Threat Stack Kubernetes DaemonSet for Agent Deploy

Overview

The Threat Stack Kubernetes DaemonSet orchestrates the Threat Stack containerized Agent. The Kubernetes DaemonSet ensures all nodes run one copy of the Threat Stack containerized Agent.

By default, the following rulesets are applied to the Kubernetes DaemonSet:

  • Base Rule Set
  • Docker Rule Set
  • Kubernetes Rule Set

    Note

    If the customer uses File Integrity Monitoring (FIM) rules to create exclusions with Agent 1.8.0C, then they must prepend /threatstackfs to the exclude path. For example, to exclude /tmp/bad, the exclusion becomes /threatstackfs/tmp/bad.

Prerequisites for Deploying Containerized Agent

From the Command Line, enter the following commands to stop and disable auditd:

sudo systemctl stop auditd
sudo systemctl disable auditd

System Consideration for the Containerized Agent

To optimize performance of your containerized Agent, we recommend configuring your host following these guidelines:

Deploy Containerized Agent Using Helm Chart

Helm is a package manager on top of Kubernetes. It facilitates installation and upgrades, and manages dependencies for the services you install in Kubernetes.

Important

The Threat Stack Agent Helm chart installation repository is provided as-is. Threat Stack support is unable to assist you with changes you make to files in the repository or with custom Helm charts, and cannot provide recommendations on modifications to your environment.

Prerequisites

  • Helm v2 or Helm v3 installed
    • If using Helm v2, ensure the cluster component tiller is installed.

The Helm chart version is independent of the version of the Agent packaged/installed by the chart. The version of the application to be installed by the Helm chart is defined by Helm's appVersion field.

Installing the Helm Chart

Note

These instructions assume you already have Helm installed in your environment. It also assumes any Role-Based Access Control (RBAC) configuration has been completed for proper operation of Helm. Please see Installing Helm for instructions on installing Helm in your environment.

Local Installation

The instructions below assume the Helm chart has been released to a repository. Alternatively, you can clone Threat Stack's Git repository and run helm package in the repository's root to get a .tgz file built locally.

Important

  • When performing a local installation, do not add the Helm repository as directed in step 1 of the Installing Using Publicly Released Chart section below. Omit --repo https://pkg.threatstack.com/helm from any command. Replace the chart name threatstack-agent with <PATH_TO_CHART>/threatstack-agent-<VERSION>.tgz in the Helm commands.
  • Creating a local Helm chart does not sign it. Any verification of the provenance of the chart will fail.

Installing Using Publicly Released Chart

The Threat Stack Agent Helm chart follows the standard installation process for charts:

  1. Add the Threat Stack Agent Helm repository to your local Helm configuration using the following command:
    helm repo add threatstack https://pkg.threatstack.com/helm
  2. Using the default values.yaml, create a local yaml that overrides the configuration as desired or needed for the target cluster.
  3. Install the Threat Stack Agent with Helm.
    • Helm 2:
      helm install --name <HELM_RELEASE_NAME> --values ./<values-override-filename>.yaml threatstack/threatstack-agent
    • Helm 3:
      helm install <HELM_RELEASE_NAME> --values ./<values-override-filename>.yaml threatstack/threatstack-agent

Integrations

Once the Agent has been deployed, you can configure Threat Stack to integrate with notification platforms such as PagerDuty, Slack, VictorOps and Webhooks.

Updating the Helm Chart

To update the Helm chart, run the following command:

helm upgrade <HELM_RELEASE_NAME> threatstack/threatstack-agent

Uninstalling the Helm Chart

To uninstall the Helm chart, run the following command:

helm delete <HELM_RELEASE_NAME>

Configuration Settings

The following values/settings are important for the Helm chart. They can be modified for each target environment:

  • image.repository: The Docker repository for the container image to install. It defaults to Threat Stack's official Docker Hub repository for the Agent.

    Note

    Changing this could lead to pulling an unofficial or incorrect image, and is strongly discouraged.

  • image.version: The Docker tag for the container image to install. It defaults to Threat Stack's latest official Docker image version for the Agent at the time the chart was released.

    Note

    Changing this could lead to pulling an unofficial or incorrect image, and is strongly discouraged.

  • gkeContainerOs: If true, the DaemonSet definition is modified to execute the commands the Agent needs to work correctly on Google Kubernetes Engine (GKE) with ContainerOS nodes. It defaults to false.
  • gkeUbuntu: If true, the DaemonSet definition is modified to execute the commands the Agent needs to work correctly on GKE with Ubuntu nodes. It defaults to false.
  • customDaemonsetCmd: Uncomment the command and args sub-attributes, and define them as desired to run custom commands in the DaemonSet.

    Important

    Setting customDaemonsetCmd improperly can result in the Threat Stack Agent not running correctly.

  • rbac.create: If true, the chart creates the service account the Agent needs to run. If false, the chart uses the existing service account named in rbac.serviceAccountName.
  • imagePullSecrets: If pulling the Agent from a private/internal Docker registry that requires credentials, you will need to add the name of your Docker credentials Secret to this array. This Secret needs to be defined outside of installing this Helm chart. It defaults to an empty array which will only work with public registries.
  • rulesets: The list of Threat Stack rulesets that the Agent container should run with. The single-quotes in the double-quotes are intentional and not optional.
  • additionalSetupConfig: A list of command line arguments used when the Agent container registers itself with the Threat Stack Cloud Security Platform®.
  • additionalConfig: A list of command line arguments used when the Agent container starts running.
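The following values override file, for step 2 of the Helm installation above, is an added example and not the chart's own values.yaml. It sets only the keys documented in the list above, with the chart defaults restated where that makes the intent clearer; every value marked ASSUMPTION (the Secret name, the service account name, the exact rulesets string, and the type of the two additional*Config keys) is illustrative and must be checked against the chart's values.yaml before use.

```yaml
# values-override.yaml: added example, not the chart's own values.yaml.
# Only keys documented in the Configuration Settings list are set; omitted
# keys keep the chart defaults. Values marked ASSUMPTION are illustrative.

# image.repository and image.version are deliberately left at the chart
# defaults (see the Notes above): overriding them risks pulling an
# unofficial or incorrect image.
# image:
#   repository: <OFFICIAL_REPOSITORY>
#   version: <OFFICIAL_TAG>

# Needed only when the image is mirrored in a private registry. The Secret
# must already exist in the release namespace; an empty array works for
# public registries.
imagePullSecrets: []
# imagePullSecrets:
#   - name: registry-credentials   # ASSUMPTION: name of your pre-created Secret

# Let the chart create a dedicated service account instead of reusing a
# broader one; set create to false only to supply your own.
rbac:
  create: true
  # serviceAccountName: threatstack-agent   # used only when create is false (ASSUMPTION: name)

# On GKE, set the one that matches the node image in use; leave both false elsewhere.
gkeContainerOs: false
gkeUbuntu: false

# Leave customDaemonsetCmd commented out unless the entrypoint must change;
# a wrong command here stops the Agent from running (see the Important note above).
# customDaemonsetCmd:
#   command: []
#   args: []

# The single quotes inside the double quotes are required, as stated above.
# ASSUMPTION: this string names the three default rulesets from the Overview.
rulesets: "'Base Rule Set', 'Docker Rule Set', 'Kubernetes Rule Set'"

# Extra command line arguments for registration and for runtime; empty here.
# ASSUMPTION: the chart accepts these as strings; check values.yaml for the exact type.
additionalSetupConfig: ""
additionalConfig: ""
```

Pass the file to the install command from step 3 with --values ./values-override.yaml. Keeping the file under version control, and diffing it against the chart's values.yaml on each chart upgrade, is the simplest way to notice when a new chart release adds or renames a setting.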

Deploy Containerized Agent 2.x Series Using Kubernetes DaemonSet

Agent 2.2.x

  1. Create the Kubernetes DaemonSet file.
    1. Download a sample Threat Stack Kubernetes DaemonSet .yaml file.
    2. Make any changes to the sample file necessary for your environment.
    3. Include your unique deploy key.
    4. Save the file as “TSKubernetesDaemonSet.yaml”.
  2. Deploy the Threat Stack containerized Agent using the Kubernetes DaemonSet.
    1. Go to the Command Line.
    2. Type or copy and paste the following command and press ENTER:
      kubectl create -f TSKubernetesDaemonSet.yaml
  3. Confirm the containerized Agent deployed correctly.
    1. Log into Threat Stack.
    2. Ensure events display as expected.

Agent 2.2.0

  1. Create the Kubernetes DaemonSet file.
    1. Download a sample Threat Stack Kubernetes DaemonSet .yaml file.
    2. Make any changes to the sample file necessary for your environment.
    3. Include your unique deploy key.
    4. Save the file as “TSKubernetesDaemonSet.yaml”.
  2. Deploy the Threat Stack containerized Agent using the Kubernetes DaemonSet.
    1. Go to the Command Line.
    2. Type or copy and paste the following command and press ENTER:
      kubectl create -f TSKubernetesDaemonSet.yaml
  3. Confirm the containerized Agent deployed correctly.
    1. Log into Threat Stack.
    2. Ensure events display as expected.

Agent 2.1.x

Note

We have removed the requirement of labeling one of your nodes as threatstack-master. One node will automatically have two agents deployed to it, with one of the agents dedicated solely to Kubernetes events.

  1. Create the Kubernetes DaemonSet file.
    1. Download a sample Threat Stack Kubernetes DaemonSet .yaml file.
      1. For Agent 2.1.3
      2. For Agent 2.1.2
      3. For Agent 2.1.1
    2. Make any changes to the sample file necessary for your environment.
    3. Include your unique deploy key.
    4. Save the file as “TSKubernetesDaemonSet.yaml”.
  2. Deploy the Threat Stack containerized Agent using the Kubernetes DaemonSet.
    1. Go to the Command Line.
    2. Type or copy and paste the following command and press ENTER:
      kubectl create -f TSKubernetesDaemonSet.yaml
  3. Confirm the containerized Agent deployed correctly.
    1. Log into Threat Stack.
    2. Ensure events display as expected.

Agent 2.1

  1. Create the Kubernetes DaemonSet file.
    1. Download a sample Threat Stack Kubernetes DaemonSet .yaml file.
    2. Make any changes to the sample file necessary for your environment.
    3. Include your unique deploy key.
    4. Save the file as “TSKubernetesDaemonSet.yaml”.
  2. If you want to use Threat Stack's enhanced visibility into Kubernetes, then designate one of your nodes as the master node. The master node communicates with the Kubernetes API.
    1. Go to the Command Line.
    2. Type or copy and paste the following command and press ENTER.
      kubectl label nodes <Node_Name> threatstack-master="true"

      Replace <Node_Name> with the name of the node you want to designate as the master.

      Important

      If you designate more than one node as the master, then you will receive duplicate events.

  3. Deploy the Threat Stack containerized Agent using the Kubernetes DaemonSet.
    1. Go to the Command Line.
    2. Type or copy and paste the following command and press ENTER:
      kubectl create -f TSKubernetesDaemonSet.yaml
  4. Confirm the containerized Agent deployed correctly.
    1. Log into Threat Stack.
    2. Ensure events display as expected.

Agent 2.0

  1. Create the Kubernetes DaemonSet file.
    1. Download a sample Threat Stack Kubernetes DaemonSet .yaml file.
    2. Make any changes to the sample file necessary for your environment.
    3. Include your unique deploy key.
    4. Save the file as “TSKubernetesDaemonSet.yaml”.
  2. Deploy the Threat Stack containerized Agent using the Kubernetes DaemonSet.
    1. Go to the Command Line.
    2. Type or copy and paste the following command and press ENTER:
      kubectl create -f TSKubernetesDaemonSet.yaml
  3. Confirm the containerized Agent deployed correctly.
    1. Log into Threat Stack.
    2. Ensure events display as expected.

Deploy Containerized Agent 1.x Series Using Kubernetes DaemonSet

  1. Create a configuration file for the Threat Stack containerized Agent.
    1. In the /etc/ directory, create a ts-agent folder.
    2. Download a sample ts-config.json file.

      Warning

      If you do not provide a configuration file, or if you provide a misconfigured configuration file, then the deployment of the containerized Agent will not work.

    3. Make any changes to the sample file necessary for your environment.
    4. In the /etc/ts-agent folder, save the file as “ts-config.json”.
  2. Create the Kubernetes DaemonSet file.
    1. Download a sample Threat Stack Kubernetes DaemonSet .yaml file.
    2. Make any changes to the sample file necessary for your environment.
    3. Include your unique deploy key.
    4. Save the file as “TSKubernetesDaemonSet.yaml”.
  3. Map the configuration file for the Threat Stack containerized Agent to the Kubernetes DaemonSet.
    1. Open the Command Line.
    2. Type or copy and paste the following command and press ENTER:
      kubectl create configmap ts-config --from-file=ts-config.json

      This command creates a ConfigMap named ts-config from the Threat Stack containerized Agent configuration file, which the Kubernetes DaemonSet then consumes.

  4. Deploy the Threat Stack containerized Agent using the Kubernetes DaemonSet.
    1. Go to the Command Line.
    2. Type or copy and paste the following command and press ENTER:
      kubectl create -f TSKubernetesDaemonSet.yaml
  5. Confirm the containerized Agent deployed correctly.
    1. Log into Threat Stack.
    2. Ensure events display as expected.
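Each of the procedures above ends with "Confirm the containerized Agent deployed correctly" by checking that events appear in Threat Stack. The script below is an added example, not part of the Threat Stack article, that adds a cluster-side check: it compares the DaemonSet's desired and ready pod counts and lists any node without a Running Agent pod, since a node the Agent is not running on is a node you are not monitoring. The namespace default, the DaemonSet name threatstack-agent and the pod label app=threatstack-agent are assumptions; take the real values from your TSKubernetesDaemonSet.yaml.

```shell
#!/bin/sh
# Added example, not part of the Threat Stack article: after deploying the
# DaemonSet, confirm from the cluster side that an Agent pod is Running on
# every node, in addition to checking that events appear in Threat Stack.
# ASSUMPTIONS (adjust to your manifest): namespace "default", DaemonSet name
# "threatstack-agent", and the pod label "app=threatstack-agent".

# Print the nodes listed in $1 that do not appear in $2.
# Both arguments are newline-separated lists of node names.
nodes_missing_agent() {
  printf '%s\n' "$1" | sort -u | while IFS= read -r node; do
    [ -n "$node" ] || continue
    if ! printf '%s\n' "$2" | grep -Fxq -- "$node"; then
      printf '%s\n' "$node"
    fi
  done
}

# Succeed only when the DaemonSet has scheduled at least one pod and every
# scheduled pod is ready. $1 = desiredNumberScheduled, $2 = numberReady.
daemonset_complete() {
  if [ "${1:-0}" -gt 0 ] && [ "${1:-0}" -eq "${2:-0}" ]; then
    return 0
  fi
  return 1
}

# Query the live cluster with kubectl and report nodes without an Agent.
check_live() {
  ns="${1:-default}"
  ds="${2:-threatstack-agent}"
  label="${3:-app=threatstack-agent}"

  counts=$(kubectl -n "$ns" get daemonset "$ds" \
    -o jsonpath='{.status.desiredNumberScheduled} {.status.numberReady}')
  desired=${counts% *}
  ready=${counts#* }

  all_nodes=$(kubectl get nodes \
    -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}')
  # Only pods in phase Running count as covering a node.
  covered_nodes=$(kubectl -n "$ns" get pods -l "$label" \
    -o jsonpath='{range .items[?(@.status.phase=="Running")]}{.spec.nodeName}{"\n"}{end}')

  missing=$(nodes_missing_agent "$all_nodes" "$covered_nodes")
  if daemonset_complete "$desired" "$ready" && [ -z "$missing" ]; then
    echo "OK: $ready/$desired Agent pods ready, every node covered"
    return 0
  fi
  echo "WARNING: $ready/$desired Agent pods ready"
  if [ -n "$missing" ]; then
    echo "Nodes without a Running Agent pod:"
    # Word splitting is intended: one node name per line.
    printf '  %s\n' $missing
  fi
  return 1
}

# Run the live check only when asked, so the functions above can be sourced
# or tested without a cluster. Usage:
#   sh check-agent-coverage.sh --live [namespace] [daemonset] [label]
if [ "${1:-}" = "--live" ]; then
  check_live "${2:-default}" "${3:-threatstack-agent}" "${4:-app=threatstack-agent}"
fi
```

Nodes that the DaemonSet does not tolerate (for example tainted control-plane nodes) show up as missing; decide deliberately whether those nodes should be monitored and add tolerations to the DaemonSet if so, rather than treating the warning as noise. For the 2.1.x Agent, the node that runs the additional Kubernetes-events Agent has two pods, which this check handles because it compares sets of node names rather than pod counts.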