diff --git a/content/en/security/workload_protection/setup/agent/kubernetes.md b/content/en/security/workload_protection/setup/agent/kubernetes.md index 9f4fea9e61e4f..aba2e671c93bc 100644 --- a/content/en/security/workload_protection/setup/agent/kubernetes.md +++ b/content/en/security/workload_protection/setup/agent/kubernetes.md @@ -17,6 +17,10 @@ Use the following instructions to enable Workload Protection. ## Installation +{{< beta-callout url="" header="Workload Protection's Kubernetes user session instrumentation is in Preview !" btn_hidden="true">}} +Workload Protection now integrates with Kubernetes to collect Kubernetes user credentials and enrich your events with real user identities to help you investigate signals. Follow the optional instructions below to test the preview ! +{{< /beta-callout >}} + {{< tabs >}} {{% tab "Datadog Operator" %}} @@ -31,6 +35,11 @@ Use the following instructions to enable Workload Protection. name: datadog spec: features: + # PREVIEW - Integrate with Kubernetes to enrich Workload Protection events with Kubernetes user identities + # admissionController: + # enabled: true + # cwsInstrumentation: + # enabled: true remoteConfiguration: enabled: true # Enables Threat Detection 
@@ -48,16 +57,17 @@ Use the following instructions to enable Workload Protection. # Image collection is enabled by default with Datadog Operator version `>= 1.3.0` containerImage: enabled: true - + # Uncomment the following line if you are using Google Kubernetes Engine (GKE) or Amazon Elastic Kubernetes (EKS) # uncompressedLayersSupport: true - + # Enables Host Vulnerability Management host: enabled: true ``` -2. Apply the changes and restart the Agent. +2. (optional) Uncomment the `admissionController` section if you want to test the preview of Workload Protection's integration with Kubernetes for user identity collection. +3. Apply the changes and restart the Agent. [2]: https://github.com/DataDog/datadog-operator/blob/main/docs/configuration.v2alpha1.md @@ -69,6 +79,13 @@ Use the following instructions to enable Workload Protection. ```yaml # datadog-values.yaml file + + # PREVIEW - Integrate with Kubernetes to enrich Workload Protection events with Kubernetes user identities + # clusterAgent: + # admissionController: + # enabled: true + # cwsInstrumentation: + # enabled: true datadog: remoteConfiguration: enabled: true 
@@ -98,45 +115,70 @@ Use the following instructions to enable Workload Protection. # enabled: true ``` -2. Restart the Agent. +2. (optional) Uncomment the `clusterAgent` section if you want to test the preview of Workload Protection's integration with Kubernetes for user identity collection. +3. Restart the Agent. {{% /tab %}} {{% tab "DaemonSet" %}} -Add the following settings to the `env` section of `security-agent` and `system-probe` in the `daemonset.yaml` file: +1. Add the following settings to the `env` section of `security-agent` and `system-probe` in the `daemonset.yaml` file: -```bash - # Source: datadog/templates/daemonset.yaml - apiVersion:app/1 - kind: DaemonSet - [...] - spec: - [...] - spec: + ```bash + # Source: datadog/templates/daemonset.yaml + apiVersion:app/1 + kind: DaemonSet [...] - containers: - [...] - - name: agent - [...] - env: - - name: DD_REMOTE_CONFIGURATION_ENABLED - value: "true" - - name: system-probe - [...] - env: - - name: DD_RUNTIME_SECURITY_CONFIG_ENABLED - value: "true" - - name: DD_RUNTIME_SECURITY_CONFIG_REMOTE_CONFIGURATION_ENABLED - value: "true" - - name: DD_COMPLIANCE_CONFIG_ENABLED - value: "true" - - name: DD_COMPLIANCE_CONFIG_HOST_BENCHMARKS_ENABLED - value: "true" - - name: DD_SBOM_CONTAINER_IMAGE_USE_MOUNT - value: "true" + spec: + [...] + spec: [...] -``` + containers: + [...] + - name: agent + [...] + env: + - name: DD_REMOTE_CONFIGURATION_ENABLED + value: "true" + - name: system-probe + [...] + env: + - name: DD_RUNTIME_SECURITY_CONFIG_ENABLED + value: "true" + - name: DD_RUNTIME_SECURITY_CONFIG_REMOTE_CONFIGURATION_ENABLED + value: "true" + - name: DD_COMPLIANCE_CONFIG_ENABLED + value: "true" + - name: DD_COMPLIANCE_CONFIG_HOST_BENCHMARKS_ENABLED + value: "true" + - name: DD_SBOM_CONTAINER_IMAGE_USE_MOUNT + value: "true" + [...] + ``` + + 2. 
(optional) Add the following setting to the `env` section of `cluster-agent` in the `cluster-agent-deployment.yaml` file if you want to test the preview of Workload Protection's integration with Kubernetes for user identity collection. + + ```bash + # Source: datadog/templates/cluster-agent-deployment.yaml + apiVersion:app/1 + kind: Deployment + [...] + spec: + [...] + template: + [...] + spec: + [...] + containers: + [...] + - name: cluster-agent + [...] + env: + - name: DD_ADMISSION_CONTROLLER_ENABLED + value: "true" + - name: DD_RUNTIME_ADMISSION_CONTROLLER_CWS_INSTRUMENTATION_ENABLED + value: "true" + ``` {{% /tab %}} {{< /tabs >}} @@ -144,4 +186,4 @@ Add the following settings to the `env` section of `security-agent` and `system- [5]: /getting_started/agent [6]: https://app.datadoghq.com/account/settings/agent/latest -[7]: https://cloud.google.com/kubernetes-engine/docs/how-to/image-streaming#disable \ No newline at end of file +[7]: https://cloud.google.com/kubernetes-engine/docs/how-to/image-streaming#disable diff --git a/content/en/security/workload_protection/troubleshooting/threats.md b/content/en/security/workload_protection/troubleshooting/threats.md index 8673366da887a..fe064e705d4de 100644 --- a/content/en/security/workload_protection/troubleshooting/threats.md +++ b/content/en/security/workload_protection/troubleshooting/threats.md 
@@ -74,6 +74,80 @@ datadog: ```bash DD_RUNTIME_SECURITY_CONFIG_NETWORK_ENABLED=false ``` + +## Troubleshooting Kubernetes remote session or pod admission disruptions + +Workload Protection integrates with Kubernetes to collect user identities and enrich your Workload Protection events with the context necessary to help you differentiate remote accesses to your infrastructure from the activity generated by your workloads. This integration relies on a [Kubernetes Mutating Webhook](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) to instrument `kubectl exec` sessions. In case this instrumentation causes disruptions in the admission of pods or in the creation of `kubectl exec` sessions, follow the guide below to disable this feature. + +{{< tabs >}} + +{{% tab "Datadog Operator" %}} + +1. Add the following to the `spec` section of the `datadog-agent.yaml` file: + + ```yaml + # datadog-agent.yaml file + apiVersion: datadoghq.com/v2alpha1 + kind: DatadogAgent + metadata: + name: datadog + spec: + features: + # Integrate with Kubernetes to enrich Workload Protection events with Kubernetes user identities + admissionController: + cwsInstrumentation: + enabled: false + ``` + +2. Apply the changes and restart the Agent. + +{{% /tab %}} + +{{% tab "Helm" %}} + +1. Add the following to the `datadog` section of the `datadog-values.yaml` file: + + ```yaml + # datadog-values.yaml file + + # Integrate with Kubernetes to enrich Workload Protection events with Kubernetes user identities + clusterAgent: + admissionController: + cwsInstrumentation: + enabled: false + ``` + +2. Restart the Agent. + +{{% /tab %}} + +{{% tab "DaemonSet" %}} + +1. (optional) Add the following setting to the `env` section of `cluster-agent` in the `cluster-agent-deployment.yaml` file: + + ```bash + # Source: datadog/templates/cluster-agent-deployment.yaml + apiVersion:app/1 + kind: Deployment + [...] + spec: + [...] + template: + [...] + spec: + [...] 
+ containers: + [...] + - name: cluster-agent + [...] + env: + - name: DD_RUNTIME_ADMISSION_CONTROLLER_CWS_INSTRUMENTATION_ENABLED + value: "false" + ``` + +{{% /tab %}} +{{< /tabs >}} + ## Disable Workload Protection To disable Workload Protection, follow the steps for your Agent platform.
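Review bot: the preview callout in the first kubernetes.md hunk says the integration collects "Kubernetes user credentials", but every other new line in this patch (and the troubleshooting section added in threats.md) describes it as collecting user identities; "credentials" reads as if secrets were being captured, so please change it to "Kubernetes user identities". In the same hunk, drop the stray space before the exclamation marks in `header="Workload Protection's Kubernetes user session instrumentation is in Preview !"` and `test the preview !`, and consider pointing the empty `url=""` at the new "Troubleshooting Kubernetes remote session or pod admission disruptions" section so readers of the preview notice know how to back it out.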
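Review bot: in the kubernetes.md DaemonSet hunk, the new `cluster-agent-deployment.yaml` snippet names the second variable `DD_RUNTIME_ADMISSION_CONTROLLER_CWS_INSTRUMENTATION_ENABLED`, which does not follow the pattern of its sibling `DD_ADMISSION_CONTROLLER_ENABLED` on the line above or of the `admissionController.cwsInstrumentation.enabled` key used in the Operator and Helm tabs; please confirm the `RUNTIME_` segment is correct, since a mistyped variable would be silently ignored and the preview would appear not to work. The added line `apiVersion:app/1` is missing the space after the colon and is not a Kubernetes API version string (a `Deployment` is served by `apps/v1`), and both fences in this hunk are tagged `bash` although their contents are YAML manifests. The re-indentation of the existing `daemonset.yaml` block is a pure whitespace change and is fine, but make sure the new `2.` step is indented the same as step `1.` so the list renders as one sequence.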
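Review bot: the threats.md hunk should state what the new section actually turns off: the snippets set only `admissionController.cwsInstrumentation.enabled: false` (or `DD_RUNTIME_ADMISSION_CONTROLLER_CWS_INSTRUMENTATION_ENABLED: "false"`), so the admission controller and its webhook stay registered while the `kubectl exec` instrumentation is disabled; one sentence after "follow the guide below to disable this feature" saying that the mutating webhook itself remains in place, and how to disable it if the disruption persists, would save a reader who is fighting blocked pod admissions. Three smaller points in the same hunk: the Helm step says "Add the following to the `datadog` section" while the YAML shows `clusterAgent:` as a top-level key alongside `datadog:`, so the wording should say "top level" (or match the install page's step); the DaemonSet step starts with "(optional)", which is a leftover from the install instructions and wrong in a troubleshooting procedure where this is the fix; and `apiVersion:app/1` with a `bash` fence recurs here, with the same corrections as in the install page hunk.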