Onboarding Kubernetes Clusters to Intelligence

You can use Intelligence to analyze network activity in Kubernetes clusters. (Kubernetes, often abbreviated as "K8s", orchestrates containerized applications to run on a cluster of hosts.) To do this, onboard the clusters to Intelligence. This process creates a connection between Intelligence and the Kubernetes network traffic logs. You can do this after Onboarding Kubernetes Clusters to CloudGuard.

Enabling Traffic Activity

  1. Navigate to the Assets > Environments page.

  2. Click Add Filter > Platform > Kubernetes or use the search bar to see the Kubernetes cluster that you want to onboard to Intelligence.

  3. In the cluster row and the Traffic Activity column, click Enable.

    As an alternative, click and enter the cluster page.

  4. On the Blades tab, in the Threat Intelligence row, move the slider to On.

  5. The Threat Intelligence window opens. It contains a command for the agent installation on your cluster. Copy the command and run it in your cluster, replacing the strings in < > with the correct values.

  6. In the Threat Intelligence window, click Yes.

When you complete these steps, CloudGuard starts the onboarding process for Intelligence. It can take several minutes.

Afterward, you can see the traffic activity on the Logs page: navigate to Events > Network Traffic, select the cluster name, and click Run.

Troubleshooting Kubernetes Intelligence

To verify the correct installation of the Kubernetes Intelligence agents:

  1. In the CloudGuard portal, go to Assets > Environments and open the required cluster page.

  2. On the Blades tab, make sure that all agents below Threat Intelligence have the OK status.

  3. In the Kubernetes cluster, make sure that the agent resources below are installed in the specified namespace, and have the Running state.

    1. For Flow Logs DaemonSet, make sure that it is running on the correct number of nodes, based on the defined node selector, tolerations, and more.

    2. For the Inventory agent, make sure that one replica is running.
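One way to script the in-cluster checks from step 3, as an added example that is not CloudGuard's own tooling. The namespace and resource names in the comments are placeholders, the sample pod listing is constructed, and the Inventory agent is assumed to be a Deployment.

```shell
#!/bin/sh
# Feed these functions from kubectl (replace the <...> placeholders):
#   kubectl -n <namespace> get pods --no-headers \
#     -o custom-columns=NAME:.metadata.name,PHASE:.status.phase,NODE:.spec.nodeName
#   kubectl -n <namespace> get daemonset <flow-logs-daemonset> \
#     -o jsonpath='{.status.desiredNumberScheduled} {.status.numberReady}'
#   kubectl -n <namespace> get deployment <inventory-deployment> \
#     -o jsonpath='{.status.readyReplicas}'

# Constructed sample listing; pod and node names are hypothetical.
SAMPLE_PODS='flow-logs-abc12   Running   node-1
flow-logs-def34   Pending   node-2
inventory-5d9f7   Running   node-1'

# Reads "NAME PHASE NODE" lines on stdin and prints every pod that is
# not in the Running phase. Returns 1 if at least one such pod exists.
pods_not_running() {
  awk '$2 != "Running" { print $1 " " $2 " " $3; bad = 1 } END { exit bad + 0 }'
}

# $1 = node count you expect after node selector and tolerations
# $2 = desiredNumberScheduled, $3 = numberReady
check_daemonset() {
  if [ "$2" -ne "$1" ]; then
    echo "MISMATCH: scheduled on $2 nodes, expected $1 (check node selector/tolerations)"
    return 1
  fi
  if [ "${3:-0}" -lt "$2" ]; then
    echo "NOT READY: ${3:-0} of $2 pods ready"
    return 1
  fi
  echo "OK: $3/$2 ready"
}

# $1 = readyReplicas; kubectl prints nothing when no replica is ready,
# so an empty argument is treated as 0.
check_inventory() {
  if [ "${1:-0}" -eq 1 ]; then
    echo "OK: 1 replica ready"
  else
    echo "FAIL: ${1:-0} replicas ready, expected 1"
    return 1
  fi
}
```

A pod can report the Running phase while its container keeps restarting, so treat the DaemonSet and replica readiness counts as the stronger signal.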

More Links

Intelligence for Kubernetes Containers