System requirements and prerequisites
Before you can install IBM Security Guardium® Insights, ensure that you have the needed hardware, software, and storage. The system requirements for IBM Security Guardium Insights depend on:
- The shared cluster components that you need to install.
- The number of Guardium Insights instances you plan to install on your cluster.
- The services that you plan to install on top of Guardium Insights.
- The types of workloads that you plan to run.
Review the following information to accurately size and configure your cluster:
- Hardware cluster requirements
- Software prerequisites
- Container Application Software for Enterprises (CASE) version support
- Security context constraints (SCC) requirements
- Command line tools
- Data source platform streaming support
- Ticketing support
- Browser support
- Display resolution
- External storage allocation for backups
Software prerequisites
- Red Hat OpenShift Container Platform:
  - Guardium Insights Version 3.2.5 and lower: Red Hat OpenShift Container Platform Version 4.8.x and 4.10.x
  - Guardium Insights Version 3.2.6 and higher: Red Hat OpenShift Container Platform Version 4.10.x
  - Guardium Insights Version 3.2.8 and higher: Red Hat OpenShift Container Platform Version 4.12.x
  Note: If you have purchased IBM Security Guardium Insights for IBM Cloud Pak for Security, you are automatically entitled to install its OpenShift Container Platform. See IBM Security Guardium Insights for IBM Cloud Pak for Security software requirements for more information.
- IBM Cloud Pak foundational services Version 3.19.x (where x is the latest patch for this version)
- Data mart support: Guardium Insights supports these v3 and v4 data marts from Guardium Data Protection:
  - v4 data marts:
    - Version 11.0.p370 for Version 11.3
    - Version 11.0.p450 for Version 11.4
    - Version 11.0.p500 for Version 11.5
  - v3 data marts:
    - Version 11.0.p360 for Version 11.3
    - Version 11.0.p430 for Version 11.4
  Note: Mixing Guardium Data Protection versions with v3 and v4 data marts in the same central manager is not recommended.
- Prerequisites for connecting Guardium Data Protection for z/OS® to Guardium Insights:
  - Guardium STAP for z/OS Version 10.1.3 and above
- If you connect to Amazon Web Services (AWS) Aurora PostgreSQL, Amazon Kinesis is required.
- If you connect to Azure, Azure Event Hubs is required.
IBM Security Guardium Insights for IBM Cloud Pak for Security software requirements
IBM Security Guardium Insights for IBM Cloud Pak for Security supports IBM Cloud Pak for Security Version 1.10.
oc ibm-pak get ibm-cp-security --version 1.0.7 --skip-verify
The requirements for IBM Security Guardium Insights and IBM Security Guardium Insights for IBM Cloud Pak for Security are the same; however, if you purchase IBM Security Guardium Insights for IBM Cloud Pak for Security, you are automatically entitled to install its OpenShift Container Platform.
Container Application Software for Enterprises (CASE) version support
When installing Guardium Insights, use the CASE versions that are supported for the version of Guardium Insights that you are installing. These versions are listed in https://github.com/IBM/cloud-pak/blob/master/repo/case/ibm-guardium-insights/index.yaml, where the version listed is the CASE version and the corresponding appVersion is the version of Guardium Insights that it supports.
Security context constraints (SCC) requirements
OpenShift provides security context constraints (SCCs) that control the actions that a pod can perform and what it is able to access. Guardium Insights requires an SCC to be bound to the target namespace before installation. To meet this requirement, you may need to take actions to prepare your cluster and namespace.
The predefined ibm-restricted-scc, ibm-privileged-scc, and restricted SecurityContextConstraints have been verified for this chart. If your target namespace is bound to one of these SecurityContextConstraints, you can proceed with chart installation. This is the definition of the custom ibm-restricted-scc SecurityContextConstraints:
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
metadata:
  annotations:
    kubernetes.io/description: "[DEPRECATED] This policy is the most restrictive,
      requiring pods to run with a non-root UID, and preventing pods from accessing the host.
      The UID and GID will be bound by ranges specified at the Namespace level."
    cloudpak.ibm.com/version: "1.2.0"
    cloudpak.ibm.com/deprecated: "true" # annotation values must be strings; an unquoted true is rejected by the API server
  name: ibm-restricted-scc
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegedContainer: false
allowPrivilegeEscalation: false
allowedCapabilities: null
allowedFlexVolumes: null
allowedUnsafeSysctls: null
defaultAddCapabilities: null
defaultAllowPrivilegeEscalation: false
forbiddenSysctls:
  - "*"
fsGroup:
  type: MustRunAs
  ranges:
    - max: 65535
      min: 1
readOnlyRootFilesystem: false
requiredDropCapabilities:
  - ALL
runAsUser:
  type: MustRunAsNonRoot
seccompProfiles:
  - docker/default
# This can be customized for seLinuxOptions specific to your host machine
seLinuxContext:
  type: RunAsAny
  # seLinuxOptions:
  #   level:
  #   user:
  #   role:
  #   type:
supplementalGroups:
  type: MustRunAs
  ranges:
    - max: 65535
      min: 1
# This can be customized to host specifics
volumes:
  - configMap
  - downwardAPI
  - emptyDir
  - persistentVolumeClaim
  - projected
  - secret
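The following POSIX shell script is an added example; it is not IBM's code and is not part of the original page. It reads an SCC definition, for instance the output of oc get scc ibm-restricted-scc -o yaml, and fails if any of the host-isolation settings that ibm-restricted-scc relies on have been loosened on the cluster (a common drift when someone "fixes" a failing pod by editing the SCC). The field names are the real SecurityContextConstraints fields shown above; the two inline SCC samples are constructed for the example and were not taken from a cluster.

```shell
#!/bin/sh
# Added example: audit an SCC definition for the restrictive settings ibm-restricted-scc depends on.

# scc_field YAML KEY: prints the scalar value of top-level KEY (trailing comments stripped)
scc_field() {
  printf '%s\n' "$1" | awk -v k="$2" '
    $0 ~ ("^" k ":") { sub("^" k ":[[:space:]]*", ""); sub(/[[:space:]]*#.*$/, ""); print; exit }'
}

# scc_nested YAML KEY SUBKEY: prints SUBKEY inside the top-level mapping KEY (e.g. runAsUser type)
scc_nested() {
  printf '%s\n' "$1" | awk -v k="$2" -v s="$3" '
    $0 ~ ("^" k ":") { inblk = 1; next }
    inblk && /^[^[:space:]#]/ { inblk = 0 }
    inblk && $0 ~ ("^[[:space:]]+" s ":") {
      sub("^[[:space:]]+" s ":[[:space:]]*", ""); sub(/[[:space:]]*#.*$/, ""); print; exit }'
}

# scc_list_has YAML KEY ITEM: succeeds when the top-level list KEY contains ITEM
scc_list_has() {
  printf '%s\n' "$1" | awk -v k="$2" -v it="$3" '
    $0 ~ ("^" k ":") { inblk = 1; next }
    inblk && /^[^[:space:]#-]/ { inblk = 0 }
    inblk && $0 ~ ("^[[:space:]]*-[[:space:]]*" it "[[:space:]]*$") { found = 1 }
    END { exit !found }'
}

# scc_audit YAML: prints one FAIL line per violated expectation; succeeds only when all hold
scc_audit() {
  y=$1; rc=0
  for f in allowHostDirVolumePlugin allowHostIPC allowHostNetwork allowHostPID allowHostPorts \
           allowPrivilegedContainer allowPrivilegeEscalation; do
    v=$(scc_field "$y" "$f")
    [ "$v" = false ] || { echo "FAIL $f=${v:-<unset>} (expected false)"; rc=1; }
  done
  [ "$(scc_nested "$y" runAsUser type)" = MustRunAsNonRoot ] \
    || { echo "FAIL runAsUser.type is not MustRunAsNonRoot"; rc=1; }
  scc_list_has "$y" requiredDropCapabilities ALL \
    || { echo "FAIL requiredDropCapabilities does not include ALL"; rc=1; }
  # allowHostDirVolumePlugin=false already blocks hostPath; a volumes entry for it is still a red flag
  if scc_list_has "$y" volumes hostPath; then echo "FAIL volumes permits hostPath"; rc=1; fi
  return $rc
}

# Constructed sample: the restrictive settings from the definition above (abbreviated)
SAMPLE_RESTRICTED_SCC=$(cat <<'EOF'
kind: SecurityContextConstraints
metadata:
  name: ibm-restricted-scc
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegedContainer: false
allowPrivilegeEscalation: false
requiredDropCapabilities:
- ALL
runAsUser:
  type: MustRunAsNonRoot
# This can be customized for seLinuxOptions specific to your host machine
seLinuxContext:
  type: RunAsAny
volumes:
- configMap
- secret
EOF
)

# Constructed sample: the same SCC after it was loosened on the cluster (three violations)
SAMPLE_LOOSENED_SCC=$(cat <<'EOF'
kind: SecurityContextConstraints
metadata:
  name: ibm-restricted-scc
allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: true
allowHostPID: false
allowHostPorts: false
allowPrivilegedContainer: false
allowPrivilegeEscalation: false
requiredDropCapabilities:
- ALL
runAsUser:
  type: RunAsAny
volumes:
- configMap
- hostPath
- secret
EOF
)

# Usage against a cluster: scc_audit "$(oc get scc ibm-restricted-scc -o yaml)" && echo "SCC still restrictive"
```

Run the audit as part of your pre-install checks and again after any cluster change; a non-zero exit with FAIL lines means the SCC the installer will bind no longer matches the definition above.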
Command line tools
Tools for command line administration of the cluster and Guardium Insights can be accessed from the Red Hat OpenShift Container Platform and IBM Cloud Pak foundational services web consoles. This table details the tools and versions that are required for Guardium Insights:
Tool | Download | Version |
---|---|---|
oc | https://www.okd.io/download.html | 4.4.6 or later |
oc ibm-pak (Required for Guardium Insights 3.2.9 and later) | https://github.com/IBM/ibm-pak | 1.4.0 or later |
kubectl | https://kubernetes.io/docs/tasks/tools/install-kubectl/ | 1.16 or later |
cloudctl (Required for Guardium Insights 3.2.8 and earlier) | https://github.com/IBM/cloud-pak-cli/releases | 3.17.0 or later |
openssl | https://www.openssl.org/source/ | 1.1.1 |
python with PyYAML installed (must have a symbolic link to python) | | 3.x or later |
docker (or podman) | https://hub.docker.com/?overlay=onboarding | 17.03 or later |
skopeo (Offline installations only) | https://github.com/containers/skopeo/blob/master/install.md | 1.0.0 |
htpasswd (Offline installations only) | | |
Cluster administrator privileges to run the setup scripts. | | |
Your login credentials to cp.icr.io | | |
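As an added example (not an IBM script and not part of the original page), the following POSIX shell preflight check verifies that the tools in the table are on PATH and meet the listed minimum versions. The minimum versions are taken from the table; how each tool's version output is parsed, and the GI_PREFLIGHT and OFFLINE environment variables, are conventions of this example only.

```shell
#!/bin/sh
# Added example: preflight check for the command line tools required by Guardium Insights.

# version_ge A B: succeeds when dotted version A is >= B, compared component by component
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      xi = (i <= n) ? x[i] + 0 : 0
      yi = (i <= m) ? y[i] + 0 : 0
      if (xi > yi) exit 0
      if (xi < yi) exit 1
    }
    exit 0
  }'
}

# first_version TEXT: prints the first dotted version number in TEXT ("v1.26.3" -> 1.26.3, "1.1.1k" -> 1.1.1)
first_version() {
  printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+)+' | head -n 1
}

# check_tool NAME MIN CMD ARGS...: runs CMD, parses its version, compares with MIN; prints one status line
check_tool() {
  name=$1; min=$2; shift 2
  if ! command -v "$1" >/dev/null 2>&1; then
    echo "MISSING  $name (need $min or later)"; return 1
  fi
  out=$("$@" 2>&1 | head -n 5)
  v=$(first_version "$out")
  if [ -z "$v" ]; then
    echo "UNKNOWN  $name: could not parse a version from: $out"; return 1
  fi
  if version_ge "$v" "$min"; then
    echo "OK       $name $v"; return 0
  fi
  echo "TOO OLD  $name $v (need $min or later)"; return 1
}

# preflight: runs every check from the table and returns non-zero if any requirement is unmet
preflight() {
  rc=0
  check_tool oc 4.4.6 oc version --client || rc=1
  check_tool kubectl 1.16 kubectl version --client || rc=1
  check_tool openssl 1.1.1 openssl version || rc=1
  # "python" itself must resolve (the table requires a symlink by that name) and PyYAML must import
  check_tool python 3.0 python --version || rc=1
  if python -c 'import yaml' >/dev/null 2>&1; then echo "OK       PyYAML importable"
  else echo "MISSING  PyYAML"; rc=1; fi
  # docker is version-checked; podman is accepted in its place (its version numbering differs)
  if command -v docker >/dev/null 2>&1; then check_tool docker 17.03 docker --version || rc=1
  elif command -v podman >/dev/null 2>&1; then echo "OK       podman $(first_version "$(podman --version)") (in place of docker)"
  else echo "MISSING  docker or podman"; rc=1; fi
  # offline installations also need skopeo and htpasswd
  if [ "${OFFLINE:-0}" = 1 ]; then
    check_tool skopeo 1.0.0 skopeo --version || rc=1
    if command -v htpasswd >/dev/null 2>&1; then echo "OK       htpasswd"
    else echo "MISSING  htpasswd"; rc=1; fi
  fi
  return $rc
}

# Run with: GI_PREFLIGHT=1 OFFLINE=1 sh preflight.sh   (OFFLINE=1 adds the offline-only tools)
if [ "${GI_PREFLIGHT:-0}" = 1 ]; then preflight; fi
```

The script does not check oc ibm-pak or cloudctl, because which of the two you need depends on the Guardium Insights version you are installing (see the table); add the matching row by hand. Cluster administrator privileges and your cp.icr.io credentials cannot be verified locally.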
Data source platform streaming support
Guardium Insights allows you to connect to data sources on these platforms:
- Guardium (IBM Security Guardium Data Protection) - these Guardium versions are supported:
- Guardium Data Protection for z/OS - with these prerequisites:
  - Guardium STAP for z/OS Version 10.1.3 and above
- Amazon Web Services (AWS) Aurora PostgreSQL through Amazon Kinesis
- Azure Event Hubs
When connecting to streams of data in the Guardium Insights user interface, choose from one of these sources:
Ticketing support
Guardium Insights allows you to connect to these ticketing services:
- IBM Cloud Pak for Security Cases
- IBM Resilient®
- ServiceNow
Browser support
Guardium Insights is supported on Google Chrome, Mozilla Firefox, and Microsoft Edge.
Display resolution
Guardium Insights is best viewed at display resolutions of 1024x768 pixels or higher.
External storage allocation for backups
Prior to deploying Guardium Insights and its CR (custom resource), you must manually create a PersistentVolumeClaim (PVC) for backup support. It is recommended that the size of the PersistentVolumeClaim be 1 terabyte (TB), and the space on the NFS server should accommodate roughly 20% of the amount of data that you expect to ingest each month.
Create the PVC according to this template (but use values that are needed for your deployment):
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: <GI_Backup_PVC> # name of the PVC
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 500Gi # Update storage size; minimum size is 500Gi
  storageClassName: managed-nfs-storage # Update your StorageClass name; it must be RWX with 777 writable permissions
When creating the PVC, name it <GI_Backup_PVC>, where <GI_Backup_PVC> is the namespace to which you are installing Guardium Insights. By default, the Guardium Insights operator looks for a PVC by this name in that namespace, so the metadata.name of the PVC must match the BackupSupport name that you set in the Guardium Insights CR.
After creating the PVC, check the PersistentVolumeClaim list (for example, run oc get pvc | grep <GI_Backup_PVC>) and confirm that the status of your PVC is Bound:
oc get pvc | grep <GI_Backup_PVC>
NAME              STATUS   VOLUME   CAPACITY   ACCESS MODES   STORAGECLASS          AGE
<GI_Backup_PVC>   Bound                                       managed-nfs-storage   6s
If your PVC is properly Bound and you then deploy Guardium Insights, the status of the deployment will not contain errors:
oc get guardiuminsights -w
NAME      TYPE      STATUS   REASON                           MESSAGE                           DESIRED_VERSION   INSTALLED_VERSION
staging   Running   True     Reconciling                      Starting to Reconcile             3.2.8
staging   Running   True     GuardiumInsightsInstallRunning   Secret creation completed         3.2.8
staging   Running   True     GuardiumInsightsInstallRunning   Instantiated DB2 CR               3.2.8
staging   Running   True     GuardiumInsightsInstallRunning   Instantiated Postgres Resources   3.2.8
staging   Running   True     GuardiumInsightsInstallRunning   Instantiated Redis Sentinel CR    3.2.8
staging   Running   True     GuardiumInsightsInstallRunning   Instantiated MongoDB CR           3.2.8
If your PVC is not properly Bound, you will receive an error message that depends on the nature of the problem:
- If you attempt to deploy Guardium Insights when the PVC does not exist, the operator fails with this message:
oc get guardiuminsights -w
NAME      TYPE      STATUS   REASON        MESSAGE                                                                                                                                                       DESIRED_VERSION   INSTALLED_VERSION
staging   Running   True     Reconciling   Starting to Reconcile                                                                                                                                         3.2.8
staging   Failure   True     Failed        Expecting Manual creation of PVC Name <GI_Backup_PVC>, Go to 'https://www.ibm.com/docs/en/guardium-insights/3.2.x?topic=planning-system-requirements-prerequisites'   3.2.8
staging   Running   True     Running       Running reconciliation
- If the name of your PVC is not <GI_Backup_PVC>, you receive the same error, because the Guardium Insights operator cannot find a PVC by that name. The same error occurs if the name of the manually created PVC and the BackupSupport name in the Guardium Insights CR do not match.
- If backup support is not required, you still receive this error until you update the CR to indicate that backup support is not required. For example, include this setting:
guardiumInsightsGlobal:
  backupsupport:
    enabled: "false"
- If you attempt to deploy Guardium Insights when the PVC is not in the Bound state, the operator fails with this message:
oc get guardiuminsights -w
NAME      TYPE      STATUS   REASON        MESSAGE                                             DESIRED_VERSION   INSTALLED_VERSION
staging   Running   True     Reconciling   Starting to Reconcile                               3.2.8
staging   Failure   True     Failed        Required Backup PVC exists but not 'Bound' state.   3.2.8
staging   Running   True     Running       Running reconciliation
In addition, the Network File System (NFS) needs to be able to communicate with the cluster running Guardium Insights. The requirements for this are:
- If you are placing backups in a remote destination, a Network File System (NFS) is required.
- The NFS storage class must be installed before installing Guardium Insights.
- A PersistentVolume (PV) and a PersistentVolumeClaim (PVC) need to be created with the NFS storage class before Guardium Insights is installed.
When you are ready to deploy, set the flag for backup support in the installation YAML file for Guardium Insights. The backup data is stored on the PV designated by the storageClassName:
guardiumInsightsGlobal:
  backupsupport:
    enabled: "true"
    name: <GI_Backup_PVC> # name of the PVC previously created and bound to the external NFS
If the flag for backup support is not set before deployment of Guardium Insights, the backup data is stored internally on the backup pod, and you might run out of internal storage space.
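The following POSIX shell script is an added example, not IBM's tooling and not part of the original page. It automates the checks in this section: it creates the backup PVC from the template above, waits for it to reach Bound, confirms it is ReadWriteMany, and verifies that the CR's backupsupport.name matches the PVC name before the CR is applied, so the two operator failures shown above are caught locally first. The namespace, PVC name, storage class and size are placeholders; the inline PVC JSON and CR fragment are constructed samples, and placing guardiumInsightsGlobal under spec in the CR is assumed from the fragment shown above.

```shell
#!/bin/sh
# Added example: create and verify the Guardium Insights backup PVC before applying the CR.

# create_backup_pvc NS NAME STORAGECLASS SIZE: applies an RWX PVC built from the template above
create_backup_pvc() {
  cat <<EOF | oc apply -n "$1" -f -
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: $2
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: $4
  storageClassName: $3
EOF
}

# pvc_phase JSON: extracts status.phase from "oc get pvc NAME -o json" output without needing jq
pvc_phase() {
  printf '%s' "$1" | tr -d '\n' | sed -n 's/.*"phase"[[:space:]]*:[[:space:]]*"\([A-Za-z]*\)".*/\1/p'
}

# pvc_is_rwx JSON: succeeds when the claim's accessModes include ReadWriteMany
pvc_is_rwx() {
  printf '%s' "$1" | grep -q '"ReadWriteMany"'
}

# wait_for_bound NS NAME TIMEOUT_SECONDS: polls until the PVC is Bound and RWX; fails otherwise
wait_for_bound() {
  ns=$1; name=$2; left=${3:-120}
  while [ "$left" -gt 0 ]; do
    if ! json=$(oc get pvc "$name" -n "$ns" -o json 2>/dev/null); then
      echo "PVC $name does not exist in $ns; the operator would fail with 'Expecting Manual creation of PVC'"
      return 1
    fi
    phase=$(pvc_phase "$json")
    if [ "$phase" = Bound ]; then
      pvc_is_rwx "$json" || { echo "PVC $name is Bound but not ReadWriteMany"; return 1; }
      echo "PVC $name is Bound and ReadWriteMany"; return 0
    fi
    echo "PVC $name phase=$phase; waiting"; sleep 5; left=$((left - 5))
  done
  echo "PVC $name never reached Bound; the operator would fail with 'exists but not Bound state'"
  return 1
}

# cr_backup_pvc_name CR_YAML: prints backupsupport.name from the CR text (trailing comment stripped)
cr_backup_pvc_name() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*backupsupport:/ { inb = 1; next }
    inb && /^[[:space:]]*name:/ { sub(/^[[:space:]]*name:[[:space:]]*/, ""); sub(/[[:space:]]*#.*$/, ""); print; exit }
    inb && /^[[:space:]]*[A-Za-z]+:/ && !/^[[:space:]]*enabled:/ { inb = 0 }'
}

# cr_backup_enabled CR_YAML: succeeds when backupsupport.enabled is "true"
cr_backup_enabled() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*backupsupport:/ { inb = 1; next }
    inb && /^[[:space:]]*enabled:/ { v = $2; gsub(/"/, "", v); found = (v == "true"); exit }
    inb && /^[[:space:]]*[A-Za-z]+:/ && !/^[[:space:]]*name:/ { inb = 0 }
    END { exit !found }'
}

# backup_preflight NS PVC_NAME CR_YAML: the check to run right before "oc apply" of the CR
backup_preflight() {
  if ! cr_backup_enabled "$3"; then
    echo "backupsupport.enabled is not \"true\": no PVC is needed; backups stay on the backup pod"; return 0
  fi
  crname=$(cr_backup_pvc_name "$3")
  [ "$crname" = "$2" ] || { echo "CR backupsupport.name '$crname' does not match PVC '$2'"; return 1; }
  wait_for_bound "$1" "$2" 120
}

# Constructed samples (not from a real cluster): trimmed "oc get pvc -o json" output and a CR fragment
SAMPLE_BOUND_JSON='{"metadata":{"name":"gi-backup-pvc"},"spec":{"accessModes":["ReadWriteMany"]},
 "status":{"accessModes":["ReadWriteMany"],"capacity":{"storage":"500Gi"},"phase":"Bound"}}'
SAMPLE_PENDING_JSON='{"metadata":{"name":"gi-backup-pvc"},"spec":{"accessModes":["ReadWriteMany"]},
 "status":{"phase":"Pending"}}'
SAMPLE_CR=$(cat <<'EOF'
kind: GuardiumInsights
metadata:
  name: staging
spec:
  guardiumInsightsGlobal:
    backupsupport:
      enabled: "true"
      name: gi-backup-pvc # name of the PVC previously created and bound to the external NFS
EOF
)

# Usage against a cluster (placeholders): create_backup_pvc gi-ns gi-backup-pvc managed-nfs-storage 500Gi
#                                        backup_preflight gi-ns gi-backup-pvc "$(cat gi-cr.yaml)"
```

If backupsupport.enabled is "false" the preflight passes without looking for a PVC, which mirrors the operator's behaviour described above; a name mismatch or a PVC stuck in Pending is reported before the CR is applied, rather than as a Failure in oc get guardiuminsights -w.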