Verdict-as-a-Service


On-Premises Configuration

Specific customization for hosting Verdict-as-a-Service in your company.
Scale to your use-case.

More throughput

Every CPU core can scan on average 10 MB/s. This varies strongly with the type of files you scan (executables, archives or documents).
To run on more nodes, add more replicas. Add this to your values.yaml:

gateway:
  replicaCount: 4
gdscan:
  replicaCount: 4

Bigger files

Verdict-as-a-Service can handle files of arbitrary size. In practice, typical scan durations for large files are:

Latency:

| File | Size in MB | Duration (min:s) | MB/s |
|---|---|---|---|
| Fedora-Workstation-Live-x86_64-37-1.7.iso | 1943 | 6:25 | 5.05 |
| Fedora-Workstation-Live-x86_64-38-1.6.iso | 2003 | 6:48 | 4.91 |
| Fedora-Workstation-Live-x86_64-39-1.5.iso | 2032 | 6:37 | 5.12 |
| ubuntu-16.04.7-server-amd64.iso | 881 | 2:00 | 7.34 |
| ubuntu-18.04.6-live-server-amd64.iso | 970 | 1:57 | 8.29 |
| ubuntu-20.04.6-live-server-amd64.iso | 1419 | 3:03 | 7.75 |
| ubuntu-22.04.4-live-server-amd64.iso | 2007 | 3:12 | 10.45 |
| ubuntu-23.10-live-server-amd64.iso | 2539 | 3:09 | 13.43 |

This varies with your setup.

Most likely you also have to configure your ingress to allow bigger files. Here is an example for nginx:

gateway:
  ingress:
    annotations:
      nginx.ingress.kubernetes.io/proxy-body-size: 4G
      nginx.ingress.kubernetes.io/proxy-request-buffering: 'off'

Set the proxy-body-size to your maximum allowed file size. Request buffering (proxy-request-buffering) must be off.

Configure the volume size for the gdscan component

For small files we recommend the default setting, which uses non-persistent storage, meaning the files are kept in memory while they are scanned.

For bigger files, configure a persistent volume like in this example:

gdscan:
  persistence:
    enabled: true
    size: 5Gi

"Storage per node: (# of parallel requests) * (size of largest file to analyse)"

Adjust the maximum analysis duration

The default timeout for analysis is 30 seconds. If you have bigger files, you might want to increase this value. Add this to your values.yaml:

gateway:
  terminationGracePeriodSeconds: 60
gdscan:
  terminationGracePeriodSeconds: 60

Examples of the duration of the analysis can be found in the latency table.

Protecting network access

By default, the gateway has access to the Internet (HTTP, HTTPS), which is needed for scanning URLs and for querying the cloud instance for the hash lookup.

If you want to prevent Verdict-as-a-Service from accessing the Internet, we recommend disabling the default NetworkPolicy.

gateway:
  networkPolicy:
    enabled: false

These are the minimal policies required to run Verdict-as-a-Service:

  policyTypes:
  - Ingress
  - Egress
  ingress:
    - from:
      ports:
        - port: 8080 # Http
        - port: 9090 # Websocket
  egress:
    - to:
      ports:
        - port: 6379 # Redis
        - port: 8080 # GdScan
        - port: 9090 # Gateway
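
An added example (not from the Verdict-as-a-Service documentation or chart) of a complete NetworkPolicy built from the rules above, with the `from`/`to` peers filled in, because a rule whose peer list is empty or missing matches every source or destination. The policy name, the gateway pod label, the ingress-nginx namespace and the DNS rule are assumptions; adapt them to your cluster.

```yaml
# Added example, not part of the Verdict-as-a-Service chart. Pod labels are
# assumptions: check yours with `kubectl get pods -n vaas --show-labels`.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: vaas-gateway-minimal            # hypothetical name
  namespace: vaas                       # namespace used elsewhere on this page
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: gateway   # assumed label of the gateway pods
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        # Clients arrive through the ingress controller (assumed namespace).
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
        # Pods in the vaas namespace, e.g. gateway-to-gateway on 9090.
        - podSelector: {}
      ports:
        - port: 8080   # Http
        - port: 9090   # Websocket
  egress:
    # In-namespace peers only; no rule allows 80/443 to the Internet.
    - to:
        - podSelector: {}
      ports:
        - port: 6379   # Redis
        - port: 8080   # GdScan
        - port: 9090   # Gateway
    # Assumption: the gateway resolves its peers by Service name, so cluster
    # DNS must stay reachable once an Egress policy is in place.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
```

With this policy in place, URL scanning and the cloud hash lookup described above no longer work, since both need outbound HTTP/HTTPS.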

Extract the CLIENT_SECRET

First, you have to extract the client secret from the Mini-Identity-Provider:

export CLIENT_SECRET=$(kubectl get secret -n vaas vaas-client-secret -o jsonpath="{.data.secret}" | base64 -d)

Environment Variables to test Verdict-as-a-Service

You also have to set these environment variables for your instance:

export CLIENT_ID=vaas
export VAAS_URL=wss://<your-vaas-host>/ws
export TOKEN_URL=https://<your-vaas-host>/auth/protocol/openid-connect/token