Setting up Cloud Security Management on Kubernetes
This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project,
feel free to reach out to us!Use the following instructions to enable Misconfigurations, Threat Detection, and Vulnerability Management.
Collecting events using Cloud Security Management will affect your billing. For more information, see
Datadog Pricing.
Prerequisites
Installation
Add the following to the spec
section of the datadog-agent.yaml
file:
# datadog-agent.yaml file
apiVersion: datadoghq.com/v2alpha1
kind: DatadogAgent
metadata:
name: datadog
spec:
features:
remoteConfiguration:
enabled: true
# Enables Threat Detection
cws:
enabled: true
# Enables Misconfigurations
cspm:
enabled: true
hostBenchmarks:
enabled: true
# Enables the image metadata collection and Software Bill of Materials (SBOM) collection
sbom:
enabled: true
# Enables Container Vulnerability Management
# Image collection is enabled by default with Datadog Operator version `>= 1.3.0`
containerImage:
enabled: true
# Uncomment the following line if you are using Google Kubernetes Engine (GKE) or Amazon Elastic Kubernetes (EKS)
# uncompressedLayersSupport: true
# Enables Host Vulnerability Management
host:
enabled: true
Apply the changes and restart the Agent.
Add the following to the datadog
section of the datadog-values.yaml
file:
# datadog-values.yaml file
datadog:
remoteConfiguration:
enabled: true
securityAgent:
# Enables Threat Detection
runtime:
enabled: true
# Enables Misconfigurations
compliance:
enabled: true
host_benchmarks:
enabled: true
sbom:
containerImage:
enabled: true
# Uncomment the following line if you are using Google Kubernetes Engine (GKE) or Amazon Elastic Kubernetes (EKS)
# uncompressedLayersSupport: true
# Enables Host Vulnerability Management
host:
enabled: true
# Enables Container Vulnerability Management
# Image collection is enabled by default with Datadog Helm version `>= 3.46.0`
# containerImageCollection:
# enabled: true
Restart the Agent.
Add the following settings to the env
section of security-agent
and system-probe
in the daemonset.yaml
file:
# Source: datadog/templates/daemonset.yaml
apiVersion:app/1
kind: DaemonSet
[...]
spec:
[...]
spec:
[...]
containers:
[...]
- name: agent
[...]
env:
- name: DD_REMOTE_CONFIGURATION_ENABLED
value: "true"
- name: system-probe
[...]
env:
- name: DD_RUNTIME_SECURITY_CONFIG_ENABLED
value: "true"
- name: DD_RUNTIME_SECURITY_CONFIG_REMOTE_CONFIGURATION_ENABLED
value: "true"
- name: DD_COMPLIANCE_CONFIG_ENABLED
value: "true"
- name: DD_COMPLIANCE_CONFIG_HOST_BENCHMARKS_ENABLED
value: "true"
- name: DD_SBOM_CONTAINER_IMAGE_USE_MOUNT
value: "true"
[...]