Add Threat Stack Container Security Monitoring for Fargate to Existing Kubernetes Deployment

Overview

Each of your application containers should include the mounted sensor, which supplies process telemetry for that container. Threat Stack Container Monitoring for AWS Fargate requires a volume mounted into every monitored application container: the sensor binary is copied into that volume, and the sensor uses it to reach the Threat Stack Hostless Agent running as a sidecar in the same pod.

Prerequisites

  • AWS administrator account
  • AWS Fargate Kubernetes deployment
  • Threat Stack account
  • Your Threat Stack Cloud Security PlatformⓇ (CSP) organization’s deployment key, found here.

Procedure

Threat Stack Container Monitoring for AWS Fargate uses the Kubernetes Downward API to pass pod attributes (name, namespace, IP, UID, node name, service account, and the container's CPU request and memory limit) to the Threat Stack Agent as environment variables. Kubernetes provides more information on the Downward API here.

  1. Open your Kubernetes deployment .yaml file.
  2. Edit the .yaml file to include the Threat Stack Hostless Agent sidecar container and the mounted sensor command to instrument the application container(s).

    The following is a sample deployment .yaml file, which includes the Threat Stack Hostless Agent and the mounted sensor command to instrument the application container:

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: sample-app
      namespace: <your fargate namespace>   # a namespace selected by a Fargate profile
      labels:
        app: sample-app
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: sample-app
      strategy: {}
      template:
        metadata:
          labels:
            app: sample-app
        spec:
          volumes:
            # Shared by the init container, the application container(s) and the
            # agent sidecar: holds the sensor binary and the socket the sensor talks over.
            - name: agentvolume
              emptyDir: {}
          initContainers:
          # Copies the mounted sensor out of the agent image into the shared volume.
          - name: initsensor
            image: threatstack/ts-hostless:latest
            command: ["cp", "/bin/mountedSensor/sensor", "/threatstack"]
            volumeMounts:
            - mountPath: /threatstack
              name: agentvolume
          containers:
          - name: <your container name>
            image: <your container image>
            # Start the sensor in the background, then run the application's own entry command.
            command: ["/bin/sh"]
            args: ["-c", "/threatstack/sensor & <your application container entry command>"]
            ports:
              - containerPort: 3000
            env:
            # Socket through which the sensor reaches the agent sidecar.
            - name: TS_SOCKETPATH
              value: "/threatstack/socket.sock"
            - name: TS_CONTAINERNAME
              value: "<your container name>"
            # Pod attributes supplied through the Downward API.
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: POD_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            - name: POD_UID
              valueFrom:
                fieldRef:
                  fieldPath: metadata.uid
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: SERVICE_ACCOUNT
              valueFrom:
                fieldRef:
                  fieldPath: spec.serviceAccountName
            # This container's CPU request and memory limit (resourceFieldRef without
            # containerName refers to the container it is declared in).
            - name: CONTAINER_CPU_REQUEST_MILLICORES
              valueFrom:
                resourceFieldRef:
                  resource: requests.cpu
                  divisor: 1m
            - name: CONTAINER_MEMORY_LIMIT_KIBIBYTES
              valueFrom:
                resourceFieldRef:
                  resource: limits.memory
                  divisor: 1Ki
            resources: {}
            volumeMounts:
            - mountPath: /threatstack
              name: agentvolume
          # Threat Stack Hostless Agent sidecar: receives sensor telemetry over the shared socket.
          - name: threatstack
            image: threatstack/ts-hostless:latest
            env:
            - name: TS_HOSTLESS_DEPLOYMENT
              value: "<your deployment key>"
            - name: TS_SOCKETPATH
              value: "/threatstack/socket.sock"
            command: ["/bin/agent"]
            args: ["--hostname=<SERVER_NAME>"]
            resources: {}
            volumeMounts:
            - mountPath: /threatstack
              name: agentvolume

    Notes

    • Replace <your fargate namespace> with the Kubernetes namespace that has an attached Fargate profile.
    • Replace <your container name> with the name of your container. It appears twice: as the container's name and as the value of TS_CONTAINERNAME.
    • Replace <your container image> with the location of your container image.
    • Replace <your application container entry command> with the entry command for your application container. Because the container now starts through /bin/sh -c, the shell is PID 1: it does not pass SIGTERM on to the application during a rollout or scale-down unless the entry command is prefixed with exec, and the container exits when the application command exits, whatever the state of the sensor.
    • Replace <your deployment key> with your Threat Stack CSP organization's deployment key, found here. Treat the key as a credential: rather than committing it to the manifest as a literal value, store it in a Kubernetes Secret and populate TS_HOSTLESS_DEPLOYMENT with valueFrom.secretKeyRef.
    • Replace <SERVER_NAME> with a name for the EKS deployment, which displays as the Fargate Agent name in the Threat Stack CSP.
    • Both ts-hostless references use the latest tag. Pin a specific tag or image digest if you need rollouts to be reproducible and reviewable.
  3. Save the file.
  4. Repeat steps 1 – 3 for each deployment .yaml file in your EKS cluster that needs to be instrumented. Within a pod, the agentvolume, initsensor init container and threatstack sidecar are declared once; each additional container in that pod needs its own sensor wrapper command, TS_* environment variables and /threatstack volumeMount. The next time you run deployment commands, Threat Stack Container Monitoring for AWS Fargate will run alongside your application containers. To confirm the sensor was copied into the shared volume, run kubectl exec <pod> -c <your container name> -- ls -l /threatstack.
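Editing the manifest by hand once is fine; doing it for every container in every deployment is where mounts and environment variables get forgotten. The following Python is an added example, not Threat Stack tooling: it reproduces the structure of the sample manifest above (shared emptyDir, initsensor init container, /bin/sh -c wrapper, Downward API variables, agent sidecar) for every container in a Deployment, then checks the result. It deviates from the sample in one place, labelled in the code: the deployment key is read from a Kubernetes Secret through secretKeyRef rather than written into the manifest. The Secret name and key, the sample Deployment, and its image and command are constructed assumptions. The manifest is handled as a plain dict; json.loads is used here, and yaml.safe_load from PyYAML yields the same structure for a .yaml file.

```python
"""Inject the Threat Stack mounted sensor and Hostless Agent sidecar into a
Kubernetes Deployment, then verify the wiring. Added example (not Threat Stack
tooling) that follows the sample manifest in the article. The Secret holding the
deployment key is assumed to exist already in the target namespace."""
import copy
import json

AGENT_IMAGE = "threatstack/ts-hostless:latest"  # image named in the article
MOUNT_PATH = "/threatstack"
SOCKET_PATH = MOUNT_PATH + "/socket.sock"
VOLUME_NAME = "agentvolume"
SIDECAR_NAME = "threatstack"

# Downward API fields the article exposes to the instrumented container.
FIELD_REFS = {
    "POD_NAME": "metadata.name", "POD_NAMESPACE": "metadata.namespace",
    "POD_IP": "status.podIP", "POD_UID": "metadata.uid",
    "NODE_NAME": "spec.nodeName", "SERVICE_ACCOUNT": "spec.serviceAccountName",
}
RESOURCE_REFS = {
    "CONTAINER_CPU_REQUEST_MILLICORES": ("requests.cpu", "1m"),
    "CONTAINER_MEMORY_LIMIT_KIBIBYTES": ("limits.memory", "1Ki"),
}


def shell_join(argv):
    """Single-quote each word so the entry command survives /bin/sh -c intact."""
    return " ".join("'" + a.replace("'", "'\\''") + "'" for a in argv)


def instrument_deployment(deployment, server_name, key_secret, key_field="deployment-key"):
    """Return an instrumented copy of `deployment`; the input is left unmodified.

    server_name becomes the agent's --hostname. Unlike the article's sample, the
    deployment key is taken from Secret `key_secret` (field `key_field`) via
    secretKeyRef (assumed Secret layout). A container with no explicit `command`
    is rejected: the wrapper cannot see the image's ENTRYPOINT."""
    dep = copy.deepcopy(deployment)
    pod = dep["spec"]["template"]["spec"]
    containers = pod.setdefault("containers", [])
    if any(c["name"] == SIDECAR_NAME for c in containers):
        return dep  # already instrumented; applying twice is a no-op
    mount = {"mountPath": MOUNT_PATH, "name": VOLUME_NAME}
    pod.setdefault("volumes", []).append({"name": VOLUME_NAME, "emptyDir": {}})
    pod.setdefault("initContainers", []).append({
        "name": "initsensor", "image": AGENT_IMAGE,
        "command": ["cp", "/bin/mountedSensor/sensor", MOUNT_PATH],
        "volumeMounts": [dict(mount)],
    })
    for c in containers:
        if not c.get("command"):
            raise ValueError(f"container {c['name']!r} has no explicit command; "
                             "add the image's entry command so it can be wrapped")
        entry = c["command"] + c.get("args", [])
        c["command"] = ["/bin/sh"]
        c["args"] = ["-c", f"{MOUNT_PATH}/sensor & {shell_join(entry)}"]
        env = c.setdefault("env", [])
        env += [{"name": "TS_SOCKETPATH", "value": SOCKET_PATH},
                {"name": "TS_CONTAINERNAME", "value": c["name"]}]
        env += [{"name": n, "valueFrom": {"fieldRef": {"fieldPath": p}}}
                for n, p in FIELD_REFS.items()]
        env += [{"name": n, "valueFrom": {"resourceFieldRef": {"resource": r, "divisor": d}}}
                for n, (r, d) in RESOURCE_REFS.items()]
        c.setdefault("volumeMounts", []).append(dict(mount))
    containers.append({
        "name": SIDECAR_NAME, "image": AGENT_IMAGE,
        "env": [{"name": "TS_HOSTLESS_DEPLOYMENT",
                 "valueFrom": {"secretKeyRef": {"name": key_secret, "key": key_field}}},
                {"name": "TS_SOCKETPATH", "value": SOCKET_PATH}],
        "command": ["/bin/agent"], "args": [f"--hostname={server_name}"],
        "volumeMounts": [dict(mount)],
    })
    return dep


def verify_instrumented(deployment):
    """Return a list of wiring problems; empty means every container is covered."""
    pod = deployment["spec"]["template"]["spec"]
    problems = []
    if not any(v.get("name") == VOLUME_NAME for v in pod.get("volumes", [])):
        problems.append(f"volume {VOLUME_NAME} missing")
    if not any(i.get("name") == "initsensor" for i in pod.get("initContainers", [])):
        problems.append("initsensor init container missing")
    containers = pod.get("containers", [])
    if not any(c["name"] == SIDECAR_NAME for c in containers):
        problems.append("threatstack sidecar missing")
    for c in containers:
        env_names = {e["name"] for e in c.get("env", [])}
        if not any(m.get("mountPath") == MOUNT_PATH for m in c.get("volumeMounts", [])):
            problems.append(f"{c['name']}: {MOUNT_PATH} not mounted")
        if "TS_SOCKETPATH" not in env_names:
            problems.append(f"{c['name']}: TS_SOCKETPATH not set")
        if c["name"] != SIDECAR_NAME and not any(
                f"{MOUNT_PATH}/sensor" in a for a in c.get("args", [])):
            problems.append(f"{c['name']}: entry command does not start the sensor")
    return problems


# Constructed sample input: a Fargate Deployment before instrumentation.
SAMPLE_DEPLOYMENT = json.loads("""{
  "apiVersion": "apps/v1", "kind": "Deployment",
  "metadata": {"name": "sample-app", "namespace": "fargate-apps"},
  "spec": {"replicas": 1, "selector": {"matchLabels": {"app": "sample-app"}},
           "template": {"metadata": {"labels": {"app": "sample-app"}},
                        "spec": {"containers": [{"name": "web", "image": "registry.example/web:1.0",
                                                 "command": ["node"], "args": ["server.js", "--port", "3000"],
                                                 "ports": [{"containerPort": 3000}]}]}}}}""")

if __name__ == "__main__":
    out = instrument_deployment(SAMPLE_DEPLOYMENT, "sample-app-fargate", "threatstack-key")
    print(json.dumps(out, indent=2))  # kubectl apply -f accepts JSON manifests as well as YAML
    print("problems:", verify_instrumented(out))
```

Run verify_instrumented against manifests already in the repository to find containers that were added after the sidecar and never wired up; the entry-command check is deliberately strict, because a container that mounts the volume but never starts the sensor produces no telemetry and no error.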