Kubernetes Containers
Kubernetes Kubernetes, often abbreviated as “K8s”, orchestrates containerized applications to run on a cluster of hosts. is an open-source container orchestration system for automating the deployment, scaling, and management of containerized applications. It operates with a range of container tools and runs containers in a cluster with images built with Docker Docker (specifically, Docker Engine) is a software technology providing operating-system-level virtualization also known as containers., OCI Oracle Cloud Infrastructure - cloud computing platform offered by Oracle Corporation., or Kaniko. It groups containers that make up an application into logical units for easy management and discovery.
Before you can use Kubernetes Containers features in CloudGuard, your Kubernetes cluster must already be onboarded to CloudGuard. See Onboarding Kubernetes Clusters for details on how to do this.
Supported Versions
Name |
Version |
---|---|
Kubernetes |
|
Kubernetes-based Container Orchestration Platforms |
|
Container Runtime |
|
Node Operating System |
|
Node architecture |
|
1 Kubernetes versions from 1.16 to 1.20 are supported only with Helm A Kubernetes deployment tool for automating creation, packaging, configuration, and deployment of applications and services to Kubernetes clusters. deployment instructions, with the regular helm upgrade --install
command.
2 CloudGuard does not support hybrid clusters with multiple (mixed) container runtimes. You cannot change the container runtime after the service is onboarded in the cluster. For this, upgrade the solution.
|
Notes:
|
Version Deprecation
Deprecated Kubernetes versions are not supported by cloud vendors and do not get important security updates.
|
Important - Clusters with deprecated versions can be at risk. |
Platform |
Service |
Supported versions |
---|---|---|
AKS |
||
Google Cloud Platform |
GKE |
|
Amazon Web Services |
EKS |
|
Oracle Cloud Infrastructure |
OKE |
|
Red Hat |
OpenShift |
|
Kubernetes |
Kubernetes |
Requirements
The CloudGuard agent requires Kubernetes permissions for:
Verb |
Group |
Resource |
Scope |
---|---|---|---|
get, list |
- |
pods services nodes nodes/proxy serviceaccounts namespaces resourcequotas |
Cluster-wide |
apps |
daemonsets deployments replicasets statefulsets |
Cluster-wide |
|
networking.k8s.io |
networkpolicies ingresses |
Cluster-wide |
|
extensions |
ingresses |
Cluster-wide |
|
policy |
podsecuritypolicies |
Cluster-wide |
|
rbac.authorization.k8s.io |
roles rolebindings clusterroles clusterrolebindings |
Cluster-wide |
|
batch |
cronjobs |
Cluster-wide |
|
- |
pods secrets configmaps |
Agent namespace (default: checkpoint) |
|
patch |
admissionregistration.k8s.io |
validatingwebhookconfigurations |
Cluster-wide |
all (*) |
*.cloudguard.checkpoint.com |
all (*) |
Agent namespace (default: checkpoint) |
The CloudGuard agent requires these Kubernetes permissions for OpenShift Kubernetes clusters:
Verb |
Group |
Resource |
Scope |
---|---|---|---|
get, list |
config.openshift.io |
clusteroperators (resourceName: openshift-apiserver) |
Cluster-wide |
operator.openshift.io |
openshiftapiservers, kuberapiservers (resourceName: cluster) |
Cluster-wide |
|
security.openshift.io |
securitycontextconstraints |
Cluster-wide |
|
get - |
- |
configmaps (resourceName: config) |
openshift-kube-controller-manager, openshift-apiserver, openshift-kube-apiserver |
configmaps (resourceName: kube-scheduler-pod The smallest and simplest Kubernetes object. A pod represents a set of running containers on your cluster. A pod is typically set up to run a single primary container. It can also run optional sidecar containers that add supplementary features like logging. Pods are commonly managed by a Deployment.) |
openshift-kube-scheduler |
|
Note - For Kubernetes clusters on OpenShift, CloudGuard creates additional roles in OpenShift namespaces. The role bindings bind these roles to the CloudGuard service account (in CloudGuard namespace used for the agent). |
Linux allows assigning specific capabilities to processes, thus restricting the processes to only the minimum privileges required to perform their tasks and reducing the risk of security breaches.
The CloudGuard agents require these Linux kernel capabilities:
Agent Name |
Container Capabilities |
Host Network |
Privileged |
---|---|---|---|
Runtime Protection (runtime-daemon) |
|
required |
OpenShift, CRI-O, CoreOS, Bottlerocket: required |
Flow Logs(flowlogs-daemon) |
|
required |
OpenShift: required |
Image Assurance (imagescan-daemon) |
|
not required |
OpenShift and CRI-O: required |
CloudGuard agents must have connectivity to these domains:
Blade or Agent | Address | ||
---|---|---|---|
CloudGuard Image Assurance Image Scan |
.dome9.com
|
||
Runtime Protection |
https://storage.googleapis.com/cos-tools https://rep.checkpoint.com/file-rep/service/v2.0/query |
||
Container Registry A collection of repositories used to store and access container images. |
https://quay.io/checkpoint |
Instead of the domain objects, you can use the region-specific URLs for your Data Center location from the table below. Add these endpoints to the allowlist.
Blade or Agent | Address |
---|---|
Runtime Protection |
https://storage.googleapis.com/cos-tools https://rep.checkpoint.com/file-rep/service/v2.0/query |
Container Registry |
https://quay.io/checkpoint |
For Image Scan agents ver 2.28.0 and lower, you must use additional endpoints. To learn more about agent's version, see Agent Version Life Cycle.
Blade or Agent | Address |
---|---|
Image Assurance |
https://rpm-serv.sg.iaas.checkpoint.com https://shiftleft.portal.checkpoint.com/ |
Image Scan |
https://shiftleft-prod-bucket.sg.iaas.checkpoint.com |
Blade or Agent | Address |
---|---|
CloudGuard |
https://api-cpx.dome9.com https://api.dome9.com |
Threat Intelligence |
https://validator-prod-k8s.s3.amazonaws.com |
Image Scan (agent ver. 2.28.0 and lower) |
https://us-gw.sg.iaas.checkpoint.com |
Blade or Agent | Address |
---|---|
CloudGuard |
https://api-cpx.eu1.dome9.com https://api.eu1.dome9.com |
Threat Intelligence |
https://validator-prod-533924475734-k8s.s3.eu-west-1.amazonaws.com |
Image Scan (agent ver. 2.28.0 and lower) |
https://eu-gw.sg.iaas.checkpoint.com |
Blade or Agent | Address |
---|---|
CloudGuard |
https://api-cpx.ap2.dome9.com https://api.ap2.dome9.com |
Threat Intelligence |
https://validator-prod-583664506098-k8s.s3.ap-southeast-2.amazonaws.com |
Image Scan (agent ver. 2.28.0 and lower) |
https://au-gw.sg.iaas.checkpoint.com |
Blade or Agent | Address |
---|---|
CloudGuard |
https://api-cpx.cace1.dome9.com https://api.cace1.dome9.com |
Threat Intelligence |
https://validator-prod-052001227150-k8s.ca-central-1.amazonaws.com |
Image Scan (agent ver. 2.28.0 and lower) |
https://ca-gw.sg.iaas.checkpoint.com |
Blade or Agent | Address |
---|---|
CloudGuard |
https://api-cpx.ap3.dome9.com https://api.ap3.dome9.com |
Threat Intelligence |
https://validator-prod-573281234161-k8s.s3.ap-south-1.amazonaws.com |
Image Scan (agent ver. 2.28.0 and lower) |
https://in-gw.sg.iaas.checkpoint.com |
Blade or Agent | Address |
---|---|
CloudGuard |
https://api-cpx.ap1.dome9.com https://api.ap1.dome9.com |
Threat Intelligence |
https://validator-prod-155213570047-k8s.s3.ap-southeast-1.amazonaws.com |
Image Scan (agent ver. 2.28.0 and lower) |
https://sg-gw.sg.iaas.checkpoint.com |
If the CloudGuard pod image is uploaded to a private repository, connectivity to Container Registry is not necessary. In this case, the Helm chart parameter image.repository
must be changed to indicate the location of the image. For more information about how to set this parameter, see https://github.com/CheckPointSW/charts/tree/master/checkpoint/cloudguard.
Each CloudGuard feature can have pods that run in daemonsets and pods that run in deployments. For the pods in daemonsets, resources are shown in the table below per node. For the pods in deployments, resources are below per cluster. The pods that run in deployments can certainly run on different nodes.
You can find the default values of requests and limits in the defaults.yaml on the Helm Chart.
Basic Feature |
Per cluster or node |
CPU (millicores) |
Memory (MiB) |
||
---|---|---|---|---|---|
requests |
limits |
requests |
limits |
||
Posture Management |
per cluster |
100 |
200 |
50 |
50 |
Image Assurance |
per cluster |
200 |
1050 |
200 |
2600 |
per node - Docker |
50 |
50 |
50 |
50 |
|
per node - containerd |
200 |
250 |
150 |
150 |
|
per node - CRI-O* |
200 |
300 |
250 |
250 |
|
Admission Control |
per cluster |
1150 |
1350 |
330 |
450 |
* OpenShift uses the CRI-O runtime
|
Note - Image Assurance scanning engine (imagescan-engine) requires free ephemeral storage, which size is double maximal size of the scanned image. Maximal image size means the uncompressed, |
Premium Feature |
Per cluster or node |
CPU (millicores) |
Memory (MiB) |
||
---|---|---|---|---|---|
requests |
limits |
requests |
limits |
||
Runtime Protection |
per cluster |
50 |
50 |
30 |
50 |
per node* |
200 |
400 |
300 |
800 |
|
Flow Logs |
per node |
100 |
200 |
30 |
100 |
* Large Nodes (above 8 vCPUs) may require additional resources in case of pod restarts.
More Links
For Kubernetes terminology, see the Glossary in the Kubernetes documentation.