Kaspersky Next XDR Expert

Distributed deployment: Preparing the administrator and target hosts

The administrator host is used to deploy and manage the Kubernetes cluster and Kaspersky Next XDR Expert. The target hosts are included in the Kubernetes cluster and perform the workload of the Kaspersky Next XDR Expert components. Kaspersky Next XDR Expert is deployed on the target hosts by using KDT. KDT runs on the administrator host and connects to target hosts via SSH.

Preparing the administrator host

To prepare the administrator host:

  1. Prepare a device that will act as the administrator host from which KDT will launch.

    The administrator host will not be included in the Kubernetes cluster that is created by KDT during the deployment.

    Make sure that the hardware and software on the administrator host meet the requirements for KDT.

    On the administrator host, allocate at least 10 GB of free space in the temporary files directory (/tmp) for KDT. If you do not have enough free space in this directory, run the following command to specify the path to another directory:

    export TMPDIR=<new_directory>/tmp

  2. Install the package for Docker version 23 or later, and then perform the post-installation steps to configure the administrator host for proper functioning with Docker.

    Do not install unofficial distributions of Docker packages from the operating system maintainer repositories.

Preparing the target hosts

To prepare the target hosts:

  1. Prepare the physical or virtual machines on which Kaspersky Next XDR Expert will be deployed.

    A minimum cluster configuration for the distributed deployment includes four nodes:

    • One primary node

      The primary node is intended for managing the cluster, storing metadata, and distributing the workload.

    • Three worker nodes

      The worker nodes are intended for performing the workload of the Kaspersky Next XDR Expert components.

      For optimal allocation of computing resources, it is recommended to use nodes with the same resources.

      You can install the DBMS inside the Kubernetes cluster when you perform the demonstration deployment of Kaspersky Next XDR Expert. In this case, allocate an additional worker node for the DBMS installation. KDT will install the DBMS during the Kaspersky Next XDR Expert deployment.

      For the distributed deployment, we recommend installing the DBMS on a separate server outside the cluster.

      After you deploy Kaspersky Next XDR Expert, you cannot switch from a DBMS installed inside the cluster to a DBMS installed on a separate server. To do so, you have to remove all Kaspersky Next XDR Expert components and then install Kaspersky Next XDR Expert again, and the data will be lost.

    Make sure that the hardware and software on the target hosts meet the requirements for the distributed deployment, and the target hosts are located in the same broadcast domain.

    For proper functioning of Kaspersky Next XDR Expert, the Linux kernel version must be 5.15.0.107 or later on target hosts running Ubuntu family operating systems.

    Docker must not be installed on the target hosts. KDT will install all necessary software and dependencies during the deployment.

  2. On each target host, install the sudo package, if this package is not already installed. For Debian family operating systems, install the UFW package on the target hosts.
  3. On each target host, configure the /etc/environment file. If your organization's infrastructure uses a proxy server to access the internet, make sure that the target hosts can connect to the internet through it.
  4. On the primary node with the UFW configuration, allow IP forwarding. In the /etc/default/ufw file, set DEFAULT_FORWARD_POLICY to ACCEPT.
  5. Provide access to the package repository that contains the following packages required for Kaspersky Next XDR Expert:
    • nfs-common
    • tar
    • iscsi-package
    • wireguard
    • wireguard-tools

    KDT will try to install these packages during the deployment from the package repository. You can also install these packages manually.

  6. For the primary node, ensure that the curl package is installed.
  7. For the worker nodes, ensure that the libnfs package version 12 or later is installed.

    KDT does not install the curl and libnfs packages from the package repository during the deployment. You must install these packages manually if they are not already installed.

  8. Reserve static IP addresses for the target hosts, for the Kubernetes cluster gateway and for the DBMS host (if the DBMS is installed inside the cluster).

    The Kubernetes cluster gateway is intended for connecting to the Kaspersky Next XDR Expert components installed inside the Kubernetes cluster.

    If you install the DBMS inside the cluster, the gateway IP address is an IP range (for example, 192.168.0.1—192.168.0.2). If you install the DBMS on a separate server, the gateway IP address is an IP address in CIDR notation that contains the subnet mask /32 (for example, 192.168.0.0/32). The gateway IP address is specified in the configuration file.

    Make sure that the target hosts, the Kubernetes cluster gateway, and the DBMS host are located in the same broadcast domain.

  9. On your DNS server, register the service FQDNs to connect to the Kaspersky Next XDR Expert services.

    By default, the Kaspersky Next XDR Expert services are available at the following addresses:

    • console.<smp_domain>—Access to the OSMP Console interface.
    • admsrv.<smp_domain>—Interaction with Administration Server.
    • kuma.<smp_domain>—Access to the KUMA Console interface.
    • api.<smp_domain>—Access to the Kaspersky Next XDR Expert API.
    • psql.<smp_domain>—Interaction with the DBMS (PostgreSQL).

      Where <smp_domain> is a common part of the service FQDNs that you can specify in the configuration file.

      Register the psql.<smp_domain> service FQDN if you installed the DBMS inside the Kubernetes cluster on the DBMS node and you need to connect to the DBMS.

    Depending on where you want to install the DBMS, the listed service FQDNs must be resolved to the IP address of the Kubernetes cluster as follows:

    • DBMS inside the Kubernetes cluster

      In this case, the gateway IP address is an IP range. The first IP address of the range is the address of the Kaspersky Next XDR Expert services (excluding the DBMS IP address), and the second IP address of the range is the IP address of the DBMS. For example, if the gateway IP range is 192.168.0.1—192.168.0.2, the service FQDNs must be resolved as follows:

      • console.<smp_domain>—192.168.0.1
      • admsrv.<smp_domain>—192.168.0.1
      • kuma.<smp_domain>—192.168.0.1
      • api.<smp_domain>—192.168.0.1
      • psql.<smp_domain>—192.168.0.2
    • DBMS on a separate server

      In this case, you do not need to specify the DBMS service IP address. The gateway IP address is the address of the Kaspersky Next XDR Expert services (excluding the DBMS IP address). For example, if the gateway IP address is 192.168.0.0/32, the service FQDNs must be resolved as follows:

      • console.<smp_domain>—192.168.0.0/32
      • admsrv.<smp_domain>—192.168.0.0/32
      • kuma.<smp_domain>—192.168.0.0/32
      • api.<smp_domain>—192.168.0.0/32
  10. On the target hosts, create the accounts that will be used for the Kaspersky Next XDR Expert deployment.

    These accounts are used for the SSH connection and must be able to elevate privileges (sudo) without entering a password. To do this, add the created user accounts to the /etc/sudoers file.

  11. Configure the SSH connection between the administrator and target hosts:
    1. On the administrator host, generate SSH keys by using the ssh-keygen utility without a passphrase.
    2. Copy the public key to every target host (for example, to the /home/<user_name>/.ssh directory) by using the ssh-copy-id utility.
  12. For proper functioning of the Kaspersky Next XDR Expert components, provide network access between the target hosts and, if necessary, open the required ports on the firewall of the administrator and target hosts.
  13. Configure time synchronization over Network Time Protocol (NTP) on the administrator and target hosts.
  14. If necessary, prepare custom certificates for working with Kaspersky Next XDR Expert public services.

    You can use either one intermediate certificate issued from the organization's root certificate or a leaf certificate for each of the services. The prepared custom certificates will be used instead of self-signed certificates.
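As an added example (not part of the Kaspersky documentation or of KDT), the following POSIX shell functions verify several of the conditions above from the administrator host: the kernel version against 5.15.0.107, passwordless sudo, the absence of Docker, curl and the UFW forwarding policy on the primary node, and whether the service FQDNs resolve to the addresses implied by the gateway setting. It assumes Ubuntu-family target hosts, a gateway range written with a plain hyphen, and the key-based SSH account created in step 10.

```shell
#!/bin/sh
# Pre-flight checks for Kaspersky Next XDR Expert target hosts (added example, not KDT code).
# Source this file on the administrator host and call the functions below.
MIN_KERNEL="5.15.0.107"   # minimum kernel for Ubuntu-family target hosts (step 1)
# version_ge A B: succeed when dotted numeric version A is >= B.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, "."); n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
      if (xi > yi) exit 0; if (xi < yi) exit 1
    }
    exit 0 }'
}
# Turn an Ubuntu "uname -r" value such as 5.15.0-107-generic into 5.15.0.107.
normalize_kernel() { printf '%s' "$1" | sed -E 's/^([0-9]+\.[0-9]+\.[0-9]+)-([0-9]+).*/\1.\2/'; }
# kernel_ok <uname -r output>: succeed when the kernel meets MIN_KERNEL.
kernel_ok() { version_ge "$(normalize_kernel "$1")" "$MIN_KERNEL"; }
# expected_ip <gateway_setting> <service>: address a service FQDN must resolve to (steps 8-9).
# "a-b" (DBMS inside the cluster): a for the services, b for psql. "a/32" (DBMS on a separate
# server): a for every service, no psql record; a DNS A record carries the address without /32.
# Assumption: the range is written with a plain hyphen.
expected_ip() {
  case $1 in
    */32) [ "$2" = psql ] && { echo "no psql record when the DBMS is external" >&2; return 1; }
          echo "${1%/32}" ;;
    *-*)  [ "$2" = psql ] && echo "${1#*-}" || echo "${1%-*}" ;;
    *)    echo "unrecognized gateway setting: $1" >&2; return 1 ;;
  esac
}
# check_dns <gateway_setting> <smp_domain>: compare resolver answers with expected_ip.
check_dns() {
  for svc in console admsrv kuma api psql; do
    want=$(expected_ip "$1" "$svc" 2>/dev/null) || continue
    got=$(getent hosts "$svc.$2" | awk '{ print $1; exit }')
    [ "$got" = "$want" ] && echo "ok   $svc.$2 -> $got" || echo "FAIL $svc.$2 -> ${got:-unresolved} (want $want)"
  done
}
# host_checks <user> <host> <primary|worker>: on-host checks over the key-based SSH account (step 10).
host_checks() {
  k=$(ssh -o BatchMode=yes "$1@$2" uname -r) || { echo "FAIL ssh to $2 without a password"; return 1; }
  kernel_ok "$k" && echo "ok   kernel $k" || echo "FAIL kernel $k is older than $MIN_KERNEL"
  ssh -o BatchMode=yes "$1@$2" sh -s "$3" <<'EOF'
sudo -n true 2>/dev/null && echo "ok   passwordless sudo" || echo "FAIL sudo asks for a password"
command -v docker >/dev/null 2>&1 && echo "FAIL docker is installed (KDT installs it)" || echo "ok   docker absent"
[ "$1" = primary ] || exit 0
command -v curl >/dev/null 2>&1 && echo "ok   curl present" || echo "FAIL curl missing on primary"
grep -qs '^DEFAULT_FORWARD_POLICY="ACCEPT"' /etc/default/ufw && echo "ok   ufw forwarding ACCEPT" || echo "FAIL ufw DEFAULT_FORWARD_POLICY"
EOF
}
```

Source the file, then run host_checks <user> <host> primary for the primary node (worker for the others) and check_dns 192.168.0.1-192.168.0.2 <smp_domain> to confirm the DNS records from step 9.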