Configure Split DNS
Split Domain Name System (Split DNS) is a configuration in which two DNS servers (sub-domains) are created for the same domain, one for the internal network and the other for the external, as a means to tighten security. In this setting, internal hosts are directed to an internal domain name server and external hosts are directed to an external domain name server for name resolution.
In environments where Sysdig Platform is reachable through an Identity Provider (IDP) on two DNS records (split DNS), one set of users may not be able to log in to Sysdig, because the IDP redirects all of them to a single DNS name. To redirect users to the DNS name they originally requested, configure your deployment as described below.
Prerequisites
You have administrator privileges to configure Split DNS.
Sysdig Platform is installed on-premises.
Sysdig Platform is available on two or more DNS names.
Users are accessing the Sysdig Platform by using two DNS names.
Users are required to be redirected to the original DNS name.
Supported IDP Protocols
SAML
OpenID Connect
Sysdig Platform Configuration
The topic assumes the request flows through the following setup: Browser > Application Load Balancer (optional) > Kubernetes Ingress Controller > Sysdig NGINX > Sysdig API.
Configure the Ingress Controller.
Export the current Ingress resource (run this in the sysdigcloud namespace, where the Ingress lives):
kubectl get ingress -o yaml > ingress.yaml
Edit the ingress.yaml file as follows, adding a second host rule for the internal FQDN with the same paths and backends as the external one, and listing both FQDNs under tls.hosts:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    ingress.kubernetes.io/affinity: cookie
    ingress.kubernetes.io/session-cookie-name: INGRESSCOOKIEAPI
    kubernetes.io/ingress.class: haproxy
  creationTimestamp: "2019-12-23T14:45:07Z"
  generation: 1
  labels:
    app.kubernetes.io/managed-by: ingress-config
    app.kubernetes.io/name: ingress-config
    app.kubernetes.io/part-of: sysdigcloud
    role: ingress-config
    tier: infra
  name: sysdigcloud-api-ingress
  namespace: sysdigcloud
  resourceVersion: "156675"
  selfLink: /apis/extensions/v1beta1/namespaces/sysdigcloud/ingresses/sysdigcloud-api-ingress
  uid: 891a0a46-ce64-41e0-906b-31627306a844
spec:
  rules:
  - host: <REPLACE WITH EXTERNAL DNS FQDN>
    http:
      paths:
      - backend:
          serviceName: sysdigcloud-api
          servicePort: 8080
        path: /
      - backend:
          serviceName: sysdigcloud-scanning-api
          servicePort: 80
        path: /api/scanning
  - host: <REPLACE WITH INTERNAL DNS FQDN>
    http:
      paths:
      - backend:
          serviceName: sysdigcloud-api
          servicePort: 8080
        path: /
      - backend:
          serviceName: sysdigcloud-scanning-api
          servicePort: 80
        path: /api/scanning
  tls:
  - hosts:
    - <REPLACE WITH EXTERNAL DNS FQDN>
    - <REPLACE WITH INTERNAL DNS FQDN>
    secretName: sysdigcloud-ssl-secret
status:
  loadBalancer:
    ingress:
    - {}
The cluster-populated fields in the export (creationTimestamp, resourceVersion, selfLink, uid and status) are not part of the change and can be removed before applying.
Apply the changes:
kubectl apply -f ingress.yaml
Configure Nginx in the Kubernetes API pod.
Open the configuration file corresponding to the sysdig-api deployment and add the following snippet to the Nginx environment variables section:
- name: NGINX_NOT_ON_EDGE
  value: "true"
Apply the changes.
Ensure that the following snippet is present in the Nginx configuration file at /etc/nginx/conf.d/api.conf, so that the original host and scheme reach the Sysdig API:
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Server $host;
IDP Configuration
Ensure that Single Sign On (SSO) configuration is completed on the Sysdig Platform side.
Retrieve the current SSO settings with the API:
curl -v -X GET -H "Accept: application/json" -H "Content-type: application/json" -H 'Authorization: bearer XXXXXX' https://<API ENDPOINT>/api/admin/auth/settings/{{settingsID}} | jq
In the JSON obtained, add the following keys to the settings object inside authenticationSettings:
"splitDnsSupport": true,
"splitDnsOriginHostHeader": "x-forwarded-server",
"splitDnsOriginSchemeHeader": "x-forwarded-proto"
(optional) If you use the OpenID Connect protocol for SSO, also include settings.clientSecret, because it is not returned by the GET call:
"clientSecret": "<Replace with your clientSecret>"
Update the authenticationSettings object with a PUT request to the same endpoint, including the changes introduced in the previous steps. For example:
curl -v -X PUT -H "Accept: application/json" -H "Content-type: application/json" -H 'Authorization: bearer xxxxxxx' https://<API ENDPOINT>/api/admin/auth/settings/1 -d '{
  "authenticationSettings": {
    "id": 1,
    "version": 5,
    "createdOn": 1577285950000,
    "modifiedOn": 1577350608000,
    "type": "openid",
    "scope": "SYSTEM",
    "settings": {
      "createUserOnLogin": true,
      "forbidPasswordLogin": false,
      "issuer": "https://<Replace with your issuer>.com",
      "clientId": "<Replace with your client_id>",
      "clientSecret": "<Replace with your client_secret>",
      "metadata": null,
      "splitDnsSupport": true,
      "splitDnsOriginHostHeader": "x-forwarded-server",
      "splitDnsOriginSchemeHeader": "x-forwarded-proto",
      "metadataDiscovery": true
    }
  }
}'
Replace <issuer>, <client_id>, and <client_secret> with your own.
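The GET, edit and PUT steps above, scripted so that the clientSecret omitted by the GET is never accidentally blanked on the PUT. This is an added example, not Sysdig tooling; it assumes the JSON shape shown above ("type": "openid" for OpenID Connect), and the endpoint, token and settings ID passed to update_settings() are hypothetical placeholders.

```python
# Added example (not Sysdig tooling): merge the Split DNS keys into the
# authenticationSettings document shown above and PUT it back. Assumes the
# GET/PUT JSON shape above and "type": "openid" for OIDC; hostnames/tokens
# passed to update_settings() are hypothetical placeholders.
import json
import urllib.request

# Header names must match what Sysdig NGINX sets in /etc/nginx/conf.d/api.conf.
SPLIT_DNS_KEYS = {
    "splitDnsSupport": True,
    "splitDnsOriginHostHeader": "x-forwarded-server",
    "splitDnsOriginSchemeHeader": "x-forwarded-proto",
}

# Constructed sample of a GET response; note that clientSecret is absent.
SAMPLE_GET_RESPONSE = {"authenticationSettings": {
    "id": 1, "version": 5, "type": "openid", "scope": "SYSTEM",
    "settings": {"issuer": "https://idp.example.com", "clientId": "abc",
                 "createUserOnLogin": True, "metadataDiscovery": True},
}}


def add_split_dns(doc, client_secret=None):
    """Return a copy of doc with the Split DNS keys merged into settings.

    The GET omits clientSecret for OpenID Connect, so putting the response
    back unchanged would blank it: require it when type is "openid".
    """
    auth = doc["authenticationSettings"]
    settings = {**(auth.get("settings") or {}), **SPLIT_DNS_KEYS}
    if auth.get("type") == "openid":
        if not client_secret:
            raise ValueError("OpenID Connect: clientSecret is required for PUT")
        settings["clientSecret"] = client_secret
    return {"authenticationSettings": {**auth, "settings": settings}}


def _call(method, url, token, body=None):
    req = urllib.request.Request(url, data=body, method=method)
    req.add_header("Accept", "application/json")
    req.add_header("Content-Type", "application/json")
    req.add_header("Authorization", f"bearer {token}")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def update_settings(api_endpoint, token, settings_id, client_secret=None):
    """GET the current settings, merge the Split DNS keys, PUT them back."""
    url = f"https://{api_endpoint}/api/admin/auth/settings/{settings_id}"
    updated = add_split_dns(_call("GET", url, token), client_secret)
    return _call("PUT", url, token, json.dumps(updated).encode())
```

Call update_settings("<API ENDPOINT>", "<token>", 1, client_secret="<client_secret>") for an OpenID Connect deployment, or without client_secret for SAML.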