
Use the following instructions to enable Misconfigurations and Vulnerability Management.

Collecting events using Cloud Security affects your billing. For more information, see Datadog Pricing.

Prerequisites

Note: SBOM collection is not compatible with the image streaming feature in Google Kubernetes Engine (GKE). To disable it, see the Disable Image streaming section of the GKE docs.

Installation

  1. If you deploy the Agent with the Datadog Operator, add the following to the spec section of the datadog-agent.yaml file:

    # datadog-agent.yaml file
    apiVersion: datadoghq.com/v2alpha1
    kind: DatadogAgent
    metadata:
      name: datadog
    spec:
      features:
        # Enables Misconfigurations
        cspm:
          enabled: true
          hostBenchmarks:
            enabled: true
    
        # Enables Software Bill of Materials (SBOM) collection
        sbom:
          enabled: true
    
          # Enables Container Vulnerability Management
          containerImage:
            enabled: true
            # Enables scanning of application libraries in addition to OS packages (Agent 7.70+)
            analyzers: ["os", "languages"]
    
          # Enables Host Vulnerability Management
          host:
            enabled: true
            # Enables scanning of application libraries in addition to OS packages (Agent 7.70+)
            analyzers: ["os", "languages"]
    
  2. Apply the changes and restart the Agent.

  1. If you deploy the Agent with Helm, add the following to the datadog section of the datadog-values.yaml file:

    # datadog-values.yaml file
    datadog:
      securityAgent:
        # Enables Misconfigurations
        compliance:
          enabled: true
          host_benchmarks:
            enabled: true
    
      # Enables Software Bill of Materials (SBOM) collection
      sbom:
        # Enables Container Vulnerability Management
        containerImage:
          enabled: true
          # Enables scanning of application libraries in addition to OS packages (Agent 7.70+)
          analyzers: ["os", "languages"]
    
        # Enables Host Vulnerability Management
        host:
          enabled: true
          # Enables scanning of application libraries in addition to OS packages (Agent 7.70+)
          analyzers: ["os", "languages"]
    
  2. Restart the Agent.

Supported application library package managers

The languages analyzer requires Datadog Agent 7.70 or later. When enabled, it detects vulnerabilities in application libraries managed by the package managers below, in addition to OS packages.

When the analyzers field is omitted, Datadog only scans OS packages for container images.

The languages analyzer covers the following package ecosystems:

| Ecosystem | Package manager/format |
|---|---|
| Ruby | Bundler, GemSpec |
| Rust | Cargo, Rust binary |
| PHP | Composer |
| Java | Jar, Maven (pom.xml), Gradle lock, Sbt lock |
| JavaScript | npm (package-lock.json), Yarn, pnpm, Node package |
| .NET | NuGet, .NET Core, PackagesProps |
| Python | Python package (egg), pip, Pipenv, Poetry, uv, Conda package, Conda environment |
| Go | Go binary, Go modules |
| C/C++ | Conan lock |
| Swift / Objective-C | CocoaPods, Swift |
| Dart | PubSpec lock |
| Elixir | Mix lock |
| Julia | Julia |
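
Because an omitted analyzers field leaves container images with OS-package scanning only, a configuration check in CI can catch that drift before deployment. The following is an added example, not part of Datadog's documentation: it reads either file layout from the Installation steps and reports each scan target that is disabled or whose analyzers list lacks languages. The names parse_nested_yaml, sbom_findings and SAMPLE_VALUES are hypothetical, and the parser handles only the plain nested-mapping subset those snippets use (a real pipeline would use a full YAML parser).

```python
import json

# Constructed sample: Helm values where containerImage omits `analyzers`.
SAMPLE_VALUES = """\
datadog:
  sbom:
    containerImage:
      enabled: true
    host:
      enabled: true
      analyzers: ["os", "languages"]
"""

def parse_nested_yaml(text):
    """Parse nested mappings with scalar or [..] values; no inline comments."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) pairs for the open parents
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        while stack[-1][0] >= indent:  # close mappings we have dedented out of
            stack.pop()
        parent, value = stack[-1][1], value.strip()
        if not value:  # "key:" alone opens a nested mapping
            parent[key] = {}
            stack.append((indent, parent[key]))
            continue
        try:
            parent[key] = json.loads(value)  # true, numbers, ["os", "languages"]
        except ValueError:
            parent[key] = value  # plain string such as DatadogAgent
    return root

def sbom_findings(doc):
    """Return one finding per scan target that is off or lacks `languages`."""
    operator = doc.get("kind") == "DatadogAgent"  # else datadog-values.yaml layout
    parent = doc.get("spec", {}).get("features", {}) if operator else doc.get("datadog", {})
    sbom = parent.get("sbom", {})
    # Only the Operator layout on this page has a top-level sbom.enabled switch.
    collecting = not operator or sbom.get("enabled") is True
    findings = []
    for target in ("containerImage", "host"):
        cfg = sbom.get(target, {})
        if not (collecting and cfg.get("enabled") is True):
            findings.append(f"{target}: scanning not enabled")
        elif "languages" not in cfg.get("analyzers", []):
            findings.append(f"{target}: languages analyzer not listed")
    return findings
```

Calling sbom_findings(parse_nested_yaml(SAMPLE_VALUES)) returns a single finding for containerImage; an empty list means both targets are enabled with the languages analyzer.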