Kaspersky Next XDR Expert

Multi-node deployment: Preparing the administrator and target hosts

Preparing for a multi-node deployment includes configuring the administrator and target hosts. After preparing hosts and specifying the configuration file, you will be able to deploy Kaspersky Next XDR Expert on target hosts by using KDT.

Preparing the administrator host

You first need to prepare a device that will act as the administrator host from which KDT will launch. This host may or may not be included in the Kubernetes cluster that KDT creates during the deployment. If the administrator host is not included in the cluster, it will be used only to deploy and manage the Kubernetes cluster and Kaspersky Next XDR Expert. If the administrator host is included in the cluster, it will also act as a target host that is used for operation of Kaspersky Next XDR Expert components.

To prepare the administrator host:

  1. Make sure that the hardware and software on the administrator host meet the requirements for KDT.
  2. Allocate at least 10 GB of free space in the temporary files directory (/tmp) for KDT. If you do not have enough free space in this directory, run the following command to specify the path to another directory:

    export TMPDIR=<new_directory>/tmp

  3. Install the package for Docker version 23 or later, and then perform the post-installation steps to configure the administrator host for proper functioning with Docker.

    Do not install unofficial distributions of Docker packages from the operating system maintainer repositories.

  4. For the administrator host that will be included in the cluster, perform additional preparatory steps:
    1. Since the device will act as the administrator and target host, make sure that it meets the requirements for the multi-node deployment.
    2. Make sure that the cgroup v2 technology is supported on the administrator host.

      The cgroup v2 technology is supported for the Linux kernel version 2.6.24 or later.

Preparing the target hosts

The target hosts are physical or virtual machines that are used to deploy Kaspersky Next XDR Expert and included in the Kubernetes cluster. Kaspersky Next XDR Expert components work on these hosts.

One of the target hosts can be used as the administrator host. In this case, you must prepare this host as the administrator host, as described in the previous procedure, and then perform the preparation steps for the target host.

A minimum cluster configuration for the multi-node deployment includes four nodes:

  • One primary node

    The primary node is intended for managing the cluster, storing metadata, and distributing the workload.

  • Three worker nodes

    The worker nodes are intended for performing the workload of the Kaspersky Next XDR Expert components.

    For optimal workload distribution between nodes, it is recommended to use nodes with approximately the same performance.

To prepare the target hosts:

  1. Make sure that the hardware and software on the target hosts meet the requirements for the multi-node deployment, and the target hosts are located in the same broadcast domain.

    For proper functioning of Kaspersky Next XDR Expert, the Linux kernel version must be 5.15.0.107 or later on the target hosts with the Ubuntu family operating systems.

    Docker must not be installed on the target hosts, except the target host that will be used as the administrator host. KDT will install all necessary software and dependencies during the deployment.

  2. On each target host, install the sudo package, if this package is not already installed. For Debian family operating systems, install the UFW package on the target hosts.
  3. On each target host, configure the /etc/environment file. If your organization's infrastructure uses a proxy server to access the internet, configure the internet access by using the proxy server on the target hosts.
  4. On the primary node with the UFW configuration, allow IP forwarding. In the /etc/default/ufw file, set DEFAULT_FORWARD_POLICY to ACCEPT.
  5. Provide access to the package repository that stores the following packages required for Kaspersky Next XDR Expert:
    • nfs-common
    • tar
    • iscsi-package
    • wireguard
    • wireguard-tools

    KDT will try to install these packages during the deployment from the package repository. You can also install these packages manually.

  6. For the primary node, ensure that the curl package is installed.
  7. For the worker nodes, ensure that the libnfs package version 12 or later is installed.

    The curl and libnfs packages are not installed during the deployment from the package repository by using KDT. You must install these packages manually, if they are not already installed.

  8. Reserve static IP addresses for the target hosts and the Kubernetes cluster gateway.

    The Kubernetes cluster gateway is intended for connecting to the Kaspersky Next XDR Expert components installed inside the Kubernetes cluster. The gateway IP address is an IPv4 address (for example, 10.80.23.182). It is specified in the configuration file (the ingress_ip parameter).

    Make sure that the target hosts, the Kubernetes cluster gateway, and the DBMS host are located in the same broadcast domain.

  9. On your DNS server, register the service FQDNs to connect to the Kaspersky Next XDR Expert services.

    By default, the Kaspersky Next XDR Expert services are available at the following addresses:

    • <console_host>.<smp_domain>—Access to the OSMP Console interface.
    • <admsrv_host>.<smp_domain>—Interaction with Administration Server.
    • <kuma_host>.<smp_domain>—Access to the KUMA Console interface.
    • <api_host>.<smp_domain>—Access to the Kaspersky Next XDR Expert API.
    • <monitoring_host>.<smp_domain>—Access to OSMP metrics.

      Where <console_host>, <admsrv_host>, <kuma_host>, <api_host>, and <monitoring_host> are service host names, <smp_domain> is a service domain name. These parameters are parts of the service FQDNs, which you can specify in the configuration file. If you do not specify custom values of service host names, the default values are used: console_host—"console", admsrv_host—"admsrv", kuma_host—"kuma", api_host—"api", monitoring_host—"monitoring".

    The listed service FQDNs must be resolved to the IP address of the Kubernetes cluster as follows:

    • <console_host>.<smp_domain>—10.80.23.182
    • <admsrv_host>.<smp_domain>—10.80.23.182
    • <kuma_host>.<smp_domain>—10.80.23.182
    • <api_host>.<smp_domain>—10.80.23.182
    • <monitoring_host>.<smp_domain>—10.80.23.182
  10. On the target hosts, create the accounts that will be used for the Kaspersky Next XDR Expert deployment.

    These accounts are used for the SSH connection and must be able to elevate privileges (sudo) without entering a password. To do this, add the created user accounts to the /etc/sudoers file.

  11. Configure the SSH connection between the administrator and target hosts:
    1. On the administrator host, generate SSH keys by using the ssh-keygen utility without a passphrase.
    2. Copy the public key to every target host (for example, to the /home/<user_name>/.ssh directory) by using the ssh-copy-id utility.

      If you use a target host as the administrator host, you must copy the public key to it, too.

  12. For proper functioning of the Kaspersky Next XDR Expert components, provide network access between the target hosts and open the required ports on the firewall of the administrator and target hosts, if necessary.
  13. Configure time synchronization over Network Time Protocol (NTP) on the administrator and target hosts.
  14. If necessary, prepare custom certificates for working with Kaspersky Next XDR Expert public services.

    You can use either one intermediate certificate issued from the organization's root certificate, or leaf certificates for each of the services. The prepared custom certificates will be used instead of self-signed certificates.
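
A preflight check for the kernel version, UFW forwarding policy, service FQDN and passwordless sudo requirements from the procedure above, as an added example that is not part of the Kaspersky documentation or KDT. All function names are hypothetical; the check assumes a POSIX shell with getent, sed and awk on the target host, and that it is run under the deployment account.

```sh
#!/bin/sh
# Added preflight sketch for target hosts; function names are hypothetical, not KDT's.
MIN_KERNEL="5.15.0.107"                              # Ubuntu-family minimum from the page
DEFAULT_HOSTS="console admsrv kuma api monitoring"   # default service host names

# kernel_ok <release>: succeeds if e.g. "5.15.0-107-generic" is >= MIN_KERNEL.
kernel_ok() {
  have=$(printf '%s' "$1" | tr '-' '.'); want=$MIN_KERNEL
  for i in 1 2 3 4; do
    h=${have%%.*}; h=${h%%[!0-9]*}; w=${want%%.*}
    [ "${h:-0}" -gt "$w" ] && return 0
    [ "${h:-0}" -lt "$w" ] && return 1
    case $have in *.*) have=${have#*.} ;; *) have=0 ;; esac
    want=${want#*.}
  done
  return 0
}

# ufw_forward_ok <file>: the file is sourced as shell, so the last assignment wins.
ufw_forward_ok() {
  val=$(sed -n 's/^[[:space:]]*DEFAULT_FORWARD_POLICY=//p' "$1" | tail -n 1 | tr -d "\"'")
  [ "$val" = "ACCEPT" ]
}

# resolve <fqdn>: first address returned by the system resolver.
resolve() { getent hosts "$1" | awk 'NR==1 {print $1}'; }

# fqdn_mismatches <smp_domain> <ingress_ip>: print every default service FQDN that
# does not resolve to the cluster gateway address; print nothing if all match.
fqdn_mismatches() {
  for host in $DEFAULT_HOSTS; do
    addr=$(resolve "$host.$1") || addr=""
    [ "$addr" = "$2" ] || printf '%s -> %s\n' "$host.$1" "${addr:-unresolved}"
  done
}

# preflight <smp_domain> <ingress_ip>: run on a target host as the deployment account.
# The UFW check applies to the primary node only.
preflight() {
  rc=0
  kernel_ok "$(uname -r)" || { echo "kernel older than $MIN_KERNEL"; rc=1; }
  ufw_forward_ok /etc/default/ufw || { echo "DEFAULT_FORWARD_POLICY is not ACCEPT"; rc=1; }
  sudo -n true 2>/dev/null || { echo "sudo asks for a password"; rc=1; }
  bad=$(fqdn_mismatches "$1" "$2")
  [ -z "$bad" ] || { echo "$bad"; rc=1; }
  return $rc
}
```

Call `preflight <smp_domain> <ingress_ip>` with the values from your configuration file; if you set custom service host names there, change DEFAULT_HOSTS to match.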