Recommended Kubernetes Architecture


Amin

Sep 5, 2025, 12:45:02 PM
to Wazuh | Mailing List
Dear community

We have tested Wazuh in a monolithic version and want to set it up for our systems in the data center. However, we would like to run Wazuh in Kubernetes.

We are talking about 100-300 servers that need to be monitored. Based on your experience, how would you recommend the Kubernetes architecture?

We were considering the following pods (in their own namespace):

1x master, 2x workers (stateful sets), 2-3x indexers (stateful), 1x dashboard (deployment), 1x NGINX ingress controller

Does this make sense based on your experience? And as I understand it, the workers are connected to the master, the indexers are connected to the workers, and the agents communicate with the load balancer, which in turn communicates with the indexers. Is that correct?

Thanks a lot!

Best regards

Javier Medeot

Sep 5, 2025, 3:28:23 PM
to Wazuh | Mailing List
Hi Amin.

Your proposed architecture sounds right for your environment. Running Wazuh on Kubernetes makes sense to simplify things here.
  • A dedicated namespace allows better management and security.
  • StatefulSet will allow persistence and unique IDs for the pods.
  • 1x master node for the Wazuh server is key for agent registration and cluster coordination.
  • 2x worker nodes for the Wazuh server sounds reasonable for your ~300 servers. Monitor the performance to learn if there's a need to scale horizontally by adding more worker pods.
  • 3x indexer nodes is ideal for high availability and data replication for your stored data. Complement this design with a data retention policy.
  • 1x dashboard deployment (stateless) is about right.
  • 1x NGINX ingress controller is highly recommended to have a stable entry point. Check this load balancer configuration guide for distributing agents among the server worker nodes.
The data flow goes like this: The ~300 Wazuh agents first enroll to the Wazuh server master node through port 1515, then continuously send security events (via port 1514 by default) to the cluster nodes (not directly to the indexer) through the NGINX ingress controller. The Wazuh server analysis module decodes data in these logs and creates alerts when data matches threat detection rules. The forwarder Filebeat ships these alerts to the Wazuh indexer cluster (port 9200 by default) for storage. The Wazuh dashboard queries the indexer's REST API for data visualization and also the Wazuh server API (port 55000) for data such as the status of the components and configuration information. The NGINX ingress load balancer acts here as well at the dashboard level for user input.

Make sure you allocate enough CPU, memory, and storage resources to each component and that you use SSL certificates to ensure communication security. Update default passwords after deployment. Check the documentation on deploying with Kubernetes here:
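The flow described in the reply above (enrollment on 1515 to the master, events on 1514 to the workers, both through the NGINX ingress controller, and the dashboard over HTTPS) can be expressed in Kubernetes manifests. The following is an added example written for this thread; it is not code from the reply, the Wazuh project, or the linked guide. Assumptions: a namespace named wazuh, manager pods labelled app=wazuh-manager with node-type=master or node-type=worker by their StatefulSets, a dashboard Service named wazuh-dashboard listening on 5601, and ingress-nginx installed in the ingress-nginx namespace and started with --tcp-services-configmap=ingress-nginx/tcp-services. The key point is that agent traffic is raw TCP, not HTTP, so it cannot be routed by an Ingress resource; ingress-nginx exposes it through its tcp-services ConfigMap instead.

```yaml
# Added example (assumed names: namespace wazuh, labels node-type=master/worker,
# Service wazuh-dashboard on 5601). Not the thread's or Wazuh's own manifests.
---
apiVersion: v1
kind: Service
metadata:
  name: wazuh-master
  namespace: wazuh
spec:
  selector:
    app: wazuh-manager
    node-type: master
  ports:
    - name: enrollment        # agent enrollment (authd), port 1515
      port: 1515
      targetPort: 1515
    - name: api               # Wazuh server API, queried by the dashboard
      port: 55000
      targetPort: 55000
---
apiVersion: v1
kind: Service
metadata:
  name: wazuh-workers
  namespace: wazuh
spec:
  selector:
    app: wazuh-manager
    node-type: worker         # only worker pods receive agent events
  ports:
    - name: agent-events      # agent event stream, port 1514 (TCP by default)
      port: 1514
      targetPort: 1514
---
# TCP passthrough for ingress-nginx. Key = port the controller listens on,
# value = "<namespace>/<service>:<service port>". Agent traffic is not HTTP,
# so it cannot be described by an Ingress resource.
apiVersion: v1
kind: ConfigMap
metadata:
  name: tcp-services
  namespace: ingress-nginx
data:
  "1515": "wazuh/wazuh-master:1515"
  "1514": "wazuh/wazuh-workers:1514"
---
# The controller's own Service must publish the same ports, otherwise the
# external load balancer never forwards them to the controller pods.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  type: LoadBalancer
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/component: controller
  ports:
    - name: https
      port: 443
      targetPort: https
    - name: wazuh-enroll
      port: 1515
      targetPort: 1515
    - name: wazuh-events
      port: 1514
      targetPort: 1514
---
# Dashboard: ordinary HTTPS through an Ingress rule. backend-protocol=HTTPS
# keeps TLS on the hop from the controller to the dashboard pod.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wazuh-dashboard
  namespace: wazuh
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  ingressClassName: nginx
  tls:
    - hosts: [wazuh.example.internal]   # assumed hostname
      secretName: wazuh-dashboard-tls   # assumed TLS secret
  rules:
    - host: wazuh.example.internal
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: wazuh-dashboard
                port:
                  number: 5601
```

With this in place, agents are configured with the load balancer's address as their manager address and enroll on 1515, then keep a long-lived TCP connection on 1514. Two caveats worth checking: the worker Service is a ClusterIP, so the spread of agents across worker pods is decided per TCP connection by kube-proxy, which is why the reply suggests monitoring worker load before deciding on more worker pods; and because both ports are plain TCP passthrough, the Wazuh server's own agent-side encryption is what protects that traffic, while the 443 path relies on the TLS certificate referenced in the Ingress, so the certificate and default-password advice above applies to both.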