[workload-protection] WP Kubernetes user identities preview #30010

112 changes: 77 additions & 35 deletions content/en/security/workload_protection/setup/agent/kubernetes.md
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,10 @@ Use the following instructions to enable Workload Protection.

## Installation

{{< beta-callout url="" header="Workload Protection's Kubernetes user session instrumentation is in Preview !" btn_hidden="true">}}
Workload Protection now integrates with Kubernetes to collect Kubernetes user credentials and enrich your events with real user identities to help you investigate signals. Follow the optional instructions below to test the preview !
{{< /beta-callout >}}

{{< tabs >}}

{{% tab "Datadog Operator" %}}
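Review bot: the callout body says the integration collects "Kubernetes user credentials", while the PR title, the step text in the tabs below and the troubleshooting section all describe collecting user identities; "credentials" reads as if secrets are harvested, so change it to "Kubernetes user identities". Also drop the space before the exclamation marks in the header and body text, and either fill in `url=""` or remove the attribute, since the button is hidden anyway (`btn_hidden="true"`).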
Expand All @@ -31,6 +35,11 @@ Use the following instructions to enable Workload Protection.
name: datadog
spec:
features:
# PREVIEW - Integrate with Kubernetes to enrich Workload Protection events with Kubernetes user identities
# admissionController:
# enabled: true
# cwsInstrumentation:
# enabled: true
remoteConfiguration:
enabled: true
# Enables Threat Detection
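Review bot: the commented `# admissionController:` block tells the reader what to uncomment but not what it changes in the cluster; the troubleshooting section added in this same PR explains that the feature relies on a Kubernetes mutating admission webhook that instruments `kubectl exec` sessions. Extend the `# PREVIEW` comment with that fact (for example `# Registers a mutating admission webhook to instrument kubectl exec sessions`) or link the troubleshooting section, so readers know a webhook is registered before they uncomment `admissionController.enabled: true`.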
Expand All @@ -48,16 +57,17 @@ Use the following instructions to enable Workload Protection.
# Image collection is enabled by default with Datadog Operator version `>= 1.3.0`
containerImage:
enabled: true

# Uncomment the following line if you are using Google Kubernetes Engine (GKE) or Amazon Elastic Kubernetes (EKS)
# uncompressedLayersSupport: true

# Enables Host Vulnerability Management
host:
enabled: true
```

2. Apply the changes and restart the Agent.
2. (optional) Uncomment the `admissionController` section if you want to test the preview of Workload Protection's integration with Kubernetes for user identity collection.
3. Apply the changes and restart the Agent.

[2]: https://github.com/DataDog/datadog-operator/blob/main/docs/configuration.v2alpha1.md

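Review bot: the new step 2 tells the reader to uncomment the `admissionController` section but does not say which Datadog Operator or Agent version the preview requires, whereas this same block already documents a version requirement (`Image collection is enabled by default with Datadog Operator version >= 1.3.0`). Add the version in which `cwsInstrumentation` became available, in the same comment style, so readers on older Operators know why the field is not accepted. Renumbering the existing apply-and-restart step to 3 is fine.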
Expand All @@ -69,6 +79,13 @@ Use the following instructions to enable Workload Protection.

```yaml
# datadog-values.yaml file

# PREVIEW - Integrate with Kubernetes to enrich Workload Protection events with Kubernetes user identities
# clusterAgent:
# admissionController:
# enabled: true
# cwsInstrumentation:
# enabled: true
datadog:
remoteConfiguration:
enabled: true
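Review bot: `clusterAgent` is a top-level key in `datadog-values.yaml`, and the commented block is placed above the existing top-level `datadog:` key; a reader who already has a `clusterAgent:` section and follows step 2 literally ("Uncomment the `clusterAgent` section") ends up with two top-level `clusterAgent` mappings. Reword the step and the `# PREVIEW` comment to say the `admissionController.cwsInstrumentation.enabled: true` setting must be merged into any existing `clusterAgent` section rather than added as a second copy.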
Expand Down Expand Up @@ -98,50 +115,75 @@ Use the following instructions to enable Workload Protection.
# enabled: true
```

2. Restart the Agent.
2. (optional) Uncomment the `clusterAgent` section if you want to test the preview of Workload Protection's integration with Kubernetes for user identity collection.
3. Restart the Agent.

{{% /tab %}}

{{% tab "DaemonSet" %}}

Add the following settings to the `env` section of `security-agent` and `system-probe` in the `daemonset.yaml` file:
1. Add the following settings to the `env` section of `security-agent` and `system-probe` in the `daemonset.yaml` file:

```bash
# Source: datadog/templates/daemonset.yaml
apiVersion:app/1
kind: DaemonSet
[...]
spec:
[...]
spec:
```bash
# Source: datadog/templates/daemonset.yaml
apiVersion:app/1
kind: DaemonSet
[...]
containers:
[...]
- name: agent
[...]
env:
- name: DD_REMOTE_CONFIGURATION_ENABLED
value: "true"
- name: system-probe
[...]
env:
- name: DD_RUNTIME_SECURITY_CONFIG_ENABLED
value: "true"
- name: DD_RUNTIME_SECURITY_CONFIG_REMOTE_CONFIGURATION_ENABLED
value: "true"
- name: DD_COMPLIANCE_CONFIG_ENABLED
value: "true"
- name: DD_COMPLIANCE_CONFIG_HOST_BENCHMARKS_ENABLED
value: "true"
- name: DD_SBOM_CONTAINER_IMAGE_USE_MOUNT
value: "true"
spec:
[...]
spec:
[...]
```
containers:
[...]
- name: agent
[...]
env:
- name: DD_REMOTE_CONFIGURATION_ENABLED
value: "true"
- name: system-probe
[...]
env:
- name: DD_RUNTIME_SECURITY_CONFIG_ENABLED
value: "true"
- name: DD_RUNTIME_SECURITY_CONFIG_REMOTE_CONFIGURATION_ENABLED
value: "true"
- name: DD_COMPLIANCE_CONFIG_ENABLED
value: "true"
- name: DD_COMPLIANCE_CONFIG_HOST_BENCHMARKS_ENABLED
value: "true"
- name: DD_SBOM_CONTAINER_IMAGE_USE_MOUNT
value: "true"
[...]
```

2. (optional) Add the following setting to the `env` section of `cluster-agent` in the `cluster-agent-deployment.yaml` file if you want to test the preview of Workload Protection's integration with Kubernetes for user identity collection.

```bash
# Source: datadog/templates/cluster-agent-deployment.yaml
apiVersion:app/1
kind: Deployment
[...]
spec:
[...]
template:
[...]
spec:
[...]
containers:
[...]
- name: cluster-agent
[...]
env:
- name: DD_ADMISSION_CONTROLLER_ENABLED
value: "true"
- name: DD_RUNTIME_ADMISSION_CONTROLLER_CWS_INSTRUMENTATION_ENABLED
value: "true"
```

{{% /tab %}}
{{< /tabs >}}


[5]: /getting_started/agent
[6]: https://app.datadoghq.com/account/settings/agent/latest
[7]: https://cloud.google.com/kubernetes-engine/docs/how-to/image-streaming#disable
[7]: https://cloud.google.com/kubernetes-engine/docs/how-to/image-streaming#disable
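Review bot: the new `cluster-agent-deployment.yaml` block copies `apiVersion:app/1` from the DaemonSet snippet (no space after the colon, and `app/1` is not a Kubernetes API version; a Deployment is `apiVersion: apps/v1`) and is fenced as ```bash although the content is YAML, while the Operator and Helm tabs use ```yaml. Fix both in the new block, and the DaemonSet block while it is being moved. Separately, the second variable, `DD_RUNTIME_ADMISSION_CONTROLLER_CWS_INSTRUMENTATION_ENABLED`, does not share the `DD_ADMISSION_CONTROLLER_` prefix of `DD_ADMISSION_CONTROLLER_ENABLED` on the line above it; please verify the `RUNTIME_` segment against the Cluster Agent config key that the Helm and Operator tabs map to (`admissionController.cwsInstrumentation.enabled`), because a misnamed variable leaves the preview disabled with no error for the reader to notice.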
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,80 @@ datadog:
```bash
DD_RUNTIME_SECURITY_CONFIG_NETWORK_ENABLED=false
```

## Troubleshooting Kubernetes remote session or pod admission disruptions

Workload Protection integrates with Kubernetes to collect user identities and enrich your Workload Protection events with the context necessary to help you differentiate remote accesses to your infrastructure from the activity generated by your workloads. This integration relies on a [Kubernetes Mutating Webhook](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) to instrument `kubectl exec` sessions. In case this instrumentation causes disruptions in the admission of pods or in the creation of `kubectl exec` sessions, follow the guide below to disable this feature.

{{< tabs >}}

{{% tab "Datadog Operator" %}}

1. Add the following to the `spec` section of the `datadog-agent.yaml` file:

```yaml
# datadog-agent.yaml file
apiVersion: datadoghq.com/v2alpha1
kind: DatadogAgent
metadata:
name: datadog
spec:
features:
# Integrate with Kubernetes to enrich Workload Protection events with Kubernetes user identities
admissionController:
cwsInstrumentation:
enabled: false
```

2. Apply the changes and restart the Agent.

{{% /tab %}}

{{% tab "Helm" %}}

1. Add the following to the `datadog` section of the `datadog-values.yaml` file:

```yaml
# datadog-values.yaml file

# Integrate with Kubernetes to enrich Workload Protection events with Kubernetes user identities
clusterAgent:
admissionController:
cwsInstrumentation:
enabled: false
```

2. Restart the Agent.

{{% /tab %}}

{{% tab "DaemonSet" %}}

1. (optional) Add the following setting to the `env` section of `cluster-agent` in the `cluster-agent-deployment.yaml` file:

```bash
# Source: datadog/templates/cluster-agent-deployment.yaml
apiVersion:app/1
kind: Deployment
[...]
spec:
[...]
template:
[...]
spec:
[...]
containers:
[...]
- name: cluster-agent
[...]
env:
- name: DD_RUNTIME_ADMISSION_CONTROLLER_CWS_INSTRUMENTATION_ENABLED
value: "false"
```

{{% /tab %}}
{{< /tabs >}}

## Disable Workload Protection

To disable Workload Protection, follow the steps for your Agent platform.
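Review bot: in the DaemonSet tab the step is labelled "(optional)", which is copied from the installation section; in a guide whose purpose is to disable the instrumentation the step is the whole procedure, so drop "(optional)". In the Helm tab, step 1 says to add the block "to the `datadog` section of the `datadog-values.yaml` file", but the block itself is a top-level `clusterAgent:` key, not a child of `datadog:`; say "to the `clusterAgent` section" instead. The Deployment snippet also repeats `apiVersion:app/1` and the ```bash fence noted on the first file, so correct it here as well (`apiVersion: apps/v1`, ```yaml).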