Runecast launched a new version of their product on the 19th of November. In this Runecast Analyzer v4.7.4 for NSX-T Kubernetes and vCloud Director review, I will go through all the new features and show how Runecast can work with and protect your NSX-T and Kubernetes infrastructures, and also vCloud Director (still in a kind of beta version).
Since my latest review of this product, Runecast has added more features and more products that you can scan for issues and check against Best Practices, like NSX-T, Kubernetes, AWS (GDPR), vCloud Director, etc.
Let’s have a look at what has changed since the last review:
Runecast Analyzer 4.7.2.0, released November 19, 2020:
- Added initial VMware Cloud Director support (Early Access)
- Knowledge definition updates
Runecast Analyzer 4.7.0.0, released November 19, 2020:
- Audits against VMware’s Security Configuration Guide (SCG) for NSX-T
- Insights for Edge Nodes, Host Nodes, and Management Nodes
- Checks against VMware Knowledge Base articles covering NSX-T
- Validation against NSX-T best practices
Runecast Analyzer 4.6.0.0, released November 11, 2020:
- Added ISO 27001 compliance profiles supporting VMware and AWS
- Added STIG Viewer export
- Added VMware Security Configuration Guide 7.0 support
Runecast Analyzer 4.5.4.0, released October 27, 2020:
- Fix added to allow vCenters with vSAN 7.0 U1 to be correctly analyzed
- Knowledge definition updates
Runecast Analyzer 4.5.0.0, released September 30, 2020:
- Custom Profiles support
- Added Kubernetes (CIS and Best Practices)
Runecast Analyzer 4.4.4.0, released September 11, 2020:
- Added GDPR compliance profile for AWS
- Latest knowledge definition updates
As we can see in the list above, Runecast continues to provide updates very regularly. They continue to improve their product and add more features and systems to analyze, now including NSX-T.
Since we have some NSX-V and NSX-T implementations in our labs, it is a good place to run Runecast Analyzer and show how we can analyze an NSX-T implementation and check if there are any issues or any Best Practices that are not being followed and need to be changed.
How to add your NSX-T to Runecast Analyzer
I will scan 3 NSX-T that we have in production, with versions 3.0, 2.5.1, and 2.5.2. So these are real production systems that I am scanning for this blog post, not a test lab.
Above are the NSX-T tested with this new Runecast Analyzer v4.7.4.
To add your NSX-T to Runecast Analyzer in the dashboard, click Settings.
Then in the Settings and the Connections tab, scroll down to the NSX-T connection settings section and click Add NSX-T.
Just add your NSX-T IP or DNS name (NSX-T Manager or Cluster Virtual IP) and credentials.
Note: For the connection to NSX-T, a user with Auditor (minimum) privileges in NSX-T Manager is needed.
After that, I have my three NSX-T added to Runecast Analyzer.
Now we will scan NSX-T and check any issues that we may have in our systems.
Note: In this Runecast Analyzer, we also have a couple of NSX-V added from previous tests.
As we can see in the next images, our NSX-T is almost green regarding Best Practices. We have one warning regarding the number of Edges we should have (8).
If we want to drill down into the issue, we click on the failed result, and we get more details about these Best Practices.
In this case, it concerns the number of Edges and the number of paths we can achieve with Edges on a tier-0 LR.
Next, we will check the Issues found on NSX-T and also in NSX-V.
Go to the All Issues View tab, and you will see some of the issues that need attention.
Note: Do not forget to filter the view to only the NSX products.
If we go to the Issues Inventory view for these NSX-T’s, we can also check some issues that were found and need attention.
Again we can see minor things that we need to improve, but nothing serious.
With these last images, we finish the NSX-T section.
As we can notice above, we can scan our NSX-T for all VMware Best Practices and any Issues with security that need attention and changes.
How to add your Kubernetes to Runecast Analyzer
For this section, I wanted to test some of the Kubernetes implementations that we have in production, but the teams could not create the user in time to use it in this blog post. So I decided to use the Runecast Demo to provide the proper information and show the type of issues that we can scan for with Runecast Analyzer.
If, meanwhile, I get access to our production Kubernetes, I will update this post with real examples.
To add your Kubernetes to Runecast Analyzer, you need to go to Settings and in the Connections tab, scroll down to the Kubernetes section, and click Add Kubernetes.
Note: To add Kubernetes to Runecast Analyzer, you need to provide the Kubernetes cluster API address, port, and service account token.
- How to create user and Token in Kubernetes?
Use the following commands to create a service account and output the account token.
1 – Set the namespace where the service account will be created
    export NAMESPACE="kube-system"
2 – Create the service account
    kubectl create serviceaccount runecast-analyzer -n ${NAMESPACE}
3 – Create clusterrole
    kubectl create clusterrole runecast-analyzer --verb=get,list,watch --resource=namespaces,pods,replicationcontrollers,serviceaccounts,services,daemonsets.apps,deployments.apps,replicasets.apps,statefulsets.apps,cronjobs.batch,jobs.batch,networkpolicies.networking.k8s.io,podsecuritypolicies.policy,clusterrolebindings.rbac.authorization.k8s.io,clusterroles.rbac.authorization.k8s.io,rolebindings.rbac.authorization.k8s.io,roles.rbac.authorization.k8s.io
4 – Bind the clusterrole
    kubectl create clusterrolebinding runecast-analyzer --clusterrole=runecast-analyzer --serviceaccount=${NAMESPACE}:runecast-analyzer
5 – Output the service account token
    kubectl get serviceaccounts runecast-analyzer -n ${NAMESPACE} -o jsonpath='{.secrets[].name}' | xargs kubectl get secret -n ${NAMESPACE} -o jsonpath='{.data.token}' | base64 -d | awk '{print "copy the service account token:\n"$1"\n"}'
After you create your user account and token, add them to Runecast Analyzer.
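An added example, not from Runecast or the original post: a least-privilege check for the ClusterRole created in step 3, useful before handing the token to any scanner. It parses `kubectl get clusterrole runecast-analyzer -o json` output and reports verbs beyond get/list/watch, wildcards, and read access to secrets; both sample roles are constructed, and treating `secrets` as the only sensitive resource is an assumption of this example.

```python
import json

READ_ONLY_VERBS = {"get", "list", "watch"}   # the verbs granted in step 3
SENSITIVE = {"secrets"}                      # assumption: reading these exposes credentials

def audit_cluster_role(role_json):
    """Audit `kubectl get clusterrole NAME -o json` output; return a list of findings."""
    findings = []
    for n, rule in enumerate(json.loads(role_json).get("rules") or []):
        verbs = set(rule.get("verbs") or [])
        resources = set(rule.get("resources") or [])
        groups = set(rule.get("apiGroups") or [])
        extra = sorted(verbs - READ_ONLY_VERBS)
        if extra:
            findings.append(f"rule {n}: non-read-only verbs {extra}")
        if "*" in resources or "*" in groups:
            findings.append(f"rule {n}: wildcard resource or API group")
        # secrets live in the core ("") API group, which a "*" group also matches
        exposed = sorted(r for r in resources if r.split("/")[0] in SENSITIVE)
        if exposed and groups & {"", "*"}:
            findings.append(f"rule {n}: read access to {exposed}")
    return findings

def _role(rules):
    return json.dumps({"kind": "ClusterRole", "metadata": {"name": "runecast-analyzer"}, "rules": rules})

RO = ["get", "list", "watch"]
# Constructed sample: the role as the command in step 3 would create it.
ROLE_FROM_PAGE = _role([
    {"apiGroups": [""], "resources": ["namespaces", "pods", "replicationcontrollers", "serviceaccounts", "services"], "verbs": RO},
    {"apiGroups": ["apps"], "resources": ["daemonsets", "deployments", "replicasets", "statefulsets"], "verbs": RO},
    {"apiGroups": ["batch"], "resources": ["cronjobs", "jobs"], "verbs": RO},
    {"apiGroups": ["networking.k8s.io"], "resources": ["networkpolicies"], "verbs": RO},
    {"apiGroups": ["policy"], "resources": ["podsecuritypolicies"], "verbs": RO},
    {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterrolebindings", "clusterroles", "rolebindings", "roles"], "verbs": RO},
])
# Constructed sample: the same role after someone widened it.
ROLE_DRIFTED = _role([
    {"apiGroups": [""], "resources": ["pods", "secrets"], "verbs": RO},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "patch"]},
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
])

if __name__ == "__main__":
    for name, role in (("from page", ROLE_FROM_PAGE), ("drifted", ROLE_DRIFTED)):
        print(name, audit_cluster_role(role) or "read-only, no sensitive resources")
```

The role from step 3 produces no findings: it is read-only and does not include secrets, so the token grants visibility into configuration without exposing other credentials.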
Then you have Kubernetes connected (the next example is from the Online Runecast Demo).
This is the Kubernetes Main Dashboard.
Note: If you want to view only Kubernetes or other products (like NSX-T or vCD), always select it in the product list.
As we can check in the example, a lot of Best Practices need to be fixed. You will have the list of the Best Practices to be fixed, but you will also know the Best Practices for Kubernetes just with one Runecast Analyzer scan.
Note: Again, this is from Online Runecast Demo.
Again, we can click on a Best Practices issue and get the details for that failed check.
How to add your vCloud Director to Runecast Analyzer
vCloud Director (vCD) support in Runecast Analyzer is still in Early Access, meaning that it is still in development and this is the first version. Runecast Analyzer for vCD is only supported for vCD v10 and above.
If you try to add a vCD v9.x, you will get some errors and cannot add the vCD. I don’t know if Runecast is planning to add earlier versions in the next releases, but since those use Flash and v10.x uses HTML5, I don’t think it will be supported.
Unfortunately, in production, I only have vCD 9.x (upgrade is already planned for Q1 2021), so I cannot test this new feature in a real production environment. So I will use some examples from my lab vCD and some from the Online Runecast Analyzer Demo.
To connect your Runecast Analyzer to vCD, it needs a user role with at least View only privileges on the vCD provider.
As we have seen in the other connections, to add vCD, you need to go to Settings and in the Connections tab, scroll down to the vCD section, and click Add VMware Cloud Director.
Again, after adding the Product to your Runecast Analyzer, scan and let Runecast Analyzer search for any Best Practices and Issues in your vCD.
Here we can see an example of my lab vCD v10.1 with some Best Practices not implemented.
Click on one example of the Certificates Best Practices that are not implemented.
Some examples from the Online Runecast Analyzer Demo from Runecast.
In this example, we notice more properly configured items, but also that patches are available and are not installed.
Clicking on the patches issue shows the details and the information about the patches that are missing.
Note: When I upgrade my production vCD, I will update this post with real examples.
Summing up:
I have said this many times when talking about Runecast Analyzer: it is the best and the only tool I know of that has all these features and supports these VMware products, scanning for Best Practices, Issues, Hardware incompatibilities, and any security misconfigurations that we may have in our implementations.
Runecast now adds these three new products, NSX-T, Kubernetes, and vCD, which is again a huge improvement to the tool. The Runecast team also stays on top of the newest and most important VMware products (not forgetting Pure Storage), because those are the ones that customers use in their daily work.
As an example of the great work and how useful this tool is: we received a new Pure Storage system last month, so after everything was in place, I ran Runecast on it to check that everything was configured properly and that Best Practices were all implemented when used with VMware (vCenter, ESXi hosts, and VMs).
As we can notice, some changes need to be done to the ESXi hosts iSCSI adapters. It is also very important to change the VMs virtual controller to Paravirtual to have better performance.
I think this is a tool that all IT departments/companies should have and use to help them keep a safe Virtual Infrastructure that meets all the Security Compliance standards, like VMware Guidelines, DISA STIG, PCI DSS, HIPAA, BSI IT-Grundschutz, CIS, NIST, GDPR, and ISO 27001.
It also helps you have an infrastructure fully configured with the Best Practices for the different VMware products, and the proper compatible Hardware that VMware recommends in their HCL.
I hope this blog post, Runecast Analyzer v4.7.4 for NSX-T Kubernetes and vCloud Director review, helped show the new features in this new Runecast Analyzer v4.7.4 and the type of issues that we can discover in these newly supported VMware products.
Useful links:
You can try Runecast Analyzer with Analyzer-online-demo.
Runecast is scheduling many VMUGs online meetings and Webinars HERE, check them out.
Download and register for Runecast Analyzer v4.7.4 trial HERE.
Here you can check most of the information I have shown in this blog post, in particular the user configuration and permissions needed: Runecast User Guide
Share this article if you think it is worth sharing. If you have any questions or comments, comment here, or contact me on Twitter.