Kubernetes
Deployed as a daemonset in a Kubernetes Cluster, using a helm chart
In a Kubernetes environment, sensors are deployed as a DaemonSet on the Kubernetes cluster, using a helm chart.
Quick start
- Identify the IP address or DNS name used to access the ThreatStryker management console. For example, if the address is 192.168.1.10, pass it as managementConsoleUrl in the helm install command below.
- clusterName is the name / identifier of the cluster. It should be different for different kubernetes clusters. Example: prod-cluster-1, test-cluster.
- To get the container runtime in the k8s cluster, run the following command:
kubectl get nodes -o=custom-columns=NAME:.metadata.name,Runtime:.status.nodeInfo.containerRuntimeVersion
- To get the container runtime socket path in the k8s cluster, run the following commands and search the output for --container-runtime-endpoint or containerd:
kubectl apply -f https://deepfence-public.s3.amazonaws.com/kubernetes/deepfence-cluster-config-job.yaml
kubectl wait --for=condition=complete --timeout=30s job/deepfence-cluster-config
kubectl logs $(kubectl get pod -l job-name=deepfence-cluster-config -o jsonpath="{.items[0].metadata.name}")
kubectl delete -f https://deepfence-public.s3.amazonaws.com/kubernetes/deepfence-cluster-config-job.yaml
- Deploy the deepfence-agent helm chart:
helm repo add deepfence https://deepfence-helm-charts.s3.amazonaws.com/enterprise
helm repo update
helm install deepfence-agent deepfence/deepfence-agent \
--set registry.username=<deepfence_username> \
--set registry.password=<deepfence_password> \
--set managementConsoleUrl=192.168.1.10 \
--set deepfenceKey=xxxxxxxx \
--set image.tag=3.7.3 \
--set image.clusterAgentImageTag=3.7.3 \
--set clusterName=xxxxxxxx \
--set mountContainerRuntimeSocket.dockerSock=false \
--set mountContainerRuntimeSocket.containerdSock=true \
--set trafficAnalysis.start=Y \
--set trafficAnalysis.mode=all \
--set dfFim=N \
--namespace deepfence \
--create-namespace \
--version="1.3.1"
The registry username and password to access the Deepfence Quay registry will be sent by email.
Detailed setup instructions
helm repo add deepfence https://deepfence-helm-charts.s3.amazonaws.com/enterprise
- Create values file
helm show values deepfence/deepfence-agent --version="1.3.1" > deepfence_agent_values.yaml
- Edit values file and set registry username and password
registry:
name: "quay.io"
# Set registry username and password provided by Deepfence
# This will create a secret called "deepfence-docker-secret"
username: ""
password: ""
- Set Deepfence management console ip address
managementConsoleUrl: ""
- Set image tag
image:
# deepfence agent runs as a daemonset in all nodes in the cluster
name: quay.io/deepfenceio/deepfence_agent
tag: 3.7.3
# cluster agent runs as a single pod
clusterAgentImageName: quay.io/deepfenceio/deepfence_discovery
clusterAgentImageTag: 3.7.3
pullPolicy: Always
pullSecretName: deepfence-docker-secret
- Set the Deepfence auth key. Set the authentication key when it is enabled in the management console.
# Auth: Get deepfence api key from UI -> Settings -> User Management
deepfenceKey: ""
- (Optional) Start Traffic Analysis: enable or disable Traffic Analysis on startup. This can also be changed later from the UI.
# trafficAnalysis:
# start: "Y"/"N"
# processes: "sshd:943, docker-proxy:27017, /usr/local/go/bin/go:753"
# mode: "allow"/"deny"/"all"
trafficAnalysis:
start: ""
processes: ""
mode: ""
- (Optional) Instance id suffix: custom Amazon Machine Images might have the same hostnames for multiple instances. This can be used to distinguish the VMs.
# Suffix cloud instance id to hostnames
instanceIdSuffix: "N"
- Set kubernetes cluster name
# Set custom name for the cluster and hostname prefix for agent vm's to easily identify in Deepfence UI.
# Example: prod-cluster or dev1-cluster
# It will be suffixed with hostname - prod-cluster-aks-agentpool-123456-vmss000001
clusterName: ""
- Set the container runtime socket path. By default, docker is disabled and containerd is enabled.
To get the container runtime in the k8s cluster, run the following command:
kubectl get nodes -o=custom-columns=NAME:.metadata.name,Runtime:.status.nodeInfo.containerRuntimeVersion
# Mount the container runtime socket path into the agent pod. The agent detects which runtime is in use from these files.
mountContainerRuntimeSocket:
dockerSock: false
# Change if socket path is not the following
dockerSockPath: "/var/run/docker.sock"
containerdSock: true
# Change if socket path is not the following
containerdSockPath: "/run/containerd/containerd.sock"
crioSock: false
# Change if socket path is not the following
crioSockPath: "/var/run/crio/crio.sock"
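As an added example (not from the ThreatStryker docs or the chart), a small POSIX shell helper that turns the runtime reported by kubectl and the kubelet's --container-runtime-endpoint into the mountContainerRuntimeSocket flags used in the quick start and in this values file. The node listing, the kubelet command line and the assumption that every node runs the same runtime family are constructed here, not taken from the page.

```shell
# Added example, not part of the ThreatStryker docs or chart: derive the
# mountContainerRuntimeSocket.* flags from "kubectl get nodes ...containerRuntimeVersion"
# output and from the kubelet's --container-runtime-endpoint (seen in the
# deepfence-cluster-config job logs). Assumes one runtime family per cluster.

# Constructed sample node listing, in the shape kubectl prints it.
SAMPLE_NODES='NAME     Runtime
node-a   containerd://1.6.8
node-b   containerd://1.6.8'
# Constructed sample kubelet command line with a non-default socket path.
SAMPLE_KUBELET='/usr/bin/kubelet --container-runtime-endpoint=unix:///run/k3s/containerd/containerd.sock'

# Emit the three *Sock flags for one runtime family; exactly one is true.
runtime_flags() {
  d=false; c=false; o=false
  case "$1" in
    docker)     d=true ;;
    containerd) c=true ;;
    cri-o)      o=true ;;
    *) echo "unsupported container runtime: $1" >&2; return 1 ;;
  esac
  printf '%s=%s\n' '--set mountContainerRuntimeSocket.dockerSock' "$d" \
    '--set mountContainerRuntimeSocket.containerdSock' "$c" \
    '--set mountContainerRuntimeSocket.crioSock' "$o"
}

# Read the node listing on stdin; refuse to guess if nodes disagree.
flags_from_nodes() {
  fams=$(awk 'NR > 1 && NF >= 2 { sub("://.*", "", $2); print $2 }' | sort -u)
  [ -n "$fams" ] || { echo "no nodes in listing" >&2; return 1; }
  if [ "$(printf '%s\n' "$fams" | sed -n '$=')" -ne 1 ]; then
    echo "nodes report different runtimes: $(echo $fams)" >&2; return 1
  fi
  runtime_flags "$fams"
}

# Emit a *SockPath override only when the kubelet endpoint differs from the chart default.
socket_path_flag() {
  ep=$(printf '%s\n' "$2" | sed -n 's|.*--container-runtime-endpoint=\([^ ]*\).*|\1|p')
  ep=${ep#unix://}
  [ -n "$ep" ] || return 0
  case "$1" in
    docker)     key=dockerSockPath;     def=/var/run/docker.sock ;;
    containerd) key=containerdSockPath; def=/run/containerd/containerd.sock ;;
    cri-o)      key=crioSockPath;       def=/var/run/crio/crio.sock ;;
    *) return 1 ;;
  esac
  [ "$ep" = "$def" ] || printf '%s.%s="%s"\n' '--set mountContainerRuntimeSocket' "$key" "$ep"
}
```

The emitted --set flags can be passed after -f deepfence_agent_values.yaml on the helm install line; a --set overrides the matching key in the values file.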
- Install deepfence-agent helm chart with values file
helm install -f deepfence_agent_values.yaml deepfence-agent deepfence/deepfence-agent \
--namespace deepfence \
--create-namespace \
--version="1.3.1"
- Wait for pods to start up
kubectl get daemonset -n deepfence
kubectl get pods -n deepfence
Uninstall agents
helm delete deepfence-agent -n deepfence
Openshift
- Add helm repo:
helm repo add deepfence https://deepfence-helm-charts.s3.amazonaws.com/enterprise
helm repo update
helm search repo deepfence/deepfence-agent
- Identify the IP address or DNS name used to access the ThreatStryker management console. For example, if the address is 192.168.1.10, use the following command:
helm install deepfence-agent deepfence/deepfence-agent \
--set registry.username=<registry_username> \
--set registry.password=<registry_password> \
--set managementConsoleUrl=192.168.1.10 \
--set deepfenceKey=xxxxxxxx \
--set image.tag=3.7.3 \
--set image.clusterAgentImageTag=3.7.3 \
--set clusterName=xxxxxxxx \
--set mountContainerRuntimeSocket.dockerSock=false \
--set mountContainerRuntimeSocket.containerdSock=true \
--set mountContainerRuntimeSocket.containerdSockPath="/var/run/crio/crio.sock" \
--set trafficAnalysis.start=Y \
--set trafficAnalysis.mode=all \
--set dfFim=N \
--set tolerations=null \
--namespace deepfence \
--create-namespace \
--version="1.3.1"
The registry username and password to access the Deepfence Quay registry will be sent by email; check the README inside the package for detailed setup instructions.
helm show readme --version="1.3.1" deepfence/deepfence-agent
helm show values --version="1.3.1" deepfence/deepfence-agent
- ThreatStryker agents need privileged permissions to execute on OpenShift. Run the command below to add privileged permissions to the deepfence-agent service account:
oc adm policy add-scc-to-user privileged -z deepfence-agent -n deepfence
- To delete the ThreatStryker release that was installed by the helm chart, run the following command:
helm delete deepfence-agent -n deepfence