Kubernetes consists of many components and moving parts to accommodate the requirements that users may have for it. For the purpose of this page, the information will be kept as simple and straightforward as possible.
The AWS EKS user guide can be found at the following URL
For the administration of SIEMonster, the following items need to be understood.
Stateful Sets (STS)
Persistent volume claim (PVC)
Kubernetes nodes are the base VMs or EC2 instances that the Kubernetes services rest upon. Broken down to its most basic description, a Kubernetes node is an OS with the Kubernetes services deployed on top of it. How to do such a deployment is beyond the scope of this guide, but it is important to understand that a node or a collection of nodes makes up the cluster on which the services will run. Any resources allocated to the VM or EC2 instance can thus be consumed by pods to run services.
Pods are containers or groups of containers that run on top of the Kubernetes nodes. The pods are assigned resources from the nodes they run on. If you have multiple containers inside a pod, they share the resources allocated to the pod, similar to resource groups.
Namespaces are used to organise groups of pods into “virtual clusters”. Controls can be applied to namespaces to keep them isolated from each other, making them ideal for running in MSSP environments where shared resources need to be tightly controlled to be cost effective but tenants must remain apart. Each tenant in SIEMonster is allocated a namespace within the Kubernetes cluster. There are additional namespaces for consolidated services and, of course, for Kubernetes core services.
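The kind of namespace controls described above can be expressed with standard Kubernetes objects. The manifest below is an added example, not SIEMonster's own configuration; the namespace name tenant-a and all quota values are constructed placeholders.

```yaml
# Constructed example: "tenant-a" and every value below are placeholders,
# not SIEMonster defaults.
apiVersion: v1
kind: Namespace
metadata:
  name: tenant-a
  labels:
    tenant: tenant-a
---
# Cap what this tenant's pods and PVCs may consume from the shared cluster,
# so one tenant cannot starve the others.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: tenant-a-quota
  namespace: tenant-a
spec:
  hard:
    requests.cpu: "8"
    requests.memory: 32Gi
    limits.cpu: "16"
    limits.memory: 64Gi
    persistentvolumeclaims: "10"
    requests.storage: 500Gi
---
# Select every pod in the namespace (empty podSelector) and allow ingress
# only from pods in the same namespace. Once a pod is selected by a policy,
# any ingress not explicitly allowed is dropped, so other tenants'
# namespaces cannot reach these pods.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-same-namespace-only
  namespace: tenant-a
spec:
  podSelector: {}
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector: {}
```

NetworkPolicy objects only take effect when the cluster's network plugin enforces them. Traffic from a shared services namespace would need an additional rule using a namespaceSelector.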
Stateful sets (STS)
STSs store the configuration for each of the services. They contain a wide range of information, from resource allocation to the container image versions to use. In official Kubernetes terminology, an STS is described as the “workload API object used to manage stateful applications”. StatefulSets are used when the startup sequence of multiple related pods becomes important.
Deployments have similar options to those of STSs. They are more frequently used for pods that don’t require specific startup sequences, and they allow for easy scaling as needed.
🔖 NOTE: One important difference between STSs and deployments is the names pods receive. The name of an STS-based pod will always end in a single number, counted from 0, which shows which pod of that specific set it is, e.g. siemonster-wazuh-0 is the first or only pod, and siemonster-wazuh-2 is the 3rd pod.
Persistent volume claim (PVC)
Persistent volume claims are storage requests passed from the pod to the control plane and subsequently to the storage provider in Kubernetes.
Secrets are used to store sensitive information required for the operation of a pod, like API keys, hashes, etc. Other configuration items can also be stored here from time to time for use inside a pod.
From version 5, SIEMonster has been adapted to automatically scale storage and nodes. This automatically adjusts the environment when resources are constrained due to an unexpected load increase or natural growth.