnv('sonar-server') { sh ''' $SCANNER_HOME/bin/sonar-scanner -Dsonar.projectName=Netflix \ -Dsonar.projectKey=Netflix ''' } } } stage("quality gate"){ steps { script { waitForQualityGate abortPipeline: false, credentialsId: 'Sonar-token' } } } stage('Install Dependencies') { steps { sh "npm install" } } stage('OWASP FS SCAN') { steps { dependencyCheck additionalArguments: '--scan ./ --disableYarnAudit --disableNodeAudit', odcInstallation: 'DP-Check' dependencyCheckPublisher pattern: '**/dependency-check-report.xml' } } stage('TRIVY FS SCAN') { steps { sh "trivy fs . > trivyfs.txt" } } stage("Docker Build & Push"){ steps{ script{ withDockerRegistry(credentialsId: 'docker', toolName: 'docker'){ sh "docker build --build-arg TMDB_V3_API_KEY=8028bdd4f2e3488139fe39b65eb4d2d6 -t netflix ." sh "docker tag netflix chhupert91/netflix:latest " sh "docker push chhupert91/netflix:latest " } } } } stage("TRIVY"){ steps{ sh "trivy image chhupert91/netflix:latest > trivyimage.txt" } } stage('Deploy to container'){ steps{ sh 'docker run -d -p 8081:80 chhupert91/netflix:latest' } } } }
- Click Build Now

Monitoring

Amazon Web Services EC2

Ubuntu OS /t2.Medium 25GiB gp2

App Monitoring Server

Step 12: Launching an AWS EC2 Instance
- Log in to the AWS Management Console and navigate to the EC2 dashboard.
- Click on the "Launch Instance" button and select an Ubuntu Server Amazon Machine Image (AMI).
- For best practices, launch this instance in a different subnet from your app development server
- Select t2.Medium as the instance type with at least 25GiB of gp2 EBS.
- For cost saving select spot instance pricing (if desired).
- Configure a new security group to allow inbound traffic on port 22 for SSH, port 9090 for Prometheus, port 9100 for Node Exporter, and port 3000 for Grafana.

Step 13: Connecting to the EC2 Instance
- Once the instance is running, connect to it using SSH. You can use a tool like PuTTY (for Windows) or the terminal (for macOS/Linux) to establish a secure connection.

Step 3: Install Prometheus
- Run the following commands in the SSH terminal
- sudo useradd --system --no-create-home --shell /bin/false prometheus
- wget https://github.com/prometheus/prometheus/releases/download/v2.47.1/prometheus-2.47.1.linux-amd64.tar.gz
- tar -xvf prometheus-2.47.1.linux-amd64.tar.gz
- cd prometheus-2.47.1.linux-amd64/
- sudo mkdir -p /data /etc/prometheus
- sudo mv prometheus promtool /usr/local/bin/
- sudo mv consoles/ console_libraries/ /etc/prometheus/
- sudo mv prometheus.yml /etc/prometheus/prometheus.yml
- sudo chown -R prometheus:prometheus /etc/prometheus/ /data/
- sudo nano /etc/systemd/system/prometheus.service
- # Add the following
- [Unit] Description=Prometheus Wants=network-online.target After=network-online.target StartLimitIntervalSec=500 StartLimitBurst=5 [Service] User=prometheus Group=prometheus Type=simple Restart=on-failure RestartSec=5s ExecStart=/usr/local/bin/prometheus \ --config.file=/etc/prometheus/prometheus.yml \ --storage.tsdb.path=/data \ --web.console.templates=/etc/prometheus/consoles \ --web.console.libraries=/etc/prometheus/console_libraries \ --web.listen-address=0.0.0.0:9090 \ --web.enable-lifecycle [Install] WantedBy=multi-user.target
- sudo systemctl enable prometheus
- sudo systemctl start prometheus
- sudo systemctl status prometheus # Confirm prometheus is runnning
- Access Prometheus via your browser at your ec2 PublicIP:9090

Step 14: Install Node Exporter
- Run the following commands in the SSH terminal
- sudo useradd --system --no-create-home --shell /bin/false node_exporter
- wget https://github.com/prometheus/node_exporter/releases/download/v1.6.1/node_exporter-1.6.1.linux-amd64.tar.gz
- tar -xvf node_exporter-1.6.1.linux-amd64.tar.gz
- sudo mv node_exporter-1.6.1.linux-amd64/node_exporter /usr/local/bin/
- rm -rf node_exporter*
- sudo nano /etc/systemd/system/node_exporter.service
- Add the following and save
- [Unit] Description=Node Exporter Wants=network-online.target After=network-online.target StartLimitIntervalSec=500 StartLimitBurst=5 [Service] User=node_exporter Group=node_exporter Type=simple Restart=on-failure RestartSec=5s ExecStart=/usr/local/bin/node_exporter --collector.logind [Install] WantedBy=multi-user.target
- sudo systemctl enable node_exporter
- sudo systemctl start node_exporter
- sudo systemctl status node_exporter # Confirm node exporter is working

Step 15: Configure Prometheus Plugin
- Run the following commands in the SSH terminal
- cd prometheus-2.47.1.linux-amd64/etc/prometheus/
- sudo nano prometheus.yml
- Add the following to the file, replacing my IP's with the private IP's of your instances.
- use commands ctrl+s and ctrl+x to save and exit the file
- promtool check config /etc/prometheus/prometheus.yml # Checks proper yml syntax
- curl -X POST http://localhost:9090/-/reload
- Access Prometheus via your publicIP:9090

Step 16: Install / Configure Grafana
- Run the following commands in the SSH / PuTTY terminal
- sudo apt-get install -y apt-transport-https software-properties-common
- wget -q -O - https://packages.grafana.com/gpg.key | sudo apt-key add -
- echo "deb https://packages.grafana.com/oss/deb stable main" | sudo tee -a /etc/apt/sources.list.d/grafana.list
- sudo apt-get update
- sudo apt-get -y install grafana
- sudo systemctl enable grafana-server
- sudo systemctl start grafana-server
- sudo systemctl status grafana-server # Confirm Grafana status
- Access Grafana via your publicIP:3000
- When you log in for the first time, Grafana will prompt you to change the default password for security reasons. Follow the prompts to set a new password.
- Click on the gear icon (⚙) in the left sidebar to open the "Configuration" menu.
- Select Data Sources > Add Data Source > Prometheus
- Add http://localhost:9090 to the HTTP input and click Save & Test
- Import a pre-configured dashboard by clicking the "+" (plus) icon in the left sidebar to open the "Create" menu.
- Goto Dashboard > Import > (enter dashboard code from https://grafana.com/grafana/dashboards/)
- Select Prometheus as data source then click import
- You should now have a pre-configured dashboard available
- Once this is complete navigate back to Jenkins in your browser and install the Prometheus plugin

Container Orchestration

Amazon Web Services Elastic Kubernetes Service (EKS)

Ubuntu OS /t3.Medium 25GiB gp2 EBS

EKS Instance Node Group

Step 17: Create Kubernetes Cluster
- In AWS navigate to EKS dashboard and select Add Cluster
- Create an IAM Role with the 'AmazonEKSClusterPolicy' attached
- You may need to remove us-east-1a subnet to deploy cluster (this sn seems to be full frequently)
- Configure a security group to open port 3000 for Grafana, 9100 for Node Exporter, and 30007 for ELB
- Use default add-ons
- Once created, navigate to your EKS cluster, then to the Compute tab
- Click Add Node Group and name it 'nodes'
- Create an IAM role with the following policies attached:
- AmazonEBSCSIDriverPolicy, AmazonEC2ContainerRegistryReadOnly, AmazonEKD_CNI_Policy, AmazonEKSWorkerNodePolicy
- To reduce costs, set minimum and maximum number of nodes to 1
- Remove the two subnets your dev and monitoring servers are deployed in
- Click Create

Step 18: Install Node Exporter using Helm
- Using your local CMD install Helm (if not already installed) and run the following commands
- Note: you may also need to install kubectl
- helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
- kubectl create namespace prometheus-node-exporter
- helm install prometheus-node-exporter prometheus-community/prometheus-node-exporter --namespace prometheus-node-exporter
- restart Prometheus by using your monitoring server's PuTTY / SSH terminal

Step 19: Install ArgoCD
- Using your local CMD run the following commands
- Note: you may need to install aws cli locally
- aws eks update-kubeconfig --name Netflix --region us-east-1
- kubectl get ns #ping
- kubectol get pods #checking no pods exists
- kubectl create namespace argocd
- kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v2.4.7/manifests/install.yaml
- Switch to Powershell
- run > kubectl patch svc argocd-server -n argocd -p '{\"spec\": {\"type\": \"LoadBalancer\"}}'
- Switch back to local CMD
- kubectl get svc -n argocd
- kubectl get svc argocd-server -n argocd -o json | jq --raw-output ".status.loadBalancer.ingress[0].hostname"
- copy output, this is your host endpoint name
- Because Windows does not have Base64 decoder, run the following commands to obtain ArgoCD initial login secret
- kubectl -n argocd get secret argocd-initial-admin-secret -o jsonpath="{.data.password}"
- save output in a text file as 'ARGO_PWD.txt'
- using certutil run the following to decode
- certutil -decode ARGO_PWD.txt DECODED.txt
- Open DECODED.txt and copy to password
- Login to ArgoCD at YOUR_COPIED_ENDPOINT by using username: 'admin' password: (what you copied from decoded.txt)
- Click the gear icon (⚙) on the left hand side, then Repositories >Connect Repo Using HTTPS
- Select type 'git', Project=default, URL='https://github.com/N4si/DevSecOps-Project.git', then click Connect
- Click Manage Apps on the left side of the page, then select New App
- App Name='netflix', Project Name='default', sync Policy='automatic', Repo URL='https://github.com/N4si/DevSecOps-Project.git'
- Path='Kubernetes', Namespace='default'
- Click Sync, then Force

Step 20: Finishing Up
- Navigate back to Grafana in your browser and add a Kubernetes dashboard using the same method as before
- Navigate to your EKS node publiIP:300007
- You have successfully deployed a Netflix clone on Kubernetes in AWS :]

Netflix Application Clone Deployed on Kubernetes

Development / Security

Amazon Web Services EC2

Ubuntu OS /T5.Large 25GiB gp2

App Development Server

Step 1: Launching an AWS EC2 Instance

Step 2: Connecting to the EC2 Instance

Step 3: Clone Repository

Step 4: Configure Docker

Step 5: TMDB API Key

Step 6: Build Docker Image

Step 7: Install SonarQube and Trivy for Security

Step 8: Install Jenkins for Automation

Step 9: Install Jenkins Plugins

Step 10: Install OWASP Dependency Checker

Step 11: Build Ci/CD Pipeline

Monitoring

Amazon Web Services EC2

Ubuntu OS /t2.Medium 25GiB gp2

App Monitoring Server

Step 12: Launching an AWS EC2 Instance

Step 13: Connecting to the EC2 Instance

Step 3: Install Prometheus

Step 14: Install Node Exporter

Step 15: Configure Prometheus Plugin

Step 16: Install / Configure Grafana

Container Orchestration

Amazon Web Services Elastic Kubernetes Service (EKS)

Ubuntu OS /t3.Medium 25GiB gp2 EBS

EKS Instance Node Group

Step 17: Create Kubernetes Cluster

Step 18: Install Node Exporter using Helm

Step 19: Install ArgoCD

Switch to Powershell

Step 20: Finishing Up

Technical Proficiencies Utilized