Securing Cassandra

Use these instructions to enable authentication and TLS on Cassandra.

Tip

This feature is available for Sysdig on-prem v2.3.0 or later.

Prerequisite

Install the Sysdig Platform following the Kubernetes installation steps, version 2.3.0 or later, OR upgrade to version 2.3.0 or later. See Install on Kubernetes 1.9+.

Warning

If your Sysdig installation is in production, enabling Cassandra authentication and SSL will require downtime. Be sure to schedule a maintenance window in advance.

Enable Authentication and TLS

Step 1: Create a local copy of the current sysdigcloud-config configmap

Write the current configmap configuration to a local file so you can edit it and subsequently apply the changes (step 4).

NAMESPACE=sysdigcloud
kubectl -n $NAMESPACE get configmap sysdigcloud-config -o yaml > sysdigcloud-configmap.yaml

Step 2: Set authentication and SSL parameters to true

In sysdigcloud-configmap.yaml, set BOTH cassandra.secure and cassandra.ssl.enabled to true. The default values are false. (For this release, setting either to false will not enable auth or SSL.)

cassandra.secure: "true"
cassandra.ssl.enabled: "true"

Step 3: Provide authentication credentials

In sysdigcloud-configmap.yaml, provide BOTH cassandra.user and cassandra.password.

cassandra.user: <username>
cassandra.password: <password>

Step 4: Apply the configuration changes

kubectl -n $NAMESPACE apply -f sysdigcloud-configmap.yaml

Step 5: Restart components

Restart Cassandra, API, collector, and worker pods:

kubectl -n $NAMESPACE delete pod -l role=cassandra
kubectl -n $NAMESPACE delete pod -l role=collector
kubectl -n $NAMESPACE delete pod -l role=api
kubectl -n $NAMESPACE delete pod -l role=worker
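
A pre-apply check for the edits made in steps 2 and 3, to run on sysdigcloud-configmap.yaml before step 4. This is an added example, not part of the original Sysdig instructions; the script name and the function names cm_value and check_cassandra_config are hypothetical, and it assumes each key sits on its own line in the file as shown above.

```shell
#!/bin/sh
# Added example (not Sysdig's code): pre-apply check for the edited configmap.

# Print the value of a configmap key from the YAML file, with trailing
# whitespace and surrounding quotes removed. Prints nothing if the key is absent.
cm_value() {
    # $1 = file, $2 = key; escape the dots so sed matches them literally
    key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${key_re}:[[:space:]]*//p" "$1" | head -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Return 0 only if both switches are "true" and both credentials are filled in.
check_cassandra_config() {
    file=$1
    rc=0
    for key in cassandra.secure cassandra.ssl.enabled; do
        val=$(cm_value "$file" "$key")
        if [ "$val" != "true" ]; then
            echo "FAIL: $key is '${val:-unset}', expected \"true\"" >&2
            rc=1
        fi
    done
    for key in cassandra.user cassandra.password; do
        val=$(cm_value "$file" "$key")
        # Never echo the value itself: it may be the real password.
        case $val in
            '' | '<'*'>')
                echo "FAIL: $key is empty or still a placeholder" >&2
                rc=1
                ;;
        esac
    done
    return "$rc"
}

# Usage: sh check-cassandra-config.sh sysdigcloud-configmap.yaml
if [ -n "${1:-}" ]; then
    check_cassandra_config "$1"
fi
```

A non-zero exit status means at least one of the four keys would leave authentication or TLS disabled, or the credentials unset, after the restart in step 5.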