
    Configure Split DNS

    Split Domain Name System (Split DNS) is a configuration in which two DNS servers (sub-domains) are set up for the same domain, one for the internal network and one for the external network, as a means to tighten security. In this setting, internal hosts are directed to the internal domain name server and external hosts to the external domain name server for name resolution.

    In environments where the Sysdig Platform is reachable under two DNS names (split DNS) and users sign in through an Identity Provider (IDP), one group of users may be unable to log in to Sysdig, because the IDP redirects every user back to a single DNS name. To redirect users to the DNS name they originally requested, configure your deployment as described below.

    Prerequisites

    • You have administrator privileges to configure Split DNS.

    • Sysdig Platform is installed on-premises.

    • Sysdig Platform is available on two or more DNS names.

    • Users are accessing the Sysdig Platform by using two DNS names.

    • Users are required to be redirected to the original DNS name.

    Supported IDP Protocols

    • SAML

    • OpenID Connect

    Sysdig Platform Configuration

    This topic assumes that requests flow through the following chain: Browser > Application Load Balancer (optional) > Kubernetes Ingress Controller > Sysdig NGINX > Sysdig API.

    1. Configure the Ingress Controller.

      1. Export the current Ingress resource to a file:

        kubectl get ingress -o yaml > ingress.yaml
        
      2. Edit ingress.yaml so that it contains a rule and a TLS host entry for both DNS names, replacing the placeholders with your external and internal FQDNs:

        apiVersion: extensions/v1beta1
        kind: Ingress
        metadata:
          annotations:
            ingress.kubernetes.io/affinity: cookie
            ingress.kubernetes.io/session-cookie-name: INGRESSCOOKIEAPI
            kubernetes.io/ingress.class: haproxy
          creationTimestamp: "2019-12-23T14:45:07Z"
          generation: 1
          labels:
            app.kubernetes.io/managed-by: ingress-config
            app.kubernetes.io/name: ingress-config
            app.kubernetes.io/part-of: sysdigcloud
            role: ingress-config
            tier: infra
          name: sysdigcloud-api-ingress
          namespace: sysdigcloud
          resourceVersion: "156675"
          selfLink: /apis/extensions/v1beta1/namespaces/sysdigcloud/ingresses/sysdigcloud-api-ingress
          uid: 891a0a46-ce64-41e0-906b-31627306a844
        spec:
          rules:
          - host: <REPLACE WITH EXTERNAL DNS FQDN>
            http:
              paths:
              - backend:
                  serviceName: sysdigcloud-api
                  servicePort: 8080
                path: /
              - backend:
                  serviceName: sysdigcloud-scanning-api
                  servicePort: 80
                path: /api/scanning
          - host: <REPLACE WITH INTERNAL DNS FQDN>
            http:
              paths:
              - backend:
                  serviceName: sysdigcloud-api
                  servicePort: 8080
                path: /
              - backend:
                  serviceName: sysdigcloud-scanning-api
                  servicePort: 80
                path: /api/scanning
          tls:
          - hosts:
            - <REPLACE WITH EXTERNAL DNS FQDN>
            - <REPLACE WITH INTERNAL DNS FQDN>
            secretName: sysdigcloud-ssl-secret
        status:
          loadBalancer:
            ingress:
            - {}
        
      3. Apply the changes:

        kubectl apply -f ingress.yaml
        
    2. Configure Nginx in the Sysdig API pod.

      1. Open the deployment manifest of the sysdig-api deployment.

      2. Add the following environment variable to the Nginx container's environment variables section:

         - name: NGINX_NOT_ON_EDGE
           value: "true"
        
      3. Apply the changes.

      4. Confirm that the following lines are present in the Nginx configuration file at /etc/nginx/conf.d/api.conf; they forward the host name the user originally requested to the Sysdig API:

        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Server $host;
        
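    The following script is an added example, not Sysdig code, showing how the pieces of the procedure above fit together: it reads the served host names out of the Ingress from step 1, emulates the two proxy_set_header lines from step 2, and resolves the origin the way a backend honouring the splitDnsSupport, splitDnsOriginHostHeader and splitDnsOriginSchemeHeader keys (set later in the IDP configuration) would. The example FQDNs, the default_url fallback and the check that refuses hosts the Ingress does not serve are assumptions added here for illustration; the page does not describe how Sysdig validates the forwarded host.

```python
"""Added example, not Sysdig code: how the Ingress hosts from step 1, the
X-Forwarded-* headers from step 2 and the splitDns* settings connect.
The allowlist check in resolve_origin() is an added hardening assumption,
not documented Sysdig behaviour."""


def _rule(host):
    """Build one Ingress rule shaped like those in step 1 for the given host."""
    return {"host": host, "http": {"paths": [
        {"path": "/", "backend": {"serviceName": "sysdigcloud-api", "servicePort": 8080}},
        {"path": "/api/scanning", "backend": {"serviceName": "sysdigcloud-scanning-api", "servicePort": 80}},
    ]}}


# Constructed sample: the Ingress from step 1 as `kubectl get ingress -o json`
# returns it, with the two placeholders filled in with example FQDNs.
EXTERNAL, INTERNAL = "sysdig.example.com", "sysdig.corp.internal"
INGRESS = {"spec": {
    "rules": [_rule(EXTERNAL), _rule(INTERNAL)],
    "tls": [{"hosts": [EXTERNAL, INTERNAL], "secretName": "sysdigcloud-ssl-secret"}],
}}

# The keys added in the IDP configuration section; header names match case-insensitively.
SETTINGS = {
    "splitDnsSupport": True,
    "splitDnsOriginHostHeader": "x-forwarded-server",
    "splitDnsOriginSchemeHeader": "x-forwarded-proto",
}


def ingress_hosts(ingress):
    """Return the set of hosts the Ingress routes.  Fails on an unfilled
    <REPLACE ...> placeholder and on a host that has a rule but no TLS entry,
    since users on that name would hit a certificate error before any redirect."""
    spec = ingress["spec"]
    rule_hosts = {rule["host"] for rule in spec.get("rules", [])}
    tls_hosts = {h for entry in spec.get("tls", []) for h in entry.get("hosts", [])}
    placeholders = {h for h in rule_hosts if h.startswith("<") or h.endswith(">")}
    if placeholders:
        raise ValueError(f"placeholders still present in Ingress: {sorted(placeholders)}")
    missing = rule_hosts - tls_hosts
    if missing:
        raise ValueError(f"hosts routed without TLS: {sorted(missing)}")
    return rule_hosts


def nginx_forwarded_headers(host, server_port, scheme):
    """Emulate what Sysdig NGINX adds to the upstream request with the two
    api.conf lines from step 2.  X-Forwarded-Proto is assumed to be supplied
    by the ingress controller in front of it (an assumption of this example):
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Server $host;"""
    return {
        "X-Forwarded-Host": f"{host}:{server_port}",
        "X-Forwarded-Server": host,
        "X-Forwarded-Proto": scheme,
    }


def resolve_origin(headers, settings, allowed_hosts, default_url=f"https://{EXTERNAL}"):
    """Return the scheme://host the IDP flow should send the user back to.

    With splitDnsSupport off every user is redirected to default_url, which is
    the failure the page describes for the second group of users.  With it on,
    the host comes from the header named by splitDnsOriginHostHeader and the
    scheme from splitDnsOriginSchemeHeader.  X-Forwarded-* values are only as
    trustworthy as the proxy chain that overwrites them, so a host the Ingress
    does not serve is rejected instead of becoming a redirect target."""
    if not settings.get("splitDnsSupport"):
        return default_url
    lowered = {name.lower(): value for name, value in headers.items()}
    host = lowered.get(settings["splitDnsOriginHostHeader"].lower())
    scheme = lowered.get(settings["splitDnsOriginSchemeHeader"].lower(), "https")
    if host is None:
        return default_url
    # X-Forwarded-Host carries "$host:$server_port"; drop the port before matching.
    hostname = host.rsplit(":", 1)[0] if host.count(":") == 1 else host
    if scheme not in ("http", "https") or hostname not in allowed_hosts:
        raise ValueError(f"refusing redirect to an origin the Ingress does not serve: {scheme}://{host}")
    return f"{scheme}://{hostname}"


if __name__ == "__main__":
    allowed = ingress_hosts(INGRESS)
    for requested in (EXTERNAL, INTERNAL):
        upstream = nginx_forwarded_headers(requested, 443, "https")
        print(requested, "->", resolve_origin(upstream, SETTINGS, allowed))
```

    Running the script prints each requested FQDN mapped back to itself; switching splitDnsSupport to false collapses both to the default URL, which reproduces the login problem this page addresses. Setting splitDnsOriginHostHeader to x-forwarded-host also works, because the port that header carries is stripped before matching.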

    IDP Configuration

    1. Ensure that Single Sign On (SSO) configuration is completed on the Sysdig Platform side.

    2. Retrieve the current SSO settings with the API:

      curl -v -X GET -H "Accept: application/json" -H "Content-type: application/json" -H 'Authorization: bearer XXXXXX' https://<API ENDPOINT>/api/admin/auth/settings/{{settingsID}} | jq
      
    3. In the returned JSON, add the following keys to the settings object inside authenticationSettings:

      "splitDnsSupport": true,
      "splitDnsOriginHostHeader": "x-forwarded-server",
      "splitDnsOriginSchemeHeader": "x-forwarded-proto"
      
    4. (optional) If you use the OpenID Connect protocol for SSO, also add settings.clientSecret, because the GET call does not return it:

      "clientSecret": "<Replace with your clientSecret>"
      
    5. Update the authenticationSettings object with a PUT request to the same endpoint, including the changes from the previous steps. For example:

      curl -v -X PUT -H "Accept: application/json" -H "Content-type: application/json" -H 'Authorization: bearer xxxxxxx' https://<API ENDPOINT>/api/admin/auth/settings/1 -d'
      {
        "authenticationSettings": {
          "id": 1,
          "version": 5,
          "createdOn": 1577285950000,
          "modifiedOn": 1577350608000,
          "type": "openid",
          "scope": "SYSTEM",
          "settings": {
            "createUserOnLogin": true,
            "forbidPasswordLogin": false,
            "issuer": "https://<Replace with your issuer>.com",
            "clientId": "<Replace with your client_id>",
            "clientSecret": "<Replace with your client_secret>",
            "metadata": null,
            "splitDnsSupport": true,
            "splitDnsOriginHostHeader": "x-forwarded-server",
            "splitDnsOriginSchemeHeader": "x-forwarded-proto",
            "metadataDiscovery": true
          }
        }
      }'
      

      Replace the issuer, client_id, and client_secret placeholders with your own values.
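    The script below is an added example, not Sysdig tooling, that performs steps 3 to 5 of the IDP configuration programmatically: it takes the authenticationSettings object returned by the GET in step 2, adds the three splitDns keys, restores clientSecret for OpenID Connect because the GET omits it, and builds the same PUT as the curl in step 5. The sample response, the API host api.example.com, the token and the secret value are constructed placeholders; only send() touches the network.

```python
"""Added example, not Sysdig tooling: apply the split-DNS settings change from
the IDP configuration steps.  Only send() performs a network call."""
import json
import urllib.request

# Constructed sample shaped like the GET response in step 2.  clientSecret is
# absent, as the page says it is for OpenID Connect.
GET_RESPONSE = {
    "authenticationSettings": {
        "id": 1,
        "version": 5,
        "createdOn": 1577285950000,
        "modifiedOn": 1577350608000,
        "type": "openid",
        "scope": "SYSTEM",
        "settings": {
            "createUserOnLogin": True,
            "forbidPasswordLogin": False,
            "issuer": "https://issuer.example.com",
            "clientId": "example-client-id",
            "metadata": None,
            "metadataDiscovery": True,
        },
    }
}

# The three keys from step 3, with the header names the page uses.
SPLIT_DNS_KEYS = {
    "splitDnsSupport": True,
    "splitDnsOriginHostHeader": "x-forwarded-server",
    "splitDnsOriginSchemeHeader": "x-forwarded-proto",
}


def build_split_dns_update(get_response, settings_id, client_secret=None):
    """Return the body for the PUT in step 5.

    Everything from the GET (id, version, type, scope, timestamps) is kept so the
    update targets the same object; only the settings map changes, and the input
    is not mutated.  For OpenID Connect the caller must pass client_secret,
    because the GET omits it and a PUT without it would not carry the secret."""
    auth = get_response["authenticationSettings"]
    if auth["id"] != settings_id:
        raise ValueError(f"settings id {auth['id']} in the body does not match URL id {settings_id}")
    settings = dict(auth["settings"])
    settings.update(SPLIT_DNS_KEYS)
    if auth["type"] == "openid":
        if not client_secret:
            raise ValueError("OpenID Connect: clientSecret is not returned by GET and must be supplied")
        settings["clientSecret"] = client_secret
    return {"authenticationSettings": {**auth, "settings": settings}}


def build_put_request(api_host, token, settings_id, body):
    """Build, but do not send, the same request as the curl in step 5."""
    return urllib.request.Request(
        f"https://{api_host}/api/admin/auth/settings/{settings_id}",
        data=json.dumps(body).encode("utf-8"),
        method="PUT",
        headers={
            "Accept": "application/json",
            "Content-type": "application/json",
            "Authorization": f"bearer {token}",
        },
    )


def send(request, timeout=30):
    """Send a prepared request and return the parsed JSON reply.  urlopen raises
    urllib.error.HTTPError on a non-2xx status, so a rejected update is not silent."""
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return json.load(response)


if __name__ == "__main__":
    body = build_split_dns_update(GET_RESPONSE, 1, client_secret="example-client-secret")
    request = build_put_request("api.example.com", "XXXXXX", 1, body)
    print(request.get_method(), request.full_url)
    print(json.dumps(body, indent=2))
    # send(request) would apply the change against a real deployment.
```

    Run it with the real API host, a valid bearer token and the settings ID from step 2, then call send() on the prepared request. Keeping the secret out of the script text (for example, reading it from an environment variable) avoids leaving it in shell history or version control, which the curl form does not.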