Configure Split DNS

Split Domain Name System (Split DNS) is a configuration in which two DNS servers (sub-domains) are created for the same domain, one for the internal network and the other for the external, as a means to tighten security. In this setting, internal hosts are directed to an internal domain name server and external hosts are directed to an external domain name server for name resolution.

In environments where Sysdig Platform is available through an Identity Provider (IDP) on two DNS records (split DNS), one set of users may not be able to log in to Sysdig, as the IDP redirects them only to a single DNS. In order to redirect users to the original DNS name they have requested, configure your deployment as given below.

Prerequisites

  • You have the administrator privileges to configure Split DNS.

  • Sysdig Platform is installed on-premises.

  • Sysdig Platform is available on two or more DNS names. 

  • Users are accessing the Sysdig Platform by using two DNS names.

  • Users are required to be redirected to the original DNS name.

Supported IDP Protocols

  • SAML

  • OpenID Connect

Sysdig Platform Configuration

The topic assumes the request flows through the following setup: Browser > Application Load Balancer (optional) > Kubernetes Ingress Controller > Sysdig NGINX > Sysdig API.

  1. Configure the Ingress Controller.

    1. Open the Ingress Controller.

      kubectl get ingress -o yaml > ingress.yaml
      
    2. Edit the ingress.yaml file as follows:

      apiVersion: extensions/v1beta1
      kind: Ingress
      metadata:
      annotations:
      ingress.kubernetes.io/affinity: cookie
      ingress.kubernetes.io/session-cookie-name: INGRESSCOOKIEAPI
      kubernetes.io/ingress.class: haproxy
      creationTimestamp: "2019-12-23T14:45:07Z"
      generation: 1
      labels:
      app.kubernetes.io/managed-by: ingress-config
      app.kubernetes.io/name: ingress-config
      app.kubernetes.io/part-of: sysdigcloud
      role: ingress-config
      tier: infra
      name: sysdigcloud-api-ingress
      namespace: sysdigcloud
      resourceVersion: "156675"
      selfLink: /apis/extensions/v1beta1/namespaces/sysdigcloud/ingresses/sysdigcloud-api-ingress
      uid: 891a0a46-ce64-41e0-906b-31627306a844
      spec:
      rules:
      - host: <REPLACE WITH EXTERNAL DNS FQDN>
      http:
      paths:
      - backend:
      serviceName: sysdigcloud-api
      servicePort: 8080
      path: /
      - backend:
      serviceName: sysdigcloud-scanning-api
      servicePort: 80
      path: /api/scanning
      - host: <REPLACE WITH INTERNAL DNS FQDN>
      http:
      paths:
      - backend:
      serviceName: sysdigcloud-api
      servicePort: 8080
      path: /
      - backend:
      serviceName: sysdigcloud-scanning-api
      servicePort: 80
      path: /api/scanning
      tls:
      - hosts:
      - <REPLACE WITH EXTERNAL DNS FQDN>
      - <REPLACE WITH INTERNAL DNS FQDN>
      secretName: sysdigcloud-ssl-secret
      status:
      loadBalancer:
      ingress:
      - {}
      
    3. Apply the changes:

      kubectl apply -f ingress.yaml
      
  2. Configure Nginx in the Kubernetes API pod.

    1. Open the configuration file corresponding to the sysdig-api deployment.

    2. Add the following snippet to the Nginx environment variables section:

       - name: NGINX_NOT_ON_EDGE
         value: "true"
      
    3. Apply the changes.

    4. Ensure that the following snippet is added to the Ngnix configuration file at /etc/nginx/conf.d/api.conf:

      proxy_set_header X-Forwarded-Host $host:$server_port;
      proxy_set_header X-Forwarded-Server $host;
      

IDP Configuration

  1. Ensure that Single Sign On (SSO) configuration is completed on the Sysdig Platform side.

  2. Retrieve the current SSO settings with the API:

    curl -v  -X GET -H "Accept: application/json" -H "Content-type: application/json" -H 'Authorization: bearer XXXXXX' https://<API ENDPOINT>/api/admin/auth/settings/{{settingsID}}| jq
    
  3. In the JSON file obtained with the authenticationSettings object , add the following lines:

    "splitDnsSupport": true,
    "splitDnsOriginHostHeader": "x-forwarded-server",
    "splitDnsOriginSchemeHeader": "x-forwarded-proto"
    
  4. (optional) If you are using OpenID Connect protocol for SSO, include settings.clientSecret , because it’s not returned with the API call:

    "clientSecret": "<Replace with your clientSecret>"
    
  5. Update the authenticationSettings object with a PUT request to the same endpoint with the changes introduced in the previous steps. For example:

    curl -v -X PUT -H "Accept: application/json" -H "Content-type: application/json" -H 'Authorization: bearer xxxxxxx' https://<API ENDPOINT>/api/admin/auth/settings/1 -d'
    {
      "authenticationSettings": {
        "id": 1,
        "version": 5,
        "createdOn": 1577285950000,
        "modifiedOn": 1577350608000,
        "type": "openid",
        "scope": "SYSTEM",
        "settings": {
          "createUserOnLogin": true,
          "forbidPasswordLogin": false,
          "issuer": "https://<Replace with your issuer>.com",
          "clientId": "<Replace with your client_id>",
          "clientSecret": "<Replace with your client_secret>",
          "metadata": null,
          "splitDnsSupport": true,
          "splitDnsOriginHostHeader": "x-forwarded-server",
          "splitDnsOriginSchemeHeader": "x-forwarded-proto",
          "metadataDiscovery": true
        }
      }
    }'
    

    Replace <issuer>, <client_id>, and <client_secret> with your own.