Kubernetes
Deployed as a daemonset in a Kubernetes Cluster, using a helm chart
In a Kubernetes environment, sensors are deployed as a DaemonSet on the Kubernetes cluster, using a helm chart.
Quick start
Identify the IP address or DNS name used to access the ThreatStryker management console. For example, if the address is 192.168.1.10, use the following command:
- clusterNameis the name / identifier of the cluster. It should be different for different kubernetes clusters. Example: prod-cluster-1, test-cluster.
- To get container runtime in the k8s cluster, run the following command
kubectl get nodes -o=custom-columns=NAME:.metadata.name,Runtime:.status.nodeInfo.containerRuntimeVersion
- To get container runtime socket path in the k8s cluster, run the following commands and search for --container-runtime-endpointorcontainerd
kubectl apply -f https://deepfence-public.s3.amazonaws.com/kubernetes/deepfence-cluster-config-job.yaml
kubectl wait --for=condition=complete --timeout=30s job/deepfence-cluster-config
kubectl logs $(kubectl get pod -l job-name=deepfence-cluster-config -o jsonpath="{.items[0].metadata.name}")
kubectl delete -f https://deepfence-public.s3.amazonaws.com/kubernetes/deepfence-cluster-config-job.yaml
- Deploy deepfence-agent helm chart
helm repo add deepfence https://deepfence-helm-charts.s3.amazonaws.com/enterprise
helm repo update
helm install deepfence-agent deepfence/deepfence-agent \
    --set registry.username=<deepfence_username> \
    --set registry.password=<deepfence_password> \
    --set managementConsoleUrl=192.168.1.10 \
    --set deepfenceKey=xxxxxxxx \
    --set image.tag=3.7.3 \
    --set image.clusterAgentImageTag=3.7.3 \
    --set clusterName=xxxxxxxx \
    --set mountContainerRuntimeSocket.dockerSock=false \
    --set mountContainerRuntimeSocket.containerdSock=true \
    --set trafficAnalysis.start=Y \
    --set trafficAnalysis.mode=all \
    --set dfFim=N \
    --namespace deepfence \
    --create-namespace \
    --version="1.3.1"
The registry username and password to access the Deepfence Quay registry will be sent by email.
Detailed setup instructions
helm repo add deepfence https://deepfence-helm-charts.s3.amazonaws.com/enterprise
- Create values file
helm show values deepfence/deepfence-agent --version="1.3.1" > deepfence_agent_values.yaml
- Edit values file and set registry username and password
registry:
  name: "quay.io"
  # Set registry username and password provided by Deepfence
  # This will create a secret called "deepfence-docker-secret"
  username: ""
  password: ""
- Set Deepfence management console ip address
managementConsoleUrl: ""
- Set image tag
image:
  # deepfence agent runs as a daemonset in all nodes in the cluster
  name: quay.io/deepfenceio/deepfence_agent
  tag: 3.7.3
  # cluster agent runs as a single pod
  clusterAgentImageName: quay.io/deepfenceio/deepfence_discovery
  clusterAgentImageTag: 3.7.3
  pullPolicy: Always
  pullSecretName: deepfence-docker-secret
- Set deepfence auth key Set authentication key when it is enabled in management console
# Auth: Get deepfence api key from UI -> Settings -> User Management
deepfenceKey: ""
- (Optional) Start Traffic Analysis Enable/disable Traffic Analysis on startup. This can be later changed from UI also.
# trafficAnalysis:
#   start: "Y"/"N"
#   processes: "sshd:943, docker-proxy:27017, /usr/local/go/bin/go:753"
#   mode: "allow"/"deny"/"all"
trafficAnalysis:
  start: ""
  processes: ""
  mode: ""
- (Optional) Instance id suffix Custom Amazon Machine Images might have same hostnames for multiple instances. This can be used to distinguish vm's.
# Suffix cloud instance id to hostnames
instanceIdSuffix: "N"
- Set kubernetes cluster name
# Set custom name for the cluster and hostname prefix for agent vm's to easily identify in Deepfence UI.
# Example: prod-cluster or dev1-cluster
# It will be suffixed with hostname - prod-cluster-aks-agentpool-123456-vmss000001
clusterName: ""
- Set container runtime socket path. By default, docker is disabled and containerd is enabled.
To get container runtime in the k8s cluster, run the following command
kubectl get nodes -o=custom-columns=NAME:.metadata.name,Runtime:.status.nodeInfo.containerRuntimeVersion
# Mount container runtime socket path to agent pod. Agent will detect which runtime it is using these files.
mountContainerRuntimeSocket:
  dockerSock: false
  # Change if socket path is not the following
  dockerSockPath: "/var/run/docker.sock"
  containerdSock: true
  # Change if socket path is not the following
  containerdSockPath: "/run/containerd/containerd.sock"
  crioSock: false
  # Change if socket path is not the following
  crioSockPath: "/var/run/crio/crio.sock"
- Install deepfence-agent helm chart with values file
helm install -f deepfence_agent_values.yaml deepfence-agent deepfence/deepfence-agent \
    --namespace deepfence \
    --create-namespace \
    --version="1.3.1"
- Wait for pods to start up
kubectl get daemonset -n deepfence
kubectl get pods -n deepfence
Uninstall agents
helm delete deepfence-agent -n deepfence
Openshift
- 
Add helm repo: helm repo add deepfence https://deepfence-helm-charts.s3.amazonaws.com/enterprise
 helm repo update
 helm search repo deepfence/deepfence-agent
- 
Identify the IP address or DNS name used to access the ThreatStryker management console. For example, if the address is 192.168.1.10, use the following command: helm install deepfence-agent deepfence/deepfence-agent \
 --set registry.username=<registry_username> \
 --set registry.password=<registry_password> \
 --set managementConsoleUrl=192.168.1.10 \
 --set deepfenceKey=xxxxxxxx \
 --set image.tag=3.7.3 \
 --set image.clusterAgentImageTag=3.7.3 \
 --set clusterName=xxxxxxxx \
 --set mountContainerRuntimeSocket.dockerSock=false \
 --set mountContainerRuntimeSocket.containerdSock=true \
 --set trafficAnalysis.start=Y \
 --set trafficAnalysis.mode=all \
 --set dfFim=N \
 --set mountContainerRuntimeSocket.dockerSock=false \
 --set mountContainerRuntimeSocket.containerdSock=true \
 --set mountContainerRuntimeSocket.containerdSockPath="/var/run/crio/crio.sock" \
 --set tolerations=null \
 --namespace deepfence \
 --create-namespace \
 --version="1.3.1"The registry username and password to access the Deepfence Quay registry will be sent by email; check the README inside the package for detailed setup instructions. helm show readme --version="1.3.1" deepfence/deepfence-agent
 helm show values --version="1.3.1" deepfence/deepfence-agent
- 
ThreatStryker agents need privileged permissions to execute on openshift, run below commands to add privileged permisions to deepfence-agent service account oc adm policy add-scc-to-user privileged -z deepfence-agent -n deepfence
- 
To delete the ThreatStryker release that was installed by the helm chart, run the following command: helm delete deepfence-agent -n deepfence