Distributed Cloud AIP Kubernetes Deployment

Overview

The F5 Distributed Cloud App Infrastructure Protection (AIP) Kubernetes DaemonSet orchestrates the Distributed Cloud AIP containerized Agent. The Kubernetes DaemonSet ensures all nodes run one copy of the Distributed Cloud AIP containerized Agent.

By default, the following rulesets are applied to the Kubernetes DaemonSet:

  • Base Rule Set
  • Docker Rule Set
  • Kubernetes Rule Set

    Note

    If the customer uses File Integrity Monitoring (FIM) rules to create exclusions with Agent 1.8.0C, then they must prepend /threatstackfs to the exclude path. For example, to exclude /tmp/bad, the exclusion becomes /threatstackfs/tmp/bad.

Prerequisites for Deploying Containerized Agent

From the Command Line, enter the following commands to stop and disable auditd:

sudo systemctl stop auditd
sudo systemctl disable auditd

System Consideration for the Containerized Agent

To optimize performance of your containerized Agent, we recommend configuring your host following these guidelines:

  • Allocate enough host memory to run a 256 mebibyte (MiB) application.
    • It can be increased to 384MiB or more for performance as necessary.

    Tip

    Specify limits for CPU and memory values the Agent can utilize. For more information about the minimum and maximum ranges for these values, see:

  • Ensure auditd can be disabled on the host so that all Agent services run, including the Audit Collection Service.
  • Configure outbound network connectivity over port 443.
  • Allow the container to mount a file system on the host.
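
The auditd prerequisite and the guidelines above can be checked on a node before the Agent is scheduled there. The shell functions below are an added example, not part of the vendor documentation or the Agent's tooling; they assume a systemd host, use MemAvailable from /proc/meminfo as the measure of free memory, and take a placeholder hostname for the outbound port 443 check.

```shell
#!/bin/sh
# Added example: host preflight for the containerized Agent.
# The helpers take command output as arguments so they can be tested offline.

MIN_MIB=256   # memory figure from the guidelines above

# auditd_off ACTIVE ENABLED
#   ACTIVE  = output of `systemctl is-active auditd`
#   ENABLED = output of `systemctl is-enabled auditd` (empty if the unit is absent)
# Succeeds only when auditd is neither running nor set to start at boot.
auditd_off() {
  case "$1" in active|activating|reloading) return 1 ;; esac
  case "$2" in enabled|enabled-runtime) return 1 ;; esac
  return 0
}

# mem_available_mib MEMINFO
#   MEMINFO = contents of /proc/meminfo. Prints MemAvailable in whole MiB.
mem_available_mib() {
  printf '%s\n' "$1" | awk '$1 == "MemAvailable:" { print int($2 / 1024); exit }'
}

# mem_ok MEMINFO [MIN_MIB]
# Succeeds when MemAvailable is at least MIN_MIB (default 256).
mem_ok() {
  avail=$(mem_available_mib "$1")
  [ -n "$avail" ] && [ "$avail" -ge "${2:-$MIN_MIB}" ]
}

# preflight ENDPOINT_HOST
#   ENDPOINT_HOST is a placeholder (assumption): a host the node must reach
#   over port 443. Returns the number of failed checks.
preflight() {
  fails=0
  if ! auditd_off "$(systemctl is-active auditd 2>/dev/null)" \
                  "$(systemctl is-enabled auditd 2>/dev/null)"; then
    echo "FAIL: auditd is active or enabled; stop and disable it" >&2
    fails=$((fails + 1))
  fi
  if ! mem_ok "$(cat /proc/meminfo)"; then
    echo "FAIL: less than ${MIN_MIB} MiB of memory available" >&2
    fails=$((fails + 1))
  fi
  if ! curl -s -o /dev/null --connect-timeout 5 "https://$1/"; then
    echo "FAIL: HTTPS request to $1 on port 443 did not succeed" >&2
    fails=$((fails + 1))
  fi
  return "$fails"
}
```

Run `preflight <ENDPOINT_HOST>` on the node; an exit status of 0 means all three checks passed.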

Deploy Containerized Agent Using Helm Chart

Helm is a package manager on top of Kubernetes. It facilitates installation, upgrades, and manages dependencies for the services you install in Kubernetes.

Important

  • The Distributed Cloud AIP Agent Helm chart installation repository version 2.0.0 only works with Linux Containerized Agents version 2.3.0 and newer. If you deploy an older version of the Linux Containerized Agent, then use the Distributed Cloud AIP Agent Helm chart installation repository version 1.x.
  • The Distributed Cloud AIP Agent Helm chart installation repository is provided as-is. Distributed Cloud AIP support is unable to assist you with changes you make to files in the repository or with custom Helm charts, or to provide recommendations on modifications to your environment.
  • Linux Agents 2.2 and later include a reference script that by default deploys the Agent to all nodes in the target cluster.

Prerequisites

  • Helm v2 or Helm v3 installed
    • If using Helm v2, ensure the cluster component tiller is installed.

The Helm chart version is independent of the version of the Agent packaged/installed by the chart. The version of the application to be installed by the Helm chart is defined by Helm's appVersion field.

Install the Helm Chart

These instructions assume you already have Helm installed in your environment. They also assume any Role-Based Access Control (RBAC) configuration has been completed for proper operation of Helm. Please see Installing Helm for instructions on installing Helm in your environment.

Local Installation

The instructions below assume the Helm chart has been released to a repository. Alternatively, you can clone Distributed Cloud AIP's Git repository and run helm package in the repository's root to get a .tgz file built locally.

Important

  • When performing a local installation, do not add the Helm repository as directed in step 1 of the Install Using Publicly Released Chart section below. Omit --repo https://pkg.threatstack.com/helm from any command. Replace the chart name threatstack-agent with <PATH_TO_CHART>/threatstack-agent-<VERSION>.tgz in the Helm commands.
  • Creating a local Helm chart does not sign it. Any verification of the provenance of the chart will fail.

Install Using Publicly Released Chart

The Distributed Cloud AIP Agent Helm chart follows the standard installation process for charts:

  1. Add the Distributed Cloud AIP Agent Helm repository to your local Helm configuration using the following command:
    helm repo add threatstack https://pkg.threatstack.com/helm
  2. Using the default values.yaml, create a local yaml that overrides the configuration as desired or needed for the target cluster.
  3. Install the Distributed Cloud AIP Agent with Helm.
    • Helm 2:
      helm install --name <HELM_RELEASE_NAME> --values ./<values-override-filename>.yaml threatstack/threatstack-agent
    • Helm 3:
      helm install <HELM_RELEASE_NAME> --values ./<values-override-filename>.yaml threatstack/threatstack-agent

Integrations

Once the Agent has been deployed, you can configure Distributed Cloud AIP to integrate with notification platforms such as PagerDuty, Slack, VictorOps, and Webhooks.

Update the Helm Chart

To update the Helm chart, run the following command:

helm upgrade <HELM_RELEASE_NAME> threatstack/threatstack-agent

Uninstall the Helm Chart

To uninstall the Helm chart, run the following command:

helm delete <HELM_RELEASE_NAME>

Configuration Settings

The following values/settings are important for the Helm chart. They can be modified for each target environment:

  • image.repository: Indicates the Docker repository for the container image to install. It defaults to Distributed Cloud AIP's official Docker hub repository for the Agent.

    Note

    Changing this could lead to pulling an unofficial or incorrect image, and is strongly discouraged.

  • image.version: Indicates the Docker tag for the container image to install. It defaults to Distributed Cloud AIP's latest official Docker image version for the Agent at the time the chart was released.

    Note

    Changing this could lead to pulling an unofficial or incorrect image, and is strongly discouraged.

  • gkeContainerOs: If true, the Daemonset definition will be modified to execute commands for the Agent to work correctly on Google Kubernetes Engine (GKE) with ContainerOS nodes. It defaults to false.
  • gkeUbuntu: If true, the Daemonset definition will be modified to execute commands for the Agent to work correctly on GKE with Ubuntu nodes. It defaults to false.
  • customDaemonsetCmd: Uncomment the command and args sub-attributes, and define them as desired to run custom commands in the Daemonset.
    • Example
      To turn off and disable auditd on the host and allow the container agent to monitor activity:
      customDaemonsetCmd:
        command: ["bash"]
        args: ["-c", "chroot /threatstackfs /bin/bash -c 'service auditd stop >/dev/null || systemctl stop auditd; systemctl disable auditd'; eval tsagent setup $THREATSTACK_SETUP_ARGS; eval tsagent config --set $THREATSTACK_CONFIG_ARGS; sleep 5; /opt/threatstack/sbin/tsagentd -logstdout"]

    Important

    Setting customDaemonsetCmd improperly can result in the Distributed Cloud AIP Agent not running correctly.

  • rbac.create: If true, it will create the needed service account to run. If false, the chart will leverage the service account defined in rbac.serviceAccountName.
  • imagePullSecrets: If pulling the Agent from a private/internal Docker registry that requires credentials, you will need to add the name of your Docker credentials Secret to this array. This Secret needs to be defined outside of installing this Helm chart. It defaults to an empty array which will only work with public registries.
  • rulesets: The list of Distributed Cloud AIP rulesets that the Agent container should run with. The single-quotes in the double-quotes are intentional and not optional.
  • additionalSetupConfig: A list of command line arguments used when the Agent container registers itself with Distributed Cloud AIP.
  • additionalConfig: A list of command line arguments used when the Agent container starts running.
  • nodeSelector: The reference scripts for Linux Agents 2.2 and later default this value to empty. If you do not change this value, then Helm will deploy to all nodes in the cluster.
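
Since nodeSelector decides which nodes receive the Agent, and a node without an Agent pod is not monitored, it helps to compare the cluster's node list with the nodes that actually host a Running Agent pod. The script below is an added example, not part of the chart or the vendor's tooling; NAMESPACE and SELECTOR are assumed values to replace with the ones used by your release.

```shell
#!/bin/sh
# Added example: find nodes with no Running Agent pod, and nodes with
# more than one.
NAMESPACE="${NAMESPACE:-default}"               # assumption: release namespace
SELECTOR="${SELECTOR:-app=threatstack-agent}"   # assumption: hypothetical pod label

# uncovered_nodes ALL_NODES AGENT_NODES
# Both arguments are newline-separated node names. Prints each node in
# ALL_NODES that does not appear in AGENT_NODES, one per line.
uncovered_nodes() {
  printf '%s\n' "$1" | COVERED="$2" awk '
    BEGIN {
      n = split(ENVIRON["COVERED"], a, "\n")
      for (i = 1; i <= n; i++) if (a[i] != "") seen[a[i]] = 1
    }
    $0 != "" && !($0 in seen)'
}

# multi_agent_nodes AGENT_NODES
# Prints nodes that host more than one Agent pod (one line per pod in input).
multi_agent_nodes() {
  printf '%s\n' "$1" |
    awk '$0 != "" { c[$0]++ } END { for (n in c) if (c[n] > 1) print n }' |
    sort
}

# check_coverage: queries the cluster with kubectl.
# Returns 0 when every node is covered, 1 when some are not, 2 on kubectl errors.
check_coverage() {
  all=$(kubectl get nodes -o name) || return 2
  all=$(printf '%s\n' "$all" | sed 's|^node/||')
  agents=$(kubectl get pods -n "$NAMESPACE" -l "$SELECTOR" \
      --field-selector=status.phase=Running \
      -o jsonpath='{range .items[*]}{.spec.nodeName}{"\n"}{end}') || return 2

  multi=$(multi_agent_nodes "$agents")
  [ -n "$multi" ] && printf 'More than one Agent pod on:\n%s\n' "$multi" >&2

  missing=$(uncovered_nodes "$all" "$agents")
  [ -z "$missing" ] && return 0
  printf 'No Running Agent pod on:\n%s\n' "$missing" >&2
  return 1
}
```

Call `check_coverage` after an install or upgrade. A node listed as uncovered is expected only if your nodeSelector excludes it on purpose.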

Deploy Containerized Agent 3.x Series Using Kubernetes DaemonSet

Agent 3.2.0

  1. Create the Kubernetes DaemonSet file.
    1. Download a sample Distributed Cloud AIP Kubernetes DaemonSet .yaml file.
    2. Make any changes to the sample file necessary for your environment.
    3. Include your unique deploy key or the name of a pre-created Secret.
    4. Save the file as “TSKubernetesDaemonSet.yaml”.
  2. Deploy the Distributed Cloud AIP containerized Agent using the Kubernetes DaemonSet.
    1. Go to the Command Line.
    2. Type or copy and paste the following command and press ENTER:
      kubectl create -f TSKubernetesDaemonSet.yaml
  3. Confirm the containerized Agent deployed correctly.
    1. Log into Distributed Cloud AIP.
    2. Ensure events display as expected.

Agent 3.1.1

  1. Create the Kubernetes DaemonSet file.
    1. Download a sample Distributed Cloud AIP Kubernetes DaemonSet .yaml file.
    2. Make any changes to the sample file necessary for your environment.
    3. Include your unique deploy key or the name of a pre-created Secret.
    4. Save the file as “TSKubernetesDaemonSet.yaml”.
  2. Deploy the Distributed Cloud AIP containerized Agent using the Kubernetes DaemonSet.
    1. Go to the Command Line.
    2. Type or copy and paste the following command and press ENTER:
      kubectl create -f TSKubernetesDaemonSet.yaml
  3. Confirm the containerized Agent deployed correctly.
    1. Log into Distributed Cloud AIP.
    2. Ensure events display as expected.

Agent 3.1.0

  1. Create the Kubernetes DaemonSet file.
    1. Download a sample Distributed Cloud AIP Kubernetes DaemonSet .yaml file.
    2. Make any changes to the sample file necessary for your environment.
    3. Include your unique deploy key or the name of a pre-created Secret.
    4. Save the file as “TSKubernetesDaemonSet.yaml”.
  2. Deploy the Distributed Cloud AIP containerized Agent using the Kubernetes DaemonSet.
    1. Go to the Command Line.
    2. Type or copy and paste the following command and press ENTER:
      kubectl create -f TSKubernetesDaemonSet.yaml
  3. Confirm the containerized Agent deployed correctly.
    1. Log into Distributed Cloud AIP.
    2. Ensure events display as expected.

Agent 3.0.0

  1. Create the Kubernetes DaemonSet file.
    1. Download a sample Distributed Cloud AIP Kubernetes DaemonSet .yaml file.
    2. Make any changes to the sample file necessary for your environment.
    3. Include your unique deploy key or the name of a pre-created Secret.
    4. Save the file as “TSKubernetesDaemonSet.yaml”.
  2. Deploy the Distributed Cloud AIP containerized Agent using the Kubernetes DaemonSet.
    1. Go to the Command Line.
    2. Type or copy and paste the following command and press ENTER:
      kubectl create -f TSKubernetesDaemonSet.yaml
  3. Confirm the containerized Agent deployed correctly.
    1. Log into Distributed Cloud AIP.
    2. Ensure events display as expected.

Deploy Containerized Agent 2.x Series Using Kubernetes DaemonSet

Agent 2.5.0

  1. Create the Kubernetes DaemonSet file.
    1. Download a sample Distributed Cloud AIP Kubernetes DaemonSet .yaml file.
    2. Make any changes to the sample file necessary for your environment.
    3. Include your unique deploy key or the name of a pre-created Secret.
    4. Save the file as “TSKubernetesDaemonSet.yaml”.
  2. Deploy the Distributed Cloud AIP containerized Agent using the Kubernetes DaemonSet.
    1. Go to the Command Line.
    2. Type or copy and paste the following command and press ENTER:
      kubectl create -f TSKubernetesDaemonSet.yaml
  3. Confirm the containerized Agent deployed correctly.
    1. Log into Distributed Cloud AIP.
    2. Ensure events display as expected.

Agent 2.4.1

  1. Create the Kubernetes DaemonSet file.
    1. Download a sample Distributed Cloud AIP Kubernetes DaemonSet .yaml file.
    2. Make any changes to the sample file necessary for your environment.
    3. Include your unique deploy key or the name of a pre-created Secret.
    4. Save the file as “TSKubernetesDaemonSet.yaml”.
  2. Deploy the Distributed Cloud AIP containerized Agent using the Kubernetes DaemonSet.
    1. Go to the Command Line.
    2. Type or copy and paste the following command and press ENTER:
      kubectl create -f TSKubernetesDaemonSet.yaml
  3. Confirm the containerized Agent deployed correctly.
    1. Log into Distributed Cloud AIP.
    2. Ensure events display as expected.

Agent 2.4.0

  1. Create the Kubernetes DaemonSet file.
    1. Download a sample Distributed Cloud AIP Kubernetes DaemonSet .yaml file.
    2. Make any changes to the sample file necessary for your environment.
    3. Include your unique deploy key or the name of a pre-created Secret.
    4. Save the file as “TSKubernetesDaemonSet.yaml”.
  2. Deploy the Distributed Cloud AIP containerized Agent using the Kubernetes DaemonSet.
    1. Go to the Command Line.
    2. Type or copy and paste the following command and press ENTER:
      kubectl create -f TSKubernetesDaemonSet.yaml
  3. Confirm the containerized Agent deployed correctly.
    1. Log into Distributed Cloud AIP.
    2. Ensure events display as expected.

Agent 2.3.4

  1. Create the Kubernetes DaemonSet file.
    1. Download a sample Distributed Cloud AIP Kubernetes DaemonSet .yaml file.
    2. Make any changes to the sample file necessary for your environment.
    3. Include your unique deploy key or the name of a pre-created Secret.
    4. Save the file as “TSKubernetesDaemonSet.yaml”.
  2. Deploy the Distributed Cloud AIP containerized Agent using the Kubernetes DaemonSet.
    1. Go to the Command Line.
    2. Type or copy and paste the following command and press ENTER:
      kubectl create -f TSKubernetesDaemonSet.yaml
  3. Confirm the containerized Agent deployed correctly.
    1. Log into Distributed Cloud AIP.
    2. Ensure events display as expected.

Agent 2.3.3

  1. Create the Kubernetes DaemonSet file.
    1. Download a sample Distributed Cloud AIP Kubernetes DaemonSet .yaml file.
    2. Make any changes to the sample file necessary for your environment.
    3. Include your unique deploy key or the name of a pre-created Secret.
    4. Save the file as “TSKubernetesDaemonSet.yaml”.
  2. Deploy the Distributed Cloud AIP containerized Agent using the Kubernetes DaemonSet.
    1. Go to the Command Line.
    2. Type or copy and paste the following command and press ENTER:
      kubectl create -f TSKubernetesDaemonSet.yaml
  3. Confirm the containerized Agent deployed correctly.
    1. Log into Distributed Cloud AIP.
    2. Ensure events display as expected.

Agent 2.3.2

  1. Create the Kubernetes DaemonSet file.
    1. Download a sample Distributed Cloud AIP Kubernetes DaemonSet .yaml file.
    2. Make any changes to the sample file necessary for your environment.
    3. Include your unique deploy key or the name of a pre-created Secret.
    4. Save the file as “TSKubernetesDaemonSet.yaml”.
  2. Deploy the Distributed Cloud AIP containerized Agent using the Kubernetes DaemonSet.
    1. Go to the Command Line.
    2. Type or copy and paste the following command and press ENTER:
      kubectl create -f TSKubernetesDaemonSet.yaml
  3. Confirm the containerized Agent deployed correctly.
    1. Log into Distributed Cloud AIP.
    2. Ensure events display as expected.

Agent 2.3.1

  1. Create the Kubernetes DaemonSet file.
    1. Download a sample Distributed Cloud AIP Kubernetes DaemonSet .yaml file.
    2. Make any changes to the sample file necessary for your environment.
    3. Include your unique deploy key or the name of a pre-created Secret.
    4. Save the file as “TSKubernetesDaemonSet.yaml”.
  2. Deploy the Distributed Cloud AIP containerized Agent using the Kubernetes DaemonSet.
    1. Go to the Command Line.
    2. Type or copy and paste the following command and press ENTER:
      kubectl create -f TSKubernetesDaemonSet.yaml
  3. Confirm the containerized Agent deployed correctly.
    1. Log into Distributed Cloud AIP.
    2. Ensure events display as expected.

Agent 2.3.0

  1. Create the Kubernetes DaemonSet file.
    1. Download a sample Distributed Cloud AIP Kubernetes DaemonSet .yaml file.
    2. Make any changes to the sample file necessary for your environment.
    3. Include your unique deploy key or the name of a pre-created Secret.
    4. Save the file as “TSKubernetesDaemonSet.yaml”.
  2. Deploy the Distributed Cloud AIP containerized Agent using the Kubernetes DaemonSet.
    1. Go to the Command Line.
    2. Type or copy and paste the following command and press ENTER:
      kubectl create -f TSKubernetesDaemonSet.yaml
  3. Confirm the containerized Agent deployed correctly.
    1. Log into Distributed Cloud AIP.
    2. Ensure events display as expected.

Agent 2.2.x

  1. Create the Kubernetes DaemonSet file.
    1. Download a sample Distributed Cloud AIP Kubernetes DaemonSet .yaml file.
    2. Make any changes to the sample file necessary for your environment.
    3. Include your unique deploy key or the name of a pre-created Secret.
    4. Save the file as “TSKubernetesDaemonSet.yaml”.
  2. Deploy the Distributed Cloud AIP containerized Agent using the Kubernetes DaemonSet.
    1. Go to the Command Line.
    2. Type or copy and paste the following command and press ENTER:
      kubectl create -f TSKubernetesDaemonSet.yaml
  3. Confirm the containerized Agent deployed correctly.
    1. Log into Distributed Cloud AIP.
    2. Ensure events display as expected.

Agent 2.2.0

  1. Create the Kubernetes DaemonSet file.
    1. Download a sample Distributed Cloud AIP Kubernetes DaemonSet .yaml file.
    2. Make any changes to the sample file necessary for your environment.
    3. Include your unique deploy key or the name of a pre-created Secret.
    4. Save the file as “TSKubernetesDaemonSet.yaml”.
  2. Deploy the Distributed Cloud AIP containerized Agent using the Kubernetes DaemonSet.
    1. Go to the Command Line.
    2. Type or copy and paste the following command and press ENTER:
      kubectl create -f TSKubernetesDaemonSet.yaml
  3. Confirm the containerized Agent deployed correctly.
    1. Log into Distributed Cloud AIP.
    2. Ensure events display as expected.

Agent 2.1.x

Note

We have removed the requirement of labeling one of your nodes as threatstack-master. One node will automatically have two agents deployed to it, with one of the agents dedicated solely to Kubernetes events.

  1. Create the Kubernetes DaemonSet file.
    1. Download a sample Distributed Cloud AIP Kubernetes DaemonSet .yaml file.
      1. For Agent 2.1.3
      2. For Agent 2.1.2
      3. For Agent 2.1.1
    2. Make any changes to the sample file necessary for your environment.
    3. Include your unique deploy key.
    4. Save the file as “TSKubernetesDaemonSet.yaml”.
  2. Deploy the Distributed Cloud AIP containerized Agent using the Kubernetes DaemonSet.
    1. Go to the Command Line.
    2. Type or copy and paste the following command and press ENTER:
      kubectl create -f TSKubernetesDaemonSet.yaml
  3. Confirm the containerized Agent deployed correctly.
    1. Log into Distributed Cloud AIP.
    2. Ensure events display as expected.

Agent 2.1

  1. Create the Kubernetes DaemonSet file.
    1. Download a sample Distributed Cloud AIP Kubernetes DaemonSet .yaml file.
    2. Make any changes to the sample file necessary for your environment.
    3. Include your unique deploy key.
    4. Save the file as “TSKubernetesDaemonSet.yaml”.
  2. If you want to use Distributed Cloud AIP's enhanced visibility into Kubernetes, then designate one of your nodes as the master node. The master node communicates with the Kubernetes API.
    1. Go to the Command Line.
    2. Type or copy and paste the following command and press ENTER.
      kubectl label nodes <Node_Name> threatstack-master="true"

      Replace <Node_Name> with the name of the node you want to designate as the master.

      Important

      If you designate more than one node as the master, then you will receive duplicate events.

  3. Deploy the Distributed Cloud AIP containerized Agent using the Kubernetes DaemonSet.
    1. Go to the Command Line.
    2. Type or copy and paste the following command and press ENTER:
      kubectl create -f TSKubernetesDaemonSet.yaml
  4. Confirm the containerized Agent deployed correctly.
    1. Log into Distributed Cloud AIP.
    2. Ensure events display as expected.

Agent 2.0

  1. Create the Kubernetes DaemonSet file.
    1. Download a sample Distributed Cloud AIP Kubernetes DaemonSet .yaml file.
    2. Make any changes to the sample file necessary for your environment.
    3. Include your unique deploy key.
    4. Save the file as “TSKubernetesDaemonSet.yaml”.
  2. Deploy the Distributed Cloud AIP containerized Agent using the Kubernetes DaemonSet.
    1. Go to the Command Line.
    2. Type or copy and paste the following command and press ENTER:
      kubectl create -f TSKubernetesDaemonSet.yaml
  3. Confirm the containerized Agent deployed correctly.
    1. Log into Distributed Cloud AIP.
    2. Ensure events display as expected.