On-Prem Deployment
Note: On-Prem Deployments are only available on an Enterprise plan
Pre-Installation Preparation
Before beginning the installation of Overmind, ensure the following prerequisites are met:
- Provision a Separate AWS Account or VPC:
  - Separate AWS Account or VPC: It is recommended that you provision either a separate AWS account or a separate Virtual Private Cloud (VPC) within your existing account to install Overmind. Overmind doesn't require any direct network access to your provisioned infrastructure, so isolating Overmind in this manner contains the application within a controlled environment and limits any additional security risk.
- Required Permissions:
  - Resource Creation: Ensure that you have the necessary permissions to create resources within the designated AWS account or VPC. This includes permissions to create and manage EC2 instances, IAM roles and policies, S3 buckets, and other required AWS resources.
  - Terraform Execution: You must also have the ability to run Terraform with these permissions, as the Terraform module provided by Overmind will automate the creation and configuration of the required resources.
- Data Security:
  - Network Access: Overmind does not require direct network access to any of your other VPCs. It only needs access to the AWS API itself.
  - Kubernetes: If you are using Kubernetes, Overmind will require inbound access to the designated VPC on port 443. This port is used by the Overmind source, which runs as a pod in each of the clusters that you want discovered and connects outbound to Overmind using the WebSocket protocol, secured by TLS. This traffic will be managed by a load balancer that is provisioned by the Terraform module.
By meeting these prerequisites, you ensure a smooth and secure installation of Overmind within your infrastructure.
High-Level Installation Overview
As an enterprise customer, you will have the option to install Overmind on-premise. To facilitate this, Overmind provides a Terraform module that automates the installation and management of the necessary infrastructure.
Enterprise Customer Benefits
- Security: The on-premise installation ensures that your data remains within your specified AWS environment, complying with your security policies.
- Control: Full control over the deployment environment allows for customized configurations tailored to your specific needs.
- Support: Dedicated support from the Overmind team to assist with installation and any issues that arise.
Installation Process Overview
- Terraform Module:
  - The Overmind installation is managed using a Terraform module. This module will handle the provisioning of all necessary infrastructure, including computing resources, networking components, and security configurations.
- Configuration and Deployment:
  - Upon becoming an enterprise customer, you will receive the Terraform module along with detailed instructions.
  - Using the Terraform module, you will configure and deploy Overmind within your isolated AWS account or VPC.
- Support and Documentation:
  - Detailed Instructions: A comprehensive set of instructions will be provided to guide you through the deployment process.
  - Support Team: Our support team is available to assist with any questions or issues that may arise during installation.
System Architecture and Data Flow
Understanding how Overmind processes and handles your data is crucial for informed decision-making. This section provides an overview of Overmind’s logical structure and explains data flow within the system.
Inbound Data
Overmind retrieves data about your infrastructure using the AWS API and the Kubernetes API. Here’s a breakdown of how this works:
- AWS API: Overmind queries the AWS API to obtain metadata about your environment. This metadata is the same information you would get from using the AWS CLI or viewing the web console. Examples include details about S3 buckets, but not the contents within those buckets or any associated data, ensuring that sensitive information remains untouched.
- Read-Only IAM Role: Overmind uses a read-only IAM role to perform these queries. This ensures that Overmind can only view, but not modify, your AWS resources. For more details on the specific permissions required for this IAM role, please refer to the AWS Source documentation.
- Kubernetes API: Similarly, Overmind uses the Kubernetes API to return configuration and metadata information about Kubernetes objects. We only access metadata and do not query the contents of these objects, preserving the confidentiality of any sensitive information.
- Read-Only Kubernetes Permissions: Permissions for Kubernetes are granted using a ClusterRole, which is provisioned using Helm. More information can be found in the Kubernetes source documentation.
Key Points:
- Overmind does not access the contents within your AWS or Kubernetes objects, thereby preventing potential exposure of sensitive or customer information.
- The queries to these APIs are performed in real-time in response to deployment events.
- Overmind does not maintain a long-lived database of your cloud metadata. We only capture the blast radius information pertinent to each change in real-time and store only what is necessary.
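A practical way to confirm the read-only guarantees described above is to lint the IAM policy document and the ClusterRole you are about to grant before applying them. The checker below is an added example, not part of Overmind's module; the policy and ClusterRole documents in it are constructed samples, and the "read-only" action prefixes are an assumption approximating the AWS read-only action families (use IAM Access Analyzer for an authoritative answer).

```python
"""Lint an IAM policy document and a Kubernetes ClusterRole for read-only access."""

# Assumption: these IAM action-name prefixes never mutate state.
READ_ONLY_IAM_PREFIXES = ("get", "list", "describe", "batchget", "lookup", "search")
READ_ONLY_K8S_VERBS = {"get", "list", "watch"}


def _as_list(value):
    """IAM allows a single string or a list for Statement/Action."""
    return value if isinstance(value, list) else [value]


def iam_policy_violations(policy: dict) -> list:
    """Return the Allow actions in an IAM policy document that could mutate state."""
    violations = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt:
            violations.append("NotAction")  # grants everything not listed: never read-only
            continue
        for action in _as_list(stmt.get("Action", [])):
            service, _, verb = action.partition(":")
            verb = verb.rstrip("*").lower()  # "ec2:Describe*" is still read-only
            if service == "*" or not verb.startswith(READ_ONLY_IAM_PREFIXES):
                violations.append(action)  # covers "*", "iam:*" and write verbs
    return violations


def cluster_role_violations(cluster_role: dict) -> list:
    """Return (resources, verb) pairs in a ClusterRole beyond get/list/watch."""
    violations = []
    for rule in cluster_role.get("rules", []):
        for verb in rule.get("verbs", []):
            if verb.lower() not in READ_ONLY_K8S_VERBS:  # also rejects "*"
                violations.append((",".join(rule.get("resources", ["*"])), verb))
    return violations


# Constructed sample documents (not Overmind's real policies).
READ_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:Describe*", "s3:ListAllMyBuckets", "s3:GetBucketLocation"]}]}
OVERBROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:Describe*", "s3:PutObject", "iam:*"]}]}
READ_ONLY_ROLE = {"kind": "ClusterRole", "rules": [
    {"apiGroups": [""], "resources": ["pods", "services"], "verbs": ["get", "list", "watch"]}]}
WRITE_ROLE = {"kind": "ClusterRole", "rules": [
    {"apiGroups": [""], "resources": ["pods", "services"], "verbs": ["get", "list", "delete"]}]}

if __name__ == "__main__":
    print("IAM:", iam_policy_violations(OVERBROAD_POLICY))
    print("K8s:", cluster_role_violations(WRITE_ROLE))
```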
Data Processing
To analyze the blast radius of a change and generate risk assessments, Overmind employs a Large Language Model (LLM). Here’s an overview of how data processing occurs:
- LLM Usage: Overmind utilizes OpenAI's GPT-4 series of models to understand proposed changes, the current state of your cloud environment, and dependencies. This LLM excels at identifying inconsistencies and potential issues that might be overlooked by humans and are challenging to codify into policies. For example, it can detect configuration mismatches that could block traffic due to an incorrectly typed security group rule.
- Data Sent to LLM:
  - Proposed changes for a deployment.
  - Current state of the affected components.
  - Dependencies of these components.
  - Current state of the dependencies.
Key Points:
- Data Encryption: All data is encrypted during transit and at rest, ensuring that it remains secure.
- Least Privilege Access: Standard least privilege access controls are in place to limit access to only what is necessary.
- Data Storage: All data is stored at rest within the customer’s environment, maintaining control and compliance.
By employing these methodologies, Overmind ensures that your data is handled securely and efficiently while providing high-quality risk assessments for your Terraform changes.
Troubleshooting
All enterprise customers receive our highest level of support, which includes access to a dedicated Slack or Discord channel for real-time assistance.
Support Channel
- Real-Time Support: For any troubleshooting, questions, or issues, please utilize your dedicated Slack or Discord channel. Our support team is ready to provide immediate assistance and ensure that your experience with Overmind is smooth and efficient.
- Contact Information: Details for joining your designated support channel will be provided upon becoming an enterprise customer.