--- title: Setting up Cloud Security on Kubernetes description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Cloud Security > Setting up Cloud Security > Deploying Cloud Security on the Agent > Setting up Cloud Security on Kubernetes --- # Setting up Cloud Security on Kubernetes Use the following instructions to enable Misconfigurations and Vulnerability Management. {% alert level="info" %} Collecting events using Cloud Security affects your billing. For more information, see [Datadog Pricing](https://www.datadoghq.com/pricing/?product=cloud-security-management#products). {% /alert %} ## Prerequisites{% #prerequisites %} - Latest Datadog Agent version. For installation instructions, see [Getting Started with the Agent](https://docs.datadoghq.com/getting_started/agent.md) or install the Agent from the [Datadog UI](https://app.datadoghq.com/account/settings/agent/latest). **Note**: SBOM collection is not compatible with the image streaming feature in Google Kubernetes Engine (GKE). To disable it, see the [Disable Image streaming](https://cloud.google.com/kubernetes-engine/docs/how-to/image-streaming#disable) section of the GKE docs. ## Installation{% #installation %} {% tab title="Datadog Operator" %} 1. Add the following to the `spec` section of the `datadog-agent.yaml` file: ```yaml # datadog-agent.yaml file apiVersion: datadoghq.com/v2alpha1 kind: DatadogAgent metadata: name: datadog spec: features: # Enables Misconfigurations cspm: enabled: true hostBenchmarks: enabled: true # Enables Software Bill of Materials (SBOM) collection sbom: enabled: true # Enables Container Vulnerability Management containerImage: enabled: true # Enables scanning of application libraries in addition to OS packages (Agent 7.70+) analyzers: ["os", "languages"] # Enables Host Vulnerability Management host: enabled: true # Enables scanning of application libraries in addition to OS packages (Agent 7.70+) analyzers: ["os", "languages"] ``` 1. Apply the changes and restart the Agent. {% /tab %} {% tab title="Helm" %} 1. Add the following to the `datadog` section of the `datadog-values.yaml` file: ```yaml # datadog-values.yaml file datadog: securityAgent: # Enables Misconfigurations compliance: enabled: true host_benchmarks: enabled: true # Enables Software Bill of Materials (SBOM) collection sbom: # Enables Container Vulnerability Management containerImage: enabled: true # Enables scanning of application libraries in addition to OS packages (Agent 7.70+) analyzers: ["os", "languages"] # Enables Host Vulnerability Management host: enabled: true # Enables scanning of application libraries in addition to OS packages (Agent 7.70+) analyzers: ["os", "languages"] ``` 1. Restart the Agent. {% /tab %} ### Supported application library package managers{% #supported-application-library-package-managers %} The `languages` analyzer requires Datadog Agent **7.70 or later**. When enabled, it detects vulnerabilities in application libraries managed by the package managers below, in addition to OS packages. When the `analyzers` field is omitted, Datadog only scans OS packages for container images. The `languages` analyzer covers the following package ecosystems: | Ecosystem | Package manager/format | | ------------------- | ------------------------------------------------------------------------------- | | Ruby | Bundler, GemSpec | | Rust | Cargo, Rust binary | | PHP | Composer | | Java | Jar, Maven (pom.xml), Gradle lock, Sbt lock | | JavaScript | npm (package-lock.json), Yarn, pnpm, Node package | | .NET | NuGet, .NET Core, PackagesProps | | Python | Python package (egg), pip, Pipenv, Poetry, uv, Conda package, Conda environment | | Go | Go binary, Go modules | | C/C++ | Conan lock | | Swift / Objective-C | CocoaPods, Swift | | Dart | PubSpec lock | | Elixir | Mix lock | | Julia | Julia |