Install Graylog API Security

Graylog API Security is Kubernetes-native software that you install from the command line using Helm. This section provides all the installation commands to use for each runtime platform.

Hint: The free and paid versions of Graylog API Security use the same installation instructions.

Prerequisites

  • Kubernetes cluster (cloud or self-managed)

  • kubectl, a Kubernetes command-line tool, to query the cluster

  • Helm, the Kubernetes package manager, to install and configure Kubernetes applications

Install on Kubernetes

When you install Graylog API Security on Kubernetes clusters, including the single-node Kubernetes cluster bundled with Docker Desktop, you need 6 vCPUs and 18 GiB of RAM for each Graylog API Security node deployed.
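The sizing requirement above can be checked before running Helm. The following is an added example, not part of the Graylog documentation: it compares each node's allocatable CPU and memory with the 6 vCPU / 18 GiB figure. The function names are illustrative, and using allocatable rather than total capacity is an assumption.

```shell
#!/bin/sh
# Added example: pre-flight check against the per-node requirement on this page.
REQ_MILLICPU=6000        # 6 vCPUs
REQ_MIB=$((18 * 1024))   # 18 GiB

# Kubernetes CPU quantity ("8" or "7910m") -> millicores.
cpu_to_millicores() {
  n=${1%m}
  case "$n" in ""|*[!0-9]*) return 1 ;; esac
  if [ "$n" = "$1" ]; then echo $((n * 1000)); else echo "$n"; fi
}

# Kubernetes memory quantity (bytes, Ki, Mi, Gi, Ti) -> MiB, rounded down.
mem_to_mib() {
  case "$1" in
    *Ki) n=${1%Ki}; mul=1;       div=1024 ;;
    *Mi) n=${1%Mi}; mul=1;       div=1 ;;
    *Gi) n=${1%Gi}; mul=1024;    div=1 ;;
    *Ti) n=${1%Ti}; mul=1048576; div=1 ;;
    *)   n=$1;      mul=1;       div=1048576 ;;
  esac
  case "$n" in ""|*[!0-9]*) return 1 ;; esac
  echo $((n * mul / div))
}

# Reads "NAME CPU MEMORY" lines on stdin, prints a verdict per node, and
# succeeds only if at least one node can host a Graylog API Security node.
check_nodes() {
  fit=0
  while read -r name cpu mem; do
    [ -n "$name" ] || continue
    if mc=$(cpu_to_millicores "$cpu") && mib=$(mem_to_mib "$mem"); then
      if [ "$mc" -ge "$REQ_MILLICPU" ] && [ "$mib" -ge "$REQ_MIB" ]; then
        echo "OK $name"; fit=$((fit + 1))
      else
        echo "TOO_SMALL $name"
      fi
    else
      echo "UNPARSED $name"
    fi
  done
  [ "$fit" -gt 0 ]
}

# Live use (needs cluster access):
#   kubectl get nodes --no-headers -o custom-columns=NAME:.metadata.name,CPU:.status.allocatable.cpu,MEM:.status.allocatable.memory | check_nodes
```

Quantities with decimal suffixes (for example 32G) are reported as UNPARSED rather than guessed at.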

Hint: To install on Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), IBM Cloud, or MicroK8s, use the specific platform instructions in the sections below.

Use the following Helm command to install Graylog API Security with default options:

helm repo add resurfaceio https://resurfaceio.github.io/containers; helm repo update; helm install resurface resurfaceio/resurface --create-namespace --namespace resurface

It can take several minutes to download container images and start pods, and the previous command might appear to be complete while installation is still ongoing in the background. Run this script to wait until pods have started:

kubectl wait --for=jsonpath='{.status.loadBalancer.ingress}' service/resurface-kubernetes-ingress -n resurface && kubectl wait --for=condition=Ready pod/resurface-coordinator-0 -n resurface && echo "pod/resurface-coordinator-0 running at http://$(kubectl get svc resurface-kubernetes-ingress --namespace resurface --template '{{ (index .status.loadBalancer.ingress 0).ip }}')/ui/"

Install on AWS

When you install Graylog API Security on an existing Amazon Elastic Kubernetes Service (EKS) cluster on AWS, you need 6 vCPUs and 18 GiB of RAM for each Graylog API Security node deployed. If these requirements cannot be met by your existing EKS cluster, create a new node group using m7g.2xlarge (ARM), m7i.2xlarge (x86), or larger VMs.

In addition, you must enable the Amazon EBS CSI Driver add-on in your cluster to provision persistent volumes. The Amazon EBS CSI plugin requires Identity and Access Management (IAM) permissions to make calls to AWS APIs on your behalf, so be sure to create the corresponding IAM role, or attach the AmazonEBSCSIDriverPolicy to your existing role.

Use the following Helm command to install Graylog API Security, optimized for AWS:

helm repo add resurfaceio https://resurfaceio.github.io/containers; helm repo update; helm install resurface resurfaceio/resurface --create-namespace --namespace resurface --set provider=aws

It can take several minutes to download container images and start pods, and the previous command might appear to be complete while installation is still ongoing in the background. Run this script to wait until pods have started:

kubectl wait --for=jsonpath='{.status.loadBalancer.ingress}' service/resurface-kubernetes-ingress -n resurface && kubectl wait --for=condition=Ready pod/resurface-coordinator-0 -n resurface && echo "pod/resurface-coordinator-0 running at http://$(kubectl get svc resurface-kubernetes-ingress --namespace resurface --template '{{ (index .status.loadBalancer.ingress 0).ip }}')/ui/"
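The wait step is the same on each platform, and `kubectl wait` gives up after its default 30-second timeout while the installation can take several minutes. Load balancers that publish a DNS name instead of an IP address, as AWS load balancers do, also leave the `.ip` field empty. The following added example (not from the Graylog documentation) uses the resource names from the command above, sets an explicit timeout, and falls back to the hostname; `wait_for_ui`, `pick_address` and the 600s default are assumptions.

```shell
#!/bin/sh
# Added example: the page's wait step with an explicit timeout and a
# fallback to the load balancer hostname. Function names are illustrative.

# "ip|hostname" -> the first non-empty field; fails if both are empty.
pick_address() {
  ip=${1%%|*}
  name=${1#*|}
  if [ -n "$ip" ]; then echo "$ip"
  elif [ -n "$name" ]; then echo "$name"
  else return 1
  fi
}

# Usage: wait_for_ui [namespace] [timeout]   (the 600s default is an assumption)
wait_for_ui() {
  ns=${1:-resurface}
  timeout=${2:-600s}
  kubectl wait --timeout="$timeout" --for=jsonpath='{.status.loadBalancer.ingress}' \
    service/resurface-kubernetes-ingress -n "$ns" >&2 || return 1
  kubectl wait --timeout="$timeout" --for=condition=Ready \
    pod/resurface-coordinator-0 -n "$ns" >&2 || return 1
  # Ask for both fields; whichever the load balancer did not set comes back empty.
  addr=$(kubectl get svc resurface-kubernetes-ingress -n "$ns" \
    -o jsonpath='{.status.loadBalancer.ingress[0].ip}{"|"}{.status.loadBalancer.ingress[0].hostname}') || return 1
  host=$(pick_address "$addr") || { echo "no ingress address yet" >&2; return 1; }
  echo "http://$host/ui/"
}
```

Call `wait_for_ui` after `helm install`; it prints the UI URL on success and returns non-zero if either wait times out.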

Install on Azure

When you install Graylog API Security on an existing Azure Kubernetes Service (AKS) cluster on Azure, you need 6 vCPUs and 18 GiB of RAM for each Graylog API Security node deployed. If these requirements cannot be met by your existing AKS cluster, create a new node pool using Standard_D8ps_v5 (ARM), Standard_D8as_v5 (x86), or larger VMs.

Use the following Helm command to install Graylog API Security, optimized for Azure:

helm repo add resurfaceio https://resurfaceio.github.io/containers; helm repo update; helm install resurface resurfaceio/resurface --create-namespace --namespace resurface --set provider=azure

It can take several minutes to download container images and start pods, and the previous command might appear to be complete while installation is still ongoing in the background. Run this script to wait until pods have started:

kubectl wait --for=jsonpath='{.status.loadBalancer.ingress}' service/resurface-kubernetes-ingress -n resurface && kubectl wait --for=condition=Ready pod/resurface-coordinator-0 -n resurface && echo "pod/resurface-coordinator-0 running at http://$(kubectl get svc resurface-kubernetes-ingress --namespace resurface --template '{{ (index .status.loadBalancer.ingress 0).ip }}')/ui/"

Install on Google Cloud Platform

When you install Graylog API Security on an existing Google Kubernetes Engine (GKE) cluster on GCP, you need 6 vCPUs and 18 GiB of RAM for each Graylog API Security node deployed. If these requirements cannot be met by your existing GKE cluster, create a new node pool using c3d-standard-8 (x86) or larger VMs. We do not recommend deploying on ARM at this time.

Use the following Helm command to install Graylog API Security, optimized for GCP:

helm repo add resurfaceio https://resurfaceio.github.io/containers; helm repo update; helm install resurface resurfaceio/resurface --create-namespace --namespace resurface --set provider=gcp

It can take several minutes to download container images and start pods, and the previous command might appear to be complete while installation is still ongoing in the background. Run this script to wait until pods have started:

kubectl wait --for=jsonpath='{.status.loadBalancer.ingress}' service/resurface-kubernetes-ingress -n resurface && kubectl wait --for=condition=Ready pod/resurface-coordinator-0 -n resurface && echo "pod/resurface-coordinator-0 running at http://$(kubectl get svc resurface-kubernetes-ingress --namespace resurface --template '{{ (index .status.loadBalancer.ingress 0).ip }}')/ui/"

Install on IBM Cloud

When you install Graylog API Security on a Red Hat OpenShift cluster on IBM Cloud, you need 6 vCPUs and 18 GiB of RAM for each Graylog API Security node deployed. If these requirements cannot be met by your existing OpenShift cluster, create a node pool using bx2-8x32 (x86) or larger VMs. We do not recommend deploying on ARM at this time.

Create an OpenShift project by running the following command:

oc new-project resurface --description="Graylog API Security discovers and alerts on quality and security signatures in your API traffic" --display-name="Resurface"

Use the following Helm command to install Graylog API Security, optimized for OpenShift:

helm install resurface resurfaceio/resurface --set provider=ibm-openshift --set ingress.controller.enabled=false --set ingress.tls.host=$(oc -n openshift-ingress-operator get ingresscontrollers.operator.openshift.io default -o jsonpath='{.status.domain}') --namespace resurface

It can take several minutes to download container images and start pods, and the previous command might appear to be complete while installation is still ongoing in the background. Run this script to wait until pods have started:

echo http://$(oc get route --namespace resurface --template "{{ (index .items 0).spec.host }}")/ui/

Install on MicroK8s

MicroK8s is a lightweight Kubernetes distribution that runs on your own hardware. To start, you'll need a Linux machine or VM with at least 8 vCPUs and 24 GB of memory. Each Graylog API Security node requires 6 vCPUs and 18 GB of RAM, and resources must be left over for MicroK8s, MinIO (if enabled), and the operating system.

MicroK8s requires the snap command, which is enabled by default on many current Ubuntu distributions. For other Linux distributions, enable snap support before installing MicroK8s.

Start by installing MicroK8s:

sudo snap install microk8s --classic --channel=1.30/stable;
sudo usermod -a -G microk8s $USER;
newgrp microk8s;
alias helm='microk8s helm';
alias kubectl='microk8s kubectl';

Next, disable the MicroK8s daemon-apiserver-kicker:

echo "--bind-address 0.0.0.0" >> /var/snap/microk8s/current/args/kube-apiserver;
microk8s stop; microk8s start;

Run the following code to configure MicroK8s:

microk8s enable dns;
microk8s enable hostpath-storage;
microk8s status --wait-ready;

Next, use this command to bind the machine IP address to MicroK8s:

microk8s enable metallb:X.X.X.X-X.X.X.X;

Use the following Helm commands to install Graylog API Security, optimized for MicroK8s:

helm repo add resurfaceio https://resurfaceio.github.io/containers;
helm repo update;
helm install resurface resurfaceio/resurface --create-namespace --namespace resurface;

It can take several minutes to download container images and start pods, and the previous command might appear to be complete while installation is still ongoing in the background. Run this script to wait until pods have started:

kubectl wait --for=jsonpath='{.status.loadBalancer.ingress}' service/resurface-kubernetes-ingress -n resurface && kubectl wait --for=condition=Ready pod/resurface-coordinator-0 -n resurface && echo "pod/resurface-coordinator-0 running at http://$(kubectl get svc resurface-kubernetes-ingress --namespace resurface --template '{{ (index .status.loadBalancer.ingress 0).ip }}')/ui/"

Next Steps

After you install Graylog API Security, you need to complete additional configuration before you can begin capturing API calls. See the following topics: