Kubernetes Integration

Kubernetes is an open source container orchestration engine for automating deployment, scaling, and management of containerized applications.

The Kubernetes cloud provider plug-in lets you easily integrate with public or private cloud ecosystems that can be accessed through the Kubernetes API (for example AWS, Azure, or Google Cloud).

A Kubernetes cloud provider profile lets you specify a list of images that will be selectable for Kubernetes-based virtual execution servers. When assigning such an execution server to a Silk Central execution, a new Kubernetes pod (based on the selected image) is deployed, running the execution, and then removed again.

Required proxy in Kubernetes

As a precondition, you need to start an HTTP proxy that supports the HTTP CONNECT method (SSL tunneling) within the Kubernetes cloud environment. With this proxy, only one public port needs to be exposed at the remote cloud service: Silk Central connects to that port, and the encrypted traffic between Silk Central and the execution servers running within Kubernetes is tunneled through it. Make sure to configure the proxy as Location Proxy (preferred) or System Proxy in Silk Central. For more information, see Configuring a System Proxy and Editing Locations. It is suggested to specify a location proxy and to create the Kubernetes-based virtual execution servers in this location.

Note: In contrast to physical execution servers, it is not necessary to change the execution server port configuration for the image. When you build the image using the Docker Image Package, the secure port is still 19125. Silk Central creates a Kubernetes service of type ClusterIP for each execution server that listens on port 443 and forwards the traffic to port 19125.

Starting a sample proxy in Kubernetes

Silk Central comes with a batch file that lets you start a sample proxy in Kubernetes.

To use the batch file, download the Docker Image Package from the Tools menu in Silk Central. Extract the package and double-click kubernetesStartTinyProxy.cmd. The batch file deploys a pod named tinyproxy with a tinyproxy image. For more information, refer to https://tinyproxy.github.io/.

Note: This is just a sample proxy. The proxy that you actually use is not part of the Silk Central Kubernetes integration. You can use any proxy that supports HTTP CONNECT. For demonstration purposes, the sample does not restrict access to the proxy. Make sure to thoroughly configure the proxy that you use for your security requirements, for example by restricting client IP addresses and by only allowing connections to port 443.

The sample batch file also applies tinyproxy-service.yaml to create a Kubernetes service named tinyproxyservice of type NodePort. The service creates a public port 30888 on this node that forwards to the actual proxy port 8888. This means that you need to specify port 30888 in Silk Central to access the proxy. You may need to adjust the service to a different type depending on your Kubernetes infrastructure.
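One way to check a tinyproxy configuration for the two restrictions recommended in the note above, as an added example that is not part of the Silk Central package. The sample configurations and the address 192.0.2.10 are constructed; the Allow and ConnectPort behavior follows the tinyproxy documentation.

```python
# Added example: audit a tinyproxy.conf for the two restrictions named in the note.
# Both sample configs are constructed; 192.0.2.10 is a placeholder client address.
OPEN_CONF = """\
Port 8888
Timeout 600
"""

HARDENED_CONF = """\
Port 8888
Timeout 600
# Only this client may use the proxy (placeholder address).
Allow 192.0.2.10
# CONNECT tunnels may only target port 443.
ConnectPort 443
"""


def parse_directives(text):
    """Return (name, value) pairs, skipping blank lines and # comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        pairs.append((parts[0].lower(), value))
    return pairs


def audit(text):
    """Return findings; an empty list means both restrictions are in place."""
    pairs = parse_directives(text)
    names = [name for name, _ in pairs]
    ports = [value for name, value in pairs if name == "connectport"]
    findings = []
    # tinyproxy allows all clients when no Allow or Deny line exists.
    if "allow" not in names and "deny" not in names:
        findings.append("no Allow/Deny line: any client may use the proxy")
    # tinyproxy allows CONNECT to every port when no ConnectPort line exists.
    if not ports:
        findings.append("no ConnectPort line: CONNECT allowed to any port")
    for port in ports:
        if port != "443":
            findings.append(f"ConnectPort {port}: expected only 443")
    return findings


if __name__ == "__main__":
    for label, conf in (("open", OPEN_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or "ok")
```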

Building a secure execution server Docker image

To build a Docker image, download the Docker Image Package from the Tools menu in Silk Central and extract it. Open a command prompt, navigate to the package directory, and enter the following command:

docker build -t silkcentral-execserver:21.0 .

This command builds the Docker image silkcentral-execserver:21.0 for Linux (using the default Dockerfile) in the local Docker repository. To build an image for a Windows container, use the file Dockerfile-Windows.