Setting up Workload Protection on Kubernetes
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Use the following instructions to enable Workload Protection.
Collecting events using Workload Protection will affect your billing. For more information, see
Datadog Pricing.
Prerequisites
Note: SBOM collection is not compatible with the image streaming feature in Google Kubernetes Engine (GKE). To disable it, see the Disable Image streaming section of the GKE docs.
Installation
Add the following to the spec section of the datadog-agent.yaml file:
# datadog-agent.yaml file
apiVersion: datadoghq.com/v2alpha1
kind: DatadogAgent
metadata:
name: datadog
spec:
features:
# (Optional) Integrate with Kubernetes to enrich Workload Protection events with Kubernetes user identities
admissionController:
enabled: true
cwsInstrumentation:
enabled: true
remoteConfiguration:
enabled: true
# Enables Threat Detection
cws:
enabled: true
# Enables Misconfigurations
cspm:
enabled: true
hostBenchmarks:
enabled: true
# Enables the image metadata collection and Software Bill of Materials (SBOM) collection
sbom:
enabled: true
# Enables Container Vulnerability Management
# Image collection is enabled by default with Datadog Operator version `>= 1.3.0`
containerImage:
enabled: true
# Uncomment the following line if you are using Google Kubernetes Engine (GKE) or Amazon Elastic Kubernetes (EKS)
# uncompressedLayersSupport: true
# Enables Host Vulnerability Management
host:
enabled: true
Apply the changes and restart the Agent.
Add the following to the datadog section of the datadog-values.yaml file:
# datadog-values.yaml file
# (Optional) Integrate with Kubernetes to enrich Workload Protection events with Kubernetes user identities
clusterAgent:
admissionController:
enabled: true
cwsInstrumentation:
enabled: true
datadog:
remoteConfiguration:
enabled: true
securityAgent:
# Enables Threat Detection
runtime:
enabled: true
# Enables Misconfigurations
compliance:
enabled: true
host_benchmarks:
enabled: true
sbom:
containerImage:
enabled: true
# Uncomment the following line if you are using Google Kubernetes Engine (GKE) or Amazon Elastic Kubernetes (EKS)
# uncompressedLayersSupport: true
# Enables Host Vulnerability Management
host:
enabled: true
# Enables Container Vulnerability Management
# Image collection is enabled by default with Datadog Helm version `>= 3.46.0`
# containerImageCollection:
# enabled: true
Restart the Agent.
If you experience RBAC issues, you can run the chart with the clusterRole.allowCreatePodsExec option enabled for the clusterRole:
helm install datadog-operator datadog/datadog-operator --set clusterRole.allowCreatePodsExec=true
Add the following settings to the env section of security-agent and system-probe in the daemonset.yaml file. Note that the DD_ADMISSION_CONTROLLER_ENABLED and DD_RUNTIME_ADMISSION_CONTROLLER_CWS_INSTRUMENTATION_ENABLED variables in the cluster-agent-deployment.yaml enable event enrichment with Kubernetes user identities (optional).
# Source: datadog/templates/daemonset.yaml
apiVersion:app/1
kind: DaemonSet
[...]
spec:
[...]
spec:
[...]
containers:
[...]
- name: agent
[...]
env:
- name: DD_REMOTE_CONFIGURATION_ENABLED
value: "true"
- name: system-probe
[...]
env:
- name: DD_RUNTIME_SECURITY_CONFIG_ENABLED
value: "true"
- name: DD_RUNTIME_SECURITY_CONFIG_REMOTE_CONFIGURATION_ENABLED
value: "true"
- name: DD_COMPLIANCE_CONFIG_ENABLED
value: "true"
- name: DD_COMPLIANCE_CONFIG_HOST_BENCHMARKS_ENABLED
value: "true"
- name: DD_SBOM_CONTAINER_IMAGE_USE_MOUNT
value: "true"
[...]
# Source: datadog/templates/cluster-agent-deployment.yaml
apiVersion:app/1
kind: Deployment
[...]
spec:
[...]
template:
[...]
spec:
[...]
containers:
[...]
- name: cluster-agent
[...]
env:
- name: DD_ADMISSION_CONTROLLER_ENABLED
value: "true"
- name: DD_RUNTIME_ADMISSION_CONTROLLER_CWS_INSTRUMENTATION_ENABLED
value: "true"
