Threat Stack Kubernetes DaemonSet for Agent Deploy

Overview

The Threat Stack Kubernetes DaemonSet orchestrates the Threat Stack containerized Agent. The Kubernetes DaemonSet ensures all nodes run one copy of the Threat Stack containerized Agent.

Additionally, new rule sets are available for the Kubernetes DaemonSet:

  • Kubernetes file integrity monitoring (FIM)

    Note

    If the customer uses FIM rules to create exclusions with Agent 1.8.0C, then they must prepend /threatstackfs to the exclude path. For example, to exclude /tmp/bad, the exclusion becomes /threatstackfs/tmp/bad.

  • Docker CIS

Note

AWS Elastic Container Service (ECS) is also an orchestration layer. However, securing AWS ECS workloads requires the Threat Stack host-based Agent. For more information, see FAQ: How do I secure my AWS ECS workload with Threat Stack?.

How do I deploy containerized Agent using Kubernetes DaemonSet?

Prerequisites

None.

Deploy containerized Agent using Kubernetes DaemonSet

  1. Create a configuration file for the Threat Stack containerized Agent.
    1. In the /etc/ directory, create a ts-agent folder.
    2. Open a text editing program.
    3. Create a configuration file and ensure the "configuration" variable is present, as in the example below.
      {
        "deploy-key": "<your deploy key>",
        "agent_type": "i",
        "ruleset": "Base Rule Set, Docker Rule Set",
        "configuration": {
          "enable_containers": 1,
          "enable_kubes": 1,
          "log_level": "info"
        }
      }

      Warning

      If you do not provide a configuration file, or if you provide a misconfigured configuration file, then the deployment of the containerized Agent will not work.

    4. In the /etc/ts-agent folder, save the file as “ts-config.json”.
  2. Create the Kubernetes DaemonSet file.
    1. Open a text editing program.
    2. Type or copy the following code and paste it in the text file:
      apiVersion: apps/v1
      kind: DaemonSet
      metadata:
        name: threatstack-agent
      spec:
        selector:
          matchLabels:
            name: "threatstack-agent"
        template:
          metadata:
            labels:
              name: "threatstack-agent"
            name: threatstack-agent
          spec:
            hostNetwork: true
            hostPID: true    # the Agent pod shares the node's PID namespace
            containers:
            - image: threatstack/ts-docker:latest
              imagePullPolicy: Always
              name: threatstack-agent
              env:
              - name: THREATSTACK_CONFIG_PATH
                value: /tmp/ts-config/ts-config
              securityContext:
                privileged: true
                capabilities:
                  add: ["AUDIT_CONTROL", "AUDIT_READ", "NET_ADMIN", "SYS_ADMIN"]
              resources:
                requests:
                  memory: "256Mi"
                  cpu: "200m"
                limits:
                  memory: "256Mi"
                  cpu: "200m"
              volumeMounts:
              - name: dockersocket
                mountPath: /var/run/docker.sock
              - name: hostfs
                mountPath: /threatstackfs
              - name: ts-config
                mountPath: /threatstackfs/tmp/ts-config
            volumes:
            - name: ts-config
              configMap:
                name: ts-config    # the ConfigMap created in step 3
                items:
                - key: ts-config
                  path: ts-config
            - hostPath:
                path: /var/run/docker.sock
              name: dockersocket
            - hostPath:
                path: /    # node root filesystem, mounted in the container at /threatstackfs
              name: hostfs
    3. Save the file as “TSKubernetesDaemonSet”.
  3. Map the configuration file for the Threat Stack containerized Agent to the Kubernetes DaemonSet.
    1. Open the Command Line.
    2. Type or copy and paste the following command and press ENTER:
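      kubectl create configmap ts-config --from-file=ts-config=/etc/ts-agent/ts-config.json

      This command creates a ConfigMap named ts-config whose ts-config key holds the contents of /etc/ts-agent/ts-config.json, the Threat Stack containerized Agent configuration file. The Kubernetes DaemonSet mounts that key into the Agent container.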

  4. Deploy the Threat Stack containerized Agent using the Kubernetes DaemonSet.
    1. Go to the Command Line.
    2. Type or copy and paste the following command and press ENTER:
      kubectl create -f TSKubernetesDaemonSet
  5. Confirm the containerized Agent deployed correctly.
    1. Log into Threat Stack.
    2. Ensure events display as expected.
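
Because a missing or misconfigured configuration file stops the Agent from deploying, it helps to check ts-config.json before creating the ConfigMap. The following pre-flight check is an added example, not Threat Stack code; the function name check_ts_config is hypothetical, and treating every key of the sample other than "configuration" as required is an assumption drawn from the example file above.

```python
import json
import sys

PLACEHOLDER = "<your deploy key>"  # placeholder text from the article's sample

# Constructed sample: the article's example file, with the placeholder left in.
SAMPLE = """{
  "deploy-key": "<your deploy key>",
  "agent_type": "i",
  "ruleset": "Base Rule Set, Docker Rule Set",
  "configuration": {"enable_containers": 1, "enable_kubes": 1, "log_level": "info"}
}"""


def check_ts_config(text):
    """Return a list of problems in ts-config.json content; empty means OK."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON (line {exc.lineno}, column {exc.colno}): {exc.msg}"]
    if not isinstance(cfg, dict):
        return ["top level must be a JSON object"]

    problems = []
    # The article requires the "configuration" variable to be present.
    if "configuration" not in cfg:
        problems.append('missing "configuration"')
    elif not isinstance(cfg["configuration"], dict):
        problems.append('"configuration" must be an object')

    # Assumption: the other keys of the article's sample are required strings.
    for name in ("deploy-key", "agent_type", "ruleset"):
        value = cfg.get(name)
        if not isinstance(value, str) or not value.strip():
            problems.append(f'missing or empty "{name}"')
        elif value.strip() == PLACEHOLDER:
            problems.append(f'"{name}" still holds the sample placeholder')
    return problems


if __name__ == "__main__":
    # Check the file given as an argument, or the constructed sample if none.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            content = fh.read()
    else:
        content = SAMPLE
    found = check_ts_config(content)
    for problem in found:
        print("ts-config problem:", problem)
    sys.exit(1 if found else 0)
```

Run it with /etc/ts-agent/ts-config.json as the argument; a non-zero exit status means the file should be corrected before running kubectl create configmap.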