Agent deployment

You should install Agents on all nodes of the cluster that you want to protect.

A separate group of agents is installed on each cluster.

To deploy agents in the cluster:

  1. In the main menu, go to the Components → Agents section.
  2. In the work pane, click the Add agent group button.
  3. On the General tab:
    1. Fill in the fields in the form.
      • Enter the group name. For convenient agent management, we recommend naming the group after the cluster whose nodes the agents will be deployed on.
      • If required, enter a description of the agent group.
      • Select the orchestrator to use.
      • Specify the namespace name.
    2. In the KCS registry section, enter the web address of the registry where the images used to install agents are located. To access the registry, you must specify the correct user name and password.
    3. Under Linked SIEM, select the SIEM system from the drop-down list.

      To link an agent group in Kaspersky Container Security, you must create and configure at least one integration with a SIEM system.
      One agent group can be linked with only one SIEM system.

      For each SIEM system integration, the drop-down list indicates the connection status – Success, Warning, or Error.

  4. On the Node monitoring tab, use the Disable/Enable toggle to start monitoring and analyzing the status of the network, processes inside containers, and file threat protection for the following settings:
    • Network connections monitoring. The status of network connections is monitored with traffic capture devices (network monitors) and eBPF modules. This process considers applicable runtime policies and container runtime profiles.
    • Container processes monitoring. Container processes are monitored using eBPF programs based on applicable runtime policy rules and container runtime profile rules.
    • File threat protection. To track anti-malware database updates, specify one of the following values:
      • Anti-malware database update URL: the web address of the Kaspersky Container Security update service.
      • Anti-malware database update proxy: the HTTP proxy for a cloud or local update server.

      If the kcs-updates container is used to update anti-malware databases, the URL of the database update tool must be specified as follows: <domain>/kuu/updates (for example, https://kcs.company.com/kuu/updates).

      By default, File Threat Protection databases are updated from Kaspersky cloud servers.

    • File operations. The solution tracks file operations using eBPF modules based on applicable runtime policies and container runtime profiles.

      Regardless of the mode specified in the runtime policy, only the Audit mode is supported for file operations. If the Enforce mode is specified in the applicable runtime policy, file operations are performed in Audit mode.

    Monitoring steps that are not needed can be disabled to avoid unnecessary load on the nodes.

  5. Click Save.

In the workspace, the Deployment data tab displays the following data necessary for deploying agents on the cluster:

The solution automatically updates the agent deployment instruction if you change the following parameters:

Agents need access to the Kaspersky Container Security API. If connectivity between the agents and the solution API can only be achieved with a proxy server, you can add a proxy server configuration to the agent deployment instructions by creating a special secret.

To add a proxy server configuration to the agent deployment instructions:

  1. Specify proxy server information in BASE64 encoding. The example below shows proxy server information for http://proxy.example.com:8080:

    ---
    apiVersion: v1
    kind: Secret
    metadata:
      name: http-client-proxy
      namespace: kcs-namespace
    type: opaque
    data:
      HTTP_CLIENT_PROXY: 'aHR0cDovL3Byb3h5LmV4YW1wbGUuY29tOjgwODA='
    ---

  2. Add the secret to the ENV section of the DaemonSet and Deployment resources in the agent deployment instructions:

    - name: HTTP_CLIENT_PROXY
      valueFrom:
        secretKeyRef:
          name: http-client-proxy
          key: HTTP_CLIENT_PROXY
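
The two steps above can be scripted so that the encoded value contains exactly the proxy URL and nothing else. The following is an added example, not part of the product documentation; the function names and the script name are assumptions, while the secret name, key and namespace are the ones shown above.

```shell
#!/bin/sh
# Added example: build the http-client-proxy Secret from a proxy URL.
# Secret name, key and namespace are the ones shown on this page.

# Base64-encode exactly the bytes given. printf '%s' adds no newline;
# `echo "$url" | base64` would encode a trailing "\n" into the value.
encode_proxy() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Accept only http:// or https:// values that contain no whitespace.
validate_proxy() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "$1" ] || return 1
    case "$1" in
        http://?*|https://?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Decode an existing data value and validate it. The "x" sentinel keeps a
# trailing newline that command substitution would otherwise strip.
check_encoded() {
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null; printf x)
    validate_proxy "${decoded%x}"
}

# Print the Secret manifest for the given proxy URL and namespace.
render_proxy_secret() {
    validate_proxy "$1" || { echo "invalid proxy URL" >&2; return 1; }
    cat <<EOF
---
apiVersion: v1
kind: Secret
metadata:
  name: http-client-proxy
  namespace: $2
type: opaque
data:
  HTTP_CLIENT_PROXY: '$(encode_proxy "$1")'
EOF
}

# Usage: sh proxy-secret.sh http://proxy.example.com:8080 kcs-namespace
if [ "$#" -ge 1 ]; then
    render_proxy_secret "$1" "${2:-kcs-namespace}"
fi
```

Base64 is an encoding, not encryption: if the proxy URL carries credentials, anyone who can read the Secret can recover them, so restrict read access to Secrets in the agent namespace.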

You must copy or download the updated instruction in a YAML file again, and then apply it by using the kubectl apply -f <file> -n <namespace> command. Otherwise, changes to these parameters are not applied to deployed agents.
