Setting up Cloud Security Management on Kubernetes

문서 > Datadog 보안 > Cloud Security Management > Setting up Cloud Security Management > Deploying Cloud Security Management on the Agent > Setting up Cloud Security Management on Kubernetes

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Use the following instructions to enable Misconfigurations, Threat Detection, and Vulnerability Management.

Collecting events using Cloud Security Management will affect your billing. For more information, see Datadog Pricing.

Prerequisites

Latest Datadog Agent version. For installation instructions, see Getting Started with the Agent or install the Agent from the Datadog UI.

Note: SBOM collection is not compatible with the image streaming feature in Google Kubernetes Engine (GKE). To disable it, see the Disable Image streaming section of the GKE docs.

Installation

Add the following to the spec section of the datadog-agent.yaml file:

# datadog-agent.yaml file
apiVersion: datadoghq.com/v2alpha1
kind: DatadogAgent
metadata:
  name: datadog
spec:
  features:
    remoteConfiguration:
      enabled: true
    # Enables Threat Detection
    cws:
      enabled: true
    # Enables Misconfigurations
    cspm:
      enabled: true
      hostBenchmarks:
        enabled: true
    # Enables the image metadata collection and Software Bill of Materials (SBOM) collection
    sbom:
      enabled: true
      # Enables Container Vulnerability Management
      # Image collection is enabled by default with Datadog Operator version `>= 1.3.0`
      containerImage:
        enabled: true

        # Uncomment the following line if you are using Google Kubernetes Engine (GKE) or Amazon Elastic Kubernetes (EKS)
        # uncompressedLayersSupport: true

      # Enables Host Vulnerability Management
      host:
        enabled: true

Apply the changes and restart the Agent.

Add the following to the datadog section of the datadog-values.yaml file:

# datadog-values.yaml file
datadog:
  remoteConfiguration:
    enabled: true
  securityAgent:
    # Enables Threat Detection
    runtime:
      enabled: true
    # Enables Misconfigurations
    compliance:
      enabled: true
      host_benchmarks:
        enabled: true
  sbom:
    containerImage:
      enabled: true

      # Uncomment the following line if you are using Google Kubernetes Engine (GKE) or Amazon Elastic Kubernetes (EKS)
      # uncompressedLayersSupport: true

    # Enables Host Vulnerability Management
    host:
      enabled: true

    # Enables Container Vulnerability Management
    # Image collection is enabled by default with Datadog Helm version `>= 3.46.0`
    # containerImageCollection:
    #   enabled: true

Restart the Agent.

Add the following settings to the env section of security-agent and system-probe in the daemonset.yaml file:

  # Source: datadog/templates/daemonset.yaml
  apiVersion:app/1
  kind: DaemonSet
  [...]
  spec:
  [...]
  spec:
      [...]
        containers:
        [...]
          - name: agent
            [...]
            env:
              - name: DD_REMOTE_CONFIGURATION_ENABLED
                value: "true"
          - name: system-probe
            [...]
            env:
              - name: DD_RUNTIME_SECURITY_CONFIG_ENABLED
                value: "true"
              - name: DD_RUNTIME_SECURITY_CONFIG_REMOTE_CONFIGURATION_ENABLED
                value: "true"
              - name: DD_COMPLIANCE_CONFIG_ENABLED
                value: "true"
              - name: DD_COMPLIANCE_CONFIG_HOST_BENCHMARKS_ENABLED
                value: "true"
              - name: DD_SBOM_CONTAINER_IMAGE_USE_MOUNT
                value: "true"
          [...]